BS 11200-2014 Crisis management Guidance and good practice《危机管理 指南和良好实践》.pdf

1、BSI Standards PublicationBS 11200:2014Crisis management Guidance and good practicePublishing and copyright informationThe BSI copyright notice displayed in this document indicates when the documentwas last issued. The British Standards Institution 2014Published by BSI Standards Limited 2014ISBN 978

2、0 580 81196 8ICS 03.100.01The following BSI references relate to the work on this document:Committee reference SSM/1Draft for comment 13/30274342 DCPublication historyFirst published May 2014Amendments issued since publicationDate Text affectedBS 11200:2014 BRITISH STANDARDContentsForeword iiIntrodu

3、ction 11 Scope 22 Terms and definitions 23 Crisis management: core concepts, principles and developing acapability 34 Building a crisis management capability 75 Crisis leadership 156 Strategic crisis decision-making 187 Crisis communications 218 Training, exercising and learning from crises 25Biblio

4、graphy 29List of figuresFigure1Aframework for crisis management 9Figure 2 Strategic decision-making in a crisis 19Figure 3 Crisis communication flow 24List of tablesTable 1 Distinctions between incidents and crises 4Table 2 Key principles of crisis communications 23Summary of pagesThis document comp

5、rises a front cover, an inside front cover, pages i to ii,pages 1 to 30, an inside back cover and a back cover.BRITISH STANDARD BS 11200:2014 The British Standards Institution 2014 iForewordPublishing informationThis British Standard is published by BSI Standards Limited, under licence fromThe Briti

6、sh Standards Institution, and came into effect on 31 May 2014. It wasprepared by Technical Committee SSM/1, Societal security management. A list oforganizations represented on this committee can be obtained on request to itssecretary.SupersessionThis British Standard is based on PAS 200:2011, which

7、is withdrawn.Use of this documentAs a guide, this British Standard takes the form of guidance andrecommendations. It should not be quoted as if it were a specification or a codeof practice and claims of compliance cannot be made to it.Presentational conventionsThe guidance in this standard is presen

8、ted in roman (i.e. upright) type. Anyrecommendations are expressed in sentences in which the principal auxiliaryverb is “should”.Commentary, explanation and general informative material is presented insmaller italic type, and does not constitute a normative element.Contractual and legal consideratio

9、nsThis publication does not purport to include all the necessary provisions of acontract. Users are responsible for its correct application.Compliance with a British Standard cannot confer immunity from legalobligations.BRITISH STANDARDBS 11200:2014ii The British Standards Institution 2014Introducti

10、onThis British Standard sets out the principles and good practice for the provisionof a crisis management response, delivered by the top management of anyorganization of any size in the public or private sector. The intention of thestandard is to aid the design and/or ongoing development of an organ

11、izationscrisis management capability.The standard is intended for:a) top management with strategic responsibilities for the delivery of a crisismanagement capability; andb) those responsible for implementing the crisis plans and structures and formaintaining and testing the procedures associated wit

12、h the capability, whooperate under the direction of, and within policy guidelines, of topmanagement.The standard provides guidance for:1) understanding the context and challenges of crisis management;2) developing the organizations crisis management capability throughplanning and training;3) recogni

13、zing the complexities facing a crisis team in action; and4) communicating successfully during a crisis.The standard has close links with other standards and documents, published andin preparation, including those on:i) business continuity (BS ISO 22301);ii) resilience (BS 65000);iii) information sec

14、urity (BS ISO/IEC 27001, BS ISO/IEC 27002 andBS ISO/IEC 27032);iv) exercising and testing (PD 25666).The standard is not set out as a specification, recognizing that crisismanagement varies from organization to organization and sector to sector. Thestandard is concerned chiefly with the principles b

15、ehind crisis management andthe development of the necessary capabilities that are applicable to any size oforganization.A capability to manage crises is one aspect of a more resilient organization,where resilience is the ability of the organization to endure and continuethrough all manner of disrupt

16、ive challenges, and to adapt as required to achanging operating environment. Resilience requires effective crisismanagement, which needs to be understood, developed, applied and validatedin the context of the range of other relevant disciplines that include, amongstothers, risk management, business

17、continuity management and securitymanagement.The capability to manage crises cannot simply be deferred until an organizationis hit by a crisis, in the hope that it will never happen. It requires aforward-looking, systematic approach that creates a structure and processes,trains people to work within

18、 them, and is evaluated and developed in acontinuous, purposeful and rigorous way. The development of a crisismanagement capability needs to be a regular activity that is proportionate to anorganizations size and capacity.BRITISH STANDARD BS 11200:2014 The British Standards Institution 2014 11 Scope

19、This British Standard gives guidance on crisis management to help the topmanagement of an organization to plan, establish, operate, maintain andimprove a crisis management capability. It is intended for any organizationregardless of location, size, type, industry or sector.2 Terms and definitionsFor

20、 the purposes of this British Standard, the following terms and definitionsapply.2.1 business continuitycapability of the organization to continue delivery of products or services atacceptable predefined levels following disruptive incidentSOURCE: BS ISO 22301:2012, 3.32.2 business continuity manage

21、mentholistic management process that identifies potential threats to an organizationand the impacts to business operations those threats, if realized, might cause,and which provides a framework for building organizational resilience with thecapability of an effective response that safeguards the int

22、erests of its keystakeholders, reputation, brand and value-creating activitiesSOURCE: BS ISO 22301:2012, 3.42.3 media communications managementpro-active engagement with the media to ensure that:a) accurate information is provided;b) coverage in the media, including social media, is monitored to ass

23、esspositive and negative stories; andc) action is taken to provide accurate counterbalancing information where theorganizations reputation is being damaged2.4 crisisabnormal and unstable situation that threatens the organizations strategicobjectives, reputation or viability2.5 crisis managementdevel

24、opment and application of the organizational capability to deal with crisesNOTE See Figure 1 for a general framework for crisis management.2.6 incidentadverse event that might cause disruption, loss or emergency, but which doesnot meet the organizations criteria for, or definition of, a crisis2.7 in

25、terested partyperson or organization that can affect, be affected by, or perceive themselves tobe affected by a decision or activitySOURCE: BS EN ISO 9000:2005, 3.3.7NOTE Often referred to as “stakeholder”.2.8 risk managementcoordinated activities to direct and control an organization with regard to

26、 riskSOURCE: ISO Guide 73:2009, 2.1BRITISH STANDARDBS 11200:20142 The British Standards Institution 20142.9 situation reportsummary, either verbal or written, produced by an officer or body, outlining thecurrent state and potential development of an incident or crisis and theresponse to it2.10 situa

27、tional awarenessstate of individual and/or collective knowledge relating to past and currentevents, their implications and potential future development2.11 top managementperson or group of people who directs and controls an organization at thehighest levelSOURCE: BS EN ISO 9000:2005, 3.2.73 Crisis m

28、anagement: core concepts, principles anddeveloping a capability3.1 Understanding crises and how best to manage themThe definition in 2.4 captures the essence of crises, notably their extraordinarynature and strategic implications for an organization. An organization mighthave established processes f

29、or managing routine disruptions. However, crises canbe dynamic and unpredictable, and become difficult to manage. Crises challengeorganizations, their people, functions and processes unusually, and requirededicated and dynamic management and response.Crisis management is the developed capability of

30、an organization to prepare for,anticipate, respond to and recover from crises. This capability is not normallypart of routine organizational management, and should be consciously anddeliberately built and sustained through capital, resource and time investmentthroughout the organization.Understandin

31、g the conceptual and practical relationship between incidents andcrises is important, and Table 1 summarizes the key distinctions.BRITISH STANDARD BS 11200:2014 The British Standards Institution 2014 3Table 1 Distinctions between incidents and crisesCharacteristics Incidents CrisesPredictability Inc

32、idents are generally foreseeable andamenable to pre-planned responsemeasures, although their specific timing,nature and spread of implications isvariable and therefore unpredictable indetail.Crises are unique, rare, unforeseen orpoorly managed events, or combinationsof such events, that can createex

33、ceptional challenges for anorganization and are not well served byprescriptive, pre-planned responses.Onset Incidents can be no-notice or short noticedisruptive events, or they can emergethrough a gradual failure or loss ofcontrol of some type. Recognizing thewarning signs of potential, actual orimp

34、ending problems is a critical elementof incident management.Crises can be sudden onset or no-notice,or emerge from an incident that has notbeen contained or has escalated withimmediate strategic implications, orarise when latent problems within anorganization are exposed, withprofound reputational c

35、onsequences.Urgency andpressureIncident response usually spans a shorttime frame of activity and is resolvedbefore exposure to longer-term orpermanent significant impacts on theorganization.Crises have a higher sense of urgencyand might require the response to runover longer periods of time to ensur

36、ethat impacts are minimized.Impacts Incidents are adverse events that arereasonably well understood and aretherefore amenable to a predefinedresponse. Their impacts are potentiallywidespread.Due to their strategic nature, crises candisrupt or affect the entire organization,and transcend organization

37、al,geographical and sectoral boundaries.Because crises tend to be complex andinherently uncertain, e.g. because adecision needs to be made withincomplete, ambiguous information, thespread of impacts is difficult to assessand appreciate.Media scrutiny Effective incident management attractslittle, but

38、 positive, media attention whereadverse events are intercepted, impactsrapidly mitigated and business-as-usualquickly restored. However, this is notalways the case and negative mediaattention, even when the incidentresponse is effective and within agreedparameters, has the potential to escalatean in

39、cident into a crisis.Crises are events that cause significantpublic and media interest, with thepotential to negatively affect anorganizations reputation. Coverage inthe media and on social networks mightbe inaccurate in damaging ways, withthe potential to rapidly andunnecessarily escalate a crisis.

40、Manageabilitythroughestablishedplans andproceduresIncidents can be resolved by applyingappropriate, predefined procedures andplans to intercept adverse events, mitigatetheir impacts and recover to normaloperations.Incident responses are likely to haveavailable adequate resources as planned.Crises, t

41、hrough a combination of theirnovelty, inherent uncertainty andpotential scale and duration of impact,are rarely resolvable through theapplication of predefined proceduresand plans. They demand a flexible,creative, strategic and sustainedresponse that is rooted in the values ofthe organization and so

42、und crisismanagement structures and planning.BRITISH STANDARDBS 11200:20144 The British Standards Institution 20143.2 The potential origins of crisesIt is important for people at all levels of an organization to recognize thewarning signs and understand that crises can be initiated in a number ofdif

43、ferent ways, summarized in the following three groups.a) Extreme disruptive incidents that have immediately obvious strategicimplications. These can arise from serious acts of malice, misconduct ornegligence, or a failure (perceived or actual) to deliver products or servicesthat meet the expected st

44、andards of quality or safety.b) Those stemming from poorly-managed incidents and business fluctuationsthat are allowed to escalate to the point at which they create a crisis.c) The emergence of latent problems with serious consequences for trust inan organizations brand and reputation. Such problems

45、 can “incubate” overtime, typically as a result of:1) a lack of governance allowing gradual and incremental slippages inquality, safety or management control standards to go unchecked andbecome accepted as a normal way of working;2) convenient, but unofficial, “workaround” strategies becoming thenor

46、mal routine due, for example, to overcomplicated processes,unrealistic schedules, chronic personnel shortages and lax supervision;3) flaws in supervision and process monitoring, which promote anexpectation of “getting away with” undesirable behaviours or beingable to survive minor failures without r

47、eporting them, or over-relianceon controls to catch all errors, rather than an expectation of qualitychecks that catch only occasional problems;4) blame cultures that encourage risk and issue cover-ups and the lack of ashared sense of mission and purpose, which generate a defensive (if notactually h

48、ostile) “them and us” attitude between staff andmanagement, between different parts of the organization and betweenthe organization and external interested parties; and5) poor training and development of staff and managers, or incrementalloss of skills and knowledge.Many crises have characteristics

49、of more than one type. For example, an extremedisruptive event might appear to have a relatively simple immediate cause, butfurther enquiries might expose systemic weaknesses in how the organization ismanaged, for example, relating to health and safety, exacerbating the initialcrisis and further damaging the organizations reputation. Alternatively,attempting to manage an extreme disruptive event as an incident rather than acrisis can introduce a delay before the crisis is given meaningful strategicattention.Crisis management strategies and act