What Is Crisis Management?
Crisis management refers to the identification of a threat to an organization and its stakeholders in order to mount an effective response to it. Crisis management helps an organization and its stakeholders perceive threats and mitigate them with predetermined methods. It’s equal parts diagnostic, vigilance, and action — often within a compressed timeline. Decisions have to be made quickly and definitively. But until the unforeseen — yet inevitable — crisis occurs, all the organization can do is plan ahead.
Crisis management is essentially about making a plan, one that anticipates the unpredictability of world events and the dependability of the organization. In short, a solid crisis management plan expects the unexpected.
No organization is immune to a potential crisis. From the quaintest mom-and-pop shop to blue-chip, Fortune 500 companies, each has inherent vulnerabilities that, when the right (or wrong!) circumstances arise, can balloon into a full-blown crisis. With each situation comes material costs to the organization, whether in the form of property damage or lost sales. There are also intangible costs such as reputational damage, which can take years to reverse. The organizations that survive these crises are the ones that are prepared.
Understanding Crisis Management
Due to the unpredictability of global events, many modern organizations attempt to identify potential crises before they occur in order to sketch out plans to deal with them. When and if a crisis occurs, the organization must be able to drastically change course in order to survive.
The COVID-19 crisis that began in early 2020 can be expected to become a textbook example of crisis management. Businesses around the world were forced to shut their doors. Millions of employees were sent home. Essential services struggled to function. History will judge how effective the powers-that-be were in their crisis management skills.
Any business, large or small, may run into problems that negatively impact its normal operations. A crisis can take many forms. Businesses that put a continuity plan in place in case of unforeseen contingencies can mitigate the effects of a negative event. The process of having a business continuity plan in place in the event of a crisis is known as crisis management. Crisis management is not necessarily the same thing as risk management. Risk management involves planning for events that might occur in the future; crisis management involves reacting to negative events during and after they have occurred.
Why Does Crisis Management Matter?
For a variety of reasons, some organizations still adhere to the old adage “If it ain’t broke, don’t fix it.” However, the best time to hatch tomorrow’s plan isn’t today but yesterday. And certainly well before something’s “broke.”
Letting people know there is a plan in place for dealing with a crisis can help provide a level of confidence. Planning ahead may save the company if a crisis occurs. If not managed properly, a crisis can negatively impact an organization’s image, reputation, stability, and future. It could also open it up to legal liability, lawsuits, and litigation. Insurance premiums may go up while employee morale dips down.
Types of Crises
A crisis can either be self-inflicted or caused by external forces. Examples of external forces that could affect an organization’s operations include natural disasters, security breaches, or false rumors that hurt a business’s reputation.
Self-inflicted crises are caused within the organization, such as when an employee smokes in an environment that contains hazardous chemicals, downloads questionable computer files, or offers poor customer service that goes viral online. An internal crisis can be managed, mitigated, or avoided if a company enforces strict compliance guidelines and protocols regarding ethics, policies, rules, and regulations among employees.
A financial crisis occurs when a business loses value in its assets and the company can’t afford to pay off its debt. Typically, this is caused by a significant drop in demand for the product or service.
In these cases, the company must move funds around to cover immediate short-term costs. Then, they’ll need to reanalyze their revenue sources to look for new ways to generate long-term income as well as increase their margins.
Personnel crises occur when an employee or individual who’s associated with the company is involved in unethical or illegal misconduct.
Whether it’s within the workplace or an employee’s personal life, these situations can result in a serious backlash against the company. Since the organization employed or supported this individual, its lack of judgment is reflected onto the company’s reputation.
In these cases, it is important to examine the scope of the situation, determine appropriate disciplinary action, and if necessary, provide a written or verbal statement. It’s important to first fully evaluate the situation and determine how severely the individual violated company values.
If the situation has drawn media attention, it is critical to be transparent and provide information and actions being taken with media outlets.
Organizational crises are situations where the company has significantly wronged its consumers or employees. Rather than creating mutually beneficial relationships, these businesses use their customers as a means of benefiting the company, or abuse their employees to “save face.”
The three types of organizational crises are:
Crisis of Deception: This type of crisis occurs when a company knowingly lies about public-facing product information or tampers with public-facing data.
Crisis of Management Misconduct: This type of crisis is a result of management willingly and knowingly engaging in illegal activities. Examples of misconduct include withholding information, exploiting customers, and misusing managerial powers.
Crisis of Skewed Management Values: This type of crisis results when senior leadership emphasizes short-term financial gains over social responsibility and neglects the interests of stakeholders, customers, and employees.
In today’s tech-driven age, businesses heavily rely on technology to perform day-to-day functions. So, when that technology crashes, they have a lot more to worry about than a few missing emails. Ecommerce sites and software companies can lose millions of potential leads if their servers suddenly break. That’s not only a huge loss of potential revenue, but it’s also a major hit to the product or service’s reputation.
The first step to managing these crises is to work with the IT department or a tech provider to resolve the issue immediately. The concern should be to prevent the issue from affecting any more customers. Once software is back online, the next step is to work to determine what happened to the system and set up safeguards to prevent it from occurring again.
While it may be rare, natural disasters like hurricanes, earthquakes, and tornados can make a significant impact on business. The best way to handle natural crises is to be proactive. Build the office in a structure that’s resilient to weather and prepare an evacuation plan in the event of an emergency. It will also help to prepare a contingency plan for business operations in case offices become unavailable.
A confrontation crisis can arise in any number of ways. Employees may fight. A disagreement may spiral out of control amongst senior leadership. Or, public discontent with the company can result in a public outcry. In all cases, the parties involved are looking to get their demands met. This may result in a public boycott or resignations en masse.
To handle a confrontation crisis, first validate the concerns of those who are confronting the company. It’s important to recognize that if they were led to this point, the issue must be significant. Next, review the demands, if any, that the parties have issued. Can change be affected that results in those demands being met? If not, then carefully and tactfully state those reasons. If the confrontation crisis is happening internally, use conflict resolution skills to defuse the situation before it escalates further.
Workplace Violence Crisis
A workplace violence crisis occurs when a current or former employee commits violence against other employees. Unfortunately, these crises can come on suddenly, and it could be difficult to act before it escalates further or becomes fatal.
The best course of action, especially when de-escalation isn’t possible, is to involve law enforcement as quickly as possible. If an employee was harmed, send the employee immediately to the nearest hospital to get medical help.
Crisis of Malevolence
A crisis of malevolence occurs when a company’s opponents use criminal or illegal means to destabilize a company, harm its reputation, extort it, or even destroy it. Examples include tampering with a company’s product to create large-scale harm, using a company’s products in illegal or unaccepted ways, or hacking into a company’s system to steal encrypted data.
General examples of this type of crisis include cybersecurity threats, hacking, kidnapping, spreading of false rumors, and product sabotage — all with the objective of harming an organization, its stakeholders, and its public image. When dealing with a crisis of malevolence, securing employees’ and customers’ safety is the first priority— whether by involving law enforcement, patching a cybersecurity risk, or recalling a product that has been tampered with. Next, address the perpetrators, when possible, through legal means.
Five Parallel Paths to Resolution
It helps to think of a crisis in terms of “primary threats” (the interrelated legal, technical, operational, and financial challenges that form the core of the crisis) and “secondary threats” (reactions by key stakeholders to primary threats). Ultimately, the organization will not begin its recovery until the primary threats are addressed, but addressing the secondary threats early on will help the organization buy time.
When a crisis hits (or is about to hit), one of the first actions should be to create a cross-functional team to construct a detailed scenario of the main primary and secondary threats, allowing the company to form early judgments about which path the crisis may travel. This helps the organization set out major decisions it needs to make quickly and is the first step toward wresting back control—improving the headlines of tomorrow, rather than merely reacting to the headlines of today.
While it is rare to get everything right at this stage, it is equally rare to get most of the second-order effects wrong. People are innately overoptimistic, of course, as we know from work on cognitive biases, but even being half right about how things will unfold is valuable at this early stage. It will provide a strong basis for tackling the five broad issues we see as critical to the outcome of a crisis: controlling the organization, stabilizing stakeholders, resolving the immediate primary threats, repairing the root causes of the crisis, and restoring the organization over time. While all five need to be started early, they will likely require different levels of emphasis at different stages.
Control the organization
Normal rules for how the organization operates get torn up quickly in a crisis. Informal networks founded on trust and the calling in of favors can dominate over formal organizational reporting structures. Those previously opposed to the status quo can quickly become vocal, sparking a turf war and delaying action. Some key executives may themselves be implicated and unable to lead the response. Managers may start executing an uncoordinated set of actions with the best of intentions but incomplete or inaccurate information. No longer able to build consensus, they end up with unwieldy organizational structures that have dozens of decision makers around a table, with the result that the effort becomes dispersed and disconnected.
All this explains why an effective crisis team is central to mounting a satisfactory response. The best crisis organizations are relatively small, with light approval processes, a full-time senior leader, and very high levels of funding and decision-making authority. The team should be able to make and implement decisions within hours rather than days, draw a wall of confidentiality around the people who are responding, and protect those not involved from distraction in their day-to-day activities.
A common error is to choose an external expert as leader of the company’s crisis response. External hires typically struggle to motivate and organize the company in a crisis situation. The right leader usually will be internal, well known, and well regarded by the C-suite; will have served in an operational capacity within the industry; and will enjoy strong informal networks at multiple levels in the company. He or she should possess a strong set of values, have a resilient temperament, and demonstrate independence of thought to gain credibility and trust both internally and externally.
The ideal crisis organization includes a set of small, cross-functional teams, typically covering planning and intelligence gathering, stakeholder stabilization, technical or operational resolution, recovery, investigation, and governance.
In the first phase of a crisis, it’s rare for technical, legal, or operational issues to be resolved. At this stage, the most pressing concern will likely be to reduce the anger and extreme reactions of some stakeholders while buying time for the legal and technical resolution teams to complete their work.
For instance, an emergency financial package may be necessary to ease pressure from suppliers, business partners, or customers. Goodwill payments to consumers may be the only way to stop them from defecting to other brands. Business partners might require a financial injection or operational support to remain motivated or even viable. It may be necessary to respond urgently to the concerns of regulators.
It’s tempting and sometimes desirable to make big moves, but it is tough to design interventions that yield a tangible positive outcome, from either a business or a legal standpoint. What usually works is to define total exposure and milestones stakeholder by stakeholder, then design specific interventions that reduce the exposure.
Resolve the central technical and operational challenges
Many crises (vaccines in pandemics, oil wells during blowouts, recalls in advanced industries) have a technical or operational challenge at their core. But the magnitude, scope, and facts behind these issues are rarely clear when a crisis erupts. At a time of intense pressure, therefore, the organization will enter a period of discovery that urgently needs to be completed. Frequently, however, companies underestimate how long the discovery process and its resolution will take.
Companies’ initial solutions simply may not work. One manufacturer had to reset several self-imposed deadlines for resolving the technical issue it faced, significantly affecting its ability to negotiate. Another company in a high-hazard environment made multiple attempts to correct a process-safety issue, all of which failed very publicly and damaged its credibility.
It’s best, if possible, to avoid overpromising on timelines and instead to allow the technical or operational team to “slowdown in order to speed up.” This means giving the team enough time and space to assess the magnitude of the problem, define potential solutions, and test them systematically.
Another frequent problem is that the technical solution, mostly due to its complexity, ends up becoming a black box. To avoid this, technical and operational war rooms should have an appropriate level of peer review and a “challenge culture” that maintains checks and balances without bureaucratic hurdles.
Repair the root causes
The root causes of major corporate crises are seldom technical; more often, they involve people issues (culture, decision rights, and capabilities, for example), processes (risk governance, performance management, and standards setting), and systems and tools (maintenance procedures). They may span the organization, affecting hundreds or even thousands of frontline leaders, workers, and decision makers. Tackling these is not made any easier by the likely circumstances at the time: retrenchment, cost cutting, attrition of top talent, and strategy reformulation.
For all these reasons and more, repairing the root cause of any crisis is usually a multiyear exercise, sometimes requiring large changes to the fabric of an organization. It’s important to signal seriousness of intent early on, while setting up the large-scale transformation program that may be necessary to restore the company to full health. Hiring fresh and objective talent onto the board is one tried and tested approach. Other initiatives we’ve seen work include the creation of a powerful new oversight capability, the redesign of core risk processes, increased powers for the risk-management function, changes to the company’s ongoing organizational structures, and work to foster a new culture and mind-set around risk mitigation.
Restore the organization
Some companies spend years of top-management time on a crisis, only to discover that when they emerge, they have lost their competitiveness. A large part of why this happens is that they wait until the dust has settled before turning their attention to the next strategic foothold and refreshing their value proposition. By this stage, it is usually too late. The seeds for a full recovery need to be sown as early as possible, even immediately after initial stabilization. This allows the organization to consider and evaluate possible big moves that will enable future recovery, and to ensure it has the resources and talent to capitalize on them.
Much of the training top executives receive around crisis management is little more than training in crisis communications—only one part of the broader crisis-response picture.
Companies—and boards—should consider clearly defining the main “black swan” threats that may hit them, by conducting regular and thorough risk-identification exercises and by examining large crises in other industries as well as in their own. Once they do this, they should lay out, for each threat, what the trigger may be and how a hypothetical scenario for a crisis might unfold, based on patterns of previous crises. This allows the company to examine critical areas of weakness across the organization, and to consider what actions could offset them. For instance, should the company consider revisiting terms and conditions for key suppliers and building in a “cooling period,” rather than being forced to change the terms of accounts receivable in the heat of the moment? What other measures would provide short-term liquidity and steady the ship financially? Should the company invest in an activist-investor teardown exercise to assess key vulnerabilities that may surface in the midst of a crisis?
Once such an assessment is complete, the company should train key managers at multiple levels on what to expect and enable them to feel the pressures and emotions in a simulated environment. Doing this repeatedly and in a richer way each time will significantly improve the company’s response capabilities in a real crisis situation, even though the crisis may not be precisely the one for which managers have been trained. They will also be valuable learning exercises in their own right.
Risk prevention remains a critical part of a company’s defense against corporate disaster, but it is no longer enough. The realities of doing business today have become more complex, and the odds of having to confront a crisis are greater than ever. Armed with the lessons of the past, companies can prepare in advance and stand ready to mount a robust response if the worst happens.
Crisis Management Plan
A crisis management plan (CMP) outlines how to respond to a critical situation that would negatively affect an organization’s profitability, reputation or ability to operate. CMPs are used by business continuity teams, emergency management teams, crisis management teams and damage assessment teams to avoid or minimize damage, and to provide direction on staffing, resources and communications.
Public relations are often an integral aspect of the crisis management process. An organization may choose to enlist outside public relations help to handle communications aspects, such as dealing with the media. With a public crisis response, an organization can counter any misleading and false information and seek to ease concerns. If an organization resolves a crisis situation quickly enough, bringing the event to the attention of the public may not be necessary and could even bring unwanted attention.
Crisis management planning spans preparation, development of processes, and testing and training.
An effective CMP should tackle the following initiatives:
- Identify crisis management team members.
- Document what criteria will be used to determine if a crisis has occurred.
- Establish monitoring systems and practices to detect early warning signals of any potential crisis situation.
- Specify who will be the spokesperson(s) in the event of a crisis.
- Provide a list of key emergency contacts.
- Document who will need to be notified in the event of a crisis and how that notification will be made.
- Identify a process to assess the incident, its potential severity and how it will impact the building and employees.
- Identify procedures to respond to the crisis and emergency assembly points where employees can go.
- Develop a strategy for social media posting and response.
- Provide a process for testing the effectiveness of the crisis management plan and updating it on a regular basis.
Communication is key to getting through a crisis because it keeps all the necessary players, ranging from a single office to a global audience, informed. As the crisis develops and evolves, the organization should update its communications. During a crisis situation, employees look to management for leadership and guidance. Without the proper communication, people may speak or act erroneously. Lack of communication could also cause a safety issue.
An organization should designate a crisis communications team. All communications should be clear, concise and truthful. For the sake of speed, an organization could proactively draw up a template with potential scenarios, designate the appropriate channels for communication and then plug in the necessary information if the actual incident occurs.