Emerging Trends and Early Lessons on Crisis Management and Business Resilience

Representatives from S-RM, Edelman and Krizo discuss their views on crisis management, cyber security and reputational risk management in the face of COVID-19.

Contributors:

From left to right:

John White, Head of Resilience Advisory, S-RM (UK)

Billy Gouveia, Senior Managing Director of Cyber Security, S-RM (US)

Jamie Singer, Senior Vice President, Crisis & Risk Management, U.S. Data Security & Privacy Group, Edelman (US)

Magnus Josias, Co-Founder & COO, Krizo (Denmark)

Q: How would you define a crisis?

John White

Our industry is rife with definitions of the term “crisis”, both academic and operational. More often than not, in an attempt to cover every possible concept of a crisis these definitions become unwieldy, sound too technical, and don’t land well in the boardroom.

As an example:

• ISO 22 300 suggests that a crisis is “an unstable condition involving an impending abrupt or significant change that requires urgent attention and action to protect life, assets, property or the environment”.
• NFPA 1600 defines a crisis as “an issue, event or series of events with potential for strategic implications that severely impact, or have the potential to severely impact, an entity’s operations, brand, image, reputation, market share, ability to do business, or relationships with key stakeholders”.

Looking further afield the dictionary offers some alternatives which are more accessible to the non-technical reader, suggesting a crisis to be:

• A time of great disagreement, confusion, or suffering.
• An extremely difficult or dangerous point in a situation.

• A stage in a sequence of events at which the trend of all future events, especially for better or worse, is determined.

So, lots to choose from. Ultimately I’m a fan of simplicity so if pushed to define I’ll simply say:

For me, if it doesn’t pose a material threat to the viability of the thing in question it’s not a crisis. An emergency perhaps, maybe an incident or a continuity event – but the term crisis should really be reserved for those most unique and challenging problems.

Q: How has crisis management technology evolved over the last 10 years, and what benefits do you see modern technology offering large organisations when it comes to crisis management and preparation?

Magnus Josias

Over the past decade, while organisations have put an emphasis on digitising all aspects of their businesses, resilience and security have lagged behind. 10 years ago, it was normal for even large organisations to store all their crisis management (CM) and business continuity (BC) plans in paper form e.g. in binders on a shelf. Between 2010-2015 we saw a shift where CM and BC plans were moved from the dusty binders onto Word and PDF documents often placed on different shared drives across the organisation. Today we are seeing organisations being more proactive, moving towards a unified resilience set-up where planning, response, recovery, and exercises are gathered on one platform specially built for that purpose. 

However, currently large organisations in particular have too many applications in their IT infrastructure. This issue flows into the management of critical incidents and crises where I often experience companies using too many different tools for crisis response. Some employees are using WhatsApp, some are using MS Teams and others are communicating via Email and text. Having a dedicated tool for crisis management will provide organisations with a “single source of truth” during incidents, enabling them to respond faster and more efficiently as a team and collaborate across the organisation.

Another advantage of a crisis management tool is the automated creation of an audit trail. The audit trail can be used not only for the Post Incident Report (PIR), but also for any insurance, legal or other auditing purposes. Organisations can save abundant resources by using an overarching platform which gathers all data in one place. This makes it easier to keep optimising their preparedness and response capabilities.

Q: How have changed working conditions under COVID-19 challenged crisis management teams’ ability to coordinate an effective response?

Billy Gouveia

In terms of cyber security, establishing out-of-band communications has become more important than ever. If an organisation’s email network is compromised and a threat actor has eyes on their email traffic, the company won’t be able to use their email network to coordinate a response to the crisis. In a ransomware event, a company’s entire corporate network may no longer be operable. Given these challenges, we've seen a lot of organisations really struggle to bring together the right people to oversee the response. Senior executives tend to be quite accessible, but it may be more difficult to contact the network administrator if you don't have access to email or your company's Teams or Slack platform, for example. We’ve even had clients resort to looking key contacts up in the phone book. It can take hours to bring the right people together if the company is not prepared correctly. 

So, my recommendation is to think through your communication protocols. If you can't communicate as you normally would, what out-of-band communication channels do you have in place? I would encourage companies to look through all their plans, think about the communication groups they need and to set those up now so that you're not trading off time in the midst of the response itself.

Magnus Josias

COVID-19 has accelerated digital maturity in most organisations. Suddenly, thousands of employees were forced to work from home – including members of the business continuity and crisis management teams. One recent report from McKinsey points to some of changed practices including an increase in remote collaboration and the use of technologies in decision-making. Both points are directly related to crisis management as both collaboration and decision-making are key aspects in any crisis response. Unless organisations have an ambitious digital strategy, simply deploying a digital tool for crisis management is not likely to meet the expectations from both regulators and customers when it comes to the speed and quality of a crisis response.

John White

Remote and decentralised working conditions have challenged many crisis planning assumptions. Organisations, more than ever before, now find their crisis teams distributed geographically across locations and even nations. We need to consider whether questions like “how long will it take us to reach the crisis room?” are still relevant when the act of getting to the crisis room wastes precious response time.

The natural next question is then “how do we do this remotely?” Here at S-RM we are pioneering the use of remote crisis management technology to both prepare for and respond to real world events. It’s true there is no substitute for in person meetings, but it is a fundamentally flawed observation to suggest that remote working is simply less effective. Many of the tools we are now using increase collaboration and improve preparedness. Each option has strengths and drawbacks.

Q: What are some of the early lessons learned in terms of reputational risk, when it comes to corporate responses to the pandemic?

Jamie Singer

The pandemic has been a wakeup call for many organisations in terms of communications response and crisis preparedness. One of the biggest lessons has been seeing how one crisis can lead to another. From a reputational and communications perspective, what we've really seen test organisations’ crisis resiliency is not just how they respond to the acute public health issue at play, but how the pandemic has intersected with other key issues.  

For example, we've seen powerful intersections with the racial justice and Black Lives Matter movements. In the US in particular, companies are grappling with reputational questions around whether or not to allow employees to wear masks with BLM slogans on them, and how can they protect their frontline workers’ safety, knowing that for many industries a disproportionate number of those frontline workers are also people of colour. Another example of intersecting issues relates to the financial impacts of the pandemic. How do you communicate about restructurings and layoffs in this environment? This is especially complex for those companies that are also providing essential services.

Q: Have you seen any organisations find opportunities in the current environment? Have we observed any positive changes?

John White

If we look back over the last six months, some sectors have done very well. Businesses focused on the provision of online services and retail have typically been more successful than their “real world” counterparts. In the UK, the large supermarkets who were already gearing up for a shift to the online marketplace are doing well. Similarly, many technology companies – especially those facilitating remote working have thrived. As an example; in June this year the market capitalisation of Zoom was greater than the combined market capitalisation of all four of the largest airlines in the US. This statistic, of course reflects not only the growth of Zoom but equally the contraction and challenges faced by the airline industry.

Around the world, what we're seeing in terms of growth is offset by challenge in other sectors. It is not the case that the market globally for products and services has grown, it's just changed. In the UK, household names like John Lewis and Marks & Spencer have both announced significant store closures and tens of thousands of potential job losses. This is not happening in isolation of other events; it is a reflection of growth in firms like Amazon and other online retailers and something being expedited by the current COVID-19 situation.

From a crisis management perspective, there are seismic shifts going on in terms of global supply chains, consumer behaviour and the ebb and flow of money in and around business.  It's important to look one level past your nearest supplier to make sure that any of the assumptions that your plans are based on still stand true, because there's a lot of change going on.

Jamie Singer

Some organisations have turned the pandemic into an opportunity to do things differently. From a crisis management perspective, we've been working with several global organisations to help them evolve their historically reactive, siloed approaches to crisis communications to a more proactive issues management stance. For example, in order to get ahead of narratives around concerns about employee safety, we’ve seen companies be more proactive and transparent within their own channels about what they're doing to keep employees safe, how they're making investments to secure more PPE and how they're prioritising customer safety. This has helped them recognise the importance of not only triaging the immediate fires in front of them on a given day, but also looking around the corner of the pandemic in a global and more coordinated way. Convening groups or task forces dedicated to long-term scenario planning has been an effective tactic for organisations in this environment to take a more proactive approach to risk mitigation, rather than previous models of risk avoidance.

Q: While crisis managers and team leaders have been so focused on responding to the pandemic, are organisations in danger of neglecting other issues?

John White

I wouldn’t use the word “neglecting”, because that implies a deliberate ignorance of the issues.

If I reflect back to the work we were doing in November or December last year, we weren’t working with clients who had plenty of spare capacity – everybody already had a long list of key risks to deal with. Then the pandemic happened. We work with many familiar brands, each of whom have great crisis teams – nevertheless, for the first few months of the pandemic at least, these teams have been working on overdrive because they were responding to something they didn't really have a specific plan for.

Most plans assume an incident will happen somewhere, and the default assumption in these plans is that if I can't get something or do something in one place I will try and do it somewhere else. But COVID-19 is happening everywhere, in different ways, all the time – and that presents a new problem. One of the conversations I'm having at the moment with my clients is all about “how do you continue to keep all the things you were already concerned about fresh in your mind with everything else that’s going on?”

For many crisis leaders the thought of another large scale crisis exercise makes them want to run for the hills, having been in crisis mode for so long. Nevertheless, the risk environment we were preparing for last year hasn't changed. All those things we were concerned about last year are still there, and we need to set an expeditionary mindset to look at how we can keep ourselves fresh, keep our people trained, but do so in a way that doesn’t further push the fatigue many of us are already feeling.

Q: What are some of the second-order risks brought on by the pandemic, or operational risks that pre-date it, that crisis and leadership teams should be keeping fresh in their minds?

Billy Gouveia

Certainly, cyber security should stay front of mind, especially as cyber threats can flare up during periods of uncertainty and confusion . Cybercriminals will look to exploit this. Looking back at the last several months, I would break cyber threat actor activity down to three distinct phases.

The first has been opportunistic and messy. In the early days of the pandemic, we saw a lot of COVID-19 themed phishing campaigns taking place. These were efforts by cybercriminals to harvest as many credentials as possible in a fast-changing environment, capitalising on the fear, doubt and uncertainty as populations globally were first adjusting and adapting to new working conditions, for example.

The second stage was a lot more deliberate and a lot more surgical, and by that I mean that we witnessed a real rise in email compromise and fraud, such as redirected wire payments and the likes. This was while companies were still adjusting to a new operating model and didn't have the right controls in place yet to validate payments and other activities of this kind. There is a link here to the phase one attacks, because by getting inside the email network of a company with some of those stolen credentials, the threat actor could impersonate a CFO, for example, and ask for a payment to be redirected.

The final stage, which has just been emerging over the last month or so, is the most worrisome. It’s the return to “big game hunting”, demonstrated by a resurgence in large scale ransomware attacks. In terms of number of attacks, these haven’t necessarily reached pre-pandemic levels yet, but certainly in terms of the amounts of ransom demands which are as high as ever. In the last few weeks we’ve seen a series of demands ranging from USD 5 to USD 50 million. The threat actors are clearly building on those first two phases, and are trying to capitalise on them in a really big way.

John White

Last year, for the first time, the top five long-term risks that organisations were concerned about according to the World Economic Forum were all related to the environment. Indeed, 2019 saw billions and billions of dollars’ worth of losses associated with climate and other natural disaster-related events. This is a trend that is going to become more frequent and severe both within the foreseeable future, but also well within the planning horizon that most organisations should be working toward.

Consider the implications, for example, of a typhoon in Asia or a hurricane in the US making landfall at the same time as healthcare systems are desperately trying to cope with the challenges of COVID-19. What will that scenario mean for your business? How robust are your planning assumptions in a situation like that?

We are now also experiencing the first ripple of the existential economic changes caused by the pandemic. What does that mean for your supply chain? What does that mean for your workforce? What does that mean for the budgets that you have available to do scenario planning to address these risks? Are you going to feel more compelled to kick the can down the road? Is your executive leadership team informed enough to understand exactly what doing so might mean for the company’s balance sheet? What is the level of uncertainty that your organisation is prepared to accept?

There aren’t necessarily clear answers to these questions, but they are conversations that I strongly advise organisations to start having.

Q: What are some of the emerging trends you foresee when it comes to crisis management training and exercising in particular?

Magnus Josias

I think crisis exercises are going to take on a digital format in the coming years. If organisations are already leveraging technology for their crisis response capabilities it only makes sense to do the same with exercises , and train using the same tools you would use to respond to the actual crisis. Just as with the actual crisis response, crisis exercises are being conducted in a digital format that will prepare the participants for leveraging technology in their crisis management. Using a digital tool for training and exercising will tremendously increase efficiency, especially when it comes to the scenario and run sheet development, exercise facilitation, and post-exercise reviews.

John White

I have always been an advocate of the idea that the more human interaction you can get in the planning process, the better off you are. I would rather have some experienced people with a few guidelines responding to an incident, than some inexperienced people following an extensive and exhaustive plan. But, ultimately, planning and experience need to work hand in hand. I would never advise throwing away the plan, while equally I don’t think I’ve ever spoken to anyone who, when crisis hits, has immediately pulled out the plan and said “Okay, what does it say on page one?”

So, when you think about training, it’s important to keep in mind what it is you’re trying to achieve. Ultimately, you’re trying to bring the contents of the plan to life. We want to use exercising and training as a means of allowing people to rehearse the things they might need to do in a crisis situation in a safe environment. We provide all kinds of exercises and training services to our clients. For some organisations that are pretty new to this, a light touch approach works best. There's not much point in spending 60 minutes proving to someone that they aren't ready to manage a crisis. Conversely, with a really mature organisation, we want to do everything that we can to simulate a highly realistic crisis environment. That means simulating the chaos and the uncertainty of information flow, the pressure to make decisions and the speed with which things evolve.

Q: How will approaches to cyber security management change, if at all, in the wake of COVID-19?

Billy Gouveia

First of all, if I were hiring a Chief Information Security Officer (CISO) today, the first thing I'd ask her is about her approach and experience to securing a remote workforce. I don't think that this dynamic is going anywhere, but alongside that we’ve witnessed a really rapid digital transformation. The pandemic has driven, or accelerated, a “cloud first” mentality everywhere. That changes how we focus our attention as cyber security professionals. We now need to make sure that the configurations are done in a secure manner, we need to think through the data supply chain and understand who should be connected to what and how that is achieved securely. The complexities of this process mean that you have to pay more attention to risk and what you can do to decrease the likelihood of a cyber incident and its impact. One component of that is making sure you have strong cyber incident response capabilities in place so that you are able to react very quickly to whatever happens.

However, I think one of the broadest shifts the pandemic has introduced is the adoption of a “zero trust” mentality.  “Zero trust” is a model more than it is a technology, which assumes that attackers are already inside and outside your network and it doesn’t automatically trust users or machines. We see this manifest in processes like multifactor authentication and other mechanisms which continuously verify and authorise users accessing certain data. Ultimately, if you adopt a mindset of not trusting anyone, it's a great starting point for rethinking the way that you secure your data. And I don’t think the need to adopt that mindset is going away.

Q: What are the tangible steps organisations can take today in this “new normal” environment to enhance their resiliency and their preparedness going forward?

Jamie Singer

This is an opportunity to do a refreshed gap analysis on your crisis teams, your crisis plans and your crisis training. This means making sure you have the right people at the remote table, that you have clear quarterbacks and captains, and that individuals understand their roles and responsibilities.

Two areas that I would encourage all companies to think about right now are whether there is a communications plan for the likelihood of increased litigation in this environment - whether it's related to wrongful termination or wrongful death - and how the acceleration of digital transformation by the pandemic is going to create more reputational risk in the area of data privacy and security, especially when you look at the healthcare and financial industries.

Having a really targeted focus on scenario planning and preparedness is also important. This is not the moment to put off that simulation that you were hoping to do in person. Do it now in a remote capacity, because this is how your team is going to have to operate. Finally, make sure that the C suite is involved as part of those trainings. The CEO is now expected to be the “Chief Empathy Officer.”  When you have people tragically dying from COVID-19 or at the hands of racial injustice or inequities, training CEOs to be able to communicate in a crisis with empathy and humanity is more important than ever.

Billy Gouveia

I would also consider the fatigue factor. Checking in with your teams is really important. The few times where I’ve seen clients in real distress, it’s always been after several days of experiencing a high-adrenaline response which collides with the personal stress brought on by the pandemic. So, as you’re collecting information relating to the event and coming up with your response plan, giving some careful thought to how you’re going to resource that plan and building in a healthy rotation is really important. The types of crises we’re talking about can’t be cured in 24 hours, so being realistic about your resourcing, and also checking in proactively and in a thoughtful way with your team, to figure out how people are holding up through it, are really key.

John White

If there is one thing I would recommend it is for organisations to focus on some near-term scenario planning. Scenario planning occupies the space in between the theoretical writing of lengthy plans and actual exercising.

It's not as resource intensive or as expensive as training and can be done virtually. The benefits of this are that it is a very quick way to check how comfortable you are in your ability to respond to some of the issues that may be coming around the corner. I would recommend feeding into that scenario planning some of the underlying changes that COVID-19 has placed on the business environment. Major catastrophes are usually a convergence of one or two or more unfortunate events. We know what one of those is already, so looking into your other scenario plans and factoring in how they are likely to be impacted by the ongoing COVID-19 crisis is really important.