

Crisis management defined

Planning for a crisis is not about the doomsday scenario, but about ensuring organisations seize the opportunity presented by a crisis and create a more resilient body: one that is responsive, alert to future challenges and able to deliver to customers, stakeholders and meet shareholder expectations, writes Stuart Hughes, pictured, of Enterprise Security Risk Management.

Here are ten critical aspects of crisis management:

– Sponsorship: Senior executive engagement is critical to a successful crisis programme;
– Definition: Defining crisis, what it means and how the organisation should respond;
– Training: People need to be trained, as crisis leadership is not innate; many people have tried to avoid crisis training for a variety of reasons, so could have limited experience;
– Leadership: Must be exercised with ownership and humility, as must communications (internal and external);
– Clarity: Assigning roles and responsibility is critical;
– Assessment: Situation, information, thoughts, actions and communication must be assessed;
– Protection: Of people, brand and reputation;
– Response: Should be consistent and at the speed of the incident, not that of the organisation;
– Recovery: Should be as quick as possible in line with the recovery time objectives; and
– Debriefing: Learn and improve so as to be ready for next time.

These aspects were confirmed and underlined across numerous industries during a recent panel discussion I moderated covering crisis management and communications. The debate considered the impact of current high-profile operational incidents, terrorism and cyber attacks, and how organisations could best prepare for and respond to the ever-changing risk and threat landscape. They are also in line with an industry survey by Steelhenge, where 46 per cent of respondents identified lack of senior management buy-in and support as the most significant challenge to preparing their organisation for a crisis efficiently.

Projects are unlikely to succeed without support at a level that is senior enough, from an individual who has both the motivation and the political capital. Articulating the benefits of a comprehensive programme to stakeholders, including horizon scanning and exercising, is vital to gaining buy-in and engagement. Commonly realised gains include increased efficiency and cost savings through avoiding or pre-preparing for incidents, better cross-functional working, and greater empowerment and motivation of staff.

One may think that defining what a crisis is would be a relatively simple task. Anyone dealing with either business continuity management or crisis management in a corporate environment has probably come across statements such as: “We handle crises every day,” or: “I will know what a crisis is when I see it”. We have seen many high-profile examples of crisis management recently. What becomes apparent is the response of those who are well drilled; usually they display slick actions, are efficient and instil confidence in those around them. Equally clear are the responses from those whose crisis management protocols fall short of expected standards. One has only to look at the 2017 case studies of British Airways or United Airlines and their respective crisis communications as examples negatively affecting both brand reputation and shareholder value.

One dictionary definition of crisis is a ‘time when a difficult or important decision must be made; the situation has reached crisis point’. This primarily revolves around what constitutes a crisis and what sets it apart from a routine emergency. An element of pre-planning and mitigation can usually be put in place in relation to a routine emergency, owing to the likelihood or predictability of that scenario occurring. Although a routine emergency is still challenging, there is an element of predictability, allowing for advance preparation.

Desktop exercises allow any flaws in the plan, documentation or business processes to be understood while there is an opportunity to rectify them. I have facilitated exercises where the person responsible for the documentation is ‘100 per cent certain’ it is up to date, only to find incorrect phone numbers, or that someone left the business a year ago; this is humorous during an exercise, but not as amusing when lives or the company are at stake. Keeping the strategic core team small enough to be efficient in decision-making and broad enough to cover core business is an important step. People or departments not included initially can be brought in as required. Defining who has overall responsibility at strategic, tactical and operational levels should usually follow departmental and organisational lines, with precise definitions of relevant considerations being outlined per department. Predefining this also saves time during any incident.

When assessing the crisis, one mnemonic used is SITAC:

– Situation: What has happened? Where? Who’s involved? Who’s nearby? Can we account for our team?
– Information: What do we know? What don’t we know? How will we fill in the blanks? You will rarely have all the facts;
– Thoughts: Of the strategic, tactical or operational teams (both within the organisation and external advisors such as the emergency services);
– Actions: What do we need to decide? What do we need to act on? By when? By whom? and
– Communication: How often? To whom? Consider internal and external stakeholders. What and when will we communicate to different populations?

Everything must be documented. Social media will often accelerate the speed at which the incident unfurls, particularly in relation to PR and communications. If adequate planning has occurred before any crisis, priorities will be understood across the business, enabling responses that match with – and are focused on – recovery time objectives. Debriefing is also imperative. How can you improve, if you don’t identify what went well and what needs further work?

