From an accident that disrupts your supply chain to a firestorm on social media, companies manage minor crises all the time. However, dealing with a major crisis is a different matter.
A single mega-event - or a combination of them - can trigger crises that threaten the very survival of the business. These kind of crises lay bare the readiness and responsiveness of an organisation.
They test a company's values, leadership, and character at a time when there is no room for error. The Caribbean is the location of choice for many organisations.
However, the risk of devastating weather events as well as other natural and man-made threats require organisations to protect their most important assets. Natural disasters, financial crimes, cyberattacks and other potential disasters present a clear and rising danger for all organisations.
The impact of such events hugely depends on an organisation's crisis management plans as well as its readiness in respect to exercising those plans effectively.
As the Caribbean was reminded again during the hurricane season in 2017, natural disasters with long lasting impact are an inherent risk for many islands in the region and, when such a crisis strikes, seconds count. According to Taron Jackman, Deloitte Risk Advisory leader for the Caribbean and Bermuda countries: "It is paramount to accept the possibility of the threats. Crises demand the very best our clients can muster, testing their strength of character."
When crises are managed well, stakeholder value can actually increase. And, of course, the opposite is also true. There is no surer way to destroy value than in failing to manage a major crisis effectively. Thus, executive management should consider key crisis management l e s s o n s learned in the aftermath of global and Caribbean disasters, such as recent Hurricanes Harvey, Irma and Maria as well as many recent cyber incidents.
FIVE KEY CRISIS MANAGEMENT LESSONS
Waiting until a crisis hits is too late. Monitoring, preparation, and rehearsal are the most effective ways to prepare for a catastrophic event. Businesses need to undertake a Business Impact Analysis regularly to help determine priority areas in the event of a disaster. In addition, organisations that regularly plan and rehearse potential crisis scenarios greatly improve their ability to respond effectively when a real crisis hits.
Every decision during a crisis can affect stakeholder value. Threats to an organisation's reputation can destroy value much more rapidly than operational risks. In today's world, technology and social media have dramatically increased the visibility of crises, which can lead to even greater reputational risk.
Response times should be in minutes, not hours or days. When a real crisis emerges, a traditional business continuity plan may be insufficient, especially if it has not been tested. To mitigate the risks, your crisis management team must take control quickly, lead decisively, communicate fluently, and inspire confidence in everyone both inside and outside your organisation. This will require expansive thinking and innovative approaches to solving problems. Playbooks to address "common" catastrophes are a critical starting point at these times.
You can emerge stronger. Crisis can be an opportunity, not just a threat. Almost every crisis creates opportunities for organisations to rebound, however you must be looking for them and be able to swiftly recognise them and act effectively.
Even when you think a crisis is over, it probably isn't. The work continues long after you breathe a sigh of relief.
The way you capture and manage data, log decisions, manage finances, handle insurance claims, and meet legal and regulatory requirements on the road back to normal can determine the strength of your recovery.
ARE YOU PREPARED?
Certainly, there are unique elements to every crisis, but having a systematised approach is key. It is critical for an organisation to be prepared to navigate the entire lifecycle of a crisis, from readiness, to response, to recovery.
Readiness: Preparing for crises using advanced simulation, monitoring, strategy, testing, and planning techniques to anticipate existing, new, or previously unforeseen threats.
Response: Responding to crises effectively and in real-time to bring stability and preserve reputation and stakeholder value.
Recovery: Helping uncover and exploit opportunities to rebound from crises and emerge stronger than ever.
Because crisis is unpredictable in the magnitude of chaos and distress that it can cause organisations, executives need a documented crisis management plan in addition to their more conventional risk management strategies
LESSONS LEARNED FROM DELOITTE'S EXPERIENCE WITH CRISIS MANAGEMENT
The mistake many organisations make is to focus their crisis planning on reactive measures. While the actual recovery is important, with a broad lifecycle approach to risk awareness, scenario planning and simulation, an organisation can retain control of the process even when it does not have control of events.
As Deloitte learned through assisting their clients and operating the Deloitte Resilience Center in the Cayman Islands, organisations can build resiliency that has the potential to turn unforeseen events into unforeseen advantages.
The Deloitte Resilience Centre's Citrus Grove location was constructed to withstand hurricanes and other catastrophic conditions.
The building was tested during Hurricane Ivan and all post-mortem improvements were successfully executed, which made the Deloitte Resilience Center a location of choice not just for Deloitte, but also for other tenants, including both public and private sector organisations.
The Deloitte Resilience Centre facility is designed to protect people, secure critical systems and data, and maintain the continuity of business operations. Mr Jackman said, "We understand the importance of readiness and offer our clients annual pre-hurricane simulations."
Through this exercise, the Deloitte staff and clients alike become better acquainted with each other and with the DRC invocation procedures, and their respective organisation's recovery procedures. Based on the lessons learned from helping clients and establishing the Deloitte Centre for Crisis Management, we would like to highlight the importance of several key components:
- Business continuity planning is critical for organisations to understand the threats and potential impact to the business functions.
- Crisis simulation is the only way to know if your "model" will work when crisis strikes. During a crisis simulation, an organisation stress-tests crisis response plans in a simulated environment to evaluate crisis preparedness. An immersive experience helps executives identify potential gaps in their overall crisis readiness.
- Real-time response includes establishing rapid-action teams operating under a Crisis Management Office. The teams should have demonstrated experience in the relevant functions, sectors and event types.
- 24/7 monitoring is necessary in order to track all the relevant sources of data for potential business disruptions and to follow post-crisis developments.
- Deloitte and other organisations offer solutions to constantly track and monitor sources of internal and external data to provide real-time situational awareness and identify leading indicators for potential crises.
Crisis communications should be a part of the plan and the response. It is critically important during a crisis to not only manage the inflow and outflow of pertinent details to all stakeholders but to also control your message and to protect your company's reputation.
Typically, the established Crisis Management Office works with clients to help them navigate critical messages across social and traditional media channels to inform stakeholders while pre-empting reputational threats.
ABOUT THE AUTHOR
Alexandra Simonova is a Senior Manager in the Deloitte Cayman Islands practice. She has over 11 years of experience in IT management and over 7 years of performing Cyber Risk, Strategic Risk and Operational Risk services for Deloitte's clients. This includes work in the financial services, private and public sector on various projects including advising on cybersecurity strategy and governance, cyber resilience programmes for business continuity and cyber incident response. Alexandra manages security programmes for clients including security assessments and cyber simulations and also is a frequent speaker at information security conferences in Cayman and the Caribbean. Alexandra graduated with a Masters Degree in Computer Science and is working on her PhD in Information Assurance and Security. Alexandra is a Certified Information Systems Security Professional (CISSP) and a Certified Project Management Professional (PMP).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.