Crisis Management for Biobanks

Abstract

All organizations are subject to risk and uncertainty. Adverse events may disrupt normal organizational activity and may even cause complete failure of business operations. Biorepositories are also at risk and there have been instances where multiple samples or entire collections have been destroyed. Biobank guidelines accordingly recommend the establishment of contingency plans to reduce risk to an acceptable level. In this review article, we will use general theory on risk management and illustrate how such principles can be used to establish a practical crisis management plan for any biobank organization.

Introduction

Biobanks have been affected by fire, hurricanes, flooding, earthquakes, and adverse publicity.^1–5 In the best practice document for biorepositories published by the International Society for Biological and Environmental Repositories, it is stated that “Repositories should have a written disaster recovery/incident response and business continuity plan for responding to a wide variety of emergency situations.”⁶ However, neither in this document nor in other guidelines on biobanking^7–9 is it stated how such a contingency plan should be developed and maintained. In this article, we will therefore review key concepts of crisis management and show how these can be used in practice. Our intention is not to discuss theoretical aspects as such, but to show how biobanks can develop and maintain a crisis management plan based on sound theoretical concepts. The issues discussed are generic in nature and can be applied for biobanks of all sizes and in all contexts.

Definitions and Main Theories

Crises and risks

The terms “crisis” and “risk” are key concepts in crisis management. Broadly speaking, one can state that a crisis is a situation to be avoided, and that the way to do so is by reducing the impact of potential threats (risks).

There is no universally accepted definition of “crisis,” but most authors focus on the potential negative outcome of a crisis. According to Hermann, a crisis (i) threatens high-priority values of the organization, (ii) presents a restricted amount of time in which response can be made, and (iii) is unexpected or unanticipated by the organization.¹⁰ Seeger et al. have argued that all three conditions need not be present, but that the perception of a serious and credible threat is a requisite feature of a crisis.¹¹ In this review, we will use the term crisis to describe “an event that may bring an organization into disrepute and imperils its future.”¹²

Definition Box 1: Crisis

A crisis is an event that may bring an organization into disrepute and imperils its future.

The term “risk” can be defined as “an opportunity for exposure to adverse consequences,”¹³ or quite simply the chance that something undesirable can happen.¹⁴ Risk is often expressed numerically as the probability (that some undesired event might occur) multiplied with the impact (that particular event would have).¹⁴ By using a numerical scale ranging from 1 (very low) to 5 (very high) with respect to both probability and impact, calculated risk can be grouped into risk categories. It is common to use three or four risk categories and to illustrate risk acceptance levels by colors (Table 1). The numerical values used for the various risk acceptance levels are not fixed values, but decided by the person(s) undertaking the risk analysis.

Table 1.

Risk Can Be Expressed Numerically as Probability Multiplied by Impact

Using numerical values ranging from 1 (very low) to 5 (very high) for both probability and impact, calculated risk values can be grouped into risk categories. A risk matrix with four risk categories is illustrated; low (green), intermediate (orange), high (yellow), and very high (red). The numerical values used for the various risk acceptance levels are not fixed values, but decided by the person(s) undertaking the risk analysis.

Definition Box 2: Risk

Risk is an opportunity for exposure to adverse consequences.

Risk can numerically be expressed as Risk = Probability × Impact.

Crisis? What crisis?

The understanding and consequences of similar events possibly leading up to a crisis will vary between different individuals. A possible event will not pose a risk unless the individual doing the assessment ascribes some kind of value to it. In a study on a Swedish public transportation administration, it was found that organizational risk conceptions derive primarily from what managers consider to be of value.¹⁵ The risk of such a limited scope is that such values can be in discordance with values of other stakeholders, particularly outside the organization itself.

Crisis theories

Theories on organizational crisis encompass sense making, chaos, and organizational learning.¹⁶ In the step-by-step practical approach for crisis management outlined below, we lean on theories from organizational learning.

Crisis management

There is no common definition of the term “crisis management,” but in this review, we will use the term for “the systematic attempt by an organization to avert crisis or to effectively manage those that occur” (modified from Ref.¹⁷).

Definition Box 3: Crisis Management

Crisis management is the systematic attempt by an organization to avert crisis or to effectively manage those that occur.

All processes related to (i) the identification and handling of risks potentially leading up to a crisis, (ii) the handling of the crisis itself, and (iii) the activities undertaken after a crisis to improve organizational learning should be included in the concept of crisis management. These activities are closely related to the frequently used three-stage model of a crisis: the precrisis stage, the crisis stage, and the postcrisis stage (Fig. 1).^18–21

FIG. 1.

Illustration of a three-stage crisis model with corresponding main components of a crisis management plan.

Crisis management plan

Following the reasoning outlined above, a crisis management plan can be defined as “an organization's written documentation on how to prepare for, handle, and learn from a potential crisis.”

Definition Box 4: Crisis Management Plan

A crisis management plan is an organization's written documentation on how to prepare for, handle, and learn from a potential crisis.

The successful development and implementation of a crisis management plan require a clear organizational decision that someone should do something. The decision must be a valid top-down decision made known to all relevant organizational members. The decision must empower named individuals to establish an organizational framework for crisis management and undertake a valid process for the establishment, implementation, and maintenance of a crisis management plan. The organizational framework should include an overall strategy on risk and crisis management, a clear definition of roles and responsibilities, and a culture where input, including warning signals, from individuals is encouraged and not seen as unwanted noise.^20,22 The process related to the establishment, implementation, and maintenance of a crisis management plan should be based on sound principles for continuous quality improvement such as the plan–do–study–act cycle.

Crisis management is about handling unexpected events. The handling of such a nonroutine issue requires a process where a variety of organizational members, and possibly external parties, are involved. The individuals engaged must establish a common agreement on goals, priorities, and possible solutions.²³

Crisis Management in Practice

A biobank can be established in a wide variety of settings, from a single person starting to collect material using an already established infrastructure within an existing organization, to the creation of a completely new organization with brand new infrastructure. Independent of setting, the establishment of a biobank should be considered a project with distinct phases: (i) initiation, (ii) planning, (iii) execution, (iv) monitoring and controlling, and (v) closing. Following these five project phases, normal biobank operation ensues (Fig. 2, lower half).

FIG. 2.

The establishment of a biobank should be considered a project with distinct phases: (1) initiation, (2) planning, (3) execution, (4) monitoring and controlling, and (5) closing, followed by daily operation (lower half). The aim of a risk management process is to reduce the initial high risk level to a predefined acceptable level. This is always best achieved with a thorough risk management process in the planning stage of a biobank (upper half).

The best results with respect to risk reduction are always obtained when risk management is done appropriately in the planning phase of a biobank (Fig. 2, upper half). However, risk management is an iterative process and must be undertaken both in the biobank setup phases and in the subsequent operational phase.

The precrisis phase

In the following, we will walk through the generic blueprint for the crisis management process illustrated in Figure 1, using real-life examples from the authors' own experience. The process is independent of organizational size, can be attuned to local needs, and does not necessarily require large resources. The examples used are for illustrative purposes only, and the readers should bear in mind that the crisis management process will always be context dependent.

Establish a crisis management team

It is possible to establish one crisis planning team for the development, implementation, and maintenance of a crisis management plan and another team for the handling of an acute crisis. However, in our opinion, it is better to establish a single core crisis management team to handle all aspects of crisis-related issues. Crisis management teams comprising members with prior interactions (such as in a precrisis planning stage) will probably function better than teams without prior interaction.²⁴

Recommendations on whom to include in a cross-functional crisis management team will depend on the type of organization in question. Representatives from top management, lawyers, human resource managers, information technology experts, finance managers, and communication personnel are among the types of organizational members recommended.^25–27 However, an effective crisis team may not be defined by the formal title of the individuals included, but by other personal and team characteristics. Heterogeneous teams, where members have diverse opinions and values, tend to out-perform homogenous groups.²⁴ Independent of group composition, the crisis management members must be given the authority to act as they find appropriate in a crisis situation.

Example Box 1: Crisis Management Team at the Wales Cancer Bank

The Wales Cancer Bank, being embedded within a large university and university hospital, has established a crisis management team consisting of the following five persons:

• The biobank manager

• The biobank administrative officer

• The biobank IT-manager

• One member from Cardiff University Facilities Management

• One member from the Department of Pathology, Cardiff and Vale University Health Board

Risk identification

Risks are usually categorized into main types.^12,28 However, one must guard against the danger of ignoring risks that do not fit into categories in a predefined scheme. In our opinion, categorizing potential risks should be looked upon as a useful tool in the process, not as a definite set of possibilities.

The process of identifying risks can be done by using (i) checklists based on own experience and/or literature, (ii) (semi-)structured interviews of individuals with particular knowledge in the field, (iii) brainstorming sessions, and/or (iv) assumption analysis. The latter is a process where underlying, usually unspoken assumptions are listed and challenged.²⁹ In our experience, the following risk categories are useful in the initial risk identification process for a biobank:

• Adverse perception/publicity: Both publicly stated and less well-known opinions

• Change in regulatory framework: For example, change in privacy legislation

• Economic: Funding and/or cost recovery

• Malevolence: Both from within and outside the biobank

• Management and human resources failure: For example, loss of key personnel, mismanagement, skewed values, discrimination

• Natural disasters: See Ref. 30

• Product/service failure: For example, when biological samples, associated information, and/or analysis based on these do not meet the end user's expected standard of quality

• Technological and structural failure: For example, failure of building components, equipment, and software.

With respect to the majority of categories listed, there are to our knowledge, no “definitive” checklists available. The identification process must be based on a combination of the risk team's own knowledge, the context of the individual biobank, and elements previously described in the literature. However, regarding natural disasters, there is a checklist available,³⁰ and an abbreviated list is shown in Table 2. With respect to the risk category “Technological and structural failure,” we recommend that the best practice document for biorepositories published by the International Society for Biological and Environmental Repositories⁶ is used as a basis for establishing a checklist deemed relevant for the biobank in question.

Table 2.

Natural Disaster Categories That Can Be Used as a Checklist for Risk Identification

Disaster group ³⁰	Disaster main-type	Disaster subtype
Biological	Animal stampede
	Epidemic	Bacterial, fungal, parasitic, prion, and viral infectious diseases
Climatological	Extreme temperature	Cold wave, drought, extreme winter conditions, forest fire, heat wave, land fires
Extraterrestrial	Asteroid/meteorite
Geophysical	Earthquake	Ground shaking, tsunami
	Mass movement (dry)	Avalanche, landslide, and rockfall, subsidence
	Volcano	Volcanic eruption
Hydrological	Flood	Flash flood, general (river) flood
	Mass movement (wet)	Avalanche, landslide, rockfall, storm surge/coastal flood, subsidence
Meteorological	Storm	Extratropical cyclone, local/convective storm

As noted earlier, risk identification and assessment undertaken by a limited number of organizational members may cause important issues to be ignored or downplayed. Engagement with key stakeholders,³¹ both internal and external, is therefore recommended as a way to reduce the risk of a crisis.³² At which stage in the risk management process such a dialogue should take place is open for debate. Doing it in the risk identification phase has the advantage of obtaining feedback as early as possible. On the contrary, one might appear to be unprepared and spend resources to receive no additional information from that already developed by the crisis management team. We recommend targeted stakeholder engagement to be done in the risk prioritizing stage (see Prioritize risks section). This still allows the biobank to make necessary adjustments before starting on the next step, to decide how to cope with prioritized risks.

Risk assessment

Having identified a number of risks, one must analyze their potential negative effect on the biobank. There are several ways of doing this, but in the initial stage, we recommend a simple 2 × 2 impact–probability matrix. Such an assessment related to natural disasters is shown in Figure 3.

FIG. 3.

Risk assessment of natural disasters as undertaken by the Wales Cancer Bank.

In the subsequent biobank planning and execution stages, a more thorough approach to risk assessment is necessary.³³ Risk factors can then be analyzed based on their potential influence on the following four areas:

• Health and safety of human beings

• Monetary values/economic issues

• Environmental impact

• Organizational reputation

Impact and probability can both be graded using five-level scales as shown in Tables 3 and 4, respectively.

Table 3.

Example of a Five-Level Risk Impact Scale Used for Risk Assessment

	Area of influence
Value (label)	Health and safety of human beings	Monetary values/economic issues	Environmental impact	Organizational reputation
5 (catastrophic)	Likely deaths and many with serious injuries	Economic loss >60 million EUR	Large uncontrolled release.	International media attention. Public inquiry. Organization must close down.
			Regional impact with reparative effort >10 years.
4 (very critical)	Possibly deaths and many with serious injuries and/or grave diseases	Economic loss 12–60 million EUR	Large release.	International media attention. Public inquiry. High impact on organization.
			Local impact with reparative effort 3–10 years.
3 (critical)	Some with serious injuries and/or grave diseases	Economic loss 1–12 million EUR	Significant release.	National media attention. Public inquiry. Moderate impact on organization.
			Reparative effort 1–3 years.
2 (dangerous)	Few with minor injuries and/or diseases	Economic loss 10,000–1 million EUR	Small release.	Possible local media attention. Possible public inquiry. Low impact on organization.
			Detectable damage with reparative effort <1 year.
1 (not dangerous)	Minimal or no harm to persons	Economic loss <10,000 EUR	Minor release.	Just organizational attention. Just limited impact on organization.
			No detectable damage.

Table 4.

Example of a Five-Level Risk Probability Scale Used for Risk Assessment

Value (label)	Description
5 (very high probability)	>1 event per year
4 (high probability)	>1 event per 10 years
3 (probable)	>1 event per 50 years
2 (low probability)	>1 event per 100 years
1 (very low probability)	<1 event per 100 years

Identified risks, with corresponding estimated impact and probability, are then estimated as shown in Table 5. A risk matrix can then be created as shown in Table 6. Such an analysis requires involvement of individuals with sufficiently detailed knowledge of the various risk factors evaluated. It is common to predefine levels of risk acceptance (see Prioritize risks section) before the detailed risk assessment is undertaken.

Table 5.

Estimation of Probability and Impact for Seven (Out of Many) Identified Risks for a Biobank

Event	Probability	Impact
		Health and safety of human beings	Monetary values/economic issues	Environmental impact	Organizational reputation
1: Temperature too high in freezer	5 (very high)	1 (not dangerous)	3 (critical)	1 (not dangerous)	3 (critical)
2: No access to freezer	2 (low)	1 (not dangerous)	1 (not dangerous)	1 (not dangerous)	1 (not dangerous)
3: No alarm signals	4 (high)	1 (not dangerous)	3 (critical)	1 (not dangerous)	3 (critical)
4: Flooding	3 (probable)	1 (not dangerous)	3 (critical)	1 (not dangerous)	1 (not dangerous)
5: Failure of cooling machinery	5 (very high)	1 (not dangerous)	3 (critical)	1 (not dangerous)	1 (not dangerous)
6: Interrupted power supply	1 (very low)	1 (not dangerous)	4 (very critical)	1 (not dangerous)	1 (not dangerous)
7: Fire	1 (very low)	4 (very critical)	4 (very critical)	1 (not dangerous)	2 (dangerous)

Values for probability range from 1 (very low) to 5 (very high) (see Table 4 for details). Values for impact range from 1 (not dangerous) to 5 (catastrophic) (see Table 3 for details).

Table 6.

Calculation of Risk for Seven (Out of Many) Identified Risks for a Biobank (See Table 5 for Further Descriptive Details on Events)

Values for probability range from 1 (very low) to 5 (very high) (see Table 4 for details). Values for impact range from 1 (not dangerous) to 5 (catastrophic) (see Table 3 for details). Using color codes for four predefined risk categories (Table 1), risk levels can be visualized: Risk category (calculated risk values)—very high (15, 16, 20, 25; red); high (8, 9, 10, 12; yellow); intermediate (4, 5, 6; orange); and low (1, 2, 3; green).

Prioritize risks

After assessing risks, one must prioritize which one(s) to address by assessing the risk tolerance of the biobank. This is the risk level the biobank is prepared to tolerate, which in practice is a balance between the importance of the risk and the cost (in finance, time, or impact) of limiting the risk. Risk deemed to be of high probability/high impact must be addressed first. Whether to address further risks in other categories will in most instances depend on resources available. We do recommend, however, that the crisis management team establishes a risk register²⁹ containing a log showing how the crisis management team decided to respond to the individual risks identified. Such a register should also include a note on which organizational unit has “ownership” of a particular risk. The risk register should be a “living” document and undergo regular review to ensure that it is fit for purpose.

Risk responses

There are six ways to respond after having identified and assessed risks (Fig. 4)²⁹:

FIG. 4.

Risk management process for the precrisis phase.

• Risk acceptance: Accept the risk because there is no countering strategy available, or when the risk is considered to be of little significance or its chances of happening are considered remote (e.g., accept the risk of a meteorite impacting the biobank) or the cost of using other risk responses would outweigh the benefits gained.

• Risk avoidance: Choose a course of action in which the risk is not encountered or prevent it from having impact (e.g., not use water as an extinguishing agent in order not to damage electrical equipment).

• Risk reduction: Reduce the likelihood of the risk happening and/or limit the impact (e.g., do not place mechanical freezers in a basement if there is a historical record of frequent floods in that area).

• Develop base plans: The term “base plan”³⁴ is used here to describe plans developed to handle specific incidents (e.g., how to handle a fire) to lessen its impact after the incident has occurred.

• Risk transference: Transfer the responsibility for the risk to a third party (e.g., use a commercial handling agency for transport of samples to and from the biobank). With respect to the risk transference option, other stakeholders may have a different view on this to the biobank itself. In cases where a third party formally agrees to provide a particular service (such as transport or insurance), other parties may still feel that the biobank in question would be wholly or partly to blame if something negative were to occur. Such adverse perception may then have a detrimental affect even if the biobank bears no formal responsibility for the incident in question.

• Contingency provision: Providing resources for handling risks materializing (e.g., establishing a flexible, general contingency plan). This option is discussed further in the Establish a contingency plan section below.

After deciding on a main type of response to a prioritized risk, the organization must resolve whether to develop specific base plans and/or a more generic plan for risk handling (see Establish a contingency plan section).

Webb has pointed out that a sound organizational structure and culture for risk and crisis management is a prerequisite for such a risk management process to work as intended.²⁹ Lack of lines of communication, lack of formal authority granted to the crisis management team, personal inabilities of the crisis management team members to make clear-cut decisions, and cultural emphasis on punishment for “wrong” decision-making instead of encouragement and support for making decisions are among factors that can impede a good risk management process.

Independent of the type of response(s) chosen, the overall organizational risk situation must continuously be monitored. This can be done by the crisis management team itself or/and by requesting reports from the units having “ownership” of prioritized risks.²⁹

There are some general guiding principles relevant for any organization establishing a system for monitoring risks³⁵:

• Employees should be encouraged to report possible risks. It is important to avoid an organizational culture where such actions are frowned upon.

• There should be a well-known organizational structure for responding to reported risk signals, both from organizational members and from outsiders. All reported issues should be logged, and this log should be reviewed regularly by the crisis management team. It is important to provide timely feedback to persons having reported risk-related issues, and we recommend feedback (provisional or final) within 1 week.

• The individuals evaluating risk signals should have sufficient knowledge and authority to evaluate, and to act if deemed necessary.

Establish a contingency plan

A “contingency plan” can be defined as a second level of plan, a description of how to respond to threats associated with a base plan, incorporating reactive responses to uncertainty identified by proactive risk management planning.³⁴ In this review, we use the term to describe “an organization's written documentation on how to handle risks potentially causing a crisis.” Such a definition covers the “handling” part of the three elements of a crisis management plan (prepare for, handle, and learn from).

Definition Box 5: Contingency Plan

A contingency plan is an organization's written documentation on how to handle risks potentially causing a crisis.

To be effective, a contingency plan must be communicated to all relevant personnel and should include information on the following:

• Who the crisis management team members are and how to get in touch with them. This also requires a plan for how to cope with a situation where ordinary lines of communication (telephone, e-mail, etc.) are not working. Alternative members of the crisis management team should also be appointed to ensure that someone can be reached on short notice if core members are unreachable.

• A clear statement that members of the crisis management team have been granted the power to act in a crisis.

• Specific base plans developed for handling preidentified risks.

• A generic plan for handling (i) risks associated with base plans, but not entirely covered by these, (ii) risks where no base plans have been developed, and (iii) nonidentified risks.

• A plan for how to communicate openly and quickly with relevant stakeholders.

• A plan for how to test the contingency plan regularly.

Every biobank should have a contingency plan. How detailed this should be will depend on the biobank in question. Aiming too high may discourage an organization from developing a plan, and a very detailed plan may also be too rigid to be applicable when the actual crisis happens.³⁶ In general terms, there should be base plans for obvious high-risk scenarios, and a generic plan for other identified and nonidentified risks.

Testing elements of the contingency plan can be considered to include two somewhat different elements: (i) testing specific base plans for preidentified risks (such as fire) and (ii) testing the generic components of the contingency plan. A biobank must, as any other organization, undertake regular fire drills. Such drills address base plans, but usually do not involve crisis management team members. However, a real test of the contingency plan and the crisis management team could be an unexpected fire drill in combination with a simultaneously false warning of a complete power failure in the biobank.

Another way of testing the contingency plan is scenario methodology. Crisis management team members (and others) walk through an emergency scenario trying to cover basic questions such as “what, where, when, and who.”³⁷ Such a scenario is shown below.

Example Box 2: Scenario Methodology Testing

Your biobank is to receive very rare human biological samples from individuals in another country. The transport of this material, from source organization to the biobank, is out-sourced to a commercial company. Air transport is chosen, and the samples are kept on dry ice. Flying over central Europe, the flight is disrupted by an unexpected volcanic eruption, and the plane is forced to land at a small airport with no source of dry ice. Furthermore, the crew is forbidden to take the biological material off the plane. What to do???

A volcanic eruption was not even considered a possible risk affecting the biobank (Fig. 3). Furthermore, the biobank is not formally responsible for the transport. However, the team members believe that destroyed samples will cause negative press reports and thereby possible detrimental future relationship with both donors and the collaborating biobank.

Reviewing the risk management process, the team decides that the triggering event (volcanic eruption) is so unlikely that it cannot be prioritized in the planning process. The team finds that both out-sourcing transport and using dry ice for keeping the samples frozen is valid. Bringing extra dry ice onboard the plane is possible, but this will only temporarily solve the situation. Assuming that one cannot “force” officials in another country to accept that the samples should be temporarily removed from the plane, the team has to accept that the samples must remain onboard for an unknown amount of time. However, a possible solution is suggested in the brain storming session, what if small mechanical cooling units are brought along? If a power line is stretched to the plane, one might cool such units down to −20°C before the dry ice in the transport boxes has sublimated. The team accordingly decides to raise this issue with some commercial transport companies to see whether this solution can be used. If yes, this will be a generic solution covering a number of other situations where a flight might be delayed or diverted.

The Crisis Phase

The crisis phase is preceded by a stage where crisis warnings are missed (failure to perceive and/or to act upon) until a triggering event makes the organization realize that it is seriously threatened.³⁵ This recognition is the start of the crisis phase. Crisis containment is the second stage, while return to (almost) normal daily operation is the third and last stage of the crisis phase.

Not all organizational members may perceive a given event as a crisis triggering one. The level of perceived seriousness is determined by three factors: (i) perceived values of possible loss, (ii) the probability of loss, and (iii) time pressure.³⁸ The initial human psychological response to a crisis is often denial. This natural response, combined with a situation with limited and/or confusing information, can seriously hamper an individual's ability to make the right decisions sufficiently quickly. On an organizational level, there is also a tendency that top management tries to avoid responsibility for the crisis and thereby to reduce the potential legal damage to the organization.³⁸ The combination of individual and organizational factors means that initial responses may be delayed, are not decisive enough, and that communication to external parties is understated and vague. Retrospective surveys of various crises suggest that such inadequate initial responses may actually be the ones causing a crisis-triggering event to expand into a major catastrophe.³⁸

Given the wide variety of crises, only general principles for how a crisis should be handled in the crisis containment stage can be given:

• Members of the crisis management team must take command, act quickly and decisively, and be on the scene

Taking command does not mean that members of the crisis team should personally control or interfere with action taken by other individuals. If base plans are already enacted, there is no reason for the crisis team to become involved. The team should prioritize, coordinate, and initiate if needed. All such decisions must be made as quickly as possible and without ambiguity. The balance between “dangerous action, which produces understanding, and safe inaction, which produces confusion,” will, however, always be difficult.³⁹ Being on the scene may not be necessary from an operational point of view. However, the psychological effect of those in charge being present at the scene is important.

• Contain and limit the damage if possible, but always put human life first

The number one priority is always to save human life. In extreme cases, the life and health of a limited number of people may be put at risk to save others, but with respect to biobanks, the well-being of living humans is more important than trying to save samples.

• Communicate quickly and openly to both internal and external stakeholders

Even though there are many alternative strategies for communicating a message, ranging from apportioning blame to taking full responsibility,⁴⁰ Seeger et al. recommend that organizations should communicate openly about what has happened and provide stakeholders with relevant information. Using phrases such as “based on what we currently know” can help prevent the organization compromising itself and still provide stakeholders with necessary information while conveying a positive image of organizational honesty and transparency.³⁸ Communication to stakeholders should contain information on what has happened, whether it poses health risks to anyone, what has been or will be done to correct the situation, and when return to normal operation is expected.

• Declare the end of the crisis

From both a symbolic and operational point of view, it is important that the crisis team formally declares that the crisis is over when daily operation is (more or less) back to normal. Such a decision is partly subjective and must be based on local knowledge. Following a fire in a biobank storage facility in Norway, the crisis was considered over when facilities management had decided that necessary precautions had been taken to ensure adequate health and safety issues in the facility. End users could enter the premises ∼20 hours after the fire department had left.¹

• Gather facts and document actions

To inform the postcrisis phase (see Postcrisis Phase section), the crisis team should try to gather facts and document actions throughout the crisis as comprehensively as possible. The aim of this is to enhance later organizational learning, not to assign blame.

As discussed before, crises are unpredictable in nature. The purpose of predefined crisis plans is to cope better with unfolding events, not to follow the plan blindly. If the situation dictates, members of the crisis team must have the knowledge and power to deviate from the plan to improve the outcome.

Postcrisis Phase

There are three chronological stages in the postcrisis phase: (i) salvaging legitimacy, (ii) learning, and (iii) healing. However, organizational processes may simultaneously be in two or more of these stages.⁴¹

• Salvaging legitimacy: Salvaging legitimacy requires the organization to seek out the opinions of key stakeholders and assure them that the organization can and will function within or exceed the norms of society.⁴¹ In some instances, this means that an organization must modify some of its goals, objectives, or operational procedures.

• Learning: The learning process tends to start with a retrospective sensemaking process. This (biased) hindsight process usually materializes into an after-action report.^1,42 In general, this report contains information on what happened, why it happened, if there were deviations from established procedures, and recommendations for change. Reshaping the organizational structure is far more difficult than looking backward, but is essential for moving forward. On the contrary, no changes should be made just for the sake of appearance. Organizational members must believe that changes will improve the issue in question. The learning process should also include a review of how other organizations have handled, badly or successfully, similar crises.

• Healing: Postcrisis healing is described as a multifaceted process that allows the organization and its stakeholders to reconstitute themselves and move past the crisis.⁴¹ Initially, individuals seek explanations and meaning to what has happened. Negative feelings are then gradually replaced with positive emotions, particularly for events or processes in which the individual is participating actively. Shunning or trying to forget the crisis is not advisable. Organizations should reframe the crisis so that their recollection creates a positive frame of reference. Ceremonies commemorating bravery and resourcefulness can be important tools for this.⁴¹

In some instances, an immediate process of almost complete organizational renewal engaging most or all organizational members and key stakeholders can significantly reduce the backward looking processes described. Seeger et al. cite examples of destructive factory fires where organizational leaders immediately afterward committed to rebuild and to provide financial support for the employees. All energy was focused on what to achieve collectively, and stakeholders accordingly responded in a similar manner.

Cost Considerations

Many countries require a formal risk assessment of work-related risks. Likewise, many organizations also require a formal risk assessment (of all risks) to be undertaken as part of ordinary project planning when the issue is considered complex and/or costly. In our experience, costs for such assessments are mainly related to man-hours used, and an estimate of this should be included in the project cost estimate.

What is far more difficult is to weigh the economic benefit of introducing risk reducing elements against increased project cost. In the planning phase of a biobank storage facility for 28 mechanical freezers in Norway, a gas extinguishing system was chosen despite the increased construction cost because it was considered that other extinguishing systems could cause too much damage to the mechanical freezers (economic loss) and thereby also cause loss of biological material (economic loss).¹ How this economic balance act is managed must be decided by each individual biobank. Independent of choices made, a written protocol should document this process.

Concluding Remarks

What constitutes a crisis can be subjective; one person's crisis is another's mild inconvenience. However you define a crisis, events do not have to be of catastrophic enormity to adversely affect the daily operation of a biobank. Whatever scale of magnitude is attributed to an event, being prepared and knowing how to effectively manage the situation should be common to all. The level of preparedness will directly impact on the ability of the biobank, its staff, and stakeholders to manage and recover from the crisis. However, the single act of drafting a crisis management plan does not, in itself, provide protection against identified (or unidentified) risks materializing and complacency should be guarded against. The process is an iterative one and all documents, plans, and scenario simulations should be regularly reviewed, tested, and updated to ensure that small, apparently negligible, changes are not allowed to become the norm and multiply until crisis point is reached. Horizon scanning to identify new potential risks should be part of the biobank's regular review process and continuity management plan.

The plan presented in this review is flexible, scalable, and achievable even with limited financial input. A biobank is a precious resource that is vital for research and every effort should be made to ensure the continuing safety and utility of the samples and data it contains. All biobanks, whether large or small, must devote thought, time, and effort to risk identification and crisis management and make this part of the daily, operational management of the resource.

Footnotes

Acknowledgments

The Wales Cancer Bank is funded by the Welsh Government and Cancer Research Wales and is hosted by Cardiff University.

Recommended Literature

1. Seeger MW, Sellnow TL, Ulmer RR. Communication and Organizational Crisis. Westport, CT. Praeger; 2003.

2. Webb A. The Project Manager's Guide to Handling Risk. Aldershot, England: Gower; 2003.

Relevant Standards

1. International Standard. Risk Management—Principles and Guidelines (ISO 31000:2009). Geneva, Switzerland: International Organization for Standardization (ISO); 2009.

Author Disclosure Statement

A.P.-.J, J.H, and R.B. declare no conflicting financial interests. D.S.-D. owns the company “Medservice” and provides consulting services for biobanks.

References

Bjugn

, Hansen

. Learning by erring: Fire! Biopreserv Biobank. 2013; 11:202–205.

Mintzer

, Kronenthal

, Kelly

, et al. Preparedness for a natural disaster: How Coriell planned for hurricane Sandy. Biopreserv Biobank, 2013; 11:216–220.

Roswall

, Halkjær

, Overvad

, et al. Measures taken to restore the Danish Diet, Cancer and Health Biobank after flooding: A framework for future biobank restorations. Biopreserv Biobank, 2013; 11:206–210.

Morrin

, Robinson

. Sustaining a biobank through a series of earthquake swarms: Lessons learned from our New Zealand experience. Biopreserv Biobank, 2013; 11:211–215.

Cunningham

, O'Doherty

, Senecal

, et al. Public concerns regarding the storage and secondary uses of residual newborn bloodspots: An analysis of print media, legal cases, and public engagement activities. J Community Genet, 2015; 6:117–128.

International Society for Biological and Environmental Repositories. Best practices for repositories: Collection, storage, retrieval, and distribution of biological materials for research, 3rd ed. Biopreserv Biobank, 2012; 10:79–161.

Organisation for Economic Co-Operation and Development.. OECD Best practice guidelines for biological resource centres. Paris; 2007. Available at: www.oecd.org/sti/biotech/38777417.pdf Accessed August 26, 2016.

National Cancer Institute.. NCI Best practices for biospecimen resources. Bethesda, MD; 2016. Available at: http://biospecimens.cancer.gov/bestpractices/2016-NCIBestPractices.pdf Accessed August 26, 2016.

NCRI Confederation of Cancer Biobanks.. Biobank quality standard: collecting, storing and providing human biological material and data for research. London; 2014. Available at: http://ccb.ncri.org.uk/wp-content/uploads/2014/03/Biobank-quality-standard-Version-1.pdf Accessed August 26, 2016.

10.

Hermann

. Some consequences of crisis which limit the viability of organizations. Admin Sci Quart, 1963; 8:61–82.

11.

Seeger

, Sellnow

, Ulmer

. The nature of organizational crisis. In: Communication and Organizational Crisis. Westport, CT: Praeger; 2003:3–20.

12.

Lerbinger

. Understanding crisis. In: The Crisis Manager: Facing Disasters, Conflicts, and Failures, 2nd ed. New York, NY: Routledge; 2012:5–23.

13.

Webb

. Appendix I: Terms used in the discussion and description of risk analysis and management. In: The Project Manager's Guide to Handling Risk. Aldershot, England: Gower; 2003:163–168.

14.

Webb

. Understanding the nature of risk. In: The Project Manager's Guide to Handling Risk. Aldershot, England: Gower; 2003:17–26.

15.

Corvellec

. Organizational risk as it derives from what managers value: A practice-based approach to risk assessment. J Conting Crisis Manag, 2010; 18:145–154.

16.

Seeger

, Sellnow

, Ulmer

. Theories of organizational crisis. In: Communication and Organizational Crisis. Westport, CT: Praeger; 2003:21–43.

17.

Pearson

, Clair

. Reframing crisis management. Acad Manage Rev, 1998; 23:59–76.

18.

Hough

, Spillan

. Crisis planning: Increasing effectiveness, decreasing discomfort. J Bus Econ Res, 2005; 3:19–24.

19.

Lerbinger

. Risk management: preparing for the worst. In: The Crisis Manager: Facing Disasters, Conflicts, and Failures,, 2nd ed. New York, NY: Routledge; 2012:25–44.

20.

Seeger

, Sellnow

, Ulmer

. Crisis development. In: Communication and Organizational Crisis. Westport, CT: Praeger; 2003:85–103.

21.

Veil

. Mindful learning in crisis management. J Bus Commun, 2011; 48:116–147.

22.

Luecke

(writer). Crisis recognition: where there's smoke, there's fire. In: Crisis Management: Master the Skills to Prevent Disasters. Boston, MA: Harvard Business Press; 2004:53–64.

23.

Daft

. Decision-making process. In: Organization Theory and Design,, 10th ed. Mason, OH: South-Western; 2008:450–489.

24.

King

. Crisis management & team effectiveness: A closer examination. J Bus Ethics, 2002; 41:235–249.

25.

Fink

. Crisis management plans. In: Crisis Management: Planning for the Inevitable. Lincoln, NE: Backinprint.com; 2002:54–66.

26.

Mitroff

, Pearson

, Harrington

. The systematic nature of CM: More extensive training and preparation for CM. In: The Essential Guide to Managing Corporate Crisis: A Step-by-Step Handbook for Surviving Major Catastrophes. Oxford: Oxford University Press; 1996:99–118.

27.

Seeger

, Sellnow

, Ulmer

. Crisis teams and decision making. In: Communication and Organizational Crisis. Westport, CT: Praeger; 2003:185–199.

28.

Seeger

, Sellnow

, Ulmer

. Crisis type. In: Communication and Organizational Crisis. Westport, CT: Praeger; 2003:45–64.

29.

Webb

. The risk management process. In: The Project Manager's Guide to Handling Risk. Aldershot, England: Gower; 2003:89–102.

30.

Below

, Wirth

, Guha-Sapir

. Working paper: Disaster category classification and peril terminology for operational purposes. Louvain. Catholic University of Louvain; 2009. Available at: www.emdat.be/node/2091 Accessed August 26, 2016.

31.

Bjugn

, Casati

. Stakeholder analysis: A useful tool for biobank planning. Biopreserv Biobank, 2012; 10:239–244.

32.

Ulmer

. Effective crisis management through established stakeholder relationships: Malden Mills as a case study. Manage Commun Q, 2001; 14:590–615.

33.

Webb

. Managing with risk analysis methods. In: The Project Manager's Guide to Handling Risk. Aldershot, England: Gower; 2003:124–139.

34.

Chapman

, Ward

. Uncertainty, risk, and their management. In: Project Risk Management,, 2nd ed. Chichester, England: John Wiley & Sons; 2003:3–15.

35.

Seeger

, Sellnow

, Ulmer

. Communication and the precrisis stage. In: Communication and Organizational Crisis. Westport, CT: Praeger; 2003:105–123.

36.

Seeger

, Sellnow

, Ulmer

. Crisis planning. In: Communication and Organizational Crisis. Newport, CT: Praeger; 2003:163–184.

37.

Alexander

. Scenario methodology for teaching principles of emergency management. Disaster Prev Manage, 2000; 9:89–97.

38.

Seeger

, Sellnow

, Ulmer

. Communication and the crisis stage. In: Communication and Organizational Crisis. Westport, CT: Praeger; 2003:125–139.

39.

Weick

. Enacted sensemaking in crisis situations. J Manage Stud, 1988; 25:305–317.

40.

Coombs

, Holladay

. Helping crisis managers protect reputational assets: Initial tests of the situational crisis communication theory. Manage Commun Q, 2002; 16:165–186.

41.

Seeger

, Sellnow

, Ulmer

. Communication and the postcrisis stage. In: Communication and Organizational Crisis. Westport, CT: Praeger; 2003:141–160.

42.

Savoia

, Agboola

, Biddinger

. Use of after action reports (AARs) to promote organizational and systems learning in emergency preparedness. Int J Environ Res Public Health Aug, 2012; 9:2949–2963.