Preparing a post-crisis report means asking who, what, why and when – but organisations can learn valuable lessons from the answers
As organisations come under greater scrutiny from regulators, evidencing exactly what happened during a crisis is increasingly expected. Add to this the valuable lessons that post-crisis reviews can provide, and crisis reporting is emerging as an indispensable way to build and demonstrate corporate resilience.
“In big crises, corporates may come under regulator scrutiny or even legal or government enquiries, and you need to provide evidence of what decisions were taken, when and why,” says Rick Cudworth, resilience and crisis management leader at Deloitte UK.
Last year, Deloitte produced a post-event review of the Bank of England’s response to the October 2014 outage of its real-time gross settlement system. The report, which prompted the Bank to make a series of improvements, identified the root cause of the incident – a vital piece of information for organisations that aim to improve resilience over time.
“Fixing a symptom isn’t enough, it’s going to happen again. You have to get right down to the root of why that went wrong in the first place,” says Elaine Heyworth, head of risk and insurance at the Royal British Legion. Heyworth recalls a finance system failure while she was working at Barclays Capital Wealth (BCW). “I asked, ‘What happened to the system?’ and was told, ‘It was in a building where all the power went off.’ I asked, ‘How the hell did all the power go off?’ and I heard, ‘BT were digging outside and put a spade through our power pipe.’ So I asked, ‘Hang on, why didn’t the landlord tell us so that we could activate our back-up systems?’”
Finding the problem’s root cause enabled Barclays Capital Wealth to claim on the landlord’s insurance and to reiterate the contractural obligation. “For me, you can’t have the same excuse twice. It’s about learning, and coming up with solutions to the root of the problem,” says Heyworth, adding that while she “may have given the landlord a hard time, post-event reviews are about learning, not blaming”.
Keep a record
Heyworth’s root cause analysis, covering all major incidents over the course of a year at BCW, resulted in an 80% reduction in events. “My chief operating officer asked me, ‘What’s happening?’ and I said, ‘I’m looking for a new job.’ We had no crises to manage. Our insurers were delighted, premiums came down. When you fix things at root cause, you reduce business disruption,” she says.
A post-crisis report should detail decisions and actions taken, with a timeline making up its backbone. Julia Graham, technical director at Airmic, says: “One of the first actions in a crisis is to assign a record-keeper, and the company should have a pre-agreed method for reporting. In chronological order: what did we agree, who has the authority to do it, when did they do it. It’s a record of actions and authorities. There’s no ambiguity about who said what, who had authority, and the outcome. As long as it’s pre-agreed and chronological, it’s a common sense approach.”
The company can use the details of who did what, when and why to understand more about how good decisions are made, and what leads to bad ones. Heyworth says: “I always start with a timeline. I want to know how quickly people reacted, what their reactions were and if they were appropriate or not. I had one incident where we waited half an hour to escalate it, but it was very clearly going to be a major incident. It’s about saying, ‘Look, when it’s water and electricity, let’s make that call straight away.”
Hindsight
A report should enable an organisation to check how closely the crisis team followed the crisis management plan and whether it needs updating. Alex Martin, director, crisis and security consulting, Control Risks, says: “Decisions can prove to be wrong, but that doesn’t make them bad. With hindsight, maybe it was wrong, but as long as it is defensible, and was the right decision at the time, that makes sense. You’re looking to see that you followed your crisis management plan and due process. The plan is a guide, you don’t have to follow it rigorously, but you should have a good reason to deviate from it.
“In some cases, a record of the crisis management process becomes the subject of an after-action review, in others it may be a court case or board of enquiry. Out of a review should come an action plan, with deadlines and rigour applied, to ensure that the process is improved. Additional training takes place, additional resources and tools are put in place; the crisis management plan is changed, if necessary. The important point is that institutions should benefit from the good or bad decisions that were made during previous crises.”
No comments yet