Authors: Claudio Todaro, Vincenzo Iavarone, Katia Petrini, Stefano Di Traglia
Rome (Italy), 27/04/2020
The serious health emergency caused by COVID-19 has determined the need for the Italian Government to use the capacity of the “Country System” to deal with the dramatic situation.
The sudden communication of the pandemic and its rapid spread “with geometric progression” caused, in a very short time, a sharp reduction in economic activities, the almost total block of private mobility and the social isolation (lockdown mechanism).
We found ourselves faced with an unimaginable scenario, which – although hypothesized in the academic literature – was however unpredictable in the management of its effects, in times and in ways. This fact determined, by national and local institutions, the taking of urgent and limiting decisions on the civil rights (constitutionally attributed to citizens) and with restrictions on the country’s economic production, with the absolute priority of effectively combating the uncontrolled spread of the virus.
The rapid occurrence of the events was accompanied by an acceptable discipline in the behaviours of almost all citizens and by a media communication, however not always coherent, first reassuring and then forced to touch – also through “war metaphors” – the emotional strings of fear (real and perceived).
The contingent situation determined serious consequences for the entire socio-economic system of the country, with high risks for the goods & services availability of primary collective interest.
The immediate activation of public instruments (operational and financial) by the competent departments, coordinated by the Prime Minister, allowed to meet the most urgent needs, avoiding general paralysis and maintaining adequate levels of social stability. At the same time, efforts for emergency management could be maximized, including the creation of some thematic “task forces”.
In this crisis scenario, it was clear – as important National Security topic – the need to protect “strategic industrial assets”, defined as infrastructures and production chains for which the partial or total block of its operating capacities can cause damage to security & wellness conditions of the community.
This project aims to analyze this issue, proposing an organizational model with which the economic operator (asset manager) can prepare an integrated plan for safety management, operational continuity & crisis communication to be applied in case of “state of emergency “.
This model takes into account the best practices of risk management already introduced effectively in the sector of counter-sabotage/counter-terrorism protection of critical infrastructures and sensitive sites, usefully considering the “hall-hazard approach” as meticulous and concrete at the same time, oriented itself to organizational optimization.
Primarily, the interested production sectors are related to utilities (electricity, gas, water resources, waste management), hi-tech industry (defense, aerospace, etc.), health (biomedical research, chemical-pharmaceutical production, etc.), telecommunications (IT products, radio and television broadcasters, etc.), transport system (land, air and sea), steel production, petrochemical sector and agri-food chain.
The proposed organizational model is applied to the so-called crisis scenarios, intended as unconventional situations in which external factors – not foreseeable in the effects – can cause serious prejudices to the operational functionality of the unit itself. Typical crisis scenarios are health emergencies, war events, terrorist acts and socio-economic crises.
There are two categories of organization management: ordinary (in a situation of normal operation) and extraordinary (in a crisis situation).
The operational management of the strategic asset in crisis scenarios must be defined, implemented and validated in ordinary periods.
The protection plan is defined on the basis of a specific protocol, already developed for National Security needs in the context of critical infrastructures and now completed with a section dedicated to the management of communication, of particular relevance in crisis situations, emerged in this pandemic as a further element of risk and as a tool for mitigating it (also useful in executive conduct for mass-behaviour).
The activity is based on a rigorous risk management methodology with the primary target of protecting the organization’s tangible and intangible assets (human resources, goods, technological know-how) and its financial structure.
The protocol is mainly aimed at mitigating the risks deriving from threats of physical, biological, cybernetic and financial nature by hostile national and foreign entities, which have goal of interdiction and sabotage for operational activities or malicious acquisition of technological capabilities.
The threats are classified as follows (in an ascending order of severity):
– perceived threats (possible threats, but without precise information)
– widespread threats (generic threats due to the presence on the territory of criminal groups, unstable socio-political situations, etc.)
– indirect threats (threats addressed to external infrastructures, but with possible repercussions on the asset)
– direct threats (threats aimed specifically at the asset)
Each possible hostile event (for each considered threat) is assessed in its impact and in its probability of occurrence on the basis of the acquired information (in cooperation with the national public security and intelligence departments, responsible for the purpose), defining the so-called “level of risk” (according to the categories: acceptable, medium, unacceptable).
The need for mitigation intervention is also established for each level of risk, which may involve organizational, operational, technological and financial options.
Finally, the protocol provides for the integration of an operations continuity plan and a crisis communication plan.
In the operations continuity plan, the “MPL indicators” (minimum performance level) are defined regarding type and measure of activities which shall be guaranteed, based on the degree of emergency (according to the scenario analysis previously carried out for each threats).
For each of these activities, it’s necessary to define the resources to be deployed at the time of the emergency.
In extraordinary situation, the MPL indicators constitute a prior objective compared to the normal corporate objectives, defined by the organization for the ordinary situation (which can therefore be partially or completely waived in consideration of the changed needs).
The crisis communication plan is a powerful tool for operational risk management of asset, internally improving organizational cohesion and externally mitigating the use of possible destabilizing factors, including those of a hostile nature (disinformation campaigns, excess of information or “infodemics” , not-controlled escalations in equity capital, etc.).
From an operational point of view, the communication plan provides for the definition of internal targets (management, employees, etc.) and external targets (stakeholders, institutional departments, customers, suppliers, public opinion, etc.).
The communication must take place according to the criteria of completeness, clearness, transparency, coherence and efficacy, even more important in crisis situations where the attentions of the entire organization are more focused on operational aspects and the flow of information between internal and external can be placed in the background (significantly increasing system vulnerabilities).
In this sense, the protocol considers the communication plan as a fundamental tool during all phases of the emergency to minimize operational risks (due to confusion, uncertainty and disorientation) and reputational risks (due to false, incomplete or inappropriate information), which can be – if not adequately contrasted – an amplifying element of impacts relating to each threat.
In conclusion, the working group (author of this project) deemed it appropriate to define a methodology applicable to the so-called critical industrial assets for all those emergency situations which can severely degrade their own physical security conditions with direct consequences on operational capacity.
The preparation of an integrated security management, operations continuity & crisis communication plan, according to the criteria showed here, can certainly lead to a significant improvement in the degree of resilience of the organization.
The insurance sector will also have to take on more frequent financial risks deriving from special emergency events and – also in order to limit its excessive exposure to risks of partial or total default of the insured organizations (with consequent strong increase of the premiums for related contracts) – it will promote a fast and effective implementation of mitigation tools, in the interest of all counterparties.
Therefore, the COVID-19 emergency highlighted the drama in its social consequences, imposing a new and coherent approach to analyzing vulnerabilities in the complex organizational systems of the national production area.
Current events show that emergencies (in various critical levels) will be in the future an operating scenario with a high probability of occurrence for any industrial activity.
Consequently, with reference to the economic operators (responsible for strategic assets) and in a scenario of global threat, each organization will be called to greater commitments in crisis management (in terms of measures for security & business continuity), while the State – as a representative of the general interest – will continue to guarantee the necessary instruments of protection and financial support, thus creating a virtuous and synergistic mechanism for an efficient “integrated national system”.
V. Iavarone/C. Todaro – Protection of critical infrastructures – Ministero della Difesa / Rivista Militare nr. 1/2013
C. Todaro/V. Iavarone – Protocol for counter-sabotage/counter-terrorism risk assessment – 2012 ISO 31000:2018 – Risk Management – Principles and Guidelines
ISO 31010:2019 – Risk Management – Risk Assessment Techniques
ISO/IEC Guide 73:2002 – Risk Management – Vocabulary
United Nations – Guidelines for Security Risk Management – 2004
United Nations – Security Risk Management – Learning Module – 2009 US/Department for Homeland Security – Risk Assessment Methodology – Report for Congress – 2007
United Nations – World Health Organization – Communicating risk in public health emergencies – 2017
(expert for “counter-sabotage/counter-terrorism security risk management”)
(expert for “critical infrastructures security & crisis management in not-conventional scenarios”)
(expert for “corporate communication & social media”)
Stefano Di Traglia
(journalist, expert for “political & institutional communication”)
The original article is published on the website https://www.safetysecuritymagazine.com/