Effective crisis management is much more than any written document or preordained policy. David Benyon reports

Ukraine crisis

Crisis management needs to be fast and proactive and begin with risk mitigation and prevention steps. The threats are myriad and could vary from terrorism or civil commotion, to product recall or regulatory censure, to financial losses or supply chain disruption. Media frenzy will likely add to the din.

Concern with people’s welfare – particularly risk to life, if applicable – should be the number one priority. Damage limitation to the brand and managing reputational fallout are other priorities, as are deciding which assets need most protecting, and righting the company to get back to business as quickly and resiliently as possible.

“Supply chain management, reputation, and retaining customers – those are the big three risks that we’re seeing,” says Mark LeBlanc, US-based head of crisis management at Swiss Re Corporate Solutions.

Planning for and managing crises was the topic of a recent seminar hosted by NYA, a crisis response firm, which partners with insurance companies on their policies for kidnap and ransom (K&R), reputational risk and cyber risk.

“Reaction times now need to be extremely fast, and you need to be extremely proactive,” said Tess Baker, director of security and crisis consulting, speaking at the breakfast event. “Crisis management starts with prevention and mitigation, and that’s where the enterprise risk management comes in.”

Defining a crisis goes beyond just a single incident. By its nature, events must have somehow gotten out of control, with a company having lost the initiative. Baker stressed that while the nature of a crisis means that events have got out of hand, companies should “prioritise what to salvage”, among “the many moving pieces of the puzzle”.

The British Standards Institution (BSI) defines a crisis as an “abnormal and unstable situation that threatens the organisation’s strategic objectives, reputation or viability”, and crisis management as the “development and application of the organisational capacity to deal with crises”.

Effective crisis management is therefore much more than any written document or preordained policy, as Airmic, the risk managers’ industry body in the UK, noted in guidance published this year.

“It has multiple components, including risk analysis, employee training, security protocols, emergency procedures, and risk transfer. It takes time, effort and the right stakeholders to build this, rather than just big budgets or simply buying insurance,” Airmic said.

Clawing back the initiative will require a mix of flexible thinking as well as having plans in place. Crisis communications and crisis management should be in place before the event, to consider scenarios, map out relevant stakeholders and develop communications frameworks.

“Organisations in crises struggle to do things like map out all the relevant stakeholders, internally and externally – one gets forgotten in the heat of the moment,” said Baker.

Airmic echoed this sentiment by urging firms to “anticipate” how crises might unfold, understanding the risks and their impacts to the organisation, and coming up with examples, to build resilience before a crisis erupts. Airmic’s second chapter emphasised “prevent” by building up a culture of resilience, clarifying roles within the organisation, and making a comprehensive plan of action.

“The size of the team will vary depending on the size of your organisation, but it should consist of a cross-section of top management and key organisational area representatives,” Airmic noted.

Priorities should also be clearly ordered, Baker at NYA emphasised, listing objectives in the following order: protect human life; prevent or minimise personal injury; reduce exposure of assets; optimise loss control for assets; and restore normal operations as quickly as possible.

Insurance plays its part. Swiss Re Corporate Solutions offers a crisis management suite of products that mixes product recall with political risk type covers such as kidnap and ransom (K&R), which share certain characteristics.

“Product recall is a good place to start, offering first party balance sheet protection,” says LeBlanc, based in the specialty insurer’s San Francisco office. “Product contamination and product recall fill the gap between property and general liability policies. It’s another cog in the wheel between first-party liability and third-party liability.”

He says the insurer’s crisis management products, although tailored, are geared towards product recall scenarios such as the contamination of a food product, such as a breakout of E.coli bacteria.

“That’s the type of risk we focus on. Product recall is an area that has taken off better than we’d anticipated, backed up by data and analytics,” continues LeBlanc. “The data focus on the frequency of events, what happens to the product, and the impact on processes. We have teams of engineers looking at chemical, food and transportation risks, where various bacteria can grow and problems with various metallurgies.”

The automotive, electronics, foods and pharmaceuticals industries are among the leading buyers. “Ultimately companies are buying coverage more and more to protect their own balance sheet,” says LeBlanc. “Behind the scenes, more and more companies are buying, and those buyers are not just at the last point of the chain between the product and the consumer.”

Insurers tend to partner with response consultancy firms, deployed to policyholders, notably to deal with media frenzy as well as the specifics of any given scenario. For example, AIG works with NYA on its K&R products, Hiscox work with competitor Control Risks, while Swiss Re Corporate Solutions partners with rival advisory Red24. “We focus less on PR and more on the rehabilitation of the brand,” says LeBlanc.

While noting that insurance is “an important part of the picture”, Airmic warned that having protection in place does not in itself make the organisation resilient. “By focusing more on anticipating, preventing and responding to risk, insurance can shift from centre stage and become just one part of a true culture of resilience,” the guidance noted.

Handling it well

Even if a company prepares well, it can still go haywire if a company panics or responds badly. Once a crisis occurs, there was a stark warning from Baker about making scapegoats, particularly of a crisis-hit firm’s own employees. “It never ends well,” said Baker.

She instead emphasised acknowledging the need for internal investigations, admitting procedural failings, and conceding inadequacies in pre-employment screening processes.

“The goal is to handle it well, and in that sense a crisis does produce an opportunity for an organisation to step up and show resilience,” said Baker.

She used the example of US supermarket chain Walmart, which amid the crisis of 2005’s Hurricane Katrina demonstrated community outreach, which reflected positively on the business after the storm. “It gave their reputation an enormous boost post event,” said Baker.

More numerous examples cited of crises badly handled included Volkswagen’s and Barclays’ responses to the emissions and Libor scandals, respectively. Another prominent example was BP’s handling of the Deepwater Horizon oil rig explosion and resultant environmental disaster in the Gulf of Mexico in 2010.

Media are likely to be more or less hostile to certain industries, Baker suggested, particularly in cases where corporate leaders are already known to have a troubled relationship with the press, such as BP’s former CEO at the time, Tony Hayward. “It was no surprise the media responded in kind,” said Baker.

Media messaging needs to be consistent, she suggested, and “no comment is not an option”, she said. “It absolutely doesn’t work. Always explain why if you can’t give the information required,” Baker added.

Politicians, charities and non-governmental organisations (NGOs) can add to the PR battle. One risk manager who spoke with StrategicRISK warned about opportunism not just among politicians seeking photo opportunities but also some NGOs, offering aid that, depending on the crisis scenario, is “more about boosting their own profile than about providing assistance”.

Ultimately, the nature of a crisis is that it will blindside an organisation, at least initially. “You can never think of everything,” warns the risk manager. “But you can learn lessons, and you can make preparations.”

Be sure to check out this feature on social media crisis management.

Also check out the slides below from NYA’s recent briefing.

Crisis management slide 1

Crisis management slide 2