Organizations face challenges that present varying levels of severity. But handled poorly, even a seemingly minor shock has the potential to escalate into a crisis that threatens the viability of a business. A crisis can disrupt operations, damage reputations, destroy shareholder value, and trigger other threats.
The following five steps (See Figure 8), when taken with care and commitment from the board of directors on down, can help ensure the enterprise is well prepared to protect itself when a crisis occurs.
Step 1: Establish a Crisis Management Committee to Evaluate Corporate Governance, Risk Management, and Internal Controls
The Crisis Management Committee will need to have clear ‘Terms of Reference’ which include its goal, the authority of the committee, objectives & outcome measures, in/out of scope, whom to involve, role/responsibilities, frequency of meetings and ways of working, etc.
Organizations must commit to a regular evaluation of their corporate governance, risk management practices and internal controls. When addressed together, these three components provide the pillars for a strong CM program. Through a regular review of these pillars of effective governance, corporations can identify new and emerging risks, assess existing risks, and make the policy and process changes needed to address the behaviors that could lead to significant damage to the enterprise—before they evolve into a crisis.
Step 2: Identify the Most Probable Crises and Assess Their Potential Impact
Several kinds of crises are possible in every organization, including natural disasters, unexpected injury or death of employee or customer, harassment or discrimination, workplace violence, employee malfeasance, cybercrime, white-collar crime, litigation or class action, fraud, mismanagement, and product defects/recalls. Other categories may be unique to the business. An enterprise-wide vulnerability assessment using clearly defined risk indicators will help to uncover the kinds of crises for which the organization needs to plan and prepare. Extra attention should be given to those crises that are deemed either highly likely to occur or to have the highest potential impact on the organization.
Step 3: Create and Train a Crisis Management Team
Arguably the most important step in an effective ERM and crisis response program is having the crisis team in place. Internal and external experts should be identified, and roles and responsibilities delineated. Regular training and crisis exercises are vital to assuring that the team is prepared to execute important response strategies and tasks. Internal expertise should include senior executive management, operations leaders from key areas, and leaders of compliance, internal audit, corporate communications/PR, human resources, legal, sales and marketing, among others.
External expertise may be needed to supplement the internal team and should include established relationships with outside providers of PR and communications, and legal and forensic counsel, among others. By having these key vendors in place well in advance, they can get to know the company and its leaders, facilitating better, faster responses when a crisis is declared.
Step 4: Develop and Implement a Crisis Communication Plan
Effective communication response to a crisis has never been more important than in this highly charged age of instant communication. Organizations no longer have the luxury of waiting days to respond when an issue arises. Crisis communication plans act as blueprints for the company in times of crisis so that they can respond immediately and it is also an important component of a business preparedness program. A business must be able to respond promptly, accurately, and confidently during an emergency in the hours and days that follow.
Effective crisis communication plans include details on not only what to do but how to do it. Policies and processes, chains of command, roles, and responsibilities for communication should be detailed. Best-practice plans contain quick response guides for the most probable crises identified in the vulnerability assessment, including initial strategy and messaging that has been vetted and preapproved by management and legal. It is an emergency plan that includes the following steps of communication and future prevention to help prepare and navigate through unexpected crises.
Step 5: Develop a Crisis Response Plan
The Crisis Management (CM) team needs a written plan to effectively manage the crisis. The plan should address levels of crisis with thresholds for activating the team and implementing the plan. It should identify who will lead the response for each type of crisis. Procedures to assess, investigate, and mitigate the crisis are vital. Operational roles and responsibilities should be detailed, and external support services identified and engaged. As the business community has learned through the COVID-19 pandemic, it’s more important than ever for leaders to anticipate and plan for the possibility of an unplanned event. The more prepared you are to manage shocks, the less likely you’ll fall victim to the serious harm a crisis has the potential to inflict.
The CM plan is often embedded into the Business Continuity (BC) plan or vice versa. This is not a problem unless the execution and responsibilities are delineated in both plans. During a crisis, your organization is expected to execute the CM plan, and during a disaster, the BC plan. The decision-making process for the handling of the crisis or disaster is shouldered by the senior management team. The execution of the necessary crisis response and should there be a denial of access to the “people, process, and technology infrastructure,” the recovery activities under recovery strategies and BC plans will be executed.