Any company can be hit by a crisis. The key to survival is managing your way out of it. And the first few hours can be vital.

Any company can be hit by a crisis. The key to survival is managing your way out of it. And the first few hours can be vital. Strategic Risk asked an expert panel to examine recent high profile cases, with advice on better containment next time.

Pollution alert
In February, unusual weather caused the Esmeralda Exploration cyanide spill in Eastern Europe, resulting in significant river pollution. How should companies minimise and deal with this type of pollution exposure?

Nick Chown, Association of Insurance and Risk Managers (AIRMIC) chairman of captives and risk financing special interest group (risk manager, The Post Office) believes that this potential scenario should have been identified during the risk assessment phase of a robust, structured business continuity planning (BCP) exercise so that the company knows and plans for the possibility of it happening.

"Post-incident, the key issue is crisis management, and probably the most important aspect of that is managing the media. We all know what happens when a CEO/MD travels to the scene straight away, calls a press conference, and says all the right things (which can be done without admitting liability - inevitably the lawyers/insurers will be in the background).

"Perversely, and as the Deborah Pretty study (The impact of catastrophes on share value) showed very clearly, acting promptly in the event of an emergency and saying (and doing) the right things can actually have a beneficial effect on a company's reputation and share price. Equally, trying to 'hide away' and appearing callous and uncaring will almost certainly have the reverse effect."

Chown also stresses that managers won't handle a crisis well without training: pre-incident preparation is essential.

David Gamble, AIRMIC executive director, outlines a hands-on approach, giving detailed suggestions on post-incident management. They include:

  • giving an hourly update on radio/TV/website on the movement of the spill
  • giving an immediate explanation of the chemical composition of the spill
  • liaising with health and safety authorities
  • putting expert company teams - trained to cope with such spills - on site from both local and international parts of your organisation
  • bringing in special equipment as soon as possible, including special protective clothing for clean-up crews from outside the company
  • providing bottled drinking water to all local households until the problem is solved
  • nominating a spokesman to ask wildlife groups (with which the organisation will previously have been engaged in conservation efforts) to suggest additional actions to protect wildlife. It's important to be seen working with groups such as the Royal Society for the Protection of Birds, the World Wide Fund for Nature, and so on
  • giving clear explanations of how the organisation will prevent spills in future and how much it will spend on rectifying processes
  • setting up a restocking programme to be carried out with .the local wildlife groups, with reports on progress.

    Gamble says that all these elements should be communicated to shareholders via the web and, wherever possible, in writing too. He also stresses the need to advise shareholders, in advance, of the action that would be taken in this sort of crisis, and of the expense that might be incurred. This is part of good corporate governance, and ensures that shareholders understand the risks that the company may be running, and also what it may cost to rectify them.

    Falsified data
    The discovery of falsified safety data at Sellafield earlier this year threatens to affect BNFL's ability to retain business and increase profitability. How, if at all, can an organisation recover from this type of incident?

    Chown identifies fundamental cultural issues as the main problem. A lax safety culture, in an industry where safety is imperative, means that there is "an accident waiting to happen". Standard crisis management techniques will not be adequate, because the problem goes to the heart of the company's ability to run effectively. And there can be massive damage to reputation.

    "This kind of situation, like the Gerald Ratner comments on his firm's products, has to be avoided. In this scenario, reputation and brands can suffer massive damage." Chown emphasises the need for a company to have a way of working that discourages employees from deliberate falsification of records, for whatever reason. "The attitude of senior management and the need to role model appropriate behaviour are crucial".

    Gamble suggests drastic damage limitation strategies:

  • have the CEO as the company spokesman
  • have him put his job publicly on the line
  • have him appoint his successor so the market knows who will succeed
  • bring in respected outside reviewers for a fast (three or five day) report
  • send the full report to customers, discuss the recommendations with them, and add anything they consider important
  • advise all shareholders via the web what action is being taken
  • suspend all those who could be responsible pending investigation
  • at next AGM, CEO to offer to resign, leaving the shareholders to decide.

    A recent power surge blew out Charles Schwab's electronic channels, crashing its web and phone trading operations. How should you deal with e-risks of this type?

    Chown feels this is a situation where robust pre-incident Business Continuity Planning will enable the company to identify the risk and provide the appropriate contingency arrangements. "In this case, those arrangements would probably consist of'hot site' alternative accommodation. This would be specially equipped to allow phone trading operations to recommence. It would also allow the web site to be up and running again in time to avoid significant damage to the business - the 'denial tolerance' to use the jargon. The company should not forget that the phone trading operations require people as well as a building and IT systems."

    Gamble emphasises the need for good communication, with the company having a second site set up to which customers can be directed so that it can inform them of what's happening. He also suggests emailing all customers, acknowledging a problem, and detailing solutions with another email when the problem is solved, so that cus-

    tomers can immediately get back on line. "Once again, you also need to tell people what remedies you will be putting in place to avoid a reoccurrence."

    Mark Butterworth, AIRMIC chairman (Prudential), believes that, although this is a classic e-com-merce operational risk, the consequences may be more damaging than the initial loss of transactions during downtime. "I start to wonder what the regulator's views are when 'instant access' or 'instant trading' website services become unavailable for whatever reason. For example, how will customers be compensated if they are unable to access instant sharedealing services and are unable to deal at the price they want?"

    He suggests that e-commerce operators should consider risk prevention measures similar to those in high-risk human safety situations, such as public places. These would require duplicate systems, layered loss prevention, and a big investment in contingency planning.

    William Baird plc was among other suppliers to Marks & Spencer who lost a major slice of business as a result of M&S reviewing its brand management and philosophy. The risk experts' view of this type of scenario was that businesses that depend too heavily on one customer inevitably leave themselves vulnerable.

    Says Graeme Lee, AIRMIC council member (Tibbet & Britten): "All businesses have an exposure to lost contracts, which is viewed as a 'business risk' and is minimised by ensuring as wide a spread of contracts as possible, both in terms of customers and in terms of market sector. If you do not do this, you are obviously vulnerable."

    In a similar vein, Butterworth comments: "This is a fairly basic business strategy decision that management go into with their eyes open - if you don't like the risk of losing all, don't take the risk!" Gamble, while in agreement about the need for a diversified customer base, considers that supply

    contracts with a rolling notice period would allow some mitigation of the problem. Chown suggests that risk profiling has a role to play in alerting companies to their potential vulnerability.

    "Whilst ensuring a high standard of quality of service will help to protect contracts, it will not protect against the decision of a major customer to change suppliers for reasons other than quality of service, for example, sourcing overseas to reduce costs. A robust, structured risk profiling process should identify an over-reliance on individual customers or suppliers."