Sharing CritSit Handling Practices

Sharing critical situation handling best practices presents a problem. On the one hand, the industry desperately needs people to share best practices and lessons learned so that all of us, as an industry, can better fend off the constant and increasing set of threats by closing off vulnerabilities in ways that are working for others. On the other hand, people and organizations often do not share such practices with their industry colleagues. The often-cited reason is that they do not want to share anything that might create a risk for them for a current or future hot issue.

This lack of sharing creates a problem. As an industry, it keeps us on our back foot relative to those who create and exacerbate critical situations. We must find ways to share what is efficient and effective so it others can duplicate the practices and our successes. Otherwise, we perpetuate an already grim situation. So how do we, as an industry, get past this?

Let’s start by saying that we should not share anything that would create a risk for a current or future hot issue or any organization specifics. These are no-no’s, as sharing such information would be foolish.?

So, what does that leave us regarding what we can and should share? We should share things that are sanitized (i.e., that contain no situation or organizational specifics) that are generic and useful. Here are some ideas:

• Meeting agendas, e.g., for post-situation analysis and follow-up in the aftermath
• Messaging templates and checklists for vetting communications, e.g., for holding messages
• Checklists that support the quality of any activity or deliverable, e.g., situation room prep checklists, press conference prep checklists, drill and exercise prep checklists
• Best practices for collaborating and sharing knowledge in critical situations using ubiquitous tools, e.g., Microsoft 365, Zoom, etc., and channels, e.g., chat, email, telephone, chatbot, etc.
• Recommended rhythms and cadences, e.g., for drills and exercises, reporting, and reviews
• (Sanitized) lessons learned
• (Sanitized) methods, including telemetry and instrumentation, for understanding vital information in-situation, e.g., where are we, did our message land, etc.
• Principles that guide behavior, e.g., for decisions, actions, and communications
• Terminology definitions and artifact specifications, i.e., ‘here is how we define when the aftermath phase of situations should begin,’ and ‘here are the elements we include in our tabletop drills’
• Best practices for managing the experiences of stakeholders in moments of truth in all situation phases, e.g., for communicating with key suppliers
• Best practices for integrating stakeholders into critical situation handling, e.g., suppliers
• Best practices for choosing where to invest in building critical situation capabilities, i.e., balancing costs, risks, time, effort, and outcomes to optimize value
• Best practices for balancing investments in building critical situation handling capability development among people, processes, information, and technology
• (Generic, sanitized) best practices for improving critical situation handling capabilities
• (Generic, sanitized) best practices for maintaining legal and regulatory compliance in critical situations
• Best practices for breaking down silos and fostering collaboration in critical situations across the teams involved, e.g., Legal, Regulatory Compliance, C-Suite, Exec Comms, Employee Comms, and IT
• Best practices in using techniques, models, and conceptual frameworks, e.g., design thinking, value stream analysis, fault tree analysis, Kanban, etc.
• Sharing your analysis of other organization’s critical situations and best practices to do what they did well and to avoid what they didn’t do well
• Best practices for practices, e.g., for running a post-mortem, what should the steps be, who should be involved, and what should the outputs and outcomes be?
• Best practices for escalations in all phases of critical situation handling, e.g., for escalating when drills and exercises are overloaded with surrogates
• Best practices for facilitating agility, speed, and quality in critical situation handling
• Best practices for making the business case for budgets or critical situation handling capability development
• Best practices for integrating critical situation handling into ‘business as usual, i.e., to build capability into business as usual that is useful in critical situation handling
• Best practices for ensuring all involved in critical situation handling understand its key activities and moments of truth and their purpose, and their part in it

This, of course, is not a comprehensive list. But what you should see is that clearly, there ARE things that can be shared that would benefit the industry as a whole that DO NOT, through their sharing, put you or your organization at risk.

I encourage you to start sharing. The need is great. We all win when the industry pulls itself up by its bootstraps. And that can only start in one place: with you. It will never happen if we all wait for others to begin to do it. So let’s end this vicious cycle and get into a virtuous one. We’ll all be glad we did. Well, maybe not the bad actors ??.