Chris Twyford, director of security, Asia, Middle East and Africa (AMEA) at Mondelēz International, on managing a crisis in the internet era
The worst time to manage a crisis is during it. The problem is that too many companies attempt to do just that. A lot of companies seem to learn the hard way. Crisis Management (CM) today is different to any period in the past. The impacts are more overt and public – there can be damage not only to the bottom line, but also to the company’s reputation and that image can be permanent in the digital age.
Companies do tend to forget operational risk management, and solely focus on traditional financial risk modeling. Failure to have a sound compliance program, business continuity planning, cyber-security and crisis management infrastructure can also have a direct impact on the bottom line. All of the above are effective operational risk management controls.
The way companies manage risk will certainly change, and it is already changing. A convergence between operational risk management and financial risk management is taking place at some organisations. However, while companies are maturing, many of them still learn after they’ve had a significant issue. Sound CM planning and training will put companies in a far stronger position to foresee risks and prevent a manageable issue escalating into a full blown crisis.
So what do firms need for crisis management in the digital age? They need in-house risk and crisis management infrastructure and experience, alongside access to good external advisors. It is all about planning, preparation and stress-testing your plans with the in-house crisis management (CM) team. You do not actually have to invest a lot of time into it, but do need to put meaningful time into it. Companies often tend to see CM training as a chore with little value, and a mere “box ticking” exercise, and assume a lot of money has to be spent on this, when that is not the case.
The one thing I do see is the notion that crisis management is only played out in the media, which it is not the complete picture. Several recent corporate crises in Australia have demonstrated that companies have placed a lot of focus on managing the message, but they gave little thought to the other elements of crisis management.
While it is important to control the messaging, other parts are being missed such as actually owning the problem and being prepared to manage the variables – a recent unfortunate example occurred when a company’s crisis management and security team were captured publicly arguing with one another in a Middle Eastern country, in a high profile case.
You also need to get your risk matrix right first, have your risks in order of impact and likelihood, and then train towards managing your foreseeable risks. That will then give you a far more realistic notion of what you are facing. Often, the training on these risks is incomplete or not realistic enough - it can often be a case of “death-by-slideshow”.
In my opinion, a challenging interactive workshop with your leadership team tends to be more effective in producing better prepared CM teams. The whole idea is that you make mistakes in the classroom, so you do not in real life.
People are also often reluctant to challenge business leaders as no-one wants to ‘lose face’ if they give the perceived wrong answer – setting the right tone with training should alleviate this. An interactive and supportive training and advisory process can highlight weaknesses in the team and close gaps in the response capabilities.
Another aspect this modern crisis management landscape creates is the impact it has on the risk profession, and how that is viewed. The risk profession has been maturing, developing and changing greatly over the past 20 years. There are probably a lot more opportunities for risk managers currently and there will continue to be in the next five to 10 years, as companies learn how to manage risks better, and incorporate this expertise within their organisations.
The space for a risk manager is there in terms of opportunity, and recruiters are slowly starting to understand this. If you want to manage crises in the digital age, you will need highly competent risk managers and risk management teams who have a holistic view of both risk and crisis management.