ISO 22361:2022 - Crisis Management Guidelines: a closer look

In November 2022 ISO released a new guidance standard,  ISO 22361:2022, to provide a structured approach to crisis management. In this article Hilary Estall MBCI, IRCA BCMS Principal Auditor reviews ISO 22361 and picks out the key points.

“Crisis? What crisis?” This phrase has been used in music titles and political books amongst other things. In this article, I take a look at the definition of ‘crisis’, its application and how ISO 22361 walks us through developing a structured approach to crisis management by applying a set of principles on which a crisis management framework can be developed.

Crisis management has been considered in previous ISO and BS documents, notably PD CEN/TS 17091:2018 and BS 11200:2014. ISO 22361:2022 supersedes both of these aforementioned documents, which have now been withdrawn. It has drawn on previous content, in particular from 17091:2018, applying existing methodologies but taking into consideration the broader perspective that many management system standards / guidance documents apply today. It is not the aim of this article to provide a gap analysis between the two documents and accepts that a number of elements overlap.

What’s the difference between a crisis and an incident?

The term ‘crisis’ is often muddled with ‘incident’. The number of crisis management plans I’ve been presented with, only to find they are in fact incident management plans, is alarming. Why are people, or their organizations, so quick to call an incident, a crisis? Are we all hard wired to have a fatalistic approach to life?

For clarification, here are the definitions of both ‘crisis’ and ‘incident’ according to ISO 22361.

A crisis is an “abnormal or extraordinary event or situation that threatens an organization or community and requires a strategic, adaptive and timely response in order to preserve its viability and integrity.”

Various notes follow this definition which include terms such as; “complexity, instability, uncertainty, capability, flexible and dynamic”. You get the picture.

An incident is an “event or situation that can be, or could lead to, a disruption, loss, emergency or crisis.”

The difference between an incident and a crisis is clear.

Another definition I want to include is crisis management because it has altered from 17091. It is now defined as “coordinated activities to lead, direct and control an organization with regard to crisis”. 17091 defines it as “development and application of the process, systems, and organizational capability to deal with crises”. This enhancementinto leadership is seen throughout ISO 22361 and again, is a reflection of the shift in focus and expectation of management system standards.

Crisis management – context, core concepts and principles

ISO 22361 includes a helpful table defining the characteristics of both incidents and crises. The characteristics are broken down into; Predictability, Onset, Urgency and pressure, Impacts, Scrutiny by public, media and other interested parties and Manageability through established plans and procedures. The differences are clear and can be summarised as follows:

Incidents are generally more predictable, provide little or no notice of occurring as well as potentially being the result of a gradual failure. They tend to instil a high sense of urgency, rarely have long term impacts on an organization or render it defunct. If managed successfully, an incident is less likely to attract significant or long term attention. Existing plans and procedures are generally adequate to manage and curtail the long term impact of an incident.

Crises on the other hand are generally unique or rare events, may emerge from an incident as well as occur without prior warning, will always require urgent attention, can impact an entire organization thus potentially having a catastrophic and/or finite impact on it. Crises will undoubtedly attract significant interest and scrutiny from multiple parties and may prove beyond the reach of predefined plans and procedures.

Having, hopefully, clarified the differences between incidents and crises, from here on in, I will focus solely on crises and how to identify and manage them.

Crisis identification, response, and management

As well as strong leadership, responding to a crisis requires flexibility. Being able to consider and apply a response which may fall far outside a ‘normal’ reaction to a situation is critical. Decisiveness, a clear mind, as well as maintaining the organization’s strategic vision, are imperative. Decisions may need to be taken which have uncomfortable consequences but may still be the best solution, or have the least fallout, given the circumstance. Decisions need to be made quickly and with confidence and always based on solid information and situational awareness. Individuals with a responsibility to respond and manage a crisis situation must be competent and have undergone suitable training to be able to endure the pressures of the crisis. The ability to respond to a crisis and obtain the best outcome should not be under estimated.
What might be the source of a crisis? It could;

• Originate from within or outside the organization;
• Be a purposeful act; malice, breach of safety regulation, spreading of miss-information;
• Be politically motivated;
• Result from action taken by a competitor or a takeover threat; or
• Result from a previous incident not managed effectively or caused by an underlying, undiscovered issue.

A crisis may occur following one or more trigger points.

The Principles for crisis management have been clearly laid out for us in ISO 22361 and should be taken as being the bedrock of sound crisis management. They are fairly self-explanatory but come with brief commentary. In summary, they are:

• Governance – the need for clearly understood structures, roles, responsibilities, and competence.
• Strategy – Leadership, clear objectives, allocated resource.
• Risk Management – requires an acute awareness of risk and ability to assess and respond appropriately.
• Decision Making – based on sound information.
• Communication – accurate, credible, and timely information to interested parties.
• Ethics – response should be driven by an organization’s core values and ethical expectations.
• Learning – exercise, training, and learning through experience.

Building a crisis management capability

This is by far the most detailed section of ISO 22361 (Clause 5) but can be summed up very well by the diagram, Figure 1, located in the Introduction:

Source: BS EN ISO 22361:2022 (reproduced with permission).

When reading this section, the words previously used to describe the context, core concepts, and principles are seen again and I can’t help but feel there is an element of padding in Clause 5. That said, further ‘meat on the bones’ is generally considered a good thing if you are starting out in unfamiliar territory and I am sure many readers will find this section helpful. To emphasise my point some of the key phrases we see again are;

• Strategic direction and core values
• Objectives (what and how to be used to manage a crisis)
• Roles, responsibilities, authorities and accountabilities
• Risk awareness
• Organizational awareness
• Competence
• Timeliness
• Value awareness (ethics, sustainability and codes of conduct)
• Information management (identify, filter, prioritize etc.)
• Situational awareness.

Of particular value are the sections covering the Crisis Management Plan (5.3.4.2) and CMT Response (5.3.5.2) which provide the reader with clear guidance to follow in terms of what a Plan should include (and importantly, that it should NOT include specific scenarios), suggested composition of the CMT, (which is likely to be similar to an Incident Management Team i.e. Strategic decision makers and representatives from key business functions). Again, the bullet points for ‘Response’ focus on the need for situational awareness, applying a formulaic approach to meetings, information dissemination, and issuing communications that are easy to digest and follow.

Crisis leadership

Helpfully, we are reminded that organizational status does not automatically transfer into suitable crisis management skills. The need for confidence and to instil a stabilizing effect on those around are key. A comprehensive set of crisis management skills is set out in Figure 4, broken down into four skill sets;

• Tasks
• Interpersonal
• Personal
• Stakeholder Management.

Nothing too surprising here but by breaking it down it helps to reinforce the competencies and should be applied wherever possible to ensure the best fit. It should be the starting point in identifying suitable training, if required.
Thereafter, we have a list of responsibilities for a crisis leader. Helpful, in theory, and possibly a good starting point for a CM exercise, but how easy it is to keep an appointed leader in check during an unfolding crisis I’m not sure. It comes back round to the selection process. Of course it’s not just about the crisis leader. The CMT members all have an important part to play and the effects of a crisis on them must not be underestimated. Suitable support, including training, well-being, fatigue management, and psychological support need to be available and should be extended beyond immediate responders, as required.

Strategic crisis decision-making

This is a particularly useful section when trying to understand what’s behind someone’s ability to make critical decisions in a timely manner whilst trying to avoid a bad outcome. It may be that such a decision doesn’t exist and the best decision available will still lead to a bad outcome, just not the worst outcome.

I won’t try to paraphrase Clause 7 as it’s worthy of your full attention. Needless to say, strategic decision-making should form a significant part of any exercise, crisis management training and learning lessons from real life crises.

Crisis communication

Not surprisingly, this clause contains an assessment of what good crisis communication should look like. We’re used to seeing requirements such as holding statements, approved media channels, and media relations and spokespeople in incident and business continuity management requirements. These are similarly described here, along with other useful pointers such as crisis communication flow, adopting clear and consistent messaging, and identifying barriers to effective communication (avoidable if you develop a good communication strategy).

There is a reminder that use of social media and the opportunities and threats it presents to an organization should, wherever possible, be used to its advantage.

Preparation and practice of crisis communication plans is key. We know one wrong word, sentence, or inflection can cause untold harm.

Training, validation and learning from crises

As well as providing a list of skills crisis team members should be trained in, the most telling statement in this section (in my opinion) is “the strategic crisis management training provided by the organization should address the ability to improvise, innovate and should be flexible when a situation is not addressed by current plans.”

Human instinct is to follow procedures and known paths. We are not easily manipulated and practising these skills, through training, exercising or other means, will be vital to a successful outcome.

The author

Hilary Estall MBCI, IRCA BCMS Principal Auditor is a business continuity practitioner and seasoned management system standard professional. Hilary is a member of the BSI (UK) Technical Committee responsible for input into ISO 22301 and other, business continuity and resilience related management system standards and guidance documents, including ISO 22361. https://pslinfo.co.uk/