Professional Documents
Culture Documents
Crisis Management
Crisis Management
• WHAT’S AT STAKE?
• WHAT THE FUTURE HOLDS
oo Introduction by CPNI
oo Deterrence Communications
• ANNEX
1
CIPR FOREWORD CIPR FOREWORD
2
3
CIPR FOREWORD
4
5
RESEARCH
6
WHAT’S
AT STAKE?
Introduction by Director, CPNI
7
WHAT’S AT STAKE?
8
Deterrence Communications:
thwarting hostile actors from
targeting your site or organisation
COMMUNICATIONS CAN
HELP DETER TERRORISTS
A hostile actor will plan and prepare for Hostiles will not necessarily be discouraged
an attack. Once a hostile has fixed on by security provision, per se; simply having
the site, sites or organisation they wish to CCTV, guards or a particular fence or lock
target for a potential attack, they will want will not suffice. An organisation needs to
to make sure that they give themselves promote these security measures effectively
every chance of success. To that end, they to the hostile. If a hostile believes a site
will gather information from a range of has excellent security measures due
sources including people, online research to what they’ve read online, seen on a
and physical reconnaissance to inform poster or witnessed through their physical
their plans. And it is this information reconnaissance, it may be enough to
that is within the gift of communications deter them from their target altogether.
professionals to control and manage. This process has the added benefit of
reassuring staff and visitors; they will
What this will take is thinking like a hostile feel that they are in a safer environment.
and asking the question “What can we
say that will put off a hostile, but not CPNI has helped organisations develop
upset our normal customer or site user?”. ‘Security-Minded Communications’
The answer to the question is the use of messaging and campaigns. These assets,
‘security-minded’ communications to deter; along with guidance materials, can be
dissemination of messages that will hint at provided by CPNI; see Annex 2.
security measures in place without giving
the game away.
9
DETERRENCE COMMS
PARTNERSHIP: POLICE,
PUBLIC AND INDUSTRY
The cooperation between the
police, public and industry is a
powerful defence against terrorism.
Consequently, attacks have been
prevented and lives saved.
10
COMMUNICATIONS
TOOLKIT
WORKING WITH For example, the organisation will
THE POLICE*
be required to work closely with the
police to disseminate police-originated
Fundamental to handling a terrorist communication; this will ensure
incident on the ground is the police lead information is accurate and anything
on communication; organisations should placed in the public domain does not
not communicate directly to external compromise a criminal investigation.
audiences on anything related to the
The same rules will apply for any
incident. Police forces work to a shared
major incident where there is a criminal
‘Major Incident Plan’ and as such are
element or a natural disaster, such as
set up to communicate directly to the
fire, flooding where the circumstances
public en masse during a major incident.
are outside of the organisation’s control.
What is incumbent on the organisation All risks should be considered as part
is to have a relationship in place with of the organisation’s risk assessment and
the local police prior to any incident preparedness. The police will always be
occurring. This will include understanding the first port of call, but depending on
the well-rehearsed procedures and the incident, it may be that a government
processes the police have in place for the agency will take the lead; your local
operational and communications aspects police contacts will be able to advise
of a terrorist incident. you on the correct protocol given the
nature and cause of the incident.
* in a non-cyber incident.
11
A TOOLKIT IN THREE STAGES: TOOLKIT
12
THE IMPORTANCE
OF LEADERSHIP
An essential part of being prepared is having Other factors that contribute to
the right communications leader in place. a security focused culture include:
They will head up the crisis team and be
• Empowerment: staff should know
expected to make fast, clear decisions under
how they can contribute to security in
pressure, manage resources effectively and
terms of precautionary action, ongoing
demonstrate a range of responses on behalf
maintenance and response to incidents
of the organisation they represent, both
practical and emotional. • Awareness: customers/visitors should
understand the need for security, how
The organisational leader, for example the it will impact on their experience and
CEO, must also demonstrate leadership in what to do if they suspect a problem
a crisis. As the most senior representative
of the business, they are expected to show • Relationships: strong relationships
compassion and reassure stakeholders that should be cultivated at all levels within the
the organisation is in control. They will need business, and with external stakeholders
to work closely with the communications including contractors, suppliers, local
leader both during and after the crisis to authorities, the police and other emergency
ensure that the organisation is as effective services, community groups and nearby
as possible. businesses.
The ultimate aim is that organisations are
Good leadership starts before a crisis.
doing all in their gift to deter potential
A strong security conscious culture must be
hostile actors from targeting them, and are
embedded within the business from the start.
fully prepared if an incident does happen.
This can help prevent a potential crisis and
ensures that the foundations are in place if
something does happen. Communicators
should contribute to contingency plans,
lead the crisis communications strategy,
put the right skills and resources in place,
and develop positive relationships with
key partners and stakeholders in advance.
13
TOOLKIT
14
MAKE A PLAN
A crisis communication plan should be • Holding statements: a selection of This plan should also cover what to do after
a core component of any organisation’s responses suitable for a range of incidents, the initial crisis, including how to help the
risk preparations. It should be developed ready for issue (with minor amendment) team and organisation recover (see page 22
following a detailed risk analysis looking in the initial phase of the crisis for more).
at potential issues and possible solutions. • Roles and responsibilities: within the
Typically, these issues relate to an organisation, including the designated
organisation’s people, assets, property person for emergency planning and PUTTING IT INTO PRACTICE
and operations, and the plan is there managing crises. Identifying spokespeople
to guide action and communications. and team member’s specific job roles, Once the plan has been approved, it is
and externally, with appropriate partners. important to test it. Training and desktop
For incidents involving hostile actors exercises are a great way of doing this.
• Wellbeing: the crisis lifecycle can be It involves bringing the team together that
on the ground, further preparation is
lengthy and involve 24/7 working. Shift
required. As with other crises, these will be working together in the event of
patterns and recovery time should be
happen without warning. However, as a crisis.
identified. Potential partners (e.g. extra
they often involve public safety, there resource from an external agency or
is further pressure to get things right; another internal department, such as The internal team should include:
understanding how police processes marketing or HR ) should be included. • Communications department
and protocols work is key to planning.
• Contact list: key team members • Other company departments,
It is important that the plan is adapted and external stakeholders,
relevant to the crisis, e.g.
over time. This should reflect changes including media (as required)
oo Designated person for managing
in the organisation, new potential risks, • Systems: details of logins, process
updated guidance, and insights gained for corporate channels (e.g. amending the crisis
from test incidents and crises elsewhere. website or switching to dark site), oo Security
technical guides, building access details oo Legal
While the course of action will vary • Resources: templates, action plans, oo IT department (if it is a cyber-attack)
for different crises, the principles
corporate imagery and briefing materials
of the plan will be the same. • Core management team
(e.g. fact sheets), communications log,
and executive board
email and WhatsApp groups, “grab
Suggested areas for inclusion are:
bags” (e.g. phone charger, water, change • External PR support (if the plan requires it,
of clothes, basic toiletries, information for example at the recovery stage)
• Communications policy: the
packs). If the police are taking the lead
communications process for an incident, Externally, familiarise yourself with the
there will still be a requirement for the
internal chain of command, police role of your Local Resilience Forum (LRF).
organisation to provide supporting
protocols, expectations of staff, and LRFs are multi-agency partnerships made up
resources, but your comms will not be
activities (including relevant channels) in the front line for communication to of representatives from local public services,
the media. including the emergency services, local
15
TOOLKIT
authorities/councils, the NHS, the Environment
Agency and others. These agencies are TOP FIVE
LESSONS LEARNT:
known as Category 1 Responders, as defined
by the Civil Contingencies Act. They work in
emergency preparedness, and take the lead 1. Communications team is aligned
on training. LRFs have a communications with operations within the business
sub-group and they will be your main point and key decision makers, from
of contact for your own incident planning. management through to key
department heads
It is important to do this in “peace-time.”
This allows you to test processes and, 2. Security culture has been built
more importantly, build relationships and is consistently reinforced
with the people you will be working with if
something goes wrong. This effort will be 3. Relationships have been built
hugely beneficial if a crisis does occur; the in advance with strategic
key people will already know each other and partners (e.g. police and other
have a level of rapport. They will also already emergency services)
have tested out the systems and processes
and spotted any gaps or issues that need 4. Detailed plan is in place, including
to be addressed. policy, holding statements (including
provision for following the police
It is also a good idea to look beyond the lead), roles and responsibilities
organisation and the crisis team, and build and resources
relationships with any nearby residents or
businesses. They will also be affected in 5. Crisis plan is regularly revisited
the event of an attack, and will look to the and tested
organisation for guidance and reassurance.
16
Communication during an incident
By planning well, practising frequently PUTTING THE PLAN control methods to remain in control
and having in place a co-ordinated effort; of the messaging to your staff, and be
as well as understanding the vital role INTO ACTION appraised of police communication.
of strategic communications; a crisis can
As we have said on page 15, practising your
be well handled and well communicated.
WORKING WITH
plan for an incident is vital. For now, when
the incident has hit, you need to ensure your
THE POLICE
Communicating bad news well, is now
expected of all major organisations. As the role as the lead communicator is conducting
result of actions of a hostile actor, the police a well-rehearsed orchestra, not scrabbling
During a terrorist-related incident on
will have the lead role in communicating to around for the music stands.
the ground, organisations will be required to
external audiences in an effective and timely disseminate police-originated communication;
“You cannot do enough planning. If the
fashion. However, the target organisation this will ensure the information is accurate
will remain important and should reinforce computers are down, you need to have
and anything placed in the public domain does
messaging and ensure that consistency a hard copy of the communications plan.
not compromise the criminal investigation.
and accuracy are maintained. If the police, Grab bags with phone chargers, boots
or government department are not the and waterproofs etc. At Parsons Green The police will have a pre-prepared, and
designated point of contact for the media, I was there for 12 hours. And you need rehearsed, communications plan including
the organisation should act quickly to take to know where the car parks are near messages, holding statements and lists of
the lead, and position itself as a source your base if public transport is down.” media contacts. It will be down to them to
of truth. Jo Hall, Police force. communicate around the incident, whether
that be telling the public what they should
“The person in charge of communications If you have not practised, this stage will do if they are caught up in the incident, or
must have the gravitas, confidence and be worse than difficult. The research providing reassuring messages. Sensitive
experience to be able to contest and report states the importance of communication around casualties is strictly
suggest messages.” ‘Practice. Practice. Practice’. controlled by the emergency services.
Laurie Bell, Wiltshire Council.
Your plan should be clear, concise
and most importantly have very clearly DO NOT FORGET THE
stated roles and responsibilities. INTERNAL AUDIENCE
Ensuring everyone knows who oversees Any organisation has an internal audience
what, and who has authorising powers is who can quickly become external detractors,
vital. Even in non-hierarchical organisations, or advocates. You will have very little time
you must now employ command and to get them involved. The golden hour
17
TOOLKIT
18
LOOK AFTER YOUR TEAM WORKING IN PARTNERSHIP SOCIAL MEDIA
The communications team are likely to need It is more common for public sector Be guided by police advice on social
back up, for example to triage media calls and networked organisations to have media use.
and, updating of website, or circulation of arrangements in place to share staff when
hard copy information internally if online a hostile act occurs e.g. terrorism attacks. The public is looking for personality
systems fail. Ensure you have that in place Police forces will move communications from social media. Organisations must
and call on it. This may include shadow staff around the country to support other show some emotion in times of attack,
members of staff, drawn from elsewhere in forces, and the NHS has a long history of but should lay down ground rules for
the business and with an understanding of sending in staff from other organisations what is acceptable. The police will be on
how the communications function works. to support the organisation under hand to advise on what should be shared
Send some of your team home as soon as attack. Ensuring they can hit the ground with the public, but avoid images of the
the incident hits, it will be hard for them, running is vital. If your organisation is part incident itself or traumatised members
but you will need at least one experienced of a network, e.g. local CBI, Chamber of of the public. Instead, focus on safety
communications lead for every shift. Commerce or Small Business Forum (e.g. police onsite), tributes or recovery.
consider calling on colleagues to assist
Be aware that in terrorist attacks, some you. The Chartered Institute of Public Twitter is first, then Facebook.
of the team may be concerned about work Relations may also have contacts who can Keep consistency and keep in control.
colleagues or their own family members; assist. Do not be afraid to ask for help. Even if you have nothing to update, say so.
be on hyper alert and ensure there is
support from across the organisation “To keep continual relationships with If the organisation is issuing its own media
and from partner agencies. stakeholders (i.e. local businesses, statements, be prepared for more complex
emergency services etc) so that if there sign off, especially if the situation becomes
“Sending press officers to the scene – IS a crisis, you know the people and a criminal incident or one of national
not sure that was such a good idea as can count on their immediate support.” importance. Her Majesty’s Government
they can be traumatised later and unable (HMG) will get involved if this is the case.
to do their jobs as fully as they might.” Leisure.
Police force. (For additional staff brought in to support “It is a play off between speed of messaging
the team) “have packs ready of stuff they and accuracy. People expect information
Think carefully about what staff may see need to know – where the toilets are, and immediately. It does not matter if it is
when visiting the incident site. In a terrorist the canteen, logins for access to email.” totally accurate – but it is important to
incident, it may not be necessary to send a
member of staff to the site. However, if a visit acknowledge something is happening
Police. immediately. Operations colleagues prefer
is necessary, it is often valuable to buddy
up a communications team member with to wait for all the information and then
an operational member of staff or member put out a message. But it doesn’t work.”
of your security team. Ensure consideration Transport.
is given to the provision of ongoing
professional counselling support.
19
TOOLKIT
TOP FIVE
LESSONS LEARNT:
1. Review your resources and try
to have a back-up team in place,
from a partnership organisation,
other parts of your own organisation,
or an external source.
20
21
TOOLKIT
22
23
TOOLKIT
XXX
Ensure all staff, not only those who have Make sure you undertake some evaluation.
been on the frontline of the incident, have Debriefing and allowing people to talk is
access to support and be aware that it may important. Ensure you capture what went
be some time before people realise they well and what could you do better next time;
need support; organisations should have and reiterate the offers of help to staff.
a rolling programme of easy to access,
confidential support.
24
CONSISTENTLY DON’T PLAY INTO
CONSISTENT THE HOSTILE’S HANDS
Keep monitoring social media, and ensure It is important to use the right language
that you are continuing to offer messages and not to glorify, nor to make value
of reassurance and assurance that your judgements or exercise partiality when
organisation is learning from the incident it comes to descriptors around terrorism.
and changing the way it operates.
For example, use of the word “terrorist”
The leadership team must be visible to describe the perpetrator is generally
to staff and stakeholders, consistently not advised.
communicating that a comprehensive
action plan is in place, supported by See Annex 3 for links to further information
a strong two-way communications plan on this.
to rebuild trust with all of those who’ve
been affected; service users, customers,
stakeholders, regulators, et al.
25
TOOLKIT
XXX
26
Dealing with different types of incidents
27
MASS ATTACK
28
A CYBER ATTACK
Cyber attacks bring the focus incident quickly. There will also be • NDAs may be in place which constrain
onto the organisation possible repercussions, in terms of both communications, preventing full
the impact on the data subject and the transparency and the dissemination
Cyber attacks come in a range impact on the organisation’s reputation. of information
of forms. Examples include:
In terms of the data subject, their security In addition, information disclosure can
• Denial of Service (DoS) attack, which be of benefit to the hostile actor, making
is at risk. They should be contacted as
seeks to “crash” websites by having it difficult to communicate truthfully.
soon as possible to say their data may
multiple traffic sources accessing
have been compromised, so that they
the server at the same time “We had to strike the right balance of
take precautions while the organisation
how much disclosure; on the one hand
• A virus that infects the network causing investigates more fully. This is both good
we wanted to be truthful and honourable
systems failures practice and a requirement under GDPR,
but without giving ammunition to
which states a duty to report personal
• Data breaches, where compromising the bad guys. We were ahead and in
data breaches to the relevant authorities
information is accessed, such as staff control of the story and this stopped
within 72 hours.
records or customer payment details some of the negative points being used
Further communications should follow, against us. It is a balancing act in the
There is a different dynamic with cyber
sharing the findings of any investigations communications sphere.”
attacks as the IT department often takes
the lead and not the police. However, and how further breaches will be prevented. Cyber.
the communications team should not
be overlooked. The same approach Challenges with a cyber attack: The way the organisation handles this
described elsewhere should be followed, situation has the biggest impact on
• The problem can originate as a result reputation. If poor processes have resulted
with communications professionals
of non-compliance by a third party, in the issue then blame will be apportioned.
bringing the relevant people together
for example an operator of the system, A proactive response to solve this issue
to prepare for and manage the crisis.
or supplier testing the relationship can mitigate this and help the organisation
Using a data breach as an example, speed • The involvement of suppliers and move forward from the crisis.
is of the essence as it often compromises third parties in the technical space can
user privacy. It is important to understand obfuscate roles and responsibilities
the potential nature and scale of the for comms teams
29
CYBER ATTACK
30
THE STAGES OF A CRISIS
Flowchart
The flowchart below sets out the key
considerations for the planning, handling
and recovery stages of a crisis.
CRISIS PLAN PRACTICE EVENT
DEVELOPED CARRIED OUT
While every crisis has its
differences, these actions should
all occur in some form. It is
important that consideration is
given to both the operational MEDIA AND UPDATES AS
and emotional needs of the SOCIAL APPROPRIATE
organisation and its stakeholders, MONITORING • People first
and sufficient time is allocated • Show empathy
(Intervention as required)
for planning and recovery. • Be in control
• Internal and external
Source: CIPR audiences
RESOURCE
MANAGEMENT
(Including team welfare
as crisis continues) CRISIS ENDS
31
FLOWCHART
KEY:
Before During After
PLAN MAINTAINED
CRISIS HOLDING
AND UPDATED
OCCURS STATEMENT
AS REQUIRED
SCHEDULED
CRISIS PLAN CRISIS TEAM
ACTIVITY
ACTIVATED MEETS
CANCELLED
32
WHAT THE FUTURE HOLDS
From the CIPR and CPNI
As this guidance goes to press the threat good sense in terms of risk management this initiative will pave the way for a range
level for the UK from international terrorism and communications readiness. of training and publicity activities.
– i.e. from groups such as the Islamic State
in Iraq and the Levant (ISIL) and Al Qaida–as Although there are some fundamental The CIPR has communicated this guidance
set by the Joint Terrorism Analysis Centre differences between a terrorist incident to its members, and through them to the
(JTAC) is ‘severe’ which means “an attack and a more conventional crisis compromising organisations they work for as well as to
is highly likely”. But as the recent events product or service operation – the principle a network of representative organisations
of Christchurch New Zealand have thrown of having a communications plan in place across the UK. CPNI likewise will be rolling
into sharp relief, the threat is not just from and rehearsed is no different. The impact out the guidance to its security fraternity.
international terrorism but from “extremist, of a terrorist attack on your organisation CIPR is planning a Webinar followed by a
right-wing" terrorism. or site is no less damaging on business series of practitioner workshops; at these
continuity, reputation and share price than we will share what organisations have told us
It is a stark reminder of the breadth and a conventional crisis but with the added worked well and less well in their handling of
depth of terrorist causes in the UK and dimension of human loss and complexity. crises. The guidance will also be publicised
around the world. No organisation can It is to be expected that there will be widely within the communications and
afford to be complacent to their potential a multiplicity of stakeholders involved security industries.
vulnerability. The UK – its citizens and from central government, the counter-
businesses – need to be vigilant and on their terrorism and security agencies and the Fundamental to the success of this work,
guard for activities in public places and in emergency services. and ultimately the improved readiness of
the corporate environment that strike them UK-based business for a terrorist incident,
as being unusual or suspicious. The role We hope by dint of our endeavours is the need for collaboration between the
of your publics–staff and customers alike we can make ourselves less of a target. security and communications functions.
– is key here. And while it is never going to This guidance is a first and marks the And although the partnership between
always thwart the planning of a hostile act, beginning of the work the CIPR and CPNI CIPR and CPNI will facilitate this, it is up
it is possible on the one hand to reduce are doing jointly to educate and train the to seniors representing these functions
vulnerability to being the target of one, and twin professions of communications and to make that collaboration work in practice.
on the other to plan for the worst. Planning security. Both organisations lead the way The research undertaken to inform this
for a terrorist-inspired incident – whether and provide best practice in their fields guidance material shows that relationships
in the physical or cyber world – makes and the partnership we have forged through between security and communications
33
THE FUTURE
34
Annex 1 – About the research
PROFILE OF
ORGANISATIONS
METHOD & SAMPLE ORGANISATION
& SECTORS
& CRISIS HANDLED
Police forces
• Oxford St. (suspected incident)
• Parsons Green
Local Authority
• Finsbury Park
Education • 7/7 (2005, London bombings)
• Salisbury novichok poisoning
• Cyber attacks including WannaCry
Note – Market Research Society (MRS) guidelines and respondent requests for anonymity preclude disclosure of further information
on research participants.
35
Annex 2 – ‘Security-Minded Communications’ ANNEX
Security-Minded Communications is What characterises communications strategy and shape security messaging.
an approach developed by CPNI. It is undertaken by organisations in furtherance The guidance can be requested by emailing
designed to equip organisations that of this approach is the active and visible detercomms@cpni.gov.uk
manage sites, venues and events with promotion of the security provision at the
the ability to utilise communications as site/s. Typically activity will comprise a mix
part of their protective security measures. of digital and ambient communications that
Security-Minded Communications is disseminate security messaging, including
designed to help disrupt the hostile actor but not limited to:-
and therefore reduce the likelihood of
criminal activity from taking place. • Digital channels
oo Organisation/site website
It is an approach that many organisations
have taken to help deter hostile actors from –– E.g. banners on the home page
targeting them. One such is a leading events with links to a page that provides
organiser, whose Security Manager says of more security related information
Security-Minded Communications: “It is the oo Social media channels: original
most cost-effective security measure we have
content and reposting of
implemented.” However, for the approach
relevant content from partners,
to be successful the communications team Security-Minded Comms – interactive PDF.
emergency services and police
has to work closely with the security team
to implement. Furthermore, security minded oo Emails to customers and visitors
communications is only as good as the
security provision that underpins it. • Promotional materials and advertising
36
Annex 3 – Resources and further reading
FROM CPNI:- FROM THE POLICE:-
Embedding Security Behaviour Change: Action Counters Terrorism:
https://www.cpni.gov.uk/embedding-security-behaviour-change https://act.campaign.gov.uk/
Identifying the Right Security Behaviours: ACT Awareness eLearning is a CT awareness product that provides
https://www.cpni.gov.uk/identifying-right-security-behaviours nationally recognised corporate CT guidance to help industry better
understand, and mitigate against, current terrorist methodology.
Secure online presence:
https://www.cpni.gov.uk/secure-online-presence Reporting terrorist activity:
www.gov.uk/ACT
Understanding Hostile Reconnaissance:
https://www.cpni.gov.uk/understanding-hostile-reconnaissance Every year thousands of reports from the public help the police
tackle the terrorist threat. If you see or hear something unusual
Recognising the Terrorist Threat: or suspicious trust your instincts and ACT by reporting it in
https://www.gov.uk/government/publications/ confidence at gov.uk/ACT. Reporting won’t ruin lives, but it could
recognising-the-terrorist-threat save them. Action Counters Terrorism. Remember, in an emergency,
always dial 999.
37
ANNEX
Training Courses:
(available from CIPR via www.cipr.co.uk)
Creating your crisis communications plan
Crisis communication
Risk issues management & crisis
Social & digital crisis management
Qualifications:
(available via www.cipr.co.uk)
Specialist Diploma (Crisis Communications)
38
www.cipr.co.uk www.cpni.gov.uk