AU2244_C000.fm Page i Thursday, November 16, 2006 2:22 PM C RISIS M ANAGEMENT P LANNING AND E XECUTION AU2244_C000.fm Page ii Thursday, November 16, 2006 2:22 PM OTHER INFORMATION SECURITY BOOKS FROM AUERBACH Assessing and Managing Security Risk in IT Systems: Information Security Management Handbook, A Structured Methodology Sixth Edition John McCumber Harold F Tipton; Micki Krause ISBN: 0-8493-2232-4 ISBN: 0-8493-7495-2 Audit and Trace Log Management: Consolidation and Information Security Policies and Procedures: Analysis A Practitioner's Reference, Second Edition Phillip Q Maier Thomas R Peltier ISBN: 0-8493-2725-3 ISBN: 0-8493-1958-7 Building and Implementing Security Certification and Information Security Risk Analysis, Second Edition Accreditation Program Thomas R Peltier Patrick D Howard ISBN: 0-8493-3346-6 ISBN: 0-8493-2062-3 Information Technology Control and Audit, The CISO Handbook: A Practical Guide to Securing Second Edition Your Company Frederick Gallegos; Daniel P Manson; Michael Gentile; Ronald D Collette; Thomas D August Sandra Senft; Carol Gonzales ISBN: 0-8493-1952-8 ISBN: 0-8493-2032-1 The Complete Guide for CPP Examination Preparation Intelligence Support Systems: Technologies James P Muuss; David Rabern for Lawful Intercepts ISBN: 0-8493-2896-9 Kornel Terplan; Paul Hoffmann ISBN: 0-8493-2855-1 Curing the Patch Management Headache Felicia M Nicastro Managing an Information Security and Privacy ISBN: 0-8493-2854-3 Awareness and Training Program Rebecca Herold Cyber Crime Investigator's Field Guide, ISBN: 0-8493-2963-9 Second Edition Bruce Middleton Network Security Technologies, Second Edition ISBN: 0-8493-2768-7 Kwok T Fung ISBN: 0-8493-3027-0 Database and Applications Security: Integrating Information Security and Data Management The Practical Guide to HIPAA Privacy and Bhavani Thuraisingham Security Compliance ISBN: 0-8493-2224-3 Kevin Beaver; Rebecca Herold ISBN: 0-8493-1953-6 The Ethical Hack: A Framework for Business Value Penetration Testing A Practical Guide to Security Assessments James S Tiller Sudhanshu Kairab ISBN: 0-8493-1609-X ISBN: 0-8493-1706-1 Guide to Optimal Operational Risk and Basel II Practical Hacking Techniques and Countermeasures Ioannis S Akkizidis; Vivianne Bouchereau Mark D. Spivey ISBN: 0-8493-3813-1 ISBN: 0-8493-7057-4 The Hacker's Handbook: The Strategy Behind The Security Risk Assessment Handbook: Breaking into and Defending Networks A Complete Guide for Performing Security Susan Young; Dave Aitel Risk Assessments ISBN: 0-8493-0888-7 Douglas J Landoll ISBN: 0-8493-2998-1 The HIPAA Program Reference Handbook Ross Leo Strategic Information Security ISBN: 0-8493-2211-1 John Wylder ISBN: 0-8493-2041-0 Information Security Architecture: An Integrated Approach to Security in the Organization, Surviving Security: How to Integrate People, Process, Second Edition and Technology, Second Edition Jan Killmeyer Tudor Amanda Andress ISBN: 0-8493-1549-2 ISBN: 0-8493-2042-9 Information Security Fundamentals Wireless Security Handbook Thomas R Peltier; Justin Peltier; John A Blackley Aaron E Earle ISBN: 0-8493-1957-9 ISBN: 0-8493-3378-4 AUERBACH PUBLICATIONS www.auerbach-publications.com To Order Call: 1-800-272-7737 • Fax: 1-800-374-3401 E-mail: [email protected] AU2244_C000.fm Page iii Thursday, November 16, 2006 2:22 PM C RISIS M ANAGEMENT P LANNING AND E XECUTION E S. D DWARD EVLIN F R L. A OREWORD BY ICHARD RNOLD Boca Raton New York Auerbach Publications is an imprint of the Taylor & Francis Group, an informa business AU2244_C000.fm Page iv Thursday, November 16, 2006 2:22 PM Auerbach Publications Taylor & Francis Group 6000 Broken Sound Parkway NW, Suite 300 Boca Raton, FL 33487-2742 © 2007 by Taylor & Francis Group, LLC Auerbach is an imprint of Taylor & Francis Group, an Informa business No claim to original U.S. Government works Printed in the United States of America on acid-free paper 10 9 8 7 6 5 4 3 2 1 International Standard Book Number-10: 0-8493-2244-8 (Hardcover) International Standard Book Number-13: 978-0-8493-2244-0 (Hardcover) This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish reliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materials or for the conse- quences of their use. No part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers. For permission to photocopy or use material electronically from this work, please access www. copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC) 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged. Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe. Library of Congress Cataloging-in-Publication Data Devlin, Edward S. Crisis management planning and execution / Edward S. Devlin. p. cm. Includes bibliographical references and index. ISBN 0-8493-2244-8 (alk. paper) 1. Crisis management. I. Title. HD49.D483 2006 658.4’056--dc22 2006048419 Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the Auerbach Web site at http://www.auerbach-publications.com AU2244_C000.fm Page v Thursday, November 16, 2006 2:22 PM CONTENTS Foreword...................................................................................................................xv Preface.....................................................................................................................xvii About the Author.....................................................................................................xxi 1 The Crisis Management Plan — What Is It?..............................1 1.1 Introduction.............................................................................................1 1.1.1 Plan Should Be Inclusive...........................................................2 1.1.2 Plan Viability................................................................................3 1.1.3 When Did the Concept Start?.....................................................4 1.2 What Is a Crisis?......................................................................................4 1.2.1 The American Red Cross............................................................5 1.2.2 “Opens the Door” Effect............................................................7 1.2.3 Cook County Administration Building, Chicago, Illinois.........8 1.3 Types of Crises........................................................................................9 1.3.1 Nonphysical Damage Crises: Definition and Examples.........10 1.3.1.1 Product Issue: Credibility...........................................10 1.3.1.2 Product Issue: Defective............................................11 1.3.1.3 Product Issue: Safety..................................................11 1.3.1.4 Product Issue: Tampering..........................................12 1.3.1.5 Negative Public Perception of Your Organization....13 1.3.1.6 Market Shift.................................................................13 1.3.1.7 Financial or Cash Problem.........................................14 1.3.1.8 Industrial Relations Problem......................................14 1.3.1.9 Adverse International Event.......................................15 1.3.1.10 Workplace Violence...................................................16 1.3.2 Physical Damage Disasters: Examples.....................................17 1.3.2.1 Earthquake..................................................................17 1.3.2.2 Tornado.......................................................................18 1.3.2.3 Flood............................................................................19 1.3.2.4 Hurricane.....................................................................19 1.3.2.5 Fire...............................................................................21 1.3.2.6 Leak.............................................................................21 v AU2244_C000.fm Page vi Thursday, November 16, 2006 2:22 PM vi (cid:2) Crisis Management Planning and Execution 1.3.2.7 Power Outage.............................................................22 1.3.2.8 Bombing......................................................................23 1.3.2.9 Arson............................................................................24 1.4 How to Determine Which Crises Could Strike Your Company........25 1.4.1 Analyze the Threats..................................................................26 1.4.2 Predictability..............................................................................26 1.4.3 Frequency..................................................................................26 1.4.4 Crises That Could Be Missed...................................................27 1.4.4.1 Crisis Caused by a Supplier or Vendor: Examples...27 1.4.4.2 Crisis Caused by a Bad Exercise: Examples............28 1.4.4.3 Crisis Caused by the Action of an Employee: Examples.....................................................................29 1.4.4.4 Crisis Caused by the Action of the Human Resources Department: Examples...............30 1.4.4.5 Crisis Caused by the Actions of the News Media: Examples.....................................................................30 1.4.4.6 Crisis Caused by an Owner Liability Issue: Examples.....................................................................31 1.4.4.7 Crisis Caused by an Industrial Espionage Incident: Examples.....................................................................32 1.4.4.8 Crisis Caused by the Unexpected Death of CEO, or of a Number of Senior Executives: Examples....33 1.5 Why Companies Need a Crisis Management Plan.............................34 1.5.1 News Media Can Make or Break You....................................37 1.6 Preventing a Crisis from Occurring.....................................................39 2 Business Continuity Planning: What Is It?..............................43 2.1 How Does the Crisis Management Plan Fit into the Business Continuity Plan?.....................................................................43 2.1.1 The Prevention Element: Introduction....................................44 2.1.1.1 The Risk Management/Risk Analysis Process..........46 2.1.1.2 The Security Plan........................................................52 2.1.1.3 The Facilities/Building Engineering Plans................55 2.1.2 The Emergency Response Plan................................................61 2.1.2.1 The Incident Response Plan......................................62 2.1.2.2 The Life Safety Plan...................................................65 2.1.2.3 The Damage Assessment Plan...................................70 2.1.3 The Business Resumption Plan................................................73 2.1.3.1 The Information Technology-Disaster Recovery Plan.............................................................74 2.1.3.2 The Business Unit’s Business Resumption Plan......76 2.1.3.3 The Crisis Management Plan.....................................81 2.1.4 History of Business Continuity Planning.................................84 2.1.4.1 Contingency Plans, 1965............................................85 2.1.4.2 The Fire in Hawthorne, New York, 1972: The Incident That Changed the Scope from Contingency Plans to Disaster Recovery Plans........87 AU2244_C000.fm Page vii Thursday, November 16, 2006 2:22 PM Contents (cid:2) vii 2.1.4.3 The Fire in Philadelphia, Pennsylvania, 1978..........89 2.1.4.4 Fire in Minneapolis, Minnesota, 1982.......................90 2.1.4.5 Bombing in New York City, 1993............................92 2.1.4.6 Bombing in Oklahoma City, Oklahoma, 1995.........95 2.1.4.7 The Millennium Change (Y2K), 2000.......................96 2.1.4.8 The Terrorist Attack on the World Trade Centers in New York City........................................................99 2.1.4.9 Business Continuity Plan: Reassessment.................101 3 Stages of a Crisis......................................................................107 3.1 Introduction.........................................................................................107 3.1.1 The Pre-Crisis Stage................................................................107 3.1.2 The Acute-Crisis Stage............................................................108 3.1.3 The Post-Crisis Stage...............................................................108 3.2 The Pre-Crisis Stage............................................................................108 3.2.1 What Is the Pre-Crisis Stage?..................................................108 3.2.2 When Someone Discovers a Potential Crisis Developing, What Should They Do?...........................................................110 3.2.3 Pre-Crisis Actions Taken.........................................................110 3.2.4 Organizations Apparently Are Very Effective in Managing Pre-Crisis Situations...............................................110 3.2.5 Why Do Crises Move from the Pre-Crisis Stage to the Acute-Crisis Stage?...................................................................110 3.2.5.1 Underestimate...........................................................111 3.2.5.2 Overestimate.............................................................112 3.2.5.3 Not Aware.................................................................113 3.2.5.4 Intentionally Ignore the Warning............................114 3.2.6 Some Pre-Crisis Warnings Are Obvious, While Others Are Not So Obvious........................................118 3.2.6.1 Sprinklers...................................................................118 3.2.6.2 Fires during Renovations.........................................120 3.2.6.3 Workplace Violence.................................................121 3.2.6.4 Many Pre-Crisis Warnings Are Either Missed or Ignored by the EMT..................................................122 3.2.7 Why Is Crisis Management Important?..................................124 3.2.7.1 Look for the Pre-Crisis Warning..............................125 3.2.7.2 Executive Has Missed the Warning........................125 3.2.7.3 Could Our Product Be Harming Our Customers?...125 3.2.8 What Is the Pre-Crisis Stage?..................................................126 3.2.8.1 Apparently Organizations Are Very Effective in Managing Pre-Crisis Situations.................................127 3.2.8.2 Why Do Crises Move from the Pre-Crisis Stage to the Acute-Crisis Stage?.........................................127 3.3 The Acute-Crisis Stage........................................................................127 3.3.1 When? — After the Crisis Is Known Outside the Organization............................................................................128 3.3.2 Result: Managing May Be Weakened....................................129 AU2244_C000.fm Page viii Thursday, November 16, 2006 2:22 PM viii (cid:2) Crisis Management Planning and Execution 3.3.3 Disgruntled Employees Attempt to Take Revenge: Examples..................................................................................129 3.3.4 Product (or Services) Come under Attack: Examples..........130 3.3.5 Creditors Become Concerned and Want to Be Satisfied: Examples..................................................................................131 3.3.6 Shareholders Are Concerned and Begin Dumping Their Stock: Examples............................................................134 3.3.7 Damage to a Company’s Reputation Can Have Serious Consequences: Examples........................................................136 3.3.8 Managing the Organization Becomes Difficult.....................137 3.3.8.1 Problem: Loss of Personnel.....................................138 3.3.8.2 Loss of Key Employees............................................139 3.4 The Post-Crisis Stage...........................................................................140 3.4.1 How Long Will This Last?......................................................140 3.4.1.1 Take Notes................................................................141 3.4.1.2 Guilt by Association.................................................142 3.4.1.3 The Worst Example of a Crisis Will Not Go Away...142 3.4.1.4 Learn from Other Crises...........................................143 3.4.2 Evaluating the Organization’s Handling of the Crisis..........143 3.4.2.1 Evaluating the Organizations’ Handling of the Crisis — Objective: Recoup Losses.........................143 3.4.2.2 Evaluating the Organizations’ Handling of the Crisis — Objective: Show Consumers You Care about What You Did to Them.................................147 3.4.2.3 Evaluating the Organization’s Handling of the Crisis — Objective: What Are You Doing to Prevent This from Happening Again......................149 3.4.2.4 Evaluating the Organization’s Handling of the Crisis — Objective: Organizations Are Too Weakened to Continue Operations.........................151 3.4.2.5 Evaluate the Organization’s Performance during the Crisis — Objective: Investigations........153 3.4.2.6 Evaluating the Organization’s Handling of the Crisis: Investigations.................................................155 3.4.2.7 Evaluating the Organization’s Handling of the Crisis: Change Is Needed.........................................158 4 Steps in Managing a Crisis......................................................161 4.1 Introduction.........................................................................................161 4.1.1 Take Charge Quickly..............................................................162 4.1.1.1 Activate the Crisis Management Team....................163 4.1.1.2 Establish the Crisis Management Command Center...163 4.1.1.3 Identify the Person Who Will Manage the Crisis....165 4.1.1.4 Let People within Your Organization Know Who the Crisis Manager Is.......................................166 4.1.1.5 Take Charge Quickly — Before the Organization Weakens.............................................166 AU2244_C000.fm Page ix Thursday, November 16, 2006 2:22 PM Contents (cid:2) ix 4.1.2 Establish the Facts...................................................................171 4.1.2.1 Facts Not Completely Known..................................171 4.1.2.2 Information Tainted..................................................171 4.1.2.3 Gather Information: Use Crisis Communications Team Members..........................................................172 4.1.2.4 Prepare Your Story...................................................172 4.1.2.5 Get and Give Facts as Early as Possible................172 4.1.2.6 Difficulty in Getting an Accurate Story out Quickly...172 4.1.2.7 Inaccurate Information.............................................174 4.1.3 Tell Your Story........................................................................175 4.1.3.1 Spokesperson: Who Should Be the Spokesperson?...175 4.1.3.2 Make Contact with the Media.................................176 4.1.3.3 Dealing with the Media...........................................177 4.1.3.4 Make Contact with the Employees.........................179 4.1.3.5 Make Contact with the Customers..........................180 4.1.3.6 Make Contact with the Shareholders or Investors....182 4.1.4 Fix the Problem.......................................................................184 4.1.4.1 Recoup Losses...........................................................185 4.1.4.2 Make Any Changes That Were Identified as Being Needed...........................................................187 5 The Executive Management Team..........................................191 5.1 Introduction.........................................................................................191 5.1.1 The Executive Management Plan...........................................191 5.1.2 Who Are the Members of the Executive Management Team?.......................................................................................192 5.1.3 Is There a Predefined List of Executives Who Comprise the EMT?.................................................................192 5.1.4 Do Organizations Not Already Have an Executive Management Team?.................................................................194 5.1.5 What Do They Do When They Are Made Aware of a “Developing Situation”?...........................................................194 5.1.5.1 What Does the Executive Management Team Do?...195 5.2 EMT Role during the Pre-Crisis Stage...............................................195 5.2.1 Remove the Threat..................................................................196 5.2.1.1 Avoid the “Opens the Door” Crisis........................196 5.2.2 Look for the Pre-Crisis Warning............................................199 5.2.2.1 Warnings Missed.......................................................200 5.2.3 Seek the Support of Outside Consultants.............................202 5.2.3.1 Selecting an Outside Consulting Firm....................202 5.2.3.2 Outside Consulting Firms and Specialists...............203 5.3 EMT Role during the Acute-Crisis Stage...........................................205 5.3.1 How Does the EMT Allow a Pre-Crisis Situation to Move to an Acute Crisis?........................................................206 5.3.2 Activate and Empower the Crisis Management Team to Take Action..............................................................................207 5.3.2.1 Support the Crisis Management Team....................208