Editor’s Note: During this crisis, The Cooperator family of publications will be passing along information, tips, and FAQs submitted by our network of industry professionals, including attorneys, managers, and other subject matter experts. The views and opinions expressed are those of the contributors, and as the situation evolves in the coming days and weeks, those views and opinions may evolve as well. We encourage readers to be mindful of this; check posting dates, make note of contributors’ locations and industries, and above all, consult with your own community professionals as you and your neighbors navigate this challenging landscape.
Hurricanes, construction fires, cyber-attacks, catastrophic flooding, and wildfires are just some of the many threats our industry faces on a daily basis. Given this unpredictable and volatile risk landscape, multifamily management firms must be proactive in readying their communities to handle and navigate any and all crises that might come their way.To manage risk effectively is to embed risk mitigation strategies across the enterprise—and that begins with the C-Suite. Whether it’s a cyber breach, impending wildfire or even a rare infectious disease outbreak, clear-minded, well-orchestrated decision making is key.
To ensure effective incident management, firms should start by creating a Crisis Team comprised of senior executives charged with developing the plan and carrying it out. This type of plan should be flexible and actionable, regardless of whether the management firm is facing a potential outbreak like COVID-19, or staring down a catastrophic hurricane. Team members should include personnel from the corporate suite, risk management, human resources, legal, information technology, and operations. And team members should have decision-making and spending authority.
Write a Plan
Having a written plan in place will help organize and streamline the incident response process. The incident response players must have clarity on roles, responsibilities and authority during an incident. Without clear instructions and authorizations in place, personnel will respond inconsistently, which can be especially damaging to an organization’s brand and can also create legal or regulatory risks. Similarly, without clearly identified procedures, organizations run the risk of departments duplicating efforts, wasting both time and resources. A written plan will help to provide structure, clarity and organization around the incident response process. The time to develop an incident response plan is not after your community is impacted directly.
Roles and Responsibilities
It is also imperative that the plan identify roles and responsibilities during the incident response process. The plan should clearly designate an Incident Commander who is ultimately in charge of the response process, and who has real-time decision-making authority. In particular, the plan should be clear about the scope of the Incident Commander’s authority and whether any approvals are needed before certain actions can take place, especially with respect to actions affecting company systems. Similarly, the plan should identify key incident response team members (including designated back-ups) and clearly define their roles and responsibilities for the incident response process.
Perhaps one of the most important aspects of the incident response process—and one which frequently causes problems for organizations—is the communications process. It is critical that the incident response plan establish clear communications protocols, including triggers for cross-functional coordination and escalation. Key personnel are unable to carry out their responsibilities if they are unaware of incidents that require their attention.
A common communications error is neglecting to engage the appropriate parties early enough in the incident process, so it's important to establish clearly-defined triggers for when certain departments and players need to be informed of and engaged in the response.
In addition, it's also necessary to establish clear protocols for when to escalate issues to senior management. The plan should be clear as to who is responsible for reporting to senior management, and when such reporting should occur.
Late engagement with the legal department is especially problematic. For example, if legal is not engaged early enough in the process, the risk for noncompliance with state or federal laws (e.g., breach notification requirements) increases, which can result in—or detrimentally affect—government investigations or litigation. Legal is also needed for ensuring attorney-client privilege protection, which can be important in related litigation or investigations.
The plan should also include clear procedures for external communications, including who is authorized to speak on behalf of the company, and what approvals are required for them to do so. Because public health incidents can be complex and have legal implications, early involvement by your firm's legal department is also important for reviewing and approving external communications—especially public statements to the media and press. Facts develop quickly, and many pieces of information are often unknown during the early stages of the incident response process. Apartment companies must develop a clear strategy for handling media inquiries at this early stage, such as cold calls from reporters. One way to manage this is by creating pre-developed templates or canned holding statements.
Relatedly, companies will frequently experience an influx of questions from customers as well as employees outside of the response process during early stages of an incident. Therefore, this process should be memorialized in the incident response plan, including who is responsible for drafting communications for this audience, how the information will be communicated, and any associated approvals required for doing so.
Finally, the plan should establish clear protocols for communications with third parties, such as law enforcement and first responders, public health officials, affected individuals and insurance or other business contacts. Requirements or expected communications with public officials and affected individuals is often dictated by state law, and can vary substantially across jurisdictions. Thus, legal counsel needs to maintain control and oversight of determining what, if anything, should be communicated, as well as when such communication should occur to these parties.
Test Yourself and Your Plan
A management company can have a plan that seems perfect on paper, but that can be rendered meaningless if the policies are not effective, or are not internalized by key players in the process. Companies that test their incident response policies have a significant advantage—from both a practical as well as a liability standpoint—over those who execute these procedures for the first time in response to a real-life crisis. Testing the incident response plan in a controlled environment allows the organization to identify and remediate gaps or deficiencies, and to use the experience to prevent making similar mistakes in the future.
Implementing a clear process for documenting 'lessons learned' after any type of crisis event—as well as ensuring those lessons are adequately communicated across the organization and accessible for review and consultation during future events—will help deflect any allegations that the company failed to learn from its past mistakes. Lessons learned meetings should be held regularly after live incidents, as well as pre-need incident response exercises to review the effectiveness of the plan and to identify necessary improvements to existing security controls and practices. The information gleaned from these meetings should be used to identify and correct any noted weaknesses and deficiencies in policies and procedures.
Follow-up reports generated for each resolved incident can be helpful not only for evidentiary purposes, but also for reference in handling future incidents and in training new team members. Multifamily firms should communicate these procedures and make these materials available to appropriate parties across the organization.
Kevin Donnelly is Vice President for Government Affairs for the National Multifamily Housing Council, with responsibility for representing the interests of the multifamily industry before Congress and federal agencies. Prior to joining the Council, Kevin served as a Legislative Representative for the National Association of Realtors.