Reducing the likelihood of a foreseeable crisis seems like a logical first step on the path to crisis readiness. However, we have observed that risk management activities are too often siloed, based exclusively on regulation or financial loss, focused on one particular area of acute risk, or otherwise informal or incomplete. Enterprise risk management (ERM) programs are too often ‘enterprise’ in name only. One consequence is the absence of linkages between activities that reduce the likelihood of disruption and those that reduce their impact.
In fact, when asked about their programs, those responsible for crisis management almost always describe their organization’s capabilities in terms of reduction of impact. They highlight crisis response teams, plans and exercises, but hardly ever mention any efforts taken to first reduce likelihood. In contrast, in everyday life the reduction of impact and likelihood go hand in hand. Think about it: We install alarm systems in our homes to help mitigate the impact if someone were to break a window and try to enter, but we also reduce likelihood by installing signs to alert potential intruders to the existence of the alarm system. A family moving into a home with a swimming pool would get swimming lessons for all family members to mitigate the impact of someone accidentally falling in, but they would also put a fence around the pool to reduce the likelihood of such an accident happening in the first place. So why do companies fail to embrace a similar mentality when it comes to their profitability, reputation and brand? Likelihood-reducing activities require commitment, resourcing and investment.
There’s no getting around that. But the question is: Would you invest USD 100,000 today in a compliance program if it helps prevent a future fraud that costs the company millions in financial and reputational damage? Or USD 300,000 in IT infrastructure and security measures if it prevents a debilitating and humiliating cyber attack in the next few years? You need not look far for real-life examples where inadequate understanding of the risk and subsequent underinvestment had detrimental and destructive impacts. The Inland Regional Center, the site of the San Bernardino attacks in 2015, is still facing lawsuits from victims and families of patients alleging that adequate job applicant screening and broader security measures had not been in place at the time and could have prevented the incident. The Panama Papers scandal, fueled by a cyber attack and the leak of millions of private records, forced Mossack Fonseca, once a top-five global provider of offshore financial services, to cease doing business and shut down for good. In October 2015, TalkTalk, a large British telecommunication provider, was hacked leading to the theft of personal data (including bank account numbers, birth dates and addresses) of almost 157,000 customers. Elizabeth Denham, the information commissioner, said: “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.” TalkTalk lost 101,000 customers and suffered costs estimated up to GBP 60m – in addition to the record fine of GBP 400,000. So how can organizations evolve to combine activities that mitigate likelihood with those that mitigate impact?
Your gut feeling is not good enough anymore
Understanding and assessing your organization’s key threats and risks at the outset and using those to inform your program have long been part of crisis management orthodoxy. More mature programs recognize that these threats and risks will change over time and can be influenced by both internal and external factors that could be out of the organization’s control. Sounds obvious? You would be surprised at how many organizations we work with lack the basic risk management processes and protocols needed to make informed decisions. And for those companies that do see the value in understanding these risks, we find, unfortunately, that risk management processes are often based on static and uninspiring risk assessments that periodically raise awareness of risks and issues largely based on historical performance and ‘gut feelings’ rather than data and analysis. Threat and risk assessments need to be thorough, and they should be done periodically, with an external, objective pair of eyes – regularly our clients are surprised at what their most harmful, i.e. likely and impactful risks actually are.
Threat and risk assessments must not be a one-off
With the speed of change in today’s threat environment and the resulting expansion of the variety of reasonably foreseeable risks, organizations must take a new approach. Crisis management professionals must ensure that the foundation of their programs remains dynamic. They should join forces with their colleagues responsible for core risk management activities across the organization to ensure that risk assessments are consistently refreshed using reliable and comprehensive analysis. For companies with a focus on crisis avoidance, this information becomes a powerful tool to inform both likelihood and impact mitigation activities. It allows them to make investment and resourcing decisions both during the strategy setting process but also throughout the year as internal and external factors drive changes in their business.
Make use of technology
Leading organizations with a commitment to crisis avoidance are moving beyond basic risk assessment techniques and invest in real-time capabilities. The convergence of risk monitoring and incident response functions within global security operations centers (GSOCs) is part of that evolution. Control Risks is helping more mature organizations use intelligence analysis, forecasting tools, social media aggregation, internal alert data and other monitoring tools to not only predict and interdict potentially disruptive events before they happen but also to allow organizations to initiate their incident and crisis response plans quickly and efficiently. As GSOCs begin to go beyond tactical alerts and align more closely with critical business risks, they will become even more useful tools for all-hazards crisis managers.