Effective Enterprise Risk Management Includes Crisis Preparedness

The media continue to be filled with stories about companies that fail to manage crisis situations, costing them millions in damage, fines and reparations, lost revenue and lost jobs.  Many of those failures can be traced to a few common causes: 1) lack of attention to the identification and assessment of risks, 2) weak leadership commitment to effective risk mitigation and crisis management, 3) no crisis communication plan, and 4) no process to assess, investigate and mitigate a crisis.

As part of an effective enterprise risk management program, leaders need to make the right moves when a crisis occurs to resolve the issue and protect the organization. These five steps, when taken with care and commitment from the Board of Directors on down, can help ensure the enterprise is well-prepared to protect itself when a crisis occurs.

Step 1:  Evaluate Corporate Governance, Risk Management and Internal Controls

Organizations must commit to a regular evaluation of their corporate governance and risk management practices and internal controls. When addressed together, these three components provide the pillars for a strong crisis management program.  Through a regular review of these pillars of effective governance, corporations can identify new and emerging risks, assess existing risks and make the policy and process changes needed to address the behaviors that could lead to significant damage to the enterprise—before they evolve into a crisis.

Step 2: Identify the most probable crises and assess their potential impact

There are several kinds of crises that are possible in every organization, including natural disaster, unexpected injury or death of an employee or customer, harassment or discrimination, workplace violence, employee malfeasance, cybercrime, white collar crime, litigation or class action, fraud, mismanagement, and product defects/recalls. Other categories may be unique to the business.  An enterprise-wide vulnerability assessment using clearly defined risk indicators will help to uncover the kinds of crises for which the organization needs to plan and prepare. Extra attention should be given to those crises that are deemed either highly likely to occur or to have the highest potential impact on the organization.

Step 3:  Create and train a crisis management team

Arguably the most important step in an effective enterprise risk management and crisis response program is having the crisis team in place.  Internal and external experts should be identified and roles and responsibilities clearly delineated.  Regular training and crisis exercises are vital to assuring that the team is prepared to execute on important response strategies and tasks. Internal expertise should include senior executive management, operations leaders from key areas, and leaders of compliance, internal audit, corporate communications/PR, human resources, legal, sales and marketing, among others.

External expertise may be needed to supplement the internal team, and should include established relationships with outside providers of PR and communications, legal and forensic counsel, among others. By having these key vendors in place well in advance, they can get to know the company and its leaders, facilitating better, faster response when a crisis is declared.

Step 4: Develop and implement a crisis communication plan

Effective communication response to a crisis has never been more important than in this highly charged age of instant communication. Organizations no longer have the luxury of waiting days to respond when an issue arises.  Effective crisis communication plans include details not only on what to do, but how to do it. Policies and processes, chains of command, roles and responsibilities for communication should be detailed. Best-practice plans contain quick response guides for the most probable crises identified in the vulnerability assessment, including initial strategy and messaging that has been vetted and pre-approved by management and legal.

Spokespersons should be identified and trained. Platforms to monitor media and social media should be implemented well in advance.  Companies with operations in multiple countries should make sure that their communication plans address important cultural differences so that they can respond appropriately. Finally, the plan should be exercised and updated at least annually to assure that it is well integrated with operational response and business continuity and recovery plans.

Step 5: Develop a crisis response plan

The crisis management team needs a written plan to effectively manage the crisis.  The plan should address levels of crisis with thresholds for activating the team and implementing the plan. It should identify who will lead the response for each type of crisis.  Procedures to assess, investigate and mitigate the crisis are vital. Operational roles and responsibilities should be detailed and external support services identified and engaged.

Consider providing NIMS training for the entire crisis management team.  The National Incident Management System (NIMS) provides an excellent framework for crisis response.  This system has been used successfully to manage a variety of disaster responses and other corporate crises.  The first few courses in the NIMS training program are offered online free of charge.

The investment in enterprise risk management and crisis planning is the proverbial ounce of prevention that can shield organizations from the ton of cure that awaits the unprepared. Don’t let your organization be one of those that, by failing to plan for the inevitable, puts its very future in jeopardy.