Written by Peter Power
Alongside other industry advisers, Peter Power has just spent three years working with the Cabinet Office and the British Standards Institution to produce the official guidance on crisis management, PAS 200. Here, he outlines his view on best practice
“Crisis? What crisis?” So said Prime Minister Jim Callaghan in 1979, upon his return from sunny Guadeloupe to a damp, strike-ridden UK with rubbish piled high on street corners and even the dead unburied in some cities. Or so history says. The fact is, Callaghan never actually said these words. Instead, Larry Lamb of the Sun newspaper invented them as a headline that caught the popular impression of an out of touch organisation, caught in the headlights. A few months later, Callaghan’s party was no longer in government. It may be 33 years ago, but have we really learned any lessons since then? Have we become any better at crisis management (CM) and if so, what are the key features we should be looking for?
There is generally a strategic need in many high-profile organisations for joining up, preparing, managing, communicating and recovering actions as a series of integrated activities, creating a simple model that in different shapes and sizes is progressively helping many organisations to reduce overheads, streamline actions and protect corporate reputation. I believe there are some immediate and cost saving ideas that can be parachuted into all organisations, not least as the threat landscape is hardly improving these days – and is probably a lot worse since 1979.
When assembling a crisis management plan it is worth considering that crisis scenarios, such as damage to reputation, often do not link to business continuity and do not always lend themselves to rigid or highly structured responses. Consequently, such plans seldom, if ever, benefit from highly prescriptive lists of actions or activities. CM usually needs flexible capabilities, rather than inflexible, highly scripted response procedures. To quote PAS 200: “Business continuity does not subsume crisis management, nor is it subordinate to crisis management; they are complementary activities”.
An effective crisis management team should set an operational rhythm (sometimes referred to as the ‘battle rhythm’) for the response, making decisions (often on the basis of scant information, rather than waiting for the elusive complete picture), identifying actions, specifying reporting deadlines, setting the next formal meeting or review point and so on.
In a possible crisis any organisation should consider how it looks from the outside looking in, rather than the other way round. It is not just the newspapers and broadcast news channels that need prompt, accurate and timely information, but social network sites, such as Twitter, which, although often full of seemingly banal chatter, still have a remarkable and growing effect on forming public opinion. Not completely unrelated, consider who tells the press; just because a nominated press spokesperson has been ‘media trained’ does not mean they are automatically competent.
Being trained to promote your company is quite different to being trained to defend it. Make operational crisis management documents user-friendly with the vital features in summary form at the front, often in the form of a few flow charts, noting there will always be conflicts of interests. Most decisions will require a ‘trade-off’ sometimes implying a ‘least bad’ option and when things start to happen there may be too little, or too much, information – some or all of which may be ambiguous, contradictory, unreliable, unverifiable or wrong.
Crisis managers may have to choose the ‘least bad’ solution and might have to resolve (or at least recognise and accept) fundamental strategic dilemmas. Crisis decisions that focus more on one area can neglect another – but decisions still have to be made, for example, accuracy versus speed (see diagram above from PAS 200). These might mean that every choice comes with a penalty and there is no ideal solution. Above all, the capability to manage crises should not be seen as something that can simply be developed as and when needed.
Reputations can be lost and organisations can fail because external relationships, popular perceptions and media portrayals are not given due attention. On the other hand, there are many cases when organisations have actually gained reputation in a crisis by showing they are capable, caring and good communicators.
In my experience, the highest number of catastrophes are caused by organisations that fail to prevent a crisis from getting worse and then only wake up when things have deteriorated to the point of likely disaster. With this in mind the present drivers for crisis management tend to be:
• Protection of reputation and brand
• Legislation / Regulation / Corporate governance
• Increased complexity of business operations
CM guidance exists to deal with abnormal threats to an organisation’s strategic focus and/or reputation. It complements BS 25999 / ISO 22301, which only deals with incidents, normally at a tactical level. Crises, on the other hand, are usually strategic, where every choice comes with a penalty of some sort and there is seldom an ideal solution. I personally feel PAS 200 might become an ISO in due course, but I fear people may then comply with the standard rather than the spirit of what it is we are trying to achieve.
When it comes to applying CM standards across different sectors and different types of company, it is vital to identify the core ingredients that transcend market silos: leadership, decision making and avoiding the first stage of most crises, denial. However, the real focus has to be on corporate resilience and not perpetuating a silo-based response. In this sense business continuity, CM, risk management, governance and information security are all part of a single jigsaw.
Several organisations in the private sector have actually increased investment potential by successfully demonstrating strong crisis leadership as a positive feature of wide scale crisis management in the ‘abrupt audit’ of a real drama. For example, British Midland in 1989, Commercial Union in 1992, and Nokia in 2000.
In all of these cases timely, inspirational and effective crisis management leadership and good communications positively enhanced the organisation’s reputation. CM should not therefore be seen as a ‘grudge purchase’. In other cases, such as the Coca Cola contamination in Belgium and the BP oil spill in the Gulf of Mexico, failure to properly lead and communicate did untold damage.
So what have we learned since 1979? When it comes to CM it is not just the actions you take but the actions you are seen to take.