Crisis Management Audit Plan

Author: Denys Martin, MBA, CIA, FCPA

Contributed 8/30/99 by Denys Martin, <denysmartin@yahoo.com>

Background and Rationale

You come to your office for the beginning of your workweek and because of some unforeseen
event there are no employees, no working telephones, no functioning computers, no utilities.
You're the Chief Executive. What would you do? Where would you start? Unquestionably this is
a crisis. Remember that you have access to almost none of your regular business tools. If this had
been an actual incident; such as many businesses experienced in Wellington, New Zealand in
1997, it would already have been too late to concern yourself with developing a Crisis
Management Plan! You need to have a Plan in place to ensure continuity of operations. But,
what kind of Crisis Management Plan is an effective one?

You need to ask: "What is a crisis for my organisation?" For this audit, the following definition
will be used:
A crisis can be defined as any unplanned event, occurrence or sequence of events that has a
specific catastrophic consequence.

Natural disasters, IT viruses, financial manipulation, societal disruption, pollution and stringent
regulations are but a few examples of potential crisis situations. The reasons for focusing on
these issues may result from a commitment to protect the public, the employees, to comply with
government regulations or to protect their organisation from possible liabilities and litigation.
The consequences for not focusing on these issues can be disastrous.

Audit Standards:

A cohesive Crisis Management Plan should have the following components:

• Compliance
• Preparedness
• Training & Resource Development
• Information Management

Critical aspects that must be in the Crisis Management Plan:

• Effective coordination of activities within the organisations ;

• Early warning and clear instructions to all concerned if a crisis occurs;
• Continued assessment of actual and potential consequences of the crisis;
• Continuity of business operations during and immediately after the crisis.

A brief synopsis of the common weaknesses in Crisis Management planning may prove helpful.
Possible weaknesses to verify:
Denys Martin, MBA, CIA, FCPA 08/30/99 5:53 AM 1 of 5
 Crisis Management Audit Plan
Author: Denys Martin, MBA, CIA, FCPA

1. No systematic collection of planning information. This includes such aspects as risk analysis,
organisational information, relevant laws, company policy procedures and location specific
data.
2. No systematic dissemination of planning information.
3. Failure to identify and establish an incident command structure. This is a common pitfall as
many planners try to fit their organisation into a standard incident command system not
designed around their particular needs.
4. No, or minimal, coordination with affected entities. Poor communications with external
dependencies such as the community, neighboring industries, identified support entities (fire,
police, hospitals, etc.) can lead to confusion and chaos during an emergency. A simple issue
such as who is the primary contact for offsite agencies during an emergency can cause major
disruption during an incident.
5. Lack of, or poorly defined, Organisational Responsibilities. Failure to provide clear, concise
procedures defining a person's functions, duties and tasks upon assuming their emergency
organisation position.
6. Once developed the Plan is not or is, at best, poorly maintained. The Plan may have been
developed to meet a regulatory requirement.
7. There is no provision for testing and review or continued evaluation and periodic update of
the material. For example, changed information, such as telephone numbers maybe buried in
various paragraphs throughout the plan.
8. The material that was developed is not user-friendly. The plan may contain too much
information. Unfortunately, the user has to be a brain surgeon to figure out his/her role in its
implementation. There should be simple, easy-to-use supplemental materials that can be used
as a quick reference guide during an emergency.
9. Training relevant personnel on the plan and their role in its implementation.
10. The plan needs to be disseminated to the authorities. Failure to include appropriate parties on
the distribution list most often leads to failure on their part to respond in the manner hoped
for.
COMPLIANCE
The risk assessment is the initial step, toward reducing vulnerability. All relevant levels of
management should become part of the Crisis Management Plan.
This can be achieved in several ways:

1. Senior manager directly responsible to top management and the board of directors. The
formal assignment of a senior manager to the position such as "Crisis Management Plans,
Director," or some other appropriate title, can accomplish the initial portion of this item.
Additionally, there should be within the individual's job description some measurement
standard to evaluate performance.

Denys Martin, MBA, CIA, FCPA 08/30/99 5:53 AM 2 of 5

 Crisis Management Audit Plan
Author: Denys Martin, MBA, CIA, FCPA

2. Set aside specific time for reports on crisis management preparedness issues. This can be
accomplished by preparing an agenda for senior staff and board of director meetings that
includes a discussion of crisis management preparedness as a mandatory item. They should
give it more than lip service though. Also, they must make the discussion substantive.
Provide more than the dull and tiring statistics on reportable accidents, etc. Include all levels
of personnel in the presentation process.
3. Make crisis management planning issues part of the strategic planning process. In one aspect,
government regulations are defining strategic implications for companies.
4. Communicate compliance through all levels of the organisation through company policy and
procedures. This can be accomplished through formal adoption of policy at the highest levels
of the company. Generally, this will require the approval of the Board of Directors.
PREPAREDNESS
Preparedness used in the broadest context means any and all measures taken to prevent, prepare
for, respond, mitigate and recover from a crisis. It's with this perspective that we begin to
breakdown the aspect of Preparedness. Preparedness consists of four critical aspects:
• Preparation and Prevention
• Detection and Classification
• Response and Mitigation
• Reentry and Recovery
Preparation and Prevention:
Any set of activities that prevent a crisis, reduce the chance of a crisis happening, or reduce the
damaging effects of a crisis. Preparation and Prevention activities include, but are not limited to:
• Development and implementation of the Crisis Management Plan
• Development and implementation of Crisis Management Plan Implementing Procedures
• Development and implementation of Crisis Management/Response Training
Detection and Incident Classification:
Actions taken to identify assess and classify the severity of a crisis. Detection and Classification
activities include, but are not limited to:
• Activation of Crisis Management Systems
• Escalation of Crisis Management Plan Implementing Procedures
• Escalation of the Crisis Management/Response Organisation
Response and Mitigation:
Actions taken to save lives prevent further damage and reduce the effects of the crisis. Response
and Mitigation activities include, but are not limited to:

• Crisis Management/Response operations

• Subsidiaries Crisis Management/Response operations

Denys Martin, MBA, CIA, FCPA 08/30/99 5:53 AM 3 of 5

 Crisis Management Audit Plan
Author: Denys Martin, MBA, CIA, FCPA

• Continuity of business operations

Recovery:
Actions taken to return to a normal or an even safer situation following the crisis. Recovery
activities include, but are not limited to:

• Activation of the Recovery Plan

• Coordination with subsidiaries
TRAINING
The training of the Crisis Management/Response Organisation is one of the critical success factors
that must be addressed if an adequate response is to be achieved. The development of the
compliance Plan, involvement of all levels of management and establishing preparedness is only part
of the overall process. To ensure an adequate response, a trained organisation is required.

A "systems" approach to preparing effective training Plans should consist of:

1. TASK ANALYSIS: determine the skills, knowledge and procedures required for satisfactory
performance of each task.
2. INSTRUCTION: Lessons are systematically presented using appropriate instructional methods.
Instruction may include lecture, self-paced or group-paced mediated instruction, simulation and
team training.
3. EVALUATION: Performance standards and evaluation criteria are developed from the learning
objectives. Each trainee's performance is evaluated during the course and during field
performance testing.
4. DRILLS: In addition to the formal training Plan, need drills and exercises.

INFORMATION MANAGEMENT
The need to establish and maintain an ongoing dynamic Crisis Management Plan is essential.

In order to facilitate planning requirements, a record of all initiatives should be retained. These
records serve to document the accomplishments, requirements, commitments and reports relating to
various Plan requirements. The identification of commitments in the areas of compliance, emergency
preparedness and training is vital. The establishment of a defined information management system
structure will ensure that documentation will be available when needed.
Senior management must be kept well informed. Information is a corporate asset. Information is
expensive. It must be shared and managed effectively. Information management is also critical
during a crisis. The need for active systems to provide information on materials, personnel,
capability information on materials, personnel, capabilities and processes is essential. It is extremely
important to have a system (and adequate back-up systems) in place that serves to identify, catalog,

Denys Martin, MBA, CIA, FCPA 08/30/99 5:53 AM 4 of 5

 Crisis Management Audit Plan
Author: Denys Martin, MBA, CIA, FCPA

set priorities and track issues and commitments relating to crisis management and response
activities.

QUALITY ASSURANCE

The Crisis Management Plan should be independently audited for quality assurance from an
independent source who can certify the adequacy of the process.

Denys Martin, MBA, CIA, FCPA 08/30/99 5:53 AM 5 of 5