Crisis Management, Emergency Management, BCM, DR: What's the Difference and How do They Fit Together?
There has been significant growth in the number of companies seriously planning for crises, emergencies, and disasters. With this growth comes an abundance of new buzzwords such as Business Continuity Management (BCM), Disaster Recovery (DR), Crisis Management, and more. In his book, The Definitive Handbook of Business Continuity Management, Third Edition, Andrew Hiles provides useful insight as to the intricate differences between each term, and how they work together:
The Business Continuity Management (BCM) profession has been developing over the past three or four decades, having its genesis in early Information Technology, when large companies became highly dependent upon mainframe computing to process large amounts of data into useful information quickly. Outages were considered ‘disasters,’ although that term was most often applied to far less catastrophic events than explosions, fires, floods and the like. Over time, the focus broadened to address critical business operations, giving rise to BCM. However, with this growth came considerable confusion about the terms used by various practitioners. This chapter will address commonly used terminology and put each term into perspective.
Rather than recapitulate the rich history of how BCM came to be, the current state of affairs as a profession will be used as the basis for this discussion, comparing and contrasting Crisis Management, Emergency Management, Contingency Planning and Disaster Recovery, all of which fall under the Business Continuity Management field. Two non-profit organizations jointly established what are referred to as the Ten Areas of Professional Practice in Business Continuity Management: the Disaster Recovery Institute International (DRII) in the US and the Business Continuity Institute (BCI) in the UK. These Ten Areas of Professional Practice will also be used as a reference point within this discussion. The BCI has now merged some of the Ten Areas of Professional Practice into six, in line with BS 25999, but the six incorporate the original ten.
One will note that there is a far broader scope of these 'areas' than one may normally consider to be a part of BCM activities, a fact which gives rise to the core topic of this discussion: terms as used by BCM practitioners and others.
Common Terms in BCM Practice
The following is a collection of terms commonly used by practitioners and organization executives and managers to describe programs being implemented throughout their organizations. Due to the lack of consistency across organizations and even within the industry, therein lurks the cause of much confusion among BCM practitioners and the various parties with whom they interact.
The Disaster Recovery Journal (DRJ) Glossary defines Crisis Management as:
'The overall coordination of an organization's response to a crisis, in an effective, timely manner, with the goal of avoiding or minimizing damage to the organization's profitability, reputation, and ability to operate.'
Any number of events may constitute a crisis to an organization: a product liability lawsuit, ethical misconduct of executive management, workplace violence, supply chain breakdown, labor action, loss of a primary manufacturing facility or a drastic drop in share price. These and many more will challenge executive management to act decisively and correctly to protect the revenue stream, stockholder and stakeholder confidence. But notice how widely varied the types of crises are. Some are inter-organizational issues to be negotiated or litigated; others are physical catastrophes, some including loss of life. The important distinction is in separating the processes for responding to each type of crisis. Some examples:
- A factory suffers an explosion. This is a disaster, a disruptive and usually destructive event, often causing loss of property and life. It is also a crisis requiring management on two fronts: dealing with media, the Board of Directors and shareholders, and initiating a recovery of the capabilities lost in the disaster.
- A bank faces bankruptcy and it is found to have approved loans to people who didn't meet customary standards of loan underwriting, because rising property values would offset the risk exposure. This is a crisis that must be addressed by executive management, although, due to government regulation, their options are limited and they may be replaced by new management.
- A Category 4 hurricane is forecast to make landfall in the Carolinas in three days. This is both a crisis and a disaster, but one that allows time for significant risk mitigation. Although the actual location where the storm will strike is difficult to predict accurately, managing the impending crisis is preparing for the known impacts of a hurricane: extremely high, gusting winds that can propel all kinds of debris, causing severe damage, power outages lasting several weeks, disrupted road, rail and air transportation and flooding, especially in coastal plains where the surge wall 1 comes ashore.
It is important to note that Crisis Communications, one of the Ten Areas noted below, is a distinctly separate activity from Crisis Management, though they operate in tandem during a crisis. Crisis Communications plans in advance how executive management, emergency and recovery response teams, employees and their families and news media will each be kept apprised of a crisis situation.
Emergency Management is the series of efforts to ensure preparedness for when an event causes property damage and/or personal injury. The DRJ Glossary defines Emergency Preparedness as:
'The capability that enables an organization or community to respond to an emergency in a coordinated, timely, and effective manner to prevent the loss of life and minimize injury and property damage.'
This entails an initial assessment of the types of events likely to occur, given the locale, regional weather, seismic faults, flood plains, etc., and the nature of damage that may result. Preparedness measures are developed to mitigate potential losses. Some examples:
- A strategy for tornadoes is identifying shelter-in-place locations within available buildings. Building evacuation plans are essential, especially in large buildings and in campus-type settings, where people may spend time in other buildings with which they are less familiar.
- Training teams of employee-volunteers to act as early responders, able to treat injured personnel sufficiently to stabilize them until public emergency resources arrive. In a regional disaster, organizations cannot rely on local fire and ambulance services to give them any particular priority, so this is a valuable and important mitigating measure. Advanced programs often include 'victims' made up with 'moulage' (simulated wounds, such as scars, blood, body parts, etc.) to prepare team members to cope with eventually facing a seriously injured person.
This term has some connection to military strategy, where different elements of an impending battle cannot be predicted with certainty, so each plausible variation is a contingency-something that can happen–and a plan for dealing with each such contingency is formed. This term can be misleading, since generally accepted practices in BCM avoid 'scenario-based' plans. However, the term is still applicable, since many emergency plans are focused upon specific threats, such as the hurricane example above. The DRJ Glossary defines Contingency Planning as:
'The process of developing advanced arrangements and procedures that enable an organization to respond to an undesired event that negatively impacts the organization.'
BCM extends beyond what preparations are made to what decisions can only be made and actions taken after the disaster occurs and the extent of the impact to organization operations is known. For this reason, well-constructed BCM plans address how response team management evaluates damage assessment reports in light of current organization operations, customer needs and expectations, market share and the like, and determine the priority given for recovery resource allocations. These are often called Recovery Action Plans, since they reflect decisions made at the time of a disaster, when actual losses are known. This discipline is also referred to as Business Continuity Planning. Some examples:
- One form of Contingency Planning is when a site-specific threat is being addressed. Because the corporate offices are located in Omaha, Nebraska, which falls within the area known as Tornado Alley, buildings were retrofitted to withstand a Force 5 windstorm and office windows were glazed with impact-resistant glass. Further, all building floor plans were re-designed to include shelter-in-place areas in the center of the structure, to maximize protection from blowing and falling debris.
- Another form of Contingency Planning is, as mentioned above, when actual disaster impacts are known and response teams' priorities are defined for implementation. Reports from the Damage Assessment Team (DAT) indicate severe impact to the work areas where final assembly of products is done in the manufacturing building. This directly affects product shipments and, thus, billing and accounts receivable. A Recovery Action Plan is written to give restoration of this area top priority for allocation of replacement equipment procurement, delivery and set-up. Another DAT report states that damage to the shipping and receiving areas is extensive. Since this area supports product shipment, the Recovery Action Plan incorporates its restoration in the manufacturing building schedule, so it will be ready when products are ready to ship.
This term was first generally used in the early days of mainframe computing to describe the practice of backing up data on tape reels, so if the system crashed, most of the data wouldn't be lost. Over time, system recovery became a 'well-oiled' process, and the reliability of mainframe computing became legend. But the term Disaster Recovery, or DR, remained linked to Information Technology long after open architecture systems began to proliferate. But from a purely linguistic view, planning to recover anything after a disaster is considered DR. Ironically, from the BCM perspective, it is common to see advertisements for 'Business Continuity services' that, given more scrutiny, only address recovery of IT services. This also holds true for employment postings: many positions seek 'BC Consultant' or 'BC Planner' talent, but most are entirely IT recovery, with nothing involving business operations recovery. The DRJ Glossary defines Disaster Recovery as:
'The technical aspect of business continuity. The collection of resources and activities to re-establish information technology services (including components such as infrastructure, telecommunications, systems, applications and data) at an alternate site following a disruption of IT services.'
Disaster Recovery includes subsequent resumption and restoration of those operations at a more permanent site. IT Disaster Recovery solutions are covered in the chapters on strategies for ICT, communications and data recovery.
Inter-Relationships Between Terms
Within the profession, there is no set model that states how each of these areas must interact or how they must report. The structure may be impacted by such things as organizational culture, number of locations, employee competencies and organizational size. An example of how they may be structured is shown:.
In this example, the Business Continuity and Disaster Recovery Teams are local to a location and therefore report to the local Emergency Response Team. The advantage of this structure is that the incident can be handled locally, thereby providing 'on the ground' knowledge of what is actually occurring. Often in an incident, it is difficult to manage the details of the incident remotely. This allows for local response and action. The disadvantage of this structure is that if it is a geographical incident or an incident resulting in injuries, the people performing the recovery may also be impacted.
In the structure shown below, the Business Continuity and Disaster Recovery Teams report directly to the Crisis Management Team. This may allow for better coordination throughout the organization, particularly if the incident is an organizational wide incident.
In either structure, the Crisis Management Team provides the overall coordination, communication, command and control for the incident. While the full structure is implemented, only those pieces needed to respond to the incident are activated for response.
From The Definitive Handbook of Business Continuity Management, Third Edition by Andrew Hiles. Copyright 2011 John Wiley & Sons, Inc. All Rights Reserved. Used by arrangement with John Wiley & Sons, Inc.