Today, it is vital to have a well-rehearsed response framework, but how many companies take their crisis management plans seriously? Rebecca Pardon investigates. This article is from Communicate magazine's print edition.

When all hell breaks loose, the final thread of hope that organisations can cling to is crisis management. It is then that the executive team may begin proceeding through the carefully and well-honed steps of their crisis plan.

Typically, this process will have been thoroughly rehearsed, so that the shrill chorus of phones trilling is no distraction. Previously, the CEO will have already taken time to assess the most acute points of vulnerability across the business. A dedicated crisis management team of specialised individuals from across departments promptly assembles, tasked with uncovering the scope, cause and impact of the issue.

As the day drifts into the afternoon, there is an understanding that careful and considered action is vital. The communications lead may suggest issuing a statement by 3pm, to which the CEO urges caution: it is better to gather the facts first. Finally, confident but conservative steps are taken to contain the risks where necessary while causing as little impact to the rest of the organisation as possible, and clear internal and external communications are issued. At no point does the CEO slam an office door or snap shut the blinds.

Chris Butler is resilience director at Databarracks, a business continuity specialist, and works closely with organisations to develop such plans. Ahead of speaking to Communicate magazine, he had spent the day with a client rehearsing the steps of their crisis response. When disaster strikes, however, it is difficult to imagine corporations calmly walking through such steps.

So how many organisations do stick to their crisis plans? According to Butler, very few. “The essence of a good plan is that it's easily usable at the time of the crisis,” says Butler. “We try to make plans short and usable, and written in plain language. But many plans are too big, long and cumbersome. Those plans never get opened. They will sit on the desk; they might get them out, but they won't read them.”

For those organisations that do have a crisis plan stashed somewhere, the time to review it feels pertinent. PwC’s Global Crisis and Resilience Survey last year found that business leaders tend to overestimate their preparedness for disruption. This is particularly concerning as 91% of organisations have experienced at least one disruption other than the pandemic, while 96% have experienced disruption in the past two years. A recent survey by Economist Impact of 600 primary legal decision-makers globally found that close to 70% lack a cross-functional crisis response team or pre-selected external advisers, leaving them unprepared for future events. 

Some of the most recent examples of risk management failures have come from the banking sector. The highly publicised collapses of Silicon Valley Bank (SVB) and Credit Suisse last year were followed by numerous business publications clamouring to analyse the missteps of the banks’ leadership and the lessons to be learnt to avoid similar crises in the future. And yet, the failure of crisis management in both instances has barely been mentioned, with SVB and Credit Suisse both having lacked actionable strategies that may have prevented these disasters.

“‘Communications is often seen as a post box, a message-sender, but today the world of communications is incredibly complex’”

Steve Andriole is Professor of Business Technology in the Villanova School of Business and offers several reasons why companies may struggle to invest seriously in crisis preparation. “Very often, the first issue is that companies don't like to define anything as a crisis because then it presents them with a responsibility to respond,” Andriole explains. “They think ‘we can handle it; it’s not really a crisis’ and, therefore, they get off the hook. Secondly, they often don’t have crisis management plans – as the data suggests – and thirdly, if someone else may have developed a plan, they may not want to take it.

“To have an entire crisis management team that does nothing but develop these plans, which, by definition, have to be fluid because the nature of the crises will keep changing, is expensive.”

At what point, then, should a business start preparing for a potential crisis? Should you wait for a noticeable financial impact? Or until industry peers are affected, and hope it doesn’t happen to you first? “It’s all a function of the number and the frequency,” says Andriole. “So, if a pandemic occurs every 50 years, no one is going to have the same kind of discipline for planning for pandemics as they do around cybersecurity.

“Climate, though, is an interesting twist, because much of the problems companies face are due to climate change. So, if the number of those increases – and we all know they will – you may see the kind of discipline and formality around planning for those as we do around cybersecurity.”

With supply chain disruption being ranked as the second largest concern by business leaders in PwC’s study, second only to cyber attacks, it seems sensible to start preparing for climate change risks. According to recent findings by the Business Continuity Institute (BCI), 80% of organisations’ supply chains were disrupted over the past twelve months, with most experiencing between one and ten disruptions. 

Despite this, 20% report low or non-existent commitment from top management to handling supply chain risks. It is put to Andriole that discipline around climate change crises is overdue. “But that proves the point; leaders don't really act,” Andriole says. “They don't do things proactively. It is too late, but that's what drives companies to act: when the frequency rises, then they have no choice.”

According to a 2023 Gallagher report, around half of UK businesses are already facing operational disruptions due to climate impacts like flooding and heatwaves but are cautious about investing heavily in prevention measures without stronger regulatory or financial incentives. Armen Dallakyan advises financial organisations on risk management and ESG integration. “Physical climate risk is something that is playing out over a longer time period. It has obviously started, with devastating consequences. The stress tests that this entails are not likely to happen at scale anytime soon. And, therefore, people kind of postpone key decision making.

“In the EU, climate risk management is a very high priority item for banks,” Dallakyan continues. “That’s driven by the regulators and the key shareholders of these institutions. If you visit other places, although climate risk is equally important for those countries, you will probably experience less urgency to tackle climate risk.

“That is due to there not only being less pressure on them from regulators and shareholders, but also because they believe that climate risk is not something that is particularly impactful in the near-term.”

“‘Very often, the first issue is that companies that don't like to define anything as a crisis because then it presents them with a responsibility to respond’”

Dallakyan observes that Covid-19 altered many organisations’ approach to risk management more generally, however. In 2019, he was senior credit analyst, and responsible for business continuity, at Moody’s Ratings. “There had been the sense that Moody’s understood that crisis management was needed, but they also understood that there was a very, very low probability of risk. But the pandemic shifted this mindset, because they understood that even big crises can happen, and therefore these plans can be very helpful.

“Of course, over time, if we don’t have another crisis, people will become blunter again; that’s human nature, that’s how society operates,” Dallakyan continues. “But, at this point, because the memories of the pandemic are still fresh, these kinds of issues still have high priority.”

Unlike the global financial crisis, none of the biggest, recent risks to the financial sector have had a fundamentally financial nature. Most of the repercussions on financial services have been second-order or even third-order effects. “Broadly speaking, we see clearly some trends in companies starting to identify non-financial risks as a separate discipline, which includes ESG-related climate issues and other risks, but also lots of operational cyber-related risks,” says Dallakyan. “Now, they are trying to bring them under one umbrella, wrapped up in what is now called ‘operational resilience’.”

A decade ago, few businesses would have been exposed to a cyber attack, the disruption of global supply chains or an international energy emergency as a potential crisis for them, whereas now it is a sober reality for most companies. Today, cyber experts have become increasingly important as businesses have undergone digital transformations and become exposed to a wider range of hacking threats. More recently, a shift to remote working, and an increased threat of cyber warfare amid heightened geopolitical tensions – notably, around the Russia-Ukraine conflict – have elevated internal security roles further.

Cybersecurity remains one of the top risks for UK companies, with data breaches, phishing, and ransomware among the leading concerns. The UK government’s Cyber Security Breaches Survey from 2023 indicate that 32% of UK businesses have faced a cyber attack or breach, most often through phishing. This year, data security continues to be a high priority for companies due to both reputational risks and regulatory penalties from authorities like the Information Commissioner’s Office (ICO) in the event of data leaks affecting customers.

In 2023, a report by the World Economic Forum found around half of companies lack a dedicated cyber crisis plan and those that do fail to update or test them regularly. Nevertheless, cyber security has become more of a priority for business leaders who, according to Butler, have come to understand it as a broader business issue, rather than just an IT concern. “Companies find it really difficult to get their head around all the risks that they're facing from climate change, extreme weather events, geopolitical threats, cyber, future pandemics and things like economic migration; these are all risks that companies have to consider. Even five years ago, company executives, company leadership leaders would see this is not a problem. Now, I think 85% to 90% of them get that it's a business problem, not an IT problem.”

But what does it mean to be ‘prepared’ for a cyber attack? Despite the technical complexity of cyber threats, preparing for one is not dissimilar to other crises, as Butler emphasises the importance of calm and consistent communications during such events. “Business leaders want to get straight into fixing the issue. So, the stress and pressure lead them to rush into things, which means they might try and dive into problem solving straight away.

“‘There is the expectation that this person, whoever he or she may be, can solve a problem, whatever kind of problem is thrown at them. And that, of course, is wrong. But it is part of the pedestal on which we place CEOs’”

“It’s really important to take a deep breath, because good crisis management requires three things: finding out what exactly has happened, working out what it means for you and then, finally, taking action – people tend to dive into point three,” he continues. “I’m sure Communicate magazine’s readers will understand the importance of crisis communications, getting on the front foot and getting ahead of the messaging. This is especially true when you have a cyber attack.”

Such advice is applicable to crises more broadly. Amanda Coleman is director at Amanda Coleman Communication Ltd and acknowledges the importance of crisis management plans but agrees that they are rarely valued. She emphasises the importance of those people at “the top” of an organisation in setting the tone around crisis planning. “You’ve got to have that level of interest at the top because otherwise everything else starts to fail; you need that structure to support a response to any kind of crisis.

“I hesitate to put too much pressure on communications professionals as they have a lot to do, but they have to be a strategic advisor, because they know the public mood and the tone of what is happening. Communications is often seen as a post box, a message-sender, but today the world of communications is incredibly complex.”

While communications may be vital during times of crises, practitioners often describe struggling be heard by executive teams. Coleman believes a new approach is needed. “You've got to think about what matters to them, and what matters to them is the bottom line: how much is this going to cost? Can you quantify this in some way, and can you assess the financial impact of this situation going awry? I think we've got to recognise what matters to senior people in the business and frame it accordingly.”

The ease with which this can be done, however, depends on an organisation’s internal culture. Dallakyan points out that one of the integral issues in the collapse of Credit Suisse was its long-term quality of management. “Everyone, from time to time, would hear about some issue at that bank and, ultimately, with things becoming very challenging in both investment banking and wealth management, that eventually led to the downfall of the bank.

“Because, if things get tougher, and you are not the strongest one, you are likely to be the one out. It's not just about the overall culture of the organisation, leadership and strategy, but also how you manage risks, including those that are arising from certain crisis events.”

In order to ascertain the greatest risks posed to an organisation, it needs to be prepared to admit that it is vulnerable to any risks at all. And yet, this is something many business leaders struggle with, preferring to appeal infallible. “There is the expectation that this person, whoever he or she may be, can solve a problem, whatever kind of problem is thrown at them,” Andriole observes. “And that, of course, is wrong. But it is part of the pedestal on which we place CEOs. Especially in the US, business leaders are almost like mini gods; there’s an expectation there.”

This is despite the fact that, when a crisis does occur, as it inevitably will, it is often the CEO who takes the fall: there are abundant cases of star CEOs who have faced their downfall in recent years, often due to poor management and a healthy dose of hubris. To balance this out, Andriole believes that, although it is ultimately the responsibility of the CEO, more emphasis and responsibility could be placed on the board of directors, which is typically seen to be “in the CEO’s pocket”.

Although the fundamental bones to crisis planning remain for any event, geopolitical conflicts pose a unique challenge: they are entirely beyond an executive team’s control, often long-lasting with an indefinite point of resolution and implications that are difficult to anticipate, and, for companies local to the event, can bestow a new sense of purpose. In Ukraine, crisis management has become part of day-to-day procedure. As well as being important to immediate stakeholders, business resilience is also crucial to the country’s economic strength and morale.

“There are abundant cases of star CEOs who have faced their downfall in recent years, often due to poor management and a healthy dose of hubris”

Jock Mendoza-Wilson is director of international and investor relations at System Capital Management, Ukraine’s largest managing company. He says that, during a such crises, business is as important to stability and morale as state governments. “War is extraordinarily expensive. What I think [economic performance] gives everybody is a mission and a purpose that keeps people positive and moving forward.

“It is hard to prepare for war because you’re not sure of the impact it’s going to have on you directly. But the process of having people who understand how to deal with crises, the speed of the response required, spokespeople ready to speak, the discipline of being able to respond – and quickly – is important,” Mendoza-Wilson continues. “That’s the part that you can practice and that’s why, whichever business you’re in, this sense of having a preparedness for crisis communications, and a system that you can follow, is important – you don’t want to be making it up on the spot.”

As potential crises become more complex, there is, nevertheless, a case against being excessively risk-averse: facing uncertainty, there is the possibility that the instinctive response is to defer big investment decisions, especially ones involving capital and people. Such behaviour from companies and investors can dampen dynamism in some economies. Taking a look at the bigger picture may offer some understanding for business leaders’ reluctance to invest in risk management strategies: fewer businesses have been going bust. Until recently, such bankruptcies in the US, UK and Europe were running significantly below historical averages.

This can be paired with a sensible and robust approach to planning, however. It is a lesson that western companies could learn from their counterparts in emerging economies, where managing turmoil, turbulence and volatility has long been an important part of business operations. Andriole believes this will be inevitable. “If you believe that the number of crises is going to increase over time, as the world gets more complex and as we see climate crises occur – now all over the world – then the requirement to build these crisis management plans will skyrocket.

“We have seen that over the past three-to-five years. But what companies do best is they wait for a terrible event to occur, then they respond socially, economically and politically. I don’t see that changing.”