A crisis doesn’t make an appointment. An event escalating into a crisis can occur at any time. From the 2020 global pandemic and higher frequency of global natural disasters to the recent Optus and Medibank data breaches impacting millions of people, it is clear that executing a swift and effective response along with an overarching crisis management strategy can be very challenging for many public and private sector organisations. These challenges are well documented:
- An independent review into Australia’s response to COVID-19 identified five overarching lessons learnt and made six recommendations to be better prepared for the next health crisis.
- Various performance audits by the NSW and Victorian audit offices found major gaps in how agencies and councils prepare, update and execute their business continuity plans.
- Optus came under intense media and government scrutiny about several elements of their response to the data breach.
- Medibank did not pay a $15M ransom and sensitive, personal data was published on the dark web.
In a more complex and volatile world, organisations need to be well prepared and ready to respond anytime. Crisis management is not an optional extra!
There is a Zen proverb that says – It takes a wise person to learn from their mistakes but an even wiser person to learn from others.
There are many case studies of good and poor crisis management. What are some of the things that can make the difference between good and poor crisis management? The InConsult team take a close look at some of the typical failure points in crisis management to learn from the failures and mistakes of others.
1. Failure to foresee and address the many possible disruption scenarios
A risk that has not been identified can be hard or impossible to manage. Similarly, an unforeseen disruption can be a challenge.
Organisations need to identify the wide range of plausible disruption scenarios they may be exposed to. Once the various risk scenarios are known, organisations must identify the controls already in place that are designed to prevent, detect and correct each risk.
The identification and treatment of the various disruption risks should be evaluated in line with the organisation’s risk management framework. Formal risk treatment plans should be developed for the control gaps and weaknesses identified.
2. Failure to plan for a wide range of disruption scenarios
Having controls that are designed to prevent and detect disruption risks is only part of the solution. Each disruption scenario should have a suitable response plan that addresses all elements of the response from invocation to de-activation of the plan. The extent of the response plan should be proportionate to the level of risk. For example:
- An Emergency Evacuation Plan that deals with the safety of people is not only a legal requirement, but critical for larger workplaces e.g. hospitals, hotels.
- A Business Continuity Plan that deals with maintaining continuity of critical businesses via temporary workarounds is critical for organisations where customer tolerance for outages is very low or zero e.g. the payroll or front line customer service functions.
- An IT Disaster Recovery Plan and Data Breach Response Plan that deal with restoring business critical information and protecting privacy are essential for organisations highly dependent on information systems to transact business e.g. financial institutions that operate 24/7 and web-based businesses like eBay, PayPal and Airbnb.
- A Financial Contingency Plan that deals with the various levels of financial stress is critical for financial service organisations such as banks and insurance companies.
- A Local Emergency Management Plan that identifies the key hazards impacting a community and makes reference to the designated emergency management arrangements and responsibilities ensures emergency services are better prepared.
3. Failure to appoint a capable crisis leader
Crisis management needs strong leadership and a capable crisis leadership team. Some organisations assume that the CEO should be the crisis leader, but this may not always be the case.
A good crisis leader should have a number of important personal qualities that include:
- Responsible enough to take ownership of the situation.
- Goal oriented to set short and long term goals, assigning them and following through to completion.
- The ability to stay calm and handle stress and uncertainty.
- A great listener to take in and analyse large amounts of information from different perspectives.
- Capable facilitator to draw out issues and possible solutions.
- Making decisions under pressure and sometimes with little or no information.
- Excellent communicator to articulate the complexities of the situation and response.
- Open minded to look at the situation and solutions from multiple perspectives.
When pilot Chesley “Sully” Sullenberger decided his airplane could not execute an effective emergency landing at a nearby airport after losing power from a bird strike, he demonstrated crisis leadership when he made the courageous decision to land the plane in the Hudson River off Midtown Manhattan. All 155 people on board were rescued by nearby boats, with only a few serious injuries.
Also, the best crisis leaders we have seen have a very deep understanding of their organisation’s business activities, stakeholders, various response plans and the skills and strengths of the other crisis team members.
4. Failure to conduct a suitable risk analysis and business impact analysis
Disruption risks can have a different risk profile to other operational risks. Many disruption risks often only rate as a medium level risk due to their lower likelihood rating, often rated as ‘rare’. But nothing could be further from the truth.
Disruption risks require comprehensive analysis of the impacts, controls, dependencies, inter-dependencies and what-if analysis of possible failure points. This is achieved through a more comprehensive business impact analysis (BIA). The objective of the BIA is to identify the effects of a disruption of business functions and objectives and provide strategies to mitigate and minimize the risk to your organisation.
The BIA can also be useful during a disruption. For example, one client, who did not have a pandemic plan at the commencement of the 2020 pandemic, used their comprehensive BIA spreadsheet, developed 12 months earlier, to inform the response. They were able to quickly identify critical processes and overlay a more specific pandemic related risk analysis, effectively saving them weeks in analysis.
5. Failure to regularly train your team to build confidence and capability
It can be a challenge to keep plans up to date and cover all possible disruption risks. To compensate, you will need a highly capable and confident response team.
Building capability starts with regular business continuity awareness training. The training helps to:
- Familiarise key people with your business continuity management framework and plan.
- Ensure members of the crisis management team/response team understand the organisation’s recovery procedures.
- Ensure key people understand their respective roles to guide the organisation through a major crisis.
The training sessions should be regular (every 12-18 months) and more frequent if there is a change in staff or major changes to the plans. This is what is often covered in the Business Continuity Awareness Training session.
6. Failure to update and exercise your plans
Having conducted the BIA, developed the plan and trained your response team, the next step is to exercise the plan and keep it updated.
Regular exercising of a response plan helps ensure:
- The plan and actions are appropriate.
- Any contact list information is accurate.
- The assumptions around recovery options and timeframes are reasonable.
- Any gaps in the plan are identified and remediated.
- The response team has confidence in their plan.
The exercise can range in scope and complexity. For an inexperienced response team, we recommend starting small with a desk-top exercise that is more of a discussion. As their confidence builds, introduce more complex scenarios, restrict the information provided and use more challenging injects during the exercise.
7. Failure to conduct an initial impact assessment and start the response early
Acting quickly in a crisis is critical. A simple, scalable framework for rapid decision-making is a must.
Analysis paralysis is a major risk and can easily result in response delays. The best leaders quickly process available information, rapidly determine what matters most, and make decisions with conviction.
It is rare that a response plan will contain all the answers you need in a crisis. Every plan requires an initial assessment of the situation and a regular, ongoing reassessment.
At the commencement of a crisis, information can be limited, so decision making is hard, but necessary. As more information becomes available, it requires analysis and possible refinements of the response.
The impact assessment should consider people, systems, infrastructure, processes and all internal and external stakeholders.
8. Failure to identify and consider the needs of all stakeholders impacted
An organisation will have multiple stakeholders and not all stakeholder interests are aligned. The response must consider the needs of all stakeholders.
The response plan should typically identify all stakeholders and their interests. We recommend considering the following:
- Stakeholder/stakeholder group.
- Key message content.
- Message delivery.
- Frequency of communication.
Better practice is to have a communication plan with templates for a range of scenarios for a range of stakeholders.
9. Failure to communicate quickly and honestly
We live in a 24-hour news cycle where the sharing of information doesn’t sleep, which means companies have to act swiftly to manage issues in real time.
Being too slow to respond or responding poorly can have seriously negative reputational and financial impacts. The risks are falling share prices, loss of customers and loss of the all-important social licence to operate.
What is required is a combination of good leadership, quick impact assessment, quick decision making and ready-to-go communication templates and methods.
If you don’t have all the information, you still need to communicate quickly and honestly by providing some holding statements.
10. Failure to provide regular updates
It is often said that the 3 most important things in crisis management are communication, communication and communication. Sure, this is a bit ‘tongue-in-cheek’ but the importance of good, honest and regular communication cannot be emphasized enough.
In an age of social media and a 24-hour news cycle, taking control of the narrative through good communication via media releases and web-based press conferences is critical.
11. Failure to maintain situation awareness
Situation awareness during a crisis or disruption is critical. Situational Awareness is a concept that has been around in emergency and disaster management for many years.
Situational awareness is about knowing what is going on in the environment. It requires:
- Understanding what is happening.
- Knowing where to get the information from.
- Knowing what is relevant and what isn’t.
- Understanding the impacts of the event.
Ultimately, situation awareness helps the crisis leader make better decisions about actions. Without it, you could be blindsided.
12. Failure to use all available resources you have to respond
During a disruption, the crisis leader needs to evaluate not only what has been impacted by the disruption, but also what has not been impacted. This allows the crisis team to use its systems and resources that are still operating normally to assist in the response.
The organisation should also look at resources outside the organisation. For example, in the recent data breach at Optus, Optus made the decision to use the media as the fastest way to inform all its customers of the data breach.
13. Making assumptions without all the facts and not basing decisions on the best available information
This failure arises from a combination of poor situation awareness and being inadequately prepared for a disruption.
A risk analysis, comprehensive BIA, response plan, regular training and regular exercising are all designed to help you confidently make decisions during a disruption.
14. Failure to conduct a lessons learned review
Soon after any incident or crisis, it is important to conduct a lessons learned review. Every disruption event and crisis presents an opportunity to improve different elements of the plan and response.
The lessons learned review should be performed as close as possible to the close-out of the event. It should include all the people who participated in the response as well as representatives from the different stakeholder groups so everyone feels they have contributed.
Strengthening your crisis response and management capabilities starts here
Don’t play the waiting game. Be prepared.
We believe that improving crisis management and resilience should be a strategic goal for the board and the leadership team. Improving crisis management is also important for good governance, good business practice and effective risk management.
We have extensive experience in risk management, business continuity, resilience, cyber risk management, climate risk, crisis management, third party risk assessment, emergency management, disaster management and pandemic planning.
If you would like support in becoming a more resilient organisation and better prepared to respond to a crisis, contact us to discuss your needs.