SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
Interview: Leadership in crisis management and corporate risk avoidance
Mon, 16th Jul 2018
FYI, this story is more than a year old

In today's world, the main driver of corporate risk is extreme stakeholder outrage. This can manifest itself in a number of forms, and focus on a range of issues from discrimination, gender inequality, sexual harassment, corruption, environmental contamination, privacy breaches and crime, as well as polarisation and politicisation.

Social networks provide an unparalleled environment and channel for this outrage to be expressed and go viral or for any incident or issue to gain unprecedented levels of recognition and thus grow to epic proportions.

Caroline Sapriel answers questions on corporate risk and leadership in crisis management, in an exclusive interview.

Where does an ‘inside attack' rank in terms of risk to a large corporation? What role should leaders play in making sure insider attacks don't occur?

Disgruntled employees and whistle blowers have always existed and before cyber attacks, there were other means for such employees to express their frustrations: leaks, physical sabotage, extortion, lawsuits, etc. Risk management is critical to define the potential consequences of decisions and actions taken by management. This includes having a solid stakeholder engagement and communication plan when bad news impacting employees has to be announced. Foresight, planning and being forthright and responsible should be the underpinning principles.

Supposing a large organisation has been compromised, what are the first steps that leaders should take, once the attack has been mitigated?

First the organisation must report the breach to the relevant authorities. Second, quick and transparent communication about the potential scope of the breach must be initiated with the impacted stakeholders; and last but not least, actions speak louder than words, so leaders must quickly articulate a remedial plan to retain stakeholder trust.

Is there a way to quantify how much brand damage an attack can have?

For publically listed companies, a drop in stock price is an immediate indication of the damage any crisis including cyber attacks is causing. However, if well handled, this can bounce back. What is harder to assess is the impact on stakeholder trust - short, medium and long term. Any crisis causing a loss of stakeholder trust creates a reputation meltdown. This must be avoided at all cost.

How do leaders regain credibility after an attack?

Leaders must strive to maintain credibility before, during and after any crisis. Owning up to the problem is the absolute first step whereas playing ostrich is a sure way to destroy credibility. Once leaders' credibility is compromised, stakeholder trust vanishes and that is the worst possible outcome of a crisis.

What about ‘selling' the message to employees – is employee trust compromised after an attack, and is it hard to regain that trust?

Employees are possibly the most important stakeholder group, but regrettably not always treated as such. Consistency is key and the same messages and actions must be communicated to all stakeholders, including and especially employees - albeit in a different tone suited to each stakeholder group.

Looking at risk avoidance now, what part does enterprise leadership play in a crisis management strategy? Are there best-practice guidelines for leaders to follow?

Crisis management is considered a “push down” practice, it must be mandated from the top with clear implementation steps throughout the organisation. It is a “must-have” component of best practice corporate management systems and not merely a “nice-to-have”, and as such, it must be considered an investment and not a cost.

Beyond crisis management policy and procedures, leaders must demonstrate or acquire crisis leadership skills. A crisis is not merely a bad week at the office and years of business experience does not by default make for good crisis leaders.

Recognising that real crises are rare but that it takes special skills to manage a crisis, the only way for leaders to enhance them is via regular crisis leadership training and exercises.

Crisis is a time for leaders to stand up and be counted – but what about the management framework they have in place around them – how much does their leadership strength rely on the ability of others, and should it?

Crisis management effectiveness relies on three critical aspects:

1. Tried and tested procedures, 2. Crisis leadership competencies, and 3. Experience. Crisis-resilient organisations must have proficient crisis leaders that can rely on the practice and expertise of their support teams.

How much credibility flows directly from a leadership team following a crisis, and is there a lasting impact on that group or individual?

Before, during and after a crisis, leaders have a critical role to play. Poor or weak leadership can make or break a crisis and therefore has considerable influence on the perceptions and trust of its key stakeholders during and post-crisis.

Is there actually an opportunity here for personal and team growth – out of adversity comes new strength, for example?

There is much to gain from every experience good or bad, but to achieve this growth, individuals and companies must have a formal process to capture and share lessons learned.

Regrettably after a crisis, organisational and personal fatigue as well as pressing business priorities, often prevent this from taking place and generating the output needed. Lessons learned from past crises evidently enhance organisational resilience as long as there is appetite to learn and improve. Aware leaders are the main drivers of a crisis resilient culture.

Is there a set of guidelines you would recommend as best practice for crisis management?

CS-A's 10 commandments of Crisis Management, which won a Gold Quill Award from the International Association of Business Communicators, provide a best-practice roadmap for organisations and their leaders to follow.