Steps to prepare emergency response guidelines

First find out the real risk level of the scene you are in, then break down what each character has to do into unambiguous executable actions, and finally run through the closed loop of verification iteration - those standardized processes on the Internet that often take more than ten steps are essentially an extension of these three core links, and you don't need to be confused by fancy templates.

There are actually two completely different risk management ideas in the industry now. There is no distinction between high and low, and they are suitable for different teams. One is the "scenario exhaustive method" favored by old-school practitioners who have been in emergency management for more than ten years, which is to pull out all the emergencies that have occurred in the same industry and the same size in the past 3-5 years, even marginal low-probability events. When I helped a leading e-commerce company make the 618 system emergency guide last year, I first listed 27 risks with products and operation and maintenance. Finally, I asked Lao Zhou, who had worked in the operation and maintenance department for 12 years, to squat by the computer room and chat for an afternoon, and then added "Off-campus operator owner" The dry optical fiber was dug out by the construction team" and the "temporary power outage in the office building exceeded 4 hours and the backup generator failed" were two scenarios that no one had thought of before. Later that year, 618 actually encountered the incident where the optical fiber was almost dug out, and the plans made in advance were directly used. The other is the "extreme pressure backwards method" that has become popular among small teams in recent years. Instead of getting hung up on the minutiae, first determine what the worst-case scenario is. For example, how much loss can be accepted at most if the trading system is completely down for 3 hours, and then backwards estimate the core risks that must be covered. It is suitable for an entrepreneurial team with only a few people or a dozen people. You can't spend half a month exhausting scenarios just to write a guide, and you don't have to do any business. Just choose the one that suits you. There is no need to listen to so-called experts who say that all risks must be 100% covered. Unrealistic requirements are essentially hooliganism.

After exploring the risks, the next step that is most likely to be pitted is the writing of disposal actions. I have seen too many guides written with correct nonsense, such as "report to the relevant leaders as soon as possible" and "relevant personnel handle it in a timely manner". When an accident really happens, everyone is confused. Who knows who the relevant leaders are? Who are the people involved? Those who write this kind of thing are basically made up by people sitting in offices who have never dealt with real accidents. Qualified disposal actions must meet the "three requirements": they can be implemented, they can be held accountable, and they can be implemented quickly. When I went to a chemical company to communicate before, I saw their hazardous chemicals leakage disposal card. The page for the security guard at the door wrote three lines: 1. When you see smoke/smell a pungent odor, immediately turn off the power, shut down the main ventilation valve of the factory area. ； 2. Use the intercom to call the security director. If there is no answer within 1 minute, directly dial the mobile phone number of the vice president in charge (two phone numbers are printed directly on the back) ； 3. Stand upwind about 100 meters away from the factory entrance and block irrelevant personnel from entering. There are no empty words, even if the security guard is new, just follow the instructions. There is also a controversial point here: should the disposal process be written in more detail, or should it be more flexible? In fact, it depends on the scenario. In fields with zero error tolerance, such as hazardous chemicals, firefighting, and civil aviation, you must know the order of each action. One more step or one less step may lead to big troubles. ； However, for scenarios such as public opinion response and user disputes, which are inherently ever-changing, you only need to draw clear red lines. For example, the public opinion guide I made for a consumer brand only included three prohibitions: no saying "we are not responsible for this", no private promises of compensation beyond the authority, no quarreling with users, and the rest of the communication skills can be flexibly adjusted by yourself. If it is really stuck, it will easily have counterproductive effects.

Many people think that once the process is written, printed, and bound, everything will be fine. In fact, the most easily overlooked and core step is the subsequent verification iteration. I have come across something very funny before: Last year, an offline education and training institution had an incident where parents besieged the campus. The person in charge pulled out the emergency guide that he had prepared before and called the compliance director. After calling the number three times, the number was empty. When I asked, I found out that the person had left his job half a year ago, and no one had touched the guide since it was written. There is no unified standard for verification methods. Medium and large enterprises with money and energy can conduct desktop deductions every quarter. A few people sit down and play out the scenario. For example, if the system is completely down, what will you do in the first step of operation and maintenance? Who will the customer service contact in the first step? If you go through it, you will find many loopholes that were not considered before. ； A small team doesn't need to be so formal. Every time there is a small incident, you can just make a few changes to the guide during the review afterwards. For example, last time the customer service was complained because they didn't know how to respond to the user's special request, so they added the corresponding reference skills. After half a year, the guide will be particularly practical.

Finally, I would like to say my sincere words after working for so many years. Don’t make those kinds of exquisite color manuals with dozens of pages. No matter how beautiful the printing is, front-line employees will not be able to flip through it. The best way is to correspond to an A4 paper for each position. Print the 3-5 core actions you need to do on the front, and print the phone numbers of all emergency contacts on the back. Sticking it next to the workstation is better than anything else. And when writing, don’t let the administration or HR sit alone in the office. You must talk to the front-line workers. If you ask the administration who knows where to open the server room door to write the emergency steps for operation and maintenance, it will be strange if what you write can be useful.

To put it bluntly, the essence of the emergency guide is to give everyone reassurance. When an accident happens, you don’t have to make panic decisions. It is enough to be able to solve 80% of common emergencies. The remaining extremely low-probability incidents cannot be solved by paper procedures.