Chapter 10
Introduction
In a crisis situation, the effectiveness of an organization’s response is paramount to ensuring business continuity and minimizing long-term impact.
The response process must be swift, coordinated, and aligned with established crisis management protocols.
This chapter outlines the key components of OCBC Bank's crisis response and decision-making framework during a crisis, in alignment with ISO 22361:2021 and best practices for crisis management.
1. Crisis Activation and Escalation Protocols
Crisis Activation:
The first critical step in any crisis is the activation of the Crisis Management Team (CMT). Crisis activation is initiated when a potential or actual crisis is identified, and it is determined that the situation requires a coordinated, strategic response.
OCBC Bank’s Crisis Activation Protocol involves the following:
- Assessment and Identification: Any employee, department, or external partner can trigger the activation by identifying a crisis based on predefined triggers such as significant service disruption, security breaches, or operational failures.
- Immediate Notification: Key stakeholders, including the CMT, senior leadership, and relevant departments (e.g., legal, communication, operations), are notified immediately via established communication channels.
- Crisis Severity Classification: The severity of the crisis is assessed using the predefined Crisis Severity Matrix, which categorizes the event into tiers (e.g., Tier 1: Minor, Tier 2: Major, Tier 3: Catastrophic). This classification determines the escalation level and resources required.
Escalation Protocols:
In ISO 22361, crisis escalation refers to the process of moving from one level of crisis response to another as the situation develops. During a crisis, the decision to escalate follows these steps:
- Level 1: Localized Response – Managed by the affected department with oversight from the CMT.
- Level 2: Regional Response – Cross-departmental coordination led by the CMT to handle broader operational impacts.
- Level 3: Full-Scale Crisis – The full CMT takes charge, and external agencies may be involved. This may also involve the OCBC Crisis Response Group (CRG), which includes government authorities and external partners.
2. Incident Command System (ICS) for OCBC Bank
The Incident Command System (ICS) is a standardized, hierarchical structure used during a crisis to ensure clear roles, responsibilities, and accountability. For OCBC Bank, ICS is a central part of the crisis response and decision-making framework, facilitating an organized and efficient response.
Key components of the ICS at OCBC Bank include:
- Incident Commander (IC): The IC is the senior leader who has the authority to make final decisions during a crisis. Typically, this is the CEO or an appointed CMT member who oversees the entire crisis response.
- Crisis Response Team: The response team is divided into functional units with clear lines of communication and responsibility:
  - Operations Unit: Manages immediate operational issues and resource allocation.
  - Communications Unit: Handles internal and external communications, ensuring consistency and accuracy.
  - Legal and Compliance Unit: Ensures that crisis responses comply with legal requirements, especially in highly regulated sectors like banking.
  - Human Resources Unit: Coordinates the safety and well-being of employees, manages staffing issues, and supports employee communications.
  - IT and Security Unit: Focuses on mitigating any technological or cybersecurity threats that may have triggered the crisis.
Each unit reports directly to the Incident Commander, and the Crisis Management Cell ensures that key decisions are made with a full understanding of the situation's impact.
3. Crisis Response Procedures for Different Scenarios
OCBC Bank’s crisis response procedures are adaptable to various types of crises, such as natural disasters, cyberattacks, reputational crises, and financial fraud. For each scenario, predefined procedures and action plans are set in place to address the specific needs and challenges posed by the event.
3.1 Natural Disasters (e.g., Earthquakes, Floods, Typhoons)
- Preparedness: In the event of a natural disaster, OCBC Bank activates its Business Continuity Plan (BCP) to ensure minimal disruption to critical operations, especially in affected regions.
- Evacuation and Safety: The bank follows its emergency evacuation procedures, which include staff safety measures and shelter arrangements.
- Recovery: The bank coordinates with emergency services and local authorities to facilitate rapid recovery and restoration of services, such as ensuring backup power and communications systems.
3.2 Cybersecurity Incidents (e.g., Data Breaches, Ransomware Attacks)
- Initial Containment: The IT Security Unit will isolate affected systems to prevent further damage and start forensic analysis to understand the scope of the breach.
- Incident Mitigation: The CMT works with external cybersecurity experts to neutralize the threat and prevent further intrusion.
- Regulatory Compliance: The legal and compliance team ensures that the incident is reported to relevant authorities, such as the Monetary Authority of Singapore (MAS), and takes necessary steps to comply with data protection regulations.
3.3 Reputational Crisis (e.g., Customer Complaints, Negative Media Coverage)
- Monitoring and Communication: The Crisis Communication Unit closely monitors media coverage and social media platforms to assess the level of public concern.
- Response Messaging: Predefined messaging frameworks are used to ensure consistent and transparent communication with stakeholders, including customers, media, and regulators.
- Reputation Management: The bank’s leadership will engage with stakeholders directly and, where necessary, issue public apologies or corrective actions.
3.4 Financial Crisis (e.g., Fraud, Market Crises)
- Immediate Impact Analysis: The CMT works with finance and risk teams to assess the crisis’s potential impact on liquidity and financial stability.
- Regulatory Engagement: The legal unit will engage with MAS to report the crisis and ensure compliance with any reporting requirements.
- Internal Control Measures: Any financial fraud will trigger an immediate review of internal control processes and an audit to identify any weaknesses or breaches.
4. Crisis Communication Execution (Internal & External)
Effective communication is crucial during a crisis. It helps maintain control over the narrative, provides clear instructions to stakeholders, and ensures that relevant information is disseminated swiftly. OCBC Bank has established a structured Crisis Communication Plan, which includes both internal and external communication strategies.
4.1 Internal Communication
- Crisis Information Channels: OCBC Bank uses secure and reliable internal communication channels, such as intranet, emergency email alerts, and text messaging systems, to provide real-time updates to employees.
- Key Messages: Clear, concise, and accurate messages are developed to inform staff about the crisis, the actions being taken, and their roles in the response.
- Leadership Updates: Senior leadership conducts regular briefings with employees to ensure that everyone is aligned with the ongoing response and recovery efforts.
4.2 External Communication
- Public Information: The Crisis Communications Team coordinates with the media and other external stakeholders to issue public statements. This includes press releases, interviews, and social media updates.
- Customer Communication: For customer-facing crises, the bank ensures that timely, clear, and transparent communication is sent out via email, SMS, and social media channels. FAQs are also made available to address common customer concerns.
- Regulatory Reporting: In accordance with ISO 22361, OCBC Bank maintains a strong relationship with regulators and ensures that all required reports are submitted promptly.
In line with ISO 22361, OCBC Bank’s crisis response and decision-making process is designed to provide clear guidance, quick action, and efficient communication during a crisis.
By following structured activation protocols, employing the ICS framework, developing tailored response procedures, and executing a well-coordinated communication strategy, OCBC Bank ensures that it is prepared to manage a wide range of potential crises effectively, minimizing operational disruption and safeguarding its reputation and stakeholders.
Leading Through Crisis: Implementing Crisis Management at OCBC Bank