13 common mistakes when building global crisis readiness programs
- Security Risk Management
- Organisational Resilience
- Investor Services
Building a global crisis readiness program: 13 pitfalls
For decades at Control Risks, we have assisted our clients in building crisis readiness programs (crisis management, business continuity and resilience), rolling those programs out across their global enterprise, and assisting them in responding and recovering when disruptions occur. We have seen things go extremely well, and we have seen them go off the rails. Regardless of the sector, size or the geographic location, there are a number of common mistakes that we see as organizations establish global readiness programs. Getting these wrong will likely lead to a plan that sits unused on a shelf when disruptions occur. Getting them right will help ensure the global adoption of a sustainable, flexible and practical program that will facilitate effective monitoring, appropriate escalation, limitation of impact, rapid response, business-centric recovery, and ultimately protection of organizational growth, profit and reputation.
13 common mistakes when building global crisis readiness programs:
1. Missing opportunities to avoid locally driven crises and disruptions
A logical but often overlooked part of any organizational readiness strategy is to avoid the disruption in the first place. Companies that have risk management functions that are informed by global threat intelligence and monitoring either through a Global Security Operations Center (GSOC), third-party information feed or other integrated analytical capabilities are better at seeing disruptive events early and avoiding them altogether or containing incidents before they become full-blown crises. In the event of incidents and crises, leveraging contextual information from sources at the coal face helps crisis management teams to build local context-driven scenario analyses. This ensures that they have an accurate picture of the situation, worst-case and most-likely scenarios and are able to make critical impact-limiting decisions with the most perfect information possible.
2. Not securing global response assets ahead of time
In building a readiness program, organizations often consider retained assistance from outside counsel or public relations firms as part of the strategy. However, they often forget the ‘boots on the ground’ that are required in response to many types of disruption around the world – from a terrorism or security event in the Philippines to a compliance and regulatory investigation in Brazil. How will the organization actually execute the response activities? In some cases, there is an assumption that the local business will dedicate or locate the resources, but this is often poorly communicated and not based on actual capability. In other cases, while most organizations have Master Services Agreements with response providers that cover them in some geographies and for some hazards, few have done a deep dive to match their responsive capabilities (both internal and external) against their most critical assets, high-threat geographies and risky activities. While of course it remains possible for teams to establish retainer-based relationships across geographies and technical specialties, many find this time-consuming and inefficient. Insurance can play a role here. Hiscox for one is helping organizations fill this gap with the creation of the Security Incident Response policy, which provides 24/7 access to Control Risks experts across the world and across subject matters to execute an incident response against 38 separate hazards on an insured basis. It guarantees that the assets will be in place where they are needed and with the right technical know-how and local contextual understanding to mitigate the impact of disruptions and help ensure business recovery.
3. Failure to capitalize on local knowledge and business units
There is no better way to understand what doesn’t work in a disruption than by assessing past response performance. The combined institutional knowledge of staff who have worked through incidents and crises in the past is a trove of lessons learned that must be harnessed before any readiness program is implemented at scale. While building a global program, leaders should conduct local interviews, look through past history and integrate findings into the program. This will also help achieve local buy-in and a sense of local and business unit ownership.
4. Lack of executive sponsorship
While executive sponsorship is important for any organization-wide program, buy-in and active advocacy from the top is particularly critical for the roll-out of a global crisis management program or readiness program. The chances are that independent business units and regional management have a way of doing things that they think works just fine and has become hard coded into their local cultural DNA – and possibly even proven effective in responses to significant disruptions. While working-level grass-roots buy-in would be ideal, it helps if there is a perception that someone with a C in their title is mandating an enterprise approach.
5. Setting the sights too narrow
Organizations too frequently design programs in a way that reeks of tunnel vision. Crisis management is perceived as a security or a public relations or a legal issue. Considering it from one viewpoint and focusing solely on the impacts related to that viewpoint is a guarantee that a program will become irrelevant. Successful global roll-outs create programs focused on roles and responsibilities and not on individuals and personalities. Meanwhile, multi-disciplinary workshops help demonstrate the extent to which different functions rely upon others. Additionally, tying the program to the Enterprise Risk Management (ERM) matrix helps ensure it is fit for purpose.
6. Setting the sights too wide
Teams charged with rolling out a global program often set about trying to ‘boil the ocean’. In the pressure to meet personal objectives or program KPIs, they push to check the enterprise-wide box as quickly as possible at the expense of true adoption and sustainability. Depending on the organization’s structure, culture, risk landscape and other contextual circumstances it is often a better idea to roll the program out with a methodical step-by-step approach prioritizing business units or regions based on criticality, risk or quick-win potential. Consider showing success and gathering critical early lessons in the first phases of this approach before tackling the entire enterprise. Additionally, some organizations overweight the size and complexity of the corporate team, causing gears to grind to a halt during a response. A good corporate-led program does not necessarily require a huge core team.
7. Failure to leverage technology
Coordinating across languages and geographies – particularly during intense moments of a disruption or crisis – remains a challenge for any organization. But technology is making it easier every day. Too often, organizational crisis management structures still rely on paper- or email-based plans and structures that impede real-time coordination. Technology platforms in the crisis management space including Crisis Resilience Online now integrate mass notification, work flow, plan hosting and real-time meeting coordination on a seamless global web-based platform.
8. Under-escalating a crisis, over-escalating an incident
The corporate ‘mother ship’ may often have a different definition of what constitutes a crisis from the regional or business unit leaders. That is natural and to be expected. Local and business unit leaders often do not have the full enterprise picture and can’t independently judge when the impact of a disruption has crossed the line from local incident to enterprise crisis. In other cases, for reasons of pride or protectionism, they may decide to continue to try to solve problems locally that should have been escalated to the corporate crisis management team (CMT) long ago. In other cases, individual managers may routinely escalate even minor incidents as a means of protecting themselves or because of a perceived corporate hunger for information. A well-structured readiness program and global roll-out informed by substantive input from across the organization will include agreed and established escalation criteria and definitions.
9. A single-region approach to a global enterprise
This pitfall occurs when organizations have an established readiness program at the corporate level or in a single region and try to simply copy it and change the addresses to match different business units and geographies. They do not take into account local and business-unit context or unique operating environments when building the enterprise-wide program. For most organizations that take this approach, there are significant parts of the business that feel left out of the process and stuck with plans that do not work for the realities of their business. As a result, in a real crisis, these plans remain on the shelf and the regions/units revert to an ad hoc or independent approach that works for them.
10. Risk assumptions don’t reflect enterprise-wide concerns
Readiness programs should be tied to and informed by the organization’s ERM register. Leaders responsible for global crisis management roll-out need to understand the risks that have been agreed by the executives to be the most critical for the organization. They need to understand their businesses and where they are going. If there is no ERM program in place, they should engage local and business unit management to ensure that all risk concerns are heard and prioritized. Too often, headquarters-driven program setups miss large revenue drivers and risk sets that sit outside of the immediate corporate view. Risk workshops that include representation from across the enterprise will inform the creation of the risk-based program as well as drive buy-in and a sense of ownership across the organization.
11. Lack of cultural nuances
In establishing a global program, headquarters-based leaders often fail to account for local cultural, contextual or practical nuances or don’t assign them an appropriate level of importance. For example, in parts of the world where it is dangerous for women to take public transportation, business continuity and incident management plans must account for alternative transportation arrangements. Meanwhile, in other parts of the world, it would seem inappropriate to put such gender-specific considerations in a corporate document. While there is no easy answer for some of these nuances, they must be considered and discussed during roll-out to achieve local adoption, relevance and trust.
12. Global crisis exercises fail to include regions or business units
Scenario-based exercises are the cornerstone of the maintenance and continuous improvement strategy for any readiness program. They not only validate the plan, but also help ensure that the CMT can achieve the levels of stability and perspective that are needed to navigate real-life disruptive events when they occur. While most owners of global programs have a regular exercise schedule, too few include regional or business unit incident management teams (IMTs) or stakeholders in those exercises. While it is important to roll out the exercise program across the enterprise – ensuring that individual IMTs run scenario-based sessions to an agreed standard – it is also critical that parts of the business feel included in corporate scenarios as they would in real life. Particularly for more mature programs, CMT exercises should incorporate real-time call-ins and escalations from regional or unit teams or stakeholders. While these ‘semi-live’ exercises require more planning and coordination support, they are invaluable in reinforcing an enterprise approach to readiness.
13. Forgetting the practical issues
Expanding a readiness program from a centralized corporate capability to a global capability with established teams, stakeholders and interdependencies carries a wide variety of intensely practical challenges that fall into the miscellaneous category, but in aggregate are critically important, particularly in a real-life disruption. Time zones, local holidays and customs, connectivity issues and available materials must all be considered early rather than assuming that a real incident will follow a course that is convenient for the corporate entity. As an example, a company that wants to centrally manage media monitoring resources in North America during a crisis will either go dark at critical times or require arrangements for shift work, if that crisis is emanating from Australia. To mitigate this risk, companies might pre-arrange a follow-the-sun model. In many cases, tighter coordination between the crisis management organization and the capabilities of the GSOC – bringing GSOC owners in to program development – helps drive efficiencies, facilitate global coverage and ensure a more rapid response.
When creating a global crisis readiness program, avoiding these pitfalls can be the difference between a program that enables the business by increasing resilience and operational cooperation across the enterprise and a plan that sits on a shelf during a crisis. There is so much to consider when going through the program development process, and you don’t have to do it alone. Control Risks’ approach leverages lessons learned from the successes and failures of thousands of clients across multiple sectors and geographies.