Crisis Management: A Guide for Business Leaders

In short:

• What are the three main phases of crisis management? From pre-crisis preparation to post-crisis repair, we outline key elements
• Here’s how to put together a crisis management team that’s expert enough to understand challenges — and nimble enough to address them
• CEOs need to lead crisis communications efforts, remembering that your company gets only one chance to make initial outreach and protect its reputation

In late September 1982, three Chicagoans died after taking Tylenol that had been laced with cyanide. By Oct. 1, the death toll hit seven across Illinois. We still don’t know why someone injected Tylenol capsules with poison then resealed bottles and put them back on store shelves. But if the goal was instilling fear and anger across the nation, mission accomplished.

Johnson & Johnson had a crisis on its hands the likes of which companies rarely see. It had done nothing wrong, yet people were dying after using one of its most popular products — at the time, Tylenol had more market share than the next four over-the-counter painkillers combined. The public was outraged, and without a perpetrator to take the brunt of that fury, Johnson & Johnson landed in the crosshairs.

How it responded is a case study in competent crisis management, as we’ll discuss.

The Institute for Crisis Management defines a crisis as “any issue, problem or disruption which triggers negative stakeholder reactions that can impact the organization’s reputation, business and financial strength. Crises can be situations threatening or doing harm to people and property, serious disruptions to operations, product recalls, labor issues, social media attacks, lawsuits, highly negative media coverage or allegations of wrongdoing against employees or leaders.”

COVID-19 falls into the first situational bucket, and the harm being done to people and property will take years to fully understand. However, Deborah Hileman, the ICM’s president and CEO, says that only about half of all organizations worldwide have crisis plans in place for problems that aren’t in the black swan category, and that’s a potentially expensive oversight.

Leaders looking to up their crisis management games need to consider a number of factors. We’d argue, though, that they must filter their strategies through the lens of human nature. As a species, we’re better at reaction than proaction. You’d think that after a few million years of evolution, homo sapiens would have learned to focus on preventing recurrences of known risks — like, say, pandemics — rather than expending resources on largely theoretical hazards.

And yet.

There’s plenty of evolutionary science behind why people do seemingly irrational things, like hoard toilet paper, but it boils down to feeling that we’ve done something — anything — to regain control.

In this guide, it’s our goal to help you think more proactively, prevent the crises you can and better handle the ones you can’t.

What Is Crisis Management? A Process

Say your company makes both tennis and golf supplies, and your shipping department accidentally sends 500 golf balls to a tennis club customer. That may not seem like a crisis, but you can bet that when the shipping clerk spotted the error, her pulse quickened, her mouth went dry and she started running through scenarios on how to make it right.

That “fight or flight” reaction has served us well for many thousands of years, after all.

While the golf ball snafu isn’t on the order of poisoned pain pills, it is a problem that needs prompt attention to preserve revenue, customers and reputation. So, for our purposes, it’s a crisis.

Now let’s look at how the company might respond.

Initial action: Do you ask the tennis club manager to ship the golf balls back? No. Arrange to have a truck pick them up and drop off the correct product.

Crisis communication: There’s a golf course manager somewhere wondering why he has a few hundred tennis balls. Find out who, and proactively communicate how you’ll fix the problem.

Reputation repair: The customer needed something from you and didn’t get it. Now is the time for some elevated attention.

Financial assessment: Estimate potential revenue loss and operational disruption. Say you don’t charge for either the tennis or golf balls and dispatch an employee to make the swap. What does that cost?

Then there’s escalation. If your warehouse burned to the ground or a defective product caused harm to customers, the crisis is existential, and top executives must be involved in shaping the response. However, in this case, a first-line manager should be empowered to make the call on how to fix the mix-up. Then, she should report the issue upstream, so process owners can figure out what went wrong and put procedures in place to prevent recurrence.

But will she? Informing the chain of command of manageable problems goes against human nature, because notification itself creates a crisis of uncertainty, especially when the person who made or found the error doesn’t know how the boss will respond. The shipping manager will be tempted to limit reporting to her immediate supervisor, or she may even cross her fingers and think, “What they don’t know won’t hurt them.”

That might work out fine. But what if the owner of the company runs into the manager of the tennis club and has no idea there was a problem?

No-fault learning is a tenet of many high-performing organizations. That is, no one is punished for bringing a problem to light or making a mistake — not immediately, and not the first time, anyway. Errors are seen as opportunities to improve. In the context of our crisis management case study, by escalating the ball mix-up, the owner, or an account rep or regional manager, could decide to call the affected customers, thus turning a crisis into an opportunity to demonstrate responsiveness.

If you take nothing else away from this paper, remember these four points when developing a crisis management plan:

1. Empower people to act quickly when a crisis is within their spheres of responsibility.
   • Actions should be based on established procedures, and
   • Employees should be required to report the issue, response, operational and revenue implications and other relevant factors to their immediate supervisors, who then escalate to the level appropriate. Shaming or punishment won’t be tolerated while the crisis is ongoing.
2. Favor procedures that emphasize customer care and satisfaction in the face of a poor experience, even if they’re costly. Acquiring new customers is almost universally more expensive than keeping current ones.
3. Err on the side of over communication. More information is better.
4. Analyze the root cause of the crisis and put processes in place so that reoccurrences become less frequent.

The critical element here is that team members and their immediate supervisors are trusted to address crises in scope, able to spot systemic weaknesses and empowered to continuously improve processes so that mundane emergencies become rare.

Organizations adept at handling day-to-day crises tend to also handle the bigger ones properly. So get good at the small stuff. Track errors, and work to drive down their frequency and fine-tune team responses.

Major Crises

Big crises are newsworthy. And since news reports are trackable, we can understand what crises are most common. The Institute for Crisis Management does just that and provides an annual breakdown of where institutions broke down.

The chart below comes from the Institute’s latest report. We’ve highlighted the crises that account for 5% or more of news stories tracked by the ICM.

Volume of stories isn’t a perfect measure of the financial and operational impact of classes of crises. Convicted sex offender Harvey Weinstein dominated multiple news cycles last year and early this year, and that coverage gave rise to the #MeToo movement. That in turn caused a spike in disclosures, so the number of sexual harassment stories eclipsed those of what the ICM classifies as “catastrophes,” even as it’s likely that more immediate economic damage was caused by wildfires and hurricanes.

Still, tracking news stories does illustrate what captures public attention, and that alone is worth considering. Let’s look at the ICM’s most common crisis categories and how to prepare, cope and respond.

Employee-Practices Related Crises

HR-related crises were common in 2018 and likely at least as prevalent in 2019. Labor disputes and sexual harassment and discrimination accounted for one-third of the crisis stories that hit the press. Clearly, management needs to take workforce relations seriously, and executives would do well to take the golden rule to heart.

Pre-crisis preparation: At minimum, HR should document how state and federal statutes govern treatment of your workers. However, we recommend going further. Any company with five or more employees that does business in California must provide sexual harassment prevention training, for example, and the state’s recently enacted labor law changes cover everything from unlawful retaliation to privacy.

California is among the most aggressive in protecting worker rights, and its laws provide a template for going the extra mile to avoid employment-related crises.

It’s difficult for management teams to honestly assess their own company cultures. But when one-third of newsworthy crises are caused by poor HR practices, it becomes clear that outside evaluation of policies, culture and risk is a good investment. Your HR team is there to ensure that you have the right talent in place and avoid practices that will land your firm in court, but these professionals are not well-positioned to drive cultural change.

Crisis response: When Uber engineer Susan Fowler went public with allegations of a culture of sexual harassment, she created a firestorm. Experts say then-CEO Travis Kalanick took the right steps. According to NBC, Kalanick immediately stated that what Fowler described was “abhorrent and against everything Uber stands for and believes in” and promised an “urgent” and independent investigation led by former U.S. Attorney General Eric Holder and board member Arianna Huffington. The mea culpa was public, did not attack Fowler and laid out a plan to improve, all good moves.

Post-crisis strategies: When an employee-related incident goes public, expect ongoing scrutiny. In Uber’s case, Fowler’s revelations contributed to the ouster of Kalanick. His replacement, Dara Khosrowshahi, has won praise for transparency and using the crisis to rebuild Uber’s brand.

Culture can be changed, with top-down leadership and the will to take sometimes Draconian corrective actions. If misdeeds rise to anything near criminal levels, those responsible must be held to account. If the CEO knew or should have known, it’s probably time for new management — a difficult move for closely held companies. At minimum, reparative measures need to be demonstrated. Even if employees don’t leave, a toxic culture is a hiring impediment of the first order.

Management-Driven Crises

Next on the ICM list, if you take mismanagement, whistleblowers and white-collar crime together, is management-caused crises.

The Institute gives examples like Volkswagen cheating on emissions tests and Wells Fargo creating fake accounts and says the SEC gets about 5,200 tips a year from whistleblowers.

Pre-crisis preparation: No executive acting in good faith wants to believe that the actions of her peers will land the company on the wrong side of a business-gone-bad news story. It’s therefore critical to get regular outside evaluations to ensure your code of conduct and ethical guidelines are being followed. Business consultants with vertical expertise are one potential source; just make sure they’re giving you an unvarnished, objective view. The Enron scandal was culturally pernicious in that it not only infected the totality of Enron’s upper management, it took down Arthur Andersen Consulting too.

Crisis response: For closely held companies, the immediate threat is to credit worthiness and valuation, if you’re considering a sale. If the misdeed understated tax liability, hid a product fault or failed to protect customers or employees, bring in the lawyers and let them lead.

Don’t try to hide the extent of the problem. When Volkswagen admitted in 2015 to the existence of a device to defeat emissions control tests, the original estimate was that some 500,000 U.S. customers were affected. Volkswagen quickly, and wisely, admitted that 11 million cars on the road had the devices installed.

Begin estimating the financial impact, to the extent you can. VW immediately set aside $6.7 billion and recalled some 8.5 million vehicles. However, that was just a down payment. In June 2016, the carmaker settled with three federal agencies for $14.7 billion, by far the largest clean-air fine to date. In many cases, VW must buy back vehicles that it can’t easily resell or export.

Post-crisis strategies: Realize that it’s a long road back from a management crisis, even for companies that do everything right. VW took responsibility, admitted the extent of the fraud, paid to fix the problem and cover fines, spent five years figuring out how to make its signature diesel engine meet emissions standards and changed executive leadership. Yet as of March, the company’s stock price still had not rebounded to its pre-fraud level.

Catastrophic Crises: When Mother Nature Strikes

Catastrophes are forces of nature — hurricanes, droughts, wildfires, tornadoes and pandemics. Over the past 30 years, the number of severe hurricanes has tripled, and these big storms have become more intense both in wind speed and precipitation. Wildfires in western states are more common and larger.

Without an action plan, catastrophes are existential threats. Plans must be comprehensive and consider the increasing scope and severity of natural disasters. Go beyond business continuity to include responses to stresses on the community and your ability to serve customers as you recover business operations.

“If working from home and a decentralized workforce has been a smooth transition for your organization over the past month or so, chances are you had a good disaster recovery plan in place,” says Richard Lockson, SVP of IT at cloud integration consultancy AllCloud.

Pre-crisis preparation: In all cases, it’s an up-to-date, well-tested, comprehensive business continuity plan backed up with stockpiles where it makes sense. Catastrophes require unique, prescriptive actions that you can’t figure out after disaster hits.

Formalized, vetted continuity plans have been developed by leading companies and government agencies, so you don’t need to reinvent the wheel. The Department of Homeland Security’s Ready.gov site provides an excellent general-purpose plan. For financial firms, FINRA provides a continuity plan template. For smaller companies, consider disaster recovery in an as-a-service model.

Process is critical, too. It’s a problem if only one person can do the month-end close or knows the passwords to cloud accounts and servers.

“More than one person in a finance department needs to know how to run payroll, for example, which makes cross training among employees very important,” said Jody Cire, CFO at AllCloud. “Strategic initiatives can’t stop in a crisis, either. A significant disruption, such as what we’re experiencing now, may call into question a company’s very viability, prioritizing finance-related issues such as fundraising and M&A.”

Crisis response: This is largely dependent on the catastrophe and the critical functions of the business. For most companies, Lockson says to focus first on restoring access to the applications employees depend on — email, calendar, finance systems, payroll — and making sure you can communicate with your employees, customers and partners.

Post-crisis strategies: The goal is resumption of business operations, with all departments operating as normally as possible. Once you get as close as possible, eliminate any single points of failure that negatively affected operations. If the internet went down at headquarters, get a backup connection. If you were without power for a few hours, get a generator. Second-sourcing materials, implementing a durable work-from-home plan and ensuring that at least part of your business can continue to generate revenue are vital to operating well and reliably in modern times.

Develop an after-action report — what went well, what areas need improving — as soon as possible, while events are fresh. It’s tempting to skip this step. Don’t.

After severe catastrophes, such as a pandemic, corporate goals and objectives may need to be reevaluated.

Cybercrime

Cybercrime is big global business: The World Economic Forum tracks attacks by industry and estimates that, between 2019 and 2023, approximately $5.2 trillion in global value will be at risk.

For most businesses, ransomware attacks and data breaches for purposes of theft are the most likely hazards. Physical security also must be considered.

Pre-crisis preparation: It’s financially infeasible to protect against every possible attack. Rather, evaluate your risk. Do you handle personal data, such as healthcare records or Social Security numbers? Do you accept credit cards? Then you’re subject to regulations including HIPAA and PCI. While “compliant” does not automatically equal “secure,” following the guidelines laid out in these standards is a good place to start.

Then, have your team or a consultant assess your individual risk. We like the free NIST Cybersecurity Framework, which covers five areas for which every organization should have controls.

Ransomware gangs don’t take American Express, so fund a Bitcoin wallet before you need it.

Another best practice is to purchase cybersecurity insurance. These policies are designed to address data-breach-related expenses including forensic investigations; monetary losses, such as for ransom payments, a key purchase driver; customer and supplier data loss notifications; and ensuing lawsuits. A recent cybersecurity insurance report by credit rating agency A.M. Best provides more information.

Crisis response: For ransomware, if you pay within the prescribed time limit, the bad guys may reverse the process. So move quickly, especially if your IT team cannot restore your data from a backup. In the case of data theft, notify customers as soon as possible.

Moving on-the-fly to infrastructure and software as a service transfers much (though not all) security responsibility to expert teams at cloud providers while also increasing business resilience. By definition, cloud-based systems are securely accessible from any internet connection. That’s often not the case with on-premises systems.

Post-crisis strategies: In cases of data theft, virtually all states require you to report data loss, and with GDPR in Europe and the California Consumer Protection Act now in force, you can be liable for significant fines on top of the cost of remediating your systems and notifying customers.

Every day, top-tier IT teams who thought they had security in hand fall to attackers. Use the experience to improve. That gives you a positive story to tell customers, employees and the press.

How to Create a Crisis Management Committee

In between mis-shipped golf balls and wildfires are mundane crises, like a pipe bursting in the warehouse or the resignation of a key employee, and the not-so-mundane, like the loss of a very large customer or a supply chain disruption.

Figuring out what could go wrong is the role of a cross-functional crisis management committee comprising representatives from each major department as well as a triage team that jumps quickly into crisis situations.

The committee’s mandate is to:

• Annually or semiannually audit companywide and departmental business resilience plans for completeness, timeliness and relevance to outside forces, like changing regulations.
• Review departmental plans, which should be tested quarterly. Get reports from operations, finance, HR, IT, legal and other stakeholders.
• Work with the CFO to analyze the financial impact of actions called for by the master plan.

The committee should include one or more top business executives as well as department heads, communications and marketing managers, HR leaders, corporate council and a board representative where appropriate.

That’s a big group — too big to make critical decisions on the fly. For that you need a triage team that’s smaller and flexible in its makeup. Standing members might include the COO, CIO, facilities director and VP of engineering or HR, depending on your business.

Keep the triage team both lean and high-ranking, so it can analyze what happened and craft an initial response quickly. This team reports to the CEO, who will add other players as needed. The first issue at hand is to make sure that the emergency is in fact understood and contained — the fire is out. The leak is stopped. Unsafe facilities are evacuated.

The finance team will have a big part to play once the triage team understands the issue. There’s a cost to get back to normal operations, and there may be lost revenue while a service or production facility is down.

Understanding the financial ramifications of a disaster and its cure is critical, as is determining how far to go in preventing future occurrences. Cures need to be better than the malady. If the problem is big enough, finance may need to work with creditors to secure the funds needed to return to normal operations.

The triage team is responsible for advising the CEO on the tenor of initial communications. It’s also responsible for determining involvement of other teams and setting a rough timeline for returning to normal operations.

How to Handle Crisis Communications

The ICM describes crises as either sudden — a product is dangerous and needs to be pulled immediately — or smoldering and likely to draw ongoing attention.

Determining whether a crisis will linger with employees, customers and the press and general public is an important function, and how initial communication is handled often determines how affected constituencies react.

CEOs need to lead initial communications, with corporate PR or, in extreme cases, a crisis communications consultant. Lawyers, HR, COOs, CFOs and others may have input, but you get only one shot at initial outreach. Our advice is to remain factual, advise on steps constituents should take and establish a timetable and channel for further information.

This is your Day 0 response, and it should be all about the welfare of employees, customers, suppliers and the public. Looking out for the well-being of the balance sheet by obfuscating or being deceitful almost always has exactly the opposite effect. Be honest, brief and direct.

In its extremely comprehensive Crisis and Emergency Risk Communication manual, the CDC provides advice on building credibility and trust, choosing an effective spokesperson, interacting with the media, legal considerations and more. The manual is recommended reading for anyone leading crisis communications.

As you move ahead with your crisis plan, continually assess the accuracy of initial communications. If you said the wrong thing, fix it.

How To Implement Crisis Reputation Management

If you have a strong social media presence, this is not the time to go silent. In fact, social listening is the best way to understand if your message is resonating.

Carefully crafted, honest communications will be key to maintaining your corporate reputation. The style of communication, your honesty about what’s happening to your business and, when appropriate, messaging on how your company is aiding an affected community is critical.

“A best practice in social media right now is to try to find ways to break through the clutter,” said Tony Wright, CEO and Founder of Wright ICM and an expert in digital media communications in times of crisis. “If you can’t break through the clutter, speak to your existing customers as opposed to looking to find new customers. There will be a time for new business development in social media. Right now might not be the best time.”

As an example, during COVID-19, a local pet daycare center sent out a message on social media offering free pet care for first responders. It was a welcome gesture and demonstrated that the owners are supporting the community while remaining open for business.

Consider offering replacement products or free repair services, even if you aren’t contractually obligated to do so. Would you rather be right, or would you rather keep your customers? It’s usually not a hard choice.

Reputation repair can take more than some comped service if the crisis was caused internally by faulty products or services or management malfeasance. In these cases, you need to prove that the cause has been found and dealt with appropriately. WeWork and Uber are examples of cases where toxic leaders were not removed quickly enough to prevent brand damage.

In a major crisis, cash flow is king. But as you get back to normal, it’s your employees and customers that will make your business flourish. It’s virtually impossible to sacrifice those in the short term and not suffer long-term reputation damage. Consumers want to do business with companies that share their values. In times of crisis, that means exhibiting compassion and helping affected communities to the extent you can.

Crisis Resolution: What Next?

If all of this sounds laborious and expensive, it is. But the process of creating and executing a crisis management plan will make your organization more resilient. Risk management and mitigation are intrinsic to business planning, and risks are brought into sharp relief as you assess the impact of losing a key supplier or customer, an internet connection falling victim to a backhoe or a store or manufacturing site being destroyed by a hurricane.

In each of these cases, there are steps you can plan to take in the moment, and then there are moves you can make when times are good that will not only lessen the impact of a crisis but benefit your business.

Humans are built by evolution to spot and react to crises. What’s not so instinctual is doing it well. Which brings us back to how Johnson & Johnson responded to a tampering crisis.

The company could have said that it appeared that the scope was limited to Illinois, or even the Midwest. Instead it recalled every Tylenol product and told the public not to take the medication. James Burke, J&J’s chairman at the time, formed a seven-member task force with the first goal of protecting customers, and a secondary goal of reintroducing the product to the market in a way that ensured purity. The company set up hotlines and continued its communication that the public should not use Tylenol purchased prior to the date of its release with new safeguards.

Americans saw that J&J put safety before profits, and when the company re-released Tylenol with tamper-proof packaging, consumers returned to using it. Today, Johnson & Johnson’s market cap is nearly $350 billion.