Putting victims at the heart of a crisis response
Insights from crisis response
On a regular basis we at Deloitte look at what we have learnt from the recent live crisis responses on which we have supported our clients, as well as others in the public eye. Whilst we cannot name the clients we have helped, we can use our experience to bring new insights to some familiar principles of crisis management and we can make recommendations to organisations looking to improve their crisis capability.
As part of an on-going series of insights from crisis response, in this edition we look at how organisations responding to crisis need to keep victims at the heart of the crisis management strategy.
Victims, villains and heroes
Almost all crises have victims. The term crisis suggests something catastrophic has happened – or at least something extremely serious – and that usually means people will in some way have been impacted.
The last six months have seen a terrible fire and terror attacks in the UK, causing loss of life, life-changing injuries and leaving victims and families of those who died struggling to put their lives back together.
The media reported many human interest stories as communities, emergency services and others pulled together in the face of adversity.
In any crisis, the first days will bring immense pressure and scrutiny upon the organisation(s) at the heart of the response. This will include the emergency services, usually portrayed as the ‘heroes’ of the piece by the media and stakeholders. But as well as heroes, the media is looking for victims and villains. Being the focus of blame and anger is often unavoidable given the circumstances. So, when the organisation is under more pressure than it may ever have been, when the instinct might be to be defensive and inward looking and when the crisis is unfolding in a very negative stakeholder context, the challenge is to keep looking at the situation from the outside in, with an absolute focus on the victims and doing the right thing for them.
This is a challenge of both organisation and decision making: getting organised to bring order from chaos by implementing an existing crisis response capability (which all businesses should have in the form of structures, processes and trained people to implement them); and making the right decisions with the right objectives and all stakeholders in mind. Top of the stakeholder list must always be the victims and this means the organisation must be able to rapidly identify the actions they will take and the commitments they will stand by in support of them; and then to communicate these effectively and deliver on the promises made.
A long-term approach to supporting victims
In physical incidents where life-safety is or has been an issue, emergency care, often delivered in the media and stakeholder spotlight, is eventually replaced by the need for long term support. Care pathways happen over many years, but the planning for this starts – or should start – immediately. Early missteps in the provision or promise of long term care are not easily forgotten, especially when stakeholders perceive that the aforementioned ‘villains’ need to show remorse and commitment to putting the situation right. Victims want to be reassured that the organisations at the centre of the crisis will commit to them in the long-term, and it is in their interests to push for this whilst the media and stakeholder scrutiny remains intense.
For organisations at the centre of physical crises like this, it is vital to maintain a long-term commitment to supporting those impacted. The relationships between the organisation and the victims of the crisis might last for many years, and it is easy with the passing of time for these relationships to turn sour, especially when legal proceedings start to dominate the crisis aftermath. But organisations must do whatever they can to prevent these relationships deteriorating because, if they begin to be characterised by conflict, there is only one ‘winner’ of this conflict in the eyes of the public. The ‘victims-versus-villains’ story can play out over many years.
It is important to remember that it is not just longterm care and compensation that victims and their representatives may want and need. Many want to feel they are involved in any change that may come from the crisis. This may partly be driven by a sense of needing justice, and not trusting the organisation or authorities who are identifying and learning the lessons of the crisis to do so without representatives of the victims. It is also driven by a need to feel that their injuries or the deaths of the loved ones is in some way recorded and that they can help ensure that others don’t have to experience what they have been through. Wherever possible, organisations should try to find a way to include victims as they try to learn the lessons, and make changes and improvements.
Victims in ‘non-physical’ crises
Not all crises are physical crises, however, and not all victims are physical victims. Even crises such as corporate scandals, frauds, services outages and product failures will have victims. These can be passengers who cannot get to their destinations (a wedding or a funeral for example) because an airline’s systems are down; bank customers who cannot access their accounts (and run out of cash or miss their mortgage completion); patients whose dependence on vital medicines is compromised by the aftershock of a cyber event or system outage affecting the drug manufacturer. Even investors (or, in media terms, pension holders) can be portrayed as victims when a company in crisis sees its share price crash. Whilst these examples may seem trivial compared to loss of life, in crisis management terms there are still victims at the heart of the crisis that need to be treated as such by the organisation(s).
Cyber-attacks – who are the victims?
In the last few months we have supported a number of organisations who have been hit hard by cyber-attacks, and we have observed others responding to similar situations. Cyber-attacks present a different challenge in the ‘victim’ discussion. They are illegal acts committed to cause operational or reputational harm to an organisation, often in an attempt to extract money. It would be easy for an organisation, struggling to deal with the many impacts of a ransomware or malicious attack, to assume it is the victim. But however aggrieved an organisation feels, it should play the victim card with extreme caution.
Public sector organisations, often perceived to be short of funding, can sometimes be seen as the victims of a cyber-attack, but private sector organisations cannot. Corporates just can’t portray themselves as victims. Stakeholders will see the success of an attack as a failing of resilience at the organisation which has a responsibility to protect itself and those that depend on it.
So if the organisation itself is not the victim in a cyber-attack, who is? It could be consumers, customers, suppliers or others who are impacted.
These are key stakeholders for any company and must be recognised as the victims who will need to be heard, communicated with, involved and potentially recompensed. Above all they will want to know what actions you are taking and commitments you will make to put things right, what measures they can take to protect themselves from further damage and they will want to see you deliver on those commitments.
Employees can also be victims, especially in an attack that targets an organisation’s ability to go about its day-to-day business. The importance and complexity of internal communications has been a key observation from recent cyber experience. Such cyber-attacks can prevent an organisation’s staff members from logging in, doing their work, operating their systems, managing their customers and indeed doing any part of their job. This puts pressure and worry on to them which, if the attack hits multiple parts of an organisation in multiple locations, all add up to a major communication challenge.
Those managing the incident/crisis need to remember that, whilst an internal stakeholder might be ‘one of us’, they may also be – or perceive themselves to be – victims and need to be treated as such. Tone and empathy in communication is important here: a corporate or cold response does not maintain trust; warmth and empathy does. Internal communication in these circumstances may seem simple in structure and content – explaining what has happened, what we know and don’t know, what we are doing about it, how we feel about it, what you can do to help, when and how you will receive information – but this simplicity is also full of challenge.
One key challenge is that the situation and/or the organisation’s understanding of it will be constantly evolving, but at the same time it will rarely meet the expectations of those impacted. ‘Why can’t you tell us more?’ is a common refrain. Another challenge is expectation management about the solution and the speed in which it will come. In recent cyber situations, we have observed frustration based on a (misplaced) perception of a slow response. A third challenge is the means of communication in a cyber-attack. How do you communicate with victims – and indeed all stakeholders – when many communications channels have been compromised or switched off? We have all read the stories in the past of victims/families being given important and often terrible information by text, but what if there are few other ways of communicating?
Victims come first
In summary, the approach we advocate is to think through each crisis from the very outset with stakeholders in mind and to remember that victims are both stakeholders in their own right and the focus of the concerns of most other stakeholders.
Any decision, action or communication that looks like corporate interest is being put before the interests of those impacted will be potentially heavily criticised. One company we have been working with recently got this right early on. On day one, it recognised that helping the victims of the incident (in this case physical) and being seen to be doing the right thing was more important than clarifying exactly what had caused the problem and if they were at fault. Had they waited to be 100% sure that the blame for the incident lay at their door, they would have waited over a week. The reputational damage for being seen not to address a problem could have been serious. Instead they were praised for helping to sort a problem. This was a good example of an organisation understanding the difference between the court of public opinion (immediate and emotional) and the court of law (longer term and rational).
Some practical recommendations
- Identify ways to support victims: During ‘peace time’ and when considering different crisis scenarios (e.g. in crisis simulation exercises), carefully think through all ways in which you might support victims, the resources and specialist abilities this will take. For physical incidents, for example, know where to find trauma and other specialists. Where customers may be affected, understand the options for redress.
- Make victims a priority: When considering stakeholders, think ‘victims first’ – who are the primary victims? Are there other secondary victims? This will help you see the crisis through their eyes from the beginning and throughout.
- Maintain a central focus on victims: In a crisis with physical victims, consider putting names, facts, figures and even pictures of the victims on display in the incident and/or crisis response room. Again, this will help maintain a victim-centred focus.
- Train leaders: Help your leaders, through training, to feel comfortable with expressing emotions and setting the appropriate tone.
- Put an effective communication plan in place: Consider not only what you will do and what you will say to and about the victims of a crisis, but also how you will say it: don’t assume the usual channels of communication will be appropriate or even available.
- Focus on delivery: Once you’ve decided on the actions you will take and the commitments you will make, maintain absolute focus on delivery through the long-term and communicate transparently on progress against them.