Chapter #1
Four categories of crises
Some crises are constant. Others are temporary.
Crises tend to fall into one of the following four categories:
- Hidden: Hidden crises lurk within an organization but have yet to be detected. Examples may include fraud, financial manipulation or personal impropriety (e.g., affair with a colleague). In one recent instance, the cyber breach of a major US software company went undetected for more than a year. In addition to the impact on the company, the cyber attack affected tens of thousands of its customers when the company unknowingly pushed an update that included the malicious code.
- Creeping: Creeping crises are present or suspected but have not yet been taken seriously or addressed by management. These may include regulatory changes or cyber attacks. Environmental, social and governance (ESG) issues can present a range of creeping crises from harmful environmental incidents (e.g., oil spills) and global health events to modern slavery, the #MeToo movement, data privacy, whistleblowing, and cyber-related crises. Indeed, the risks may feel endless but they can be even more challenging when the crisis emerges from "perception" by stakeholder groups rather than being based on real facts. Either way, the impact can be equally harmful to an organization.
- Sudden: Sudden crises happen without warning and are often beyond the organization’s control. These can include (but are not limited to) disease, terrorism, environmental disaster (e.g., hurricanes, earthquakes, floods, volcano eruptions or typhoons) or product tampering.
- Bizarre: These types of crises are the least recognized because of their low likelihood. Bizarre crises could range from an airplane crashing into a building to food poisoning at an executive leadership retreat. These are sometimes called “black swan” events — a phrase coined by Nassim Nicholas Taleb, who argued that outlier events, those with low probability and high consequence, are universally under-identified.
Some of these threats are constants (e.g., cyber, climate change, geopolitics and intellectual property theft), while others are temporary (e.g., supply chain issues, rapid inflation and the Great Resignation). All have the potential to turn from threat to full-blown crisis. Rather than trying to map crisis risks by likelihood and impact, organizations should identify the full spectrum of risks, and then make clear choices about how much and where to invest to prevent or mitigate crises that arise.
Chapter #2
The right team makes all the difference in a crisis
Crisis management professionals can help internal teams navigate the inordinate complexity of a crisis.
When a crisis strikes, the Chief Crisis Officer will be required to activate the organization’s crisis response and lead a predetermined team of diversely skilled professionals trained for crises. The team should include representatives from safety and security, enterprise health and safety, HR, legal, IT, finance, privacy, ethics, marketing, corporate communications, and any other areas or functions deemed critical to the crisis response.
Who fills the role of Chief Crisis Officer will depend on the organization and the talent pool. The Chief Crisis Officer could be anyone in the C-suite. Ideally, it is someone who possesses innate communication skills and is good under pressure. The role is most often additive to another role, such as Chief Operations Officer (COO), general counsel or Chief Risk Officer (CRO), rather than a full-time board position. The Chief Crisis Officer will be well trained to step into this role in a crisis, freeing up the CEO and others to continue with strategy and critical relationships.
For the Chief Crisis Officer to be as effective as possible in mobilizing and responding to the crisis, they need timely and accurate information — from feeds and inputs set up long before the event. Operational, resource and capability strains during a crisis can mean that the organization has insufficient resources to rapidly access and analyze the data. In these instances, some organizations may opt to bring in a third-party forensics or rapid response team. Such teams can help the company access information from disparate sources across myriad networks and systems, and in multiple languages, and bring it together in a way that enables the organization to act decisively. Ideally, this capability is set up months or years before being needed. Organizations will need to invest time and effort to build capacity before bringing it into use.
With the right information available, the Chief Crisis Officer can feed a coherent strategy through to decision-makers and enablers, such as external legal counsel and crisis communications teams, to understand the liabilities, and devise the right messaging to share with stakeholders and the wider community.
It is critical that every single department knows what to do in the event of a crisis and how to respond. If there is a huge explosion in a factory, how do the HR, operations, logistics, real estate, tax and security departments respond? Inevitably, almost every function within the organization will have a role to play in responding to the crisis, and aiding in recovery efforts at different times and for the duration of the return to normality. As such, it is important that the Chief Crisis Officer and their team of appointed crisis managers throughout the organization undertake crisis planning, training and simulations — so that they are well prepared to deal with the threats that arise.
Chapter #3
The four R’s of crisis management
Firstly, recognize the broad spectrum of crises before making conscious investment decisions.
An effective response to a crisis requires preparedness. However, many still find themselves inventing a response in the moment and focusing on being good firefighters. Leading organizations focus on preparedness as the ability to avoid, adapt and mitigate the fire, and only then accept that being the best at response is a competitive advantage compared with peers. Organizations need to understand what to look for in preparedness — both internally and externally. What are the signs to be recognized that indicate the worsening of a situation or the thresholds at which a full response is necessary?
Recognize the broad spectrum of potential crises
The best response to a crisis is to not let it become a crisis in the first place. This requires organizations to fundamentally reframe how they think about crises. “Given the speed and intensity of crises today, there is little sense in asking: How do we get ahead of the constant stream of crises? Instead, leaders should reframe the question as: How do we become adaptive and confident to navigate in a crisis-filled world?” states Katharina Weghmann, EY ESG Leader, Forensic & Integrity Services.
Organizations will want to begin by assessing their value chain to anticipate areas that could lead to a crisis. Like any risk assessment, a crisis assessment should identify where along the value chain the biggest risks lie. For some, it could be supply chain. For others, it may be data privacy or cybersecurity.
Active 24-hour threat monitoring can also help to detect, prevent and deter hidden and creeping crisis threats, both constant and temporary. With a robust threat-monitoring program in place, organizations can evaluate the threat landscape on an ongoing basis to determine where and how to prioritize resources, and how to shift priorities as potential crises increase in either likelihood or impact. Use of real, or realistic, threats often provides the best way to road test current plans and organizational capability.
Ready the organization
Once the organization has an idea of the potential crisis threats, it can begin to develop a strategy for responding. This should include establishing, or reviewing and updating, the crisis governance policy, frameworks and crisis playbooks that provide leadership and operational guidance around specific crises and business unit impacts — to facilitate agility and the ability to pivot when needed as the crisis evolves. Wherever possible, many of the big decisions can be pre-empted within the playbook and agreed ahead of time, when debate and clarity do not distract from the speed required in the heat of response.
To this end, organizations will want to run an exercising program, including simulations for a broad spectrum of potential crisis events, to help business functions understand the threats and refine how teams would react, while updating the playbook to reflect key learnings. These will integrate and build end-to-end capability over time, reinforcing the top-to-bottom links and relationships critical to a successful response.
Organizations also need to make principled, conscious choices about where to focus their investments first — based on good horizon scanning. Some investments can offer relatively low-cost solutions that give the organization more opportunities to pivot during a crisis. These solutions can be premade and available whenever the organization needs them, when suitably considered and assessed during planning.
Respond with integrity
Crises can be ambiguous, which is challenging for people. It is hard to pre-plan and manage in situations that are, by their very nature, uncertain. Crises can be made even more difficult because of crisis events being both global and local, across multiple time zones, with differing legal and regulatory ramifications, and with resultant customer and supply chain issues. The complexity can increase when such events require a focused response to specific audience and stakeholder needs.
With a playbook in hand and the crisis leader mobilized, organizations should have the tools to respond. However, they may also want to rely on a team of trusted advisors to help them navigate the legal, regulatory, public relations, communication, environmental, supply chain, HR, data and technology, tax, and all other aspects of a crisis. The scale of addressing all these challenges often surpasses the resources within the organization, and skilled crisis facilitation becomes a valuable commodity which can be planned in and integrated from external advisors.
During this phase, organizations must continue to live by the values of the organization and what it stands for. It can be easy for organizations to divert from their values when under duress.
Equally, organizations need to recognize the emotional and physical toll that crises take. Organizations do not respond and then go back to business as usual. Crises are both organizationally and individually fatiguing. Organizations are not designed to operate in a crisis for any length of time.
“I’ve seen clients that have a plan to deal with the crisis. But in the center of the storm, there’s no coordination of how to actually react. This can lead to mismanagement, serious cost implications and the loss of highly valued talent all because the emotional toll of a poorly executed response was enormous,” says Brenton Steenkamp, Lead partner, Forensic & Integrity Services.
Recover and reflect on lessons learned
Once the immediate crisis has passed, the organization will need to flip into recovery mode. This may include harnessing the experience of the crisis to strengthen or reinforce response plans and to improve agility. Recovery may be an opportunity to emerge stronger than before and to reset priorities.
While organizations often rely on business continuity or resilience plans for recovery from disruption, true crises often present challenges that those plans have not anticipated in either scale or spread. It is useful to use the prior planning stages to challenge the underlying assumptions in recovery capabilities and ensure that they really match organizational need.
“The impact of a crisis invariably may cast long-term implications for organizations. In Southeast Asia, suppliers that are dependent on international markets are particularly sensitive to crises because of the cascading impact they can have. The imposition of sanctions, import restrictions or the termination of a contract by a major client due to any adverse media publicity can quickly topple all its businesses in other markets and with key clients. The road to recovery in these instances tends to be long and it is crucial to act on the valuable lessons that have been learned,” says Ramesh Moosa, EY Asean and Singapore Forensic & Integrity Services Leader.
Chapter #4
Be aware and be prepared
A robust crisis management program can help organizations recover faster and emerge stronger.
Too many organizations are unprepared for a crisis. “Outdated crisis management plans, a lack of up-to-the-minute intelligence, or teams that haven’t been adequately trained in responding to a crisis can slow the response time, which may have both immediate and longer-term implications,” remarks Sallet.
A robust crisis management and incident response program that follows the four R’s can help organizations be aware, be prepared, and be capable of gaining rapid access to information that can provide the right insights to respond quickly, effectively and with integrity. Often, this leaves companies capable of recovering faster and emerging stronger than they were before, securing a competitive advantage compared with peers.
Summary
Every single crisis begins as a risk, yet too many organizations are unprepared for a crisis. The key is to recognize risks and prepare a robust and effective response. Once a crisis strikes, it is crucial to access intelligence from across the organization and externally. With this intelligence, the crisis teams can execute their plans effectively. A robust crisis management and incident response program allows organizations to be aware, be prepared, and be capable of gaining rapid access to information that can provide the insights to respond quickly, effectively and with integrity, which ultimately helps an organization recover and emerge stronger.