MANAGEMENT SPECIAL Being Ready for a Crisis
An effective response starts long before the catastrophe occurs, with governance
and relationships, advance preparation, and the ability to test your practices.
Of the many well-publicized cyber-attacks that have occurred in
the past decade, at least one was noteworthy because it failed to bring a
company down. On the morning of Jan. 16, 2012, millions of people awoke to the
news that every online shopper dreads: Zappos, a leading retailer of shoes,
apparel, and accessories, had been the victim of a cyber-breach that captured
information from as many as 24 million customer accounts. Major news outlets,
financial websites, and security blogs all published headlines covering the
crisis at Zappos, which had been acquired by publicly traded Amazon just
three years prior in a deal worth US$1.2 billion.
The online retailer immediately announced the launch of measures
to reduce the impact of the crisis. But the most critical factor in surviving
the attack didn’t need to be launched. The company had already put preventive
measures in place, long before the hack was discovered. For example, it had
stored customer passwords and credit card information on a separate server from
other customer details, a server that was ultimately found to be uncompromised
by the cyber-attack. Zappos also had used hashtag encryption to conceal
customer passwords. Had the hackers accessed the relevant server, they would
have seen “##########” in place of the actual passwords.
These precautions were considered leading-edge practices for
protecting customer information from cyber-attack, but they were most
noteworthy for something that had little to do with technology. They were part
of a comprehensive crisis response plan that articulated the capabilities that
Zappos would need if a cyber-attack — or any other type of business-disrupting
crisis — occurred.
For instance, Zappos had developed a protocol for notifying key
stakeholders in a crisis. Thus, when the breach was discovered, the company
immediately notified internal staff about the issue and the company’s planned
response. Then, before news hit the press, Zappos sent an email to all
customers with registered accounts, letting them know that it was proactively
resetting all their passwords. The message contained an email address for
questions or help creating new passwords. By providing this alternative to its
call centers, Zappos ensured that far fewer customers would wait anxiously on
hold; thus, fewer would develop a negative perception of the company. It also
gave the call centers more time to respond to individual messages; it had
figured out in advance that customers were more patient with email than with
phone calls. Finally, having already given its staff readiness training, Zappos
could easily shift people from other functions to surge support for customer
service.
All this preparation paid off. Customers and security experts
commended Zappos’ communications strategy and transparency throughout the
crisis. Three weeks after the breach was announced, Amazon’s share price was
higher than before it happened, and though the company was the target of a
class action lawsuit from nine states as a result of the breach, Zappos
ultimately settled for a mere $106,000.
Zappos’ approach and similar responses we’ve seen from other
companies — including those affected by the WannaCry attack — demonstrate a
basic principle: You develop the capability to handle a crisis long before you
need it. This capability should be broad enough to cover any type of crisis,
including an operational disruption, a cyber-breach, a terrorist attack, a
major accident, a natural disaster, a crime, a pandemic, a food safety scare, a
major labor dispute, a financial meltdown, a product failure, a sexual
harassment case, or your company’s ethical scandals coming to light. It also
should be focused enough to fit your company’s unique culture, practices, and strategy.
Ideally it should help you not only manage crises but avoid some self-inflicted
ones. You can’t put this kind of crisis preparation capability in place
overnight — you need to develop it as a way of life.
Crises Are Inevitable
The likelihood that your business will be hit by a highly threatening,
unexpected event has never been higher. In a PwC survey of 164 chief
executives around the world, launched in 2017 and known as the CEO Pulse on
Crisis, 65 percent of respondents reported experiencing at least one
crisis since 2013; 15 percent had experienced five or more. Forty percent
expected to experience a crisis in the coming three years, and an additional 33
percent expected to experience more than one or even many more during that
time. According to another PwC survey, conducted in 2015–16 with more
than 1,400 global CEOs, two-thirds believe that their businesses face more
threats today than three years ago.
They are right to be worried. In 2015, cybercrime alone was
estimated to cost businesses $375 billion, up from $3 billion in 2013. The
10-year average for insured and uninsured losses from natural catastrophes is
$194 billion. This doesn’t take into account the costs of fraud, corruption,
pandemics, labor disputes, or the many other types of crises that organizations
may face today. Episodes like this don’t affect just a few “bad apples”; they
have challenged every type of organization, including those with good
reputations, highly loyal customers, and long track records of success.
Whether the original crisis is self-inflicted or caused by
external events, lack of preparation almost always makes the outcome much
worse. And only one in 10 companies is prepared, according to the law firm
Freshfields Bruckhaus Deringer, whose lawyers interviewed 102 crisis
communications specialists who had worked on 2,000 significant reputational
risk incidents in 80 countries. Only one in five companies had ever simulated what
a crisis might look like, four in 10 had no plan at all, and 53 percent of
companies struck by crisis did not regain their previous share price.
Why is good crisis preparedness so rare? Probably because it
requires many organizational moves that can feel uncomfortable at first:
collaborating closely across organizational boundaries, raising awareness of
potential problems, and closing the gap between strategy and execution. If you
assume the buck stops at the CEO’s desk, and that any problem can be solved if
the top leaders make the right decisions, you might miss the need to build
operational capabilities throughout the enterprise. Conversely, if you invest
in operational capabilities around the world, you still may have difficulty
getting the right signals communicated up the hierarchy quickly. Crisis
preparedness also runs counter to the natural impulse to minimize potential
problems, to deny that they exist, or to try to cover them up.
Fortunately, even the most devastating events generally start as
small incidents. The sooner your company can recognize these incidents’
potential for trouble, the more effectively it can respond. To build the
capability for responding, you need to consider three critical dimensions:
people (your governance structure and relationships), preparedness (planning
and execution), and testing (rehearsing your actions in advance). As you gain
proficiency in all three dimensions, you become better equipped for managing
crises before one is already upon you. Then, it will be too late to learn; now,
you still have time.
People: Governance Structure and Relationships
Imagine that you are the head of a company that builds and
maintains long-distance natural gas pipelines. These tend to run underground
for hundreds of miles, far from your headquarters or anywhere you directly
conduct business. One morning, a pipeline bursts under a community of thousands
of people. Families are evacuated, and some individuals are badly hurt.
Unexpected accidents of this sort leave many companies paralyzed; it can take
years to recover their reputations.
We know of several energy companies that have found themselves in
this situation. Their ability to handle the crisis depended almost entirely on
how well they had prepared for it. In the cases that worked well, the top
leaders of the company, and the board, were directly involved in the
preparations, along with everyone up and down the line.
In the pipeline example, within two or three hours of the
explosion, the company is ready to issue a statement expressing concern for the
injured and the community. Updates to the news media rapidly follow, explaining
how the company plans to respond.
Legal issues — not just preparations for liability claims against
the company, and for any class action suits that might follow, but for
regulatory approval as well — are involved. Parts of the pipeline will have to
be shut down, and gas deliveries may have to be suspended while the company
begins to check the cause of the damage. That will mean customers have to find
alternative sources of energy. The company must check every other part of its
pipeline network for similar weaknesses, and it must keep up community
outreach, maintaining contacts with local reporters and potentially a website
or app devoted to revealing the company’s efforts. It must also reach out to
investors, assuring them that measures are in place that will allow the company
to recover, without downplaying the financial expenses of investigation and
repair — expenses that could rise in some cases to the billions of dollars.
Sooner rather than later, the company’s leadership — ideally the
CEO — will have to make a public statement. Advisors have talked regularly with
the CEO, planning these statements and perhaps even rehearsing them, ensuring
that they avoid any sign of self-concern or glib assurance (such as talking
about the time the CEO has spent addressing the problem, or saying there’s
nothing to worry about). Other roles, including the technical and public
relations posts, are also rehearsed and planned. Because they have talked
through the process, company employees don’t assume that someone else is taking
care of everything; they know just how they will step in to manage part of the
crisis. Indeed, everyone in the company understands the part they must play in
guaranteeing recovery and future safety.
In this way, even after a gas main explosion or similar
catastrophe, a company can restore its reputation and go on stronger than it
was before. But everything depends on the relationships within the enterprise
from the CEO on down, and with key external officials and regulators. Human
connection is central to crisis preparation. People need to know what they need
to do next, who to report to, and who they can rely on.
The critical importance of the CEO’s involvement was demonstrated
after a horrific accident that tested the crisis management ability of Merlin
Entertainments, a Luxembourg-based company whose United Kingdom facilities
include the Alton Towers theme park just north of Birmingham. On June 2, 2014,
two cars on a roller coaster crashed. Sixteen people were trapped, and
four were seriously injured; two young people had to have their legs amputated.
Though the park did not perform well in overall preparedness (it took 17
minutes for the staff to notify emergency responders), there was a clear,
engaged response by Merlin CEO Nick Varney as soon as he learned of it.
First, the company immediately closed the park, providing a full
refund to anyone who arrived after the incident or the following week. Varney
took responsibility, appearing the following day on BBC Radio’s “Today”
program. “Clearly we’re absolutely devastated by what happened,” he said, “and
our thoughts are with those who were injured and our hearts go out to them and
their families. As a business, we are all about giving safe, fun,
memorable experiences with the emphasis on safety. Clearly something went
terribly wrong.” When the interviewer asked what caused the accident, he
replied, “We’re trying to find the causes of an accident that shouldn’t have
happened. All roller coasters are designed so that two cars can’t be on the
track at the same time but clearly they were. I’m not going to sit here and
make excuses; I simply do not know what made the accident happen.” As for the
share price, he said, “You’ll forgive me if I’m not really focused on the share
price at the moment.”
No one but the CEO could have credibly made statements of that
sort, and they would have been meaningless unless they were backed up by the rest
of the company. Indeed, during the following months, Merlin Entertainments paid
the fines and damages demanded by the Health and Safety Executive (the U.K.’s
regulatory bureau) without contesting them (essentially pleading guilty), and
immediately put in place a series of safety measures.
To establish a web of relationships that will be valuable during a
crisis, look at both formal and informal connections. The formal governance
structure encompasses reporting relationships (the chain of command, or “lines
and boxes” on the org chart) along with the escalation or decision rights given
to key individuals — and their backups if they are not available. Spell out
explicitly what is expected of key employees and key retainers with supporting
third parties. If outside contractors are involved, formal arrangements can
include signed memorandums of understanding so that there is no ambiguity about
who is responsible, for example, for keeping IT systems working.
Although you can’t know what type of crisis you will encounter,
you can specify many of the tasks that must be handled under altered
circumstances, and who will handle them. Some participants will be designated
as makers of public announcements, others as information gatherers; still
others will be assigned to provide communications help, logistical help, or
legal advice. Make sure the plans are flexible and holistic enough to handle
variations — for example, key people may be on vacation when the crisis occurs.
Augment these formal arrangements with informal working
relationships, cemented by opportunities to meet together and ideally work on
common projects — including, but not limited to, the design and development of
the crisis capability. Look for aspects of your culture that reinforce the
values you want to be present when a crisis occurs. For example, Zappos drew on
its well-established cultural values of building open and honest relationships
with customers. If your employees have worked together on a day-to-day basis,
if they trust one another’s reliability and competence, and if they put
customers first, then all of these behaviors will still be in place when the
company is faced with a crisis.
Most arrangements will combine formal and informal elements.
Inside your company, cement the formal reporting relationships with group
sessions, retreats, or other opportunities for collaboration. Externally,
reinforce them with networking. For example, your crisis managers undoubtedly
have contact information for local law enforcement officials. But the officials
will be far more prepared to act effectively if your crisis teams have ongoing
conversations with them, and they feel comfortable with each other. The same is
true of other relevant external parties, such as lawyers, logistics experts,
and public relations professionals. Get to know them in advance.
Relationships with groups you perceive as opponents are also
critically important. This could include local interest groups, industry
bloggers, and activist investors. In any disaster, there will be people who,
rightly or wrongly, feel justified in taking your company to task. They may
threaten lawsuits or otherwise address you through formal means, but there may
also be an opportunity to reach out to them in candid conversation and ask,
“What would convince you that we are acting in good faith?” If they are honest
in their answer, you may find they are interested in something you hadn’t
considered important, such as a high level of transparency or the willingness
to answer questions.
If you’re reluctant to engage with people this way, ask yourself
if it’s because your capabilities are weak. You can build those capabilities by
designing good governance structures as “guardrails” and then practicing,
through regular conversations, your ability to talk informally with groups you
might have avoided in the past.
Preparedness: Planning and Execution
Companies that are prepared tend to come out of a crisis
relatively unscathed. The WannaCry cyber-attack that began May 12, 2017, the
largest-scale ransomware attack in history, was possible because of a software
vulnerability generally believed to have been made visible through a leak of
U.S. National Security Agency hacking tools. Some companies weathered the storm
simply because they had put in place the software patch that Microsoft
distributed in March after news of the leak broke. These companies were primed
to do this quickly because they were prepared — not for this specific event,
but for any changes that might affect their prevalent operating systems.
A similar level of preparedness was important to Home Depot in
September 2014. In a cyber-attack that month, data from 56 million credit and
debit cards was stolen. The company had a plan in place, as well as the
technical ability to eliminate the malware as soon as it was discovered. Within
a day, Home Depot announced that the threat had been removed, and it promised
customers that they would not bear the cost of any fraud and that the store
would offer them free identity theft and credit monitoring services. The chain
also announced the adoption of chip-based credit card scanners more rapidly
than had been planned. It took two years to settle a class action lawsuit for
$19.5 million, but during that time, the company’s share price continued on an
upward trend.
Companies that are not well prepared can compound their difficulties.
Even if they accept responsibility — for example, by announcing an independent
audit of the situation — there is a time gap involved for those that are not
prepared. During this time, while you are busily organizing and deciding how to
respond, the world is waiting for you. People are speculating. If there’s a
perceived problem with a product you manufacture, for example, the retailers
that carry it may feel pressed to withdraw the product temporarily, which will
raise more questions. It could even create a snowball effect in which other
retailers follow suit. Your product may be deemed free of problems in the end,
but the episode will have added a great deal of unnecessary damage to your
reputation and distribution network.
Build a single plan for your overall acumen. There are at least
seven categories of crisis to prepare for: financial (for example, an abrupt
drying up of credit), legal (a shift in regulations),
technological/intellectual (a patent theft), operational (a supply chain failure),
human capital (a harassment case), humanitarian (a terrorist attack), and
reputational (a major ethical failure coming to light). Within each of these
categories are countless permutations. Few companies have the resources to
prepare for all of them separately, and if they did, they would create silos
that duplicate or even undermine one another’s efforts. Moreover, many
disasters combine two or three types of crisis at once. One well-managed crisis
plan, and the ability to execute it by drawing on people throughout your
organization, will set you up for a broad array of contingencies. For the
leaders of this effort, pick people who are good observers and skilled at rapid
organization. They should be able to recognize a crisis early, glean the
causes, assemble the response team, handle issues requiring immediate attention
(such as plugging a leak or putting out a fire), alert the rest of the
organization, and align everyone with the process.
You can’t predict which crisis will strike or when, but you can analyze
your preparedness for the crises most likely and relevant to you — for example,
a retailer is vulnerable to cybertheft, an energy company to environmental
crises, and a manufacturer to operational failures. Having a plan in place is
not enough; you need to be sure you can execute. Look closely at the
capabilities you already have and how they could help you. At most
medium-sized to large companies, this type of crisis-ready analysis takes 10 to
16 weeks and involves pulling together the relevant players to explore what
would happen when the storm hits and to answer questions like these: Have your
risk professionals played a key role, integrating their enterprise risk
management plans into this new effort? Does the legal team know the current
compliance regulations for resolving an operational accident, and how to work
with communications to send the right messages at the right times? Are terms of
reference in place for outside consultants? Run through contingencies and
what-ifs, drawing on sources of expertise throughout your company. For example,
your 24-hour customer service hotline can be redeployed as a 24-hour crisis
triage center for customers and investors. There’s no need to reinvent or
duplicate expertise.
Make sure that people have paper copies of the crisis plan, and
have memorized critical telephone numbers. The plan is not worth anything if
the paper is lost or the computer is inaccessible. Many companies are also
building apps for their crisis plans that are tailored to each crisis team member’s
role. This allows for easier updates and ready access when it’s needed.
Finally, start now. The PwC CEO Pulse on Crisis survey of 164
global chief executives found that 25 percent had not even started planning for
simple contingencies. But of those who had plans in place, 83 percent reported
that their companies had been in a crisis, that planning had helped them
respond effectively, and that they had bounced back financially afterward.
Testing: Rehearsing Your Actions
Accepted practices for risk preparedness tend to vary by industry.
In financial services, for example, government compliance requirements have
mandated the need to provide backup IT systems and tests of the robustness of
contingency and continuity plans. These common standards have an effect; when
the crisis management teams of 140 banks went through a scenario exercise in
September 2016, they were all similarly prepared. Other industries, such as
consumer products, are much less regulated — and the variation in preparedness
from one company to another reflects their lack of shared knowledge.
In this context, financial-services companies have an edge; their
industry has primed them to test risk policies in advance. But they will not
benefit unless they follow through. The only way to learn what to do is to
rehearse a simulated crisis that requires you to show that you have
contingencies covered. That’s where you’ll discover that good plans can
collapse because you’ve overlooked a logistics or IT issue, or because people
required to execute the plan haven’t figured out all the details. Testing of
this sort also helps you avoid the kind of awkward moment when a CEO asks the
head of communications how the firm will respond to a customer Twitter storm,
and there’s only silence in reply.
The testing process is also important for engaging top management.
Given their fiduciary responsibilities, most chief executives and corporate
board members recognize the value of risk preparedness. But ask them if the
company has a crisis management plan, and you may find they know very little
about it, even though they will play a critical role. They, like everyone else,
need to rehearse their part.
In designing your test, emulate the financial sector, which has
statutory requirements to walk through virtual crisis simulations. There are a
growing number of computer-based role-playing exercises for teams, with video
clips, mock social media feeds, and other electronic simulacra to provide the
look and feel of an actual crisis. (PwC has produced one that enables managers
to live through a simulated crisis, gaining a sense of the real-world
repercussions of their decisions.) Simulations can also be tailored to rehearse
particular crises, such as a natural disaster or a terrorist attack, to
evaluate the quality of your response and fill in the gaps.
Be sure to test your speed. Bad news travels fast. When a crisis
breaks, comments are often posted on social media within an hour. In a
cyber-attack or an explosion, as we’ve seen, reaching out to affected people
ahead of the news can be extremely important. But most companies take more than
24 hours to issue a statement. At one company that suffered a severe system
outage, senior managers had different opinions about what to do. The chief
information officer did not want to go public with the problem, no one was
willing to make a final decision, and some executives failed to attend key
meetings, so consensus became nearly impossible. The delays damaged the
company’s reputation and led directly to lost business.
Murphy’s law is not a myth: The worst is likely to happen. You
have to start now to be ready. It might take six to 12 months to evaluate your
readiness, put in place the right governance structures and relationships, and
design and test your plan. But that will serve you better than waiting until a
crisis comes and winging it. The three dimensions above — people, preparedness,
and testing — can give you the confidence you need to survive, recover, and
avoid more crises in the future.
by Melanie Butler, Sloane Menkes, and Marissa Michel
https://www.strategy-business.com/article/Being-Ready-for-a-Crisis?gko=bbd2a&utm_source=itw&utm_medium=20170518&utm_campaign=resp