Crises provide the ultimate challenge for organizations and management teams. Conventional management practices are inadequate to maintain stakeholder confidence, and the pressure of time can overwhelm decision-making. And the world is only getting riskier. Research conducted by Oxford Metrica during the past 25 years showed that major crises were occurring more often than a casual observer might think.
And the frequency and challenge of crises are getting steadily worse for three reasons:
In the past 20 years, multinational companies have introduced far more complexity to their business models. Consider what your car can do today that it couldn’t just five, 10 or 20 years ago. And now, it could be hacked. We have more complex manufacturing processes, producing more intricate and advanced staples of everyday life. We have more complex chemicals, more sophisticated computing structures and biopharmaceuticals. These advances enable a better world and better lives. Yet, more complexity generally means more opportunities for parts or sub-systems to fail, especially with new technology that cannot yet boast years of real-world user experience.
As individuals and as companies, we’ve become dependent on sprawling support structures that we don’t fully understand. Today’s international supply chains often have multiple layers of subcontractors with little transparency beyond the prime, and many companies have outsourced their entire IT operation, providing administrator credentials and source code access to vendors. A rogue vendor employee with that access could be devastating.
Furthermore, a crisis in the supply chain can produce knock-on impacts across entire industries. And a crisis in one company could affect a range of industries. With everything connected, the dominos are in place.
Lack of understanding
As technology and business have advanced, most of us no longer know how the things we rely on function — from household gadgets to complex supply chains to telecommunications to cutting edge science and technology operations. Even basic things we rely on are beyond our control and understanding. As a result, crises occurring in that support structure undermine our collective sense of security and safety. They provide shocking reminders of our personal vulnerability, and they produce outrage.
Moreover, stakeholders lack the expertise to understand the corporate explanation either for what happened or the solution. What may appear simple or straightforward, might actually be very complicated, fraught with technical nuances and the potential for unintended consequences. As a result, stakeholders may evaluate corporate responses incorrectly.
What companies should be doing
The crisis plans companies have relied on no longer provide adequate preparedness. As the world gets riskier, crisis preparedness must become an ongoing discipline that builds, monitors and constantly evolves the organization’s overall readiness.
Here are a few things we recommend to clients:
Integrate corporate risk functions
Ensure enterprise risk management, business continuity planning, legal/compliance and crisis management work together to ensure the organization is truly resilient. Each has a critical role in identifying risk, mitigating it and preparing the company to respond to crisis scenarios. Make them work together to produce a dynamic, actionable and ongoing program.
Make it accountable
Boards of directors should be more demanding of crisis preparedness as they protect shareholders’ interests. Risk and resiliency reports to the board should include input from all the functions listed above, and the reports should come with evaluations of progress against measurable objectives on a quarterly basis.
Know your stakeholders
Truly understand critical stakeholders and, more specifically, how they might react in a crisis. Market researchers and political pollsters today have protocols to determine how stakeholders will respond in a crisis and how they’ll react to various combinations of actions and messages from the company. Rather than guessing whether a message will work, companies should proactively test responses to a crisis and ensure they will get the results they want.
Dynamic risk identification systems
With a thorough understanding of stakeholders, companies can also understand how shifts in public opinion — especially regarding social issues — could affect stakeholders’ perceptions. Seeing these shifts is the first step. Applying information on stakeholder wants, needs and preferences then allows companies to understand why one issue may affect their business more than another, or produce greater outrage in a crisis.
Practice, practice, practice
Crisis management skills are no different than any others: they only stay sharp when used regularly. Companies should conduct tabletop exercises monthly, even if they’re smaller in scale and only require an hour of time and minimal preparation. These rehearsals give the crisis management team — and its partners and suppliers — opportunities to regularly think through what they’d do in certain scenarios.
“Red team” your organization
CEOs regularly ask us what vulnerabilities they face. While risk management may have an answer, it may not be specific enough to be actionable. Once a year, major companies should ask their external crisis consultants to produce a “red team” report, detailing scenarios in which the top three risk areas turn into public crises. The narratives “red teaming” produces turn conceptual risk areas into real world problems that executive teams can solve. That makes mitigation strategy and priorities much clearer.
Rehearse major policy decisions
The toughest crises today require complex solutions that take a long time to enact and require substantial cost and effort. This often includes revisiting or changing major company policies, unwinding deeply integrated vendor or supplier relationships, or even shifting the company’s business model or cost structure. These decisions can only be fully evaluated in the moment, in the context of a specific crisis scenario, and the surrounding narrative. Companies should do executive simulations on an annual basis, and each one should focus on rehearsing these tough decisions. It’s the only way to pressure test the choices management may be forced to make, and it’s better to consider these options and think through the decisions before the pressure of a crisis.
As the world becomes steadily more dangerous for companies, corporate resiliency programs need to meet the challenges rather than simply being a tool to satisfy regulatory burdens. And the investment required pales in comparison to what it costs to dig out of a badly handled crisis.
Chris Nelson is Senior Partner and Crisis Lead, Americas, at FleishmanHillard.