when the worst scenario comes true...
Photo by Vladimir Shipitsin: https://www.pexels.com/photo/a-building-raze-by-fire-11688875/


Digital Health companies and their products/services by their very nature are dependent on digital services and systems. Simultaneously, they face an increasing swarm of cyber threats. Well-designed cybersecurity can help shield a company’s operations and ensure that it will be able to utilize the benefits provided by digital technology in every domain of its business. But we will not cover cybersecurity in this edition of Enabling Digital Health. We will cover Crisis Management - when the worst scenario comes true...

Most digital health organizations have no plan in place to deal with a crisis. A crisis, whether deliberate or fortuitous, internally caused or not, can produce an imbalance in an organization regarding its products, services, clients, patients, and employees, affecting or damaging its healthcare products or medical devices, public image and reputation, with the consequent economic loss or legal non-compliance, and may jeopardize its economic viability and/or professional future.

Having dealt with crises, whether security breaches, ransomware attacks, natural disasters, or urgent product failures (ultimately resulting in recalls), I have seen that every crisis involves decision-making under pressure, with limited time and information, on several fronts in parallel, and with many actors and people involved. The management and processes required to deal with a crisis are not improvised when a crisis arises; they must be developed in advance so that everything is ready when that moment comes.

Note the importance of the prior work required to ensure that the organization is prepared when a crisis arises: risk analysis, the development of action plans, and the establishment of appropriate management structures amount to a continuous foresight exercise, so that it is possible to anticipate the problem by designing a way to manage it at the slightest sign of materialization.

Use the following to create your own model in dealing with a crisis. They work. They are simple. They are inexpensive. The likelihood of an event that can have a major impact on your organization and its services will depend on the degree of prior preparation of the organization: it will be very small if preventive measures have been taken, and progressively higher as the volume of prevention work decreases.



It is important to lead, take and maintain the initiative during the crisis and, if lost, to look for opportunities to regain it. Taking reasonable measures is almost always better than doing nothing, provided they rest on a previously agreed plan and preparation. It will be easier to take appropriate action in a short period of time (which is usually the case in such situations) if there is some kind of prior work than if there is not. In this way, nervousness or improvisation, which are all too common at this time, can be avoided.

Crisis plans shall be developed in normal times. Let's repeat. Crisis plans shall be developed in normal times.

Anything that is not foreseen previously is practically impossible to improvise during an emergency. It is true that perfect prevention is practically unattainable: zero risk does not exist, but one of the keys to effective crisis management is determined by the ability to anticipate and identify the most vulnerable areas (risk management) that may lead to critical situations.

I strongly recommend that Digital Health companies draw up Crisis Management Plans which describe the tasks required to develop crisis management capability and identify the main actions to be taken in response to a serious situation or a disaster. These plans usually include a Crisis Manual that serves as a reference framework, providing a script of actions to be carried out in terms of continuity, contingency, communication, and human resources, with a clear assignment of responsibilities. These plans are to be disseminated among the organization and its management through exercises or training sessions.



  1. Create a Crisis "Tiger Team" ("CTT") that would be the highest decision-making body for the unified management of a crisis situation. Its main task will be to accelerate the decision-making process to resolve incidents by defining priorities and establishing the strategy and tactics to be followed. The CTT shall set the main scenarios to be taken into account, determine how to act and report the situation, and lead all the recovery and communication teams. Like any other Tiger Team, the CTT should be made up of a small group of people with different profiles, executive and highly decisive, with the capacity to react to stressful situations and agility in team management and decision-making. This is why it is so important that, at the first warning of a crisis, the CTT reacts quickly and decisively by making an initial notification without undue delay and takes the initiative. Be proactive rather than reactive, make decisions quickly, and position the CTT to take the lead.
  2. Create a "Stakeholder Map" where you identify those who may be affected by the crisis. Stakeholders are people or groups in the organization’s environment that may be affected by any activity carried out by the organization. During a crisis, it is very likely that there will be interaction with some of them, either because they are an active part of the situation or because they are as much or more affected than the organization itself.
  3. Prepare key messages, and understand and formalize the format and the channel or medium:

  • Informal meetings;
  • Videoconferences;
  • Distribution lists;
  • Phone calls;
  • Face-to-face interventions; and
  • Shareholder meetings.



Good crisis management focuses on continuous action that includes the availability of information that is both correct and sufficient, decisions that are based on knowledge, and the measures used to alleviate risks. Your organization must assess and adapt its crisis management measures to the changes in your organization, and this is why it is vital that you also have the correct tools at your disposal to assess the effectiveness of the measures that your organization has implemented.

Check the effectiveness of the Crisis Management plan. It must include:

  • Key internal and external contact information.
  • Clear escalation paths (for example to upper management) and predefined processes for critical decisions and formation of the CTT.
  • A clear division of responsibility and a clause that states whether this applies to regular working hours or if it is always valid.
  • A general flow chart or process description for the entire lifespan of a crisis.

Practice - Consider a Crisis Management Exercise.

A crisis management exercise consists of simulating a scenario, but not a real one. It takes place over a limited period of time, in a context designed for the occasion and is based on handling the management of a crisis that occurs at the time the scenario is played. In order to encourage players to participate and get involved, the simulated fictitious events must be based on credible events. A crisis exercise must under no circumstances have a real impact on the organization’s activities.

A crisis exercise should not be intended to surprise or trap participants but to guide them in a structured training session based on defined, communicated, and shared goals. A crisis exercise would be considered successful when it has engaged all the participants, enabled them to learn from the exercise, and encouraged them to repeat the experience.



It is important to dedicate time and resources to assess the effectiveness of your crisis management plan and, above all, to collect lessons learned and implement them, as well as to communicate the crisis closure, both internally and externally. Simply carrying out the relevant analyses, drawing conclusions, defining an action plan, and monitoring its implementation are indispensable steps in closing a hypothetical (or real) crisis.

Communication is key to the effective management of a crisis. The organization shall identify in advance all the interest groups or stakeholders whom it needs to inform, and it shall know what to say and how to say it at all times.

Additional Information

  • There is a new ISO standard under development, ISO 22361 Security and resilience – Crisis management – Guidelines, that can be used as a framework to identify the nature, characteristics, and origins of a potential crisis, with the intent to prepare organizations to establish stages of the response and recovery from a crisis.
  • There is a great resource by the Commonwealth of Australia, the Department of the Prime Minister and Cabinet, the Australian Government Crisis Management Framework, that would give you an idea of how to set up your own crisis management plan. The Australian Government’s continuum comprises seven phases of crisis management and recovery. The phases defined are:

  1. Prevention: measures to eliminate or reduce the severity of a hazard or crisis;
  2. Preparedness: arrangements to ensure that, should a crisis occur, the required resources, capabilities, and services can be efficiently mobilized and deployed;
  3. Response: actions taken in anticipation of, during, or immediately after a crisis to ensure that its impacts are minimized and that those affected are supported as quickly as possible;
  4. Relief: meeting the essential needs of those affected by a crisis event;
  5. Recovery: short and medium-term measures to restore or improve assets, systems, and activities, and "build back better" to avoid or reduce future disaster risk;
  6. Reconstruction: implementing longer-term strategies post-incident to "build back better" from a crisis, including identifying sustainable development approaches and mitigation measures; and
  7. Risk reduction: reduction of future risk and identifying measures that may be taken to reduce the impact of future crises.

Looking forward to your comments and suggestions for the next edition of Enabling Digital Health.



