By Bill Udell – Senior Partner & Aaron Schwirian – Associate Director – Control Risks
For decades at Control Risks, we have assisted our clients in building crisis readiness programmes (crisis management, business continuity and resilience), rolling those programmes out across their global enterprise and assisting them in responding and recovering when disruptions occur.
We have seen things go extremely well and we have seen them go off the rails. Regardless of the sector, size or the geographic location, there are a number of common mistakes that we see as organisations establish global readiness programmes. Getting these wrong will likely lead to a plan that sits unused on a shelf when disruptions occur. Getting them right will help ensure the global adoption of a sustainable, flexible and practical programme that will facilitate effective monitoring, appropriate escalation, limitation of impact, rapid response, business-centric recovery and, ultimately, protection of organisational growth, profit and reputation.
The 13 common mistakes…
1. Missing opportunities to avoid locally driven crises and disruptions
A logical but often overlooked part of any organisational readiness strategy is to avoid the disruption in the first place. Companies that have risk management functions that are informed by global threat intelligence and monitoring either through a global security operations center (GSOC), third-party information feed or other integrated analytical capabilities are better at seeing disruptive events early and avoiding them altogether or containing incidents before they become full-blown crises.
In the event of incidents and crises, leveraging contextual information from sources at the coal face helps crisis management teams to build local context-driven scenario analyses. This ensures that they have an accurate picture of the situation, worst-case and most-likely scenarios and are able to make critical impact-limiting decisions with the most perfect information possible.
2. Not securing global response assets ahead of time
In building a readiness programme, organisations often consider retained assistance from outside counsel or public relations firms as part of the strategy. However, they often forget the ‘boots on the ground’ that are required in response to many types of disruption around the world – from a terrorism or security event in the Philippines to a compliance and regulatory investigation in Brazil. How will the organisation actually execute the response activities?
In some cases, there is an assumption that the local business will dedicate or locate the resources, but this is often poorly communicated and not based on actual capability. In other cases, while most organisations have master services agreements with response providers that cover them in some geographies and for some hazards, few have done a deep dive to match their responsive capabilities (both internal and external) against their most critical assets, high-threat geographies and risky activities. While of course it remains possible for teams to establish retainer-based relationships across geographies and technical specialties, many find this time-consuming and inefficient.
Insurance can play a role here. Hiscox for one is helping organisations fill this gap with the creation of the Security Incident Response policy, which provides 24/7 access to Control Risks experts across the world and across subject matters to execute an incident response against 38 separate hazards on an insured basis. It guarantees that the assets will be in place where they are needed and with the right technical know-how and local contextual understanding to mitigate the impact of disruptions and help ensure business recovery.
3. Failure to capitalise on local knowledge and business units
There is no better way to understand what doesn’t work in a disruption than by assessing past response performance. The combined institutional knowledge of staff who have worked through incidents and crises in the past is a trove of lessons learned that must be harnessed before any readiness programme is implemented at scale. While building a global programme, leaders should conduct local interviews, look through past history and integrate findings into the programme. This will also help achieve local buy-in and a sense of local and business unit ownership.
4. Lack of executive sponsorship
While executive sponsorship is important for any organisation-wide programme, buy-in and active advocacy from the top is particularly critical for the roll-out of a global crisis management programme or readiness programme. The chances are that independent business units and regional management have a way of doing things that they think works just fine and has become hard coded into their local cultural DNA – and possibly even proven effective in responses to significant disruptions. While working-level, grass-roots buy-in would be ideal, it helps if there is a perception that someone with a C in their title is mandating an enterprise approach.
5. Setting the sights too narrow
Organisations too frequently design programmes in a way that reeks of tunnel vision. Crisis management is perceived as a security or a public relations or a legal issue. Considering it from one viewpoint and focussing solely on the impacts related to that viewpoint is a guarantee that a programme will become irrelevant. Successful global roll-outs create programmes focussed on roles and responsibilities and not on individuals and personalities. Meanwhile, multi-disciplinary workshops help demonstrate the extent to which different functions rely upon others. Additionally, tying the programme to the enterprise risk management (ERM) matrix helps ensure it is fit for purpose.
6. Setting the sights too wide
Teams charged with rolling out a global programme often set about trying to ‘boil the ocean’. In the pressure to meet personal objectives or programme KPIs, they push to check the enterprise-wide box as quickly as possible at the expense of true adoption and sustainability. Depending on the organisation’s structure, culture, risk landscape and other contextual circumstances it is often a better idea to roll the programme out with a methodical, step-by-step approach, prioritising business units or regions based on the order of crisis, risk or quick-win potential. Consider showing success and gathering critical early lessons in the first phases of this approach before tackling the entire enterprise. Additionally, some organisations overweight the size and complexity of the corporate team, causing gears to grind to a halt during a response. A good corporate-led programme does not necessarily require a huge core team.
7. Failure to leverage technology
Coordinating across languages and geographies – particularly during intense moments of a disruption or crisis – remains a challenge for any organisation. But technology is making it easier every day. Too often, organisational crisis management structures still rely on paper- or email-based plans and structures that impede real-time coordination. Technology platforms in the crisis management space, including Crisis Resilience Online, now integrate mass notifications, work flow, plan hosting and real-time meeting coordination on a seamless global web-based platform.
8. Under-escalating a crisis, over-escalating an incident
The corporate ‘mother ship’ may often have a different definition of what constitutes a crisis from the regional or business unit leaders. That is natural and to be expected. Local and business unit leaders often do not have the full enterprise picture and can’t independently judge when the impact of a disruption has crossed the line from local incident to enterprise crisis. In other cases, for reasons of pride or protectionism, they may decide to continue to try to solve problems locally that should have been escalated to the corporate crisis management team (CMT) long ago. In other cases, individual managers may routinely escalate even minor incidents as a means of protecting themselves or because of a perceived corporate hunger for information. A well-structured readiness programme and global roll-out informed by substantive input from across the organisation will include agreed and established escalation criteria and definitions.
9. A single-region approach to a global enterprise
This pitfall occurs when organisations have an established readiness programme at the corporate level or in a single region and try to simply copy it and change the addresses to match different business units and geographies. They do not take into account local and business-unit context or unique operating environments when building the enterprise-wide programme. For most organisations that take this approach, there are significant parts of the business that feel left out of the process and stuck with plans that do not work for the realities of their business. As a result, in a real crisis, these plans remain on the shelf and the regions/units revert to an ad hoc or independent approach that works for them.
10. Risk assumptions don’t reflect enterprise-wide concerns
Readiness programmes should be tied to and informed by the organisation’s ERM register. Leaders responsible for global crisis management roll-out need to understand the risks that have been agreed by the executives to be the most critical for the organisation. They need to understand their businesses and where they are going. If there is no ERM programme in place, they should engage local and business unit management to ensure that all risk concerns are heard and prioritised. Too often, headquarters-driven programme setups miss large revenue drivers and risk sets that sit outside of the immediate corporate view. Risk workshops that include representation from across the enterprise will inform the creation of the risk-based programme as well as drive buy-in and a sense of ownership across the organisation.
11. Lack of cultural nuances
In establishing a global programme, headquarters-based leaders often fail to account for local cultural, contextual or practical nuances or don’t assign them an appropriate level of importance. For example, in parts of the world where it is dangerous for women to take public transportation, business continuity and incident management plans must account for alternative transportation arrangements. Meanwhile, in other parts of the world, it would seem inappropriate to put such gender-specific considerations in a corporate document. While there is no easy answer for some of these nuances, they must be considered and discussed during roll-out to achieve local adoption, relevance and trust.
12. Global crisis exercises fail to include regions or business units
Scenario-based exercises are the cornerstone of the maintenance and continuous improvement strategy for any readiness programme. They not only validate the plan, but also help ensure that the CMT can achieve the levels of stability and perspective that are needed to navigate real-life disruptive events when they occur. While most owners of global programmes have a regular exercise schedule, too few include regional or business unit incident management teams (IMTs) or stakeholders in those exercises. While it is important to roll out the exercise programme across the enterprise – ensuring that individual IMTs run scenario-based sessions to an agreed standard – it is also critical that parts of the business feel included in corporate scenarios as they would in real life. Particularly for more mature programmes, CMT exercises should incorporate real-time call-ins and escalations from regional or unit teams or stakeholders. While these ‘semi-live’ exercises require more planning and coordination support, they are invaluable in reinforcing an enterprise approach to readiness.
13. Forgetting the practical issues
Expanding a readiness programme from a centralised corporate capability to a global capability with established teams, stakeholders and interdependencies carries a wide variety of intensely practical challenges that fall into the miscellaneous category, but in aggregate are critically important, particularly in a real-life disruption. Time zones, local holidays and customs, connectivity issues and available materials must all be considered early rather than assuming that a real incident will follow a course that is convenient for the corporate entity.
As an example, a company that wants to centrally manage media monitoring resources in North America during a crisis will either go dark at critical times or require arrangements for shift work, if that crisis is emanating from Australia. To mitigate this risk, companies might pre-arrange a follow-the-sun model. In many cases, tighter coordination between the crisis management organisation and the capabilities of the GSOC – bringing GSOC owners in to programme development – helps drive efficiencies, facilitate global coverage and ensure a more rapid response.
When creating a global crisis readiness programme, avoiding these pitfalls can be the difference between a programme that enables the business by increasing resilience and operational cooperation across the enterprise and a plan that sits on a shelf during a crisis. There is so much to consider when going through the programme development process and you don’t have to do it alone. Control Risks’ approach leverages lessons learned from the successes and failures of thousands of clients across multiple sectors and geographies.
About the Authors:
Bill Udell is Chief Executive Officer of Control Risks’ Americas region. He is responsible for the strategic growth and development of Control Risks’ business across the Americas, including its offices in Bogota, Houston, Los Angeles, Mexico City, New York, Panama City, São Paulo and Washington DC.
Aaron Schwirian is an Associate Director with Control Risks’ Crisis and Resilience Consulting team based in Washington, DC, where he manages the North America kidnap-for-ransom and response preparedness sub-practice. As head of the sub-practice, Aaron manages a team of consultants who write customized kidnap-for-ransom contingency plans and conduct specialized education and training for varied audiences, including executives, security professionals, and risk managers.
In addition to the specific kidnap-for-ransom work, Aaron focuses on crisis management and physical security program review, development, and implementation. As part of these efforts, Aaron works with clients to create tailored crisis management plans and to facilitate scenarios designed to mature their crisis management capabilities. He also leads workshops to enhance clients’ knowledge and understanding of crisis management best practice.