This post first appeared on Risk Management Magazine.
In today’s dynamic business environment, one of the few certainties is that organizations of all types and sizes are likely to confront an enterprise-defining crisis at some point. Despite the high probability of this occurrence, such an incident will still come as a shock for some.
A crisis is generally defined as a critical event or point of decision that, if not handled in an appropriate and timely manner, can turn into a catastrophe with the potential to harm people or property, seriously interrupt or completely halt business operations, damage an organization’s reputation with stakeholders, adversely affect overall enterprise value, spark employee departures, and/or create new opportunities for competitors.
Accepting the reality that a crisis will occur and rejecting the oft-repeated “we’ll handle it when it happens” or “there’s nothing we can do now since we don’t know enough” is the critical first step in constructing a durable strategic crisis preparation and response protocol.
Organizations that use “peacetime” wisely will be much better positioned to curtail the severity and duration of a threat when one does materialize. A battle-tested framework for effective crisis preparation and response includes:
Planning and preparation: At the outset, developing a written crisis plan requires a candid assessment—best led by independent experts—of the organization’s vulnerabilities. This analysis should consider all possible scenarios, from those perceived as likely to so-called “black swans.” The process to identify these risks includes interviews with the organization’s executives and operations-level leaders, review of its past crises (and how they were handled) along with peer or industry incidents, and open source research such as sell-side analyst reports, relevant federal and state regulatory filings, and macro-industry analysis.
Next, develop tiered and prioritized threat classifications outlining the ideal response approach and the follow-on tactical implementation appropriate for each tier. This should incorporate agreed-upon criteria including objective metrics such as the number of customers or external parties involved, potential financial impact, feedback/input from regulators, expected duration, and relation to other current high-profile issues. The resulting escalation and de-escalation matrix can accommodate the real-life situations in which most crises occur, especially by incorporating new information that changes the dynamics.
The organization’s response should be similarly flexible. Preparing materials mapped to each vulnerability discovered above is also essential. Done outside of the pressure of an evolving crisis, drafting everything from holding statements to deeply researched FAQs to potential social media communications will enable the organization to customize and, as needed, issue these communications quickly.
People: A small group of senior executives designated as the organization’s incident management team will provide the oversight and speed necessary in a crisis. Given the enterprise-wide scope of a potential crisis and the need to draw on a wide breadth of internal and external resources to manage it, the general counsel or the chief risk officer often leads this team on a day-to-day basis. The CEO and, when appropriate, the board of directors ultimately have the final say. The incident management team should comprise a range of members of the organization’s senior ranks representing each of its major stakeholders, from investors to employees to the media. Every team member should also have a backup.
Additionally, it is useful to identify a series of subject matter experts to advise the team. For example, in the event of a data breach, outside technology, forensic and potentially legal expertise would be immediately available. It is also important to institute a tested system for internally reporting a potential crisis to the designated crisis responders, as well as a clear pathway for communications and direction from the team to be transmitted and implemented across the organization.
Practice: Organizations are best served when they “pressure test” the crisis plan and protocols through the implementation of crisis response drills or tabletop exercises that simulate the pace, multiplicity of issues, and potential landmines that require deft navigation. When these exercises are conducted by outside counselors (who alone know the full parameters and extent of the exercise), the results can be illuminating and provide the foundation for briefings to management and members of the board of directors. It can also be helpful to validate the details and implications of this exercise with a designated member of the crisis team (often the general counsel).
Post-Event Evaluation and Review: Whether a real or simulated crisis, the organization must incorporate lessons learned from any incident and address all demonstrated gaps in the crisis plan. Driving this information into the continuous improvement of the process, planning, and materials will enhance organizational preparation to successfully overcome future challenges.
In 2019 and beyond, time is the enemy for any organization in crisis. As response windows continue to shrink, organizations and their leaders are newly empowered through the creation of advanced planning and preparation capabilities to help them thoughtfully protect their people, assets, brands and even their personal reputations. Brands that perform well in trying times can minimize the negative impact, speed their reputational recovery, and stand out from competitors who may not have been as well prepared.