Risk reviews and crisis management plans: how businesses can increase protection

The UK Government’s publication of its National Risk Register should prompt companies to review their risk registers and crisis management plans. The same risks will not apply equally to all businesses (or at all) but the identified risks, and measures proposed in connection with their management, should catalyse your organisation’s engagement with risk reviews. It may even indicate avenues through which risks could arise that you may not have contemplated. Such reviews ensure the business is properly equipped to manage risks and, in turn, better placed to respond to crises.

First, you must achieve a detailed understanding of the risks facing your operations. The next step is to understand what can be done to mitigate their impact or to reduce the probability of them arising.

A risk review is the first step towards understanding your exposures, and a necessary one. A crisis management plan is no less significant.

The right tools, employed at the right time, and using the right skills, may save your bacon. If a crisis hits, a written plan and ready access to key resources will be critical success factors.

You should leverage your risk reviews and risk register in creating such a plan. Even if you cannot tell for sure what sort of crisis might ensue, a multitude of different trigger events can be anticipated.

And if you need further inspiration, consult the National Risk Register. As the document itself says: “Who should use the National Risk Register? Businesses, including small- and medium-sized enterprises, … who have a need to understand the most serious risks that could impact their business continuity.”

What should a risk review encompass?

In the context of any business, risk management has both general and specific meanings. For example, health and safety risks will be significant for a business in an engineering or manufacturing environment, whereas those specific risks may be less pertinent for companies that operate in a different sector.

But in all businesses, no matter what sector, risk management should also encompass things such as financial risks, insurance, legal and compliance risks (arising under contract or applicable laws and regulations), information security, commercial and reputational risks.

Of key importance is identifying the risks (both specific and general) that are pertinent to the organisation and deciding how to manage them. Then, of course, acting on those decisions.

Embedding risk management in the business

Risk management should not be separate from the day-to-day operation of the business. It should be about “the way we do things”. It will be more effective when approached in this manner, driving greater benefits for the business. It will also be much easier to implement, and will create less friction, if it is an inherent part of day-to-day processes and operations rather than a separate admin/compliance layer, which may just be seen as a box that has to be ticked.

Managing risks one step at a time

Risk management can be approached in a nuanced and proportionate manner, having regard to your understanding of the risks and the business’ appetite for risk. Moreover, if resources are constrained, you may have to prioritise. If so, once the key risks are understood and adequately managed within this framework, you can move on to lesser risks.

In this manner, by adopting an ongoing programme of steady and incremental improvements, major risks can begin to be addressed as a priority and other risks will begin to be captured and better managed over time. The risk management needle will gradually and inexorably move in the right direction.

In assessing the identified risks, remember that you do not have to take a binary view of the issues. Risks can generally be managed in one of four ways:

• Treat – Can you do something practical to mitigate it?
• Tolerate – If you cannot treat it, can you just live with it?
• Transfer – If you cannot do either of the foregoing, can you shift the risk? Insurance and contracts are two typical mechanisms for risk transfer.
• Terminate – If none of these is a practical option, can you jettison the risk by ceasing, or not starting, the activity that creates it?

Once you understand the risks, you can use them to inform your crisis management planning.

What should a crisis management plan include?

A plan specifies how issues are to be escalated, who reviews and responds to them and against what criteria and, finally, what supporting systems, processes and tools are available to help. It incorporates, or gives easy access to:

• Important corporate information.
• Contact details for the crisis management team and contact mechanics (such as how to access physical / virtual meeting facilities).
• An agenda for the crisis management team: a series of reference points to ensure you don’t miss anything critical.
• Pre-prepared public statements (in template form, not complete).

In addition to the plan, many organisations make use of technology to support their response during a crisis, utilising a variety of tools:

• Data discovery, news and social media monitoring to ensure issues are identified early.
• Expert analysis and reporting.
• Mass communication tools.
• Data visualisation and tracking of assets and staff.
• Online crisis management tools to ensure a rapid, consistent and well-documented response.

Putting a plan in place 

Start by asking the following questions:

• How prepared is the organisation for a crisis?
• Is the organisation resilient? Has it got the know-how, the personalities and the financial and physical assets that will allow it to withstand a serious incident and bounce back, returning swiftly to ‘business as usual’?
• What areas are most vulnerable? Where would the greatest and / or most enduring impacts be felt?
• What sorts of events might trigger a crisis?
• What would be the internal response to any given incident and the resultant crisis?

To evaluate different impacts and decide how to prioritise your response, you should adopt the ‘PEARS’ acronym:

• People. Save lives and think about the human consequences.
• Environment. Care for the immediate environment and mitigate any lasting impact.
• Assets. Salvage physical assets and data next; together with people, these are the key resources that drive your business.
• Reputation. Communicate effectively with media and others to preserve goodwill; by acting on the first three items, you will find you have already taken significant strides in this direction.
• Stakeholders. You have a responsibility to a broader community of stakeholders; this could be local communities, employees not directly affected, shareholders or regulators.

Once you have identified causes and impacts, you can start to think about how you would respond. PEARS reflects both what is the right thing to do from a moral standpoint and what, also, is most likely to reduce legal exposure and result in a sympathetic reaction from the outside world (which makes good long-term business sense).

When should you plan? 

In any crisis there are three distinct periods:

• The period before the trigger incident.
• The trigger incident itself.
• The period after the trigger incident.

Crises can arise suddenly or evolve gradually out of a series of connected events. The former are known as ‘big bang’ crises; the latter are termed as ‘rising tide’ crises. Whilst a rising tide crisis will give you more room to breathe, it may be harder to spot and, therefore, catch you off guard. Systemic fraud, bribery or corruption, which would tend to take root over months or years and reveal themselves slowly or coordinated programmes of non- compliance (such as the VW emissions scandal) are all examples of rising tides.

The effectiveness of the organisation’s response and the speed of recovery is disproportionately determined by the state of readiness and preparation pre-crisis. If your organisation waits for a crisis to manifest itself before taking steps, it will start behind the curve and likely stay there as events outpace its ability to act.

Business and legal leaders need to understand the crisis dynamic and the different tools at their organisation’s disposal to ensure a seamless, integrated approach to crisis management, communication, business continuity and recovery.

Depending on the facts, the directors may bear personal criminal liability; and major litigation, regulatory sanctions and fines can all follow. Each of these is likely to place members of the executive team under significant personal strain and will probably lead to a substantial diminution in corporate value and goodwill.

The crisis management team (CMT)

You will need a local team at or near the site of the crisis, with support (such as experience, resources, money and a broader view). Ideally there should be representation from:

• Business leadership (although not necessarily the CEO).
• Operations.
• Health, safety and environmental.
• Human resources.
• Finance.
• PR / communications.
• IT.
• Specialists such as environmental, medical or chemical experts or hostage negotiators (imported if you lack the skill sets internally).
• Legal.

Review of crisis management plan

The review should generate refinements to the crisis management plan, and outline requirements for additional training and resources. You must remain flexible and be prepared to innovate to overcome the evolutionary challenges of a crisis.

If you have questions about how to conduct a risk review, assess the risks you have identified or to implement a crisis management plan in your business, please contact Nick Watson.