It is out there: the fraud incident, the data breach, the safety lapse, the technological meltdown. Your next crisis could manifest itself in a number of ways, and, almost by definition, you will not see it coming.
How quickly and effectively your organization responds, stems the overflow of information, and communicates with stakeholders throughout the event will have a lasting effect on how your company is judged – demonstrating grace under pressure or exacerbating the damage of the crisis.
This reality is not lost on CFOs, who are well aware of the types of crises they are prepared for – and those they are not.
When a crisis strikes, the situation can be managed by relying on a pre-established culture of crisis preparedness and by employing three tactics: leveraging the golden hour, developing a common operating picture, and prioritizing stakeholders
Prepared or not, companies have to respond when called. The response can be extremely challenging for C-suite leaders as they try to sort out myriad concerns in real time, including defining the crisis, determining its cause, and generating options to stanch its impacts.
While some crisis planning can happen in advance, this issue of CFO Insights discusses some essential tactics CFOs can employ in crisis response and why learning these tactics can help to preserve a crucial level of trust and confidence among the impacted company’s many stakeholders.
An introduction to response tactics
As businesses become more complex and interconnected, confronting some sort of crisis is almost inevitable. Many companies recognize this trend, which is why corporate functions and business units typically have well-practiced risk mitigation plans in place to address routine issues.
Some of these include safety plans for manufacturers, recall plans for food companies, and liquidity plans for financial institutions, along with disaster recovery and security plans for companies across industries.
However, even with these initial steps taken, when a profoundly different, rapidly evolving crisis event hits – when that crisis has an impact that extends beyond the organization’s capacity to respond, and when it has exceptionally high stakes and an even higher degree of uncertainty – it is impossible to write a plan for what to do.
To face off against crisis events, a culture of crisis preparedness is required. This includes defining roles and responsibilities, establishing incident protocols, and identifying leaders to run the response – all before a crisis hits. Crises disrupt the operations of a company, as well as threaten its strategic imperatives, viability, and reputation. Such crises include:
- Multiple events occurring at the same time (e.g., domestic terrorism)
- Events with wide-ranging impact (e.g., natural disasters that breach levees or flood nuclear reactors)
- Black swan events that simply lie beyond an organization’s imagination
Whatever form the crisis may take, business leaders, including CFOs, should develop a common response approach. They should understand that there is a common approach to responding to a severe, franchise-threatening crisis, regardless of its origin.
At the strategic decision-making level, the crisis leadership skills required to respond to a cyber breach are the same as those needed for a chemical spill, a bribery scandal, or a regulatory violation.
At the tactical level, the response to these crises will differ.
For many of these scenarios, company leaders will have to improvise and learn to adapt to the alternate universe that a crisis brings. This means thinking strategically even when surprise is a factor. It means acting decisively in the face of time pressures.
Add the challenge of sorting through misinformation or simply not having enough facts on hand, and executives face a dilemma:
- Make decisions quickly at the risk of basing them on incorrect or inadequate information; or
- Wait for the perfect set of data, thereby essentially freezing in the headlights and making no decisions at all.
The odds of an effective crisis response increase if the unknowns are dealt with in an organized way. Then, when a crisis strikes, the situation can be managed by relying on that pre-established culture of crisis preparedness and by employing three tactics for response: leveraging the golden hour, developing a common operating picture, and prioritizing stakeholders.
Even if the crisis is not related to finance, the CFO is crucial to identifying functional impacts. In a crisis like a cyber breach, those functional impacts may include determining insurance coverage, deciding if the event must be reported to regulators, and estimating the costs of the breach
Leveraging the golden hour
The concept of the golden hour originated in emergency medicine during World War II. Medics found what they did in the first hour of a patient’s arrival – both in terms of assessing the situation and mobilizing appropriately – profoundly affected the patient’s chances for survival.
Applied to a business crisis, what happens during the onset of an event greatly affects the extent of damage and eventual outcome of the crisis, as well as determines the course of action in the weeks and months to come.
Leading crisis responders first conduct a mobilization meeting to share emerging information about the crisis, create an understanding of the potential impacts across the company, and start to define roles and make decisions about initial response actions.
During this precious time, executives should avoid the temptation to try to understand why the crisis happened. This will come later. Instead, executives should mobilize promptly and start by focusing on what they know, and what they want to know.
During the mobilization meeting, executives should determine the “CEO’s intent,” including the definition of success for the response and the timeframe for accomplishing it. These guidelines will enable C-suite executives to align their actions to the overall objective and galvanize the rest of the organization to work toward that common vision.
A CEO’s intent that stresses financial preservation could result in one set of actions, while a CEO’s intent that expresses the need to maximize customer retention could result in a different response. The CFO can offer suggestions and serve as a sounding board to the CEO to help shape the intent of the crisis response.
Companies should emerge from the golden hour with a clear strategic direction, set at the CEO and executive level, that will guide the hours and days that follow it.
The CFO may not be the person chairing this initial call or meeting, but he or she is crucial to identifying interdependencies. For example, if the nature of the crisis is a liquidity crisis, the CFO may naturally be the subject matter specialist and work with business units to assess the impact of the problem and brainstorm possible responses.
Even if the crisis is not related to finance, however, the CFO is crucial to identifying functional impacts. In a crisis like a cyber breach, those functional impacts may include determining insurance coverage, deciding if the event must be reported to regulators, and estimating the costs of the breach.
Overall, the full C-suite should work in concert as a cross-functional leadership team – and the CFO is central to that team.
To conclude the mobilization meeting, participants should agree on when to convene next and take initial steps toward the second tactic: determining what is known, what is unknown, and how that information builds a common operating picture for the response.
For natural disasters, a company may prioritize employees and community members. For a cyber breach, the response may begin with the customer or law enforcement. In an accident involving the CEO, the board and shareholders may be engaged first
Developing a common operating picture
During a crisis, information is inaccurate, contradictory, and sporadic. Additionally, managers’ responsibilities often shift during a crisis, with some assuming more wide-ranging duties than they typically perform, while others may be embroiled in unfolding events and completely unavailable.
In this splintered environment, developing a common operating picture – a COP – can help organize the response team. Simply stated, the COP is a single, identical display of relevant information that can be shared across the whole team. It includes information, such as:
- facts (what do we know? what do we want to know that we don’t yet know?)
- impacts across lines of business, functions, and stakeholders
- decisions and actions, both planned and completed
The benefits to a COP are threefold. First, the tactic helps to reduce white noise. During a crisis, it is often difficult to discern critical information from misinformation. No matter what, executives have to make decisions with the information they have, so the COP provides a mechanism for capturing the known information in one place as a single version of the truth.
Second, an enormous amount of time is usually spent keeping everyone on the response team in the loop. The COP can streamline these efforts and save precious minutes.
Lastly, using the information stored in a COP is a leading practice when creating communications related to the event, whether the messages are internal or external, to ensure the organization speaks with one voice based on one set of facts.
As circumstances change, the common operating picture will need to be updated (updates should occur multiple times per day). With the required care and maintenance, the COP provides a dynamic snapshot of what is known or not known at a particular point in time, and tracks the actions in play.
Actions taken during a crisis, if they are ill-conceived, can create a loss of trust between a company and its stakeholders. Maintaining trust involves quickly identifying who is impacted and what their concerns entail.
While companies need to demonstrate empathy for all those affected, they also have to assess who is the most impacted and who has the most influence, and then develop a very deliberate way of stratifying different categories of stakeholders.
Stakeholder prioritization involves advance planning that provides a quick payoff during the crisis. Impacted stakeholders are generally known in advance of different types of crises.
For natural disasters, a company may prioritize employees and community members. For a cyber breach, the response may begin with the customer or law enforcement. In an accident involving the CEO, the board and shareholders may be engaged first.
After identifying the stakeholders for each type of crisis, leading companies will categorize them by the impact the event will have on them and their level of influence during the event.
Effective communications should address the myriad of reactions stakeholders may have to the event, including anger, concern, and anxiety. Honesty, transparency, and inclusiveness are also critical
Some important questions to consider include:
- Who will be most impacted and how?
- Can turning the opinion of influential stakeholders create business advocates?
- Are there stakeholders who you merely need to keep in the loop? How do you prioritize them?
By categorizing the different interested parties, you can devise a strategy for how to engage with each of them, in what order, and to what extent. Stakeholders who both have influence and are impacted by the event will be the most critical to engage with first.
Throughout a crisis, communication and empathy with stakeholders will be important. Effective communications should address the myriad of reactions stakeholders may have to the event, including anger, concern, and anxiety. Honesty, transparency, and inclusiveness are also critical to an effective response.
Flexible deployment of these tactics
This article rests on the idea that having an overarching culture of crisis preparedness and implementing associated tactics will enhance a company’s ability to protect and preserve value and maintain or enhance stakeholder confidence in the event of a crisis.
The mobilization meeting, common operating picture, and stakeholder prioritization are tried and tested approaches to crisis response. By identifying effective crisis leaders (including the CFO) before a crisis event and empowering them with these tactics, companies can successfully manage their responses to almost any event.
About the Author
This Deloitte CFO Insights article was developed with the guidance of Dr. Ajit Kambil, Global Research Director, CFO Program, Deloitte LLP; and Lori Calabro, Senior Manager, CFO Education & Events, Deloitte LLP. For more information about Deloitte’s CFO Program, visit www.deloitte.com/us/cfocenter.
© 2017 Deloitte Development LLC. All rights reserved.