FORM M – MEDIA INQUIRY LOG
Responder details
Responder Name:
Date:
Time:
Caller information
Journalist’s name:
Publication/broadcast station:
Deadline:
Contact details:
Key questions / areas of interest
Additional information requested
Broadcast media interview request details
Deadline:
Live or pre-recorded:
Likely duration of interview:
Preferred location of interview:
Who else will be interviewed (if any)?
Part 5 Crisis Communication Plan
FORM N – STAKEHOLDER CONTACT INFORMATION
Organization | Contact Name and Title | Work Telephone | Mobile Telephone | Email | Fax | Relationship Owner
Government
Ministries
Embassies
Governmental Agencies
Neighboring Governments (e.g. Bahrain, Jordan)
Commercial
Customers
JV Partners
Investors
Industry Associations
Financial
Banks
Insurance
Brokers
Assessors
Shareholders
Market Analysts
Utilities
Saudi Electricity Company
National Water Company
Saudi Arabian Railway
Saudi Arabian Airlines
Emergency Services
Police and Civil Defense
Armed Forces
Coast Guard
Medical Services
Saudi Air Ambulance
Regulators
High Commission for Industrial Security (HCIS)
Deputy Ministry of Mineral Resources
Royal Commission for Jubail & Yanbu
Capital Market Authority
Media (national, regional and international)
Local Media
Regional Media
International Media
Financial Media
Trade Media
Television
Radio
Print
Online
Social Media
Interested Parties
Neighboring Communities
Neighboring Facilities
Non-Governmental Organizations (NGOs)
Internal Parties
Employees
Executives
Boards
Relatives
Support Functions
Contractors
Suppliers
Lawyers
Local Municipalities
FORM O – POST-CRISIS DEBRIEF
The questions below are designed to provide a basis for evaluating Ma’aden’s Crisis
Communication response and to document lessons learned and incorporate future
improvements.
• In what ways, if at all, could the crisis have been avoided or reduced in magnitude from a
communications perspective?
• What worked well during the initial crisis response? What did not work well, causing problems,
surprises and disappointment?
• How effective were communications within and between the teams handling the crisis? By
following a planned and structured approach when dealing with a crisis, the following ten common
pitfalls should be avoided:
• Failure to plan & rehearse
• Failure to act
• Overreaction
• Bending the facts or being ‘economical with the truth’
• Lack of empathy, sympathy or concern
• Attempting to blame others when culpable
• Accepting blame when not culpable.
• Communicating too much or too little
• Rushing to judgment
• An absence of teamwork
• Restriction of information to the internal audience
• What little things made a difference in our response? What little things might have made a
difference if they had been available?
• How well did our existing operations and communication plans work? What needs to be changed
to make them more useful?
• What’s our assessment of the news media coverage and the impact of the coverage on the
organisation: employees? customers? partners? management? reputation?
• In what ways, if at all, could we have managed media coverage more effectively?
• Who in our organisation (and outside) really stood out—positively and negatively—in terms of
their contribution to the crisis response? In what ways should these people be recognised and
rewarded?
• What would we do differently if we had to do it all over again?
4. Plan Maintenance & Exercising
4.1. Plan Maintenance
To ensure the continued suitability, adequacy, and effectiveness of this plan, it shall
be reviewed and updated at least annually. However, a more frequent review and
update process may be required as strategic changes occur in the organization or as
and when the Corporate Communication Department deems necessary. The following
scenarios may trigger the need for review and potential update of this plan:
• Major changes in business processes or organization structure
• Major changes in technology/applications used
• Significant changes in the environment in which MA’ADEN operates
• Findings raised by internal and external audits
• Changes raised by BCM exercises
• Changes raised by corrective or preventive actions
• Changes in stakeholders and relationships
• Changes in location of current facilities
• Significant changes in operating procedures
• Acquisition of or merger with another company
• Following post-crisis reviews of incidents that resulted in invoking the plan and
minor incidents that might indicate shortcomings in response capabilities
Additionally, transfers, promotions or resignations of department personnel may also
trigger changes, especially to assigned roles and responsibilities and contact information.
4.2. Plan Exercising
This plan shall be exercised periodically per the requirements defined in MA’ADEN’s
BCM Manual. Plan exercising shall be coordinated, and results recorded by the
Corporate Communication Department. The objectives of exercising are to:
• Determine the state of readiness of this plan to respond to and cope with a
disruption.
• Ensure that staff understands their respective roles during a disruption.
• Determine whether responsibilities, tasks, and steps are adequate to support
selected MA’ADEN continuity strategies
• Determine if information and actions documented in the plan are accurate and
viable.
• Critique results to determine changes required to the plan for it to remain viable.
• Determine the effectiveness of interactions with other functions carrying crisis
roles such as the Group Crisis Management Team (CCMT).
• Determine whether the plan has been properly maintained and updated to reflect
Ma’aden’s crisis communication requirements.
Part 6
Maintenance, Exercising and Training
Table of Contents
PART 6
6. Maintenance, exercising and training
6.1. Maintenance
6.1.1. Introduction
6.1.2. Validation
6.2. Training
6.2.1. Executive training
6.2.2. CMT training workshop
6.3. Exercising
6.3.1. Objectives
6.3.2. Responsibilities
6.3.3. Pre-exercise preparation
6.3.4. Post-exercise reporting
6.3.5. Facilitation
6.3.6. IT systems
6.3.7. Business continuity
6.3.8. Timetable
Appendix A - Exercise Plan
Appendix B - Post-exercise Report
Part 6 Maintenance, Exercising and Training 156
6. Maintenance, exercising and training
6.1. Maintenance
6.1.1. Introduction
In line with international best practice principles, maintenance is a critical part of
keeping Ma’aden’s crisis management framework responsive, operationally effective
and in a constant state of readiness (phase 4 below).
[Cycle diagram showing four phases: Assess risk and threats; Develop strategies; Implement plans; Maintain plans and systems]
Figure 1: Control Risks’ approach to crisis management – this model draws on international standards, including ISO 27001
and BSI-Standard 100-4.
6.1.2. Validation
Regular review ensures the crisis management framework keeps pace with changes
within Ma’aden and its operations. The crisis management framework must be
controlled centrally by the Corporate Industrial Security Department, to ensure that
only the most up-to-date and current documents are in circulation.
CRITERIA | FREQUENCY | RESPONSIBILITY
Crisis management framework document (all PARTS) | Annually | Corporate Industrial Security Department
Contact information and team membership | Quarterly | Corporate Industrial Security Department
Crisis management escalation criteria | Annually or when ERM risk register changes | Corporate Industrial Security Department
Equipment and working order of the designated crisis command center | Quarterly | Corporate Industrial Security Department
Crisis management training workshop (each CMT) | Annually | Corporate Industrial Security Department
Crisis management exercise (each CMT) | Annually | Corporate Industrial Security Department
6.2. Training
Prior to any exercise, each CMT and its members will be taken through a training
module:
6.2.1. Executive training
Prior to any group training workshop, individual CMT members will be taken
through a personal session to ensure they have a comprehensive
understanding of their individual:
• role in the CMT
• responsibilities
• issues / concerns they might need clarifying
6.2.2. CMT training workshop
Following on from the individual training, a workshop (held once per year) will allow
each CMT to familiarize themselves with:
• The forum (CCC)
• The core components of a robust CM capability
• The Ma’aden crisis management plan
• The R-A-C-E-R process
• The ‘First Response Protocol’
• Individual roles and responsibilities
• Group dynamics (right people doing the right job)
• Practice a table-top* exercise
* Table-top exercise scenarios will be based upon Ma’aden’s quarterly risk review. This will ensure the scenarios properly
reflect the risks associated with the company’s operations. Table-top scenarios allow for discussions as participants work through
realistic crisis situations. This will help define the crisis management policy and plan.
The table-top exercise is facilitated and includes structured facilitator questions designed to encourage interaction among team
members. A series of ‘snapshot’ scenarios should be used, and the exercise is typically conducted over a three to four-hour time
period in a CCC setting.
6.3. Exercising
Exercising is an important step in assuring that all crisis management and corporate
preparedness elements within Ma’aden are aligned and well-integrated. Building a
response capability is more than just having a plan - it is IMPERATIVE that teams
rehearse to give members an opportunity to practice implementing what they have
learnt and to validate the concepts, processes and protocols in the plan under
hypothetical semi-live* scenarios.
Teams will be exercised one time per year. The exercise can be conducted with
participation from a single CMT, or in combination with other CMT members from the organization.
*Semi-live exercise scenarios last four to six hours. Participants are afforded the opportunity to demonstrate individual and
team crisis management capabilities by reacting and taking actions based on a simulated crisis or emergency situation. Rather
than simply discussing what the Team would do under the scenario (as in a tabletop exercise), the Team actually carries out
their decision-making, response actions and communications process in real-time in a fast-paced, pressured environment.
Semi-live exercises typically use role-play and interactive media for realism.
6.3.1. Objectives
The exercises should test Ma’aden’s crisis management teams across a
comprehensive range of indicators and elements, to include:
• Initial response to an incident
• Reporting an incident
• Assessing the severity of the incident and classifying it as class 1 to 4
• Convening [mobilization]
• Roles and responsibilities [full team present and correct]
• Executing the ‘First Response Protocol’ [initial agenda on convening]
• Appropriate escalation [both upwards and downwards]
• Delegation of tasks [both upwards and downwards]
• Internal communications between teams
• External communications with stakeholders and the media
• Ability to control social media
• Testing of alternates [back-up CMT members]
• Decision making [fast and effective actions based on the information available
at the time]
• Resolve
• Crisis command center [functional forum]
6.3.2. Responsibilities
The Corporate Industrial Security Department is responsible for:
• Oversight of all phases of the training and exercise (e.g. determining the training
objectives, planning, preparation, delivery and evaluation of the training).
• Preparation of training facilities
• Pre-exercise preparation and preparation of an exercise plan (an exercise plan
report template can be found in Appendix A)
• Ensuring the correct people are available and present for the exercise itself
• The suitability of documentation for each exercise phase, to ensure it is both
appropriate and relevant
• Facilitation of the exercise
• Collation of the training exercise results to ensure the implementation of
improvements identified during the training (a post-exercise report template
can be found in Appendix B)
• Post exercise reports must be aligned, standardised and consistent across
the Group.
• Recommendations being actioned and centrally registered. This will ensure the
CM framework is constantly improved upon and lessons are learnt.
6.3.3. Pre-exercise preparation
A brief exercise plan should be produced, circulated, discussed and agreed prior
to any exercise. As a minimum this exercise plan must include:
• exercise aim or the object of testing
• identification of constraints on the exercise or test process
• exercise performance/success criteria
• selection of type of exercise or test
• choice of a location
• date and time of the test
• preparation requirements/facilities
• participants attending
• any business risks the test/exercise may introduce
6.3.4. Post-exercise reporting
At the end of each exercise an exercise report should be written, distributed and
agreed with the crisis management owner. As a minimum the exercise report must
include:
• the exercise aims and objectives, whether they were met and, if not, the reasons
why
• the exercise performance/success criteria and whether they were met
• any constraints on the exercise
• details on the type of exercise/test
• the location of the exercise
• the date and time of the test
• facilities provided as part of the test
• the participants who attended/took part
• any business issues resulting because of the test
• actions arising from the exercise, with dates and times
• approval/sign-off from the senior person present during the exercise
6.3.5. Facilitation
Each exercise should have a nominated facilitator from the Corporate Security
Department. The facilitator should be responsible for the planning, facilitation and
pre/post-exercise report production.
6.3.6. IT systems
A separate schedule should be developed to plan and coordinate IT system testing.
This should be coordinated and owned by the IT department and follow the relevant
industry standards (for example ISO 27031 - ICT Guidelines for BCM readiness).
6.3.7. Business continuity
The business continuity team should maintain and execute a schedule for the
individual and collective testing and exercising of the business continuity plans in
accordance with internal guidelines, industry requirements and recognized industry
best practice and standards (such as ISO 22301 - Business continuity management
systems — Requirements and ISO 22313 - Business continuity management systems
— Guidance).
6.3.8. Timetable
A timetable of tests has then been constructed based upon each CMT conducting:
• 1 x training session (T)
• 1 x individual semi-live exercise (SLE)
• 1 x integrated semi-live exercise (ISLE)
The following timetable will need to be discussed and agreed upon with each
Business Unit.
EXERCISE SCHEDULE 2015
DEPARTMENT | Sessions scheduled (Jan to Dec)
HQ Group Crisis Management Team (Group) | T, SLE, ISLE
Phosphate Crisis Management Team (Local) | T, SLE
Aluminum Crisis Management Team (Local) | T, SLE
MGBM Crisis Management Team (Local) | T, SLE
MWSPC Crisis Management Team (Local) | T, SLE
IMC Crisis Management Team (Local) | T, SLE
* One member of the Local affiliate level CMT to be present at the Group level SSLE (Affiliate Vice President)
Appendix A - Exercise Plan
CRISIS MANAGEMENT EXERCISE PLAN
Exercise Name:
Exercise Time:
Planned exercise Date:
Exercise Location:
Planned Exercise Attendees:
Exercise aims & objectives:
Exercise constraints (1 to 4):
Exercise performance/success criteria (1 to 6):
Type of exercise: Desktop Y / N | Semi-live Y / N
Exercise facilities/requirements:
Business risks due to the exercise (1 to 6):
Appendix B - Post-exercise Report
CRISIS MANAGEMENT EXERCISE PLAN
Exercise Name:
Exercise Time:
Planned exercise Date:
Exercise Location:
Actual Exercise Attendees:
Exercise aims & objectives: | Achieved (Y / N) | Reasons / details
Exercise constraints (1 to 4):
Exercise performance/success criteria (1 to 6):
Exercise performance/success criteria (1 to 6) | Met (Y/N) | Reason
Type of exercise: Desktop Y / N | Semi-live Y / N
Exercise facilities/requirements:
Business risks due to the exercise (1 to 6):
Lessons learnt from the exercise (1 to 5):
Actions arising (1 to 7): # | Action description | Due date | Responsibility | Signature
Approval / Sign-off: Name | Date
Part 7
Glossary of Terms
Table of Contents
PART 7
7. Glossary of terms
7.1. Acronyms
7.2. Terms
Part 7 Glossary of terms 170
7. Glossary of terms
7.1. Acronyms
ACRONYM TERM
BCM Business Continuity Management
BS British Standard
BSi British Standards Institute
CCC Crisis Control Centre
CMC Crisis Management Committee
CMP Crisis Management Plan
CMT Crisis Management Team
CRO Chief Risk Officer
EMC Emergency Management Centre
EMP Emergency Management Plan
EMT Emergency Management Team
IMT Incident Management Team
IMP Incident Management Plan
GCMT Group Crisis Management Team
GIRT Group Incident Response Team
ISO International Standards Organisation
MAC Mining Association of Canada
7.2. Terms
TERM | DEFINITION
Assessment | The approach taken to quantify and/or qualify the severity of impact to the organisation by an incident using the assessment table detailed in the crisis management framework Part 3 – Assessment and escalation.
Business Continuity | The strategic and tactical capability of the organisation to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable, predefined level.
Business Continuity Institute | The Institute of Professional Business Continuity Managers and Practitioners.
BCM Lifecycle | A series of business continuity activities which collectively cover all aspects and phases of the BCM programme. BCI use the same lifecycle as the British Standards Institute in BS 25999/ISO 22301.
Business Continuity Management | A holistic management process that identifies potential threats to an organisation and the impacts to business operations that those threats – if realised – might cause, and which provides a framework for building organisational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.
Business Continuity Steering Committee | A top management group to give direction, advice, guidance and financial approval for the BCM programmes undertaken by the BCM Manager and various BC Coordinators.
Crisis | Is an abnormal, unstable and complex situation, with a wider impact than that of an incident or emergency, but which threatens the strategic objectives, reputation or existence of the organisation.
Crisis Management | Is the process by which an organization manages an abnormal, unstable and complex situation, with a wider impact than that of an incident or emergency, but which threatens the strategic objectives, reputation or existence of the organisation.
Emergency | Is an incident which is outside the control or scope of the immediate management and requires additional authorities, or tactical decisions, or which requires a timely response due to its magnitude and potential for further escalation into a crisis.
Emergency Management | Is the management process of coordinating response to an incident which is outside the control or scope of the immediate management and requires additional authorities, or tactical decisions (a Major Incident), or which requires a timely response due to its magnitude and potential for further escalation into a crisis.
Emergency Preparedness Plan | Describes the requirements for establishing plans, systems and trained resources to prepare for and respond to a broad range of emergency situations, such as fires, explosions, medical incidents, severe weather, security threats, acts of terrorism or other emergencies that could potentially affect the location.
Emergency Response Coordinator or Incident Commander | Is the individual with primary responsibility for implementing a location's organized response to emergency incidents.
Emergency Response Plan | Is a written, location specific plan, that describes how the location shall comply with applicable laws and regulations in the event of an emergency. The emergency response plan describes the planning, controls, procedures, and training necessary to prevent or minimize the potential harm caused by fire, explosion, chemical release, release of hazardous substances, wastes or oils, medical incident, weather, bomb or security threat, or other emergency that could occur at the location.
Emergency Response Team | Is a team of designated employees that have been organized, trained and equipped to manage one or more emergency situations that may occur within the plant property such as fire, hazardous materials release, medical or special rescue.
Evacuation | Is exiting a location to a safe distance from buildings or other structures.
First Response Protocol | An agenda to be used by the CMT when they meet to guide the approach to reviewing an incident, clarifying its potential impact and deciding on the appropriate response.
MAC | Mining Association of Canada
Governance | A framework of responsibilities and activities discharged by executives and senior management that consists of leadership, organisational structures and processes to ensure Ma’aden sustains, protects and supports the achievement of Ma’aden’s strategy and objectives through consistently monitoring, assessing and responding to incidents that can affect its people, essential services and activities along with their supporting facilities and infrastructure.
Incident | Is an adverse or disruptive event that has the capacity to lead to the loss of or a disruption to an organization’s operations, services, or functions – which, if not managed effectively can escalate into an emergency, crisis, or disaster.
Incident Command | Is a structured emergency response organization, headed by an incident commander or emergency response coordinator that provides the support needed to establish and maintain command and control in emergency situations. For smaller locations using outside emergency response services, incident commander or emergency response coordinator duties may be limited to meeting outside responders and directing them to the appropriate location. The location emergency response coordinator would at that time turn over command to the outside response agency.
Incident Management | Is the management of an adverse or disruptive event that has the capacity to lead to the loss of or a disruption to the organization’s operations, services, or functions – which, if not managed effectively can escalate into an emergency, crisis, or disaster.
Issue | A point or matter in question or in dispute, or a point or matter that is not settled and is under discussion or over which there are opposing views or disagreements.
ISO 22301 | The international Standard for a Business Continuity Management System.
PEARS | An acronym used within the RACER process (see below) to help clarify the priority to be applied to protection and strategy when responding to an incident and/or crisis (People, Environment, Assets, Reputation, Stakeholders)
Project | A set of interlinked activities with a defined start and end date, which achieve a specific objective.
Program | A set of interlinked projects or groups of activities which have a defined start and end date and achieve a set of objectives.
RACER | The 5-step process adopted by Ma’aden for notifying and assessing an incident, activating the CMT and managing the incident through to resolution.
Risk | Effect of uncertainty on objectives. NOTE 1: An effect is a deviation from the expected – positive and/or negative. NOTE 2: Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organisation-wide, project, product and process).
Risk Appetite | The amount and type of risk that an organisation is willing to pursue or retain.
Risk Mitigation | The elimination or reduction of the frequency, magnitude or severity of exposure to risks, or minimisation of the potential impact of a threat or warning.
Risk Tolerance | The organisation’s or stakeholder's readiness to bear the risk, after risk treatment, in order to achieve its objectives.
www.maaden.com.sa