Stronger, fitter, better Crisis management for the resilient enterprise
- Crises are on the rise. Are organizations prepared?
- Experiencing a crisis teaches organizations to avoid them
- Leaders need more development for crisis management
- Confidence outstrips preparedness
- Being at the ready significantly reduces crisis impact
- Third parties are part of the problem—and the solution
- Stronger, fitter, better
Despite the perception that crises are becoming more frequent, a 2018 Deloitte study finds that organizations’ confidence exceeds crisis preparedness.
Crises are on the rise. Are organizations prepared?
Employees, investors, and other stakeholders are keenly aware of the increasing threat of a crisis—everything from weather-related events to global cyberattacks. They have good reason to be concerned. Nearly 60 percent of the respondents to our survey of more than 500 crisis management executives believe that organizations face more crises today than they did 10 years ago. Further, at least some respondents feel that the magnitude, as well as the number of crises, is growing. “Crises are becoming more intense as the world becomes more dynamic,” says one respondent. “Any event can turn a simple situation into a massive one.”
Putting a finer point on the level of threat, 80 percent of organizations worldwide have had to mobilize their crisis management teams at least once in the past two years, with cyber and safety incidents topping the list of crises requiring management intervention (figure 1). And crises aren’t always “big bangs” or immediately visible. For example, many cases of financial fraud and other forms of corruption may simmer under the radar for some time before boiling over.
Asia-Pacific, Middle East, and Africa report more crises in the past two years
The chances of mounting crises are not spread evenly around the world. Organizations based in the Asia-Pacific region (APAC) and in the Middle East and Africa (MEA) are more likely than organizations in other regions to have experienced more than one type of crisis in the past two years. In the Middle East and Africa, nearly half have had to deal with three or more types.
Crises can have devastating effects on a company’s financial performance, employee morale, sales, and reputation. For example, of the companies reporting damage to reputation, nearly three in five (57 percent) experienced a leap in customer complaints. Complaining customers often express their ire on social media and defect to competitors. As one respondent puts it: “The environment of crisis has changed. What was once just an accident is now a crisis thanks to the use of social media.”
To keep the confidence of all stakeholders, management must be able to mitigate the risks of major crises and steer organizations effectively through them. And indeed, perhaps spurred by the rising frequency of crises, organizations are taking action. For example, the vast majority of survey respondents say their organizations have crisis management plans in place. However, our findings also suggest that much more needs to be done if companies are going to avoid the financial and reputation damage that a major crisis can inflict.
Our analysis of the survey responses revealed five central insights:
- Experiencing a crisis teaches organizations to avoid them. Undergoing a crisis galvanizes organizations to prioritize detecting and preventing crises in addition to managing them.
- Leaders need more development for crisis management. Helping leaders display their full range of competencies under the extreme pressures of a crisis can support effective decision-making and communication when they are most needed.
- Confidence outstrips preparedness. A company’s confidence in its crisis management capabilities is not always commensurate with its level of preparedness.
- Being at the ready significantly reduces the negative impact of a crisis. This is especially true if senior management and board members have been involved in creating a crisis plan and participate in crisis simulations.
- Third parties are part of the problem—and the solution. A number of companies are including partners and other outside organizations in crisis planning.
About the research
This report builds on the findings of our 2015 study A crisis of confidence, which surveyed more than 300 board members about crisis management and preparedness. For the current study, a quantitative survey was conducted via telephone by ComRes on behalf of Deloitte Touche Tohmatsu Limited. Fieldwork occurred between November 2017 and January 2018. All participants were crisis management, business continuity, and risk senior executives who were:
- In senior management positions, but below board level
- Working for large corporations in the private sector with an annual global revenue of at least US$5 billion for companies based in the United States, and at least US$1 billion for all other countries
The survey reached 523 crisis management, business continuity, and risk senior executives across 20 countries in five global regions: North America (109 respondents), Latin America (114), Europe (106), Middle East/Africa (69), and Asia-Pacific (125).
Experiencing a crisis teaches organizations to avoid them
What we found: Crises drive organizations to focus on steering clear of them
Nearly 90 percent of organizations have conducted reviews, mostly internally, following a crisis. The major insight from these examinations is that, although recent crises were not always foreseen, they might have been averted. This appears to prompt organizations to take action to forestall future crises: Respondents identified the need to improve detection and early warning signals, invest more effort in prevention, and do more to identify potential crisis scenarios as the top three lessons learned from their organization’s most recent crisis (figure 2).
What we recommend: Start managing crises before they occur
The ability to prevent a crisis can be fortified by looking at the entire life cycle of a crisis instead of just readiness and response (figure 3). Crisis management shouldn’t start with a crisis. At that point, it may be too late to contain most of the damage.
When most successful, crisis management is a continuum of activities that starts with the assessment of internal and external data that can signal potential change or conflict in the organization’s environment. It is crucial to overcome any biases to ensure that the board and senior management look closely at risks—even those they believe aren’t likely to happen. In fact, if leaders believe that there are certain types of crises they will never encounter, those are probably a good place to start.
Organizations should also pay attention to whistleblowers, supplier complaints, and cybersecurity reports. They should push leaders to examine unchallenged beliefs to determine with confidence that management has sufficient controls in place to prevent a crisis.
When issues arise that could turn into an ugly dilemma, organizations should use many of the same principles and approaches they would in a full-blown crisis. These include:
- Setting up an executive-led issue response or management team;
- Drawing on the necessary internal and external resources to support this team;
- Using scenario and contingency-planning techniques to help mitigate potential outcomes; and
- Developing and, where necessary, engaging in a stakeholder communication program.
Taking such steps early and proactively may help head off a crisis. Should a crisis erupt nonetheless, the organization should thoroughly examine the factors that caused and accelerated the event, and install new operational and governance structures to strengthen the organization’s overall ability to navigate such events.
Leaders need more development for crisis management
What we found: Effective leadership during a crisis is a top challenge
Leading in calm seas is a very different matter than navigating an organization through a crisis. Nearly a quarter (24 percent) of respondents cite the effectiveness of leadership and decision-making as one of the greatest crisis management challenges their organizations face (figure 4).
What we recommend: Help leaders be crisis-ready
When responding to a crisis, strong leadership skills and great situational awareness are critical. These skills include mainstays such as remaining calm under pressure and using an inclusive management style that strengthens the ability to seek counsel from others—one never knows where great insights may come from. Depending on the phase of the crisis, leaders may need to flex their leadership styles to deal effectively with different situations. For example, in the early stages of a crisis when the nature of the situation is often ambiguous, leaders can benefit from not making hasty decisions. Further down the road, when the facts and figures make the situation clearer, leaders will have to switch gears and become more decisive.
To help leaders apply their craft successfully in a crisis, companies should consider the following:1
- Organize leaders ahead of time. The most advanced organizations have created a leadership structure for crisis management, usually in three tiers: tactical, operational, and strategic. It is critical that senior leaders determine beforehand how they want to organize themselves and define their various roles and responsibilities.
- Train leaders in the tools and techniques that can help them through a crisis. Certain tools and techniques can help leaders cut through the noise during a crisis and work decisively and collaboratively through all the stages of the event. For example, tools such as agendas and checklists may sound mundane, but they help leaders to focus on the challenges ahead rather than worrying about whether they have covered the basics. Put simply, such tools help leaders find valuable time and space, guiding them through the necessary process so they can focus on more difficult issues. Techniques needed for effective crisis leadership, such as communicating with stakeholders, should also be practiced and honed (communicating in a crisis is very different from communicating, for instance, a new product launch: The organization and its leaders may well be cast as the villain, requiring outreach efforts to take that into account).
- Identify, improve, and counterbalance for leadership tendencies and styles. In the high-stakes, high-pressure environment of a crisis, leaders will tend to rely heavily on their most natural leadership style—which, if that style is not what the situation calls for, may well stand out and cause trouble. For example, certain strengths, such as being quick to action, may be seen as rash if overdone in a crisis. Conversely, if an executive is prone to taking a long time to make decisions, he or she may not be able to act quickly enough to contain any potential damage. The countermeasure? Leaders should be aware of their “go to” leadership styles and seek to address any weaknesses in them—and, in a crisis, surround themselves with others who have complementary skills.
The barriers to providing more leadership development often center on an intuitive but faulty assumption—namely, that a leader with a strong performance under normal circumstances will probably be effective in managing a crisis as well. This, however, may not be at all true. Keeping this in mind, organizations would be well served to prepare their leaders to effectively steer their organizations through a crisis, no matter how well they lead in the ordinary course of business.
Confidence outstrips preparedness
What we found: Respondents believe they’re ready for a crisis, but most haven’t tested that belief
This year’s study found dramatic gaps between a company’s confidence in its ability to respond to different types of crises and its level of preparedness for those crises, as inferred from the percentage of organizations that have conducted simulation exercises for various crisis situations (figure 5). For example, nearly 90 percent of respondents are confident in their organization’s ability to deal with a corporate scandal. Yet only 17 percent have tested that assumption through a simulation exercise. Similarly, 70 percent of organizations are confident in their ability to manage a product recall, but only 22 percent have proven that to themselves via a simulation.
This gap suggests that companies are setting the maturity bar very low. Indeed, this year’s results echo findings from our 2015 survey of boards of directors, which posited a vulnerability gap between awareness of threats and how prepared organizations were to tackle them. For example, the 2015 report found that 76 percent of board members believed their companies would respond well if a crisis struck tomorrow. Yet only 49 percent said their companies had playbooks of likely scenarios. Even fewer, 32 percent, reported that their companies engaged in crisis simulations.
Most respondents view their organizations as mature in crisis preparedness
This year’s study found that the vast majority of respondents—86 percent—view their organization as fairly or very mature in terms of crisis preparedness. APAC respondents are least likely to see themselves as mature—78 percent. MEA organizations, on the other hand, are notably more confident in their crisis management maturity. Nearly all (96 percent) respondents in this region rate their organization as mature, and more than three-quarters (77 percent) rate their organization as very mature in terms of crisis preparedness.
Organizations feel more confident in confronting some types of risks rather than others. For example, nine in 10 (90 percent) have fairly or very high levels of confidence in their organization’s ability to tackle system failures, with similar numbers confident in their organization’s ability to respond to regulatory and policy changes (89 percent), corporate scandals (88 percent), and cyberattacks (87 percent). The proportion drops precipitously when respondents are asked about product recalls—only 70 percent are confident in their organization’s preparedness for these.
Respondents are also confident in the crisis response capability of many functions in their organization. IT units are most often viewed as prepared—92 percent of respondents believe so. Supply chain functions are at the other end of the spectrum, though 77 percent still see the function as prepared.
The widespread perception of IT organizations as prepared may result from their frequent participation in crisis simulations and exercises. Nearly 70 percent of IT functions have done so in the last two years. “Cyberattacks and system failures are increasing with the development of new technology,” according to one respondent. “Internet safety and constantly increasing threats to information security are crises that will be faced in the future.” Because IT functions are accustomed to mobilizing around many smaller but significant incidents on a regular basis, it may come as no surprise that so many executives view them as prepared for larger-scale crises as well.
What we recommend: Don’t assume, test
Our recommendation on this front is straightforward: Run crisis simulations as part of the organization’s crisis management program. A crisis simulation will quickly reveal an organization’s strengths and where it needs to improve. The simulation should be set in the company’s own market and reflect its internal structure and operations. It should accurately simulate the crisis’s impact on lines of business and functions across the enterprise.
Simulations should be carefully prepared. If they are not, the exercise can turn into a perfunctory event. As well, the simulation needs to test everyone in the organization who would be involved in a real crisis, including those who would be expected to support the crisis management team. Thus, simulations should ideally not be created and run by people who will need to take part in the simulation, but instead be managed by a separate group.
For most types of crises, effective simulations typically last between four to six hours, and much can be learned in that time. However, for complex issues that are likely to play out over many months or even years, allowing a longer time frame for a simulation, such as two days, is often beneficial. This need not mean that senior executives are solidly tied up for the entire period, but it does mean that they need to be alert and ready to respond during that time—just as in a real crisis.
Being at the ready significantly reduces crisis impact
What we found: Having a crisis plan in place significantly reduces crisis impact—especially if leaders are involved
More than four in five (84 percent) respondents say their organizations have a crisis management plan in place, separate from other resiliency efforts such as business continuity and incident management plans. This is true across all regions and industries. Among other benefits, having a plan can reduce financial fallout: While about a third (31 percent) of organizations with a crisis plan report that finances had been negatively impacted by a recent crisis, for organizations without a plan, that proportion jumps to 47 percent.
Both our 2015 report and this year’s study found that board-level support is critical to the success of a crisis management plan. For example, 21 percent of companies with board participation in the crisis management plan say the number of crises has declined over the last decade. Among companies without board involvement, only two percent think so. Additionally, if board members or senior executives are involved in creating an organization’s crisis plan, our survey found that they are far more likely to have also participated in crisis exercises. Businesses whose board members are involved in crisis management readiness are also far more likely to have cross-functional engagement to help manage the situation.
What we recommend: Boards and CXOs need to put skin in the game
Board and senior management participation in crisis exercises is critical, as is their involvement in developing an organization’s crisis plan. To secure their participation, it is important to keep the plan relevant to them so that it addresses the things that “keep them awake at night”; to track crises in the media; and to create case studies outlining the impact on finances and reputation should one hit. In addition, organizations should have a crisis management plan specifically for the board, which may need to play a very different role from management. While management—the organization’s senior executives—must be able to and be seen to lead in good times and bad, there are also circumstances when the board will need to do more than support, but intervene. For example, if the crisis is causing significant damage to reputation, affecting share price, or resulting in regulatory sanctions or litigation, it may be up to the board to plan the company’s continuity and survival. It can be very beneficial, in terms of board preparedness for such situations, to recruit board members with prior crisis management experience.
Third parties are part of the problem—and the solution
What we found: Most organizations involve external parties in crisis preparations
Crises often emanate from the actions of third parties such as suppliers and alliance partners, and the same third parties often play an important role in helping to manage and mitigate crises. Recognizing this, 59 percent of respondents say that they participate in crisis exercises with third parties, examine third parties’ crisis plans, or both. In Europe, the proportion is 80 percent.
The larger an organization’s global footprint, the more likely it is to fold external parties into crisis management exercises. Seventy percent of global organizations (operating on every continent), 65 percent of international entities (operating in two to eight countries), and 55 percent of companies with only a national scope did so. This likely reflects the greater complexity that comes with operating in more locations. “The operations of the company are becoming more complex and involving more dimensions,” says one respondent. “When dealing with third parties, the company will surely encounter more troubles and problems. But I believe we can solve these issues very well.”
What we recommend: Bring in outside organizations and coalesce internal teams
Companies should start by determining which outside organizations need to be in the fold when managing a crisis. These could include advisors such as lawyers, PR firms, or specialist cyber defense organizations as well as crisis advisors—and the company should have identified these parties in advance.
In addition, critical service providers, joint venture partners, resellers, distributors, and any other entity that could trigger a crisis or be affected by it should be involved in crisis preparations. Depending on the scenario, these outside parties should also be included in simulations and exercises where appropriate. They should share their contingency plans (specific to the provision of their service or product to the organization) and provide periodic updates on response readiness. Should external parties hesitate to invest in these activities, companies can point out that their participation will strengthen their relationship with the company and its long-term viability. If the relationship is important enough, these activities can even be stipulated in contracts and agreements.
A full-court press to attack a crisis will also require substantial resources from within the organization and the participation of a wide range of groups and functions across the enterprise, such as communications, HR, IT, customer service, and operations. Plans for responding to a crisis should therefore be comprehensive, multilayered, and integrated across the organization. All need to know what they are expected to do and how they will work together. They need to be ready to move at once in a well-orchestrated fashion, since situations can easily escalate beyond a given plan and team.
To facilitate a coherent response on the part of these internal groups, each should develop well-formed plans to deal with high-risk scenarios identified in the organization’s overall risk management plan. Businesses should also implement a “command and coordination” structure that defines how the various groups will work together. All groups should take part in simulations, and they should actively share knowledge and updates to their individual plans so that everyone is on the same page.
Stronger, fitter, better
The number and sources of crises are not likely to diminish any time soon. Bad actors are hacking computer systems in ever-increasing numbers, and a corporate scandal could strike at any moment. Regulatory challenges also loom on the horizon, and they can emerge quickly when science and public opinion come together to demand change. For example, in a number of countries, the use of plastics in disposable consumer products is currently under regulatory scrutiny, and many businesses may find themselves in a tight spot depending on where the regulations go. At the same time, global expansion exposes organizations to more risks in environments they may not be familiar with. Making matters worse, C-suite tenure is gradually declining, which reduces the level of crisis preparedness skill and experience at the top.
Effective crisis management capabilities matter—and as our study found, most organizations must still overcome several challenges to be ready to navigate a crisis. Many companies still need to secure board and senior leader involvement in crisis management to drive effective leadership and decision-making, and many also need to invest in developing their leaders to handle a crisis. Aligning different functional teams and disciplines to clearly define their roles is another challenge. Weaknesses here can significantly inhibit teamwork when the company may need it most.
The benefits of being proactive and prepared are not small. Though many companies may overestimate their crisis management capabilities, this is not a time for hubris. As one respondent succinctly points out: “The world has become more global, but not more secure. And that trend cannot be reversed.” Following through on our recommendations will help make you stronger, fitter, and better—a more crisis-resilient organization.