Building organizational crisis resilience seems like a never-ending game. New teams come on board; new business streams, operations, or production sites launch; and new markets open—all of which provide fresh opportunities, but also increase the risks of failures and exposure.
Furthermore, external threats like climate change, security threats, socio-economic shifts, cybercrime, and the interdependencies of a globalized world—just to name a few—continue to provide the risk, crisis or business continuity manager with plenty of issues to tackle. Yet many organizations are not as prepared as they believe themselves to be.
A new crisis survey conducted by PRNEWS and CS&A International, a global risk, crisis and business continuity management consultancy, highlights some concerning gaps in organizations’ overall crisis readiness. Data from the survey of more than 200 respondents across industry sectors, fielded in October, shows that 62% of organizations have crisis plans, but just 49% of those plans are up to date.
Christine White, a recently retired global director of crisis management and international risk management at a large multinational food and beverage company, says she is “concerned that only 26 percent responded that the [crisis] plan is well known to crisis management team (CMT) members.” A total of 33% said “most of the members of the CMT are familiar with it.” Yet 31% said they “weren’t sure” and 10% said “no.”
The importance of practice
Another striking finding is that nearly 40% of respondents told PRNEWS that they have never conducted a crisis exercise. Twenty-one percent said they “weren’t sure” how often their company runs a crisis exercise.
“Organizations do not realize the ROI of having periodic exercises/round table discussions to review their crisis management plans using real or hypothetical scenarios,” White says. “The value this provides…is not clearly understood.”
Learn from the past
One third of respondents say they don’t have a system in place to learn from past crises.
Dirk Lenaerts, senior partner at CS&A International, says “Once a crisis is over, people want to forget about it and move on as quickly as possible. As a result, a large number of companies have nothing in place to learn from…or to share within their organization. A best practice is to capture lessons from crises and ensure that all employees with a crisis responsibility are adequately introduced to documented cases.”
The increasing threat of cybercrime
Also surprising, the survey shows that cybercrime, an increasingly frequent source of crises, isn’t getting enough attention. When asked which crises are most likely to affect their industry, respondents listed ethics and compliance, major accidents, product/service quality issues, mismanagement, and third-party hostile action (terrorism, mass shooting, kidnapping, hostage-taking, riots, etc.) ahead of cyberattacks and extreme weather.
Today, according to a University of Maryland report, a computer is hacked every 39 seconds. The average cost of a data breach next year will be US$150 million, according to Juniper Research. While the majority of cybercrime is concentrated in three sectors (health, retail and government), nearly every business is susceptible to attack. Still, relatively few respondents (39 percent) identified cybercrime as a potential crisis area.
Crisis preparedness is not a destination but a journey. It is not possible to be 100% prepared, as the risk landscape is ever-changing and organizations are in perpetual flux. The Crisis Management Culture Ladder below provides a road map to increase your organization’s readiness and resilience.
As part of your budget planning cycle, build in resources to ensure that you bring your crisis plans up to date, conduct a training needs analysis, schedule exercises, and comply with audit requirements.
The following 10 questions might help you to determine what your priorities are, where the gaps in your planning lie, and what you can realistically accomplish in the next calendar year.
Crisis resilience checklist
|Question|Action|
|---|---|
|Are your risk registers and issues catalogues up to date?|Conduct a risk and vulnerability assessment.|
|What is the state of your crisis readiness?|Find out by doing a crisis preparedness scan.|
|Have you experienced a major organizational change?|Update your crisis plan.|
|When were your crisis team members last trained in crisis management?|Conduct a crisis leadership refresher training.|
|When did you last practice your plans?|Organize a crisis exercise.|
|Are your executives ready to face the media?|Conduct crisis media training.|
|Does your organization know how to engage social media in a crisis?|Develop a social media crisis policy and practice it on a secure, dedicated platform.|
|Do you still use email during crises? Does your crisis team have a secure way to communicate virtually?|Move to a secure real-time crisis management and communication tool.|
|How will you respond to family and public inquiries in the event of multiple fatalities/injuries?|Assign and train first responders.|
|How will you sustain crisis management skills in your organization?|Use e-learning modules developed by crisis management professionals.|
With this checklist in hand, you are equipped to assess your organization’s level of readiness and establish a robust and professional crisis resilience plan. Naturally, the best approach is one that is customized to fit your needs and adapted to your organization.