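Concise Chinese translation of ISO 22361 - Crisis management - Guidelines (Part 1)
Preface: Business continuity, emergency management and crisis management each have their own emphasis but are closely related. Professionals, while mastering the knowledge, methods and skills of their own field, must understand (and then master) the knowledge and methods of the other fields in order to coordinate effectively in practice and successfully handle sudden, disruptive and crisis events. The ISO 22301 series of standards brings together global best practice in the field of business continuity management. I and teams of expert volunteers have previously translated related material (see the translations and links below). This time I bring a concise Chinese translation of ISO 22361:2022 – Crisis management – Guidelines for professionals' reference, and I invite all experts to suggest corrections.
Concise Chinese translation of ISO 22301:2019 (November 2020)
Concise Chinese translation of ISO 22313:2020, Part 1 (November 2020)
Concise Chinese translation of ISO 22313:2020, Part 2 (November 2020)
Because the full Chinese-English parallel text is long, more than 37,000 characters, it is published in two parts.
Wang Shu (王曙), 2024.04.21
ISO 22361 Security and resilience – Crisis management – Guidelines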
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 292, Security and resilience, in collaboration with the European Committee for Standardization (CEN) Technical Committee CEN/TC 391, Societal and Citizen Security, in accordance with the Agreement on technical cooperation between ISO and CEN (Vienna Agreement).
Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
This document has been developed to aid in the design and ongoing development of an organization’s crisis management capability. It sets out principles and practices needed by all organizations.
Crises present organizations with complex challenges and, possibly, opportunities that can have profound and far-reaching consequences. An organization’s crisis management capability and its ability to manage a changing environment are key factors in determining whether a situation or incident has the potential to pose a serious or existential threat to the organization and its environment. The crisis affecting an organization can be part of a broader crisis.
To ensure the crisis management capability has the desired outcome, the organization should provide:
— committed leadership;
— structures (e.g. funding, communications, relationships and linkages, equipment, facilities, information management, principles, processes and procedures);
— a supportive culture (e.g. values, ethics, code of conduct);
— competent personnel (e.g. knowledge, skills and attitude, flexible thinking).
An organization’s crisis management capability will be influenced by its relationship with other interdependent areas such as risk management, business continuity, information security, physical security, safety, civil protection, incident response and emergency management.
The organization should adopt a structured approach to crisis management by applying a set of principles on which a crisis management framework can be developed. These interrelated principles, framework and applicable process elements support the implementation of a crisis management capability in a purposeful, consistent and rigorous manner (see Figure 1).
Key: principles (see 4.5); framework (see 5.2); process (see 5.3)
Figure 1 — Building a crisis management capability — Principles, framework and process
The structure of the document is as follows:
— the core concepts of crisis management are described (see Clause 4);
— then the framework and process for building a crisis management capability are outlined (see Clause 5).
The clauses that follow provide more detail on:
— crisis leadership (see Clause 6);
— strategic crisis decision-making (see Clause 7);
— crisis communication (see Clause 8);
— training, validation and learning from crises (see Clause 9).
Continual improvement is a component of all elements of this document (see 5.3.7), so that while it is part of the process, it also addresses all capability elements.
1 Scope
This document provides guidance on crisis management to help organizations plan, establish, maintain, review and continually improve a strategic crisis management capability. This guidance can help any organization to identify and manage a crisis. Elements for consideration include:
— context, core concepts, principles and challenges (see Clause 4);
— developing an organization’s crisis management capability (see Clause 5);
— crisis leadership (see Clause 6);
— the decision-making challenges and complexities facing a crisis team in action (see Clause 7);
— crisis communication (see Clause 8);
— training, validation and learning from crises (see Clause 9).
It is applicable to top management with strategic responsibilities for the delivery of a crisis management capability in any organization. It can also be used by those who operate under the direction of top management.
This document acknowledges the relationship and interdependencies with various disciplines but is distinct from these topics.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 22300, Security and resilience — Vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 22300 and the following apply. ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1 capability
ability to accomplish an undertaking with a defined intended outcome and within specified conditions
Note 1 to entry: An organizational capability depends on the available resources and organizational principles, framework (leadership, structure, culture, competences) and processes.
3.2 crisis
abnormal or extraordinary event or situation that threatens an organization (3.13) or community and requires a strategic, adaptive and timely response in order to preserve its viability and integrity
Note 1 to entry: The event or situation can include a high degree of complexity, instability and uncertainty.
Note 2 to entry: The event or situation can exceed the response capacity or capability (3.1) of the organization.
Note 3 to entry: Given the nature of a crisis, a flexible and dynamic approach is needed in addition to any rehearsed plans and procedures.
Note 4 to entry: Threats can impact upon the organization’s ability to function, its reputation, its brand, its physical, political or intellectual property, its organizational structure and its human, environment and economic factors.
Note 5 to entry: The term “organization” also includes governmental and non-governmental agencies and national authorities in the public sector, as well as non-governmental organizations (NGOs) and charities.
3.3 crisis management
coordinated activities to lead, direct and control an organization (3.13) with regard to crisis (3.2)
3.4 crisis management team CMT
group of individuals functionally responsible for leading the organization’s (3.13) crisis management (3.3) response
3.5 crisis management plan CMP
document specifying which procedures and associated resources are to be applied by whom and where in a crisis (3.2)
3.6 incident
event or situation that can be, or could lead to, a disruption, loss, emergency or crisis (3.2)
[SOURCE: ISO 22300:2021, 3.1.122, modified — “or situation” has been added to the definition.]
3.7 interested party / stakeholder
person or organization (3.13) that can affect, be affected by, or perceive themselves to be affected by a decision or activity
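3.8 governance
<organization> human-based system by which an organization (3.13) is directed, overseen and held accountable for achieving its defined purpose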
3.9 situation report
summary, either verbal or written, outlining the current state and potential development of an incident (3.6) or crisis (3.2) and the response to it
3.10 situational awareness
perception of the elements in the environment within a volume of time and space, the comprehension of their meaning and a projection of their status in the near future
3.11 top management
person or group of people who directs and controls an organization (3.13) at the highest level
3.12 issue
event or situation that does not currently present, but can develop into, a long-term or significant negative impact on the strategic objectives, reputation or viability of the organization (3.13)
Note 1 to entry: Effectively responding to emerging issues can result in the successful aversion of a crisis (3.2).
3.13 organization
person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives
Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.
3.14 crisis communication
communications both internal and external to provide information, updates and instructions to internal and external interested parties (3.7)
Note 1 to entry: Adequate crisis communication can also protect the organization’s (3.13) reputation and brand and maintain its public image.
4 Crisis management — Context, core concepts and principles
4.1 The nature of crises
Crises can be associated with highly complex issues, the full implications and nature of which can be unclear at the time. Possible decisions and actions can have severe negative consequences, and decision-makers at all levels sometimes have to choose the least detrimental solution (see 7.4) and resolve (or recognize and accept) fundamental strategic dilemmas. This can mean that every choice comes with a penalty of some kind and there is no ideal solution.
Premature or ill-considered decisions on actions or processes to manage a crisis can have potential to cause significant consequences and cause additional harm or exacerbate the crisis situation and should be avoided. If the range of available options being considered can reduce the impact of a crisis yet have adverse consequences upon other organizational objectives, it can be necessary to choose the option that has the potential to create the least amount of loss or disruption to the organization.
Crises often involve threats to people, the environment, assets (such as property or information) or reputation.
A crisis can require the organization to review its objectives, opportunities, strategies, policies, practices or procedures and culture and as part of continual improvement.
A well-managed crisis can demonstrate the positive qualities of an organization and enhance its reputation.
4.2 Characteristics of a crisis
A crisis can be complex and challenging and can also provide opportunities for an organization to demonstrate core values, effective controls, governance, crisis response, review and learning.
Although many crises appear to be unique there are often consistent characteristics. Understanding these characteristics enables the improvement of the crisis management capability by comprehending their differences.
Often, a crisis is precipitated by an incident. There are some common characteristics found in both an incident and a crisis. Table 1 highlights some of the differences and Figure 2 shows the relationship between an incident and a crisis.
Table 1 — Key characteristics between incidents and crises
An issue could escalate to an incident, then a crisis. The organization should recognize the change in the situation and be flexible so it can adjust its response accordingly.

Figure 2 — Relationships and characteristics between an issue, incident and crisis
4.3 Potential origins of crises
Crises can be caused in a number of ways, including:
a) disruptive incidents that have immediate and strategic implications: these can arise from acts of malice, misconduct or negligence, or a failure (perceived or actual) to deliver products or services that meet the expected standards or legal requirements of quality or safety, unpopular (political) decisions or actions, rumours and false information;
b) operating fluctuations such as changes in the public reporting in the market, and interested parties’ preferences, technological development, changes in laws and regulations, competitions and threats of takeover;
c) poorly managed incidents and the emergence of latent and hidden issues with unacceptable consequences for trust in an organization’s reputation and brand; such issues can “incubate” over time, typically as a result of:
— inadequate governance allowing for gradual and incremental slippages in standards of quality, reliability, safety or management control to go unchecked and become accepted as a normal way of working;
— convenient, but unofficial, “workaround” strategies becoming the routine, due, for example, to overcomplicated processes, unrealistic schedules, chronic personnel shortages and relaxed supervision;
— flaws in supervision and process monitoring, which promote an expectation of “getting away with” undesirable behaviours or being able to survive minor failures without reporting them, or over-reliance on controls to catch all errors, rather than an expectation of quality checks that catch only occasional issues;
— blame cultures that encourage risk and issue cover-ups and the lack of a shared sense of mission and purpose, which generates a defensive (if not hostile) “them and us” attitude between personnel and management, between different parts of the organization and between the organization and external interested parties;
— poor behaviour (or what is perceived to be poor behaviour) by the organization’s executives, a single executive or the organization as a whole (such as lying, misrepresenting services or products and results, failure to revise decisions or recall products when knowing they pose a danger to their purchaser or the public, actions which are in conflict with the organization’s values, illegal activity or willingly breaching regulations);
— poor training and development of personnel and managers, or incremental loss of skills and knowledge;
— human factors including fatigue, stress, personal issues and working in unfamiliar circumstances;
— ineffective human resource management (such as failure to learn from historical events, unrealistic schedules, chronic personnel shortages and relaxed supervision);
— external factors that can impact the organization’s people, operations, reputation, technology and assets, both tangible and intangible, such as extreme weather events, and incidents triggered by critical vendors or data loss;
— inadequate preparation (plans, procedures and organization) for dealing with incidents;
— failure to escalate appropriately due to ability, choice or culture.
Crises invariably have multiple contributing factors, which can originate from inside or outside the organization. These can interact in a complex manner, making them difficult to identify and manage, resulting in the need for flexible planning approaches. While the origin of an incident can seem simple at the onset, further review can expose systemic weakness in how the organization is managed. If an incident is not managed effectively, it can escalate into a crisis.
Crisis management strategies and actions should reflect the organization’s objectives and values. Failure to adhere to its core values can make the situation worse.
4.4 Readiness to respond and recover
The uncertainty of crisis situations demands that crisis roles and responsibilities are understood, and actions clearly and methodically overseen and directed. Decisions should be intrinsically linked to the core values of the organization. The organization should prepare to face difficult decision-making and emphasize the importance of clear and coherent actions and communications during the crisis.
The organization should determine ways to mobilize its crisis management resources and activate the associated processes. Timely response to a crisis is critical. Denial, complacency or delay among strategic decision-makers can increase the impact and the organization’s vulnerability, hamper response, and degrade capacity to recover. Crises can be so extraordinarily demanding that no assumptions should be made about the ability of personnel (of any seniority, grade or experience) to manage them and steer the organization out of a crisis.
Successful crisis management requires flexibility and creativity. It can involve stepping outside the normal “rules” of the organization or its business environment and being prepared to defend or justify its actions. For the organization’s leaders, this requires clarity of thought, strategic vision, decisiveness and the ability to act in ways that reflect the core values of the organization. In particular, leaders should behave with compassion toward those affected by the crisis and expect and encourage this behaviour across the whole organization.
4.5 Principles for crisis management
4.5.1 General
The principles given in 4.5.2 to 4.5.8 are the foundation for establishing and building the organization’s crisis management capability that is underpinned by operational capability.
4.5.2 Principle A: Governance
Crisis management is dependent upon effective governance at all levels of the organization.
A crisis management capability is dependent upon clearly understood structures, roles, responsibilities and competence.
The capacity of employees to respond to a crisis is impacted by their understanding of their roles and responsibilities, being adequately trained to competently and confidently meet the demands of the crisis.
4.5.3 Principle B: Strategy
Crisis management is a strategic capability.
Building and maintaining a crisis management capability is dependent upon leadership communicating its value and importance to the organization, setting objectives and allocating resources to achieve these.
The crisis management capability is guided by the core values, priorities of the organization, and the potential consequences and impact of the crisis.
4.5.4 Principle C: Risk management
The crisis management capability is dynamic and is founded upon the management of risk.
Adaptive and timely crisis management is dependent upon situational and risk awareness, enabling the organization to actively monitor its internal and external environments and assess its potential vulnerabilities and opportunities.
Effectively managing change, risk and a dynamic environment enables the organization to anticipate, identify and respond to crises.
An organization’s capability to manage crises is a measure of its capacity to transform and adapt, to create opportunities under changing circumstances, and to work in an agile and flexible manner.
The organization should integrate its risk management activities with core business functions to increase its capacity to anticipate and respond to a potential crisis and changing circumstances.
4.5.5 Principle D: Decision-making
Effective decision-making is reliant upon good information management, situational awareness and an understanding of the needs and expectations of interested parties.
Leaders across the organization should seek an understanding through situational awareness and information management in order to make decisions that are based on evidence, logic and judgement and understanding of the impact of potential consequences.
The organization should take into account its strategic objectives, core values and priorities in all decisions.
4.5.6 Principle E: Communication
Crisis management requires effective communications.
The organization should communicate accurate, credible and timely information to interested parties (including those within the organization) so as to increase its crisis management effectiveness and protect its reputation and integrity.
4.5.7 Principle F: Ethics
An organization’s response to a potential or actual crisis is guided by its core values and ethical expectations.
The demonstration of appropriate ethics and values increases interested party support, builds trust, and helps to protect and enhance brand and reputation.
4.5.8 Principle G: Learning
An organization’s crisis management capability is enhanced through organizational learning.
An organization learns by ensuring people with crisis management roles and responsibilities are competent through training, exercising and learning from internal and external experience.
5 Building a crisis management capability
5.1 General
A well-developed and embedded crisis management capability can assist the organization in anticipating, responding and recovering from crises in a manner that protects its assets and objectives.
Crisis management should include:
— recognition of situations that require activation of crisis management;
— people who are competent and responsible for quickly analysing situations, setting strategies, determining options, making decisions and evaluating their potential impact;
— a common understanding of the principles that underpin crisis management;
— structures and processes to translate decisions into actions, assign activities and evaluate the results;
— personnel who are able to share, support and implement top management’s vision, intentions and policies;
— the ability to support solutions by applying the appropriate resources in a timely manner;
— an organizational structure that supports and maintains the ongoing crisis response capability;
— a culture that supports the crisis management principles.
To build a crisis management capability, the organization should establish a framework and a process. The framework includes leadership, structure, culture and competence. The crisis management process includes anticipation, assessment, prevention and mitigation, preparedness, response and recovery. The framework and the process should be continually improved.
5.2 Crisis management framework
5.2.1 General
The purpose of the crisis management framework is to assist the organization in integrating crisis management into its activities and functions. The crisis management framework is used to support the relationship between the crisis management principles, core attributes of crisis management and the key elements of the management process that are informed by the crisis management principles. Adopting the framework should facilitate an understanding of the relationship between the crisis management process and other management processes.
5.2.2 Leadership
Top management engagement in crisis management is pivotal in developing and continually improving a crisis management capability. Top management should ensure:
— crisis management objectives are compatible with the strategic direction and core values of the organization;
— crisis management is customized to the organization’s context;
— demonstrated commitment to the crisis management capability;
— direction and support for crisis management to achieve its intended outcome;
— communication of the importance and benefits of crisis management;
— integration of crisis management into the organization’s processes;
— availability of resources for crisis management;
— promotion of continual improvement of crisis management.
Top management should define and document a policy for crisis management. The policy should serve as the basis for the further activities related to the planning and implementation of crisis management arrangements. The policy should:
— state top management’s commitment to crisis management;
— outline the objectives in managing a crisis;
— describe in broad terms how the objectives are intended to be realized;
— establish priorities and guidance for the delivery of key elements of the organization’s crisis management capability, as well as corresponding financial, technical and human resources required;
— identify those responsible for its different elements, overall coordination and embedding;
— identify, document and communicate the roles and responsibilities required to implement and the crisis management capabilities;
— include mechanisms to review and ensure that the policy continues to be supported and remains consistent with the overall strategic objectives of the organization, and that progress is monitored and evaluated against the agreed deliverables;
— be reviewed periodically to ensure it remains current.
Top management is responsible for the overall resiliency of its organization and should appoint a person(s) with appropriate authority to be accountable for the development and implementation of the crisis management capability, and to maintain and manage it across the whole organization. Top management should also consider the resources needed for each element of the capability and the associated requirements for training, exercising and testing.
5.2.3 Structure
The organization should establish an organizational structure and provide the means to develop and continually improve a crisis management capability including:
— roles, authorities, responsibilities and accountabilities (these can sit outside of and be different to day-to-day roles and responsibilities);
— regulations and guidelines for involvement, information and communication;
— processes and methods;
— facilities and tools;
— quality assurance and control;
— a system for storing and sharing/transferring knowledge, especially in organizations with changing top management.
The organization should integrate crisis management with other relevant organizational activities.
5.2.4 Culture
The organization should encourage the development of a positive attitude and culture among all employees that uphold the organization’s core values and the consistent application of its expectations, policies and procedures, recognizing:
— risk awareness: continual identification and understanding of organizational risks, leveraging available competence;
— commitment to crisis management: commitment to, and acknowledgement of, the importance of crisis management;
— early warning: encouraging people to address potential early warning signs;
— organizational resilience: supporting resilience planning and encouraging everyone to understand their role and contribution to helping the organization succeed;
— organizational awareness: open communication of goals, objectives and visions through training and exercises;
— psychological safety: helping with “appropriate challenge” or helping people feel comfortable in raising the small instances that can escalate.
The organization should develop its ability to detect, assess and communicate the latent conditions internal and external to the organization, individually or in combination, that contribute to a successful crisis management culture.
5.2.5 Competence
It is important to understand the desired state, success criteria and steps to establish competency levels in all parts of crisis management.
The organization should integrate crisis management into the approaches taken for developing and maintaining competence and organizational learning. This integration should include:
— development of crisis management awareness, knowledge, skills and positive attitude at individual, team, organizational and inter-organizational levels;
— utilization of competence management processes and procedures within crisis management;
— systematic processes for reviews and learning related to crisis management;
— organizational learning as a means for continual improvement of crisis management capability.
5.3 Crisis management process
5.3.1 Anticipation
The organization should anticipate potential crises by establishing:
— horizon scanning processes to identify potential crises that can emerge in the medium to long term, and those which can emerge with very little warning;
— processes which will identify potential crises and manage how to escalate the warning to the appropriate level and inform the crisis response;
— systems to provide early warning of potential crises;
— an environment for appropriate challenge to decisions and strategies.
5.3.2 Assessment
The organization should assess potential crises by establishing:
— an understanding of the risks in the environment in which the organization operates;
— a well understood and integrated relationship between risk management activities and the business operations and leadership;
— a recognition and acceptance that crises can develop regardless of the effectiveness of existing controls and that the organization needs to be prepared to manage these effectively;
— behaviours that facilitate situational awareness;
— timely recognition and escalation of issues and incidents.
5.3.3 Prevention and mitigation
The organization should recognize that crises can be caused in different ways and try to prevent them using a combination of organizational, technical and human efforts. The organization should consider both preventive and mitigation strategies to prevent and minimize escalation.
The organization should integrate crisis prevention with other hazard, threat and risk-based activities.
In addition, the organization should establish policies, practices and procedures that provide employees and interested parties guidance on:
— prevention and mitigation through effective risk management practices;
— value awareness, involving the recognition and compliance to values such as ethics, sustainability and codes of conduct;
— early warning by communicating potential risks at an early stage to enable appropriate attention and assessment of potential consequences;
— capacity to respond to evolving conditions in a proportionate, meaningful and coordinated manner;
— redundancy and adaptation, which ensure organizational flexibility when experiencing unanticipated circumstances and needs.
Crisis prevention should be a continual effort.
5.3.4 Preparedness
5.3.4.1 General
The organization should ensure resilience in the CMT structure by appointing primary and alternate delegates for each CMT function and ensuring that all CMT members are suitably trained, competent and adequately resourced to perform their duties. It should also prepare for crises by developing generic capabilities that will enable it to deliver an appropriate response in any situation. This includes the development of the following key elements:
— the crisis management plan (CMP) and any other relevant plans;
— information management;
— shared situational awareness;
— structure, composition, authority and expectations of the crisis management team (CMT), with appropriate governance.
To be able to respond in a timely and well-organized manner, the organization should:
— inform and notify the appropriate members of the CMT;
— provide information management and situational awareness.
5.3.4.2 Crisis management plan
The organization should develop a concise CMP that can be understood, implemented and exercised before it is needed, and used when a crisis occurs. The CMP should not be scenario dependent but can contain information for dealing with specific crises and include:
— legal and regulatory requirements;
— the activation and escalation mechanism for a crisis response and how it works;
— the assignment of authority and responsibility for decisions and actions in a crisis;
— primary and alternative details for personnel that are to be contacted in the event of a crisis;
— details of levels of response across the organization (i.e. who is to be contacted for what level of problem) and a flow chart showing the sequence of actions;
— the structure and role of the CMT and what is expected of it;
— the identification of physical or virtual meeting locations and the equipment and support required;
— crisis communication (internal and external) (see Clause 8);
— templates for CMT meeting agenda, situation reports and record of decisions and actions.
The plan can be supported by setting out the policy and more procedural elements about how the CMT works and the necessary training and evaluation arrangements, but these should not detract from the plan itself. The plan should be reviewed periodically at appropriate intervals, especially the contact details.
The CMP should:
— provide for generic response capability that will be appropriate for events and situations that are not covered by existing procedures and practices;
— provide for flexibility and improvisation (“thinking outside the box”);
— produce viable responses using the available multidisciplinary expertise;
— consider formal and informal sources of information available as the crisis unfolds under real constraints;
— encourage flexible thinking and action, and recognize the generally unforeseeable crises that are impossible to plan for in precise detail.
The organization should provide tools and templates to support the CMP including:
— methods for physical and virtual visualization of the crisis situation;
— sources of relevant information;
— aides-memoires, standard agendas and checklists of key decision points and required actions;
— defined roles and responsibilities;
— a list of items necessary for a practical response;
— tools and systems to help manage social media monitoring and engagement;
— a list of interested parties and tools for categorizing and prioritizing their relevance;
— templates for decision logging and situation reporting.
5.3.4.3 Information management
Uncertainty is one of the defining features of a crisis such that finding out what is happening and understanding the implications are of paramount importance. It is necessary to accept and understand that information can be incomplete or incorrect when decisions are taken and acted upon. This requires pre-planning and appropriate training.
When responding to a crisis, the organization should be able to:
— identify and gather relevant information on the crisis;
— filter, analyse, prioritize and understand the available information;
— evaluate information in terms of validity, quality and relevance to the crisis;
— manage the ambiguity, uncertainty, complexity and volatility of the crisis;
— consider protecting confidential or sensitive data;
— present information to decision-makers in an appropriate form in a timely manner;
— communicate the information within the organization and externally as required. It should not be understood in such a way that important information is withheld from the public authorities where this is important for the prevention of threats to the general public.
5.3.4.4 Shared situational awareness
To build shared situational awareness, the organization should establish policies, practices and procedures that encourage the development of a shared understanding across its leadership and among its employees and key interested parties. This will help create an environment in which factors that contribute to crisis situations and their potential impacts will be clearly identified at the earliest opportunity.
This will provide a broader perspective on:
— what is going on and what the impacts can be on goals and objectives;
— the degree of uncertainty;
— the degree of control;
— exacerbating issues;
— other organizations involved and their relationships;
— what can happen in the future.
In addition, any existing requirements of higher-level authorities should be understood.
This information, together with foresight, can inform the organization’s crisis decision-making (see Clause 7).
Attaining situational awareness is inherently difficult in a crisis because usually many things are happening, the rate of change is rapid, various interpretations of cause and effect can be plausible, and the spread of impacts and potential impacts is unclear.
The organization should encourage a common appreciation among the people involved in managing the crisis, recognizing that:
— information can be deliberately withheld from others for various reasons;
— technical knowledge or specialist skills can be required to interpret certain facts;
— terminology is not always commonly understood.
The organization should collect information from a range of sources and assess the credibility of new information if received from unknown or unverified sources. The information should then be systematically collated, analysed, evaluated and presented in a format appropriate to the situation, which can be called a “situation report”. As information changes, the report should be updated.
The organization should not assume its ability to build shared situational awareness in a crisis on the basis of normal operations. It requires effort to understand the requirements and develop the structures, processes and competence needed to meet them. To build situational awareness, the organization should have the following:
— Trusted channels to source relevant information during a crisis.
— Ways of working to find relevant information when there are no existing channels. There is a tendency to rely on the news media but the timeliness and reliability of even the major news corporations cannot be taken for granted, especially at the early stage of a crisis.
— Structures and processes to analyse and evaluate the quality and relevance of the information to the crisis situation as not all information circulating during a crisis is equally reliable or unreliable. It is vital that the organization has the skills and ways of working to make informed judgements about source reliability, relative accuracy, timeliness and relevance.
— The capacity to analyse, interpret, understand and turn information about the crisis situation into intelligence. This intelligence can add value to the organization and provide targeted and specific context to inform the prioritization and direction of the response effort, which can require specialist skills or specific technical, product or policy knowledge.
— The capacity to consider the meaning, implications and possible alternative interpretations of the available information. Decisions, and the rationales for these, should be recorded to provide an auditable trail for potential post-incident review or investigations. An inventory of skills in the organization can enable their rapid recruitment to the crisis response.
— The means to present information to decision-makers in the most effective format possible. The specifics of the crisis and the requirements and interests of the decision-makers will determine what is appropriate. Those in a decision-support role need to understand the specific concerns, background knowledge and other requirements of the decision-makers.
5.3.4.5 Composition and responsibilities of the crisis management team (CMT)
The CMT should generally include top management because it can provide strategic vision, the authority to make decisions in a crisis situation and enact its leadership function. Individuals with the appropriate level of authority, experience and capabilities should be appointed to the CMT.
The CMT should be supported by operational and tactical teams. This can allow the CMT to remain strategic in its thinking and approach, giving direction to the tactical team for the planning and then the operational team for active implementation.
The size of the CMT varies according to the size of an organization and the nature of the crisis, but typically consists of strategic decision-makers and representatives from key business areas. Teams can be expanded to include internal or external specialists or expertise as required. Roles can include the following:
Leader: responsible for leading the CMT and acting as the primary contact for the operational elements of the crisis response. The leader should be an authoritative, respected senior executive with a long-term perspective, who is trusted and decisive without being impulsive. It is important to maintain appropriate representation within the CMT that does not leave the wider business without leadership while the crisis is being managed.
Human resources (HR): ensures that people issues are being addressed. The role holder should have broad HR expertise or be able to contact an appropriate resource. They should be able to provide quick access to employee data for personnel accountability, contacting next of kin, and can need to address trauma support and trauma counselling as required.
Operations: ensures that delivery of the ongoing services and business priorities is maintained and coordinated appropriately. This function should be able to apply priorities across the organization as needed and allocate additional resources if required.
Legal: provides legal counsel to the team and arranges for external legal support as necessary, participates in communication preparation, and advises on other crisis-specific issues.
Communications: prepares the communication strategy and coordinates the media response which should incorporate legal advice for all communications. The communications lead is responsible for drafting, overseeing the approval process, and disseminating all finalized messaging on behalf of the organization to all relevant internal and external interested parties. Communications has a key role in protecting the brand and reputation of the organization (see also 8.3 and 8.9).
Finance: assesses the financial impact of the crisis and the organization’s response, monitors developments, and advises on/authorizes contingency budgets and emergency spending.
Log keeper: an essential part of the crisis team who maintains a log of all decisions and actions for later reference and use with reviews and reports, insurance or liability issues, enquiries or investigations.
Business continuity representative: advises on appropriate recovery measures.
Other business teams: additional support for the core team is provided by specialist teams, such as risk, facilities, security, information security and information technology (IT), which assess damage and advise on the appropriate recovery plans and available facilities.
Administrative support: depending on the extent of the crisis, the leader and CMT can require administrative support, which can include record-keeping, updating information boards and systems, tracking documents, updating team members and monitoring information channels.
5.3.5 Response
5.3.5.1 General
The CMT should respond to the crisis and take appropriate action depending on the dynamic and complex nature of crises. The CMT should note that each crisis will be unique and include consideration of:
— pursuing situational awareness, with the team confirming their (individual and shared) understanding of the situation and its dynamics, and continually reviewing it;
— examining and monitoring the impact and management of the crisis on business as usual;
— identifying issues and risks, making decisions, assigning actions and confirming the implementation and results of actions;
— setting an operating rhythm for the response, so that meetings, briefings, information dissemination, press releases, conferences, etc., can be arranged coherently and can require 24/7 or protracted resourcing;
— managing meeting agendas and ensuring brevity;
— defining (and continually reviewing) the strategic direction of the response by setting response objectives;
— confirming and reviewing internal and external communications, strategy and media (including social) monitoring;
— reviewing and monitoring the crisis management response to ensure that priorities are understood clearly and that its performance, and the flow of information, are appropriate to the demands of the situation;
— continual identification, monitoring and oversight, and review analysis of interactions with interested parties, to ensure that the right people receive the right messages and information, and that their views, advice and assistance are actively sought;
— monitoring and reviewing the objectives and effectiveness of any subordinate team to ensure their activities are aligned;
— active monitoring and horizon scanning of the situation, including realistic worst-case-scenario planning to inform escalation, potential and proactive mitigatory activities during the response to all CMT members at all times;
— monitoring if there are cascade effects or hidden interdependencies within or outside the organization, and new developments requiring additional or new responses;
— ensuring that strategic crisis response and conflicts of interest or resources are managed;
— ensuring that strategic planning for recovery starts as early as possible.
5.3.5.2 Process for CMT response
The organization should establish and monitor a generic, continual process for the CMT response, including the following (see Figure 3).
— Situational awareness: the CMT should develop a shared situation awareness by promoting active participation and utilizing relevant information from all the CMT members.
— Assessment of potential consequences: the CMT should assess the potential consequences introduced by the specific situation. The assessment should include assessment of the potential consequences to important values and functions, such as people, environment, the organization’s integrity (e.g. ethics, liability and reputation) and its viability (e.g. assets, production and services).
— Defining goals and objectives: the CMT should define goals and objectives that align with the organization’s strategy.
— Planning and prioritization: although the organization has established a predefined generic plan for crisis, the CMT should establish a situation-specific plan for handling the current crisis’ potential. The plan should include objectives and corresponding strategic activities (e.g. HR, communications, production, legal, financial). Responsibilities for activities should be specific and coordinated, as appropriate. The CMT should prioritize its activities based on its objectives and capacity, to ensure that priority is given to the most important strategic decisions.
— Implementation: the CMT should ensure proper implementation of the prioritized work streams and corresponding strategic measures according to its responsibilities. Teamwork should be promoted to ensure the best use of resources and to optimize achievement of objectives.
— Evaluation: The CMT should ensure necessary feedback on implementation for the evaluation of progress. The evaluation should be shared to the CMT as the basis for continual updating of the shared situation awareness, potential assessment and situation-specific plan with corresponding objectives and priorities. Critical thinking should be an integral part of evaluation.

Figure 3 — Process for the crisis management team response
To conform to the response process, the CMT should, as a minimum, ensure the meeting agenda for the strategic meetings to include: a) situation, b) potentials, and c) plan (objectives, work streams and priorities).
The time of meeting and implementation should be balanced to ensure a favourable mix of planning and execution capability.
The transition from response to recovery of the operations by the CMT should be planned at an appropriate time to refocus priorities and objectives. It can be considered when:
— an organization’s viability and integrity are largely assured;
— the response capacity or capability of the organization is sufficient;
— the majority of upcoming challenges and tasks is foreseeable;
— the majority of tasks can be planned.
The transition can be implemented by:
— longer intervals between CMT conferences or shorter meetings;
— transfer of tasks to business as usual operation;
— change in the focus and resources of the CMT.
When the work of the CMT concludes, it should be communicated to those involved including information on who is the point of contact for enquiries.
响应和恢复活动不一定连续,但可以重叠。
The response and the recovery activities are not necessarily consecutive and can overlap.
5.3.6 恢复(Recovery)
恢复阶段涉及处理危机的影响,以及返回“正常”的方式,或适应新的情况,特别是在危机后发生重大变化的情况下。在整个恢复过程中,决策仍宜考虑风险和修正风险的选项。恢复期间中未发现和解决的新兴问题可能会造成进一步的伤害,并可能引发另一场危机。
The recovery phase involves dealing with the effects of a crisis and how to return to “normal”, or adapting to new circumstances, particularly if a major change has taken place following the crisis. Throughout recovery, decisions should still consider risk and options for modifying risk. Emerging issues that are not identified and addressed during recovery can cause further harm and can give rise to another crisis.
计划和协议宜认识到从响应阶段到恢复阶段存在过渡和交接。作为响应的一部分所做的决策可能直接影响到恢复策划。长期恢复目标和问题可以为正就眼前问题做出决策的响应管理者提供信息。恢复小组由CMT的一名成员领导,并配备充足的资源。
Plans and protocols should recognize there is a transition and handover from the response phase to the recovery phase. Recovery planning can be directly affected by decisions made as part of the response. Longer-term recovery objectives and issues can inform response managers who are making decisions on immediate issues. The recovery team should be led by a member of the CMT and adequately resourced.
恢复工作可能是长期的,可能在响应阶段结束后很长一段时间还需要资源。通常以声誉受损、投资者担忧、经济影响以及持续的法律和保险挑战为特征的问题可能会持续相当长的一段时间。组织还宜考虑恢复需要有足够的资源。
The recovery effort can be long term and can need resources long after the response phase is over. Issues often characterized by reputational damage, investor concerns, economic impacts and ongoing legal and insurance challenges can continue for a considerable period of time. The organization should also consider that the recovery needs to be adequately resourced.
宜考虑社会成本,因为相关方可能受到影响。除了物理重建或更换基础设施外,组织还可能被要求支持警察或监管机构的调查或问询。CMT还宜认识到,在个人及其家人直接受到事态影响的情况下,康复和悲伤的自然过程具有敏感性。
The social cost should be considered as interested parties can be affected. In addition to the physical rebuilding or replacement of infrastructure, the organization can be required to support investigations or enquiries by the police or regulatory authorities. The CMT should also be aware of sensitivities attached to the natural processes of healing and grieving, where individuals and their families have been directly affected by the events.
As part of recovery, the organization should:
— have a strategic direction for recovery from the outset;
— start recovery as early as possible;
— consider strategic opportunities.
Giving adequate strategic attention to the recovery effort prevents good work from being undone, the neglect of critical relationships with interested parties, and a failure to realize potential opportunities.
Lost opportunities can include a failure to:
— regenerate the organization;
— cease problematic activities;
— bring forward long-term development plans.
Recovery can present an opportunity to regenerate, restructure or realign an organization. The essence of recovery is not necessarily a return to previous normality. It can entail moving towards a model of operations and organizational structures that represent a new normality, confronting harsh realities and realizing potential opportunities revealed by the crisis.
5.3.7 Continual improvement
Continual improvement is a core element of crisis management (see Clause 9). Experiences from exercises and crisis events support this objective.
The organization should:
— undertake a review of the crisis or exercises, including an evaluation of the response, the plans and procedures, and the tools and facilities, to identify areas for improvement;
— identify lessons to be learned and make recommendations for change, including the responsibilities and timelines to drive changes forward and ensure they are completed;
— learn from the crisis and exercises and make improvements to become better prepared and build resilience, including making changes in the organization, its people, its plans and its procedures;
— conduct debriefs and follow-up communication with individuals, teams and interested parties involved in the crisis to identify learning opportunities;
— reflect and act on lessons so that latent problems and vulnerabilities do not persist and predispose the organization to future crises.
... To be continued.
Originally published on the WeChat official account "业务连续性+".