Crisis? What crisis? Peter Power on the importance of preparing for and dealing with the worst when it happens
Some years ago, businesses only talked about ‘disaster recovery plans’ which, as their title suggests, dealt specifically with trying to recover operations post-event, rather than increasing resilience and planning to continue key activities irrespective of the crisis scenario. Quite often, disaster recovery plans only dealt with IT restoration and the rest of the organisation was more or less ignored.
Nowadays, this has changed considerably. It has become clear that all critical business or operating needs should be capable of sustainable existence, albeit on a reduced scale, if any organisation is going to continue operating when a crisis occurs – especially in a world of increasing threats, risks and rising insurance premiums. There are three basic reasons for getting to grips with this:
- Moral. All organisations have a duty of care towards staff and other stakeholders, to the efficient running of all operations and to exercise best practice and compliance with regulations.
- Physical. The need to demonstrate robustness by using intelligent security measures to deter incidents and better contingency plans to apply if anything does happen.
- Conceptual. To understand risks and threats as an end-to-end process and examine exposures caused by anything from supply chain failure to terrorist bombs.
The corporate response also has to embody three features to ensure success. It has to be feasible, relevant and attractive, and there is also the issue of foreseeability. We have all been warned about the inevitability of terrorist attacks, but is terrorism the only major threat to worry about? Although the threat from al-Qaeda and others is extremely real, the majority of disasters in the UK are seldom anything to do with terrorism. They range from fires and floods to corrupt data and supplier failure. So what can a business do in case disaster happens?
The response has to come from the top. They may not always see it this way, but the directors of any company and the partners of any law firm have a responsibility to avoid being crisis-prone and to demonstrate more than just routine savvy. Add up the implications of the Turnbull Report on internal controls/risks, Basel II, Sarbanes-Oxley, the implications of corporate social responsibility and a whole host of other considerations such as the Human Rights Act, the new Civil Contingencies Bill, the Fire Precautions (Workplace) Regulations 1997, the Management of Health and Safety at Work Regulations 1999 and the emerging corporate killing legislation, and the task can seem daunting. But it is not all about being pushed by fear of prosecution.
Several organisations have actually increased investment potential by successfully demonstrating crisis leadership in the abrupt audit of a real crisis.
In 1992, the IRA exploded a massive bomb in the City of London that seriously damaged the Commercial Union (CU) head office and did huge damage to Norton Rose’s offices. In the case of CU, the company immediately formed an executive crisis management committee and gave priority to informing all stakeholders what it was doing. The next day it placed an advertisement in several newspapers, which adapted its own advertising slogan, “We won’t make a drama out of our crisis”, and quickly produced a video of the damage and open conference meetings to outline its recovery plans.
As a result, stakeholders were reassured that the management team were on top and in control so that no loss of business followed. Indeed, it is said CU actually attracted more business.
British Midland Kegwoth air crash
In 1989 a British Midland Airways Boeing 737 crashed on the M1 in Leicestershire, killing 47 people. British Midland chairman Sir Michael Bishop lost no time going to the scene and telling the press that as the head of the company, he was responsible. There was no hiding behind official inquiries or any sense of obfuscation. His crisis leadership technique was clear, sympathetic, positive and transparent. The person in charge was visible, coherent and reassuring. Bishop always kept the press informed of the inquiry and what British Midland was going to do next. Consequently, his lead during a time of intense crisis is noted as a good example of crisis management from the top. Despite an enormous tragedy caused by technical and human failings, the company remains a profitable enterprise.
Nokia v Ericsson
In 2000, a small fire at the Philips semiconductor plant in Albuquerque in the US blazed for only 10 minutes, but far away in Scandinavia the fire sparked a corporate crisis that shifted the balance of power between two of Europe’s biggest mobile phone companies, Nokia and Ericsson. Both organisations were heavily dependant on microchips from Albuquerque, but only Nokia immediately spotted a glitch in the supply chain. Without actually knowing what was wrong and not settling for reassuring words from the Philips factory, Nokia made rapid crisis management decisions that resulted in it flying to Albuquerque and giving the factory owners a series of ‘non-negotiable’ instructions if they wanted Nokia to remain a customer. Nokia also secured chips from just about every other producing company in Europe and so maintained supplies at the time of the mobile phone boom. Ericsson, on the other hand, left it too late to react and paid the ultimate price (evidenced by the current crop of Sony Ericsson phones).
In all these cases, timely and effective communications positively enhanced the company’s reputation. In others, such as the Coca Cola contamination in Belgium, failure to communicate did massive damage. Often the real threat to corporate reputation has come not from what has happened, but from what people think has happened.
Perception is what counts in getting your business and your reputation back on the rails as soon as possible. It is not just the actions you take, but the actions you are seen to take.
The trouble is, when a drama does start to happen the situation immediately becomes a crisis, so you call for the executive crisis team only to discover it has no idea about its role in the business continuity (BC) plan and has never been coached to work as a crisis manager in any case.
Experience suggests that when suddenly faced with any catastrophe, directors and managers, among others, have a tendency to try and follow routine or familiar references from the outset, sometimes just to keep sane – a displacement action in a world suddenly full of ‘un-ness’ (unimaginable, unnecessary, unprepared for, unusual, unacceptable events). The more disturbing the situation, the stronger the urge is to take refuge in familiar procedures. However, such procedures are going to be the most inappropriate ones to take, as familiar procedures do not work for unfamiliar situations. So what can you do?
Developing your own BC plans
- Understand your entire business and dependencies. Understanding your business provides the basis upon which all subsequent BC policies and processes are based and, therefore, should not be rushed.
Carry out a business impact assessment.
Having identified the mission critical processes and functions it is important to determine what the impact would be if a crisis happened. This process should assess the quantities (such as financial and service levels) and the qualitative (such as operational, reputation, legal and regulatory) impacts and loss that might result from a crisis, and the minimum level of resource for recovery.
Complete a 360-degree risk assessment.
This is used to determine the internal and external threats that could cause loss or disruption and their likelihood of occurrence. Utilising recognised risk techniques, a scoring can be achieved, such as high-medium-low, one to 10 or unacceptable/acceptable risk.
Develop a feasible, relevant and attractive response.
There are two parts to this stage, developing the detailed response to an incident and the formulation of the BC plans that support that response.
Plan exercising, maintenance and auditing.
A BC plan cannot be considered reliable until it has been tested. Exercising the plan assumes considerable importance as a plan untested becomes a plan untrusted.
Lloyd’s chairman Lord Peter Levene hit the nail on the head when he recently talked about new global risks that threaten corporations, including, but not limited to, business interruption costs, corporate fraud and increased liability claims. “Looking ahead 10 years,” he said, “I firmly believe that the most successful, least crisis-prone businesses will be those whose boards have shown firm resolve and taken decisive action. Effective, integrated strategies for dealing with tomorrow’s risks require a change in culture at board level now.” Does anyone disagree?
Peter Power is managing director of Visor Consultants