Crisis Proofing: A new approach to protecting your company

Most managers want to do what’s right for their organisation. Yet some struggle with exactly what needs to be done to protect against the reputational and organisational damage threatened by a crisis or major public issue.

In response to this challenge I have developed a new concept called Crisis Proofing, which focuses on the role of executive managers and the practical steps they can take to secure proper protection.

Research shows senior managers recognise that the best crisis management is to take steps to help prevent a crisis from happening in the first place. But how to do this? How to manage both preparedness and prevention? And what should remain in the executive suite and how much can be delegated downward?

Crisis Proofing has emerged to help answer such questions. And to help move the focus of crisis management leadership from tactics in the war room up to strategy in the board room. It’s introduced in the new book Crisis Proofing: How to save your company from disaster which spells out how the role of senior managers in crisis prevention and reputation protection has never been more important.

Yet many companies continue to leave crisis management in the hands of operational managers or technicians with little expertise beyond what to do when things go wrong. Corporate crisis management traditionally has a strong emphasis on tactical element such as crisis manuals, table top simulations and a well-equipped war room. However leading companies are now shifting from reactive crisis response to proactive crisis prevention and that demands a new involvement from the executive suite and the board.

But progress is slow. A global survey of board members published early in 2016 found that fewer than half of the non-executive directors reported they had engaged with management to understand what was being done to support crisis preparedness. And only half the boards had under taken specific discussion with management about driving crisis prevention.

The other key factor driving increasing senior executive engagement has been acknowledgement that most crises which threaten a company are not unexpected events but are, in fact, preceded by clear warning signals, which are frequently ignored. Together, these two factors – that most crises are not truly unexpected and that most are avoidable – fuel the move from the operational emergency context of the war room to strategic planning in the board room.

So what’s needed to help move management focus from crisis response to crisis prevention? One answer is the Crisis Proofing approach. Most managers aren’t looking for a textbook analysis, or yet another how-to manual on tactics. The new book Crisis Proofing is neither a textbook nor a manual. It’s an informal conversation at executive level which shows how responsibility for protecting the organisation lies absolutely in the C-suite.

It gives practical advice on how senior executives can provide participation and leadership from the top. And, faced with the fact that one in four organisations which suffer a major crisis going out of business, it provides a realistic blueprint for how to save your company from disaster.

Posted in Crisis management, Crisis Prevention | Tagged , , | Leave a comment

Data security – the crisis risk elephant in the room

If you’re ever tempted to doubt the impact of a data breach, just think about the hackers who leaked emails immediately before the US Democratic National Convention, which exposed the party machine’s bias against election hopeful Bernie Sanders.

There’s some question as to who engineered the hack. Maybe it was the accused Russians and maybe it wasn’t. But there is no question at all as to the reputational impact for the Democratic Party (which appeared to endorse the bias); for Chairwoman Debbie Wasserman Schultz (who was forced to resign); and for Presidential nominee Hillary Clinton (who had to wear the damage).

While not every data breach is so high profile, such security lapses are increasingly common and constitute a massive crisis risk for organisations of all sizes. Indeed the Australian Institute of Management recently reported 60 percent of IT professionals in Australia and New Zealand expect a cyber attack to affect their organisation this year, yet only 43 percent believe they are prepared for it.

Similarly, a new survey for Accenture found that a majority of security executives around the world (69 percent) had experienced an attempted or successful theft or corruption of data by insiders during the prior 12 months, and more than half (54 percent) indicated that their current employees are under-prepared to prevent security breaches.

While such worrying numbers are not exactly a surprise, they highlight that vulnerability to cyber-attack is a crisis risk which demands a higher level of management commitment and communication planning. (Look no further that the Australian Census debacle in the last issue of Managing Outcomes)

However, executive support often seems to be lacking. For example the PwC Cybercrime Survey last year found that fewer than half of the global organisations surveyed had a cross-organisation team which regularly convenes to discuss, coordinate and communicate about issues involving information security.

And, amazingly, the new Accenture study found that more than a third of the experts surveyed believed their executive management consider cyber-security “an unnecessary cost.” Sheesh. Tell that to Hillary Clinton. Or to the Australian Bureau of Statistics

We know from experience that companies which are not properly prepared to manage a crisis sometimes say “We are small and not likely to have a crisis.” The same dangerous mistake applies in spades to the risk of cyber-attack. A 2015 survey of small US businesses by Nationwide Insurance, found 63 percent said they had been attacked at least once. Meantime, in a survey by UK insurer Towergate, 82 percent of small business owners believed they were safe from a cyber-attack because “they didn’t have anything worth stealing.”

Oh Really? Forbes magazine recently warned this belief couldn’t be more wrong. In fact they said hackers often go after small companies, which may not be so well protected, specifically to worm their way into more valuable victims. Like when data thieves hacked into a small contractor to access records of 70 million customers of US retail giant Target.

So data security is the elephant in the room.  Everyone knows it’s there but sometimes it seems too big to tackle. Mark Twain famously said (or repeated): “Everyone complains about the weather, but nobody does anything about it.” The same might be said about data security as a leading crisis risk. However, unlike the weather, in this case you can do something about it, and you need to take action now.

Posted in Crisis management, Reputation risk | Tagged , , , , | Leave a comment

The Australian census crisis: what can we learn?

One of the highest profile organisational crises in recent times was last week’s disastrous failure of the Australian online census. The Bureau of Statistics website failed on census night, leaving millions of angry and frustrated citizens unable to submit their census information for almost 40 hours.

There are plenty of theories about what happened and who was responsible, but it’s still far too early to make a definitive assessment of exactly what went wrong. We should leave that to the slew of different inquiries and investigations which were rapidly announced.

However, there are already some important broad lessons for crisis managers everywhere about preparedness and prevention. An angry Prime Minister Malcolm Turnbull stated the blindingly obvious when he thundered: “Denial of service attacks are absolutely predictable.”

Of course they are, Mr Turnbull. In fact there could have been no more predictable crisis risk for the online census than a system melt-down. Yet the headlines are full of organisations which ignore the predictable and pay the price. What becomes obvious is that they often had no real plan for how to respond after those predictable crises struck.

Crisis management falls into two distinct categories of action – resistance and resilience. Resistance is the effort you make to try to prevent crises happening in the first place. Resilience is the steps you take to minimise the damage from a crisis, and to protect reputation. Organisations should be committing resources to both.

For the Bureau of Statistics, the minute the system failed, nothing they did or said could have prevented it being a major national crisis. The only uncertainty at that stage was how damaging the crisis would be and how long it would last. From the evidence so far it would seem that the planning and load testing was all about technical issues and not enough about how to explain a failure and how to minimise the fallout.

Effective crisis management demands a full communication contingency plan for the most likely and the worst case crises. A system failure is never “just an IT problem” and the Bureau’s apparent focus on system integrity for the census evidently left them dangerously vulnerable and unprepared when it came to communicating the nightmare scenario. The crucial question here is not what could go wrong and how can we prevent it, but what is our communication plan when it does go wrong?

Moreover, nightmare IT scenarios are certainly nothing new in major government agencies. Think no further than last December when China was blamed for a massive hack attack on the Bureau of Meteorology, which houses one of Australia’s largest super-computers. The predictable crisis risk was well captured by a headline in The Australian: “The hacking of the Bureau of Meteorology shows the vulnerability of all agencies.”

Yes, all agencies. Which brings us back to last week’s census debacle, where the political game began with the Opposition calling for ministerial resignations, and the Prime Minister warning that heads will roll. They were setting the scene for one of the brutal realities of post-crisis management. Investigations and commissions of inquiry are seldom primarily to find out what happened. Their real purpose is to apportion blame, and history shows that “poor communication” is a popular scapegoat.

The Bureau of Statistics didn’t just need load testing for the website. It needed load testing for the crisis communication contingency plan.

Posted in Crisis management, Crisis Prevention | Tagged , , , , , | Leave a comment

An issue management lesson from Lady Gaga?

Picking a fight with China can be dangerous. But singer Lady Gaga has shown how it can be done without creating fresh reputational risks for yourself, your organisation or your sponsors.

When she posted pictures of herself interviewing the Dalai Lama the reaction from China was swift and predictable. Chinese Netizens posted messages such as: “The way the Chinese feel is just like you were shaking hands with Osama bin Laden,” and the Beijing Government promptly banned the singer from visiting the country.

However she had only just been taken off the “list of hostile foreign forces” after a previous three year ban, which may reflect that she is reportedly the most popular Western singer in China. The issue management lesson for dealing with China was that Madam Gaga said nothing, and neither did her sponsor Shiseido, for which she is the face of the brand in Japan.

Contrast this with what happened just a few weeks earlier when cosmetics giant Lancôme (owned by L’Oréal) cancelled a promotional concert in Hong Kong by local pop star Denise Ho, a high-profile advocate for Hong Kong’s pro-democracy movement who recently posted photos of herself with the Dalai Lama. The concert was cancelled for “possible security reasons” after Chinese protesters called for a boycott of Lancôme products, including Listerine mouthwash. The company briefly closed down their stores across Hong Kong as a safety measure (and later dumped Ho from advertising for Listerine, claiming its marketing had “entered a new phase.”)
Unlike Lady Gaga’s model of restraint, Denise Ho reacted with a full-scale media assault on Lancôme, driving an online petition, publicly challenging management to justify cancelling the concert, and accusing them of “kneeling down in the face of a bullying hegemony.” Writing in the South China Morning Post under the headline “Lancôme has only itself to blame for public relations fiasco,” columnist Alex Lo called the singer’s response: “Fine words – and just about every international corporation’s nightmare.”

A nightmare indeed, and hardly new. Think no further than when film star Sharon Stone declared that the devastating Szechuan earthquake was perhaps ‘karma’ for China not being nice to her friend the Dalai Lama. In the face of a threatened boycott, luxury brand Christian Dior had to quickly apologise and remove the actress from their advertising in China. Or when Procter and Gamble’s SKII cosmetics faced similar criticism in China for choosing as brand ambassador a Taiwanese model who supported Taiwanese independence from the mainland.

We have no particular view about the Dalai Lama, or about the political status of Hong Kong or Taiwan. But such cases highlight the critical importance of choosing the right celebrity to endorse your company. Plus of course highlighting the challenge of dealing with Chinese sensitivity, and the risk to reputation when advertising sponsorships go wrong.

When it comes to managing issues in a highly politicised environment, Lady Gaga showed that – sometimes – the right response may not be to reach for a cleverly-worded media statement or a sharp social media riposte, but to maintain a dignified silence.

Posted in Issue Management, Reputation risk | Tagged , , , | Leave a comment

Organisations dropped the ball on McGuire football gaffe

It was no surprise to see broadcaster and football personality Eddie McGuire fumbling to disentangle himself from yet another self-inflicted disaster. But the case highlights the reputational risk to associated organisations when individuals overstep the mark, and their failure to effectively manage the issue.

It started during radio discussion about a charity event where Australian football personalities were to slide into freezing water. McGuire said he’d pay $20,000 to see high-profile sports journalist Caroline Wilson go down the slide, and would make it $50,000 “if she stayed under.”

His fellow football broadcasters guffawed and joined in the “joke,” but it all turned sour when commentators, anti-violence campaigners and politicians of all stripes piled on to condemn the comments. And to make it even worse, the broadcast coincided with football’s White Ribbon Round, designed to focus attention on combatting violence against women.

While McGuire is no stranger to controversy, it took him three attempts at an apology before he finally abandoned excuses and apologised unreservedly.

But as the outcry spread, it became a genuine test of issue management for the organisations drawn into the controversy, and few enhanced their reputation. Opposition Leader Bill Shorten cancelled a scheduled interview with the radio host, branding the comments “unacceptable,” yet the radio station simply said it “had discussion with those directly involved” and apparently saw no reason to take any action against their star.

The Collingwood Football Club, of which McGuire is President, said it took the issues raised by the comments seriously, but accepted McGuire’s apology and, rather surprisingly, used the opportunity to express its “complete and ongoing support for his position as President.”

Meanwhile CEO Gillon McLachlan of the Australian Football League condemned the comments but stopped short of punishing the men involved.  Which in turn triggered even more media and community outcry, given that in the very same week the League had fined a football coach $30,000 for criticising a match referee.

The only organisation to emerge with any dignity was carmaker Holden, a major sponsor of Collingwood, which categorically condemned the broadcast and announced it would be reviewing its association with the club. Holden subsequently said half their multi-million dollar sponsorship would be diverted to Collingwood’s women’s team and community programs.

For Caroline Wilson, the sometimes controversial journalist at the centre of the affair, what seemingly rankled most was her belief that McGuire was forced to apologise. “I think he had to be dragged to that point, kicking and screaming. He was, I believe, pressured to do so and I believe that he is not really sorry personally to me. But at least he’s sorry that he used that language and I think that’s a start.”

Her comments echo the headline on a New York Times essay by Deborah Sontag at the time of the Clinton/Lewinski scandal. “Too busy apologising to be sorry.”  For any organisation or individual facing a serious issue or a crisis, the best way to protect reputation may be to spend less time worrying about the timing and the wording of an apology and more time demonstrating in a meaningful way that they really are sorry.

Posted in Issue Management, Reputation risk | Tagged , , | Leave a comment

Is reputation really like a bank account?

Just about every communication professional has used or heard the expression that reputation is like a bank account.  You build it up in good times and draw from it when things go wrong. But is this attractive notion really as valid as it seems?

Risk guru Peter Sandman says it’s simplistic to accept that events which improve your reputation are deposits, events that damage your reputation are withdrawals, and that the objective is to maintain a healthy balance of “reputational capital.”

The snag is that the metaphor assumes everything is equal – that withdrawals and deposits are in common currency. If you deposit $1,000 worth of reputational credits and then withdraw the same amount in reputational damage (or vice versa) your reputation is somehow back at neutral.

In other words, it assumes that if a company does a whole lot of bad stuff, then doing an equal amount of good stuff will restore its reputation. However it doesn’t work like that.  Sandman argues that “good reputation” and “bad reputation” should be seen as separate variables which exist at the same time. Therefore, he says, if your positives are high and your negatives are low, you have a good reputation.  If your positives are low and your negatives are high, you have a bad reputation.

Yet do the public see it like that?  The problem here lies in assuming that good actions and bad actions are measured in the same currency. It has been proved over and again that years of positive reputation can be destroyed in days or weeks by unacceptable or improper behaviour. Just ask Warren Buffet. And there’s another problem too. When organisations behave badly and then keep repeating the same mistake, the reputational withdrawals are not just dollar for dollar, but multiply with accumulated penalty interest. In fact American academic Harlan Loeb describes what he calls reputational debt as “non-negotiable ballast” which can’t be traded or hedged and which can persist for decades.

So what is the right priority? The reality is that a bad reputation distinguishes an organization from the rest of the pack a lot more than a good reputation does. Reporters, customers and commentators are far more likely to focus on the bad stuff you’ve done rather than the good performance you have been working on. So organizations are best advised to expend effort in avoiding or repairing a bad reputation rather than trying to create a good one.  Any organization which sets out on a programme to build reputation has likely forgotten that old adage that branding is what you say about yourself, reputation is what other people say about you.

The bank account metaphor also suggests that badly behaved organizations can “buy back” reputation with some high profile good citizenship. But it just aint so. When failed Australian tycoon Alan Bond died last year, some of his supporters tried to mitigate his record corporate collapse by emphasising that he helped Australia win the America’s Cup yachting trophy. It made a good story of reputational redemption, but it meant nothing to the investors who had lost millions. They knew the real meaning of an empty bank account. And for them it was no metaphor.

Posted in Issue Management, Reputation risk | Tagged , , , | Leave a comment

13 worst crisis communication mistakes

It’s a sad fact that crisis management case studies are more often about what companies did wrong rather than what they did well.  And some organizations seem determined to follow what NOT to do when facing a crisis.

From the rich buffet of crisis communication disasters, US crisis expert Jonathan Bernstein shared with Managing Outcomes his tongue-in-cheek 13 rules for ensuring your crisis will flourish and grow:

  1. Play Ostrich
    Hope that no one learns about it. Take advice to say nothing, do nothing. And while your head is buried firmly in the sand, ignore the part that’s still exposed.
  2.  Only Start Work on a Potential Crisis Situation after It’s Public
    Even if you don’t play ostrich, you can still nurture your developing crisis by avoiding preparation. Pre-planned and tested key messages would help communication when the crisis breaks publicly.  So always shoot from the hip.
  3. Let Your Reputation Speak for You
    Two words: Arthur Andersen.
  4. Treat the Media Like the Enemy
    By all means, tell a reporter they’ve done such a bad job that you’ll never talk to them again. Or send nasty emails. The reporter is sure to get angry and REALLY go after your organization.
  5. Get Stuck in Reaction Mode Versus Getting Proactive
    When a negative story suddenly breaks, respond with a statement, then repeat the dose for each and every follow up. Don’t initiate messages and make others react to what you say. Always look like the guilty party defending yourself.
  6. Use Language Your Audience Doesn’t Understand
    Jargon and arcane acronyms are great ways to ensure you confuse your audiences, and make most crises worse. Try this real life gem; “We’re considering development of a SNFF or a CCRC.” Naturally the general reaction is “HUH?”
    7. Don’t Listen to Your Stakeholders
    Make all decisions based on your own best thinking. After all, what would your customers, employees, investors, or other stakeholders know about how to communicate with them?
    8. Assume That Truth Will Triumph over All
    You have the facts on your side, by golly, and you know the public will eventually come around and realize that. Disregard the fact that perception is as damaging as reality—sometimes more so.
    9. Address Only Issues and Ignore Feelings
    “The green goo which spilled on our property is absolutely harmless.” “Our development plans all comply with appropriate regulations.” So what if people are upset? You’re not a psychologist…right?
    10. Make Only Written Statements
    Face it, it’s a lot easier to just issue written statements. No fear of looking or sounding foolish. Less chance of being misquoted. Who cares if it’s impersonal and some people think it means you’re hiding and afraid.
    11. Use “Best Guess” Methods of Assessing Damage
    “Oh my God, it’s a front page disaster. We’re ruined!”  Congratulations—you may have just made a mountain out of a molehill. Don’t bother talking to your stakeholders (See item 7) about the real impact of a crisis.
    12. Ignore Social Media
    You don’t have an active Facebook account, and Twitter is just for chattering idiots, yes?  Never mind that no medium in the world can destroy your reputation faster than social media.
    13. Do the Same Thing Over and Over Again Expecting Different Results
    Last time you faced bad news you ignored media calls because whatever you said they’d get it wrong. Of course stakeholders got upset and it took ages to fade away. So next time you’ll do the same thing, right? Because “stuff happens” and you can’t improve the situation by better communications… can you?
Posted in Crisis management | Tagged | Leave a comment