If we know what’s the crisis, why aren’t we still unprepared?
I always enjoy reading survey reports, all kinds of them, because most surveys deliver surprising, oftentimes shocking results, something that blows your mind.
As a security professional, I read crisis surveys wearing different glasses, by which I mean I look at the results and numbers from multiple angles, crisis management being a big chunk of my work after all.
In Nov — Dec 2016, The Economist Intelligence Unit (EIU)
interviewed 537 executives from 15 industries across the world for their perceptions of corporate crises.
The following charts from the survey reveal some interesting perspectives of the business leaders.
*above pictures from The Economist Executive Report
What are the key messages here?
To sum it up in a simple sentence:
The world business leaders see crisis mainly in 3 categories, namely,
· traditional crisis
· cybersecurity issues
· political issues
Another crisis survey took a different approach and came up with something through a zoom-in lens.
A crisis management survey of 170 large firms in 27 countries conducted by Regester Larkin and Steelhenge Consulting found: (*an old article on “Security Management” April 2016, page 16–17)
· 86% of the respondents said they had a crisis management plan,
· 59% carried out crisis training at least annually.
· 52% said their firms had mobilized a crisis response team within the last year.
· 14% did not have a crisis plan at all.
What needs to be underlined here is — half (52%) of the 170 big corporations have had at least one company crisis in 2016.
More interestingly, the respondents admitted there were challenges and obstacles when they tried to get the senior management (CEO’s and C-suites) actively involved in the crisis management system.
They gave 4 major reasons for their senior leaders’ decline or reluctance to participate in training or crisis exercises:
1. Time-short — the CEO’s are simply too busy to be bothered by a crisis training
*If a CEO of a company is so busy that he can’t be approached for serious business issues, the company needs an immediate diagnosis and maybe an operation. Don’t you think?
2. Overconfidence — some CEOs often deal with the media and feel they could handle crisis communication without taking part in an exercise.
*Overconfidence may be an understatement. What I see in their “overconfidence” has nothing to do with confidence, but wrong understanding of “crisis” and “crisis communications”.
3. Inaccessibility — exercise organizers can’t reach up to the CEO office.
*Well, refer to item 1 — crisis training? What crisis training? Wasn’t it done last year? The CEO’s secretary sneers…
4. Misunderstanding — some CEO’s still confuse crisis management with emergency response which they think is conducted on the operations level only.
*This is another popular myth about crisis. Some mistake a crisis management with an emergency response, others believe crisis management is all about a well rehearsed media statement.
No wonder that 46% of the respondents said “lack of senior management buy-in and support” was the biggest challenge to preparing their organizations for a crisis.
If you have been a crisis management coordinator or training facilitator, you probably want to cry at hearing this — you can’t agree more.
In Deloitte’s 2018 global survey of more than 500 senior crisis management, business continuity, and risk executives, the world crisis map shows a different face.
*above picture from the Deloitte Report
Nearly half (46%) have had cyber incidents in the past two years (2017–2018).
Isn’t it striking that though everyone seems to agree cybersecurity incidents would be the most disruptive and damaging crisis scenario, 19.5% of us are still unprepared for it?
What’s the issue that stops us from getting us ready for the clearly defined risks?
That’s a question every CEO and security professional (as crisis coordinator) should think hard about.
How does it look now in 2019?
A recent survey of PwC speaks volumes.
It is PwC’s first ever survey of such kind in which 2,084 senior executives from 25 industries across 43 countries were interviewed — 64% of the respondents are from c-suites.
Of the 2,084 respondents, 1,430 said they have experienced at least one crisis in the past 5 years, that’s 68.6% of them. (compare the figure with 52% in the Regester Larkin survey in 2016)
If 2/3 of the world’s businesses have been stricken by crises in the past 5 years, no one should assume they will be the lucky ones in the years to come.
PwC has sorted major company crises into 7 categories:
Operational — 53%
Technological — 33%
Humanitarian — 29%
Financial — 28%
Legal — 24%
human capital — 21%
reputational — 20%
*The above percentages don’t add up to 100% because most crises carry multiple attributes.
But the top 3 categories, namely operational, technological and humanitarian are certainly worth more attention and efforts.
Another interesting finding is the top 3 most disruptive crises for the companies are identified as:
1. Liquidity issues — 14%
2. Technological failure — 11%
3. Operational disruption — 8.5%
However, these top 3 disasters are not as eye-catching to the media or the general public as the top 3 “in the news” scenarios:
1. Cybercrime — 38%
2. Marketplace disruption — 37%
3. Ethical misconduct — 20%
*in terms of news coverage
How to read the messages?
In layman’s terms, when most companies are preparing to handle liquidity, technological and operational problems, the world (media) is expecting exciting stories of your failure in incidents related to cybercrime, competitiveness and misconduct (of your senior management).
A loose-cannon executive of your company would ruin all you have been busy preparing yourself for with a simple tweet or a careless remark.
The world loves stories — those involving crime, anecdotes, controversial rhetoric even better.
But what are the major crises in the vast “unknown unknown” world of uncertainty?
The surveys won’t give you answers to your questions — they only provide you with an overlook of the same problems others may also have.
But at least we can be sure of the following:
• Half or even more businesses will have to deal with at least one crisis every year or soon.
• Cybersecurity incidents will be the most likely scenario.
• Any political event and its ripple effect might strike you off guard
• To prepare you for the future crisis, training, refresher training, exercises are the key
• If we agree cybersecurity incidents are THE crisis scenario, we need to get off our tails and wait no more.
Now, do you still believe you are well prepared for the next crisis?
What would you do next?
For more about the cybersecurity risks, read Aon’s 2019 Cyber Security Risk Report: What’s Now and What’s Next
— — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Read the reports mentioned and cited in the article: