In its efforts to raise awareness and promote thought leadership of Enterprise Risk Management, IERP presented its first Tea Talk for 2020 on “The Need for Speed in the Digital Age of Crisis Management.” As with all its Tea Talks, this event was an opportunity for ERM practitioners who attended, to dissect and analyse experiences, share insights and generally increase knowledge of ERM, particularly as it pertains to sustainability, resilience and formulating the right risk strategies for their respective organisations. The Talk was presented by Ramesh Pillai, Board Director of AmInvestment Bank and Chairman of its Risk Management Committee.
Explaining that crisis management is one of the processes of ERM, he said that it is essentially about brand protection, and is one of the relatively few instances which necessitates the direct involvement of the Board. At the heart of crisis management is crisis communication which is vital to managing the crisis. Both crisis management and communication need to be activated as soon as an event is imminent, or immediately after it occurs. Speed is crucial because the credibility and reputation of the organisation hinges on its response to the crisis, and this response can only be understood if it is properly communicated to stakeholders.
“When the event happens, there is usually chaos, followed by panic,” he said.
“People are not prepared, but in actual fact, only about 29% of all crises happen without warning.” This means that on average, there were indications of an impending crisis when it came to the remaining 71%; the majority of crises therefore were not totally unanticipated. In today’s environment, news of the event spreads like wildfire. “Recent research shows that more than 25% of crises were known to international media within an hour, and two-thirds of crises reached media outlets worldwide within the first 24 hours,” he added.
The need for a speedy response becomes even more challenging when social media is factored in. As quickly as an organisation may move to contain the fallout of an incident, the information or disinformation about it tends to spread even quicker along the digital grapevine. The organisation will find itself with a double-barrelled problem on its hands: managing the incident, and getting the right message out, simultaneously. The longer it takes to communicate the situation, the more likely an “information vacuum” will form, with other parties filling the vacuum with speculation, disinformation and sometimes outright fake news.
Recognising the dangers of this situation, organisations need to ask themselves if they have crisis management and crisis communication plans ready to roll out, and how fast these can be activated, in the face of an actual event. The threats to businesses today are also more sophisticated and infinitely more damaging. Cyberattacks and data breaches are two of the most significant, and they can happen even without the knowledge of the organisation which is attacked. In most cases, cybercriminals have more advanced expertise of IT than the organisation itself; even more alarming is that the attacks can be launched from anywhere, including other continents.
The uncomfortable reality is that with speed enabled by technology, the news of an event affecting the organisation makes headlines well before the organisation can pull itself together to address the problem. Not responding quickly enough never reflects well on the organisation; it starts to look unresponsive, ineffective or apathetic to the public and its stakeholders. When public perceptions of the company are negative, the crisis can intensify. But what can be done to mitigate a situation like this, particularly when it may fall in the “29%” category? Every firm needs to first establish a crisis response team, which can be activated.
In the case of a cyberattack or data breach, the team will need to shut down or isolate networks, and work on a solution for recovery immediately. Ideally, the crisis response team should consist of people with the appropriate skill sets to manage a range of incidents. The crisis response team members should also be able to communicate effectively, because in all crises, even making brief statements about what is happening immediately strengthens your position. Even if the organisation cannot give a full explanation of the incident, moving quickly to make a statement, and continuing to provide information during the period of crisis, will cast the organisation in a positive light.
It is important also to determine if the crisis response team can be effective, and if all team members are oriented in the same direction. Team members should be selected with care, to ensure that they can collaborate with others at all levels. They should be appropriately trained, and the organisation’s crisis response plan should be stringently tested, including with a full simulation exercise, to confirm that it can be activated at need, and that all the necessary supporting resources will be available when required. Not least, the speed at which it can be activated, should be determined, and this response time must be assessed to align it with the organisation’s goals.
The assessment should include how to leverage technology in the event of an incident, although the incident itself may have been caused by technology. For example, managing the organisation’s social media channels effectively may mitigate the damage caused by the dissemination of incorrect information. Careful planning and putting the appropriate strategies in place before a crisis hits, will help organisations limit the damage it causes, effectively protecting both their bottom lines and reputations.
