8.6 Privacy, Business Continuity, and Crisis Response

People Risk Is Central To Enterprise Resilience

The workplace domain includes risks that can disrupt both employees and business operations. Employee privacy, business continuity, and crisis response require HR to coordinate with legal, information security, operations, communications, finance, facilities, safety, and executive leaders. In SHRM-SCP scenarios, the best answer recognizes people impacts early and builds disciplined response systems.

Employee data is sensitive because it may include identity information, pay, benefits, health, performance, location, complaints, investigations, demographics, biometrics, or family information. HR should know why data is collected, who can access it, how long it is retained, where it is stored, and when it may be shared. More data does not always mean better decisions if governance is weak.

Privacy And Resilience Risk Map

Business continuity planning asks how the organization will keep critical operations running during disruption. Events may include severe weather, public health emergencies, cyber incidents, facility outages, labor disruptions, supply chain failures, travel crises, leadership loss, or violence. HR should identify critical roles, succession coverage, remote-work feasibility, pay and leave implications, employee contact methods, safety obligations, and wellbeing support.

Crisis Response Sequence

1. Confirm facts and assess immediate threat to people.
2. Activate the appropriate response team and escalation protocol.
3. Communicate accurate, necessary information to affected audiences.
4. Support employees, managers, and families as appropriate.
5. Maintain critical operations through continuity plans.
6. Document decisions and conduct an after-action review.

A common exam trap is overcommunicating sensitive details or waiting for perfect information while employees face risk. Crisis communication should be timely, accurate, and limited to what stakeholders need. HR should protect privacy, avoid speculation, and coordinate with communications and legal leaders. Silence can create rumors, but careless disclosure can create harm.

Privacy and crisis response often intersect. During a health, safety, or security event, leaders may want broad access to employee information. HR should help determine what information is necessary, who needs it, and what safeguards apply. The goal is to support response without normalizing unnecessary disclosure.

After a disruption, senior HR should lead learning. The organization should evaluate response speed, communication quality, staffing coverage, employee support, policy gaps, technology access, vendor dependencies, and leadership decisions. The strongest SCP answer closes the loop: prepare, respond, recover, and improve the resilience system before the next event.