By Allen Forbes, Kimberly Somerholter Moros, and Dan Billquist
-Crisis Planning Specialists from My R2P2
Ring, Ring, “Susanne, it’s Bob. Jim is in my office with an email detailing a computer attack on the hospital’s oxygen control system unless specific demands are met.”
An extortion note? My CFO wouldn’t tell me this unless it was credible. The threat to a vital system sharpened my focus. Preventing interruptions to our oxygen systems is one of my critical information requirements. My staff knows my “CEO Critical Information Requirements.” This short list helps my staff and me focus on the key information we need to be situationally aware and facilitates our ability to make informed decisions.
Both Bob and I heard enough. Our focus and situational awareness shifted to crisis mode. We are in the “Observation” stage of decision making. We need our staff to be engaged and focused in order to “Orient” us to respond correctly and quickly. It was time to pull together our Operational Planning Team and initiate crisis response measures.
The Harvard Business Review tells me that my job as CEO is to link the outside world (society, economy, technology, customers) with the inside world (my organization). I needed a crisis planning process that enables this when we are under attack. (“What Only the CEO Can Do” by A.G. Lafley, Harvard Business Review, May 2009)
Sun Tzu is often quoted in the boardroom but rarely translated into action. A favorite quote of mine has always been: “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
Last year, we suffered through a cyber-attack on our electronic billing system, but at what cost? Countless hours of wasted management time, motivational issues for my technical staff, unforeseen staff augmentation to manage workload and remedy requirements, unknown loss of data, compliance reporting delays, and a sense of dread and fear of what would come next.
Most of my MBA level leaders were accustomed to deliberate planning with a degree of thoughtful certainty for outcomes. In crisis planning we discovered that the hacker, saboteur, hostage taker or otherwise belligerent has a vote. They are actively trying to impose their will on us and do not recognize any “Environmental, Social, and Governance” limitations.
The legacy of the attack on our billing system became a real distraction. At the time, there was plenty of finger pointing and questioning of how we responded. People were fearful for their jobs, feeling unappreciated, overlooked and ignored by our responses and how the situation was handled. The aftermath of the attack was uncomfortable for many and I know it contributed to loss of productivity.
I needed a process that didn’t penalize the making of a decision. In a crisis, I need informed and swift decision making and action. We had to learn to assume the attacker would become aware of our response actions. Whether or not they chose to counter, a new situation was created. We needed to be current in our situational awareness and how our organization was oriented to it. A repeatable system that enabled us to “Decide” and prepared us to “Act” as the situation changed was needed.
We also learned that it’s hard to act as one. Our technology response may not align with our legal position. If we follow our predictable compliance rules, does that afford the attacker advantages? Will our actions match our marketing position? Can our procurement department respond to emergency requirements? Does our insurance cover this? Are the service providers we are dependent upon conflicted?
Clearly, our old ad hoc reaction was not a suitable approach to meet the standards set by the Harvard Business Review or Sun Tzu. Both were telling me I must know my organization, but did I really? I wasn’t aware of many of the downstream issues last year’s billing hack would create. Before the hack, I didn’t know how long the billing system could be off-line before irreversible consequences would manifest.
After that event last year, it became apparent we needed a repeatable process with predictable steps and identified decision points to improve our response to unexpected events. The previous contingency response was basically an unstructured, opinion-based, self-preserving, and personal risk mitigation collection of well-meaning smart people. Making decisions is risky business. Making crisis decisions is even more so, with a potentially high cost of blood and treasure. We had to find a way to separate the personal risk of decision making from organizational risk, validate assumptions, and act with purpose.
Crisis decision making is different than deliberate or strategic planning. For one thing, we can witness the effects of our crisis decisions much sooner. Our actions will cause an effect and we needed to be prepared to observe how the crisis evolves as we are acting. Is the effect what we want? Is it worsening this hot mess? We lacked the organizational maturity to re-orient to the situation.
Before we started our process, our reactions to crisis situations were very energetic, and, shall I say, overpopulated. The fear of missing out (“FOMO”) was in full effect. It seemed to take more time informing various managers of the status than actually deciding and acting. An active hack into our billing system last year was a decisive moment for us. At first everyone had to be involved for right and political reasons. Managing a conference call with 18 managers and three technicians created unnecessary delays in decision making.
In summary, our new process allows us to anticipate and/or respond to potential situations, create standardized responses through analytical decision-making, and act on responses to restore operational capability within hours of a crisis development. It synchronizes the company across time and space ensuring C-Suite planning is aligned with the CEO guidance and intent.
Per our standard operating procedures for crisis response, I knew Bob had instructed Jim, our CIO, to form the team. They would be assembling now in Conference Room 3. Calls are being made, people are assembling, communications are being established, and our process is commencing. Knowing that the team needed time to gather and get started, I wrapped up the task I was working on.
About 10 minutes later came the call I was expecting from our lead crisis planner. Eric is our “Utility Infielder”. He’s a manager in Administrative Services, pretty sharp, knows his way around, is mission oriented, and has the additional duty of shepherding our Rapid Response Planning Process (R2P2). When we initiate the R2P2, he is empowered as my personal representative. Eric’s call confirmed receipt of what information we have and advised me of the response team’s status and of any CEO-level challenges.
Conference Room 3 is immediately repurposed as our R2P2 integrated planning “Situation Room”. Any other use of the room is immediately suspended. In preparation for crisis planning, the room was pre-stocked with normal conference room supplies, including video conferencing, big screens, dedicated power, and full-access communication features. There is not a system or database in the company that cannot be accessed from that conference room.
The R2P2 team has an unrestricted budget. If they need something, they get it. I want to reduce all friction points affecting my planning team. Time is working against us. Tempo is our friend.
Just look at the untold effects the jammed shipping tanker had in the Suez Canal in April 2021. It took months to recover and cost billions in losses. I need to know what “Suez Canals” exist in my organization. I set about the task of discovery. I need to establish a defined set of information requirements to focus my staff’s efforts. These are essential items I must know, and my staff will advise me the moment the conditions are met. We call these “CEO Critical Information Requirements” (CCIR), and they are essential to facilitating timely decision making.
Developing a CCIR is not a trivial task; many organizations built for crisis use them and have developed processes for creating them. The military uses CCIR as a cornerstone of its commander’s decision-making process and offers this insight: “CCIR are not a hard set of reporting requirements limited to specific actions or events, but more a philosophy of command and feedback that can generate opportunities and decision space.” – A former Commander of the United States Central Command
Now, we have an opportunity to determine if all our work since the billing system hack is worth the effort. Have we improved our situational awareness, crisis response processes, and staff focus to be better prepared to cycle our Observe, Orient, Decide and Act loop on this threat effectively and quickly?
Return next week on June 24th, for the second part of this two-part series on a fictional, but highly effective response to a cyberthreat in a healthcare facility.
This article is the first in a series of informational aids for the C-Suite reader. Attackers are becoming more sophisticated and creating real world impacts affecting every aspect of daily life. We need to actively plan and rehearse our operations in this new environment as we steer in these hostile waters. As William Shedd once said, “A ship is safe in harbor, but that’s not what ships are for.”
Our series will respond to questions such as:
- How do I create and manage CCIRs?
- Do I understand the R2P2 method, or “What is actually going on in Conference Room 3?”
- What decisions have to be made?
- How are people empowered during a crisis?
- Is our succession planning in place, and what does the delegated decision-making tree look like?
- Do I have enough information to make a decision?
- What is the impact of delaying a decision?
- How do leaders manage tempo through decision-making?
ABOUT THE AUTHORS
Allen Forbes is a retired reservist Lieutenant Colonel of US Marines and President of PMCAP, a service-disabled veteran owned small business. Allen has 30 years’ experience in crisis planning and decision making in national security and international commercial environments. From preparing for and managing cyber and physical crisis events at start-up through Fortune 100, to planning military special operations and coordinating space-based resources, Allen is a decorated practitioner, planner, and mentor. In 2016, Allen added Thunderbird School of Global Management to his list of Master’s degrees.
Kimberly Somerholter Moros is a retired US Army Colonel who served for 28 years. Kimberly’s years of experience in crisis planning, communications, influence and decision making made her the go-to when developing strategic communications strategies and mentoring international decision makers. Kimberly is active in national security as a strategic international engagement advisor who develops and implements strategic communications plans for targeted engagements.
Dan Billquist recently retired as a Lieutenant Colonel from the US Army after 28 years. Dan served as lead influence planner for US Special Operations and NATO forces for 11 years, overseeing operations in the Baltics, Central Asia, the Middle East, and East Africa. For his final assignment, he was selected to serve on a mobile training team which assisted senior military leaders and their staff with contingency response planning and decision making. As a graduate of the Naval Postgraduate School, he earned a Master of Science in Joint Information Operations.
The authors can be contacted at www.myr2p2.com.