Risk Management

Business Under Attack: Five POWER Actions Boards, Management and Risk Leaders Need to Prepare for Crisis in 2021

Cyber-attacks compound data, financial and privacy issues. Pandemics linger, break supply chains and destroy economies. Competitors and disgruntled employees attack in unprecedented ways.

Proliferation of lawsuits drive culture change and broaden disclosure in diverse areas increasing costs. Political leaders have little understanding of business, meeting payroll, let alone cutting costs. A new federal administration is proposing increased regulations and taxes that will impact business in unpredictable ways.

Business is under attack.

Unfortunately, in the years ahead, corporations will face multiple crises that disrupt or endanger operations and mission. And at the same time, sensationalistic media modify and magnify fundamental perceptions.

In dealing with these critical moments, companies must preserve brand value and reputation. It requires leadership, transparency and grace under pressure. Ill prepared managements will suffer far more than 15 minutes of global shame.

In the face of such Black Swan events, last year’s thinking and planning is ineffective.

During crisis, organizations need leaders at every level. Leadership is about coping with change … whereas active management is about coping with complexity. Generally, managers direct operations, financial and human capital to accomplish objectives. Leaders step forward and managers must step back.

Key Point: Leaders inspire, influence, motivate and enable others to take a different path. They recognize and drive change, empower others to implement and align individual aspirations to accomplish objectives. So in achieving one… leaders indirectly impact all.

On this issue, Ronald Regan said, “The greatest leader is not necessarily the one who does the greatest things. He is the one that gets people to do the greatest things.”

In crisis, leaders have a vision of what they need people to do and what they want to happen. I discuss this important concept in speeches on leadership. When business is under attack, leaders are called to their most important role.

History and Contemporary Teachings

The word ‘crisis’ is traced back in the Chinese language some 3000 years. It is composed of two characters, one representing danger and the other opportunity. Although scholars now say these characters actually represent an incipient moment or crucial point.

Albert Einstein, thinking about crisis said, “In the midst of every crisis, lies great opportunity” … and Winston Churchill said, “Difficulties mastered are opportunities won.” We can split hairs, yet crisis is a danger and opportunity, as well as a circumstance requiring immediate and unusual action.

To succeed in planning, before, during and in the aftermath of crisis … boards, management and risk leaders must offer innovative thinking, new skills, as well as contrasting approaches that will match the depth, breadth, magnitude and speed of today’s online world.

Crisis disruptions drive fear, uncertainties and lack of trust. However, humans crave security. We need to feel safe and have a sense of control over our business and personal lives. That is the emptiness and disorientation confronting many during this pandemic.

Key Point: Crises usually begin or end up online. Attacks do not usually occur during normal business hours. They will occur at night, on weekends or holidays when companies have limited resources to deploy. And many are not prepared for that.

Simply, there are three basic types of cyber or digital crisis that attack organizations today. All have reputational considerations and consequences.

• Cyber-attacks from outside the organization – crime syndicates, overseas competitors or state actors seeking destruction or theft of data, money or intellectual property; disruption or ransom; blackmail, extortion, retaliation or denial of service, as well as warnings of attack capabilities.

• Reputation attacks – on company operations or management issues from activists or trolls seeking to disrupt; conflicts with labor or other constituents; product or service liability retaliation; brand or reputational injury; operational mistake, compounded by dreadful fact gathering and communications.

• Attacks from within – disgruntled current or former employees – seeking financial gain, commercial espionage, or retaliation for employment issues.

Key point: Anticipating attacks, companies always underestimate and are somewhat baffled by attacks from within.

Following are five POWER actions – Prepare, Observe, Weigh Risks, Evaluate, Respond – boards, management, risk leaders should consider preparing for crisis in 2021.

First, Prepare

Don’t be scared … Be Prepared.

Every crisis is different. Emphasis, circumstances, constituents, geography, industry, history, legal, regulatory issues, length and players can all shift. Leadership and wisdom emanate from experience.

Unlike a fire, crises cannot be simply extinguished. And despite our fondest hopes, attacks or crises do not fade away … they usually expand.

In his 1960s song, legendary blues singer Albert King chanted: “Everyone wants to go to heaven, but nobody wants to die … Everybody wants to hear the truth, but still they want to tell a lie.”

Most companies say they are prepared for crisis. Unfortunately, few actually are.

This is underscored by the debris on Wall Street of brand names that did not perform well in crisis. To appreciate not being prepared, just look to posterchild events at icons: Boeing, Facebook, Equifax, United Airlines, British Petrolatum, Toyota, Sony Pictures, Target, Domino’s Pizza and many others. They demonstrated inadequate management, not much leadership … and in some cases, worse.

Key Point: Despite ever-growing awareness of how attacks, crises and disasters instantaneously affect companies, serious preparation of table-top exercises, dress rehearsals, planned and unplanned trials are not granted much attention by top management.

This is the critical difference between performing well – or becoming a poster example of performing poorly – when an attack or crisis occurs.

Studying Navy Seal operations, you realize why they are excellent models of preparation. They visualize every part of a mission before implementing it. Then they practice. A lot. Emphasis concentrates on what they can control, what they cannot control, what they can do and not do with unexpected changes that always materialize in the field.

Extensive preparation immunizes them somewhat from fear because they've rehearsed most scenarios and are highly trained to adapt to unforeseen events. We apply this unique model for drills in simulated client exercises.

All organizations need similar preparation developing response strategies for attacks and crises.

Second, Observe

Leaders at all levels must be aware what is posted and said about you and your company on a timely basis. This is one importance of a plan.

When strong core company values are in place, organizations that engage with key constituents actively and honestly in normal times, will do well in times of stress. Businesses that do not have these values and two-way lines of communications to constituents in normal times, do not endure well in crisis.

In normal times, but especially in crisis, constituents can be your best friends … or worst enemies.

Spokesmen converse with many groups. Some groups companies engage with and know well. Others not so much. These important stakeholders include investors, employees, customers, industry analysts and commentators, lenders, partners and advisors, suppliers and vendors, regulators, media and social pundits, as well as community, industry, government leaders … and yes … competitors.

Key Point: Like them or not, these key groups comment and create perceptions about you and your company in normal times, as well as during a crisis. Keep an eye on their comments.

Do you consider all these constituents when issuing documents and statements? Through technology, they all have the ability to access and comment at the same time as well as react to what you reported or did not say, especially in times of crisis.

Third, Weigh Risks

Watch for hidden or secret attacks. Be aware of what is posted about you or your organization immediately. That is one reason why a plan is so vital.

Content and mobile are kings. With nearly 8 billion people in the world, 5 billion are mobile phone users and 4 billion are active on social media. So, every crisis response plan must be reconceived for small screens, terse messaging, micro-video and consumers who are adept at meshing screens.

Speaking in London last year at a private CEO group, I emphasized “With recorders and video cameras in every smartphone – social media’s voracious appetite for sensation and a pervasive desire for 15 minutes of fame – create a perfect storm reaching critical mass threatening every private discussion or meeting.”

Do you consider that? How are you protecting from these risks?

Fourth, Evaluate

Crisis response plans completed as recently as 12 months ago should be dragged into the trash icon. With the pandemic, cultural shifts, as well as significant advancements in technology … a year ago, might as well be a decade.

But before you can create a plan, you must understand and accept that crisis can attack your organization. Unfortunately, the number of CEOs I have heard say, “that would not happen here” extends beyond the fingers on both hands.

Moreover, as you prepare a response plan, you must identify and formulate what the ‘what ifs’ are apt to be. They will vary by circumstance and issues outlined above, as well as what just happened to your neighbor.

Key Point: In planning, do not lose sight of profound effects attacks or crisis have on stock valuation; senior executives time focused on the crisis, diverting concentration from managing the business; customer perceptions and sales; ability to attract and retain employees, as well as vendor delivery.

Risks change. Therefore, crisis response should be reassessed as frequently as you review threats. Is your plan digitally available through a password protected portal or cloud service? Is it updated regularly? Or does it still sit in a binder on a shelf collecting dust, that few have access to when needed late at night, during a weekend or holiday? You can’t make this up … and you would be startled how many still prepare for crisis as if it were 1980.

Baseball legend Yogi Berra said, “You've got to be very careful if you don't know where you are going, because you might not get there.”

Fifth, Respond

Digital attacks require a very accelerated time schedule. The instantaneous nature of social media forces us to think differently about many things, but especially about time … more than we did just a few years ago, centering on traditional media news cycles.

The phrase “Eight-hour Digital Day” was coined in my book Digital Assassination. We must view eight hours as 'One Digital Day' – a central truth that many business advisors and leaders have yet to recognize.

In the new world of the ‘eight-hour digital day’, when assassins mount an assault – something that must be acknowledged or answered – you have four to eight hours for an initial response as their post goes viral, especially in the context of today’s multi-screen, mobile environment.

Key Point: It isn’t always wise to respond, but if you had to, could you react quickly and effectively, within an ‘eight-hour digital day’?

Most corporate leaders, cultures, lawyers and risk managers are simply not prepared or trained to operate at this warp speed. And many will be burned, perhaps several times, before they understand the new timing of an ‘eight-hour digital day’.

Reputation & Risk

Reputation is the new corporate capital.

Attention and innovative skills are needed to improve it, leverage it … and protect it. A recent study noted that 87% of top executives rated reputation risk more important than other strategic risks.

In an interview with The Wall Street Journal I said, “Reputation has an effect on careers, equity value, sales … everything.”

Today, CEOs spend 20 to 30 percent of their time dealing with public issues. This will evolve and increase to include other C-suite and board leaders, as assassins and activists attack.

Unfortunately, many do not think about building this new style of plan or rehearsing. They tend to focus on isolated incidents … and that is not a formula for success.

Will Rogers, renowned cowboy and humorist, in the early part of the 19th century said, “Even if you are on the right track, you’ll get run over if you just sit there.”

This has implications for crisis leadership today.

Published .