What risk managers need to know about managing a crisis

Crisis management is rapidly evolving from a discipline deployed in physical emergencies – fires and explosions, say – into one that’s commonly used to fight intangible threats. Industries such as oil and gas, and airlines, traditionally called on crisis management methods the most, but now banking, telecoms, media and food production are all strengthening their crisis teams. International standards in crisis management are emerging, and regulators are eyeing the discipline as part of a wider focus on corporate resilience.

“The world is changing and, because crisis management responds to business in context, it is changing as a discipline,” says Airmic’s technical director, and an expert in business continuity, Julia Graham. “The top risks for many organisations today are damage to systems, damage to reputation or breach of regulations.

“It’s a very different risk profile than 20 years ago, and people have to plan for many more intangible events than they used to,” adds Graham, who is drafting guidance, to be published by Airmic this year, on how to run a crisis scenario exercise.

Dangerous escalation

The rise of 24-hour news media, and the power of public sentiment on social media, means a relatively minor event can escalate into a crisis capable of destroying an organisation’s value fast. The crisis management community is abuzz with examples of communications gone wrong, from former BP boss Tony Hayward’s trial by social media after the Deepwater Horizon spill, to Volkswagen chief executive Martin Winterkorn’s departure as the emissions scandal broke. Then there was TalkTalk chief executive Dido Harding, who was sharply criticised in the UK last year for lacking the full facts about a cyber breach.

“The biggest change I’ve seen is the need for faster responses,” explains the director of crisis communications for a well-known global pharmaceuticals corporation. “If you have a site incident like a fire or explosion, there’s always been a need to react very quickly, but for more complicated, slow-burning issues, for example around a product or a person, you used to have time to search for facts, and to put together a plan and a statement. Now, it’s an instant response.”

The upshot is that now corporate leaders must be trained in crisis communications, or kept out of the media glare. “You saw with BP and VW the boss saying, ‘I don’t know what’s happening,’ and that is something you cannot have,” says Adrian Clements, general manager, operational risk management, at multinational mining corporation ArcelorMittal.

“We cannot have it that Mr Mittal says, ‘I know nothing about it.’”

To judge when it’s appropriate to enter crisis mode and to call the chief executive, most organisations differentiate major incidents from full-blown crises. One way to quantify events is to use a version of the Boston Grid, a chart developed by Boston Consulting Group in 1970, with frequency along one axis and severity along the other. “That top right corner should cause the crisis management team to step up,” says Tim Cracknell, partner, head of consulting risk practice at JLT Specialty. “Organisations also have their own criteria. Casualties, for example, automatically trigger a crisis response, and in the food sector, allegations about product go to the top of the pile.” Another way is to size up the potential threat to the company’s stated objectives, to its stock market value, and to its ability to continue operating.

Crisis managers looking for an effective operational blueprint for categorising and managing incidents and crises often borrow the gold, silver, bronze command structure used by UK emergency services. This might then trigger use of the appropriate crisis management plan and process, which often exist within or alongside business continuity frameworks, or operational risk activity. Many corporations develop their own frameworks, which are typically also three-tiered: plant, country, and global corporate is used by ArcelorMittal; while a country, regional and global crisis structure is preferred by one high-profile bank. In crisis management consultancy circles, the advice is to create a tiered structure by crisis function: leaders, communicators, operations.

Team effort

An effective crisis plan should firstly ensure that the right people are available to form a team at short notice, whether bringing them together in the same room or in a digital workspace. Crisis teams are usually formed of representatives from senior management, communications, human resources, IT, legal, finance, and security, with any combination of these available at all times.

“You need delegated authority to deal with issues and to move fast, that’s the key, and has to be properly understood,” explains Alex Martin, director, crisis and security consulting at Control Risks. “You want to bring the resources of the organisation together to manage the crisis, and ideally they understand that it’s a team effort. Authority must be clearly established, as well as lines of communication; a plan; and actions, with the authority to effect those actions, agreed and recorded; and the crisis plan being continuously reviewed as the situation develops.”

Martin adds that resourcing a 24-hour global crisis management capability can be made easier by technology. “In the past, a crisis management plan might’ve been a dusty tome that sat on a shelf; now, it’s a living, breathing, online dynamic – it’s evolving. Previously, if you wanted to activate a crisis management team, you might have phoned up the members, updated them on the situation, dusted off their plans. Now, they receive a voicemail, are automatically bridged to a conference call, log into an online collaboration workspace and instantly see a synopsis of the situation.”

A more command-and-control style of management is usually appropriate during a crisis, and lines of reporting may be shorter; while experts agree that crisis management frameworks are most effective when they complement the existing risk management process within an organisation.

Says Graham: “Crisis management is when something hits the fan, it’s one of the tools in your risk management toolbox. You don’t develop it in isolation. A crisis management framework ought to be part of the business continuity framework, which in turn is part of the overall risk management framework.”

The opportunity for risk managers now is to step up to the plate on crisis management. As board-level executives contemplate horror stories like BP and VW, they are increasingly willing to accept that major events are a question of when, not if.