Does a centralized crisis management structure make sense?
My colleague Christopher Rivera attended an inter-agency exercise where he had a few heated discussions on the topic. He argued in favor of a decentralize model with centralize support (Lootok’s philosophy), whereas a number of his colleagues at the table argued for dedicated central crisis management team that did everything. His colleagues at the table believe in Power to Center, where Lootok believes in Power to the Edge.
The desire to centralize is our natural predilection to try to simplify things and codify procedures to create predictability and reduce errors. The problem with Power to Center, an autocratic centralized model, is that it requires control, prediction, time, and universal knowledge of everything. Unfortunately, control is not possible in complex adaptive environments where there are many independent actors. Control requires prediction as well adequate levers of manipulation. Both requirements are in little supply in the crisis environment. Time is always working against us in today’s global 24/7 environments. In global organizations, knowledge of the local environment and threat effects are necessary to be able to optimally manage and respond to a spectrum of threats. The centralize desire to take the human element out of everything, which is the most important factor in the equation, is almost irresistible.
In complex environments, orderly processes and centralized decision making are ineffective. We also can’t codify a set of procedures for a nonlinear complex event because we have to take the context into account. Independence and improvisation are essential. Decentralize structure (local, country, regional) works best when the threat is within the leadership command and control accountability and responsibility.
Why? Because hidden beneath any crisis is a problem. Once that problem has been identified, we can generate options and solutions and evaluate what to do. This is why the first step in a command and control framework is to Understand.
We begin by understanding what we know, what we don’t know, and what we need to know about the problem. We perform this process by using problem-solving framework (we like Dan Roam and his creative approach described in “Back of the Napkin: Solving Problems with Pictures”), identify missing information (critical information requirements), and using our intelligence system (ISR - intelligence surveillance reconnaissance) to develop situation awareness, intent, and common ground. With Understand, we answer basic questions such as 1. What is the problem? 2. What is our involvement in the problem? 3. Why is it important? 4. What is the historical perspective? Once we understand where we are (point A), we can define our desire end state (point B) through a visualization process.
Visualization is the second step in a command and control framework. Through the visualization process we define our area of operation (area of conflict + area of influence), define variables, estimates, and measures, as well as define intent and common operating picture. Once we have broad concepts of how to shape the current conditions into our desire end state we can describe our understanding and visualization that brings clarity to the situation as well as facilitates action.
Underpinning Understand, Visualization, and Describe are the goals and solutions we determine appropriate for the situation. Goals determine how we assess the situation and the more we learn about the situation changes the nature of the goals. The entire process is dynamic, unpredictable, and based on context.
Each organization is unique and requires a model that works best for them; however, general structure and characteristics are necessary for any crisis management structure. The crisis management primary goals are to create conditions for success, facilitate planning, and provide leadership. Here are three (3) considerations when evaluating an organization’s crisis management structure:
… or EPS—which usually stands for “earning per share,” but we commandeered the acronym because decentralized model will help protect your EPS.
First Consideration: The Risk and Crisis Environment
Before we do or decide anything, we need to consider the attributes and characteristics of the crisis management environment. The crisis environment is defined as a nonlinear, complex, environment, which is a situation with high stakes, time constraints, inadequate information, ill-defined goals and procedures, unclear starting and ending points, and extreme dynamics. This environment is riddled with uncertainty, friction, chance and chaos.
Decentralize – Managing and responding to a specific local threat requires decentralized model.
In the crisis environment, prediction is low and adequate levers of control are limited, making orderly processing and centralize decision-making ineffective, because control is not possible in complex and adaptive environment. The best we can do is to ensure behavior stays within acceptable bounds. We also cannot codify a set of procedures for a nonlinear, complex, event. Why? Because we have to take the context of the situation into account. Under such conditions, teams in contact can often see and act on immediate opportunities and threats better than their superiors can. Delegating authority to subordinates helps teams adapt to the situation quickly and better respond to the threat.
Centralize - People in the crisis can quickly become overburdened with communication requirements, status updates, and support requests. A centralize function, such as a global security operation center (GSOC), can assist by acting as a clearinghouse for communication, updates, and coordination of stakeholders, while the local team is focused on the situation. The centralize communication hub needs to accommodate internal and external messaging. Additionally, the centralize mechanism can collect and aggregate information from multiple global sources to produce intelligence that the teams “on-the-ground” can use in their decision-making. It can assist with coordinating efforts across environments and entities.
Second Consideration: People
Leadership is responsible for the company’s culture. Culture contributes to crisis management by providing a set of principles that give people the confidence and comfort needed to make decisions. It suggests a course of action to take—people make decisions, have relationships, and take action. One goal for a leader in risk and security management - crisis management is to train their organization to survive and thrive in uncertainty—an environment of instability and a continuous state of persistent threats. Leaders delegate authority for decision making to the levels that can acquire and process the information adequately.
Decentralize - In crisis situations we need people with experience, tacit knowledge, and intuition. The crisis management structure must allow people to improvise and act independently. People closest to the situation will need to respond with a combination of situation awareness and situation leadership. That’s why a proper risk and security management – crisis management system supports freedom of action and decision-making—both attributes improve team performance and allow the team to recognize opportunities and react without needing to get permission first. With that improvisation and independence comes a desired trait of a delegation to expertise, not to a title or position. Local leaders are typically familiar and knowledgeable about local and regional threats. These leaders know how the system works—economically, politically, culturally, legally, etc.
Centralize – Nonetheless, certain decisions and problems are solved best with a centralized mechanism. Depending on the local operations, type of situation, and local expertise, a centralize function can step in and take over control. Situational leadership will be defined by the situation as it relates to the operating environment.
Third Consideration: Structure
The crisis management structure must align with the business model and accountability, value proposition, channels to market, and product/service characteristics. The people in charge, by rank or assignment, are responsible for crisis management. They need a structure that is unified, synchronized, and fluid. The specific crisis management structure depends how the threat relates to accountability, roles, responsibilities, required expertise, and the context of the situation. The structure will define the reporting process and how decisions get made.
Decentralize - Evaluate the Areas of Operations (AO) to assist in determining a structure. AO includes the physical and informational areas of influence (i.e., what we can directly influence) and interest (i.e., what concerns us). Locally, crisis teams will need to integrate, coordinate, and collaborate with local business partners, government agencies and authorities, as well as their local communities.
Centralize - The centralize structure, which comprises of full-time expertise, can fill multiple roles depending on the situation. For example, a centralize function can deploy what is sometimes known as a “tiger team”—a group of people that can assist the local team. The centralized structure serves as advisory unit and administrative support. A good example is product recall, the number of which has escalated over the last decade (see this CNN article for an enumeration). A local site may be better suited for product incidents, whereas a centralized function may be better at product recalls.
The Role of Centralized Capability
The role of a centralized crisis management capability is to provide infrastructure—common, consistent, and standardized processes, training, and tools, as well as specific expertise. It ensures compliance through monitoring, tracking, and reporting. A desired trait of a crisis management structure is to centralize crisis support such as administrative tasks (e.g., auditing, methodology, training, after action review [AAR], reporting). Centralize support encompasses items that are expensive (e.g., global security operation center, mass notification tools), specific expertise (e.g., infectious disease expert, threat intelligence partner), and procurement. The structure should allow the organization to think globally, yet act locally.
A centralized capability provides time-of-event support by assisting with building, and maintains common operating picture (COP), situation awareness (SA), threat intelligence, and communication at a higher level, but also for the organization and stakeholders. The goal is to foster freedom of action and decision-making.
But we don’t want everyone doing whatever he or she wants before, during or after a crisis. Managing crises and incidents isn’t everyone’s day job, and leaders can and do go rogue. A centralized capability provides the support needed when needed. People will need guidance and advice. A centralize function needs the authority to impose consequences to ensure expected behavior, standards, and quality are met. Centralized function provides the necessary controls measure to ensure people and teams do not impede on one another.
The above desired traits of a crisis management structure are necessary to be able to manage and respond to a spectrum of threats, creating conditions for success, and still run the business. The principles in this article can be used to manage the downside—and—upside of risk.