
CRISIS A short guide 2018

Acknowledgements

Gallagher

Founded by Arthur Gallagher in Chicago in 1927, Gallagher has grown to become one of the largest brokerage companies in the world. With significant reach internationally, the group employs over 26,000 people and its global network provides services in more than 150 countries.

In an increasingly unstable political environment where security threats can cause serious disruption, a robust management and risk strategy is more important than ever before. Gallagher’s Crisis Management team brings together over 100 years of practical operational and insurance market experience in the counter terrorism, kidnap and ransom, recall and political risks fields. This experience allows them to assess their clients’ organisations, objectives and the security and operational situations that could put them at risk and develop insurance solutions and crisis management strategies which help to mitigate this risk.

Continuity Institute

Founded in 1994, the BCI defined a set of practices for individuals to be able to demonstrate their individual and capability in business continuity management. These Professional Practices form the stages of the business continuity management lifecycle and are described in the BCI’s Good Practice Guidelines.

The BCI is the world’s leading professional association responsible for improving organizational resilience through building business continuity capability and professional development of individuals all over the world.

The BCI vision is a world where all , communities and societies become more resilient.

The BCI core values are professionalism, reliability, and inclusivity. The BCI is built on the principle of professionalising business continuity practice, and continues to be the authoritative and reliable source of information on all aspects of business continuity theory and practice for professionals, and offers a wealth of online resources via www.thebci.org

The Good Practice Guidelines have been revised as part of the BCI’s process of continual improvement and ongoing development of our body of knowledge to remain relevant to professionals worldwide.

Contents

Introduction
The four pillars of crisis management
Chapter 1: Anticipate
  What is a crisis?
  Why crisis resilience is so important
  Duty of care
  Understanding the risks to the organisation
Chapter 2: Prevent
  Building a culture of resilience
  Roles and responsibilities within the organisation
  Implementing a strong crisis management strategy
  Implementing safe travel policies
  Implementing natural disaster risk plans
  Cyber resilience healthcheck
Chapter 3: Respond
  Tools to manage in the event of a crisis
  The immediate crisis response process
  Tools and technologies in action
  Media and crisis communications process
  Social media impact and uses
Chapter 4: Recover
Conclusions
Bibliography

Introduction

As becomes increasingly global and dependence on digital technology increases, the potential for disruption is rising exponentially. Risks are becoming more complex and more connected, and it’s no longer just major organisations or cities that are at risk - events can happen anywhere, at any time.

Threats, such as terrorism, political violence, kidnap and ransom, cyber risks or product recall can cause serious operational disruption, financial loss or adverse publicity that can impact your organisation and its profits. That’s why it’s important to understand crises and the steps you need to take to manage them.

The British Standards Institution (BSI) defines crisis as an "abnormal and unstable situation that threatens the organization's strategic objectives, reputation or viability" and crisis management as "development and application of the organizational capability to deal with crisis". While you may have an incident response plan, incidents are usually something which can be predicted in advance and can be resolved quickly before long-term or permanent impacts occur. Crises, on the other hand, are unique or unforeseen events and can have dire consequences for your organisation. Failure to respond to a crisis in the correct manner could potentially cripple your organisation and, as this is not something which is part of day-to-day management, you will need to allocate the time and resource to introduce a crisis management plan.

Research undertaken in 2017 by Gallagher, in conjunction with YouGov, shows that UK companies are keenly aware of the need to build a culture of crisis resilience against the main threats their organisations face, but managing and responding to security threats like cyber extortion, terrorism and emergency repatriation is easier said than done. These incidents are low frequency but high impact – increasingly causing damage to brand and reputation, as well as financial loss and personal injury or loss of life.

The key to a successful crisis management plan is to start as early as possible and have a clear strategic direction including clear communication, effective and a detailed record of all decisions taken. Companies need to shift their mind-set and take a comprehensive approach to building effective resilience aligned to four key pillars of activity: ‘Anticipate, Prevent, Respond, Recover’.

This guide practically outlines certain key principles in the Airmic ‘EXPLAINED: Business Continuity Management’ guide, BSI standards publications – ‘BS65000: Guidance on organizational resilience’ and ‘BS11200: Crisis Management – guidance and good practice’ as well as Airmic's ‘Roads to Resilience’.

The four pillars of crisis management

Effective crisis management is much more than a written document. It has multiple components, including risk analysis, employee training, security protocols, emergency procedures, and risk transfer. It takes time, effort and the right stakeholders to build this, rather than just big budgets or simply buying insurance.

ANTICIPATE: Calculate the likelihood of an attack or crisis through vulnerability analysis, threat modelling and risk monitoring

PREVENT: Use risk management & mitigation techniques to prevent being caught up in a crisis where possible eg security policies & procedures, safe travel programme and executive resilience

RESPOND: Ensure you and your people can respond effectively to any security crisis through training & awareness, co-ordinated crisis management planning and comprehensive insurance placement

RECOVER: Get your business back on track faster through effective business planning and support from specialist claims & investigations teams

It’s also important to place crisis management within the framework of enterprise risk management (ERM) and business continuity management (BCM). The best way to describe this is as a ‘continuum’ of actions which exist before and after a negative event:

Prevention & tracking
Incident
1 Identify objectives for survival and the minimum required resources to achieve them
2 Immediate and short-term actions
3 Short & medium term arrangements
4 Medium & long-term arrangements
Disrupted operating levels
Restored or enhanced operating levels

Figure 1: The phases of a business continuity response

Chapter 1: Anticipate

The first step in effective crisis management is to understand the definition of a crisis and to anticipate those crises in the context of your business or organisation.

What is a crisis?

In BS11200:2014, Crisis management - Guidance and good practice, the British Standards Institution (BSI) defines a crisis as an ‘abnormal and unstable situation that threatens the organization's strategic objectives, reputation or viability’. While this may immediately lend itself to events such as a terrorist act, product contamination or serious production line failure, there are in fact many types of crises, each ranging in severity and requiring a different response.

Types of threat

SECURITY THREATS
Definition: A deliberate attempt to incite panic or disrupt day-to-day operations. These threats can also be planned attacks with the aim to extort money or inflict reputational damage on an organisation.
Examples:
• Cyber extortion
• Terrorist attacks
• Product tamper
• Assault
• Hostage situations
• Kidnap and ransom threats

NON-SECURITY THREATS
Definition: ‘Acts of god’ and other non-man made threats which can inflict serious damage on an organisation. These threats can be hard to predict and can also cause significant business interruption.
Examples:
• Flooding
• Hurricanes
• Storm damage

Why crisis resilience is so important

Changing security threat environment: an example of dynamic change in the global environment

You only need to glance at the headlines to understand why crisis resilience is a hot topic for many companies. The terrorism landscape is changing as remote bombings are increasingly replaced with attacks orchestrated by lone-shooters or cars targeting pedestrians. It is no longer just major cities that find themselves at risk of terrorist attacks. Attacks can happen anywhere at any time and the damage they can cause extends from financial loss to reputational damage and in the worst case scenario, injury or loss of life.

Terrorism remains a very real threat to companies, but they are rarely the direct target and physical damage and loss of life are not the most likely risks they face. What companies need to think about now are non-damage business interruption and denial of access to their premises for both employees and customers, merely by finding themselves on the wrong side of a security cordon. The denial of access caused by events such as London’s Borough Market attack in 2017 can have a significant financial impact on your organisation, which without effective BCM appropriate controls including insurance cover, can be difficult to recover from.

Current perceptions

show that a large proportion of the organisations sampled in our survey¹ have experienced a threat or incident within the last 24 months. Almost twice as many large companies anticipate a risk in the future compared to small and mid-sized organisations (SMEs), highlighting the need for crisis resilience for organisations that fall within this category in particular:

Extortion & threats: 60% see a risk in the future; 38% experienced in the last 24 months
Physical incidents: 41% see a risk in the future; 25% experienced in the last 24 months
People risks: 20% see a risk in the future; 20% experienced in the last 24 months

¹ http://www.ajginternational.com/news-insights/articles/news/2017/one-in-four-large-uk-firms-concerned-about-their-crisis-resilience/

Duty of care

While the risk of an incident in the workplace is very low, the risk in the wider community is increasing, particularly in public spaces. Preparation and planning now might make all the difference.

Organisations have a duty of care to their employees, customers, stakeholders and the general public which is why they need to prepare (as best they can) to satisfy their duty of care and take appropriate action to:

• Ensure all employees understand which colleagues control and are part of the Crisis Response team, and have relevant contact details.

• Maintain real-time information of colleagues’ movements and provide them with an effective information flow regarding safety-critical issues.

• Ensure that employees update and maintain their own personal information and emergency contacts held by the organisation.

• Create a robust process and clear awareness of travel emergency response, including medical assistance information, evacuation and repatriation procedures, together with contact details.

• Manage accumulation risk exposures and insurance limits effectively – in respect of both travel arrangements and key office locations.

As the Manchester and London terrorist attacks in 2017 showed, no-one can become complacent when it comes to safety during a major incident. In Gallagher’s 2017 survey on crisis resilience readiness, over two-thirds (68%) of respondents acknowledge they have a duty of care to employees – but that means a third did not.²

² http://www.ajginternational.com/news-insights/articles/news/2017/one-in-four-large-uk-firms-concerned-about-their-crisis-resilience/

Understanding the risks to the organisation

The next step is to anticipate crises by creatively considering what threats the organisation may face. To ensure their resilience, companies should begin by conducting a threat and risk assessment. This is carried out as part of the Analysis stage of the BCM lifecycle, and is preferably undertaken with the support of a risk consultant or qualified insurance broker. This process will help an organisation anticipate and understand where its specific vulnerabilities lie. The risk assessment should include multiple components and cover a wide range of potential threat scenarios.

Physical risk
Definition: Minimising business interruption risk
Impact on organisation: Denial of access; Loss of revenue; Costs for recovery/repair
Analysis required: Calculate the impact and likelihood of low frequency, high-impact threats such as non-damage business interruption after a terrorist attack
Data available to help anticipate threat: External security intelligence companies; Social media; International and local media; Management information from the security team

Digital risk
Definition: Minimising data loss or leak
Impact on organisation: Reputational damage; Loss of customers; Financial losses
Analysis required: Cyber security audit to determine, for example, the vulnerability of payment and online booking systems and the company’s preparedness for a ransomware attack such as WannaCry
Data available to help anticipate threat: Management information from the IT department/CISO; Social media; Online digital vulnerability databases; Cyber security company notifications and alerts

Human risk
Definition: Minimising loss of life or injury
Impact on organisation: Loss of resource; Issues with PTSD
Analysis required: Calculate the impact and likelihood of low frequency, high-impact threats such as business interruption after a terrorist attack
Data available to help anticipate threat: Social media; International and local media; Management information from the HR department; External security intelligence companies

Reputational risk
Definition: Minimising damage to reputation
Impact on organisation: Financial losses; Loss of customers
Analysis required: Calculate the impact of a crisis on the brand and reputation, in particular from digital and human risk situations.
Data available to help anticipate threat: Management information from the communications team of the organisation advisors and the press

Chapter 2: Prevent

Building a culture of resilience

Building a culture of resilience takes time and effort – it’s not a quick solution, but it is a comprehensive one. Getting it right means more confidence and trust throughout the company and from stakeholders that risks can be prevented or responded to without damage to people, organisational operations and brand reputation.

By taking a comprehensive approach to resilience and putting plans in place that are regularly tested, most companies are able to reduce the total cost of managing risk. Insurance is an important part of the overall picture, but it is a big spend and may not cover the key risks a company might face and only helps with the recovery process, not resilience. By focusing more on anticipating, preventing and responding to risk, insurance can shift from centre stage and become just one part of a true culture of resilience.

Most companies have some kind of insurance cover for threats such as terrorism and ransom, and they can point to business continuity, disaster recovery and crisis management plans. These are all important tools, but they provide a false sense of security if they are not joined up into a comprehensive plan of action.

That means achieving an appropriate balance between identifying, preventing and responding to risks and getting organisations back to normal. Crisis management plans should be short, principle-based and genuinely stress-tested to enable rapid decision-making and communication when there is a vacuum of information, panic and pressure from stakeholders on all sides.

Enterprise Security Risk Management and Enterprise Crisis Management fall within the wider remit of Enterprise Risk Management: like any element of ERM, an escalated approach to the identification, approval and review of risks contributes hugely to disseminating responsibility for crisis, security, continuity and resilience across the organisation. The graphic overleaf demonstrates how risk can be identified, consolidated and reviewed at each level of the organisation.

24%: Almost a quarter of respondents were concerned about their resilience or were not sure how resilient their business was. Source: Building a Culture of Resilience³

³ https://uk.ajginternational.com/crisis-resilience-report/

Chief operating officer: Review global risk register and submit to

Security risk manager: Provide initial threat information. Receive all regional security risk registers - consolidate into global. Review after six months.

Regional directors: Receive site risk assessments - consolidate into regional register. Review after six months.

Site managers: Carry out site security risk assessments in a workshop with key staff. Review after six months.

When forming part of an ERM programme, security risks should be presented at senior levels of the organisation alongside the range of other risks that the organisation faces (including health, safety and environment, sustainability, information technology, reputation and brand, and supply chain risk). Integrating the security risk management programme into a wider ERM framework will help the organisation ‘compare apples with apples’, and will prepare for a range of complex crises in a risk-led way.

“Resilient organisations are discerning about risks they take; identify the importance of emerging trends; manage the impact and consequences (both beneficial and detrimental); cope with unexpected adverse events; rapidly bounce back stronger from a crisis; constantly adapt to change; and embed the lessons learned into their business enablers”
Roads to Resilience, Airmic 2014

Roles and responsibilities within the organisation

In addition to incident response procedures, your organisation should have a crisis management team which is able to put strategies in place and make key decisions in crisis situations while carrying out a leadership role. Each member needs not only to be clear-headed and calm, but also equipped with the appropriate level of authority, experience and capabilities to carry out their roles.

The size of the team will vary depending on the size of your organisation but it should consist of a cross-section of top management and key organisational area representatives. As far as possible, the team should include the representatives of each key core function who might need to have a say in the process including:

• Board
• Security
• IT Services
• HR
• Risk / Insurance
• Production
• Operations
• Comms & PR
• Legal

If certain key functions are outsourced, for example, PR, Insurance and Legal, representatives from the relevant organisations should be present at each meeting of the crisis management team.

The team should be responsible for identifying issues, making decisions and implementing solutions as well as continuously reviewing the crisis response plan as a whole. They should also confirm and monitor the internal and external communications should a crisis occur, making sure that the information that is disseminated is consistent and coherent.

After an event they will be in charge of assessing the impact on operations as usual and ensuring that recovery begins as quickly as possible.

There are several characteristics of a great crisis management team:

• They have taken part in regular incident and crisis management exercises as a formed team

• They understand the strategy of their organisation

• They are action-oriented and consider their input into the wider conversation very carefully

• They represent Operations, HR, IT, Communications, Finance, Legal, Security (physical and digital), Risk and Production

• They have the complete buy-in of senior leadership

• They have the mandate to make decisions, engage with outside stakeholders and place accountability on other areas of the organisation to get things done

• They religiously adhere to a crisis management process to structure how they work together, without allowing this to limit their response options

• They understand the specific dynamics of risk to their organisation – without becoming mired in the technical detail

Implementing a strong crisis management strategy

A consistent cross-departmental approach is required to ensure that the crisis management strategy that you introduce is understood and implemented. To achieve this you should:

Identify and agree:

• Critical organisational processes;

• Interdependencies between these critical processes and other parts of the organisation;

• Recovery priorities for these critical processes; and

• Minimum resources required for the recovery of these critical processes.

After this has been achieved you should:

Establish:

• and communication lines;

• Business continuity strategies;

• A plan framework, structure and content; and

• The roles of people and priorities to apply.

The better your people understand their roles and responsibilities and who they should report to if they have a concern, the more likely your organisation will be able to mitigate the risk of an incident.

Implementing safe travel policies

Every organisation should have a safe travel policy for business travellers. This should be split into sections including before departure, during the journey, on arrival, while travelling, during your stay and on departure.

You should objectively assess your travel management process: this should apply escalating measures to low, medium and high risk trips. The diagram below shows the types of activities that should be undertaken for each level of trip risk, and some key questions to ask of the entire travel management process.

Diagram keys: Key to all trips undertaken; Key to medium and high risk trips; Key to high and very high risk trips

Activities:

• Carry out trip risk assessments based on trip details provided by travel teams or travellers: these should look specifically at the trip to inform the decision to travel, hotel locations, methods of travel, and timings of a trip

• Access to online resources (such as country information) for useful and detailed travel advice

• Identify specific risk reduction measures from the trip risk assessment: what security measures? What insurance?

• Senior leadership review and approval of high risk trips, and preparation for managing a possible crisis

• Carry out a policy and procedure review to assess your existing planning and process

• Carry out workshop training and review for all functional managers covering the trip risk assessment process

Key questions:

• Are you receiving notifications/keeping updated on high risk countries your travellers are visiting? Are these timely and detailed enough?

• How are you keeping insurance coverage appropriate and consistent? Are your trip risk assessments focussed on the trip itself, not just the country?

• Are you clear on when you should activate crisis management plans? Are you getting additional support for long term travellers?

• Do you have operations room support in an emergency, if required? Is this already provided by insurance coverage?

Pre-departure

• Make sure that somebody in the office has a copy of your itinerary and contact details.

• Make photocopies of your passport, visas and tickets and keep them separate from your passport, wallet or purse.

• Know the laws of the country you are in and do not break them. Find out if anything, such as alcohol, is banned.

During the journey

• Travel in casual clothes. Do not wear expensive watches or jewellery, or use expensive luggage.

• Carry any sensitive information in your hand luggage.

• Do not use a business card as a luggage label, but do use your business address and phone number.

On arrival

• Arrange to be met when you arrive. Agree a discreet way of identification in advance to avoid the use of signs displaying your or your company’s name. Confirm the credentials of the person who is meeting you.

• Only use an official and not an independent taxi.

• When you check in, do not disclose your occupation, company name, position, or the name of the organisation you are visiting.

During your stay

• Confirm your arrival to your office and call in regularly.

• Register with your national embassy if required.

• Only leave your passport at reception if required by law, and retrieve it as soon as possible.

While some of this may seem like common sense, it is important that all employees take the correct steps to ensure their safety while travelling to reduce the risk of assault, robbery, kidnap and ransom. These are just some of the things employees should consider while travelling. Your risk management and HR departments should carry out an assessment of the likely risks employees will face and provide suitable advice for your organisation’s individual circumstances.

Implementing natural disaster risk plans

Weather-related crises can be just as destructive as a security threat. They can interrupt trading and require a costly clean up, resulting in a significant loss to your organisation. While the UK is unlikely to experience a on the scale of 2017’s Hurricane Harvey or the fire damage experienced in California in 2017, flooding can also cause mass damage.

From heavy downpour to coastal flooding, water damage can occur in many ways and it is near impossible to anticipate when a flood will strike. You should double-check that you have the correct insurance in place to protect your organisation should it incur any damage as well as business interruption cover to help you get back on your feet.

As well as the correct cover, if your organisation is located in a high-risk area then a tried and tested flood response plan is also essential should a flooding incident occur. Providing your broker and insurer with a thoroughly prepared water risk response plan, as part of an effective BCM programme, helps demonstrate you appreciate the risk and can respond effectively. It may also enhance your risk profile for a potentially lower premium and may be a deciding factor in securing your cover in a marginal situation. A flood plan should include the following steps:

• Check your existing property cover for exclusions

• Listen to the weather forecasts daily or set up a severe weather warning so that you can prepare for flooding

• Have an evacuation plan and test it regularly – just like you would with a fire drill

• Allocate responsibilities such as turning off the electricity, alerting your insurer and speaking to customers and suppliers, making sure you know who is responsible for what

• Document your supply chain including critical vendors, contractors, partners, suppliers and customers

• Document your key equipment or machinery and identify contingency replacements

• Document your key information including finance, legal, banking, HR and insurance files

• Back-up your computer data and systems and store them off-site

• Make a contingency plan including alternative office locations and emergency communications such as a switch to mobile phones

• Communicate and test the plan so that everyone knows what to do and when

• Annually review the plan and revise it where it is no longer relevant

Cyber resilience healthcheck

As a starting point, we recommend you complete the checklist overleaf. Whenever you have answered ‘Yes’ to the questions in bold you may have an exposure. If you have answered ‘No’ to these questions there is less likely to be an exposure so, provided that you are confident in your answer, you can move on and ignore the questions under that heading.

In May 2017, the WannaCry Ransomware virus infected thousands of computers, preventing affected users from accessing their data until a ransom was paid. This included Nissan, FedEx, and critically, the NHS where staff were unable to access patients’ test results, X-rays and records and as a result operations and appointments were cancelled. The amount collected globally was less than $75,000 and it is suspected the impact on the NHS was unintentional. Yet whether or not the hackers intended to cause this damage, out-of-date software allowed the virus to spread at a rapid pace, reinforcing the importance of regularly assessing and addressing any cyber risks.

Heading: Loss or theft of employee or customer information from organisation's computer systems. Compliance with the requirements of the General Data Protection Regulations (GDPR)
Exposures:
• Do you keep employee or customer information electronically? Yes / No
• Are customer credit card or bank details kept on your systems? Yes / No
• Are these details encrypted? Yes / No
• Do you have an IT policy in place regarding the handling of this type of data? Yes / No
• Do you have a stable finance team? Yes / No
• Do you use temps in your finance team? Yes / No
• Do you update security software as soon as advised? Yes / No
• Do you have a privacy policy in place governing your collection of private data? Yes / No
• Are there automated checks and audit trails built into the financial systems? Yes / No
• Do new supplier bank details need FD approval? Yes / No
• Are checks made monthly on funds leaving the organisation's account? Yes / No
• Are there flags set to highlight where and when donor information leaves the system? Yes / No

Heading: Spoof websites - establishment of websites that may look and feel just like yours, but is taking funding away from you
Exposures:
• Do you operate a website? Yes / No
• Do you regularly check for spoof websites, e.g. using Google Alerts? Yes / No
• Do you have a process in place if someone reports a spoof website? Yes / No
• Have you discussed what to do with spoof websites with the police? Yes / No
• Have you discussed what to do with spoof websites with your Service Provider? Yes / No
• Have you been successful in identifying spoof websites to date? Yes / No

Heading: Denial of service attacks on websites - resulting in you being unable to collect payments, issue sales invoices, or just provide information to your customers, employees or suppliers
Exposures:
• Do you operate a website that provides you with an income or provides your customers with assistance? Yes / No
• Are you PCI compliant? Yes / No
• Do you have someone monitoring your website for attacks? Yes / No
• Do you have a process in place if your website is attacked but the attack is not successful? Yes / No
• Do you have a process in place if your website is successfully attacked/corrupted? Yes / No
• Have you discussed what to do with your Internet Service Provider? Yes / No
• Have you discussed what to do with the police? Yes / No
• Is there an established recovery process? Yes / No
• Has the recovery process been successfully triggered before? Yes / No

Heading: Loss of supporter data by third party suppliers/partners - whether by human error or deliberate act and the release of personal information to your supporters.
Exposures:
• Do you permit data to leave your system? Yes / No
• Do you have a contract with a third party that clearly defines what they can and cannot do with your data? Yes / No
• Do you conduct due diligence to ensure that the contract is being complied with? Yes / No
• Are you certain that third party staff are well trained on data protection? Yes / No
• Are you certain that third party staff are all employed and not temporary in nature? Yes / No

22 23 Chapter 3: Respond

Your organisation and people must be empowered with the tools needed to respond in the event of an incident or crisis. Ensure you and your people can respond effectively to any security crisis through training and awareness, coordinated crisis management planning and appropriate insurance cover. All employees should know their roles and responsibilities should a crisis occur and plans should be tested regularly to help reduce panic. Organisations should take a cross-departmental approach where functions such as risk, HR, security, finance, communications, legal and IT work together to understand, prevent and respond effectively to the broad range of threats and risks that exist. Risks need to be modelled realistically and managed well. Educate your people on how best to recognise and respond in a crisis. Your incident and crisis management team should coordinate training in areas such as:

• Evacuation – the orderly removal of staff and customers from the building usually due to a fire or other incident within the building.

• Invacuation – staff and customers made aware of an emergency and moved to the most sheltered areas within the building (away from external windows and other exposed areas). Invacuation is typically employed if moving outside would increase the risk to staff e.g. a bomb threat nearby, toxic fumes in the air.

• Lockdown – Lock external doors and windows and take immediate shelter in a secure location such as a cupboard or locked meeting room until such time as the all clear signal is raised. Lockdown would typically be invoked as a response to a security incident/threat.

These emergency drills can make the difference between life and death and are relatively easy to write into a policy and rehearse. The success of response is again founded in excellent planning. Cool heads should prevail, which is much more likely when delegated individuals – the crisis coordinators – take the lead to ensure everyone follows an agreed crisis response plan. These plans won’t be detailed for every scenario. Instead the plans should be short, principle-based and stress-tested to enable rapid decision-making and communication at times when there will be a vacuum of information and panic and pressure from stakeholders on all sides. Emergency contacts for insurers, IT providers, and other incident and crisis response experts should be carried by all coordinators at all times. Response is also where the value of your people training will become clear.

In most cases of terrorism, the ‘run, hide, tell’ advice of the UK’s counter-terrorism police should be followed.


Every team member with computer access should also be trained in the ways of identifying and responding to common cyber-security threats like phishing e-mails and social engineering ploys. The latter seek to obtain access to systems by scamming employees into revealing sensitive information, or clicking on dangerous links to unwittingly download malware.

Tools to manage in the event of a crisis

In the event of a crisis, it is important to have a well-rehearsed plan in place which provides guidelines on how to respond to potential threats. With so many varying threats, it is clear that one plan will not be suitable for every circumstance which is why you need to have a number of different plans in place which respond to varying levels of severity.

The key plans you should have in place are:

Business continuity

This type of plan aims to anticipate and reduce the risk of an event before it happens. It is normally made up of a number of different approaches including crisis management plans and insurance. The overall aim is to understand how this can impact your organisation and provide a clear method for dealing with potential threats.

Crisis management

Crisis management plans outline how the organisation will respond in the event of a major crisis such as a terrorist or cyber-attack. These events can have considerable impact on your organisation, stakeholders and the public and if poorly dealt with, can incur significant financial and reputational damage.

Disaster recovery

This plan takes place after an event occurs and is designed to assess what has happened, how it could be prevented in future and how the organisation can get back on its feet.

Emergency management

Emergency management planning outlines ways to coordinate and manage the first response team should an incident or crisis occur. This includes how to staff an emergency response team including how to assess potential performance, how to plan emergency arrangements and how to train your chosen staff.

For each plan you should use the four pillar ‘Anticipate, Prevent, Respond and Recover’ process, taking the time to identify any gaps and ensure that these are accounted for. Once again, each plan should be regularly tested so that everyone is aware of their responsibilities and adapted if it is no longer fully relevant.

"Communicating internally during an incident can be one of your biggest challenges if you have not considered all of the options and made adequate preparations. Many of the tools you would use to find contact details and send messages will be missing or severely impacted. It's essential you know how to make contact with key people and prepare in a way that's right for your organisation and its culture.

Your communication planning needs to articulate in detail how this will work in practice for the crisis management team as well as how to cascade messages across the organisation in a clear, consistent way. By discussing, documenting, regularly updating and testing this process, you will save time, energy and valuable resources during a time of crisis. Issuing regular communications internally, even when there is seemingly no "new news" will help to maintain a sense of calm, especially when people feel disconnected during an incident, and will allow your crisis management team to focus on other concerns."

Global law firm

The immediate crisis response process

Once the plans have been formulated, the following process should be enacted at the beginning of the crisis and followed through. The diagram below shows how the initial issue which causes the crisis is communicated, and to whom, during its early stages.

[Diagram: the immediate crisis response process. Boxes: Issue identified; Crisis team leader is notified; Urgently convene the team; Set the scene; Go through the questions process on page 28 to analyse the situation; Inform senior leadership; Set responsible, accountable, consulted and informed (RACI) matrix, identify roles & responsibilities (WHO, WHAT, HOW, WHEN); Manage the crisis.]

Once the Crisis Management team has been convened it should begin to answer some key questions to inform decision-making: this is the point at which teamwork, and the dynamics of the group, will have an important impact on the quality of the outputs and, to a great extent, the overall management of the crisis.

• Priorities: What are the priorities of the organisation and crisis management team?
• Strategy: How could this issue damage the organisation's strategy?
• Evidence: What evidence do you have that you know to be correct?
• Scoping: Establish the best case, worst case and most likely scenarios
• Hypothesis: Identify your hypothesis of what might have happened
• Next steps: Identify all the immediate actions you need to take
• Audiences: What audiences need to hear your message? How is it tailored?
• Messaging: What's the message of the organisation to these audiences?

These analytical questions serve to create four sets of work streams – when put together, they form the core of the roadmap to manage the crisis in a dynamic and pragmatic way. The complex and rapidly changing nature of a crisis means that it is not easily managed using long, verbose plans developed in advance: training and exercising the crisis management team, and carrying out one-on-one mentoring with crisis team members, will ensure they have the confidence to use this analytical process to identify the activities which will have the greatest positive impact on the situation at hand.

Decision points
• What decisions still need to be made?
• What dependencies?
• Who makes the decision?

Actions
• What can be done now?
• Who does it?
• Who resources?

Information
• What do we not know?
• Who do we know?
• Do we have this information yet?

Messaging
• What are we saying?
• How should this change?
• Different for which stakeholders?

Natural Instincts in a Crisis

“Survival training isn’t so much about training people what to do – you’re mostly training them not to do certain things that they would normally think to do,” says John Leach, a psychologist at the University of Portsmouth who survived the King’s Cross fire disaster in 1987. He estimates that in a crisis, 80-90% of people respond inappropriately.

In a disaster, the speed at which we think through our options goes from bad to worse. The brain’s first port of call is to flood with the “feel good” hormone dopamine. This may seem counter-intuitive, but though it’s usually associated with reward pathways, dopamine also plays a crucial role in preparing the body to face danger. It triggers the release of more hormones, including adrenaline and the stress chemical cortisol. And this is where it gets messy.

This cocktail of hormones shuts down the prefrontal cortex, which sits behind the forehead and is responsible for higher functions such as working memory. Just when we need our wits the most, we become forgetful and prone to making bad decisions.

If we can’t rely on our natural instincts, the best way around the mental fallout is to replace unhelpful, automatic reactions with ones that could save your life.

Extracts from an article by Zaria Gorvett 12 July 2017 http://bbc.com/future/story/20170711-what-not-to-do-in-a-disaster

Tools and technologies in action

There are myriad tools and technologies available to assist modern crisis management teams: some of them high tech (such as social media monitoring platforms or shared incident reporting) and some of them low tech (such as whiteboards, posters and pens). A good crisis management set-up should have a mix of these – the only commonality is that any tool should:

• Have a purpose in the overall crisis management plan;
• Be suitable to the organisation’s structure and culture;
• Be trained into members of the crisis management team and their supporting staff.

Any crisis management team should have tools prepared to answer the following questions – attempting to come up with ways of working in the middle of a complex incident will only distract from the objectives at hand.

• How are we going to record information in the room?
• How will the team interact with each other?
• How will we communicate securely across the organisation?
• How will we take account of our people?
• How will we communicate and monitor on social media?
• How will we disseminate actions across the organisation in support of crisis management?
• How are we going to escalate to senior leadership or specific functions?
• How will we get access to specific organisational IT systems?
• How are we going to record and preserve evidence which could be needed in court or by the police?

Use the above questions as a tick-list when assessing tools or technologies: how many of these questions does the tool or technology answer? What would be the return on investment given the cost of the tool or technology? If you begin looking at multiple tools or technologies which would have to be used in parallel, ensure there is some kind of interoperability – but this doesn’t always have to be technical. A whiteboard will work just fine with a social media monitoring platform, it just means some human effort might be required.

When considering technology solutions it’s also critical to assess their resilience: if there is no internet access, for example, how would it be used? Such technologies should always fit into the organisation’s broader disaster recovery arrangements.

Media and crisis communications process

[Diagram: media and crisis communications process. Labels: Gather facts; Analyse; Make decisions; Communicate; Review.]

In the London terrorist attacks in 2005, mobile phone networks were closed to the public as part of the Metropolitan Police emergency response. That means organisations should also look to other media for their communications channels as part of their response plans to arrange for employees to either request assistance or ‘check in’ as safe.

An up-to-date list of contacts should be compiled and maintained to ensure that prompt contact with the right people is made in a time of need including:

• Customers (wholesale/retail)
• Transportation companies
• Consultants
• Crisis Public Relations
• Product Safety specialists
• Laboratory Analysts
• Trade bodies
• Health & Safety Executive contacts
• The Press

Social media impact and uses

Details of the incident emerging on social media from members of the public can have a detrimental impact on how the Crisis Management team navigates the issue, escalate it further and cause longer lasting reputational damage. For much of the 20th century a crisis was managed ‘at the speed of sound’: traditional media such as print, television and radio broadcast snippets of news at easy to expect intervals. Teams had more time to prepare cohesive statements, competently link their message to actions already being taken, and generally had a better understanding of how to engage with a far smaller number of journalists and commentators which set the overall news agenda.

Crises now play out ‘at the speed of light’ and often in public view.


Communications are transmitted globally in a fraction of the time and form part of a constantly evolving storm of opinions, conversations and conflicts which can temper or inflame the message which has been carefully crafted by a crisis management team. Social media can also create new components to the crisis, or transform existing problems faster than an organisation can effectively deal with them.

Conversely, social media is also likely the greatest crisis management tool ever developed. It has democratised the way in which brands can engage with millions of customers, stakeholders and influencers. There’s no excuse for a crisis management team to shy away from utilising this tool to tailor its crisis response and spread its message to a much wider audience than was possible previously.

The social media response to a crisis falls into two phases: the ‘initial spike’, and the ‘long tail’.

Phase 1: The initial spike

A social media component to a crisis isn’t always guaranteed. Many serious issues faced by organisations remain intensely private and may never generate any media interest: kidnaps are a good example of this. But when the crisis does hit the mainstream news the social media response is almost always immediate.

The ‘initial spike’ is the period where the crisis is under an intense spotlight. Thousands or hundreds of thousands of social media posts per hour relating to the brand and the issue at hand overwhelm corporate communications teams and muddy the already difficult task of navigating the complex issues surrounding a crisis. This is the period in which missteps can have significant initial consequences, and publicly traded companies experience sharp initial drops in share value in a knee-jerk reaction by markets.

The ‘initial spike’ is characterised by:

• An exponential increase in social media chatter involving the organisation.
• A period of between 12-36 hours.
• Widespread misinformation regarding the crisis, the organisation and its response.
• A very pronounced ‘peak’ after which social media engagement drops precipitously.

This period does, though, present some key opportunities that any well-trained crisis management team should take advantage of. The vast amounts of information generated on platforms such as Twitter and Facebook can be used by the team to better understand the scope and nature of the crisis it’s facing: physical security incidents, for example, begin to be documented in almost real time through videos, images, eyewitness accounts and live streams. Similarly, this information can be used to tailor the response to reputational crises by understanding popular grievances against the brand.

The two images on the right demonstrate the power of the initial spike: in April 2013, an Associated Press Twitter account was compromised and the attacker used this access to post a false report of an attack at the White House. The reaction was immediate – the tweet was shared thousands of times, and major stock markets like the Dow Jones went into freefall until the situation was resolved.


Crisis management teams should look to do the following during the ‘initial spike’:

• Ensure that there is a dedicated social media monitoring team that can provide two inputs into the overall process:
  • Specific, operational information sourced from social media (such as eyewitness accounts).
  • An analysis of sentiment (positive, negative, indifferent) towards the organisation and its response, and a summary of popular opinions and grievances which can be used to tailor social media messaging.
• Make social media a key pillar of the corporate communications strategy, and provide regular updates on how the crisis is being proactively managed and what actions are being taken to remedy the problem.
• Ask staff not to share their own inputs or opinions on social media to ensure this doesn’t dilute the message of the crisis management team, and also to avoid a member of staff’s opinion being taken as fact or an official statement.

Phase 2: The long tail

The ‘initial spike’ drops off as quickly as it appeared. Online communities move onto new topics of discussion, the market self-corrects shareholder value, and the news cycle begins to be dominated by other international events. What is left is the ‘long tail’.

In many ways, this period can be the most damaging to an organisation’s reputation, credibility and value in the long term. The ‘long tail’ is a period of heightened interest in the organisation and the issue at hand: social media chatter is not as high as the ‘initial spike’, but it remains at consistently elevated levels for a period of two weeks to one month. This is the phase in which investigative journalists will begin to probe and analyse the response to the crisis and the organisation’s successes and failures: this is where the real judgement begins to take place, and key stakeholders such as investors, suppliers and large B2B customers form lasting opinions of the organisation.

The ‘long tail’ is characterised by:

• Consistent and elevated social media interest in the organisation.
• A reduction in misinformation being shared as influencers such as journalists provide greater context.
• Greater damage being done by leaks from the organisation, possibly outlining a poor or botched response to a crisis.
• Connections being made between the recent crisis and previous actions or decisions taken by the organisation which contributed to or exacerbated the issue.
• The formation of long-term opinions and judgements as to the efficacy of the organisation’s response to the crisis.

This is also the period where organisations experience a false sense of security, as at face value it seems the crisis has ended, and so neglect ongoing social media crisis management activities which could have a real effect on long term opinions. This is the time to be proactive even though overall social media engagement has reduced.

Crisis management teams should look to do the following during the ‘long tail’:

• Provide clear direction on the organisation’s message regarding the crisis itself, and its response to it.
• Ensure there is very close liaison between social media teams and crisis/corporate communications to ensure everyone reflects that message accurately.
• Continue taking concrete actions which can be shared on social media to reassure stakeholders that the organisation isn’t neglecting post-incident responsibilities.
• Begin internal investigations and lessons-learned processes to identify the root causes of the crisis and the effectiveness of crisis management actions.
• Share selected findings from post-crisis investigation and be open and candid on social media about what may have gone wrong, why, and how it will be remedied.
• Engage very proactively from organisational social media accounts with ‘influencers’ who are still discussing and analysing the crisis.

"Understanding the tools you have available during an incident and ensuring people know how to use them is critical. Emergency messaging tools are different and it is important that tools are suitable for your organisation and how you plan to use them. For example, if using WhatsApp groups on personal rather than work mobile phones, consider whether people are willing to share personal contact details and if so, do they have the app installed and know how to send and receive messages, add people to the group if required, and keep unnecessary chat to a minimum. Setting ground rules at the outset is essential. Also be mindful of legal and regulatory considerations when using personal rather than work devices."

Global law firm

We have identified three crises to demonstrate the characteristics of social media response.

United Airlines – 9th April 2017

A passenger became injured and bloodied after he was dragged from his seat by airport police before a flight departed from Chicago to Lexington, Kentucky. A video of the incident involving the passenger, David Dao, was captured on a video phone by a fellow passenger. The video rapidly went viral and tapped into a broader frustration with major airlines, suspicion of the actions of large corporates, and anger over the actions of isolated law enforcement officers in other parts of the United States.

It was obvious the incident had escalated into a corporate crisis, and United began to experience the power of social media – both the difficult to control ‘initial spike’, and the even more damaging ‘long tail’ phase.

Social media activity:

The graph below shows all Twitter activity one month before and one month after the United Airlines incident, where one high activity peak can be identified and a subsequent three week period where there was heightened social media engagement compared to the norm.


Share price activity:

The graph below indicates how incidents have both short and long-term effects on a company’s share price. There was a temporary steep decline in United Airlines’ share price directly after the incident, though the price soon returned to previous levels within a fortnight, after United laid out fresh plans to shift the policies and culture of the company. However, the graph also shows longer term effects on the price of shares as analysts discovered United was falling short of promises made by management post-incident.

PepsiCo advertisement – 4th April 2017

PepsiCo released a video advert starring Kendall Jenner in April 2017, sparking controversy as it was widely criticised for appearing to trivialise pro-social justice demonstrations and being insensitive to the ongoing Black Lives Matter movement. This is a good example of a purely reputational crisis which was inflamed as influencers began to link PepsiCo’s actions to the ongoing, and highly politicised, issue of civil disobedience in the West.

Social media activity:

The graph below shows all Twitter activity one month before and four months after the Pepsi advertisement, where one initial spike of high engagement can be identified.


Share price activity:

Pepsi’s share price fell slightly in the immediate aftermath of the advertisement’s release in April and social media backlash as the markets experienced a knee-jerk reaction to the news. At the end of May PepsiCo Inc were in talks to acquire All Market Inc, causing a related spike in its share price. From this point on the company’s value can be seen to fluctuate, until it reached a peak during mid-to-late August. On 4th September, Kendall Jenner broke her silence about the advertisement saying, “It feels like my life is over”. This brought the topic back into the media and initiated a fall in share prices directly after.

This is another good example of a company focusing on the ‘initial spike’ on social media which precipitated the crisis in the first place, and being broadly successful, but suffering greater damage in the ‘long tail’ phase.

Borussia Dortmund – 11th April 2017

At approximately 7pm local time the Borussia Dortmund football team were traveling to their home Champions League quarter-final match in Germany against Monaco when three explosive charges detonated, injuring one policeman and player Marc Bartra. A Russian-German man was arrested ten days later and accused of carrying out the attack to cash in on the inevitable drop in the club’s share value. In the hours before the attack the suspect had bought 15,000 ‘short stock’ options for the team, effectively betting on a drastic fall in price.

Social media activity:

The graph below shows all Twitter activity one month before and one month after the Borussia Dortmund incident, where one high activity peak can be identified (the ‘initial spike’) and several smaller subsequent peaks which would constitute the ‘long tail’. The initial social media interest in this case stemmed from its connection to football, a professional sport with high levels of social media engagement, and the ‘long tail’ was generally focussed on the unusual motive of the attacker and did not damage the club’s long-term reputation.


Share price activity:

The bombing had the outcome the assailant had hoped for in that it caused an immediate drop in the price of the team’s shares. However, after the suspect’s arrest and news emerged of his motive, the price of shares rose once more to pre-attack levels. The Borussia Dortmund bombing is a unique case: the explicit objective of the attack, to cause a long term drop in the club’s share price, meant that it ended up having the opposite effect. The club experienced a surge in solidarity and the bombing had very little long-term effect on .

Chapter 4: Recover

When events do happen, a key goal is the swift return to business-as-usual as far as possible, by use of effective BCM. From a financial perspective, recovery requires the collection of indemnities for insured losses such as business interruption, and the swift repair of systems. A relocation plan may need to be executed. If a crisis elsewhere impacts upon supplies, pre-arranged back-up alternatives should be implemented.

After the Borough Market attacks in London 2017, Cannon & Cannon butchers said that the stock, trade and employment damages they have incurred as a result of the attack were around £30,000. As their head office is located in Borough Market they were unable to trade and as a result they have lost one of their largest supply contracts – potentially putting their entire organisation at risk.4

Dealing with business interruption

While many organisations have some form of terrorism or crisis resilience cover in place, they are often unaware that it may not extend to losses from business interruption such as those incurred after the Borough Market terrorist attack in July. This is why it’s important to have an insurance policy which protects against non-damage business interruption, where an organisation cannot trade due to an event which is not situated directly on their premises.

Most companies recognise its importance, with our survey5 indicating that 82% of respondents considered BI to be the most important insurance to have in the event of a terrorist attack. For many organisations, however, their BI insurance is not adequate. Property and BI policies generally exclude the risk of terrorism and will not respond if the loss is caused by a terrorist act.

Companies need to arrange separate cover specifically for terrorism, but calculating the correct sum to insure can be difficult, with many organisations struggling to get this right due to lack of understanding, poor advice, a desire to save premiums and, often, the belief that it will not happen to them. When calculating insurance gross profit figures, risk managers need to give proper consideration to what costs can be excluded.

Organisations need to ask themselves some serious questions – will they let employees go after a loss and then re-recruit when the organisation is back up and running? Is their indemnity period appropriate, not just to recommence trading but to get back to the same position as before the loss? Organisations may not consider themselves to be at direct risk of a terrorist attack, but they should consider whether they are in the vicinity of a potential target or customers or suppliers to a potential target. If the answer is yes, then they are automatically at a higher risk than they might have thought.

Reviewing plans and processes

While we have discussed this at numerous points through this guide, we cannot stress enough the importance of developing a programme which responds to a number of different eventualities from risk management to crisis response to recovery. This is not a one-off task; it should be reviewed regularly and edited wherever responses are no longer relevant. The plans should be tested regularly so that should the worst happen, each employee knows their responsibilities and is able to respond in as cool and calm a manner as possible. Being prepared and introducing a culture of resilience can make all the difference in case of a crisis.

The role of leadership

As the above information demonstrates, crises can have a significant and sudden impact on a business and so it is crucial that the leadership team deals with these in a timely, informed and objective manner. Whether the “leadership” in a crisis situation comes from the business’ executive leadership team or its crisis management team, it is their role to ensure:

4 http://www.insure24-7.co.uk/terrorism-insurance-cover-vital-/
5 http://uk.ajginternational.com/crisis-resilience-report/

• Plans are in place to, as much as possible, avoid a serious crisis situation, and that all employees are aware of the business continuity and emergency procedures to follow.
• Crisis communications procedures are followed in a timely manner and that all key parties have a thorough understanding of the situation at hand and are therefore able to respond consistently and appropriately.
• Decisions, however complex or stressful, are made and are based on all information available at the time thus removing any potential bias, assumptions or premature actions.
• Strategies, objectives and processes put in place by the crisis management team are followed in each crisis situation, are informed by a cross section of the business and are reviewed on a regular basis.
• Decisions and actions are recorded and reviewed post-incident.

Decision making in a crisis can be extremely challenging and can have serious negative psychological effects, so preparation and training are vital in providing leaders with the tools and techniques needed to make informed, strategic decisions in a situation characterised by uncertainty.

Business Interruption Insurance

You can purchase a Business Interruption policy that insures against loss of profit and increase in cost of working / higher overheads resulting from, for example, fire, storm damage or machinery breakdown. Most Business Interruption policies will include increased cost of operation to provide reimbursement for additional expenditure incurred by you in order to avoid or reduce a reduction in turnover following an insured event. You will need to identify the extra costs that could arise and also determine how long it will take you to get back to business as usual. Finally, you will also need to think about whether all of your customers will return immediately when you get back to normal operation. Losses can seriously disrupt cashflow, and your insurance arrangements will need to provide appropriate protection.

Additional cover is available to protect interruption to your business due to supply chain disruption.

EXPLAINED: Buying insurance and buying business insurance - an Airmic Guide 2016

Office flood – getting the basics right

Pre-planning, rehearsals and great communication and across business units proved to be key to managing a major flood at a Central London office.

Having key empowered individuals managing the incident and recovery led to a successful outcome

A UK based retailer who has head office facilities in central London suffered a major flood in the basement area of one of their offices - the basement being occupied as office space

The retailer had plans in place for incident reporting, communications and response which ensured that the matter was escalated quickly with local management empowered to make immediate decisions to secure the site, make safe and have operations transferred to one of the retailer’s other London offices.

This transfer was possible because of pre-planned contingency arrangements with ‘hot desking’ and technology solutions which allow flexibility of managed space within the portfolio of the retailer’s premises within the Capital.

Emergency contractors and ‘salvage’ teams were immediately enlisted with the cause of the water ingress quickly identified. Communication with affected colleagues was quick and efficient due to up-to-date contact information and practiced ‘call tree’ exercises.

The business was not interrupted in any noticeable way and recovery back to normal operations was speeded up due to pre-planning, excellent collaboration across internal and external teams and tasks being understood and actioned without fuss and with full knowledge and backing of senior management.

The internal insurance team was at the hub of the recovery communications and actions with early notification to the premises landlord and identification of the party responsible for causing the water damage - so the costs were minimised and substantially recovered from other parties.

The individuals leading the ‘on the ground’ emergency and recovery work and the insurance department personnel involved were all experienced incident managers who knew what to do, where to go for assistance and the routes to solving problems – all with clear goals, namely; minimum disruption, clear communication to all and minimum cost.

Conclusions

Recent events have proved that the world can be a dangerous and unpredictable place. From Las Vegas to Barcelona to Manchester and London, indiscriminate terror attacks are increasingly becoming the norm and new technologies mean that anything including vehicles and homemade explosives can be used to incite terror. No organisation should shelter under the misconception that they are too small or unlikely to be targeted, as many attacks are indiscriminate.

It is a sad reality that these fast-evolving security threats can impact organisations of any size, sector or geography and while the greatest risk exposure does come from terrorism, it is actually non-damage business interruption which can wreak the most havoc such as denial of access to premises after being caught inside a large security cordon, loss of trade due to people’s nervousness to frequent areas where attacks took place, or unplanned evacuations due to heightened threat levels.

This doesn’t mean that your organisation cannot reduce the risks you face. Your organisation needs to be resilient and adaptable to today’s threat environment and while insurance is a key part of this, so is a robust risk management scheme teamed with a culture of resilience. You should work to anticipate threats wherever possible and put measures in place to help prevent them occurring. In the event of a crisis you should have a plan to help your employees to safely respond to the threats they face including emergency management and evacuation procedures. Finally, you should have a recovery plan in place to help your organisation back on its feet after a crisis and to help your employees recover from any emotional trauma following the event.

In conclusion, a tried and tested risk management plan such as the ‘Anticipate, Prevent, Respond and Recover’ strategy can help your organisation to save lives and ensure that you can respond and safeguard those to whom you owe a duty of care.

Bibliography and other useful resources

• BS65000: Guidance on organizational resilience. British Standards Institution – 2014
• BS11200: Crisis management – guidance and good practice. British Standards Institution – 2014
• Roads to Resilience – Building dynamic approaches to risk to achieve future success – A report by Cranfield School of Management on behalf of Airmic – 2014
• Roads to Ruin – A study of the major risk events; their origins, impact and implications – A report by Cass on behalf of Airmic – 2011
• Building a Culture of Crisis Resilience – A report by Gallagher, in conjunction with YouGov – 2017
• BCI Good Practice Guidelines 2018 edition: The global guide to good practice in business continuity – Business Continuity Institute – 2018
• EXPLAINED: business continuity management – Airmic 2017
• EXPLAINED: risk and managing risk – Airmic 2018
• Travel risk management Guide – Airmic 2017
• EXPLAINED: buying insurance and buying business insurance – Airmic 2016
• GDPR Guides – Airmic 2017 and 2018

6 Lloyd's Avenue London EC3N 3AX

Ph: +44 (0) 207 680 3088 Fax: +44 (0) 207 702 3752 Email: [email protected] Web: www.airmic.com EXP-0012-0218