Crisis readiness and response starts with prevention

While management has primary responsibility for the company’s crisis readiness and prevention, the board plays a critical role in understanding and overseeing the company’s efforts.

Crisis readiness has taken on increased importance and urgency for boards and management teams. The list of potential crises that companies can find themselves facing today looms large—from major product recalls, data breaches, and health scares to natural disasters, terrorist events, and ailing business leaders, to name just a few. And thanks to social media, the speed with which news of a crisis (accurate or inaccurate) can spread has been reduced to mere minutes, making the company’s ability to respond quickly and effectively to a crisis increasingly critical. As postmortem media reviews of numerous crises have demonstrated, when a company’s response is deemed to have fallen short, a question that is always asked is, “Where was the board?” This is particularly true in cases where a crisis was preventable, early warning signs were ignored, or the crisis was attributable to the company’s culture or tone at the top. The message for boards: Crisis prevention is integral to crisis readiness and response.

Crisis readiness and response starting with prevention

Continue reading or download PDF

While management has primary responsibility for crisis readiness and prevention, the board plays a crucial role in understanding and overseeing the company’s efforts—in particular: management’s crisis prevention activities; tone at the top, culture, and incentives; and the company’s crisis readiness, particularly whether it has a robust crisis response plan.

Crisis prevention. Crisis prevention goes hand-in-hand with risk management, as risk management involves identifying and anticipating risk events that could occur and become crises, and putting in place a system of controls to prevent such risk events and mitigate their impact should they occur. We are clearly seeing an increased focus by boards, particularly audit committees, on key operational risks across the extended global organization—e.g., supply chain and outsourcing risks, information technology and data security risks, etc. Among the questions audit committees are addressing with management are:

  • Does the company understand its critical operational risks?
  • What has changed in the operating environment?
  • Has the company experienced any control failures?
  • Is the company sensitive to early warning signs regarding safety, product quality, and compliance?
  • How sound are the company’s disaster recovery plans?
  • Is internal audit focused on the adequacy of controls around key operational risks?

Audit committees should probe to determine whether management has a sound system of controls in place to mitigate critical risks and avoid crises.

Tone at the top, culture, and incentives. While a robust risk management process is essential to avoid and mitigate risk events, it is not enough. Many of the crises that have done the most financial and reputational damage to companies have been caused by a breakdown in the organization’s tone at the top, culture, and incentives. As a result, boards are paying particular attention to these “capital R” risks, which may pose the greatest risk to the company. In today’s business environment, it is more important than ever that the board be acutely sensitive to the tone from, and example set by, leadership; reinforce organizational culture (i.e., what the company does, how it does it, including a commitment to compliance and the management of risk); and understand the behaviors that the company’s incentive structure may encourage.

Crisis readiness and response. A key role for the board is to work with management to develop and approve a robust crisis response plan tailored to the company’s specific risk profile, periodically engage in disaster rehearsal exercises, and test and refresh the crisis response plan as appropriate. A critical component of any crisis response plan is the communications protocol:

  • Who gets notified—the board, regulators, customers, shareholders and other stakeholders—and when?
  • What channels will be used to communicate internally and externally?
  • How will the company monitor and manage reputational issues—particularly via social media?

Even the best-prepared companies will experience a crisis—and there is rarely a perfect response. The ability to avoid disaster—and avoid mismanagement of the situation—will largely be determined by the effectiveness of the company’s crisis prevention efforts and crisis response plan.

Crisis readiness and response starting with prevention
Crisis readiness has taken on increased importance and urgency for boards and company management.