Stacking the deck: Effective crisis response

Perspectives

Stacking the deck: What’s an effective crisis response?

CFO Insights

While some crisis planning can happen in advance, this issue of CFO Insights discusses some essential tactics CFOs can employ in crisis response and why learning these tactics can help to preserve a crucial level of trust and confidence among the impacted company’s many stakeholders.

How to increase your odds of an effective crisis response

It is out there: the fraud incident, the data breach, the safety lapse, the technological meltdown. Your next crisis could manifest itself in a number of ways, and, almost by definition, you will not see it coming. How quickly and effectively your organization responds, stems the overflow of information, and communicates with stakeholders throughout the event will have a lasting effect on how your company is judged—demonstrating grace under pressure or exacerbating the damage of the crisis.

This reality is not lost on CFOs, who are well aware of the types of crises they are prepared for—and those they are not. Deloitte’s second quarter 2015 CFO Signals™ survey found that while 97 percent of CFOs considered cyber attacks to be a major threat, only 10 percent thought their companies were well prepared to respond.1 Similarly, 85 percent of CFO respondents identified malicious attacks, such as terrorism and tampering, as major threats, but only four percent said they were well prepared to deal with them.2

Prepared or not, companies have to respond when called. The response can be extremely challenging for C-suite leaders as they try to sort out myriad concerns in real time, including defining the crisis, determining its cause, and generating options to stanch its impacts. While some crisis planning can happen in advance, this issue of CFO Insights discusses some essential tactics CFOs can employ in crisis response and why learning these tactics can help to preserve a crucial level of trust and confidence among the impacted company’s many stakeholders.

1CFO Signals™: Q2 2015, Deloitte LLC, 2015.
2Ibid.

Back to top

An introduction to response tactics

As businesses become more complex and interconnected, confronting some sort of crisis is almost inevitable. Many companies recognize this trend, which is why corporate functions and business units typically have well-practiced risk mitigation plans in place to address routine issues. Some of these plans include safety for manufacturers, recall plans for food companies, and liquidity plans for financial institutions, along with disaster recovery and security plans for companies across industries. However, even with these initial steps taken, when a profoundly different, rapidly evolving crisis event hits—when that crisis has an impact that extends beyond the organization’s capacity to respond, and when it has exceptionally high stakes and an even higher degree of uncertainty—it is impossible to write a plan for what to do.

To face off against crisis events, a culture of crisis preparedness is required. This includes defining roles and responsibilities, establishing incident protocols, and identifying leaders to run the response—all before a crisis hits. Crises disrupt the operations of a company, as well as threaten its strategic imperatives, viability, and reputation.

Such crises include:

  • Multiple events occurring at the same time (e.g., domestic terrorism);
  • Events with wide-ranging impact (e.g., natural disasters that breach levees or flood nuclear reactors);
  • Black swan events that simply lie beyond an organization’s imagination.

Whatever form the crisis may take, business leaders, including CFOs, should develop a common response approach. They should understand that there is a common approach to responding to a severe, franchise-threatening crisis, regardless of its origin. At the strategic decision-making level, the crisis leadership skills required to respond to a cyber breach are the same as those needed for a chemical spill, a bribery scandal, or a regulatory violation. At the tactical level, the response to these crises will differ. For many of these scenarios, however, company leaders will have to improvise and learn to adapt to the alternate universe that a crisis brings. This means thinking strategically even when the surprise is a factor; it means acting decisively in the face of time pressures. Add the challenge of sorting through misinformation or simply not having enough facts on hand and executives face a dilemma:

  • Make decisions quickly at the risk of basing them on incorrect or inadequate information; or
  • Wait for the perfect set of data, thereby essentially freezing in the headlights and making no decisions at all.

The odds of an effective crisis response increase if the unknowns are dealt with in an organized way. Then, when a crisis strikes, the situation can be managed by relying on that pre-established culture of crisis preparedness and by employing three tactics for response: leveraging the golden hour, developing a common operating picture, and prioritizing stakeholders.

Back to top

An introduction to response tactics

Leveraging the golden hour

The concept of the golden hour originated in emergency medicine during World War II. Medics found what they did in the first hour of a patient’s arrival—both in terms of assessing the situation and mobilizing appropriately—profoundly affected the patient’s chances of survival. Applied to a business crisis, what happens during the onset of an event greatly affects the extent of damage and eventual outcome of the crisis, as well as determines the course of action in the weeks and months to come.

Leading crisis responders first conduct a mobilization meeting to share emerging information about the crisis, create an understanding of the potential impacts across the company, and start to define roles and make decisions about initial response actions. During this precious time, executives should avoid the temptation to try to understand why the crisis happened—this will come later. Instead, executives should mobilize promptly and start by focusing on what they know, and what they want to know.

During the mobilization meeting, executives should determine the “CEO’s intent,” including the definition of success for the response and the timeframe for accomplishing it. These guidelines will enable C-suite executives to align their actions to the overall objective and galvanize the rest of the organization to work toward that common vision. A CEO’s intent that stresses financial preservation could result in one set of actions, while a CEO’s intent that expresses the need to maximize customer retention could result in a different response. The CFO can offer suggestions and serve as a sounding board to the CEO to help shape the intent of the crisis response. Companies should emerge from the golden hour with a clear strategic direction, set at the CEO and executive level, that will guide the hours and days that follow it.

The CFO may not be the person chairing this initial call or meeting, but he or she is crucial to identifying interdependencies. For example, if the nature of the crisis is a liquidity crisis, the CFO may naturally be the subject matter specialist and work with business units to assess the impact of the problem and brainstorm possible responses. Even if the crisis is not related to finance, however, the CFO is crucial to identifying functional impacts. In a crisis like a cyber breach, those functional impacts may include determining insurance coverage, deciding if the event must be reported to regulators, and estimating the costs of the breach. Overall, the full C-suite should work in concert as a cross-functional leadership team—and the CFO is central to that team.

To conclude the mobilization meeting, participants should agree on when to convene next and take initial steps toward the second tactic: determining what is known, what is unknown, and how that information builds a common operating picture for the response.

Back to top

Leveraging the golden hour

Developing a common operating picture (COP)

During a crisis, information is inaccurate, contradictory, and sporadic. Additionally, managers’ responsibilities often shift during a crisis, with some assuming more wide-ranging duties than they typically perform, while others may be embroiled in unfolding events and completely unavailable. In this splintered environment, developing a COP can help organize the response team. Simply stated, the COP is a single, identical display of relevant information that can be shared across the whole team. It includes information, such as facts (what do we know? what do we want to know that we don’t yet know?); impacts across lines of business, functions, and stakeholders; and decisions and actions, both planned and completed.

The benefits to a COP are threefold. First, the tactic helps to reduce white noise. During a crisis, it is often difficult to discern critical information from misinformation. No matter what, executives have to make decisions with the information they have, so the COP provides a mechanism for capturing the known information in one place as a single version of the truth. Second, an enormous amount of time is usually spent keeping everyone on the response team in the loop. The COP can streamline these efforts and save precious minutes. Lastly, using the information stored in a COP is a leading practice when creating communications related to the event, whether the messages are internal or external, to ensure the organization speaks with one voice based on one set of facts.

As circumstances change, the common operating picture will need to be updated (updates should occur multiple times per day). With the required care and maintenance, the COP provides a dynamic snapshot of what is known or not known at a particular point in time, and tracks the actions in play.

Back to top

Developing a common operating picture

Prioritizing stakeholders

The actions that are taken during a crisis, if they are ill-conceived, can create a loss of trust between a company and its stakeholders. Maintaining trust involves quickly identifying who is impacted and what their concerns entail (see Addressing different stakeholders in a crisis). While companies need to demonstrate empathy for all those affected, they also have to assess who is the most impacted and who has the most influence and then develop a very deliberate way of stratifying different categories of stakeholders.

Stakeholder prioritization involves advance planning that provides a quick payoff during the crisis. Impacted stakeholders are generally known in advance of different types of crises. For natural disasters, a company may prioritize employees and community members; for a cyber breach, the response may begin with the customer or law enforcement; in an accident involving the CEO, the board and shareholders may be first engaged.

After identifying the stakeholders for each type of crisis, leading companies will categorize them by the impact the event will have on them and their level of influence during the event.

Some important questions to consider include:

  • Who will be most impacted and how?
  • Can turning the opinion of influential stakeholders create business advocates?
  • Are there stakeholders who you merely need to keep in the loop? How do you prioritize them?

By categorizing the different interested parties, you can devise a strategy for how to engage with each of them, in what order, and to what extent. Stakeholders who both have influence and are impacted by the event will be the most critical to engage with first.

Throughout a crisis, communication and empathy with stakeholders will be important. Effective communications should address the myriad of reactions stakeholders may have to the event, including anger, concern, and anxiety. Honesty, transparency, and inclusiveness are also critical to an effective response.

Back to top

Prioritizing stakeholders

Flexible deployment of these tactics

This article rests on the idea that having an overarching culture of crisis preparedness and implementing associated tactics will enhance a company’s ability to protect and preserve value and maintain or enhance stakeholder confidence in the event of a crisis. The mobilization meeting, COP, and stakeholder prioritization are tried and tested approaches to crisis response. By identifying effective crisis leaders, including the CFO, before a crisis event and empowering them with these tactics, companies can successfully manage their responses to almost any event.

Back to top

Addressing different stakeholders in a crisis

Depending on the type of crisis, stakeholders have varying levels of importance. The following stakeholders typically need to be considered during a crisis and CFOs should pay special attention to their needs:

Shareholders. Overall, CFOs work effectively with investors when they approach an issue with a mindset of transparency and realism. Such a mindset in a crisis allows CFOs to clearly and concisely define the problem and relay the company’s planned response. Depending on the crisis, though, shareholders are going to have some very specific questions: By how much will we miss earnings? Is our credit rating vulnerable? How much cash might we bleed?

Regulators/auditors. Both regulators and auditors will want to know what policies and procedures may have been impacted. Communication with these stakeholders depends on the nature of the crisis and the regulatory and compliance requirements involved. Failing to notify a regulator within the prescribed time risks incurring a fine. For example, the Occupational Safety and Health Administration (OSHA) and the Environmental Protection Agency (EPA) both have thresholds for when to report workplace accidents or environmental spills. Other regulators may need to be notified if there is an incident involving product tampering or quality. Such requirements should be documented and adhered to in the crisis communications plan.

Customers. The impact to the customer base is one of the earliest assessments companies should make. Unfortunately, one of the very real consequences of a crisis may be that customers flee. Mitigating that risk requires strong communication, a commitment to action, and some degree of humility. Customers will want to know who is to blame and what steps are being taken to correct the situation (especially to protect their data). More important, customers will want the company to explain how and why the crisis will never happen again.

Back to top

Addressing different stakeholders in a crisis

CFO Insights, a bi-weekly thought leadership series, provides an easily digestible and regular stream of perspectives on the challenges you are confronted with.

View the CFO Insights library.

About Deloitte's CFO Program

The CFO Program brings together a multidisciplinary team of Deloitte leaders and subject matter specialists to help CFOs stay ahead in the face of growing challenges and demands. The Program harnesses our organization’s broad capabilities to deliver forward thinking and fresh insights for every stage of a CFO’s career—helping CFOs manage the complexities of their roles, tackle their company’s most compelling challenges, and adapt to strategic shifts in the market.

Learn more about Deloitte’s CFO Program

Back to top

Did you find this useful?