SAMPLE NOTES © LSPR

RISK AND CRISIS MANAGEMENT

INTRODUCTION

Our daily lives and business operations are filled with risk. On a personal level we take risks cross-
ing the road, travelling by train and making investment decisions. From a business perspective,
risk is managed at many levels - operational, marketing, legal and financial. Traditionally, much
risk inherent in a business operation has been managed through insurance. However, managing
risk in this way is not a strategic approach to protect your corporation from negative publicity or a
damaged reputation. Insurance only insulates you against potential legal challenges or financial
loss after an event, and does not take into full account the potential long-term reputation damage.
Risk can no longer be managed on an ad hoc basis, but should be sewn into the fabric of corpo-
rate management. Without a clear understanding of the risk it faces, a corporation cannot make
the correct strategic choices to maximise performance.

People make risk decisions at all levels in an organization, ranging from individual responsibilities
to collective decisions made at Board level. Remember Nick Leeson, who lost Baring’s Bank $1.3
billion on trading derivatives, destroying Barings and its reputation within a short period of time. Al-
lowing individuals too much autonomy within an organisation can have disastrous consequences.
Consequently, compliance and adherence to regulations is important to all risk management pro-
grammes, which in turn have focused organisations on corporate governance as a form of man-
agement control. Risk analysis helps put in place checks and procedures that reduce the chance
of negative outcomes. As corporations come under increasing legal challenges from a wide range
of stakeholders, every opportunity should be taken to reduce the impact that legal cases can have
and the potentially high profile media attention that they often can attract.

Risk for many corporations has also been heightened by the consequences of globalisation. Mul-
tinational enterprises (MNEs), such as those operating in second and third world countries are at
risk from potential charges of exploitation of local communities and the natural resources that they
consume. Moreover, MNEs must increasingly communicate to suppliers and distributors how they
treat their employees and their record on human rights.

Risk and reputation are linked; negative outcomes can quickly affect the bottom-line: profit. In
order to protect reputations the scope of risk analysis has broadened way beyond just financial
concerns and now encompasses individual misconduct, and overall corporate misconduct. In the
wake of Enron, WorldCom, Tyco, Arthur Anderson, and other high profile corporate scandals, im-
plementing risk management programmes has become a priority for reputation managers. Central
to tackling corporate risk is the need to develop a strong risk culture and the recognition of the
degree to which an organisation will tolerate certain risks.

What is risk?

Risk means different things to different people. At its simplest, risk can be considered as uncer-
tainty of outcomes, based on probabilities. Any mathematician will inform you about probability, the
concept that gives a mathematical measure of risk. The focus of risk management is on potential
adverse outcomes, which can lead to a crisis.

Risk = uncertainty (or probability) x impact

Any analysis of most web sites that deal with risk management suggests that many aspects of risk
are currently driven by qualitative rather than quantitative analysis, yet it is quantitative risk analy-
sis that produces the most useful predictions. Globally, outside the insurance and banking sectors,
risk management has not developed a common framework by which it can be evaluated.

Two fundamental types of risk can be identified.

• Pre-entry risk involves analysing the risk of entering new markets or areas and having
the necessary contingency plans ready just in case things do not work out.

• The second type of risk is ongoing risk or issues management, in which a corporation
identifies and manages an issue. In this context, an issue is any potentially troublesome
topic that is emerging within an industry, which may be an increasing focal point for the na-
tional and trade media, but has not yet gained great attention from the public. It is when an
issue gains significant momentum, especially via the popular press, that issues can quickly
become crises for certain companies.

The main categories of risk include:

1.Operational
2.Strategic
3.Marketing
4.Brand reputation
5.Financial
6.Intellectual Property
7.Technology and e-business
8.Human or personal
9.Price or market
10.Legislative
11.Supply-chain
12.Information-security
13.Mergers and acquisitions
14.Event-based: political, terrorism, weather

What is risk management?

Risk management is the systematic ongoing process by which an organisation identifies, priori-
tizes and implements programmes to reduce the chance of negative outcomes on a business. The
process can be divided into a series of actions:

1.The identification and cataloguing of risk

2.The quantification (assessment) and prioritization of the risks identified

3.The development of programmes and actions to tackle risks: this can involve contingen-
cy plans and/or the outsourcing of risks to a third party. Risk tolerance boundaries should
be established.

4.Continuous evaluation of risks and the monitoring of existing programmes for effective-
ness. Also the analysis of new data in the assessment of risk.
Risk Audits:

Risk reputation management should start with some kind of risk audit. Such audits should be car-
ried out every quarter (depending on the associated risks), but at least twice a year is reasonable.
The process of identifying risk requires risk managers and officers to interview key personnel and
use SWOT analysis on areas that present the most exposure. It is important that audits examine
both internal and external risks and the implications of outsourcing the risk management function.

Risk audits are made much easier if management encourage a culture of risk reporting and ac-
countability. For example, is a system in place that encourages employees to report back any risk
concerns they may have about the company? Also important in developing a risk culture is the de-
gree of risk tolerance accepted for any given situation. Once a risk audit is completed, it is impor-
tant to present a summary of results to key employees in order to seek their reaction and input.

Sending executives and those in responsible positions on media training courses is a useful in-
vestment that helps militate against further risks caused by employees making insensitive or unfor-
tunate remarks on TV or radio.

Psychology of risk assessment: protecting against irrational decision making

Social influence and conformity cannot be ignored when considering risk evaluation. During corpo-
rate meetings, individual executives can easily be influenced into complying with decisions that the
rest of the board may agree upon, even if they have some reservations about the outcome. With-
out proper data or analysis of risk, such diffusion of responsibility and conformity to the majority
can result in “group think” within the organisation, with all its implications if the resultant decisions
are incorrect. Such blind conformity and poor judgement based on innumeracy can be significantly
reduced by the correct presentation of risk data.

As a result, risk management insulates and protects corporations from irrational decision making,
either by key individuals or by the board. Since the 1950s, psychologists have realised the power
of peer influence and “group think” on decision making. Most people are of the opinion that they
are independent minded and would not be influenced by the decision or opinions of others, but
research suggests otherwise. Many studies have demonstrated the affect of majority influence. In
majority influence, a group of individuals tend to have a convergence of judgement when present-
ed with data, thereby yielding to group pressure or expectations.

For example, a group of executives might meet to discuss which new software system should be
purchased to sort out problems within the existing customer relationship management systems.
One senior executive, with an extensive background in IT, is convinced that of the three options
presented, B will be the most effective in solving the problems. The other executives have equally
evaluated the options and most agree that A is both the most cost effective and has the best track
record. However, given that the executive who prefers option B has a significant background in IT,
they all keep quiet and agree with his recommendation.

What issues have raised the importance of proper risk management?

Failure by employees or their deliberate disregard for regulations can result in corporations getting
into serious trouble. Indeed, most of the recent corporate scandals were caused by failure of key
personnel and senior executives to comply with regulations and the law. With corporations under
the microscope for continuing failure to comply with basic regulations, the issue of corporate gov-
ernance has been much hyped in the media.
What are the consequences of not managing risk?

1.Injuries or fatalities
2.Financial loss and damage to share price
3.Long-term reputation damage
4.Product or service boycott
5.Problems with activists or NGOs
6.Imposition of harsh regulation and laws
7.Legal payouts

Ways of minimising the effects of uncertainty

• Implementing risk audits

• Encouraging all employees in understanding risk
• Use of probability assessments
• Understanding the difference between relative risk, propensities and frequency
• Use of decision tress
• Use of sensitivity analysis

Problems with communicating risk

Another major concern associated with risk management is its communication, or rather its mis-
communication to key stakeholders. In part, this has been caused by corporate inability to ad-
equately explain risk, but more importantly, the general public’s innumeracy. Depending on your
perspective, public innumeracy is either a good or bad thing. For example, the notion of relative
risk, (which is often used when communicating data from medical trials), is commonly misunder-
stood. In order to understand the concept of relative risk, people must first understand absolute
risk reduction.

It is important to communicate risk as simply and as transparently as possible in order to avoid

serious misunderstanding. However, as NGOs have been pointing out for years, corporations
often mislead with their statistics regarding risk and potential outcomes. Equally, NGOs can also
manipulate data for their own ends. Because the general public is fundamentally innumerate, com-
municating risk via conditional probability, relative risk or propensities is easy to do in a manner
that is correct, yet presented in such as way as to be potentially misleading. Even losses can be
presented as gains, and pressure groups can enhance fears about certain drugs, or food additives
by communicating data as relative risk.

When attempting to communicate risk, some basic rules should be applied, starting with the
source of risk. If the source of risk evaluation is not trusted, then all efforts can be compromised
and rumours can damage the credibility of the communications effort. Sectors, such as pharma-
ceutical, environmental, construction, transport, and medical can benefit from third party risk as-
sessment evaluation, but this ironically carries its own risk.

The Risk of Corporate Rumours

Managing rumour is one of the toughest jobs facing reputation and PR managers. Rumours carry
a considerable risk value. Three general types of rumour are recognised: commercial, contamina-
tion, and conspiracy. Commercial rumours refer to unverified rumours about specific brands or
corporations. For example, Procter and Gamble (P&G) and McDonald’s have both been victims of
rumour campaigns. P&G was supposed to have satanic links because its man in-the-moon logo
was thought to be a symbol of the devil! In addition, various other aspects of the logo showed the
figures 666 when held up against a mirror. The rumours spread rapidly in the Midwest and South-
ern parts of America, forcing P&G to alter its logo.

Similarly, McDonald’s was accused of using red worms in their burgers in the late 1970s, and as a
result, their sales fell by over 30% (Tybout et al, 1985). More recently, Coca-Cola sales have suf-
fered in the Middle East as a rumour has been circulating since 2000 that claims that if you view
the logo in the mirror (or upside down) it appears to read in Arabic as an anti-Islamic phrase. Coke
was so concerned by this that they sought help from a senior Egyptian mufti, Sheikh Nasr Farid
Wassel. He warned that such rumours could put thousands of Coca-Cola employees in Egypt out
of work.

Conspiracy rumours refer to undesirable corporate policy supposedly held by a corporation e.g.
corporations or CEOs with leanings to extreme political parties or outlawed associations.

Contamination rumours often affect fast-moving consumer goods, such as children’s products,
drinks or food. Packaging has improved considerably since the 1980s and following on from nu-
merous blackmail attempts by criminals trying to either discredit a corporation (often a disgruntled
ex-employee) or someone trying to extract money.

Other examples of rumours are those that propagate on the Internet. Harry Potter books had a
false claim that underlying messages within the book caused children to become Satanists. Anoth-
er claim was underarm deodorants that had anti-perspirants increased the risk of cancer. Other
mad Internet rumours included toxic children’s crayons and yellow sponges made by Procter and
Gamble contained Agent Orange, which would slowly kill you as you washed up!
Even banana sales dropped by $30 million when rumours started to spread about a flesh eating
bug all of which goes to prove the cost and damage false rumours can cause to a product, irre-
spective of how its reputation has been in the past.

Controlling rumours: the dynamics

Ignoring rumours has its own associated risk, but equally tackling a rumour can draw more atten-
tion to it! But what are the factors that influence a rumour, its impact, speed of travel and its reach
within a population? The Internet and wireless technology now enable rumours to spread with
incredible speed, across many different countries.

The characteristics that make a rumour strong depend on a number of interrelated factors. The
original research carried out on rumours and their transmission dates back to 1948 and the work
of Allport and Postman who studied war time rumours. Their work produced a basic law of rumour:
R = I x A, where R is reach, intensity and duration of a rumour; I is the importance of the rumour to
the receiver, if true; and A refers to the level of ambiguity or uncertainty surrounding the rumour.

If one recognises that importance and ambiguity are driving forces in the reach of a rumour, it al-
lows you the opportunity to prioritise what needs to be done to reduce that importance and ambi-
guity.

Those corporations whose credibility is already weak will suffer more from rumours as stakehold-
ers may have been partly conditioned to expect negative news about the company. Corporations
with structured reputation management programmes should be able to squash a rumour quickly,
especially if they correct false information and reduce ambiguity. Other factors that help in the
transmission of a rumour include its believability, originality and associated fear.
A note of caution

In 2001, a book by Bjorn Lomborg, The Skeptical Environmentalist, produced a storm of criticism
from scientists and environmentalists, resulting in high profile exchanges between the author and
scientists/environmentalists in both the Economist and Scientific American.

The publication challenged widely held beliefs about the continuing destruction and decline of the
global environment. Lomborg, an associate professor at the University of Aarhus, Denmark, was
openly critical of how scientists and NGOs had selectively presented data to reinforce the notion
that most aspects of the environment are getting worse. He accused the media of propagating
many of these negative reports because the news system sells best on negative and controversial
news. For example, Lomborg challenged the reports regarding genetically modified foods (GM).

Lomborg referred to reports that implicated GM foods with the decline of Monarch butterflies,
showing in various cases that GM was only the “hook” for an alarming story, but the reality was
that it was unrelated to the main issue. Corporations, such as Monsanto have suffered consid-
erable negative publicity as a result of such reports and their often misleading representation
in journals and the popular press. Even the language (Frankenstein Foods) that surrounds GM
foods is inflammatory, yet few people understand the implications, let alone the potential benefits.
However, corporations such as Monsanto are somewhat culpable through their inability to com-
municate risk effectively. Greenpeace ran a much more effective communications program during
Monsanto’s 1998 UK advertising campaign, catalysing the growth of the organic food industry.

Risk and Value-led Organisations

Many corporations routinely conduct a sensitivity analysis (often referred to as what if analysis?)
in which certain assumptions that underpin a defined strategy are challenged, thereby helping to
analyse the potential risks. Other traditional methods of analysing risk outcomes include economic
added value (EVA), net present value (NPV), internal rate of return (IRR) and total shareholder
return (TSR). However, since the 1980s, traditional financial analyses have been much criticised
owing to their limitations and their inability to evaluate market risk.

Various corporations, such as Cadbury Schweppes, Reuters, Coca-Cola and Lufthansa all adopt-
ed a consolidated approach to business, which is less scale driven and based more on managing
for value (MFV). Managing for value required corporations to question what contribution a certain
brand is making to the overall financial performance of the company. Performance could then be
measured by total shareholder returns (TSRs). Managing for value has helped corporations such
as Cadbury Schweppes develop projects such as Cadbury LAND, which have proved to be a suc-
cess. Furthermore, MFV also helped focus on strategic needs, thereby helping to reduce risks for
shareholders.

Corporations must also take into account the feasibility of a project in the time allocated, the re-
sources available, and whether the core competences to deliver the project are available.

Interdependence Risk

In order to make your corporations more resilient to the potential of business discontinuity it is
importance to realize the interdependence of risk, especially within a complex business network
environment. Too often risk management is done in isolation, with little risk analysis sharing or
strategic planning between departments. In order to recognise interdependencies, corporations
should map out their stakeholder relationships, paying particular attention to the vulnerability of the
supply-chain, communications, technological and public infrastructure.

A recent article in the business magazine Strategy+Business highlights a series of key questions
that can be asked in order to help diagnose a corporation’s enterprise resilience and its crisis prep-
aration. Some of the more important questions raised include:

1. Are interdependencies understood and interdependent risks identified?

2. How good is the corporation’s situational awareness?

3. Are the complexities of the extended enterprise and key earnings drivers across it transparent?

The article goes on to explain that current risk management practices have not kept up with the
gradual shift from centralized to networked organisations. It points out that many corporations’
risk management programmes fail to account for interdependencies across vertical and horizontal
operations, which result in them underestimating both the spectrum and severity of risk.

ISSUE MANAGEMENT

Describe earlier as a form of ongoing risk, the term issue management was coined by Howard
Chase in 1976. The concept is really a form of ongoing risk assessment. An issue arises when
some form of gap exists or develops between a corporation’s policies/actions and stakeholder
expectations. For example, genetically modified food was an emerging issue ten years ago as the
technology and research gathered momentum. When the real potential for commercial exploitation
became a reality, the issue started to develop rapidly. Then, in the early 1990s a GM cheese prod-
uct became available alongside GM tomato puree and activists and the media started to alarm the
public.

What is an Issue?

An issue is a potentially troublesome topic that is emerging within a business sector, which may
become a future focal point for the media, but may not have caught the attention of the general
public. Every issue has specific triggers, which if fired, can accelerate the pace of the issue, ma-
turing it quickly in its lifecycle. Therefore, if accelerated, an issue can quickly become a full blown
crisis.

Issues can either be broad-based or very specific. A broad-based issue may affect an industry
or sector, such as utilities, publishing, education, or farming. Many such issues are managed
through alliances or trade bodies that lobby the government or other key groups in order to influ-
ence change. Specific issues, such as security at a chemical plant or the supply-chain manage-
ment for a manufacturer need as much detail to attention as more broad-based issues, but pose
potentially the most risk.

Irrespective or the depth or breadth of an issue, if it is not correctly managed and monitored, it can
quickly develop into a crisis. The principle is analogous to preventative medicine. Those people
that go to their doctors on a regular basis aged over 40 years of age, stand a much better chance
of been screened for classic medical problems, such as heart disease, breast and colon cancer or
hypertension. As most people are aware, many cancers detected at an early stage of development
are treatable and curable. In exactly the same way, issues that are managed are crises hopefully
prevented.
What are the implications for failing to identify and monitor an issue? Long-term damage to reputa-
tion is a high risk outcome, plus rumours and the dissemination of false information, and ultimately,
a crisis or disaster.

BOX
Some issues for the milk industry in the UK

1. Bovine Somatotrophin (BST) or growth hormone in milk

2. Mycobacterium Para tuberculosis - transmission of tuberculosis in milk
3. Poor heat treatment – potential for spoilage
4. Foreign objects in milk – filtration process
5. Contamination seals – prevent tampering
6. Chemical contamination of milk during processing
7. Correct labelling
8. Source of milk – the auditing of farms and cattle
9. Dealing with activists – PETA
10. Health issues – extent of fat in full cream milk
11. Distribution of milk – ensuring temperature in kept low
12. Storage of milk
13. Bacteria in milk and alleged link with certain diseases
14. Milk and antibodies

What is Issue Management?

Issue management is a management function that involves corporations committing to long-term,

two-way dialogue with stakeholders in order to balance expectations and manage potential con-
flict. In effect, it helps close perception and attitude gaps.

The first issue management process model was produced by Chase in 1977 and consisted of five
key steps:

1. Issue identification
2. Issue analysis
3. Issue change strategy options
4. Issue action programme
5. Evaluation of results

Although all of the above steps are important, identification is the most critical, as without proper
identification of what factors may impact and disrupt a business corporations cannot strategically
alter their behaviour and policies. It requires a complex analysis of stakeholders and the recogni-
tion that corporations need to look beyond those that are consumers or suppliers. Developing a
dialogue with these groups and anticipating what might be their reactions can then be integrated in
communications and corporate strategies.

Furthermore, issue management also allows you to identify the resources that you need to muster
in order to tackle the issue correctly.
As part of strategy and planning, issue management involves:

1. Monitoring events and market research in order to identify potential triggers and public
attitude changes

2. Monitoring the internet and discussion groups – intelligence gathering

3. Monitoring all relevant anti-corporate activists on a daily basis

4. Educating the market

5. Community relations

6. Media management – gaining media support and third-party advocacy

7. Monitoring change, especially technological change (such as CRM systems)

8. Monitoring the lifecycle of issues

9. Integrating on and offline communications

Examples of badly managed issues

BSE
GM Food

Some characteristics of badly managed issues are:

1. Poor leadership and management vision

2. Inability (or incompetence) to fully appreciate the potential for damage
3. Short-term thinking
4. Poor identification and understanding of stakeholders’ reactions
5. Issue is too complicated or multi-dimensional for management to handle
6. Poor organisational systems and knowledge management
7. Weak risk culture
8. Reactive and defensive responses to problems
9. Inflexible management policies that produce one-way communications
10. Unwillingness to engage media and stakeholders for dialogue
11. Spin and manipulation of data
12. Outsourcing the responsibility
13. Putting saving measures in place without analysis of outcome

In the case of the BSE crisis, the UK government failed alongside the farming community to fore-
see the problems associated with intensive farming techniques, which were the primary cause
of the BSE outbreak. The government and its scientists were guilty of poor risk communication
and according to the BSE Inquiry, Lord Phillips suggested that a false impression was conveyed
that BSE posed no risk to humans. Since the BSE crisis, over 70 victims of the new variant CJD
disease have been identified in the UK. Furthermore, the report also commented on the issue of
how slaughterhouses often failed to remove key parts from the carcass of cattle, thereby allowing
infected animals to enter the food chain.
Activists – a real threat to corporations

Activists and NGOs have emerged since the 1980s in large numbers and pose a growing threat to
the corporate perception and reputation of many at risk organisations. The scope and numbers of
corporations at risk is vast, but the following are some of the most vulnerable:

1. Corporations that have an environmental impact

2. Those with a history of unfair treatment on their employees or with poor working conditions

3. Those organisations that overtly put profit before other social and environmental concerns

4. Corporations involved with animal research or any form of animal management

5. Multinational enterprises that invest their assets in funds that are deemed unethical

Monitoring and understanding activists’ objectives requires a dedicated and sincere understanding
of NGO mentality. Understanding the “mind-set” requires getting to know the enemy and engaging
in long-term dialogue.

In the UK, a worrying and extreme example of activist’s impact is Huntington Life Sciences (HLS).
Huntington has been fire fighting activists for many years and in 2001 its share price nearly col-
lapsed. Investment bank such as HSBC, Citibank have severed financial links with Huntington, in
view of the negative associations. Employees at HLS have been attacked and intimidated, with
some activists adopting a “zero-tolerance“toward board members. Huntington Life Sciences is
significant not just because of the pressure and success of the activists, but also because of the
precedence its sets for how activists engage corporations and their stakeholders.

However, the overwhelming majority of NGOs are peaceful open organisations that simply seek
to draw attention to either a single-issue cause or a wider range of issues. A key role for PR and
reputation managers is to encourage more business-NGO partnerships, such as those developed
by BP, Shell and Unilever, thereby helping to legitimize such organisations activities. Unilever
(www.unilever.com) is an example of an organisation that has formed links with NGOs, such as
the World Wildlife Fund (WWF) and the Marine Stewardship Council (MSC) to encourage suppli-
ers to source fish from sustainable fisheries.

CRISIS AND DISASTER MANAGEMENT

What is a crisis?

The Institute of Crisis Management in the USA defines a crisis as follows:

“..a significant business disruption which stimulates extensive new media coverage. The result-
ing public scrutiny will affect the organisation’s normal operations and also could have a political,
legal, financial and governmental impact on the business.”
Defining a crisis is also dependent on one’s perception of the situation and the degree to which
it can impact your organisation. What might be viewed as a minor problem for one organisation
could spell disaster for another.

Five basic categories of crisis can be recognised:

1. Human error
2. Mechanical failure
3. Management decisions/indecision
4. Technology failure
5. Acts of God

Crisis examples include:

Distillers - Thalidomide
Perrier - Benzene
J&J - Tylenol
British Midland - Kegworth
Shell - Brent Spar
Concord - July 2000 crash

Most crisis situations are known to corporations and their managers before they become public
knowledge, but occasionally, a crisis situation can emerge from out of the blue, caused by natural
disaster or circumstances that could not be easily predicted by management, such as fires or the
death of a key employee. Such crisis situations are much more stressful because the public often
have as much knowledge as the corporations e.g. the loss of a passenger aircraft.

Business Continuity Management

Post September 11th, corporations must take the threat of international terrorism seriously, espe-
cially those that involve large numbers of the public. Business continuity planning or management
is now rapidly developing, especially in the US. Failure to demonstrate the ability to recover capa-
bility is becoming a mandatory requirement for certain businesses. Failure to comply could result
in serious fines or legal action. During the September 11th attack, companies such as Morgan
Stanley were able to recovery control quickly over their operations and disperse work in order to
keep operational. Increasingly, corporations following on from September 11th are realising that it
is not a good idea to concentrate all their employees or activities in one central place and are now
dispersing resources and operations to prevent a single point of failure.

The terms crisis management and crisis communication are often used interchangeably. Strictly
speaking crisis management is a process by which a crisis management team (CMT) actively deal
with the reality of situation on an hourly basis, whereas crisis communication, which is a part of
crisis management, tackles the media and communicates to key stakeholders, thereby managing
the perception of the situation.

However, it is also quite sensible to argue that to separate the two issues is illogical, as it is im-
perative to integrate all corporate messages in a crisis and ensure that communications is the one
cohesive part of any plan.
Preparation and Crisis Planning

The process of preparing for a potential crisis is absolutely critical for the sake of your reputation.
Without any form of planning, a crisis, especially a sudden event, will have a much more damag-
ing impact on a corporation’s credibility, particularly when inadequate contingency planning is
demonstrated.

The basic steps include:

1. Risk assessment – auditing – see section on risk management

2. What procedures are in place to manage the risk if it becomes a crisis?
3. Do you have the necessary resources to handle a crisis?
4. Have you conducted a stakeholder analysis and anticipated those groups who will be
most impacted?
5. Is information available to employees and other key people (suppliers etc) in the event
of a crisis? How can technology help?
6. Have you conducted crisis simulations?
7. Have you identified and tested your crisis management team?
8. Have you identified and media trained your spokespeople?
9. Are staff and other key stakeholders aware of the contingency plans?
10. Is communication protocol agreed?

Bringing in outsiders
Many companies bring in outsiders to test their vulnerability to a crisis situation. Investigative jour-
nalists, specialist lawyers and PR specialists can be hired to help stage hypothetical situations and
monitor how a crisis team performs. Such simulations expose weakness within systems and are a
useful way to push staff to their limits. Other corporations employ hackers to probe into the weak-
ness of their IT systems, exploiting a “criminal mindset” so as to maximise vulnerability exposure.

Characteristics of good crisis management

1. Demonstration of decisive corrective action

2. Speedy and accurate communications

3. Ability to admit mistakes

4. Full appreciation of the needs of all stakeholders

5. Clear recovery strategy

6. Consistent corporate messages

What are the key steps that should be taken when a crisis hits?

Probably the most important single thing to do when a crisis hits is to marshal as many facts and
details about the situation as quickly as possible. Separating fact from fantasy or rumour is critical
to managing the rest of your campaign.
Assemble Your Crisis Team

All good crisis management planning and communicating is dependent on a crisis management
team (CMT). The team should ideally be kept small and the members should be totally familiar
with their respective responsibilities. Depending on the crisis, the industry sector and nature of the
situations, CMTs will vary in their structure. However, in general CMTs could be made up of the
following:

1. Team manager - in charge of coordinating the team

2. Media “gatekeeper” - all information flows in/out through this person
3. A spokesperson - acts as official media spokesperson
4. PR advisor - deals with and advises on how to handle media
5. Legal advisor - advises on all potential legal implications
6. Media monitor - monitors and tracks media opinion during crisis
7. Operations manager - key person for operational decision making
8. Finance and admin - helps in the deploying of resources and admin
9. Other key employees - product, technical, HR specialists

The rationale behind the crisis management team is to help in decision-making during a crisis
and assist with communications of required messages and operational response. Those selected
should be psychologically able to function under great pressure and should be trained together on
a regular basis. Under pressure, employees will fall back on their training and this is an essential
part of crisis preparation.

What resources should a CMT require?

Once again, this depends on the size of the organisation and the severity of the crisis. However,
the following list would be useful to all CMTs:

1. A CMT communications centre or crisis HQ equipped with TV, radio, internet, tele-
phones, faxes etc

2. A mobile crisis box – complete with torches, first aid, mobiles, cameras, etc

3. A media list and resources (media directories etc)

4. Access to employee and executive details and contact numbers, plus biographies

5. Relevant administrative supplies

6. The ability to establish a helpline that can take the volume of potential calls and an
Internet site that is regularly up-dated. Some companies create dormant crisis web sites
that can be quickly activated in the event of a crisis. This saves valuable time which can
be deployed elsewhere

Handling the Crisis

What key steps should be taken in order to mitigate a crisis situation? The following order of
events will differ depending on circumstances, but they represent the principal logical sequence
that crisis teams could follow.
STAGE 1: Assemble the crisis team

1. Brainstorm the situation and establish facts and details

2. Identify and agree exactly what is at stake
3. Agree communication objectives and a strategy to achieve them
4. Identify and prioritize stakeholder groups
5. Agree on messages and channels of communication
6. Access the legal situation
7. If required, develop a holding or media statement

It is important to remember that with evolving crisis situations, management must be prepared to
act quickly and adjust strategy if required.

STAGE 2: Internal Communications

1. Ensure that all employees and other impacted stakeholders are aware of the situation
before media get to them
2. Ensure that employees know roughly what to say if asked for comments

STAGE 3: Release a media statement

1. Release holding or general media statement that explains the facts as you understand
them, what is being done i.e. factory shut down, employee suspended, products being
withdrawn etc
2. It is important that the source of information is authoritative
3. Ensure that any statement released is also available on a crisis or contingency site

STAGE 4: Enter into crisis communications and monitor the situation

1. Engage in communications with stakeholders and the media

2. This stage could involved crisis release up-dates; press conferences etc
3. Stay on message
4. Monitor all information coming in and reassess the strategy
5. Monitor the media response and evaluate spokespeople

STAGE 5: Consolidate and continue to monitor progress and response

1. Keep on-message and maintain links with media, informing them about changes and
operational improvements etc
2. Continue personal communication with key stakeholders, providing up-to-date progress
reports
3. Continue to monitor opinions and conduct attitude surveys as well as market research/
intelligence gathering.

STAGE 6: Post crisis: recovery and opportunity

1. Evaluate the effectiveness and efficiency of the crisis team and outcomes
2. Understand lessons learned
3. Analyse media opinion and public perceptions and opinion
4. Prepare a final report for key stakeholders: both internal and external
5. Maintain contact with stakeholders, try to cement relationships e.g. site visit etc
6. Prepare case studies and educate all employees
7. Put into operation lessons learned and assimilate into contingency planning and simulations
Disaster Management

What is the difference between a crisis and a disaster? The simple answer to this question is prob-
ably the extent of human tragedy involved i.e. the total loss of life and the level of disruption that
has occurred. Disasters fall into three basic categories:

1. Human events
2. Technological events
3. Natural events

For example, natural events can be further sub-divided as follows:

1. Avalanches
2. Flooding
3. Fire
4. Earthquakes
5. Cyclones
6. Hurricanes
7. Tornadoes
8. Diseases
9. Wind damage
10. Drought
11. Volcanic eruptions
12. Severe weather conditions

With the threat from international terrorism highlighted since September 11th, many businesses
have had to seriously examine their disaster planning and contingency management systems.
When a serious loss of life is involved, the same principles as described for crisis management
are involved, except the stakes and resources that need to be focused are much higher. When an
airline suffers the loss of a commercial aircraft, hundreds of lives are lost and the emergency re-
sponse team and their training become critical. Dealing with large scale emergencies and disaster
management is beyond the scope of this chapter but useful resources include:

www.continuityplanner.com

www.globalcontinuity.com

Business Continuity Magazine: www.kablenet.com/bc

Conclusion

Since the early 1980s, too much emphasis has been placed on crisis management training and
far too little on addressing risk analysis and issue management. Although it is absolutely critical to
have a crisis plan and employees trained in crisis and disaster management, prevention is always
better than cure.

As insurance premiums keep rising and the threats from external forces become ever greater, over
the last decade, corporations have started to become more aware of the need to critically examine
their risk exposure and determine tolerable limits. Catalysts for this change include rising premi-
ums, regulations forcing organisations to access their risk (e.g. fire risk) and increased litigation
against corporations. But the ultimate aim for risk analysis and issue management is that it provide
a corporation with an excellent base for helping to steer and shape its own reputation.
Training courses abound in crisis and business interruption management, but courses in risk
analysis and issue management lag way behind, both in numbers and sophistication. But reputa-
tion managers must understand risk and the potential implications of failing to tackle it. Because
they are more abstract and complex risk and issues are sometimes brushed over by corporations
or outsourced, which incurs a risk in its own right.

Encouraging a more proactive focus by managing risk and issues, corporations stand a much bet-
ter chance of entering into more meaningful relations with stakeholders, including those whom are
impacted, dependent or intractable.
Risk evaluation acts as a counterbalance against risk situations and therefore provides a powerful
reputation management tool.

Crisis management cannot be divorced from risk and issue management. It builds on the knowl-
edge trapped within the system during risk assessment and any crisis, sudden or evolving , relies
heavily on the training and simulations given to the crisis management team and their individual
skills. Given the 24-hour and instance media response that is now so evident, key personnel
should be media trained and appropriately picked for their media acceptability.

EXERCISE AND DISCUSSION POINT

On which issues should your organization be focused and how will you manage these?

In addition, think up a crisis scenario and then simulate this as much as possible with your
employees. Analyse how they react and identify strengths and weaknesses.