Organisations are increasingly finding themselves embroiled in inquiries, inquests, regulatory investigations and prosecutions. The experiences and insights I have gained working with many of these organisations, across a wide range of industry sectors, have enabled me to work effectively with them, putting in place strategies that will avoid events that lead to damaging and costly enforcement action.
What is often apparent after the event is how easily these events, and their consequences, could have been avoided or significantly mitigated by more thorough assessment, planning and transparent communication. It never ceases to surprise me that many organisations struggle to identify where the most damaging risks to their business are likely to arise, let alone understand the severity of the impacts.
They find themselves unprepared when one of those risks develops into a major event, leaving them completely exposed to a bad outcome. Enforcement action and fines are only the beginning, because adverse commercial and reputational impacts must be factored in, which, as Boeing will be able to confirm after the 737 MAX scandal, can be felt for some considerable time afterwards. As famously said by Warren Buffett: “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.”
The way organisations respond within the first 24-48 hours of a major event is generally crucial to the eventual outcome. It is for this very good reason that crisis management has risen to the top of the corporate agenda.
When an event threatens the viability or integrity of business operations, you have a crisis on your hands. Traditionally, these events have arisen from major fires, serious workplace accidents, natural disasters and more recently, a public health crisis. However, cyber security breaches have been rated by Allianz Insurance as the number one threat on its risk barometer for 2022. The situation has escalated to such an extent that the Insurance Times has reported UK cyber insurance rates climbed by 92% in Q4 2021 – up from 73% in the previous quarter.
The rise, it said, was driven by the increase in the frequency and severity of ransomware claims, as well as insurers tightening the terms and conditions of cover. Criminals have become more organised and better resourced. Extortion demands have more than doubled while business interruption losses have escalated as larger companies and their supply chains are targeted.
Last week, multiple oil transport and storage companies across Europe were dealing with what appeared to be coordinated cyber-attacks. In May last year a ransomware attack on US oil supplier, Colonial Pipeline, saw supplies tighten across the US and multiple states declare an emergency. Also last week, KP Snacks reported being the victim of a ransomware attack and was assessing the impact this would have on the supply of its products.
Situations like these are becoming commonplace and will be beyond your immediate control – but whatever the event is, you will have to deal with it.
The Covid-19 public health crisis forced companies to address how they can survive while grappling with a crisis of massive proportions. It seems that business organisations are finally ‘getting it’ about crisis preparation, whether we’re talking about crisis communications, disaster response or business continuity.
The KP Snacks response to its crisis demonstrated that they had anticipated such an event by immediately deploying an effective pre-prepared (and possibly well-rehearsed) plan. The transparency of KP’s communications is likely to have given suppliers, customers, employees and shareholders the impression that the situation was well under control:
“On Friday 28 January we became aware that we were unfortunately victims of a ransomware incident. As soon as we became aware of the incident, we enacted our cybersecurity response plan and engaged a leading forensic information technology firm and legal counsel to assist us in our investigation. Our internal IT teams continue to work with third-party experts to assess the situation. We have been continuing to keep our colleagues, customers and suppliers informed of any developments and apologise for any disruption this may have caused.”
When a healthy organisation’s CEO or CFO looks at the cost of preparing a crisis management plan purely as an unwanted or unnecessary cost, it has been common for them to conclude ‘it can’t happen to us’ or ‘if it happens to us, we can handle it relatively easily.’ That attitude must change.
With little or no crisis management infrastructure in place, the cost of being exposed to a badly handled crisis will have far reaching and damaging financial, commercial, and reputational implications. Just ask the CEOs of VW (the emissions scandal) or, as previously mentioned, Boeing. With a less forgiving society, and greater choice available, the outcome could be catastrophic.
If the MD of Merlin Entertainments was now asked whether he would rather have invested more heavily in developing the organisation’s crisis management infrastructure or incur the £5m fine that was imposed following the Smiler rollercoaster accident, plus all the other attendant losses that will have been suffered, the answer would be very easy. When imposing the fine, Judge Michael Chambers QC said the accident was the result of “catastrophic failure” by the company to ensure basic health and safety. Hindsight is easy but there are clear warning signs for the rest of us.
The Merlin fine pales into relative insignificance when compared to data breach fines imposed on the likes of Amazon (€746m), WhatsApp (€225m), Google Ireland (€90m), H&M (€35m), British Airways (€22m) and Marriott (€20.4m).
Prudent risk management should be considered a necessary investment, not a cost. Preparedness is the key to crisis management: preparation must be consultative, the information up to date and accessible, and the plan rehearsed. When is the best time to prepare for a crisis? Now, before you are in one.
The cost of a badly handled crisis can be seriously damaging to your business. Doing nothing really isn’t an option.