​Crisis Overconfidence

A recent survey shows that many companies overestimate their crisis-response capabilities.

Comments Views

​Companies are overconfident about their ability to cope in a crisis, and executive leadership on the issue may also be sorely lacking in some organizations, according to a new report. Research by professional services firm Deloitte has found that nearly 60 percent of crisis management and other executives surveyed believe organizations face more crises today than they did 10 years ago.

They are not wrong. In the past two years, 80 percent of organizations worldwide have had to mobilize their crisis management teams at least once, with cyber and safety incidents topping the list of crises requiring management intervention. And the impact of a crisis on organizations is immediate: nearly three-fifths experienced a leap in customer complaints, usually on social media.

More than four in five respondents say their organizations have a crisis management plan in place. However, Deloitte's study, Stronger, Fitter, Better: Crisis Management for the Resilient Enterprise, has uncovered dramatic gaps between a company's confidence that it can respond to crises and its level of preparedness. It found that while nearly 90 percent of respondents are confident in their organization's ability to deal with a corporate scandal, only 17 percent have tested that assumption through a simulation exercise. Similarly, 70 percent of organizations are confident in their ability to manage a product recall, though only 22 percent have carried out a simulation exercise.

The survey, which included participation from more than 500 crisis management, business continuity, and risk senior executives across 20 countries, also found that organizations feel more confident in confronting some types of risks rather than others — particularly IT risks because they feature so prominently on risk agendas. For example, nine out of 10 respondents have fairly or very high levels of confidence in their organization's ability to tackle system failures, with similar numbers confident in their organization's ability to respond to regulatory and policy changes (89 percent), corporate scandals (88 percent), and cyberattacks (87 percent).

Deloitte's research found that experiencing a crisis teaches organizations to avoid them. For example, nearly 90 percent of organizations surveyed have conducted (largely internal) reviews following a crisis, and while these crises were not always foreseen, companies recognized that they might have been averted. As a result, organizations are now more likely to take action to forestall future crises.

Indeed, a crisis management response plan is critical. Deloitte found that nearly half of respondent organizations that did not have a plan in place saw their finances negatively impacted when a crisis struck. For those organizations with a plan, it was less than a third.

"Crisis management shouldn't start with a crisis — at this point it may already be too late," says Peter Dent, Deloitte Global crisis management leader. "With the rapid pace of change facing companies worldwide, and with crises on the rise, it is critical for organizations to be ready to respond with skilled leadership and plans that have been tested and rehearsed."

Crisis plans work best when the board and senior management are involved in shaping them and sponsoring them. And to secure their participation, the study's authors say that it is important to keep the plan relevant to them so that it addresses the issues that "keep management awake at night," such as the impact on reputation and the bottom line.  

Organizations should also ensure that they set up a crisis management plan specifically for the board, because when a crisis hits executives may need to play a very different — and more interventionist — role from normal. For example, if the crisis is causing significant damage to reputation, affecting share price, or resulting in regulatory sanctions or litigation, it may be up to the board to plan the company's continuity and survival. And in terms of succession planning, it may be appropriate to recruit board members with prior crisis management experience, Deloitte says.

Leadership commitment to crisis management is critical. But nearly a quarter of respondents cite the effectiveness of leadership and decision-making as one of the greatest crisis management challenges their organizations face. In fact, leadership commitment — or lack of it — was deemed to be the primary challenge for respondents, followed by effectiveness of teamwork, familiarity with the crisis structure/response process, and clarity of roles and responsibilities.

Part of the problem, Deloitte says, is that leaders are unprepared for crisis management. Therefore, organizations should establish a leadership structure for a crisis to help define roles and responsibilities, and training should be provided, particularly around communicating with stakeholders. Organizations should also identify the leadership styles of particular executives and managers, and work out who would be best placed to deal with certain aspects of the crisis response: in a high-pressure environment, leaders will tend to rely heavily on their most natural leadership style — which may not be suitable.

Deloitte's research found that crises often emanate from the actions of third parties such as suppliers and alliance partners, but at the same time, these third parties often play an important role in helping to manage and mitigate the problem. Recognizing this, 59 percent of respondents say that they participate in crisis exercises with third parties, examine third parties' crisis plans, or both. In Europe, the proportion is 80 percent.

As a result, the researchers say that companies should determine which outside organizations need to be in the fold when managing a crisis. These could include advisors such as lawyers, public relations firms, or specialist cyber defense organizations, as well as crisis advisors. In addition, they say, critical service providers, joint venture partners, resellers, distributors, and any other entity that could trigger a crisis (or be affected by it) should be involved in crisis preparations too.

The report adds that — depending on the scenario — these outside parties should also be included in simulations and exercises where appropriate, and should also share their contingency plans and provide regular updates on response readiness. Companies should stress the benefits of such collaboration, and even consider stipulating in contracts and agreements that such information should be shared.

"Crises aren't inevitable," Dent says. "Many of them are avoidable, which is why smart business leaders invest in crisis management capabilities. These strengths can help their organizations avoid costly, and sometimes irreparable, damage to finances, employee morale, brand, and reputation."

Neil Hodge
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to remove comments.

About the Author

 

 

Neil HodgeNeil Hodge<p>​Neil Hodge is a freelance journalist based in Nottingham, U.K.</p>https://iaonline.theiia.org/authors/Pages/Neil-Hodge.aspx

 

Comment on this article

comments powered by Disqus
  • Gleim_Oct2018_Premium 1
  • IIA CERT CIA_Oct2018_PRemium 2
  • IIA CIALS_Oct2018_Premium 3