Crisis management and emergency preparedness
Crisis management is important for companies and organizations that want to control quality, environmental responsibility, and safety. ISO 14001 and ISO 45001 include explicit requirements for emergency preparedness and response. ISO 9001 requires risk-based planning and relevant contingency measures where risks can affect products, services, customers, or process results.
This chapter separates the standards’ requirements and turns them into practical work.
ISO 9001, ISO 14001, and ISO 45001 share the same basic idea: the organization should understand its risks, plan actions, and follow up on whether the chosen ways of working are effective. But they do not set identical crisis-plan requirements.
- ISO 9001 requires risk-based planning where risks can affect products, services, customer requirements, or process results. That may lead to contingency procedures, but the standard does not require a general crisis management plan for every type of crisis.
- ISO 14001 requires the organization to prepare for and respond to potential emergencies that can affect the environment. Procedures should be tested where practicable and updated when needed.
- ISO 45001 requires emergency preparedness and response for situations relevant to occupational health and safety. The work should consider hazards, OH&S risks, and the people who may be affected.
A practical preparedness plan should therefore connect scenarios to the business:
- Which events can affect customers, the environment, or occupational health and safety?
- Who alerts, decides, and communicates?
- Which first actions reduce harm or disruption?
- Which exercises, checks, and updates are needed so the procedure works?
Practical examples of crises include natural disasters, technical failures, and cyberattacks. Regardless of the situation, organizations must have clear procedures and plans in place to manage crises effectively, minimize damage, and protect staff and operations.
For example, if a company experiences a significant data breach, its crisis management plan should include steps to isolate the issue, inform stakeholders, conduct an investigation to identify the cause of the breach, resolve the problem, and then implement measures to avoid future breaches.