By Stephen Alfano, PMP®, CSM, Prosci 

There is no sure-fire way of predicting when (or how) a crisis will occur in an organization or a business environment. Crises, by their very nature, are all too often unpredictable and all-consuming events. 

However, with the practice of risk management, organizations and business leaders can assess potential crises and quantify their ensuing impact. More important, they can use the assessments to create mitigation plans to prepare for potential emergencies. 

One such mitigation plan is preparing a crisis communications plan. 

A crisis communications plan provides a framework for timely and clear messaging from when the crisis hits through its evolution. A crisis communications plan often extends well beyond the end of the crisis to ensure that everything and everyone is on the same page or narrative. Like most proactive business management strategies, crisis communications plans fall into categories that mirror the most critical operations and functional areas.

Here are the top five crisis communications plans and what they aim to mitigate.

• Financial Crisis Communications Plan: This plan focuses on controlling the narrative surrounding revenue loss or asset devaluation caused by external factors (like decreased customer demand) or internal factors (like poor purchasing decisions).
• Personnel Crisis Communications Plan: This plan focuses on controlling the narrative surrounding either illegal or unethical behaviors of staff or stakeholders which could damage the organization’s reputation. 
• Organizational Crisis Communications Plan: This plan focuses on controlling the narrative surrounding negative press coverage or media attention when an organization mistreats or manipulates customers in pursuit of profits or market data.
• Technological Crisis Communications Plan: This plan focuses on controlling the narrative surrounding technology failures, such as a customer-facing website crashing or errors in codes that disable business processes and limit or shut down operations. 
• Environmental Crisis Communications Plan: This plan focuses on controlling the narrative surrounding operations disruptions ranging from one-time or temporary delays or closures (like a power outage or gas leak) to sustained, long-term delays or closures (like a plant shutdown or a devastating hurricane). 

Most Crisis Communications Plans have the same core phases and steps, including:

Pre-crises Phase 

Step 1: Identify Potential Crises Risk

Step 2: Designate and Educate Potential Crises Risk Owners and Spokespeople

Step 3: Standup Notifications and Monitoring Systems

Step 4: Test Response Regularly

Post-crises Phase

Step 5: Assess the Situation

Step 6: Create and Rollout Key Messaging

Step 7: Wind down/Wrap up Response as Quickly as Possible

Step 8: Perform Postmortem of Response Steps

Step 9: Revise Plans with Postmortem Insight

For more insight into Crisis Communications, check out these links:

Your Survival Guide to Crisis Communication – HubSpot

3 Best Practices For An Effective Response Plan – Business 2 Community

Crisis Management: Communications Best Practices – Department of Energy

If you need additional information or support creating crisis communications plans explicitly designed to fit your organization or business, contact us to learn more! We would love to help!

About the Author: Stephen Alfano is an Organizational Change Management Consultant and Communications Expert. He has over 30 years of experience in leading and managing initiatives for both private and public-sector clients. His résumé includes providing both new business and business process improvement services to Apple, American Express, AT&T, California Department of Transportation, Chevron, Entergy, Levi Strauss & Co., Louisiana Office of Tourism, Mattel, Microsoft, Novell, SONY, Sutter Health, and Wells Fargo. Stephen currently works as an Executive Consultant with KAI Partners, Inc., providing change management and communications expertise and project management support services on several active contracts.

By Jamal Hartenstein, JD, CISSP, CGEIT, PMP

The Greater Sacramento Capitol Chapter of ARMA recently held its annual Records Knowledge Conference, which brought together records managers from city, county, and state clerk offices.

According to our local ARMA chapter, ARMA is dedicated to providing education and resources to those in the Records Management and Information Governance fields. They are committed to enhancing Records Management and Information Governance professionals through training, networking, leadership, and outreach.

The conference attendees brought a sense of eagerness to learn and share—ARMA chapter leadership gave event attendees a special opportunity to hear from world-class speakers—including and a lead researcher on the IBM Watson project, Dr. Ashish Kundu—on some of the most important and cutting-edge topics.

Along with a formidable group CEOs, I was honored to be asked to speak about Cybersecurity Threats to Information Governance. Highlights of the event and major takeaways included:

• Understanding what data you have, who accesses it, and where it goes is paramount.
• Conflicts among document retention policies, industry best practices, and laws suggest that we seek out and use the highest common denominator.
• Trending topics and buzzwords the government sector include players like Smart Communities, Artificial Intelligence (AI), Digital ID, Blockchain, NIST, and the KAI Partners approach to security assessments.
• Data Migrations are underway. Records Managers who respond to Freedom of Information Act (FOIA) requests for public records or subpoena must deliver records formats adhering to general business practices, which may be legacy.
• Regarding Third Party Risk Management (TPRM), cloud services, and Business Associate Agreements, liability points back to the data controller regardless of contracts with data processors or third parties.
• Mobile device management and data/device ownership remain a point of contention and confusion during public record requests.
• Innovation is forcing a cultural shift in workforce demands and understandings of emerging technologies.
• Artificial Intelligence (AI) solutions can be used to categorize and classify data, performing some of the tasks of current Data Custodians and Data Owners.
• While AI may not replace Records Managers, Records Managers who understand and embrace AI will inevitably replace those who do not.

Public sector IT innovation and modernization means systems and processes change rapidly. One example of this is California Assembly Bill 2658, recently signed into law by the governor. This new law updates the definition of an Electronic Record to include blockchain and smart contracts as legally recognized records. It sends a clear signal that digital records management, particularly blockchain technology and smart contracts, are priorities for a more innovative and dynamic public sector.

This new law impacts public records requests because entries logged in public agency-owned private blockchains are electronic records. These records are susceptible to the Freedom of Information Act (FOIA). Records Managers may benefit from technology that makes the identification and delivery of public records to requestors easier. It may also create convenience for those exercising Public Records Act (PRA) requests. It’s a double-edged sword; it streamlines the processes but increases PRA volume at the same time.

The discussion of the California blockchain law was one most important topics discussed at the ARMA event. Another popular topic was IT Security Assessments.

The urgency in public sector data governance and records management is an incredible opportunity to embed IT security controls for the public sector personnel working at the heart of the ever-expanding challenges.

KAI Partners performs security assessments to address the multitude of challenges facing the public sector. Our assessments help ensure secure and efficient delivery systems where the organizational objectives align with the development of strategic plans and programs. In addition, KAI Partners’ training division—KAIP Academy—works to address technical skills gaps. Our training courses include ITIL, Project Management, Agile/Scrum, and more.

Were you at the ARMA Conference? What were your biggest takeaways about public sector innovation?

About the Author: IT Security Program Manager at KAI Partners, Jamal Hartenstein is a cybersecurity legal expert who has helped some of the country’s largest financial institutions, healthcare companies, and federal agencies develop their IT Security Roadmap programs. In his current role, Jamal provides guidance to executive staff and security professionals on laws, frameworks, and policies that help shape their strategic plan, and helps organizations innovate safely and securely. Prior to working for KAI Partners, Jamal served as an Electronic Warfare Sergeant in the U.S. Army Military Intelligence Corps, where he was a steward for Defense Information Systems Agency (DISA) framework. He earned his undergraduate degree from Georgia Military College and his Juris Doctorate from University of the Pacific, McGeorge School of Law in California.

By Jamal Hartenstein, JD, CISSP, CGEIT, PMP

If organizations don’t have IT Security governance, risk management, and compliance measures in place, they are susceptible to breach, dissemination of data, or regulatory violations that can cripple the organization.

Case in point: The California Attorney General’s office filed a legal claim against an airline company for not having a privacy policy for their smart-phone app.

A regulatory violation (i.e., if an organization does not meet deadlines for disclosures) can mean legal penalties. Enterprises without an IT Security Strategic Plan are poorly suited to assess and manage IT related risks, in alignment with business objectives.

In any of these events, consequences include brand/reputational damages, increased cybersecurity insurance premiums, legal fees, and injunctions.

In addition to those risks, there’s a regulatory component to IT Security—the state of California mandates periodic risk assessments for public sector groups at the state, county, and city levels. To keep up with ever-changing mandates and to successfully meet regulatory mandates, you might need Strategic Risk Management Planning.

So, where do you begin to start this planning and make sure your organization is protected?

KAI Partners is your one-stop shop for IT Security services.

Whether public sector, private sector, non-profit, or small business, KAI Partners can offer IT Security services that allow your organization to operate and innovate safely.

Our IT Security services help ensure that the software, hardware, and policies you implement not only protect your organization, but also mitigate the threat of catastrophic litigation.

Members of the KAI Partners IT Security team hold credentials in Certified Information System Security Professional (CISSP), Project Management Professional (PMP)®, Certified ScrumMaster®, Certified in the Governance of Enterprise Information Technology (CGEIT), CompTIA Security+, Network+, Project+, A+, Microsoft Certified Professional (MCP), and more.

KAI Partners works together with Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, IT Security Managers, vendors, and other strategic partners to help your organization create and implement a comprehensive IT Security plan.

Some of KAI Partners’ IT Security services include:

1. Strategic Planning Development, aligned with IT Security Roadmap Program planning
2. Security Operations and Subject Matter Expert Staff Augmentation
3. Independent Security Assessments
4. IT Security Governance, Risk Management, and Compliance (GRC)

Legislation, regulations, and policy shape the way organizations conduct business today. The laws have a hard time keeping up with technology—and technology has a hard time keeping up with threats. KAI Partners can help you create and implement IT Security practices that are unique to your business objectives and help protect the privacy of your organization.

Interested in learning more about how KAI Partners’ IT Security services can help your organization stay safe and compliant? Contact us today!

About the Author: IT Security Director at KAI Partners, Jamal Hartenstein is a cybersecurity legal expert who has helped some of the country’s largest financial institutions, healthcare companies, and federal agencies develop their IT Security Roadmap programs. In his current role, Jamal provides guidance to executive staff and security professionals on laws, frameworks, and policies that help shape their strategic plan, and helps organizations innovate safely and securely. Prior to working for KAI Partners, Jamal served as an Electronic Warfare Sergeant in the U.S. Army Military Intelligence Corps, where he was a steward for Defense Information Systems Agency (DISA) framework. He earned his undergraduate degree from Georgia Military College and his Juris Doctorate from University of the Pacific, McGeorge School of Law in California.

By Stephen Alfano, CSM

Full disclosure, I made three assumptions before I wrote this blog post:

1. I assumed that project management mavens (and groupies) would overlook my obviously self-serving gambit and give me the professional courtesy to read beyond the first sentence.
2. I assumed that even the most courteous reader would grow impatient (bolt!) if I didn’t pen something provocative about an intentionally rigid project management subroutine that at times can seem mind-numbingly pedantic.
3. I assumed that only a handful of the readers would read all the way through the opening paragraph; while most of the readers who remained engaged beyond the gambit would have skipped down to the links leading to additional insight on the prescriptive and didactic data science behind validating assumptions.

If you are still reading this blog post (thank you!), you probably figured out my stratagem quickly and decided to chalk it up to a level-setting parlor trick used to underscore the “tricky” nature of assumptions. (You saw what I did: That statement is an assumption.) So, let’s move on, starting with an official, textbook definition of an assumption.

An assumption is, “a thing that is accepted as true or as certain to happen, without proof.” Of course, how would you know this definition is the definition you seek? How could you be sure it comes from a legitimate and “official” source? (Tricky, right?) In short, an assumption needs to be validated.

Validating Assumptions 101

• To properly validate an assumption, you need to start by capturing it into a database tool called an assumption log.
  • The assumption log lists assumptions by date.
  • The log is usually created and maintained by a project manager. However, everyone on the project team will have access to the log. More important, specific individuals or groups on the project team will be assigned assumptions to validate throughout the project lifecycle.
• Not all assumptions are equal, which is why the validation process begins by determining the level of impact or affect an assumption has on the project outcome.
  • Moreover, assumptions may also be project risks—either now or in the future. So, in addition to creating an assumption log, a project manager will produce an overlapping or supporting database called a risk register. The risk register is used to identify, manage, and mitigate risks.
  • The continuous alignment (interdependence) of the assumption log and the risk register is central to a project management plan.
• Once the level of impact or affect an assumption has on a project outcome is determined, project team members or groups are given the responsibility to validate assumptions by a specific date to keep the project on track.
  • Validation at its core is scientific probing—asking lots of “why” and “how” questions until the assumption can become a proof point. This probing supports the decision-making process towards delivering or realizing project goals. (At this point, I’ll assume you now know how important that is.)

For more insight on validating assumptions, check out these links below:

ASSUMPTIONS ARE MADE TO BE VALIDATED via Leading Agile

The Need to Validate Project Assumptionss via Business 2 Community

5 Tips to Make Sure You Are Validating Early and Often via Kissmetrics

Case Study: Using the 5 Whys to Validate Assumptions via iSixSigma

Identifying and Validating Assumptions and Mitigating Biases in User Research via UX Matters

Build Better Products: How to Identify and Validate Assumptions via Users Know / SlideShare

Now it’s your turn—what are some of your best practices to validate assumptions and reduce risk on your projects? Or, what other trouble spots does your project have—we’d love to cover some mitigation techniques in a future blog post!

About the Author: Stephen Alfano is Certified ScrumMaster® (CSM), Organizational Change Management Consultant and Communications Expert. He has 30 years of experience leading and managing internal and external program initiatives for both private and public-sector clients. His résumé includes providing both new business and business process improvement services to Apple, American Express, AT&T, California Department of Transportation, Chevron, Entergy, Levi Strauss & Co., Louisiana Office of Tourism, Mattel, Microsoft, Novell, SONY, Sutter Health, and Wells Fargo. Stephen currently works as Marketing and Communications Manager for KAI Partners, Inc., spearheading business development and leading the firm’s marketing and communications practice and line of business.

October is National Cyber Security Awareness Month! While we think cyber security should be at the forefront of everyone’s minds every day, we are glad to see a month dedicated to all things security. To help you be aware of the best insight and advice on this subject, we’ve rounded up some great infographics from around the Internet to share with you today. Take a look at these infographics to make sure you are applying the most up-to-date best practices to protect you and your business.

Remember, KAI Partners can help you to identify gaps in your security efforts. Email us at info@kaipartners.com to address and help minimize your cyber security risks.

Via Stay Safe Online (National Cyber Security Alliance)

Via Digital Guardian

Via Trend Micro