Two Crisis Experts Share Tips to Prompt More Active Crisis/Risk Readiness
Many organizations take careful steps to prepare for, and deal with, sudden crises. They devote significant resources to attaining, and maintaining, regulatory and industry-specific compliance. They build risk management systems with protocol checklists and current contacts and backups. Some even conduct recurrent trainings to build strength in response and to build.
But how many can claim that they are resilient? That they have what it takes to make the business and the brand/corporate reputation bounce back after a crisis? What separates a resilient company from one that is just prepared?
Business resiliency requires that companies go a step beyond with active engagement and discipline. Resilient companies not only avoid disruptions, but quickly buttress any weaknesses that can lead to subsequent problems. It’s a vital component of issues and crisis management that is either overlooked by organizations, under-resourced, or lacks an enterprise-wide, integrated focus.
Two experts in the field — Vanessa S. Vaughn, founder and resilience officer of Asfalis, a boutique-consulting firm focused on crisis management and business continuity; and James Donnelly, senior vice president, crisis management, for Ketchum, a leading global communications firm – discuss how and why many organizations fall short in business resiliency. And they outline steps needed to rectify it.
What exactly is “business resiliency”? Isn’t it just another phrase for “risk management”?
Vaughn: Business resilience is simply your organization’s ability to absorb the impact and bounce back. The road to resiliency is an integrated effort across multiple business units to provide the organization with a wholistic, strategic view of risks. Historically, and based on my experience, many organizations look at risk management as insurance – a check in the compliance box, an audit. But being resilient means looking at the broader picture, and examining all potential vulnerabilities, plus the short- or long-term impacts of a crisis on the entire company.
Security may own a piece of it. Or enterprise risk management (ERM). Or the facilities manager. But the challenge is, none of these areas usually looks at the big picture due to silos across the company.
Donnelly: Many clients I work with treat risk management as a compliance function combined with insurance policy management. It’s about meeting thresholds needed to keep legal and regulatory satisfied. Resiliency goes way beyond compliance. Resiliency needs an owner that has a foot in all these worlds, who can be at the nexus of planning and response. Someone who is willing to spark conversations about what could come around the next corner, and that could truly knock the company to its knees.
Why aren’t more companies ready to be resilient?
Vaughn: I believe it’s a lack of awareness about how crisis management, business continuity, disaster recovery and enterprise risk work from a governance perspective. Business Resilience should tie into your organizational purpose and strategic objectives, while enhancing how risks are managed and viewed across the enterprise at the appropriate level.
Also, Resiliency is a program, not a project and therefore needs to have adequate resources so the organization can fulfill its vision.
Donnelly: I know this sounds strange, but I think companies are too focused on preparedness, which is having plans in place for all vulnerabilities. But resilience means being aware of what’s happening in the world today, and taking measures to stay a step ahead of those trends, even if they occur.
Maybe 5% of clients I work with are truly resilient, and look at issues and crisis as an active and ongoing responsibility. For example, these companies are having active conversations on sexual harassment, given recent horrific headlines. Do we have cases in the past that could be exposed? Do we have strong enough policies and approaches now to help a harassed person or whistleblower to know we’d protect them? Do we need to train against this?
You each approach resilience from a different perspective. Why isn’t there more alignment between communications/PR and continuity/crisis management?
Vaughn: J.D. alluded to this earlier: For most organizations, different areas have different responsibilities when it comes to issues and crisis. They work in silos. And that’s the biggest gap they face; figuring out how this all ties together. Crisis Management and Crisis Communications are a piece of the resilience pie that are often viewed from a reactive perspective, versus an integrated stakeholder.
And who is in charge? If the executive leadership team isn’t engaged, nothing will happen.
Donnelly: I agree. Sometimes and still far-too-often, the communicators are completely out of the loop until a crisis hits the media, and then are expected to say something in response, immediately. That’s too late to get started.
Sometimes, I see communicators stirring the pot, saying, “Hey, this thing is happening in Hollywood or on a college campus. How clean are we on this subject?” In those instances, and they’re rare, PR brings all the different disciplines to the table. Before the crisis strikes or issue peaks.
What is driving the interest in business resiliency today? Has anything changed, recently, that makes the need even more acute?
Donnelly: Yes. The speed and sensationalism with which media approach crises today. It’s astounding that media will go with a highly sensational story, without doing the editorial due diligence that is vital. Allegations become stories before they’re proven.
A second reason – connected to the first – is that the public is more empowered. Social media and social networking have created a public that is no longer latent, no longer waiting to be told the story. If they have a question, they’ll go directly to the company. That want answers … now.
Vaughn: I think the reason resiliency is so critical today is because our world seems, sometimes, like it’s sputtering out of control. Mass shootings. Trade wars. Sudden changes in immigration policies. Sexual abuse scandals.
So many dynamics can batter a company, in an instant. And affect their ability to operate and be profitable.
What must organizations do to get on the road to resilience?
Vaughn: They need to get educated, first. Secondly, bring the key players who manage some aspect of risk across the organization to the table. They may not think about resiliency until something happens, and then it can be too late. There is literally no organization that doesn’t need to prepare for resiliency. And once you’re aware, you won’t ever go back to business as usual.
Donnelly: I think there are two easy steps to take. One, appoint a senior level person accountable for holistic resilience. The second is, have meetings – at least twice a year. Get a cross-functional, multidisciplinary team in a room. Look at what may be on the horizon. War game a little bit, and constantly ask, “What if?” If the answer is, something bad could happen – then work together to be ready to handle it. Before, during and after a crisis. This is what separates and active and resilient organization from a compliance- or checklist-focused one.