The new International Standard on Crisis Management: ISO 22361

A new international standard on crisis management has just been finalised and all medium to large organisations should be having a close look to see how they measure up.

Whether its ransomware, pandemics, operational incidents, or geopolitical instability, managing risk and building business resilience is a key responsibility for any management team or board. Ensuring that your organisation has a robust crisis management capability is a critical step in managing this risk.

ISO 22361 Crisis Management is an excellent summary of international best practice. If your crisis management systems are mature, ISO 22361 is a useful measuring stick. If you are just starting down your crisis management journey, ISO 22361 can be a great guide.

Over time, ISO 22361 will become the benchmark by which your organisation’s crisis management capability will be judged. It makes sense to look at the new standard now to ensure your organisation aligns to international best practice.

Building crisis management capability

So, what’s new?

At its core, ISO 22361 Crisis Management is structured around the idea of building crisis management capability. This is a broader concept than being ‘crisis prepared’. Capability is a function of leadership, structures (principles, processes and procedures, resourcing, communications, assets, and information management), culture (values, ethics, and behaviour) and people (knowledge, skills, and performance).

If an organisation does these things well, it has the best chance of managing a crisis successfully.

ISO 22361 also clarifies where crisis management sits in relation to other business resilience functions like risk management, business continuity, information security, physical security, safety, incident response, and emergency management. It is important that organisations avoid any confusion around how these different pieces fit together.

Another thing that ISO 22361 does differently, when compared to other attempts to codify crisis management, is to define seven overarching principles of best practice crisis management. Robust crisis management is not just about having an up-to-date plan. Rather, it is about the way an organisation thinks about and responds to an existential threat in a manner that aligns with its core values and strategic objectives.

Under ISO 22361, the seven principles of crisis management[1] are:

• Governance: Crisis management is dependent upon effective governance at all levels of the organisation. A crisis management capability is dependent upon clearly understood structures, roles, responsibilities, and competence.
• Strategy: Crisis management is a strategic capability. Building and maintaining a crisis management capability is dependent upon leadership communicating its value and importance to the organisation, setting objectives, and allocating resources to achieve these.
• Risk management: Crisis management capability is dynamic and is founded upon the management of risk. Adaptive and timely crisis management is dependent upon situational and risk awareness, enabling the organisation to actively monitor its internal and external environments and assess its potential vulnerabilities, and opportunities.
• Decision-making: Effective decision-making relies on good information management, situational awareness, and an understanding of the needs and expectations of interested parties. Leaders across the organisation should seek an understanding through situational awareness and information management to make decisions that are based on evidence, logic, and judgement and understanding of the impact of potential consequences.
• Communication: Crisis management requires effective communications. The organisation should communicate accurate, credible, and timely information to interested parties (including those within the organisation) to increase its crisis management effectiveness and protect its reputation and integrity.
• Ethics: An organisation’s response to a potential or actual crisis is guided by its core values and ethical expectations.
• Learning: An organisation’s crisis management capability is enhanced through organisational learning. An organisation learns by ensuring people with crisis management roles and responsibilities are competent through training, exercising, and learning from internal and external experience.

Consequently, any organisation that is seeking to align its crisis management system to international best practice should ensure that these principles are deeply embedded in its policies, frameworks, plans, procedures, training, behaviours, and people.

What is a ‘crisis’?

ISO 22361 defines a crisis as an “abnormal or extraordinary event or situation that threatens an organization or community and requires a strategic, adaptive and timely response in order to preserve its viability and integrity”.

This definition is instructive for a number of reasons:

• A crisis is unusual – it is not part of business as usual and crisis management is therefore different to business continuity management
• Crisis management is a function of top management and is strategic in its response – it may provide guidance to emergency and incident response teams, but it is not involved in the actual delivery of this response
• A crisis is an existential threat to the reputation and the viability of an organisation and therefore may require a whole of organisation response.

Many organisations confuse crisis management with emergency response and business continuity, so having this clear and succinct definition is helpful.

Understanding the potential origins of a crisis is another useful aspect of the new standard. As ISO 22361 sagely points out[2], crises can be triggered in many different ways, both from inside and outside an organisation. For example:

• Extreme disruptive incidents that have immediate and obvious strategic implications including serious operational events, malicious acts, gross misconduct, extreme negligence, the failure to deliver products or services to an expected or legal standard, and malfeasance.
• Crises stemming from poorly managed incidents or situations that are allowed to escalate thereby making the condition worse and eroding trust, reputation, and licence to operate. This can often include latent or unidentified issues that evolve and are allowed to grow.
• External shocks that impact markets, supply chains, competitive advantage, legislation, licensing, customers, and stakeholders.

Whilst this may appear obvious, most often in hindsight, it is a valuable reminder. History is littered with examples of organisations that missed the early signs of a crisis or failed to adopt the principle of prudent over-escalation at the beginning of a crisis. Identifying a crisis early, getting ahead of the game and not continually playing catch-up, is an important thing for crisis management teams to be able to do.

The need for strategic decision making

No matter the origin of a crisis, any organisational response requires strategic decision making by top management. Often these decisions need to be made in an extreme, high-pressure environment with incomplete or conflicting information. Sometimes decisions must be made that result in imperfect outcomes where the “least bad” option is required.

ISO 22361’s focus on strategic decision making is critically important. When crisis management teams fail, often the biggest mistake they make is ignoring their strategic role and getting bogged down in trying to respond to the actual incident. There should be other teams for the incident and emergency response. A crisis management team has a role in supporting these teams, but their primary focus should be on the big issues requiring strategic decision making. This requires discipline, practice, leadership, and the right structures around the crisis management team to ensure this focus.

Not a blueprint but a guide

ISO 22361 is an excellent reference to help any organisation help build their crisis management capability, but it is not a boilerplate that you can just copy and paste. Rather, it represents a distillation of international best practice and is a guide that can help your organisation on its crisis management journey.

FTI Consulting experts have extensive crisis management experience. With more than 7,000+ employees located in 30 countries and 85 cities across the globe, we have helped many clients across a range of geographies and sectors to build their crisis management capability.

If you want to know whether your organisation’s crisis management system aligns with ISO 22361 Crisis Management, our newly developed FTI Consulting Crisis Management Review looks at over 500 datapoints and compares it with the international best practice found within the new standard.

References:

[1] ISO22361, Section 4.5, Principles for Crisis Management

[2] ISO22361, Section 4.3, Potential origins of crises