Recovering from a crisis
- Creating a Secure Organisation
- Resolving Critical Issues and Crises
- Creating a Resilient Organisation
- Delivering Growth and Opportunity
Recovering from a crisis
At our founding in 1975, Control Risks’ sole mission was to help organizations respond to and recover from acute crises. Since then we have partnered with our clients to meet the challenges of a wide range of disruptive events – some contained and tactical and some uncontained and enterprise threatening – across more than 150 countries. We have seen some of the best organizational responses to issues such as corporate malfeasance, cross-border regulatory infractions, terrorist attacks, kidnaps, expropriation, political interference and cyber compromise. Unfortunately, we have also seen organizations make critical and impactful errors. Throughout our history, there remains some enduring orthodoxy.
Organizations can emerge stronger regardless of the type of crisis, if they: Put people first Lead with their organizational values Focus on recovery from the start of and throughout the response Holistically attack impact while determining root cause, not after Enable their crisis leaders with authority and decision-making abilities Use lessons learned from previous crises That said, organizations are being pushed ever harder to evolve the way they approach crisis and incident response itself. They are forced to rethink the response process and support model that organizations need to ensure stability and effectiveness in their response while focusing on core organizational performance.
Key points for the further evolution of crisis and incident response are:
1. Support from experts Successful crisis management that focuses on impact reduction and rapid recovery in today’s world also includes looking outside one’s company walls and recognizing the need for external assistance. Many companies have external counsel and/or crisis PR firms on retainer but external needs often go beyond that. Social media and other platforms have connected disruptive events around the world directly to mass global audiences who are empowered to pass their own judgments and assign blame. In this rapidly developing environment, organizations focused exclusively on conveying the right tone from the top struggle to ‘own the narrative’ during a crisis. While it remains important to execute well-prepared and well-timed PR and crisis communications messaging, holistic, tangible and immediate action – wherever the crisis has hit – has never been more important for a successful corporate crisis response. With that in mind, we are also seeing a rise in organizations partnering with crisis response providers that have localized on-the-ground expertise and can provide in-the-moment support during any crisis, including in far-flung geographic areas.
2. Alignment of on-the-ground action and strategic management at headquarters The nature and speed of disruptive events requires that this on-the-ground support remain closely linked to and in alignment with the headquarters team managing the incident, which is focusing on core elements of strategic crisis management and a strong recovery. For these teams, Control Risks has long used a proprietary First Response Protocol. This protocol is often placed within the crisis management plans of our clients and used throughout a response to help teams follow an orderly process that focuses and refocuses them on assumptions, facts, stakeholders, communication and objectives. As the complexity of crises increases, organizations will increasingly need to embrace intelligence-led scenario planning. This approach focuses on evaluating factors such as the organization’s operating model, culture, geographic footprint and industry across best, worst and most likely case scenarios. These are informed by intelligence feeds supplied by in-depth knowledge of local realities and/or expertise on the specific type of incident and the relevant background on it, to help companies determine what might happen next in an evolving disruptive event and inform their actions to limit its impact.
3. Use of technology for real-time risk monitoring To power scenario planning during an incident or crisis and provide critical information on the internal and external context, we are increasingly seeing organizations using either their GSOC functions or external providers for real-time risk monitoring. They receive this advice and support via a variety of engagement models, ranging from access to online tools to retainer-based approaches, all of which are informed by both local and global intelligence and data. By working with providers whose job is to monitor the global risk environment and provide intelligence and analysis to businesses, companies can utilize that information to minimize the impact of crises and also to reduce their likelihood.
4. Consider insurance cover to manage costs Despite the increasing complexity of crises, crisis- and continuity-related budgets have been reduced in many sectors, and organizations taking a thoughtful and business-centric approach are naturally concerned about the cost of crisis response services, premium rates and expensive consulting contracts. They are seeking tools to provide cost certainty and ensure availability of multi-disciplinary expert capability. To meet this need, many are exploring specialized insurance policies, such as the Hiscox Security Incident Response (SIR) insurance policy, which ensures a 24/7 indemnified response to 38 different incident and crisis types. The policy taps into Control Risks’ 43 years of crisis management expertise and ensures our engagement without additional in-the-moment costs. Premiums for these policies not only cover response services when crises emerge, but also allow for portions of the premiums to be applied to a wide variety of preparation and mitigation services aimed at reducing both likelihood and impact. This approach reinforces an organization’s readiness to respond long before a disruptive event strikes. This often includes, but is not limited to, services such as crisis management governance, planning, exercising and training as well as threat information feeds, security awareness training and travel security membership.
Embracing continuous adaptation and improvement
Let’s be honest – the term ‘continuous improvement’ gets tossed around a lot and is often met with eye-rolling and disinterest. Why? Because all too often the term is used in an ambiguous way, implying that an organization is theoretically interested in getting something right but not motivated enough to be specific about driving change. In other words, it is a ‘business-as-usual’ cliché, built out of convenience, with built-in excuses.
But when it comes to crises, business-as-usual goes out the door and so should a lukewarm reception to continuous improvement. In fact, a failure to embrace continuous adaptation and improvement will not only minimize a company’s chances of reducing the likelihood and impact of crises, but also potentially doom its ability to survive, let alone thrive, during a crisis. There lies an opportunity in a crisis situation to not only recover, but to adapt and change for increased resilience in the post-crisis environment.
So how do companies truly embrace continuous improvement and reap its benefits for greater resilience?
The good news is that if you are already embracing the first two principles discussed above (aka focusing on likelihood and impact reduction), you are halfway there. For instance, exercises are a fantastic way to continually improve response skills and readiness for whatever a company may face. Regularly revisiting team membership and structure, and the plans and tools that support them, often improves response capabilities and minimizes in-the-moment inefficiencies. But organizations should not only improve capabilities before a crisis hits, but continuous improvement needs to extend beyond the crisis response and into the recovery phase as well. Unfortunately, we often see companies skipping this vital step. Relieved to have managed through a crisis and eager to resume business as usual, many companies do not take the time to pause, reflect on what they learned during the crisis (good and bad), and make changes to ensure they are better prepared next time.
With that in mind, we recommend companies formalize mechanisms that allow them to review their performance during a crisis and dig into not only how they responded but also how well prepared they were for it in the first place. These types of reviews are called a variety of things: lessons learned analysis, post-incident reviews, and post mortems. Most software solutions that support the readiness and response phases also have powerful reporting functions that assist in reviewing every step taken. Regardless of what they are called, they have proven to be an underutilized but incredibly powerful tool to aid helping prevent history from repeating itself during subsequent crises.
In order to fully embrace continuous improvement, these reviews must result in action. Leading practice organizations not only share these results with leadership for both awareness and support, but also formally assign responsibility for resolving identified gaps as well as monitoring progress. Where possible, it is helpful to share these risks and issues across the organization as many of these discoveries point to organization-wide issues and could be connected to other risks being addressed in the company by related risk management efforts (e.g., enterprise risk management).
Post-incident reviews have been around for quite some time, raising the question: What changes are required to meet the demands of today’s changing environment? The answer is ongoing risk monitoring. If one of the goals in recovery is the avoidance of similar crises in the future, there are fewer more effective tools than proactive risk monitoring. Once again, this should be informed by global and local intelligence, should be designed to identify emerging trends early on, and should lead us back to our first principle focused on increasing a company’s chances of avoiding a crisis.