Crisis is inevitable. Every organisation is going to face a significant crisis and many more minor incidents in the near future. This is why having a crisis management plan, that is understood, tested, and rehearsed is crucial. All effective enterprise risk management frameworks will consider business continuity and crisis management.
Supply costs can skyrocket – your supplier in Turkey is raising costs beyond what you can afford because inflation in Turkey is at 38 percent; your key supplier of cement in Russia refuses to cell to you because of your construction contracts; you suffer a major lawsuit; the impact of a natural disaster; or a data breach. All of these problems can put your business plan at risk. The nature of the potential damage varies based on the nature of the crisis. A crisis can affect health or safety of employees and customers, the organisation’s finances, the organisation’s reputation, or a combination of these. If the issue or incident is beyond the scope and capacity of business continuity systems, then you have a crisis.
As well as different types of crises, they can also originate in different areas. A crisis can either be self-inflicted or caused by external forces. Examples of external forces that could affect an organisation’s operations include natural disasters, security breaches, conflict and war that impacts supply chains, and false rumors that hurt a business’s reputation. Self-inflicted crises are caused within the organization, such as when an employee smokes in an environment that contains hazardous chemicals, downloads questionable computer files, offers poor customer service that goes viral online. An internal crisis can be managed, mitigated, or avoided if a company enforces strict compliance guidelines and protocols regarding ethics, policies, rules, and regulations among employees.
Business Continuity versus Crisis Management
I am often asked about the difference between business continuity and crisis management. Business continuity planning is the management process for risk identification, their impact and likelihood, and developing preparedness and response plans to ensure regular business operations can and do continue. The objective of business continuity planning is to increase organisational resilience to business disruptions and to minimise the impact of realized risks. It is clear that conducting business impact assessments are an important component of developing your business continuity plan. Risk analysis and foresight is the process of identifying adverse events that may occur and estimating their likelihood of occurring. By conducting simulations and scenario planning, risk managers and leadership teams can assess the likelihood of a risk occurring and the potential impact on business operations. Businesses that put a continuity plan to increase their chances of continuing regular operations and protecting their most valuable assets in cases of unforeseen events can mitigate the effects of a negative event with good planning, training, and external international risk management support.
Crisis management processes and systems however, and what occur when the incident or issue is beyond the scope and capacity of regular business operations. A crisis is a situation requires dedicated and trained resources to successfully resolve the situation and return to regular business activities. Crisis management seeks to minimize the damage a crisis causes and to return the organisation to a positive position and resume regular business operations as quickly as reasonable.
In my experience working with executive teams from many different industries around the world, I have seen all of the above. The good news is I have seen leadership teams navigate through difficult waters and manage to resume regular business operations quickly. Unfortunately though, I have also seen other companies fall into complete disarray because of poorly planned or untested crisis management plans.
it is hard to imagine, but over one in four companies don’t have an up-to-date crisis management plan, and even less companies regularly rehearse and practice their crisis management systems. We know that 86 percent of hospitality businesses are affected by crisis in the last year, 80 percent of manufacturing and automotive companies, 77 percent of government and public services, 76 percent of financial service companies, and 65 percent of health service providers.
What are the stages of a crisis?
Pre-Crisis
The first part of crisis management is preventing potential crises. Create a crisis management strategy, train your staff on these strategies and perform practice exercises, creating systems of communication to save time if an emergency situation occurs.
It is imperative to have systems in place, and access to the right support so you have complete assurance for your business in any potential crisis. These systems and relationships must be established and tested before a crisis occurs, and in different circumstances (with warning and without warning, and at different times of the year and different times of day).
As important as it may be to identify risks and plan for ways to minimize those risks and their effects, it is equally important to establish monitoring systems that can provide early warning signals of any foreseeable crisis. These early warning systems can take a variety of forms and differ widely based on the identified risks.
In order prepare for a crisis, establish a combined crisis management team comprising the organisations internal critical event management team with support from outside specialists and risk management consultants. Every minute a crisis goes unmanaged, the costs and other negative affects will increase dramatically. The longer your company and workers go without clear guidance and trained processes, or worse, have to wait to execute new corporate crisis management plans, the more likely it is that your situation will escalate negatively, very rapidly and at great cost. Have robust crisis management systems in place, that are communicated, understood, and rehearsed will ensure a better crisis response, and also lead to increased employee, management, and government confidence in operating capacity.
Post-crisis
After a crisis has occurred, your post-crisis systems and support mechanisms should commence. Your organisation should have the capacity (in house or through an external international risk management company) to conduct an extensive analysis of events and write up a detailed review for your business’s team to learn and grow from?
Crisis management versus risk management
Risk management means looking for ways to minimize risks. Crisis management involves figuring out the best way to respond when an incident does occur. So whilst crisis management begins with risk analysis, it should not be confused with risk management.
Risk analysts generall work together with forecasting professionals to identify emerging risks and identify effective ways to minimize future negative unforeseen effects. All entities are exposed to risk. What risk management is concerned with is minimizing the likelihood of risk leading to failure, and identifying the right balance between taking appropriate risk that is in accordance with the organizational risk appetite, and reducing or avoiding all other risks.
Organisational responsibility and crisis management
Today, all major corporations, non-profit entities, and public sector organisations should have robust and tested crisis management systems in place. Developing, practicing and updating a crisis management plan is a critical piece of ensuring a business can respond to unforeseen disasters. Crisis management is an important component of enterprise risk management for all organisations, and your crisis management team, and your risk management team, although not the same, should be closely linked, and perfectly aligned.
Due to the volatile nature of global events, many organisations have robust systems in place identify emerging risks before they negatively impact their business interests. When a crisis occur however, organisations must be able to quickly adapt their activities in order to successful navigate the new circumstances and operating environment.
Pingback: Strategic Decision Making and Risk – The International Risk Podcast
Pingback: Russia sanctions and the impact on international risk – The International Risk Podcast
Pingback: Operational risk and governance – The International Risk Podcast