For most, an incident is a low-level or localized problem that does not have a serious impact, which can be dealt with by routine procedures and does not require the involvement of the senior management of an organisation. More complex in many ways is the comparison to “emergency”, a more emotive term much used by the emergency services and local authority community (and the Emergency Planning Society), relating generally to either a wide-scale problem or one requiring Emergency Service support, but not usually one which threatens the survival of an organisation.
A badly handled emergency will almost always give rise to a crisis: “A time of instability for an organisation in which the impacts of event(s) threaten its operations, survival, or reputation”.
The origins of a crisis can be either external, where the organisation is seen as a victim of an event beyond its control (e.g. natural disasters), or internal, where a crisis occurs due to accidents in the workplace (e.g. technical errors), or due to systemic, preventable errors (e.g. human breakdown accidents, organisational misdeeds causing injury, or the occurrence of a situation that is outside the current capacity and experience of the management team, as a result of, for example, key personnel not being available at a particular point in time).
Crises are unique or rare and unpredictable events that come as a surprise to an organisation. The key characteristics of crisis are:
Crisis Management is a process, delivered by integrated capabilities, which focuses not only on preparedness activities and what to do in the midst of a crisis, but also on the identification and forecasting of why crises happen, and how to recover and learn from incidents. It is a three-stage process, involving pre‐crisis preparation, crisis response, and post-crisis recovery.
Crises are unpredictable, but do not have to be entirely unexpected. Thus, while not all can be prevented, managers should develop and embed a wide range of resilience‐building processes and activities to enable an organisation both to prevent crises and to mitigate the impact or duration of those that do occur.
Pre-crisis preparation involves crisis management planning and the creation of structures to deliver a crisis response. The Crisis Management Team must be supported by a crisis management plan or manuals (including a Crisis Management Plan, a Crisis Communications Plan and an Information Management strategy).
Crisis Management response involves a number of steps:
While the crisis may end (e.g. in so far as the building may no longer be burning), the organisation may well be left with a major recovery problem. Post-crisis recovery involves dealing with the long-term effects or impacts of an event and how to return to “business as usual” or, if major change has taken place, the new “normal”, in the days, weeks, and sometimes months following the event, when more details and facts about the event emerge. Crisis Management processes may be handed over from the CMT to a Recovery Team in this final phase; however, it is still an integral part of the overall management process.
Crisis Management does not replace Business Continuity nor does it challenge such programs, but it is an associated and often supporting discipline.
It is, however, often the lead discipline in times of crisis where a “continuity” response is not required. ORBIT allows the management of testing and crisis management, and the link between incident management and emergency management.
The extension of the analysis to all assets and business processes, in relation to impact and vulnerability, requires a tool that is able to respond not only to the impact assessment but also to the degree of process resources: ORBIT also covers this need with Risk Impact Analysis.