Is it time your crisis management procedures had a health check?

Organisational crises come in many shapes and sizes: profits falling well below forecasts; data breaches; accidents and fatalities on site; and regulatory investigations to name but a few.

All crises come with a cost, both financial and reputational, from which many organisations take years to recover. That is if they recover at all.

Although in many ways inevitable and unpredictable, crises are nonetheless a risk for businesses that must be assessed and mitigated.

Such is the role of crisis management, a set of policies and procedures outlining the required behaviours, processes and responses triggered by an incident, all of which are designed to help the business reduce any negative impact, protect the health and safety of stakeholders and, where possible, continue business as usual.

The most common forms of crisis management are evacuation procedures during a fire, but any situation with the potential to disrupt business, endanger life or accrue costs will require some form of crisis policy and framework.

Consider the following, for example. Malware has infected your company’s intranet, exposing sensitive and private data to the world.

How would you notify relevant stakeholders, secure your systems, liaise with the press, compensate those affected and educate employees to avoid recurrence?

What if the Police, the Environment Agency (EA) or a health and safety executive (HSE) officer were to attend your offices? Would all your staff know how to deal with this?

While not exhaustive, these examples demonstrate that the scope of a crisis management procedure extends far beyond alarms and emergency exits. The problem is, not all businesses are aware of this, and it’s making them vulnerable.

Don’t panic

If you work in finance, insurance, or engineering, you’ll probably be familiar with the concept of stress testing.

The Bank of England, for example, conducts annual tests using “what if” simulations to analyse the resilience of banks during a financial crisis.

Formula One engineers use stress testing to push a component, such as a gearbox, to breaking point to gauge its ability to withstand great mileage at high speed. In short, stress testing is a way of checking how something would cope in a challenging scenario, without subjecting it to that scenario in real life.

A health check of a crisis management procedure is similar, in that it considers a hypothetical scenario and applies it to current policies to analyse if they adequately mitigate any potential impact. Rather than relying on algorithms or simulations, a health check uses a variety of techniques to thoroughly review all aspects of crisis management within an organisation, from the policies to their dissemination and actual understanding. These include:

1. Reviewing the relevance of current documents

It's quite common for crisis management policies to be drafted, filed, and forgotten.

Businesses change, however, as do the macro-economic and regulatory landscapes in which they operate.

If crisis management policies are even a couple of years old, it’s likely that they will miss crucial details regarding any legislative updates, as well as personnel changes, site relocations or shifts in business activity that may have occurred in the meantime.

Treating policies as living documents is crucial to ensuring they are relevant and applicable to the business as a whole and will support any measures implemented when a crisis strikes.

It’s worth noting that surprise inspections from the Health & Safety Executive have increased markedly this year, with up-to-date risk assessments, policies, and procedures being some of their key areas for review.

2. Checking if crisis management is communicated across the company

A crisis management policy that sits in a cupboard gathering dust is hardly worth the paper it is written on, particularly if most stakeholders are unaware of its existence.

From experience, too many crises have been exacerbated because front line staff did not know how to handle a police request, or an employee giving an on-the-record comment to a journalist without first checking what information could, and could not, be communicated.

Successful crisis management relies on all stakeholders within a business responding in a manner that is appropriate to their role and consistent across the organisation, so a key part of a health check will be discussing this with employees and identifying the gaps in their knowledge.

3. Preparing management for interviews

An interview with police, any regulator or the media can be an intimidating process for anyone, regardless of experience. It only takes one ill-phrased comment or unguarded remark to worsen the situation or cause lasting damage to a company and its reputation.

What’s more, as a representative of their organisation, the interviewee must manage their public perception carefully, from body language to facial expression.

It's difficult to predict how an individual will cope under that kind of pressure, but directors and spokespeople can be prepared, and understanding the interview process and powers of the regulators will help with this.

Media training and interview specialists can also work with key spokespeople to prepare them for such eventualities.

4. Evaluating company culture

A company can live and die by its culture.

If it is secretive, insular, and uncommunicative, for example, and adopts this approach during a crisis, it can reduce trust among customers and stakeholders, and even create a greater perception of culpability and deceit.

If, on the other hand, a company is open, communicative, and reflective, this can reduce the reputational impacts of a crisis, and even gain public trust if remedies are swift and lessons are readily learned.

One of the best ways to understand company culture is to examine the working practices of its management, speaking to staff and, if needed, provide insight and training into how this can be improved.

5. Committing to regular reviews

Go several years without seeing a dentist, and the condition of your teeth is likely to degrade.

Similarly, leaving policies and procedures to fester without regular updates, communication and employee training, and their value to the organisation will reduce.

In addition to any timely updates, annual reviews of documents can help to ensure a crisis management policy remains fresh and relevant, covering all necessary legislation and regulatory obligations.

Of course, any updates to policies must also be communicated to employees and relevant parties, but it is also worth conducting annual training reviews and quizzes to refresh employee knowledge and understanding.

Quizzes are a useful and easy way of reminding a team of the key elements of a crisis policy, as well as spotting any potential issues.

To be most effective, an organisation’s approach to crisis management needs three things: transparency, communication, and consistency.

Everyone, from the person on the front desk to the CEO, needs to know what potential crises could arise, and how they play a part in managing and mitigating them.

No business wants the worst to happen, but by putting its policies to the test, it raises the chances of surviving, and even thriving, after a crisis.