Recovering from a crisis
At our founding in 1975, Control Risks’ sole mission was to help organisations respond to and recover from acute crises. Since then, we have partnered with our clients across more than 150 countries to overcome challenges caused by a wide range of disruptive events, some of which can be contained, while others are more disruptive to business operations. We have seen some of the best organisational responses to issues such as corporate malfeasance, cross-border regulatory infractions, terrorist attacks, kidnaps, expropriation, political interference and cyber compromise. Conversely, some organisations have made critical errors that have had a lasting impact on their operations and reputation.
We can draw comfort from the fact that organisations can emerge stronger regardless of the type of crisis, if they hold fast to several principles. These include putting the welfare of their employees first, adhering to organisational values, and focusing on ensuring proper recovery and response throughout the crisis. Furthermore, organisations need to take a holistic approach to crises by vesting key executives with the authority to make critical decisions during a crisis, understanding the root causes of the disruptive event and distilling learnings from previous crises.
Organisations are under increasing pressure to change their approach to handling crises. They are forced to rethink their response processes and the resources they need to bring about an effective response while focusing on core organisational performance.
Key points on the evolution of crises and incident response
1. Get support from experts. In some instances, successful crisis management, with the aim of ensuring impact reduction and rapid recovery, requires organisations to seek external assistance. While many organisations have access to external counsel and crisis PR firms, they need to be better supported. Today, information on disruptive events is quickly transmitted by social media to mass audiences, who are quick to pass judgment and assign blame. In this rapidly developing environment, organisations often struggle to “own the narrative” and convey their key messages. While it remains important to disseminate well-crafted and properly timed crisis messaging, it is equally important that organisations take holistic, tangible and immediate action to respond to a crisis. With this goal in mind, organisations are tapping crisis-response providers that have on-the-ground capabilities for support during any crisis, even in far-flung locations.
2. Align on-the-ground action with priorities of crisis management team. The nature and speed of disruptive events require that the on-the-ground support remain closely aligned with the goal of ensuring business continuity and a strong recovery. Control Risks has traditionally used its proprietary First Response Protocol in crises. These procedures, which are embedded in our clients’ crisis management plans, enable teams to follow an orderly process that focuses on assumptions, facts, stakeholders, communication and objectives. As the complexity of a crisis increases, organisations would need to undertake intelligence-led scenario planning. This approach focuses on evaluating factors, such as the organisation’s operating model, culture, geographic footprint and industry, against best, worst and most likely case scenarios. These assessments, which are made by people who have in-depth knowledge of the local environment and expertise relating to the specific type of incident, are critical in helping an organisation determine what might happen next and the actions it should take to limit the impact of the event.
3. Use technology to carry out real-time risk monitoring. To facilitate scenario planning in a crisis, organisations are increasingly asking their GSOC (global security operations centres) functions or external providers to conduct real-time risk monitoring. They receive advice and support through various engagement models, ranging from access to online tools to retainer-based approaches, all of which are informed by both local and global intelligence and data. By working with providers responsible for monitoring the global risk environment and providing intelligence to businesses, organisations can use the insights to minimise the impact and likelihood of crises.
4. Consider insurance cover to manage costs. Despite the increasing complexity of crises, crisis- and continuity-related budgets have been reduced in many sectors. Organisations are naturally concerned about the cost of crisis response services, premium rates and expensive consulting contracts, and are looking for tools to provide cost certainty and to ensure easy access to experts. Many organisations are exploring specialised insurance policies, such as the Hiscox Security Incident Response (SIR) insurance policy, which ensures a 24/7 indemnified response to 38 different incident and crisis types. The policy harnesses our 43 years of crisis management expertise without additional in-the-moment costs. Premiums for these policies not only cover response services when crises emerge, but also allow for portions of the premiums to be applied to a wide variety of preparation and mitigation services that aim to reduce likelihood and impact. This approach reinforces an organisation’s readiness to respond long before a disruptive event occurs. This often includes services, such as crisis-management governance, planning, training as well as threat information feeds, security-awareness training and travel-security membership.
Adaptation and improvement
“Continuous improvement” is a phrase that is often bandied about by organisations but met with indifference. While an organisation might be interested in getting something right, it might not be motivated to take concrete action to drive change. The calculus of a crisis is different; failure to adapt to a myriad of situations and to improve procedures would reduce an organisation’s ability to recover from a crisis and build resilience.
Organisations that focus on likelihood and impact reduction are well on their way to achieving these goals. For instance, exercises are a great tool to improve response skills and readiness, as are efforts to review team structure. That said, organisations should improve capabilities before a crisis hits as well as during the recovery phase.
Unfortunately, some companies, eager to resume their business operations, neglect to pay attention to recovery and learning from the crisis. Organisations would do well to put in place mechanisms that would enable them to review their performance during a crisis and how prepared they were for it. In the spirit of continuous improvement, these reviews must bring about action. It is a good practice to share these results with the leadership, to assign responsibility to stakeholders to resolve gaps and to monitor progress. Where relevant, these issues and solutions should be communicated across the organisation.
To stay nimble and responsive, we need to continually ask: what changes are required to meet the demands of today’s changing environment? The answer is continuous risk monitoring. If one of the goals of recovery is the avoidance of similar crises in the future, there are few more effective tools than proactive risk monitoring. Organisations need to ensure that they identify emerging trends early on and that risk assessments are based on reliable global and local intelligence.