Responding to a crisis is much easier to do when youâve already planned for it, and know exactly who is involved and what steps to take. This is why Amber Freeman, Legal Manager at Aerobotics, uses risk and scenario analyses to build crisis management plans, like the one they used in response to COVID-19. It not only helps her team find the weaker points of their systems, tech processes, and workflows, but helps them respond faster and more effectively if and when a crisis hits.
Here is Amberâs advice on how to set up your own crisis management plan using a scenario analysis, and what impacts it had for her team in responding to COVID-19.
Do your own risk and crisis management plan - for yourself, or for your team - by downloading Amberâs template here and following the steps below!
Transcript
[04:37] Amber:
There goes my pen. I don't know why I need a pen, I just like to fiddle with it.
[04:44] Jomiro: Yeah, it feels like you're actually getting some stuff ... I know when I'm thinking, I tend to fiddle with things because I feel like I'm at least productive.
Amber: I always just fiddle. Yeah. Yeah, me too.
[04:52] Jomiro: Let's start with your role at Aerobotics. Tell me a little about what you do, what kind of interactions you have with the tech team, in terms of legal work?
Amber: Okay, cool. I'm the legal manager at Aerobotics, I'm actually the legal team. I work with most departments across the business.
In terms of the tech side, I think the biggest thing that I work with the tech guys on is a lot of our IP strategy. So, when new products are being developed, looking at how we can commercialise those, what protections we can implement there. As well as on the data privacy side, which is a big one. Then, it comes into a lot of the regulatory stuff as well, because we have a global business. The flow of data between entities, and between countries has to be managed properly, so I work a lot with them as well, on that side. It's pretty interesting.
[06:01] Jomiro: Just out of interest, could you tell me a bit more about - when you say data privacy - what kind of data are you keeping private, or you're working with, in terms of privacy?
Amber: Sure. There are a couple of sides. One is, obviously, from an employment side, but that's obviously not too much on the tech side.
On the tech side, it's more because at Aerobotics, we work with farmers, we work with their business, and we'll go and we fly their farms. In terms of the tech side, we collect data from farmers, so we'll process their data. It'll go through our models, it'll analyse it, and give them various outputs. The data we keep on hand is separated out, so we'll have rural imagery data that's collected from drones that's processed through our models, and stored in the cloud. And then, we'll also have, obviously, our source codes, and what the guys have developed, that's also stored in the cloud. Then, we'll also have personal information, our farmers, for example, names of businesses, addresses. Obviously, we've got bank account information and stuff like that, for payments.
There's a lot of different pieces that come in and out there, so we always have to make sure that we keep our clients data safe, as well as our own proprietary information, our source code, and all of that safe as well.
[07:25] Jomiro: I think what's interesting there is your work around, or how you think about, IP and data privacy. Diving straight into the main focus of the conversation, when COVID-19 first hit, you as a company, as Aerobotics responded in a number of ways, from setting up your team remotely, having certain plans in place for your clients and your customers as well. But, one of the things that you did specifically, as a legal manager, was to set up a crisis management plan.
I'm quite interested to hear, especially from a technical perspective, the kind of thinking and the set up that setting that crisis management plan up involved. So for developers, I think problem solving in the way you had to do is something they could relate to. But, I'd also like to understand if I were a developer, how I could set up my own CMP, and also then implement it based off what you learned.
Before we dive into the process you followed, in simple English, what is a crisis management plan? Who needs it, and what do they need to do, what situation? Yeah, maybe just in simple terms, give me a little bit of a definition, so I know what a crisis management plan is?
Amber: Sure. To me, and from my experience, a crisis management plan is a forward looking document, or policy that you have on hand, which has three different aspects to it. One is that it provides a complete overview of either your workstream, or your business if you're the owner of a business, and it looks at the sensitive points, or risk points, in your workstream. Then, it will run a scenario analysis on what would happen in a crisis, and how those risk points would be affected. The last portion of it would be an action plan as to how you would deal with a worse case scenario, and how you would deal with all those scenario analyses. That, to me, is a crisis management plan.
[09:40] Jomiro: Who needs a crisis management plan? And, in what kinds of situations would you use one?
Amber: I think, as every person involved in a business, and every business owner would need a crisis management plan. From a legal perspective, for example, I ran my own team. Maybe, if you're a developer, you're working on certain workstreams, you always want to know where you would, and what you would do if things had to somehow go wrong, because obviously you're responsible for that set of work.
As a business owner - so, I've put Aerobotics as a business - as a whole, it was super important to get every department's, maybe I could call it a mini crisis management plan, to correlate it, so that they could have a company wide policy to get us through, for example, this COVID-19 situation, in a really clear and set up manner.
[10:41] Jomiro: Thinking about what a crisis is, I think COVID-19 is obviously an example of a scenario, which I think is really interesting. But maybe just give me an idea of what other scenarios do you, as a legal manager for Aerobotics, consider a scenario for a crisis? What other things count as a crisis?
Amber: I mean, there's many things that could be a crisis. One could be an employment strike. Two, could be from a tech side. What if you have a security attack, a security attack on all of your platforms, your employees are locked out? What if your code is stolen, what if there's a breach in privacy? That would be a huge crisis management plan. There could be some regulatory law that comes up, that prevents you from operating the way you do. In our perspective, if South Africa suddenly said tomorrow, "Drones are no longer allowed to be used," that would be a huge crisis for us. Yeah, that kind of thing.
[11:39] Jomiro: Do you think about a crisis management plan for every single scenario? You could say, "If Armageddon struck tomorrow, we'd have to have a crisis ..." Do you have one for every scenario, or do you do it on a case by case?
Amber: In my mind, any crisis, even though there would obviously be quite specific issues that would come up, every crisis would normally have pretty much the same kind of results. One, is it would be extremely difficult to operate properly, that would obviously affect your day-to-day parts, from an employee's perspective. Two, it would obviously affect the business from a revenue perspective, if you're not allowed to operate properly, or if it becomes extremely difficult. And three, it would put you in a position where you would have to make very quick decisions, with quite a small amount of preparation time.
So, I think you can almost generalise what would happen in a crisis, and an important part of that is to do a risk analysis on the business, which I do a lot just because of my position. I think that can be customised into whatever situation comes up later.
[12:58] Jomiro: Yeah, I'm really excited to dive into some of the details there. But, just to make sure I'm understanding correctly, this idea of a crisis management plan, in essence, you can use for planning ahead, and thinking about how you would handle a crisis if you were to fall into one. But, there's some element of painting a scenario that would be a difficult one, and that would match a number of criteria which speaks to your idea of generalising.
So, it doesn't have to be COVID-19 specifically, but you generalise you and you say, "If we couldn't come into the office, if our clients were potentially limited in how they could operate their businesses, if we had a huge decrease in revenue because of those businesses not being to operate," and that you use those generalisations to then customise it. And say, "We are in a crisis. Do we have a management plan for this kind of crisis?" And then, you work forward from there. That crisis can literally be, like you said, our code is stolen, our business cannot go into the office, you can have any level of crisis that these kinds of things can be useful for.
Amber: Exactly. Like I said, I think it's always good to be prepared for any kind of scenario, and there are definitely things you can do, in terms of a crisis management plan, that would suit any situation.
[14:21] Jomiro: So, diving into yours in particular, can you tell me a little bit about the kinds of things your crisis management plan for COVID-19 included?
Amber: Sure. For COVID-19, in my personal plan, we have to look at a review of all of our relationships across the business. So whether that was with clients, or whether that was with suppliers.
For example, we had to think about okay, what if our storage facility, our cloud storage facilities, weren't able to perform properly, what would we do there? What if we weren't able to provide our services to clients for a specific period of time? How can we manage those relationships, to make sure that we're not at risk of, obviously, a litigation perspective? And also, that we're not at risk of stopping to operate, or suspending to operate at any time. That was a big thing to do, an overview of exactly what relationships and what operations needed to stay in place for us to continue during this time. It involved a lot of negotiation, and chatting to our suppliers, and to employees, and to our clients, and to, for example, drone pilots, to make sure that we were doing the right thing there.
Another was, we have to look at our people - we always want to, first and foremost, take care of our people as well as our clients. So it was looking at what we were allowed to do and not allowed to do, in terms of continuing at the office, remote work, if somebody got sick, all of that.
Another important one was looking at the relief available. So if things went really, really badly, what the government was offering, where we could use the advantages in terms of reporting and stuff like that. We also had to be really, really aware of all the restrictions that were put in place in a bunch of different countries, obviously we're a big, global business, and keeping tabs on all the companies that we used in all those different countries, to make sure that their situations hadn't changed. Something that was very specific to us as well was, obviously, we needed to look to make sure that we were still allowed to have drones fly over areas, to continue operating.
Another important part was communications to employees and to clients, in terms of a marketing perspective. Then also, just to generally provide good practice advice, just along the way. I think was is pretty difficult about this kind of crisis is that everything changes so quickly that just need to have to make sure you keep tabs on everything that's going on.
From a tech perspective as well, which was super important, with everybody working remotely you have to make sure that your systems are secure, that you have to be sure that if you're dealing with proprietary or sensitive information at home, that you're keeping that private, and make sure employees are keeping that private as well. You don't want somebody walking past, and seeing somebody's financial information, or something like that. So making sure that we implemented those kinds of processes, there, and making sure we had good data privacy practice in place as well, and making sure that continued even though everybody was working remotely, and accessing things from different devices. That was a big part of it, from the tech side as well.
Then, just look at, from a larger business perspective, is working with a lot of the team leads and our executive team on strategy, and to collate this information into one big plan that the company could use, going forward.
[18:27] Jomiro: I mean, that is a long list of things. How did you know when you had enough covered? How did you know you were covering all your bases? I can imagine, you could go on, and on, and on about we've got to consider this, and this, and this, and this, and that. How did you know when you were like, "Cool, we have covered all of our basis?" How do you approach that?
Amber: It's definitely, in terms of a collaborative team effort, I think to know you've covered all your bases is to know that you've looked at every part of the business, and to run scenario analyses there. Obviously, there has to be some kind of stop, and it is an ongoing thing because the laws and regulations and things are changing, every five minutes, we still have to keep looking at that.
But, I think a good skeleton to use is to say okay, these are my day-to-day processes. Could these be impacted? If they could be impacted, then this should go into my crisis management plan. Even if it is a broad number of things, it is better to be over prepared than under prepared, in my opinion.
[19:39] Jomiro: So you look at the day-to-day operations for the different departments in your company, and you use that as a skeleton for the kinds of things you have to think about.
Amber: Exactly. I think what a good thing to do there is when you look at day-to-day operations and you think, if one of these processes had to stop, or be suspended, or something had to go wrong because of this crisis, if that was a possibility, then that would go in under that department's heading. Then, to collate that information, and put that into one action plan going forward. There needs to just be judgment on what is the most likely to happen, what is the least likely to happen, which will depend on what your business is and where you're working.
[20:30] Jomiro: Do you have an example - just on that âlooking at a particular processâ - an example from your case? Just to illustrate the kind of processes you thought about, that might be impacted.
Amber: I'm thinking of, if I want to say from a development side, one of the processes was we actually turned it into an advantage, because we looked at, okay, our customers normally need a lot of labor workers on their farms. Our solution, obviously, allows for automation of those processes, so let's focus on that and make sure that we help farmers to deal with this time, by automating their processes and just having one pilot to go out there. But, is the pilot allowed to go out there? If the pilot wasn't allowed to go out there, how are we going to still assist farmers, and plan for that? Luckily, we were fine on that basis.
[21:28] Jomiro: Right.
Amber: I don't know if that's a good enough example.
[21:32] Jomiro: No, absolutely. I think that also points to, I think, something you alluded to earlier, you can't create a CMP in isolation, you have to be talking to all of your teams, and you have to be coming up with the scenarios.
Maybe we can jump back to something you said earlier: These scenario analyses you do with these teams, and with the people in your company, to figure out what could go wrong, how would we respond. What does a scenario analysis look like? How do you think about one? How would I do one, if I was to start now?
Amber: Sure. In terms of a scenario analysis, what we would need to do is say, "Okay, this is a risky part of the business."
So for example, let's say, okay, we're all working remotely, everything is stored in the cloud. We have a security problem with the cloud and we can't access it, we're locked out. The scenario analysis would be, okay, what would be a likelihood of that happening? What would be steps taken to avoid that happening?
For example, okay we need to contact our cloud service provider, and make sure that they are fine, and nothing is going wrong on their side, step one. Step two, if for some reason this still had to happen, what would be the process, and what would we need to do in order to make us whole again? Three, what would maybe be the commercial and financial impact on us, if this had to happen, and the effect on day-to-day processes? Or, who would need to be involved in that process, and making sure that they would be prepared to do what they needed to do, to get us back to continuing normally?
[23:15] Jomiro: Why is the likelihood important to consider? You mentioned that you assess the likelihood of that happening. Why do you include that in the scenario analysis?
Amber: I think it's just important to think about what you can control, and what you can't control. When I say likelihood of it happening, I'm saying likelihood of it happening despite, maybe, action taken to stop that from happening.
For example, if it's something out of your control, like it's completely dependent on another supplier for example, there could be a higher likelihood of it happening because it's not within your realm of control. I think, also, when you look at a crisis management plan, I think you alluded to it earlier as well, you can go on a complete tangent and just say, "What if this happens, what if this happens, what if this happens?" But, you need to be rational, and logical, and just apply your judgment to see what would be the most likely to affect the business, and how you would deal with that.
Then, if something else comes up which you didn't foresee, unfortunately that may happen, but at least you can try to be the best prepared you can be.
[24:30] Jomiro: What format does this scenario analysis take? How do you capture that information? Do you just have a big meeting, and you all throw your ideas into a doc? Or, do you record the conversation? How do you capture that data, so that it's easy to access and to read?
Amber: Sure. In my experience, and it's just my - obviously, everyone's different - but in my experience it's better to look inwards first, so look at yourself first.
I created a doc to say, "These are the workstreams I'm dealing with, this is what I think could happen, this is how I would deal with it." The wider teams in the business, our exec teams and everything... everyone should do the same thing.
Then, you collate that into one plan, which looks at multiple departments, and then it would obviously just be a discussion surrounding all the information you have, to maybe cut it down. Or, put it into a more reader friendly format. But, to definitely have some kind of policy on hand, and I would almost make it a business policy in the business, which is set up in a document so that it's clear for everyone to see.
[25:39] Jomiro: Does everyone take ownership of their own workstream? Like, you did this crisis management plan for your day-to-day tasks, someone else in a different department did the same for theirs. Then, you compile that into one easily accessible doc?
Amber: Yes, that was our experience to do that. I think when someone's working on something day-to-day, they know the job best. It's best to let people make their own documents first, and then it can be discussed at a wider level. Obviously, it's very important to get input from the wider business as well.
[26:18] Jomiro: Cool. I guess, if you have a template for that, it's easy enough for people to work with that, they don't have to do too much heavy lifting. You can say, âhere is a template for this thing, think about the risk pointsâ - I think you said earlier âwhat those would be, where stuff would break down, and what you would do.â I think that step by step for the scenario analysis is a really cool, useful way to set up those templates.
So you've done the scenario analysis, you've thought about all those risk points where, for this particular thing, might go wrong, and what you would do. You then collate all the different risk points that people have put together, you compile that into a doc. What did you do next, for your process? What was the next step for that?
Amber: So, for our process, we collated an intro doc. For my specific one, it was implementing certain action plans that I suggested.
So for example, if I saw that there was risk with, maybe, one of our suppliers, the next step would be to have a conversation with our supplier, speak to them about potentially negotiating some other kind of deal. Or maybe from the tech side, from a security perspective, running tests, making sure that everything's fine on that side. The next step, to me, would be the mitigation tasks, if I can call them that.
Then also, in our experience, we obviously have investors, and shareholders, and stakeholders to report to, so this document was so useful to report to those people who have a vested interest in the business, to say, "We're covered, here. We're planning, and we know what to do, and we have a contingency plan in place for this kind of thing."
[28:06] Jomiro: Yeah. I was going to ask, and you've sort of answered that now. It's like, what impact or value did having a CMP have on your team, and on your business?
Amber: Sure. That would obviously be one of the things, it just shows that the business is prepared. I think, for me personally, and in my experience when facing some kind of crisis like this, you can really lose your head a little bit. For me personally, having a set process in place just calms everyone down, and lets them know what they want to do. Thankfully, we have an amazing team, and everybody's willing to do everything they can to help. So having that step-by-step structure to say, "Okay, in this situation, what do I need to do? Let me go do that, and try," had huge value.
Another great spinoff from it was that it was such a great collaborative task, everyone got involved, and worked together to create this plan for the business, which was just a really cool process to go through, despite the current situation.
[29:17] Jomiro: To your point earlier, of having to be aware of things changing - which is a reality especially for a crisis like COVID-19 - how often do you revisit those scenario analyses you do? Or, how often do you go back and adjust, or tweak, or edit? Is that something that's included in your workflow for a CMP?
Amber: Yes, definitely. What I would suggest, and what we did, is we allocated specific people to the plan, to say you can almost make them an administrator of the plan, for example. For me, just because of where I am in terms of the legal perspective, it obviously falls on me to keep track of regulations. So it's an ongoing thing, every time a new regulation comes out which would affect the plan, I would update my various information. Then, I think it was just expected of each team to say, if something else came up, or they needed to update, they would update.
It's pretty much done on an ad hoc basis, and just giving everyone the responsibility to make sure that the information was up to date.
[30:25] Jomiro: Do you have a particular way of making sure you remember to update certain things? Like, do you have a mental trigger for, oh wait, this might affect that scenario that I did three months ago, I need to go and update it? Or, how do you personally manage that? Because I can imagine if you have many, many CMPs, and many different scenarios, you might lose track, to some degree. Or, forget to make a change because it's a minor detail.
Amber: Definitely. For us, I think, it would match our reporting timelines. For example, if your team needs to provide a quarterly report, or monthly report, then I would update it on the same basis, just to make things a bit easier for yourself.
[31:06] Jomiro: So just stack it with stuff you're already doing? That makes sense. Yeah.
Amber: Stack it with stuff you're already doing, and add it to your to-do list. Then, I think just always keep it in the back of your mind.
[31:15] Jomiro: Yeah. Maybe, in retrospect, having worked with CMPs before, what is one of the biggest lessons that you've learned? That maybe you would give to anyone who is struggling to think about a CMP, or even that you would give to yourself, maybe a few months ago before you started thinking about this really intentionally. What was one of the biggest lessons, or pieces of advice you've gotten?
Amber: I think one of the biggest lessons that I've learned is to make this a priority, because you never really know what's going to happen on a day-to-day basis. I mean, we've clearly seen that now. And to make sure that you're constantly thinking about your day-to-day processes, and how maybe they can be updated or improved, I think that was one of the lessons that I really did learn here. There were definitely things that could have been done before, that would have helped manage this kind of situation better.
Just advice that I would give is try and not get panicked about doing this kind of work, it looks like a huge amount of work. It looks like such a big project at the beginning, but if you just structure it out and say, "Okay, what do I do every day? Let me put that down. What are my big projects? Let me put that down." Then you just think, okay, how could this be impacted, how could this be improved? You just put it in a doc, or whatever way suits you, you'll see that it just comes together nicely. As long as it's structured, and you've got at process in place, you'll feel a lot better about it, that it's somewhere, and that you can always go to it, if need be.
It's also great, as an employee, or an owner of a business, or anything, it's a really good thing to have, to show that you're committed to reviewing your work, or your business, and done this kind of thing to make sure that you're prepared. It's a really good thing to do.
[33:32] Jomiro: If I'm looking at this huge project of the CMP, and you may have already said it now, but what's the best first step? What's a really good entry point to start? How have you made an effective way of starting the seemingly big project?
Amber: For me personally, what I did was I started with a document, and I opened one up and I said, "Okay, where does my role touch this business? What do I do on a day-to-day basis? If one of these processes went wrong, or something happened, what would need to be done in that situation?" Call that as a mitigating action. If I couldn't save the situation, and it was worse case scenario, what would need to be done there, in terms of who would I need to alert? Where we could potentially get help, what could be best done to put the business in the best situation. Then, just go with each task, just do it from there.
Then, once that was all done, you can imagine it was quite big, and quite messy. I just bullet pointed it up, and made it a bit more ... I cut some of the fat out of it, and just made it more easy to read. Which took some time, it is a big task to do, it's a time consuming task, but definitely, those kinds of steps made me deal with it a lot better.
[35:04] Jomiro: I think what's really cool is once you've done it once, you can generalise it, and use it over and over again, for a bunch of similar crises. So actually, you're being kind to your future self, as they would say.
Amber: Exactly. It's just, actually, a really good exercise to see, sometimes you forget to think about what do I do every day, things get away from you. It's always good to have that kind of information at hand.
[35:32] Jomiro: Absolutely. Yeah, it's a nice way of doing a sanity check, or a sense check, on the day-to-day stuff that you don't think about anymore, just because it is a day-to-day thing.
Amber: Exactly. It can also remind you of things that you've forgotten about.
[35:45] Jomiro: So a very revealing exercise, all in all.
Amber: Very revealing exercise, yeah.
[35:53] Jomiro: Yeah, I think that's a fantastic wrap up of what a crisis management plan was, in your case, and obviously helped you and your team quite a lot. As you said, the benefits went from, obviously, having an action plan that you could follow, calming people down, the collaboration of the entire thing, bringing people together. And also, just being a good - what do you call it, a grooming thing? A spring clean - of some of your operations, and figuring out, oh wow, this is actually quite a risk point, we should maybe think about this going forward. I think it's a really cool process to have gone through, in any case. Definitely sounds like a positive to have come from COVID-19, whatever.
Thanks for sharing your insight, and taking the time to chat to me about it.
Amber: Sure, no problem. Happy to, this is great.
[36:48] Jomiro: Yeah, great. Now, we are all prepared for the next global pandemic, should it ever come.
Amber: Yeah, ready to go. I hope we donât get there, but we're ready to go if it is.
[36:58] Jomiro: I was going to say, I'm hesitant to say bring it on, because I don't really want anyone to bring it on. But, if and when, we're ready.
Amber: Exactly. Hopefully, this will help a couple of other people be ready as well.