Despite the perception that crises are becoming more frequent, a 2018 Deloitte study finds that organizations’ confidence exceeds crisis preparedness.
Employees, investors, and other stakeholders are keenly aware of the increasing threat of a crisis—everything from weather-related events to global cyberattacks. They have good reason to be concerned. Nearly 60 percent of the respondents to our survey of more than 500 crisis management executives believe that organizations face more crises today than they did 10 years ago. Further, at least some respondents feel that the magnitude, as well as the number of crises, is growing. “Crises are becoming more intense as the world becomes more dynamic,” says one respondent. “Any event can turn a simple situation into a massive one.”
Putting a finer point on the level of threat, 80 percent of organizations worldwide have had to mobilize their crisis management teams at least once in the past two years, with cyber and safety incidents topping the list of crises requiring management intervention (figure 1). And crises aren’t always “big bangs” or immediately visible. For example, many cases of financial fraud and other forms of corruption may simmer under the radar for some time before boiling over.
The chances of mounting crises are not spread evenly around the world. Organizations based in the Asia-Pacific region (APAC) and in the Middle East and Africa (MEA) are more likely than organizations in other regions to have experienced more than one type of crisis in the past two years. In the Middle East and Africa, nearly half have had to deal with three or more types.
Crises can have devastating effects on a company’s financial performance, employee morale, sales, and reputation. For example, of the companies reporting damage to reputation, nearly three in five (57 percent) experienced a leap in customer complaints. Complaining customers often express their ire on social media and defect to competitors. As one respondent puts it: “The environment of crisis has changed. What was once just an accident is now a crisis thanks to the use of social media.”
Explore the Behavioral Economics and Management Collection
Subscribe to receive updates on Behavioral economics
In a hurry? Read a brief version from Deloitte Review, issue 24
Create a custom PDF or download Deloitte Review, issue 24
To keep the confidence of all stakeholders, management must be able to mitigate the risks of major crises and steer organizations effectively through them. And indeed, perhaps spurred by the rising frequency of crises, organizations are taking action. For example, the vast majority of survey respondents say their organizations have crisis management plans in place. However, our findings also suggest that much more needs to be done if companies are going to avoid the financial and reputation damage that a major crisis can inflict.
Our analysis of the survey responses revealed five central insights:
Nearly 90 percent of organizations have conducted reviews, mostly internally, following a crisis. The major insight from these examinations is that, although recent crises were not always foreseen, they might have been averted. This appears to prompt organizations to take action to forestall future crises: Respondents identified the need to improve detection and early warning signals, invest more effort in prevention, and do more to identify potential crisis scenarios as the top three lessons learned from their organization’s most recent crisis (figure 2).
The ability to prevent a crisis can be fortified by looking at the entire life cycle of a crisis instead of just readiness and response (figure 3). Crisis management shouldn’t start with a crisis. At that point, it may be too late to contain most of the damage.
When most successful, crisis management is a continuum of activities that starts with the assessment of internal and external data that can signal potential change or conflict in the organization’s environment. It is crucial to overcome any biases to ensure that the board and senior management look closely at risks—even those they believe aren’t likely to happen. In fact, if leaders believe that there are certain types of crises they will never encounter, those are probably a good place to start.
Organizations should also pay attention to whistleblowers, supplier complaints, and cybersecurity reports. They should push leaders to examine unchallenged beliefs to determine with confidence that management has sufficient controls in place to prevent a crisis.
When issues arise that could turn into an ugly dilemma, organizations should use many of the same principles and approaches they would in a full-blown crisis. These include:
Taking such steps early and proactively may help head off a crisis. Should a crisis erupt nonetheless, the organization should thoroughly examine the factors that caused and accelerated the event, and install new operational and governance structures to strengthen the organization’s overall ability to navigate such events.
Leading in calm seas is a very different matter than navigating an organization through a crisis. Nearly a quarter (24 percent) of respondents cite the effectiveness of leadership and decision-making as one of the greatest crisis management challenges their organizations face (figure 4).
When responding to a crisis, strong leadership skills and great situational awareness are critical. These skills include mainstays such as remaining calm under pressure and using an inclusive management style that strengthens the ability to seek counsel from others—one never knows where great insights may come from. Depending on the phase of the crisis, leaders may need to flex their leadership styles to deal effectively with different situations. For example, in the early stages of a crisis when the nature of the situation is often ambiguous, leaders can benefit from not making hasty decisions. Further down the road, when the facts and figures make the situation clearer, leaders will have to switch gears and become more decisive.
To help leaders apply their craft successfully in a crisis, companies should consider the following:1
The barriers to providing more leadership development often center on an intuitive but faulty assumption—namely, that a leader with a strong performance under normal circumstances will probably be effective in managing a crisis as well. This, however, may not be at all true. Keeping this in mind, organizations would be well served to prepare their leaders to effectively steer their organizations through a crisis, no matter how well they lead in the ordinary course of business.
This year’s study found dramatic gaps between a company’s confidence in its ability to respond to different types of crises and its level of preparedness for those crises, as inferred from the percentage of organizations that have conducted simulation exercises for various crisis situations (figure 5). For example, nearly 90 percent of respondents are confident in their organization’s ability to deal with a corporate scandal. Yet only 17 percent have tested that assumption through a simulation exercise. Similarly, 70 percent of organizations are confident in their ability to manage a product recall, but only 22 percent have proven that to themselves via a simulation.
This gap suggests that companies are setting the maturity bar very low. Indeed, this year’s results echo findings from our 2015 survey of boards of directors, which posited a vulnerability gap between awareness of threats and how prepared organizations were to tackle them. For example, the 2015 report found that 76 percent of board members believed their companies would respond well if a crisis struck tomorrow. Yet only 49 percent said their companies had playbooks of likely scenarios. Even fewer, 32 percent, reported that their companies engaged in crisis simulations.
This year’s study found that the vast majority of respondents—86 percent—view their organization as fairly or very mature in terms of crisis preparedness. APAC respondents are least likely to see themselves as mature—78 percent. MEA organizations, on the other hand, are notably more confident in their crisis management maturity. Nearly all (96 percent) respondents in this region rate their organization as mature, and more than three-quarters (77 percent) rate their organization as very mature in terms of crisis preparedness.
Organizations feel more confident in confronting some types of risks rather than others. For example, nine in 10 (90 percent) have fairly or very high levels of confidence in their organization’s ability to tackle system failures, with similar numbers confident in their organization’s ability to respond to regulatory and policy changes (89 percent), corporate scandals (88 percent), and cyberattacks (87 percent). The proportion drops precipitously when respondents are asked about product recalls—only 70 percent are confident in their organization’s preparedness for these.
Respondents are also confident in the crisis response capability of many functions in their organization. IT units are most often viewed as prepared—92 percent of respondents believe so. Supply chain functions are at the other end of the spectrum, though 77 percent still see the function as prepared.
The widespread perception of IT organizations as prepared may result from their frequent participation in crisis simulations and exercises. Nearly 70 percent of IT functions have done so in the last two years. “Cyberattacks and system failures are increasing with the development of new technology,” according to one respondent. “Internet safety and constantly increasing threats to information security are crises that will be faced in the future.” Because IT functions are accustomed to mobilizing around many smaller but significant incidents on a regular basis, it may come as no surprise that so many executives view them as prepared for larger-scale crises as well.
Our recommendation on this front is straightforward: Run crisis simulations as part of the organization’s crisis management program. A crisis simulation will quickly reveal an organization’s strengths and where it needs to improve. The simulation should be set in the company’s own market and reflect its internal structure and operations. It should accurately simulate the crisis’s impact on lines of business and functions across the enterprise.
Simulations should be carefully prepared. If they are not, the exercise can turn into a perfunctory event. As well, the simulation needs to test everyone in the organization who would be involved in a real crisis, including those who would be expected to support the crisis management team. Thus, simulations should ideally not be created and run by people who will need to take part in the simulation, but instead be managed by a separate group.
For most types of crises, effective simulations typically last between four to six hours, and much can be learned in that time. However, for complex issues that are likely to play out over many months or even years, allowing a longer time frame for a simulation, such as two days, is often beneficial. This need not mean that senior executives are solidly tied up for the entire period, but it does mean that they need to be alert and ready to respond during that time—just as in a real crisis.
More than four in five (84 percent) respondents say their organizations have a crisis management plan in place, separate from other resiliency efforts such as business continuity and incident management plans. This is true across all regions and industries. Among other benefits, having a plan can reduce financial fallout: While about a third (31 percent) of organizations with a crisis plan report that finances had been negatively impacted by a recent crisis, for organizations without a plan, that proportion jumps to 47 percent.
Both our 2015 report and this year’s study found that board-level support is critical to the success of a crisis management plan. For example, 21 percent of companies with board participation in the crisis management plan say the number of crises has declined over the last decade. Among companies without board involvement, only two percent think so. Additionally, if board members or senior executives are involved in creating an organization’s crisis plan, our survey found that they are far more likely to have also participated in crisis exercises. Businesses whose board members are involved in crisis management readiness are also far more likely to have cross-functional engagement to help manage the situation.
Board and senior management participation in crisis exercises is critical, as is their involvement in developing an organization’s crisis plan. To secure their participation, it is important to keep the plan relevant to them so that it addresses the things that “keep them awake at night”; to track crises in the media; and to create case studies outlining the impact on finances and reputation should one hit. In addition, organizations should have a crisis management plan specifically for the board, which may need to play a very different role from management. While management—the organization’s senior executives—must be able to and be seen to lead in good times and bad, there are also circumstances when the board will need to do more than support, but intervene. For example, if the crisis is causing significant damage to reputation, affecting share price, or resulting in regulatory sanctions or litigation, it may be up to the board to plan the company’s continuity and survival. It can be very beneficial, in terms of board preparedness for such situations, to recruit board members with prior crisis management experience.
Crises often emanate from the actions of third parties such as suppliers and alliance partners, and the same third parties often play an important role in helping to manage and mitigate crises. Recognizing this, 59 percent of respondents say that they participate in crisis exercises with third parties, examine third parties’ crisis plans, or both. In Europe, the proportion is 80 percent.
The larger an organization’s global footprint, the more likely it is to fold external parties into crisis management exercises. Seventy percent of global organizations (operating on every continent), 65 percent of international entities (operating in two to eight countries), and 55 percent of companies with only a national scope did so. This likely reflects the greater complexity that comes with operating in more locations. “The operations of the company are becoming more complex and involving more dimensions,” says one respondent. “When dealing with third parties, the company will surely encounter more troubles and problems. But I believe we can solve these issues very well.”
Companies should start by determining which outside organizations need to be in the fold when managing a crisis. These could include advisors such as lawyers, PR firms, or specialist cyber defense organizations as well as crisis advisors—and the company should have identified these parties in advance.
In addition, critical service providers, joint venture partners, resellers, distributors, and any other entity that could trigger a crisis or be affected by it should be involved in crisis preparations. Depending on the scenario, these outside parties should also be included in simulations and exercises where appropriate. They should share their contingency plans (specific to the provision of their service or product to the organization) and provide periodic updates on response readiness. Should external parties hesitate to invest in these activities, companies can point out that their participation will strengthen their relationship with the company and its long-term viability. If the relationship is important enough, these activities can even be stipulated in contracts and agreements.
A full-court press to attack a crisis will also require substantial resources from within the organization and the participation of a wide range of groups and functions across the enterprise, such as communications, HR, IT, customer service, and operations. Plans for responding to a crisis should therefore be comprehensive, multilayered, and integrated across the organization. All need to know what they are expected to do and how they will work together. They need to be ready to move at once in a well-orchestrated fashion, since situations can easily escalate beyond a given plan and team.
To facilitate a coherent response on the part of these internal groups, each should develop well-formed plans to deal with high-risk scenarios identified in the organization’s overall risk management plan. Businesses should also implement a “command and coordination” structure that defines how the various groups will work together. All groups should take part in simulations, and they should actively share knowledge and updates to their individual plans so that everyone is on the same page.
The number and sources of crises are not likely to diminish any time soon. Bad actors are hacking computer systems in ever-increasing numbers, and a corporate scandal could strike at any moment. Regulatory challenges also loom on the horizon, and they can emerge quickly when science and public opinion come together to demand change. For example, in a number of countries, the use of plastics in disposable consumer products is currently under regulatory scrutiny, and many businesses may find themselves in a tight spot depending on where the regulations go. At the same time, global expansion exposes organizations to more risks in environments they may not be familiar with. Making matters worse, C-suite tenure is gradually declining, which reduces the level of crisis preparedness skill and experience at the top.
Effective crisis management capabilities matter—and as our study found, most organizations must still overcome several challenges to be ready to navigate a crisis. Many companies still need to secure board and senior leader involvement in crisis management to drive effective leadership and decision-making, and many also need to invest in developing their leaders to handle a crisis. Aligning different functional teams and disciplines to clearly define their roles is another challenge. Weaknesses here can significantly inhibit teamwork when the company may need it most.
The benefits of being proactive and prepared are not small. Though many companies may overestimate their crisis management capabilities, this is not a time for hubris. As one respondent succinctly points out: “The world has become more global, but not more secure. And that trend cannot be reversed.” Following through on our recommendations will help make you stronger, fitter, and better—a more crisis-resilient organization.
