Customer Stories

Crisis Management: A Guide for Business Leaders

Art Wittman, Content Director, Brainyard
May 8, 2020

This story originally appeared on Brainyard at Crisis Management: A Guide for Business Leaders with a U.S. focus.

In short:

  • What are the three main phases of crisis management? From pre-crisis preparation to post-crisis repair, we outline key elements
  • Here’s how to put together a crisis management team that’s expert enough to understand challenges — and nimble enough to address them
  • CEOs need to lead crisis communications efforts, remembering that your company gets only one chance to make initial outreach and protect its reputation

Despite a business’s best efforts, encountering a crisis may be inevitable for many. What changes the outcome is the reaction—from preparedness to post-crisis repair, this can be the difference between thriving and being left behind. The Institute for Crisis Management defines a crisis as “any issue, problem or disruption which triggers negative stakeholder reactions that can impact the organisation’s reputation, business and financial strength. Crises can be situations threatening or doing harm to people and property, serious disruptions to operations, product recalls, labor issues, social media attacks, lawsuits, highly negative media coverage or allegations of wrongdoing against employees or leaders.”

COVID-19 falls into the first situational bucket, and the harm being done to people and property will take years to fully understand. However, Deborah Hileman, the ICM’s president and CEO, says that only about half of all organisations worldwide have crisis plans in place for problems that aren’t in the black swan category, and that’s a potentially expensive oversight.

Leaders looking to up their crisis management games need to consider a number of factors. We’d argue, though, that they must filter their strategies through the lens of human nature. As a species, we’re better at reaction than proaction. You’d think that after a few million years of evolution, homo sapiens would have learned to focus on preventing recurrences of known risks — like, say, pandemics — rather than expending resources on largely theoretical hazards.

And yet.

There’s plenty of evolutionary science behind why people do seemingly irrational things, like hoard toilet paper, but it boils down to feeling that we’ve done something — anything — to regain control.

In this guide, it’s our goal to help you think more proactively, prevent the crises you can and better handle the ones you can’t.

What Is Crisis Management? A Process

Say your company makes both tennis and golf supplies, and your shipping department accidentally sends 500 golf balls to a tennis club customer. That may not seem like a crisis, but you can bet that when the shipping clerk spotted the error, her pulse quickened, her mouth went dry and she started running through scenarios on how to make it right.

That “fight or flight” reaction has served us well for many thousands of years, after all.

While the golf ball snafu isn’t on the most serious end of a crises, it is a problem that needs prompt attention to preserve revenue, customers and reputation. So, for our purposes, it’s a crisis.

Now let’s look at how the company might respond.

Initial action: Do you ask the tennis club manager to ship the golf balls back? No. Arrange to have a truck pick them up and drop off the correct product.

Crisis communication: There’s a golf course manager somewhere wondering why he has a few hundred tennis balls. Find out who, and proactively communicate how you’ll fix the problem.

Reputation repair: The customer needed something from you and didn’t get it. Now is the time for some elevated attention.

Financial assessment: Estimate potential revenue loss and operational disruption. Say you don’t charge for either the tennis or golf balls and dispatch an employee to make the swap. What does that cost?

Then there’s escalation. If your warehouse burned to the ground or a defective product caused harm to customers, the crisis is existential, and top executives must be involved in shaping the response. However, in this case, a first-line manager should be empowered to make the call on how to fix the mix-up. Then, she should report the issue upstream, so process owners can figure out what went wrong and put procedures in place to prevent recurrence.

Crisis Best Practice: Remove guesswork as much as possible. Foreseeable crises should be categorised by your response team so that everyone knows what to do and time isn’t wasted.

But will she? Informing the chain of command of manageable problems goes against human nature, because notification itself creates a crisis of uncertainty, especially when the person who made or found the error doesn’t know how the boss will respond. The shipping manager will be tempted to limit reporting to her immediate supervisor, or she may even cross her fingers and think, “What they don’t know won’t hurt them.”

That might work out fine. But what if the owner of the company runs into the manager of the tennis club and has no idea there was a problem?

No-fault learning is a tenet of many high-performing organisations. That is, no one is punished for bringing a problem to light or making a mistake — not immediately, and not the first time, anyway. Errors are seen as opportunities to improve. In the context of our crisis management case study, by escalating the ball mix-up, the owner, or an account rep or regional manager, could decide to call the affected customers, thus turning a crisis into an opportunity to demonstrate responsiveness.

If you take nothing else away from this paper, remember these four points when developing a crisis management plan:

  1. Empower people to act quickly when a crisis is within their spheres of responsibility.

    • Actions should be based on established procedures, and
    • Employees should be required to report the issue, response, operational and revenue implications and other relevant factors to their immediate supervisors, who then escalate to the level appropriate. Shaming or punishment won’t be tolerated while the crisis is ongoing.
  2. Favour procedures that emphasise customer care and satisfaction in the face of a poor experience, even if they’re costly. Acquiring new customers is almost universally more expensive than keeping current ones.

  3. Err on the side of overcommunication. More information is better.

  4. Analyse the root cause of the crisis and put processes in place so that reoccurrences become less frequent.

The critical element here is that team members and their immediate supervisors are trusted to address crises in scope, able to spot systemic weaknesses and empowered to continuously improve processes so that mundane emergencies become rare.

Organisations adept at handling day-to-day crises tend to also handle the bigger ones properly. So get good at the small stuff. Track errors, and work to drive down their frequency and fine-tune team responses.

Resources:

Strategies for Learning from Failure, Harvard Business Review

Stronger, fitter, better: Crisis management for the resilient enterprise, Deloitte

Major Crises

Big crises are newsworthy. And since news reports are trackable, we can understand what crises are most common. The Institute for Crisis Management does just that and provides an annual breakdown of where institutions broke down.

The chart below comes from the Institute’s latest report. We’ve highlighted the crises that account for 5% or more of news stories tracked by the ICM.

Crisis Categories

ICM classifies crises as either “sudden” or “smouldering” and says that in 2018, just 33% of crises were sudden. That suggests that companies generally have lead time to head off problems before they hit the press.

Category

2018

2017

2016

Activism

2.30%

5.80%

6.90%

Casualty Accidents

0.60%

1.60%

0.02%

Catastrophes

8.20%

4.10%

0.20%

Class Actions

0.70%

3.70%

3.90%

Cyber

12.80%

4.50%

5.20%

Defects/Recalls

2.80%

2.90%

3.20%

Discrimination

14.30%

18.00%

21.80%

Environmental Damage

3.00%

4.50%

2.70%

Executive Dismissals

1.00%

4.20%

3.70%

Financial Damage

0

0.10%

0.10%

Hostile Takeovers

1.20%

1.30%

0.10%

Labor Disputes

9.40%

3.80%

0.10%

Mismanagement

22.10%

26.80%

30.90%

Sexual Harassment

9.40%

0.70%

0.50%

Whistleblowers

5.50%

6.60%

6.60%

White Collar Crime

5.40%

11.00%

11.00%

Workplace Violence

1.40%

0.20%

0.30%

Source: Institute for Crisis Management

Assessing news stories isn’t a perfect measure of the financial and operational impact of classes of crises. Convicted sex offender Harvey Weinstein dominated multiple news cycles last year and early this year, and that coverage gave rise to the #MeToo movement. That in turn caused a spike in disclosures, so the number of sexual harassment stories eclipsed those of what the ICM classifies as “catastrophes,” even as it’s likely that more immediate economic damage was caused by wildfires and hurricanes.

Let’s look at the ICM’s most common crisis categories and how to prepare, cope and respond.

Employee-Practices Related Crises

HR-related crises were common in 2018 and likely at least as prevalent in 2019. Labor disputes and sexual harassment and discrimination accounted for one-third of the crisis stories that hit the press. Clearly, management needs to take workforce relations seriously, and executives would do well to take the golden rule to heart.

Pre-crisis preparation: At minimum, HR should document how different local statutes govern treatment of your workers, particularly if you operate in multiple countries. However, we recommend going further and exploring additional training.

Crisis Best Practice: Contracting with external experts for regular evaluations of the state of your HR, financial and IT security is a best practice — as long as you follow recommendations. Otherwise, it’s a waste of money and time.

It’s difficult for management teams to honestly assess their own company cultures. But when one-third of newsworthy crises are caused by poor HR practices, it becomes clear that outside evaluation of policies, culture and risk is a good investment. Your HR team is there to ensure that you have the right talent in place and avoid practices that will land your firm in court, but these professionals are not well-positioned to drive cultural change.

Crisis response: When Uber engineer Susan Fowler went public with allegations of a culture of sexual harassment, she created a firestorm. Experts say then-CEO Travis Kalanick took the right steps. According to NBC, Kalanick immediately stated that what Fowler described was “abhorrent and against everything Uber stands for and believes in” and promised an “urgent” and independent investigation led by former U.S. Attorney General Eric Holder and board member Arianna Huffington. The mea culpa was public, did not attack Fowler and laid out a plan to improve, all good moves.

Post-crisis strategies: When an employee-related incident goes public, expect ongoing scrutiny. In Uber’s case, Fowler’s revelations contributed to the ouster of Kalanick. His replacement, Dara Khosrowshahi, has won praise for transparency and using the crisis to rebuild Uber’s brand.

Culture can be changed, with top-down leadership and the will to take sometimes Draconian corrective actions. If misdeeds rise to anything near criminal levels, those responsible must be held to account. If the CEO knew or should have known, it’s probably time for new management — a difficult move for closely held companies. At minimum, reparative measures need to be demonstrated. Even if employees don’t leave, a toxic culture is a hiring impediment of the first order.

Resources:

HR and Risk Management – An Ideal Match, Human Resources Director

HR Planning for Crisis Management, Seif Athamneh

Management-Driven Crises

Next on the ICM list, if you take mismanagement, whistleblowers and white-collar crime together, is management-caused crises.

Pre-crisis preparation: No executive acting in good faith wants to believe that the actions of her peers will land the company on the wrong side of a business-gone-bad news story. It’s therefore critical to get regular outside evaluations to ensure your code of conduct and ethical guidelines are being followed. Business consultants with vertical expertise are one potential source; just make sure they’re giving you an unvarnished, objective view.

Crisis response: For closely held companies, the immediate threat is to credit worthiness and valuation, if you’re considering a sale. If the misdeed understated tax liability, hid a product fault or failed to protect customers or employees, bring in the lawyers and let them lead.

Don’t try to hide the extent of the problem. When Volkswagen admitted in 2015 to the existence of a device to defeat emissions control tests, the original estimate was that some 500,000 U.S. customers were affected. Volkswagen quickly, and wisely, admitted that 11 million cars on the road had the devices installed.

Begin estimating the financial impact, to the extent you can. VW immediately set aside $6.7 billion and recalled some 8.5 million vehicles. However, that was just a down payment. In June 2016, the carmaker settled with three federal agencies for $14.7 billion, by far the largest clean-air fine to date. In many cases, VW must buy back vehicles that it can’t easily resell or export.

Post-crisis strategies: Realise that it’s a long road back from a management crisis, even for companies that do everything right. VW took responsibility, admitted the extent of the fraud, paid to fix the problem and cover fines, spent five years figuring out how to make its signature diesel engine meet emissions standards and changed executive leadership. Yet as of March, the company’s stock price still had not rebounded to its pre-fraud level.

Resources:

Understanding White-Collar Crime, Harvard Business Review

The Board’s Role in Crisis Management, Saylor Academy

Catastrophic Crises: When Mother Nature Strikes

Catastrophes are forces of nature — bushfires, earthquakes, floods, droughts and pandemics. Major natural disasters are increasing in frequency and severity; from the recent cyclone and flooding in Jakarta, Indonesia, to Australia’s devastating bushfire season that burned more than 12.6 million hectares, the impact of this is being felt across APAC.

Without an action plan, catastrophes are existential threats. Plans must be comprehensive and consider the increasing scope and severity of natural disasters. Go beyond business continuity to include responses to stresses on the community and your ability to serve customers as you recover business operations.

Pre-crisis preparation: In all cases, it’s an up-to-date, well-tested, comprehensive business continuity plan backed up with stockpiles where it makes sense. Catastrophes require unique, prescriptive actions that you can’t figure out after disaster hits.

Vetted continuity plans and guides have been developed by leading companies and many governments, such as AustraliaIndia and Singapore. These can also be available by industry from relevant bodies, particularly in finance.

Process is critical, too. It’s a problem if only one person can do the month-end close or knows the passwords to cloud accounts and servers. This means cross-training among employees is essential for continuity.

Crisis response: This is largely dependent on the catastrophe and the critical functions of the business. For most companies, Lockson says to focus first on restoring access to the applications employees depend on — email, calendar, finance systems, payroll — and making sure you can communicate with your employees, customers and partners.

Post-crisis strategies: The goal is resumption of business operations, with all departments operating as normally as possible. Once you get as close as possible, eliminate any single points of failure that negatively affected operations. If the internet went down at headquarters, get a backup connection. If you were without power for a few hours, get a generator. Second-sourcing materials, implementing a durable work-from-home plan and ensuring that at least part of your business can continue to generate revenue are vital to operating well and reliably in modern times.

Develop an after-action report — what went well, what areas need improving — as soon as possible, while events are fresh. It’s tempting to skip this step. Don’t.

After severe catastrophes, such as a pandemic, corporate goals and objectives may need to be reevaluated.

Resources:

How are C-suites managing the COVID-19 crisis? Human Resources Director

Post-Crisis Recovery: Golden Opportunity for Boards, Wall Street Journal

Cybercrime

Cybercrime is big global business: The World Economic Forum tracks attacks by industry and estimates that, between 2019 and 2023, approximately USD$5.2 trillion in global value will be at risk.

For most businesses, ransomware attacks and data breaches are the most likely hazards. Physical security also must be considered.

Pre-crisis preparation: It’s financially infeasible to protect against every possible attack. Rather, evaluate your risk. Do you handle personal data, such as healthcare records or bank details? Do you accept credit cards? Then you’re subject to regulations potentially including PCI, GDPR and NDB. While “compliant” does not automatically equal “secure,” following the guidelines laid out in these standards is a good place to start.

Then, have your team or a consultant assess your individual risk. Using a pre-determined framework can help accurately identify the measures your business needs to takes to be secure and follow best practice.

Crisis Best Practice: While every company needs a master business continuity plan, each department, including HR, IT and finance, should work through how they will complete the mission in a crisis. Those plans should be reviewed by a central team to ensure all parts of the company are rowing in the same direction.

Ransomware gangs don’t take Visa, so fund a Bitcoin wallet before you need it.

Another best practice is to purchase cybersecurity insurance. These policies are designed to address data-breach-related expenses including forensic investigations; monetary losses, such as for ransom payments, a key purchase driver; customer and supplier data loss notifications; and ensuing lawsuits. 

Crisis response: For ransomware, if you pay within the prescribed time limit, the bad guys may reverse the process. So move quickly, especially if your IT team cannot restore your data from a backup. In the case of data theft, notify customers as soon as possible.

Moving on-the-fly to infrastructure and software as a service transfers much (though not all) security responsibility to expert teams at cloud providers while also increasing business resilience. By definition, cloud-based systems are securely accessible from any internet connection. That’s often not the case with on-premises systems.

Post-crisis strategies: In cases of data theft, virtually all states require you to report data loss, and with GDPR in Europe and the Notifiable Data Breach legislation in Australia now in force, you can be liable for significant fines on top of the cost of remediating your systems and notifying customers.

Every day, top-tier IT teams who thought they had security in hand fall to attackers. Use the experience to improve. That gives you a positive story to tell customers, employees and the press.

Resources:

No More Ransom Initiative, consortium

Cyber Regulation in Asia Pacific, Deloitte

How to Create a Crisis Management Committee

In between mis-shipped golf balls and bushfires are mundane crises, like a pipe bursting in the warehouse or the resignation of a key employee, and the not-so-mundane, like the loss of a very large customer or a supply chain disruption.

Figuring out what could go wrong is the role of a cross-functional crisis management committee comprising representatives from each major department as well as a triage team that jumps quickly into crisis situations.

The committee’s mandate is to:

  • Annually or semi-annually audit companywide and departmental business resilience plans for completeness, timeliness and relevance to outside forces, like changing regulations.
  • Review departmental plans, which should be tested quarterly. Get reports from operations, finance, HR, IT, legal and other stakeholders.
  • Work with the CFO to analyse the financial impact of actions called for by the master plan.

The committee should include one or more top business executives as well as department heads, communications and marketing managers, HR leaders, corporate council and a board representative where appropriate.

That’s a big group — too big to make critical decisions on the fly. For that you need a triage team that’s smaller and flexible in its makeup. Standing members might include the COO, CIO, facilities director and VP of engineering or HR, depending on your business.

Keep the triage team both lean and high-ranking, so it can analyse what happened and craft an initial response quickly. This team reports to the CEO, who will add other players as needed. The first issue at hand is to make sure that the emergency is in fact understood and contained — the fire is out. The leak is stopped. Unsafe facilities are evacuated.

The finance team will have a big part to play once the triage team understands the issue. There’s a cost to get back to normal operations, and there may be lost revenue while a service or production facility is down.

Understanding the financial ramifications of a disaster and its cure is critical, as is determining how far to go in preventing future occurrences. Cures need to be better than the issue. If the problem is big enough, finance may need to work with creditors to secure the funds needed to return to normal operations.

The triage team is responsible for advising the CEO on the tenor of initial communications. It’s also responsible for determining involvement of other teams and setting a rough timeline for returning to normal operations.

How to Handle Crisis Communications

The ICM describes crises as either sudden — a product is dangerous and needs to be pulled immediately — or smoldering and likely to draw ongoing attention.

Determining whether a crisis will linger with employees, customers and the media and general public is an important function, and how initial communication is handled often determines how affected constituencies react.

CEOs need to lead initial communications, with corporate PR or, in extreme cases, a crisis communications consultant. Lawyers, HR, COOs, CFOs and others may have input, but you get only one shot at initial outreach. Our advice is to remain factual, advise on steps constituents should take and establish a timetable and channel for further information.

This is your Day 0 response, and it should be all about the welfare of employees, customers, suppliers and the public. Looking out for the well-being of the balance sheet by obfuscating or being deceitful almost always has exactly the opposite effect. Be honest, brief and direct.

Crisis management can follow the ‘three E’s’, to engage community, empower decision-makers and evaluate. This provides a simple framework for businesses to prepare for any future crises.

The Three Es of Crisis Management

Engage community. Empower decision-makers. Evaluate.

Preparation

Initial

Maintenance

Resolution

Draft and test messages

Express empathy

Explain ongoing risks

Motivate vigilance

Develop partnerships

Explain risks

Segment audiences

Discuss lessons learned

Create plans

Promote action

Provide background information

Revise plan

Determine approval process

Describe response efforts

Address rumours

 

Source: CDC Crisis & Emergency Risk Communications Manual

As you move ahead with your crisis plan, continually assess the accuracy of initial communications. If you said the wrong thing, fix it.

How To Implement Crisis Reputation Management

If you have a strong social media presence, this is not the time to go silent. In fact, social listening is the best way to understand if your message is resonating.

Carefully crafted, honest communications will be key to maintaining your corporate reputation. The style of communication, your honesty about what’s happening to your business and, when appropriate, messaging on how your company is aiding an affected community is critical.

COVID-19 and Business Resilience

In early April, we surveyed the Brainyard community about COVID-19 and their expectations for the future, asking about actions taken so far or that might be taken in the next 60 days.

COVID-19 is a smoldering crisis. There was no catastrophic Day 1 event, like a fire or chemical spill, that could be remediated. Instead, businesses will understand the effects only over time. In the case of our respondents, most feel that their businesses will do better than the economy overall. The nature of the crisis gave many time to prepare.

Companies that can weather smoldering crises tend to be resilient. One impactful business result of COVID-19 will be an introspective look at whether businesses could have been made more adaptable prior to the pandemic, at an acceptable cost.

Consider offering replacement products or free repair services, even if you aren’t contractually obligated to do so. Would you rather be right, or would you rather keep your customers? It’s usually not a hard choice.

Reputation repair can take more than some comped service if the crisis was caused internally by faulty products or services or management malfeasance. In these cases, you need to prove that the cause has been found and dealt with appropriately. WeWork and Uber are examples of cases where toxic leaders were not removed quickly enough to prevent brand damage.

In a major crisis, cash flow is king. But as you get back to normal, it’s your employees and customers that will make your business flourish. It’s virtually impossible to sacrifice those in the short term and not suffer long-term reputation damage. Consumers want to do business with companies that share their values. In times of crisis, that means exhibiting compassion and helping affected communities to the extent you can.

Crisis Resolution: What Next?

If all of this sounds laborious and expensive, it is. But the process of creating and executing a crisis management plan will make your organisation more resilient. Risk management and mitigation are intrinsic to business planning, and risks are brought into sharp relief as you assess the impact of losing a key supplier or customer, an internet connection falling victim to a backhoe or a store or manufacturing site being destroyed by a hurricane.

In each of these cases, there are steps you can plan to take in the moment, and then there are moves you can make when times are good that will not only lessen the impact of a crisis but benefit your business.

Humans are built by evolution to spot and react to crises. What’s not so instinctual is doing it well. Preparing and taking the right measures – even if they can be challenging or uncomfortable at the time – will help businesses weather the storm of a crises and emerge on the other side.