Companies, governments and society at large are coping with the rising incidence of crisis events including cyber-crime, natural disasters, major product recalls, pandemics, terrorism and war. Research shows that companies may face a major crisis at least once every five years. No company can immunize itself from the possibility of crisis, but they can be better prepared for them. Well thought-out crises response plans include an identified “incident commander” who is either authorized to make the call to convene the crisis team, or can engage the appropriate individuals to make that decision.
Companies, governments and society at large are coping with the rising incidence of crisis events including cyber-crime, natural disasters, major product recalls, pandemics, terrorism and war. No company can immunize itself from the possibility of a crisis, but they can be better prepared.
When do you declare a crisis? Delays can slow response times, potentially making situations worse or even leading to a larger crisis. Yet, delays are common, either because management doesn’t recognize what is happening, or because there’s concern with labeling the event a “crisis.”
Companies should consider defining in advance what constitutes a crisis for them and determining “trigger points” that once reached may indicate a crisis situation. These will be unique to each company and should take into consideration the company’s risk tolerance levels. Examples of trigger points include financial losses above a certain dollar amount, particular networks offline for a specified period of time, reaching specified threshold levels for damage to a physical plant, or even loss of life. Management should discuss their definition with the board.
If an event happens, having established trigger points can help in assessing whether or not there is a real crisis situation. Management and the board should discuss and exercise judgment on whether the situation is one for which the crisis response plan should be activated.
Well thought-out crises response plans include an identified “incident commander” who is either authorized to convene the crisis team, or can engage the appropriate individuals to make that decision. This person should be well-respected in the company. Often it’s the CIO, General Counsel or CFO, depending on the crisis.
“Companies can avoid a larger crisis by responding quickly and effectively and getting out in front of the issue,” said Sean Joyce, former FBI deputy director and co-leader of PwC’s Strategic Threat Management practice. “Speed and information sharing are of the essence, and precious time and opportunities are often lost in the early days of a crisis.”
Handling a crisis can take a tremendous amount of management’s time and energy; in the midst of a crisis it can be easy to lose the balance between managing the crisis and keeping the business on track.
The company needs to stay focused on getting back to day-to-day operations, particularly for those areas of the business less impacted by the crisis. Overlooked functions may include the supply chain, marketing, and product development – to name a few.
There are often hard choices. Decisions may need to be made around whether the company should move to different suppliers or delay filing reports. They may have to identify which business units should be brought back online first. Key decision-makers need to be engaged in the discussions. If not, the resumption of business operations can be delayed. In addition to the above, another question that should be considered in advance of a crisis is “what are the most critical assets we have that need to be operational?”
It is important to have a robust internal and external crisis communication plan. News of a crisis will inevitably reach customers, investors, employees and others, particularly as crisis stories go “viral” on social media. Stakeholders may begin to lose confidence in the company and some may take actions such as buying from competitors, closing lines of credit or changing jobs. This can exacerbate the situation.
Communicating during a crisis can be difficult because there may be limited information available and what is known can change dramatically in a short amount of time. There may also be differing opinions about whether management should communicate with stakeholders. The goals should be to maintain control of the messaging, be careful not to provide too much detail before all the facts are known, and not wait too long before speaking. It is a delicate balance and outside expertise may be needed. Social media can also be a valuable communications tool when leveraged correctly.
Companies often overlook the importance of communicating with employees. A company should share its perspectives and take actions to build employee confidence in order to manage the crisis effectively and get back to business as usual.
Some companies with robust crisis plans have responded impressively, while others have not. Frequently, the difference is preparation. Most directors say they at least moderately understand the company’s crisis response plan. But when a crisis happens, a crisis response plan is often forgotten, leading to inefficiencies and potential mistakes.
Scenario testing can improve the likelihood of effective execution. These “table-top exercises” can help a company understand how a crisis would unfold and help the board understand their role in that plan. In a typical table-top exercise, the management team runs through a crisis scenario, considering: who should be on the response team, the responsibilities of each team member, additional resources or outside expertise needed, the involvement of legal counsel and regulators, the communications strategy, and more. Many companies that have performed scenario testing begin to recognize the amount of work and coordination that goes into each step.
Patricia Oelrich, a director at Pepco Holdings , has gone through several table-top exercises during her career.
“A tabletop exercise can provide a board with an increased level of confidence that a company’s plan for responses and recovery is sound,” Oelrich said. “Communications is 97% of crisis management.”
She points to two benefits of such an exercise: (1) the board understanding its and management’s role in the crisis management plan, and (2) identifying the staff who will be involved in carrying out the plan and help walk the board through the process.
Preparation, testing, and table-top exercises build the “muscle memory” of a crisis team. However, in the midst of an actual crisis situation, they also need to remain agile and adapt the plan as needed.
1 PwC, 2013 Annual Corporate Director Survey, October 2013.