Stuff happens. We may not like it, we may even consider it unfair, but it is a fact of life. In the business environment, the question is: Are management and the Board prepared to respond?
Two years ago, I had the opportunity to talk with the Chairman of the Board for a major institution. He observed he had talked with some of his peers about recurring situations across America that had caused a reputation hit. There was a train of thought in this discussion that there had to be a connection between an organization’s risk assessment and its crisis management. In other words, should the risk assessment process inform the organization’s crisis response team?
It’s a fair question. And it’s important. Even the proudest organizations and brands are not immune to being called out by the unexpected.
Rapid Response Teams
To improve response readiness to a crisis, many companies form a rapid-response crisis communications team because everyone knows you can’t fight a fire with a committee. A rapid response team might consist of representatives from executive management, leadership of affected business units and leadership of such functions as human resources, finance, operations, information technology, public relations and legal. If necessary, a suitable crisis management consultant might be engaged. This team typically authorizes a pool of individuals who are trained to serve as spokespersons to speak on behalf of the organization in times of crisis to the media, internally at employee meetings and/or externally at public meetings.
An effective response plan emphasizes the importance of transparency, straight talk and effective deployment of social media. Messaging emphasizes the company has a plan, compassion for any victims and, as appropriate, the company’s efforts to investigate to ascertain what happened. Holding statements, prepared with the assistance of public relations and pre-approved by legal, express concern for the safety and well-being of any victims and buy time for the response team to investigate the incident and take appropriate steps to reduce the chances of another occurrence. Most importantly, the response team’s actions must back up the messaging.
That’s for starters. A rapid-response team should formulate a crisis management plan and ensure it is updated and tested periodically and supported by the communications plan discussed above. Key internal and external stakeholders who matter most to the organization should be identified and a reliable system should be in place to notify them when a crisis emerges.
Is a crisis response capability enough? Not necessarily. Not all crises are equal. Depending on the nature of the potential crisis, the response plans will vary in terms of specifics. For example, one Fortune 100 company has long stressed the vital importance of contingency planning. Its corporate crisis management plan is supported by 17 standing crisis response teams that deal with matters such as financial issues, security, plant safety, environmental matters, weather phenomena and terrorism. These teams are prepared to respond immediately to a crisis. Once a crisis worthy of invoking the crisis management plan emerges and its cause and nature are determined, the appropriate teams are activated to determine what needs to be done while the others stand down. This company’s crisis management plan offers remarkable versatility.[1]
The Risk Assessment Process Can Enhance Preparedness
Properly focused, the risk assessment process provides insights as to the appropriate crisis response teams to have in place. Traditional risk maps, heat maps and risk rankings based on subjective assessments of severity of impact and likelihood of occurrence often leave an organization with a list of risks and, with respect to the high-impact, low-likelihood risks, little insight as to what to do next. And once the exercise is completed, the question still remains: What is the organization going to do if any of these events were to occur?
Throwing darts at the wall to guess at probabilities to determine that a particular risk is remotely likely to happen isn’t going to eliminate the threat. That’s why, when assessing risks, it is important to consider the following factors in addition to significance of impact and likelihood of occurrence:
• Velocity to impact once an event occurs (e.g., does the scenario or event have an immediate impact once it occurs, allowing little time for reaction, or does it smolder for years, mired deep in the company’s processes, until the day of reckoning finally arrives?);
• Persistence of the impact (e.g., does the scenario or event have a lasting headline effect or will it quickly become yesterday’s news?); and
• Resiliency of the company in responding to the scenario or event.
These additional criteria help management evaluate high-impact, low-likelihood threats to identify areas where preparedness must be improved.
Another approach is to undertake an “extended end-to-end enterprise” perspective by looking at the value chain that summarizes the entire life cycle of value creation; that is, management should look upstream to key suppliers and downstream to key customers to identify the key dependencies that really matter. For example:
• Which suppliers do we depend on for essential raw materials and component parts? What would happen if we were to lose one of them for any reason? How long would we be able to operate? Are there other qualified sources of supply that can be readily available?
• Have our key suppliers performed their own risk assessment, looking at their suppliers? Do they have effective plans for taking corrective action in time of disaster? How do we know?
• What if there were temporary shortages in raw materials? Or serious defects in supplier raw materials and component parts? Or material volatility in prices?
• Are there customers we can’t afford to lose? What if major customer contracts were not renewed? What if major customers were to consolidate? What if we were to lose a major distribution channel?
• What if there were significant disruptions in the transportation system?
When assessing the potential impact of a disruption, consider its velocity and persistence as well as the organization’s response readiness. When these additional factors are considered, risk management begins to intersect with crisis management. This analysis may point to one or more areas requiring a rapid response team.
In summary, it is imperative for executive management and the Board of Directors to build a rapid-response crisis management capability for sudden and unexpected high-impact, high-velocity and high-persistence events. A world-class response to a persistent crisis is vital to the company’s ultimate recovery from it. Simply stated, early preparation improves an organization’s ability to respond to a crisis, reduces damage to a company’s brand image and reputation and minimizes regulatory sanctions, penalties or fines.
[1] “DuPont’s Swift Response to the Financial Crisis,” Ram Charan, Bloomberg Business Week Magazine, January 7, 2009.
Jim DeLoach has more than 35 years of experience and is a member of the Protiviti Solutions Leadership Team. His market focus is on helping organizations succeed in responding to government mandates, shareholder demands and a changing business environment in a cost-effective and sustainable manner that reduces risk to an acceptable level. He also assists companies with integrating risk management with strategy setting and performance management. Jim also serves as a member of Protiviti’s Executive Council to the CEO.