Article provided by Lance J. Ewing, Executive Vice President (EVP) of Global Risk Management for Cotton Global Disaster Solutions. He is former president of the Risk and Insurance Management Society (RIMS) and is a frequent keynote speaker on Crisis Management.
President John F. Kennedy once stated, “When written in Chinese, the word crisis is composed of two characters. One represents danger and the other represents opportunity.” The year 2020 certainly has qualified as a year of both. COVID- 19, economic and job impacts, protests, riots and unrest would all qualify as danger or challenges for this year. On the other hand, the opportunities have been to work from home or anywhere, increased use and innovation of technology, Federal, state and local reassessments and improvements on handling a pandemic, an increase in medical supplies and equipment and, most importantly, a full review by businesses of their crisis management plan. The timeworn saying is that “if you fail to plan, you plan to fail.” Clearly, 2020 demonstrates that planning is the key to success for private citizens, families and businesses. Not only should businesses plan for opportunistic events, they must also prepare for adversity. Every business should have a crisis management plan in order to cope with the unexpected and often the financial burden of catastrophic events. Businesses, no matter the size, who have a documented crisis plan, have historically been better prepared to weather a crisis, both reputational and with considerably less of a financial burden. Unfortunately, many businesses do not plan for a crisis and are merely reacting instead of responding with their plan to an emergency. Others are even less concerned as they mistakenly assume that a crisis will not affect them or their business. The Alfred E. Neuman (MAD magazine) motto, “What Me Worry?” is a guaranteed recipe for adding another crisis when a crisis does occur. No business is immune to the potential devastation of crises, and companies today with limiting resources are specifically vulnerable to the cataclysmic costs of crisis events.
The Crisis Plan Starts with Identification of Risks
The first step in any crisis management plan is to identify the risk that makes the business the most vulnerable. For example, if the business is on the Gulf, then adding a hurricane to the list of identified potential risks would be a starting point, If multiple locations or units in a broad geographic area, vulnerabilities should be identified regionally. Below are several crisis categories to consider when formulating a business crisis management plan.
Management Crisis. A management crisis can be a violation of a rule, a law or a regulation by an employee or officer of the company. It can be a litigated matter against the company. It can be a reputational issue that management needs to address. It can also be a problem related to the board or the chief executive officer (CEO).
Business Events. Business events could include product recall, shortage or overstock of a product, loss of a sole supplier or a primary customer, product defect, lack of skilled labor, franchisee v. franchisor disputes or an industry downturn.
Disease or Epidemic. COVID- 19 is only one of the varying outbreaks that have occurred in the U.S. business market. Anthrax, West Nile, SARS, E. coli, H1N1, Ebola and Zika all have happened in the United States within the last 20 years. Businesses and governments need to add disease or epidemic to the crisis vulnerability list.
Human Resources. Within this category are areas that relate to employees (e.g., unions, layoffs, hiring practices, workplace violence, discrimination, diversity/inclusion, sexual harassment and labor trafficking).
Operational Events. Operational events involve utilities and power failures that occur for an extended period, governmental shutdowns that impede business operations, political changes (e.g., Brexit) and market investment fluctuations.
Technological. Technological crises may include such events as cyber hacking or ransom, information technology (IT) server shutdowns, cryptocurrency and the use of Bitcoin.
Nature. Nature crises run the gamut of flood, fire, hurricane, tornado, earthquake, hail, mudslide, frozen pipes or roof collapse due to excessive snow.
Human. The human crisis category is more difficult to define specifically as human nature can be unpredictable, Examples may include active shooter, riots, looting, criminal activity, trespass, attractive nuisance, terrorism, bomb threat, sabotage and arson. Note that not all exposures will, or even can be, identified. These should be identified as potential, real risks the business can reasonably believe could occur. The business needs a plan of action to address possible incidents, and not ALL incidents can be foretold. Once identified, the crisis plan process can begin. While the likelihood of a crisis destroying a business tends to be remote, the chances increase dramatically when one of the categories of crisis occurs. The impact will be a disruptive event to the company and its employees, customers, operations and, importantly, the entity’s financial health. A crisis management plan involves identifying and minimizing the impact of an unexpected exposure crisis in the company’s life cycle.
Building the Crisis Response Team
As part of the crisis management plan, internal and external teams need to be identified to respond to each event that may arise. The crisis management team has a responsibility to manage catastrophic events and ensure that their role and responsibilities are carried out according to the crisis management plan. Many organizations have crisis management plans, trained teams and have established protocols and resources for crises. Several crisis teams may be established within the organization so that their expertise and specialization can provide leadership depending upon the type of critical situation. For example, if a cyber breach occurs, IT would be required, but not operations or accounting. Within the company, members of the crisis team could include risk management, communications, legal, quality control, security, operations, accounting, finance, IT and human resources. A crisis team job description should be developed for each team member, including roles, responsibilities, authority (decision making and financial) and their designated backup employee. One of the most important aspects of choosing and developing the internal company crisis management team is that its members work as a single unit. Those chosen for the team must be proficient in their given area, be able to multi-task (including doing their day-to-day job and handle the crisis) and deal with the stress of significant disruption. They must also leave their ego at the door, step outside of their comfort zone and provide calm leadership in a turbulent time. The crisis management external team members will be those trusted service providers that the business has leaned into through the years and, perhaps, may need to get to know better. Insurance brokers, disaster recovery solutions companies, forensic accountants, environmental, safety and health consultants, security firms, local fire departments, emergency medical technicians (EMTs), police departments and public relations companies are just a few of the external team members needed to be successful. The time to build these relationships is not when the disaster occurs (or just has occurred), but before. Getting Master Service Agreements (MSAs), contracts, purchase order (PO) numbers and all the legalese out of the way before the crisis will expedite the crisis response. Once the ”paperwork” is done, the internal and external teams should meet at least once per year to assure all the members understand each of their respective roles before, during and after the crisis occurs. The use of a tabletop scenario (a practical what-if event) can be exceptionally helpful to garner ideas, identify additional resources needed and formulate solutions with the internal and external team members. During the teams’ gathering, dependencies and interdependencies should be carefully analyzed among the groups. The combined meeting is also the ideal opportunity to enhance and upgrade the crisis management plan. Input from all team members is valuable to address a crisis. Disasters and crises do not always arrive at an ideal moment in time. Nor do they happen during regular business hours. But when they do come unannounced, having a crisis plan and a crisis management team can make the schedule a lot easier.
Article originally published in NBIZ magazine, August 2020.