V.F.3 Crisis or Emergency Management
Crisis or emergency managementThe financial services industry uses the terms “crisis management” and “emergency management” interchangeably. is the process that allows the recognition of a crisis, activation of a BCP, and management of emergencies. Crisis or emergency management includes the ability to recover from a major event through predefined leadership and communication. Not every event warrants a crisis or emergency management response. Management should consider the impact of a crisis or emergency on the entity’s reputation and personnel. For example, management may invoke crisis or emergency response procedures during a natural disaster, cyber attack, or other high-profile event.
The crisis or emergency management portion of the BCP should address coordination with regulatory agencies, local and state officials, law enforcement, and first responders. Scenarios should detail disruptions, and not be confined to a single event, facility, or geographic area. Also, crisis or emergency management plans should address simultaneous disruptions of telecommunications and electronic messaging, including between the entity and third-party service providers.
Management should designate key personnel from applicable departments to act during a crisis or emergency situation, commensurate with the entity’s size and complexity. Designated personnel should be authorized to make decisions in a timely manner. Key personnel may include:
- Senior management for leadership.
- Facilities management for safety and physical security.
- Human resources for personnel issues, travel, and relocation.
- Media relations for managing communications.
- Finance and accounting for funds disbursement and financial decisions, including unanticipated expenses.
- Legal and compliance for legal and regulatory concerns.
- IT, including information security, and operations for specific tactical responses.
Communication protocols for a crisis or emergency event should include contact lists and other viable methods to reach personnel and other stakeholders who may be called upon during a crisis. The contact list should be distributed and accessible to key personnel and should be verified and updated regularly. Management should be able to communicate with personnel located in isolated areas or dispersed across multiple locations. Procedures should enable employees to report their status in a centralized manner and obtain current information. Crisis or emergency management communication protocols should include provisions to contact the entity when normal communication channels are inoperable.
Notification systems can be manual or automated. In less complex environments, manual communication techniques, such as call trees, are often used; however, information gathering can be time consuming, and responses can be unreliable in a crisis. Maintaining contact information can become unwieldy for large entities; therefore, automated solutions may be used.
V.F.2 Disaster Recovery