
Interview: Leadership in crisis management and corporate risk avoidance

16 Jul 2018

In today’s world, the main driver of corporate risk is extreme stakeholder outrage. This can manifest itself in a number of forms, and focus on a range of issues from discrimination, gender inequality, sexual harassment, corruption, environmental contamination, privacy breaches and crime, as well as polarisation and politicisation.

Social networks provide an unparalleled environment and channel for this outrage to be expressed and go viral or for any incident or issue to gain unprecedented levels of recognition and thus grow to epic proportions.

Caroline Sapriel answers questions on corporate risk and leadership in crisis management, in an exclusive interview.

Where does an ‘inside attack’ rank in terms of risk to a large corporation? What role should leaders play in making sure insider attacks don’t occur?

Disgruntled employees and whistle blowers have always existed and before cyber attacks, there were other means for such employees to express their frustrations: leaks, physical sabotage, extortion, lawsuits, etc. Risk management is critical to define the potential consequences of decisions and actions taken by management. This includes having a solid stakeholder engagement and communication plan when bad news impacting employees has to be announced. Foresight, planning and being forthright and responsible should be the underpinning principles.

Supposing a large organisation has been compromised, what are the first steps that leaders should take, once the attack has been mitigated?

First the organisation must report the breach to the relevant authorities. Second, quick and transparent communication about the potential scope of the breach must be initiated with the impacted stakeholders; and last but not least, actions speak louder than words, so leaders must quickly articulate a remedial plan to retain stakeholder trust.

Is there a way to quantify how much brand damage an attack can have?

For publicly listed companies, a drop in stock price is an immediate indication of the damage any crisis, including cyber attacks, is causing. However, if well handled, this can bounce back. What is harder to assess is the impact on stakeholder trust - short, medium and long term. Any crisis causing a loss of stakeholder trust creates a reputation meltdown. This must be avoided at all cost.

How do leaders regain credibility after an attack?

Leaders must strive to maintain credibility before, during and after any crisis. Owning up to the problem is the absolute first step whereas playing ostrich is a sure way to destroy credibility. Once leaders’ credibility is compromised, stakeholder trust vanishes and that is the worst possible outcome of a crisis.

What about ‘selling’ the message to employees – is employee trust compromised after an attack, and is it hard to regain that trust?

Employees are possibly the most important stakeholder group, but regrettably not always treated as such. Consistency is key and the same messages and actions must be communicated to all stakeholders, including and especially employees - albeit in a different tone suited to each stakeholder group.

Looking at risk avoidance now, what part does enterprise leadership play in a crisis management strategy? Are there best-practice guidelines for leaders to follow?

Crisis management is considered a “push down” practice; it must be mandated from the top with clear implementation steps throughout the organisation. It is a “must-have” component of best practice corporate management systems and not merely a “nice-to-have”, and as such, it must be considered an investment and not a cost.

Beyond crisis management policy and procedures, leaders must demonstrate or acquire crisis leadership skills. A crisis is not merely a bad week at the office and years of business experience do not by default make for good crisis leaders.

Recognising that real crises are rare but that it takes special skills to manage a crisis, the only way for leaders to enhance them is via regular crisis leadership training and exercises.

Crisis is a time for leaders to stand up and be counted – but what about the management framework they have in place around them – how much does their leadership strength rely on the ability of others, and should it?

Crisis management effectiveness relies on three critical aspects:

1. Tried and tested procedures,
2. Crisis leadership competencies, and
3. Experience.

Crisis-resilient organisations must have proficient crisis leaders that can rely on the practice and expertise of their support teams.

How much credibility flows directly from a leadership team following a crisis, and is there a lasting impact on that group or individual?

Before, during and after a crisis, leaders have a critical role to play. Poor or weak leadership can make or break a crisis and therefore has considerable influence on the perceptions and trust of its key stakeholders during and post-crisis.

Is there actually an opportunity here for personal and team growth – out of adversity comes new strength, for example?

There is much to gain from every experience good or bad, but to achieve this growth, individuals and companies must have a formal process to capture and share lessons learned.

Regrettably, after a crisis, organisational and personal fatigue, as well as pressing business priorities, often prevent this from taking place and generating the output needed. Lessons learned from past crises evidently enhance organisational resilience as long as there is appetite to learn and improve. Aware leaders are the main drivers of a crisis-resilient culture.

Is there a set of guidelines you would recommend as best practice for crisis management?

CS&A’s 10 commandments of Crisis Management, which won a Gold Quill Award from the International Association of Business Communicators, provide a best-practice roadmap for organisations and their leaders to follow.
