An ongoing concern
A different approach to crisis management
Cyber attacks, natural disasters, social and political unrest, financial crimes—in today’s business environment, an organizational crisis can take countless forms. And with the public spotlight shining brighter than ever, it’s never been more critical for organizations to hone their crisis management capabilities.
Despite this, many companies continue to assume they’re prepared to face crises—without taking any steps to confirm the accuracy of their assumptions. In a recent Deloitte study, 90 percent of respondents said they were prepared to handle a corporate scandal, while only 17 percent had tested the assumption through a simulation exercise. In a similar vein, 70 percent were confident in their ability to handle a product recall, but only 22 percent had actually taken steps to prove their confidence was warranted.
These responses show that, despite crises being almost inevitable, most organizations continue to cross their fingers and hope for the best rather than take a proactive approach to crisis management. Hoping for the best is not a strategy.
To equip your organization to expect the unexpected, approach crisis management along a lifecycle—as a continuous process of preparation, response, and recovery. The ultimate goal shouldn’t be to avoid crises but rather to prepare as much as possible, minimize the damage when one occurs, recover swiftly, and apply all lessons learned to the next cycle. Fortunately, there are specific steps you can take to foster this level of organizational resiliency, and avoid falling victim to unwarranted overconfidence.
Create a living, breathing crisis management plan
A successful crisis management framework starts with a strategic risk assessment and a robust plan that outlines pertinent risks and establishes a clear road-map for response. But it doesn’t end there. For such a plan to truly be effective, it needs to evolve in line with your organization.
This means companies should conduct reviews on a frequent basis, looking at the potential impacts of things like new markets, shifting stakeholder demands, and other changes in the business. By revising your crisis management plan regularly—and making small, incremental changes as needed—you can make sure your crisis management procedures, training requirements, and subject matter expert involvement are where they need to be when disaster strikes.
Because businesses evolve at different paces, there’s no optimal level of frequency for conducting these reviews. A manufacturing company, for instance, will likely have to look at its crisis management plan less frequently than a financial institution. That said, certain events may trigger the need for a review. For example, if your risk function identifies new risks that may affect the business or if IT sees a new cybersecurity threat on the horizon, this probably suggests it’s time to update your crisis management plan.
Get your people ready in advance
Crises happen fast—and when they do, every member of your organization has a role to play.
That’s why it’s essential to develop a solid response plan that key people across your organization are familiar with.
Such a plan should outline step-by-step actions for your people to follow in a crisis situation—starting with how to identify a crisis scenario. Too often crises start out under the radar, like slow-burning embers that go ignored before ‘suddenly’ catching everything ablaze. By defining the triggers and helping your employees and management team identify a crisis situation in progress (or better yet, snuffing out an issue before it becomes an incident), you’ll be able to assess whether it’s time to launch crisis management procedures or whether it’s just business as usual.
Training shouldn’t stop with senior management. To bring the crisis response skills of all staff up to snuff and empower them to fulfill their roles should they need to, the old adage rings true: practice makes perfect. Simulations are one of the most effective ways to minimize crisis-induced jitters and give every member of your team a clear understanding of how to behave throughout a crisis event.
Turn weakness into strength
When crisis does strike, a successful response and recovery hinges on many things, but knowing your organization’s level of crisis management maturity is, in many ways, on top of the list. Businesses are too often unaware of their internal deficiencies, making it difficult to know whether they require outside support—such as external cybersecurity specialists, forensic IT professionals, data recovery specialists, or crisis communication professionals—during or following an attack.
For this reason, it’s important to honestly evaluate your organization’s level of crisis management maturity before a crisis hits. Companies with low maturity, for instance, typically have no organized plan to drive their actions in the event of a crisis—either because they don’t believe they’ll ever face a crisis or because past crises weren’t that severe. Those with medium maturity tend to have some procedures and actions in place (e.g., engaging a PR agency to help respond to media in a crisis), but don’t typically have documented procedures to guide their direction.
An assessment of your crisis management maturity before any trouble hits will not only make it easier to navigate a crisis as it’s occurring, but it will also help guide your post-crisis assessment and allow you to identify areas for improvement.
By approaching crisis management as a continuous cycle rather than a one-and-done event, it becomes normalized, part of a business’s day-to-day activities. The act of discussing possible worst-case scenarios matter-of-factly—without an associated element of fear—enables organizations to see the opportunities in crises and identify ways to become a stronger, more resilient company.
In future posts in this series, we’ll delve deeper into the various elements of a successful crisis management strategy. We’ll start with how to devise an effective simulation program.