Every company and every organisation can fall victim to a crisis. The right crisis management is decisive for the course of the crisis. This includes not only acute management, but also prevention. Whether it is a major industrial incident or a minor incident, capable employees and agile crisis management help you to make the right decisions at the right moment. In this article, we discuss what basic measures there are for crisis prevention as part of the crisis management process.
Let’s go!
Crisis prevention (Prevention)
The term crisis prevention covers measures that enable an organisation to avoid, prevent or limit the effects of a disruption (ISO/PAS, 2007). With regard to natural, man-made and technological hazards, the United Nations International Strategy for Disaster Reduction (UNISDR, 2009) in turn sees prevention as the total avoidance of the negative effects of hazards and related disasters. However, since this is not always feasible, it often amounts to mere damage limitation. Therefore, the terms prevention and damage limitation are also often used synonymously.
However, there are other related concepts: risk reduction, for example, is a term very similar to crisis prevention. According to UNISDR, risk reduction refers to systematic efforts to analyse and manage the causal factors of disasters, including reduced vulnerability of people and property, wise management of land and the environment, and improved preparedness for adverse events. Risk reduction, in turn, comes close to what is called risk treatment in the ISO 31000 standard.
The prerequisite and at the same time the goal for successful crisis prevention and damage limitation is a corresponding organisational culture in which this is possible at all. In the field of emergency management, this is also referred to as safety culture. A functioning safety culture consists, on the one hand, of a solid risk analysis and planning, the appropriate technical equipment and, above all, well-trained staff. The essential thing is that pre-crisis prevention and mitigation are not just one-off measures, but are embedded in organisational culture and practices.
Let’s look at a few ways of crisis prevention below:
Risk prevention and elimination
Risk avoidance is a company-internal measure in which the company essentially stops all activities and processes associated with the risk, so that the probability of occurrence of the risk approaches zero. If risks can threaten the existence of the company as a whole because of a high probability of occurrence and/or a large impact or amount of damage, risk avoidance is a good option. The same applies if there is no other strategy to reduce the respective risk and its impact to an acceptable level.
Since corporate activities can have an impact not only on the company itself, but also on customers, suppliers or on society as a whole, national and international regulations, e.g. in the areas of public health, the environment, construction and spatial planning, often limit risks through requirements and prohibitions. This is especially true for companies whose activities can have a strong external impact, as is the case with Critical Infrastructures.
In ISO 31000 parlance, “risk elimination” is a clearly separate option from risk prevention. It refers to the elimination of the source of a pre-existing risk. However, the concept of risk prevention is often also used for risk elimination. In fact, it is sometimes difficult to draw a clear line here. In any case, risk elimination can be understood as the possibility of, for example, completely changing or eliminating an existing risky technology or business practice.
Reducing the likelihood and consequences of a risk
Risk reduction involves taking measures that positively influence the probability of occurrence and/or the consequences of a risk. Provided that a risk assessment has been carried out in advance for both strategies and the risks are known, the risk is reduced to an acceptable level for the company and possible asset losses are limited. Guidelines and limits define at a practical level what risks may be taken and up to what level.
Depending on the risk and context, other measures include safeguards such as controls, changes to management systems, special human resources strategies, the use of contracts, financial incentives and insurance. In principle, risk mitigation is suitable for those risks whose potential impact only affects the company’s bottom line.
However, suitable security measures can also be determined by identifying risk factors. In principle, this should already have been done during the risk assessment. However, as a general checklist, they also serve the risk manager as an early crisis detection tool to identify indicators of crises as early as possible and to take or improve the appropriate protective measures. The most common indicators include human factors as well as technological, organisational, governmental, social and cultural factors.
Risk transfer or risk sharing
If a risk can no longer be prevented or eliminated, companies can share the burden among several shoulders. With risk transfer, therefore, the risk remains with all its consequences. Neither the probability of occurrence nor the effects of a risk are eliminated. Only the bearer of the risk changes. Risks can be transferred in part or in full.
The best-known form of risk transfer is insurance, which assumes insurable risks in return for premium payment. In return, the insurance company may require risk controls on the policy, or vary the amount of the insurance premium. Another common method is the transfer of risks to contractual partners, e.g. by outsourcing to suppliers for the production of certain components. All these measures are intended to ensure liquidity and capital after the risk has occurred.
However, the major disadvantage of the above methods is that risk perceptions and interests may differ between partners, leading to conflicts or under- or over-insurance. Moreover, there is no insurance market that covers all possible risks of a company.
Risk retention
Despite all measures, risks cannot be completely eliminated. There always remains a residual risk, which must be borne by the company itself as a consciously assumed risk. In ISO terminology, this is referred to as “retaining the risk by informed decision” (ISO 31000:2018). Aspects such as risk tolerance and perception of the parties involved play a major role here.
But how does one draw the line for this risk tolerance in practice? One way is to minimise risks to a reasonable and feasible level, known as the ALARP principle (As Low As Reasonably Practicable). ALARP is the level of risk that is tolerable and where the benefit of reducing the risk is greater than the effort or cost involved. Whether the benefits outweigh the residual risk can be assessed using a risk-benefit analysis.
When the risks are minimal, it is sometimes better to simply accept the risk and go on with business as usual. Here, the best strategy may be to react only when the risk actually occurs. Most of the time, these are risks with a low probability of occurrence and a low impact or amount of damage. Clear risk criteria and limits must be set for the risks that are to be borne by the company itself. In practical terms, this means, for example, setting aside reserves for the potential risk that will be used up when the risk occurs.
Risk-taking as prevention
Risk-taking is the opposite of risk avoidance and means that a risk is consciously taken because it is not only seen as a threat but also as an opportunity. This risk option results from the generic approach of the ISO standard.
Risk-taking is understood as an option in risk treatment plans in the context of ISO 31000 because the standard also takes into account those institutions that deal with financial and commercial risks anyway and therefore consider risk-taking a quite normal and legitimate option.
Indeed, in companies, uncertainty is often seen as an essential source of entrepreneurial value creation. However, a prerequisite for successful risk-taking is a corporate culture that facilitates and encourages the urge to change and adapt organisational processes to significant changes in the environment. Indeed, it is argued that companies that are successful at taking risks are also successful at mastering the processes of risk monitoring and strategic responsiveness.
Crisis prevention in a nutshell
Crisis prevention is thus on the one hand about the importance of the safety culture of a company or organisation, and on the other hand about more concrete prevention and risk reduction strategies, which are based on the ISO 31000 standard. According to this standard, risk assessment is followed by risk treatment. This in turn includes strategies such as avoiding the risk altogether, changing the probability and consequences or sharing the risk, to name but a few.
Since crises cannot be avoided completely despite all preventive measures, crisis preparation plays a decisive role. We will take a closer look at this in the next part of our blog series.
Read on: What is crisis management? Part 5 - Crisis preparation.