It’s a common coping mechanism. Avoid planning for or discussing something that you don’t want to face and it will go away as if it never existed. While we know that’s a not prudent strategy, it might explain some answers in a recent crisis survey from PR NEWS and CS&A International, a specialist risk, crisis, and business continuity management consultancy.
There’s a computer hacked every 39 seconds, a University of Maryland report says. According to Juniper Research, the average cost of a data breach next year will be $150 million. While the majority of cybercrime is concentrated in three sectors (health, retail, and government), nearly every business is susceptible to attack. Still, relatively few respondents (39 percent) identified cyber as a potential crisis area (see chart 1).
This surprised Caroline Sapriel, CS&A International’s managing partner. “We noted immediately that cyberattacks ranked fourth,” she says. Yet “when contemplating realistic crisis scenarios…a cyber attack is always on the table.” In her experience, “Clients typically steer clear of ethics and compliance or mismanagement scenarios.”
Yet slightly more than half (55 percent) of the 200 communicators who responded listed “ethics and compliance” as likely crisis starters. Compliance and ethics “should be strongly embedded at all levels… in a company,” said an executive who requested anonymity. The survey was fielded in October. Respondents overwhelmingly were senior and middle managers (87 percent); 43 percent of respondents said they’d been involved in a crisis.
‘WE HAVE A PLAN, BUT…’ The next two charts (2 and 3) are meant to be looked at together. Chart 2 shows a majority of respondents (62 percent) told us they have a crisis plan. That figure is roughly in line with other crisis surveys. Of course, it means almost 40 percent lack a crisis management plan.
In addition, chart 3 shows that just 49 percent have an updated plan. Says Sapriel, “It is striking to see how many companies believe that they are prepared to handle a crisis because they have a plan in place, which may or may not be up-to-date.”
Christine White, a recently retired global director of crisis management and international risk management at a large multinational food & beverage company, is “concerned that only 26 percent responded that the [crisis] plan is well known to crisis management team (CMT) members.” A total of 33 percent said, “Most of the CMT members are familiar with it.” Yet 31 percent said they “weren’t sure” and 10 percent said “no.”
Having an updated plan is a good preliminary step. Chart 4 looks at necessary additional measures. As you can see, nearly 40 percent of respondents told us, “We’ve never conducted a crisis exercise.” 21 percent said they “weren’t sure” how often their company runs a crisis exercise.
“Organizations do not realize the ROI of having periodic exercises/round table discussions to review their crisis management plans using real or hypothetical scenarios,” White says. “The value this provides…is not clearly understood.”
Sapriel adds, “If you look at how many companies are actually organizing crisis training, we can only conclude that far too little is done in that respect.” One executive linked a lack of consistent practice of crisis plans with the results of chart 5. “Many companies struggle with reacting quickly and getting organized when crises strike.
This is yet another reason why practicing is so important,” says Dirk Lenaerts, senior partner at CS&A International. Indeed, respondents chose “reacting quickly” as “the most difficult aspect of crisis response.”
Lenaerts adds, “The process may be clearly noted in a crisis plan, but if people don’t know it and don’t practice it, they will tackle each crisis by improvisation,” which seldom leads to strong outcomes.
LESSONS LEARNED Chart 6 harkens to the idea mentioned at this article’s start. If you don’t think about something unpleasant, it never really happened.
Says Lenaerts, “Once a crisis is over, people want to forget about it and move on as quickly as possible. As a result, a large number of companies have nothing in place to learn from…or to share within their organization.” A best practice is to capture learnings of crises and ensure that all employees with a crisis function are properly introduced to this documentation, he adds.
Comments