• cyber event
• natural disasters.
Let's now look at the RMIA survey findings about the four
key plans, and see how they compare to other surveys and
studies around the globe.
Per the survey, here are the percentages of respondents who
said that their organisations had the following plans in place:
• Business Continuity Plan: 75 per cent
• Crisis Action Plan: 33 per cent
• Cybersecurity Crisis Response Plan: 26 per cent
• Crisis Communication Plan: 21 per cent
The business continuity plan figure matches closely with
the results of a recent survey by a major United States
That survey found that while larger businesses had business
continuity plans in place, about half of all small businesses
were operating without a business continuity plan -- and
many thought that having insurance was good enough.
Other surveys covered the other plans. A European public
relations survey showed that 65 per cent of organisations
had a crisis action plan in place, but only about 20 per cent
felt that they were adequate, and that they were prepared
to handle a crisis.
While 70 per cent of respondents to the RMIA survey felt that
cybersecurity was a major risk area, only about one-quarter
had a response plan. This is mirrored internationally in a recent
study that found that 60 per cent of companies only had a
partial process in place for cyber defence -- and 11 per cent
reported no process at all. Only about 15 per cent reported
that they were well prepared for a data breach.
While more than half of larger companies had a
Cybersecurity Crisis Response Plan, very few of them were
integrated with their Crisis Action Plans, or supported by
their Crisis Communication Plans. For those organisations,
cybersecurity is seen as an IT issue, not an enterprise one.
Small businesses, which are also being hit at a growing rate,
are even more unprepared. Only 10 per cent have an internal
IT manager who is focused on technological defences and
issues, and few have a cyber plan of any kind.
The RMIA survey results, showing that only about one in
five organisations had a Crisis Communication Plan, reflect
results found in other international surveys.
Most of those surveys also showed that few organisations
had clearly defined communication processes for
identifying and reporting a crisis, or clearly defined
roles, such as who would speak to the media and to
stakeholders on behalf of the organisation.
And yet, as I've said before, communications is one of the
most important functions during a crisis.
What can you do?
What are some things that you can do at your organisation,
based on the results of the survey of your peers?
First, find out if your organisation has each of the four key
plans (even if only partially). If they don't exist, then point out
the risk that this absence poses to the organisation.
Second, since thorough risk assessment is the foundation
of the development process for all four key plans,
your role as risk manager is crucial to ensuring that
your organisation starts with the most complete and
appropriate threat and risk assessments. Take action, and
be a part of any plan development.
Based on your input about risk, better decisions can be
made on what's needed, and how to mitigate or respond to
those threats and risks through the four key plans.
Third, work with your communications team to help explain the
risks, develop the crisis communication plan and its supporting
products, and ensure that critical communication elements
and processes are identified and included in all of the plans.
Finally, become a proponent of testing, reviewing and
training to the plans as part of the overall mitigation for risks
and threats. Thorough exercising and testing will reveal
gaps and problems in the plans that need to be fixed.
Training helps staff members to understand their roles in
processes that they might not perform normally. Just having
a plan won't mitigate or reduce risk if no one knows what
the plan is or what their role is.
Some trends and issues
To wrap up this article, I will summarise several trends
and issues that emerged from some of the questions and
discussions during and after the keynote events.