Information – Friend or Foe?

The Information Risk and Treatment Balancing Act

Information is both a risk and a resource when thinking about organisational resilience, including business continuity. There are plenty of examples of information losses that have caused major embarrassment, cost a considerable amount of money to resolve and resulted in a loss of trust as well as clients. These have included hacking and cyber attack problems, lost memory devices, leaving files on the train or selling off filing cabinets with records still in them.  They even involve being photographed on the way to an important meeting carrying a document the content of which can be easily read from the photographs. Organisations involved have ranged from small business to multi-nationals and public sector bodies. The nature of information as a risk is well publicised, as a result, even if after the fact of its loss. The assessment and treatment of information risks is perhaps less well understood in practice as such losses continue to occur. How well thought through is your information risk strategy? Do you fully understand the nature of this risk and have you treated it properly? No one wants to see his or her organisation’s reputation in the gutter due to the loss of sensitive information, be it commercial or personal.

Information is also a key resource when it comes to business recovery. Systems and processes are not useable if the information they require is not available in an accurate, up to date and workable form. Often it may take longer to get information, with proven integrity, loaded back onto a system than to recover the hardware itself. Perhaps this was the problem when it came to the interruption to bank account access experienced in the UK and Ireland in the recent past. The concept of the Recovery Point Objective, the time by which information must be recovered to meet the Recovery Time Objectives of critical processes, is well documented but perhaps less well implemented. If you haven’t gotten into the weeds on this one your recovery strategies may well not deliver as you had hoped. In addition some recovery strategies themselves introduce information risks that may not have existed before the business disruption that caused the strategies to be invoked. Take for example home working. How secure is sensitive or personal information, including emails, when this is your selected recovery option? It is not clear that all organisations have assessed this risk and put in place appropriate steps to treat it. The UK Information Commissioner has had recourse, for example, to fine an organisation in the past for information uploaded onto the web accidentally from a home computer during home working.

There is legislation to cover information risks with the potential for significant fines and websites that name and shame those found responsible for the loss of personal and sensitive information. Currently the EU is reviewing this legislative framework and the outcomes of this work could significantly strengthen the approach taken with those organisations that compromise such information. Planning for this issue isn’t just about what do to when information may be lost but includes a more careful analysis of what information you gather in the first place, how you store it, for how long you keep it, who you allow to access it and how it can be recovered in time. Added to this is the complication of where information ends up and how people actually access it, sometimes without organisations perhaps being aware. This covers issues as diverse as portable laptops, photocopier memory storage and Bring Your Own Devices (BYOD) such as phones or tablets. The scale of the problem can be considerable.

A key place to start is with an information policy. Such a policy could useful set out the principles by which information is to be governed, from initial collation to storage and use/sharing. It should also include destruction and disposal guidance that can be applied to information no longer of use or technology that is not required or obsolete. Such guidance should also cover the eventuality of the invocation of recovery strategies as well as how damaged or irreparable equipment that could hold information is to be safely managed. You can find out much more about this issue at the ICO’s website. Go have a look and educate yourself on this risk and resource.

LEAD...FOLLOW...OR GET OUT OF THE WAY (PART 1)

Leadership?

When was the last time you were asked to define leadership?  Its the kind of thing we know what it feels like when its good or bad, but its hard (and maybe unnecessary) to define.  It might help to think of leadership as both a noun and verb; in other words its not just about what leaders do, its a phenomenon centred on interactions. Sometimes using these two lenses can be helpful, especially in challenging times.

Grappling with this concept I formed a view that there are three dimensions to leadership, namely the leader, their followers and the context(s) in which they are operating.  These three dimensions interact to produce 'leadership' (noun); when the leader and followers 'connect', working in tune with each other and with the context in which they find themselves, the result feels good and is effective.  When one dimension moves out of synch the whole suffers; leadership happens when all the dimensions align.  What then of the context of a crisis?  In Part 1 of this two part blog I'm going to briefly explore something of the art of followership in a crisis.

Followership

Leading commentators classify followers according to their level of engagement with the leader and with the organisation.  In 2008 Barbara Kellerman described four groups in her book "Followership": 

• Bystanders observe but deliberately stand aside, offering tacit support for 'whoever and whatever constitutes the status quo.'  
• Participants are engaged to varying degrees and will invest effort to 'try and have an impact.'
• Activists 'feel strongly about their leaders' and will work hard for or against them. Very engaged.
• Diehards are utterly dedicated to their perception of the leader and will give everything to act accordingly.

Followers wishing to have an impact ('the engaged') will use their engagement to actively support or undermine leaders; so from the leader's perspective followers may be good or bad, with positive or negative influences on 'leadership' (noun).

So What? 

So how might this rudimentary understanding help in relation to managing crisis?  I offer 5 points for consideration to add value to the quality of your followership in a crisis.

Crisis disrupts the balance.  By its very nature a crisis will disrupt the balance between the 3 dimensions of 'leadership'; its inevitable. This provides an additional challenge for leaders and followers alike. The context has changed and so may the roles and behaviours of everyone involved.  Adjustment from the norm will be required to re-synchronise the 3 dimensions; this doesn't constitute a free for all, but rather a concerted and well managed effort.  Its important for followers to understand these dynamics and react positively to enable meaningful progress in the early stages of a crisis.

Understand the context.  Different contexts require different types and speeds of action. The situation may require deference to experts, a degree of debate or just some quick decisions and action.  In the earliest stages of a crisis lengthy discussions to decide the optimal path are unlikely to help. Sometimes however, the situation (including a leader's behaviour), may require a more challenging approach from followers. Understanding the context and adjusting your followership behaviour accordingly are key.

Sometimes we lead, but all of us will follow sometimes. Part of understanding the context may also be recognising whether you are playing a leader's role or a follower's role.  As a C Suite Exec you may be in charge, or you may be following a designated CMT leader or perhaps deferring to a subject matter expert.  The same logic holds true throughout the organisation; where individuals may sometimes be leading, sometimes following. As a follower, its important to understand your role and recognise that this role may change throughout the crisis.

Stay in lane.  Its sometimes difficult for a 'day to day' leader to play a followers role.  As a follower who 'normally' leads, you may need to consciously suppress your desire to step in or to take over, especially in times of crisis; egos to the back, collective needs to the fore! 

Bystanders incubate crisis.  Prior to and during a crisis the less engaged followers will not say or do anything to change the status quo, no matter what they might really feel.  These followers incubate crisis.  By remaining silent or by failing to challenge leaders, crisis may be inevitable and some unchallenged decisions within a crisis may simply exacerbate the problem. Speaking up may be whats required, and recognising when its helpful to do so is vital.

So effective crisis management is also dependant upon effective followers who understand the context and adjust their behaviour and actions accordingly, recognising the need to play different roles accordingly, to maintain a balance with the leader and the context.  And similarly there are lessons for leaders, which will be explored in Part 2.

Counting the cost, and benefits, for business continuity - a Micro Business Perspective

This blog looks at Business Continuity Management at the micro business perspective. For those of you wondering what a micro business is well it is at the bottom end of the Small Medium Enterprise (SME) designator that is so often used. This may seem a trivial point but the reality is that most micro businesses will never reach the exalted status of being an upper end SME. This is because such an SME is defined, in EU law, as a business with up to 250 staff and a turn over of €50 million.  To put this into context the same EU law defines micro businesses as having less than 10 staff and a turnover of under €2 Million.

In the UK SMEs are a major employer and a significant part of the economy. This is even more pronounced when you look at it from certain regional perspectives outside of London or other major cities. According to the Federation of Small Businesses (FSB) SMEs account for 99.9% of all businesses in the UK, employ 24.3 million people, cover 59.3% of private sector employment and have a combined turnover of £3,300 billion. Micro businesses play a substantial part in these impressive statistics.

So what is the point? I suppose it is that in the main this seems to be a part of the business environment that is untouched by BCM.  There have been attempts to engage with upper end SMEs but with limited results, we know this from experience. It is less clear that such efforts have extended to micro businesses. Yet such businesses are clearly not immune to business disruptions. In fact they are more vulnerable due to limited resources, including cash and time, as well as extensive competition ready to step in. On a macro scale it has to be acknowledged that the economy as a whole is entirely insulated from the failure of a single micro business and, as the entire sector is unlikely to go under at the same time, that may limit the desire to raise this issue with this aspect of our economy. Alternatively micro businesses are best equipped to implement fully embedded, practical BCM that commands top management buy in, although many owners currently perceive it as an overly bureaucratic process even when offered free support.

Micro businesses form a part of the wider supply chain to top business as well as funding a big slice of their customer base.  It is therefore in the interests of major businesses and the Government, through tax receipts, that micro businesses survive and thrive.  Perhaps as an industry we too now need to look more closely at how we engage with our micro businesses over issues like Organisational Resilience.  A tricky proposition, as it is neither glamorous nor likely to be lucrative, and often the horse, when taken to the water, doesn't want to drink.

Communicating with Employees during a Crisis

In our previous post we looked at some tips for successful crisis communications.  Beverly Lowry rejoins us for this post to look specifically at the importance of communicating with employees during a crisis.  

Whilst many companies have plans in place to communicate with their external stakeholders during a crisis, few seem to have plans for communicating with their employees.  Sometimes, amidst the pressure and urgency of crisis, organisations overlook the importance of communicating internally and too often the focus is solely on dealing with the media and the customer response. 

Communicating with employees during a crisis and afterwards is essential if an organisation wants to work through the crisis with the respect and co-operation of its workforce.  If your organisation is under scrutiny, then unless you talk to your employees and provide them with as much information as you can, you will inadvertently fuel the rumour mill and encourage your employees to rely on other sources of information.

So, a crucial element of your crisis communications plan must be a section about how you will communicate with your employees.  Here are a few things to consider: 

• Plan which channels you are going to use:  Which channel is the fastest and most effective way of reaching your employees?  It may be email, the intranet or employee briefings, or a combination of these, depending on what works best for your organisation.  Don't discount using social media, and ensure the crisis isn't your first foray into that channel.
• Consider how to reach shift workers and those away from base:  Have you got enough managers to hold a short briefing at the start of each shift?  Consider how you will communicate with your overseas workers in different time zones and those based in locations across the UK and Ireland.  Consider also how quickly you can issue internal communications if the crisis occurs out of office hours.
• Leadership: Employees want to see leaders during a crisis.  Some chief executives hold regular employee briefings to explain what is being done about the situation and to answer questions.  This demonstrates leadership and openness and can be useful when dealing with a major issue.  Your senior team should be visible throughout the crisis, talking to and reassuring your people.
• Two-way dialogue: It’s important to address your employees’ concerns during a crisis by providing a forum for people to ask questions and to raise issues.  This can be through face to face briefings, online forums, team meetings, whatever works best for your organisation.  Some of your employees will be at the sharp end dealing with your customers. Informed employees reflect well on your company and they will be better placed to provide good customer service.  As a general rule, it’s very important to issue the same facts internally as externally.  You have to expect that information circulated internally will reach the public domain. 
• Maintain the integrity of your communication: Your communication needs to be accurate and candid.  It’s important to address the difficult issues.  It’s essential that your employees trust your organisation’s information and they will only do so if you demonstrate that you are willing to talk honestly about the situation.  This means being open even when your organisation has made a mistake. 

This two part blog clearly shows that effective crisis communications, both inside and outside the organisation, is a 'must have' capability.  Having a clear and workable crisis communications plan that identifies who you'll talk to, how and with what messages is an essential part of your crisis toolbox.  Develop and resource a communications plan and rehearse it to ensure it is actionable on the day. Your reputation, your staff and your customers deserve nothing less. Our thanks to Bev Lowry for sharing her experience and expertise in this important area. 

Keep an eye out for our future posts on the use of Social Media in managing crises.  Make sure you don't miss out by following our blog, using the links on the right....

Top Tips for Crisis Communication

In a previous post we looked at the top five tips for decision-making during a crisis.  In this post, communications expert Beverly Lowry shares her top five tips for communicating during a crisis.  

Whatever the issue or incident, your organisation’s reputation depends on your ability to communicate effectively. Here are five things to consider.

1.   Respond quickly

• Have a clear call-out procedure to inform the communications representative in your organisation about any major issue or incident.
• Aim to have your first media statement ready within one hour of an incident.
• Nominate and prepare a senior manager to be your broadcast spokesperson.

2.  Get additional resources

• If possible, set up a 24-hour communications response so that your organisation can respond quickly to developing media and social media issues.
• Make sure you have sufficient people to cover all aspects of the communications response, such as, writing statements, answering media calls, managing social media sites and preparing employee communications materials.

3.  Provide regular updates

• Issue regular media statements as the information becomes available.
• Keep your employees, customers and other stakeholders updated each day.

4.  Keep your statements factual

• Make sure your statements are an accurate and factual record of events.
• Don’t speculate about what has happened.
• Don’t be pressurised into guessing the facts.
• Don’t comment about issues that are the domain of regulators or other investigatory organisations.

5.  Provide the same information to all stakeholders

• Keep all internal and external stakeholder groups informed with the same set of facts. What goes internally will go externally.

Keep an eye out for our next post when Beverly shares some thoughts on the importance of communication with employees during a crisis.