A hacker stole your client data. Was your crisis management plan ready and waiting?

Why is it so important to have a crisis management strategy?

Imagine this scenario: your organisation has just experienced a massive data breach that has compromised the personal information of your clients. News of the breach spreads quickly in the media, and before you know it, your company is being bombarded with negative publicity. Your organisation’s reputation is on the line. Were you prepared?

A major PR crisis can threaten to destroy your company’s reputation and erode customer trust, leading to significant financial losses. This is a nightmare scenario for any leader, and it highlights the importance of having a robust PR crisis management plan in place.

A crisis can strike at any time, and if you’re not prepared, the consequences can be catastrophic.

Common excuses for missing crisis management plans

While many businesses recognise the importance of having crisis management strategies in place, a significant number of either don’t have a plan or have an outdated plan that hasn’t been updated to reflect new risks and emerging technologies.

This lack of preparedness can leave companies vulnerable to unexpected events, leaving them scrambling to respond and mitigate the damage.

Here are some of the common excuses we hear at Strawberry Media for missing crisis management strategies:

1. “We’ve never had a crisis before, so we don’t need a crisis management strategy.” This is a common misconception, as crises can happen unexpectedly, and companies need to be prepared to respond quickly and effectively.
2. “We don’t have the budget for it.” Developing a crisis management plan does not have to be a costly endeavor. Many companies can create a plan internally, leveraging existing resources and expertise.
3. “We don’t have the time to create a plan.” While creating a crisis management plan does require time and effort, the consequences of not having one can be much more significant.
4. “We’re too small to need a plan.” Even small businesses can be vulnerable to crises, and having a plan in place can help mitigate the impact of a crisis and protect their reputation.
5. “We have crisis management strategy, but we haven’t updated it.” An outdated plan can be just as harmful as having no plan at all. Companies should regularly review and update their crisis management plan to ensure that it is effective and reflects current risks and technologies.

Excuses are like noses, we all have one. (That’s not quite the saying, but you get the idea!)

Don’t be caught out without a crisis management plan that has been updated at least once a year.

Crisis management plans should also be tested regularly to ensure that it is effective and that all employees are familiar with the procedures.

Your plan is the starting point for your crisis management process

Here are the key elements to include in your crisis management strategy:

1. Crisis management template: A crisis management template is a tool that provides a structured and comprehensive plan of action to follow during a crisis. You should save it to your regular system as well as somewhere offsite in the event that you can’t access your normal IT system.
2. Crisis management team: Designate a team responsible for managing crises, led by a crisis manager. Your team should include clear roles and responsibilities, and make sure that all team members receive regular training and are familiar with the plan.
3. Risk assessment: Identify potential risks and vulnerabilities that could lead to a crisis, and conduct regular assessments to ensure that your plan addresses emerging risks.
4. Media monitoring: Monitor traditional and social media channels for potential crisis situations, and proactively engage with stakeholders to address concerns.
5. Stakeholder management: Identify and prioritise your key stakeholders and develop a plan for how to communicate with and manage them during a crisis.
6. Crisis simulations and scenario planning: Regularly conduct crisis simulations to test your plan’s effectiveness and identify areas for improvement.
7. Business continuity plan: Develop a business continuity plan to ensure that critical business operations can continue during and after a crisis.
8. Post-crisis analysis: Conduct a post-crisis analysis to identify lessons learned and develop an action plan for improving your crisis management plan.

This is crisis management in a nutshell. Let’s delve into each of these areas a little more.

Your crisis management template

1. Index and introduction: an important overview of your plan and an index for each searching
2. Business Details: your organisation, name, address, ABN or ACN, and tax file number.
3. Bank account details (for every account): name of bank, company name, account name, number, BSB, direct debit details. Details of machines.
4. Emergency Contacts: contact details of key people including your accountant, bank manager, solicitor, insurance broker and doctor
5. Internal contacts register: the name, address, phone number and emergency contact details of your crisis manager, crisis management team, and senior management team, including human resources.
6. Letter of Authority: this allows designated people from your organisation to discuss matters on your behalf. It should be on letterhead.
7. Insurance: Insurance company, policy number, renewal date, type of insurance – eg. building, contents, Workcover, method of payment.
8. Business leases: what type of leased, when payments occur and how.
9. Building details: equipment and utilities: including landlords, equipment, computers and IT, electrical, gas, plumbing, water, telephone, refrigeration, locksmith, mail.
10. Staff: Company, name, position, phone, email
11. Key clients/customers: Company, name, position, phone, email
12. Supplier Contact Register: Company, name, position, products supplied, phone, email
13. Assets: List of all assets, including purchase date, value and serial number

Nominate your crisis management team

A crisis management team is composed of crisis team members who are responsible for managing a crisis and implementing the company’s crisis management plan.

Crisis team members should come from different departments across the organisation, including senior executives, public relations, legal, operations, and IT.

Here are some key considerations for setting up and managing a crisis management team:

1. Clear roles and responsibilities: Each crisis team member should have a specific role and responsibility within the team, such as leading the team, communicating with stakeholders, managing the response, and coordinating with external partners.
2. Regular training: Crisis team members should receive regular training on the company’s crisis management plan to ensure that they are prepared to manage a crisis when it occurs.
3. Testing: Crisis simulations are a great way to test crisis team members’ skills and familiarity with their roles and responsibilities.
4. Communication protocols: The team should establish clear communication protocols, including how to communicate with stakeholders, how often to communicate, and what channels to use. Crisis team members should follow these protocols to ensure effective communication during a crisis.
5. Escalation procedures: Crisis team members should understand the escalation procedures and follow them when necessary to ensure that crises are escalated to the appropriate level of management.

Having a well-designed and well-trained crisis management team is crucial for effectively managing a crisis.

The team should be empowered to make decisions quickly and effectively and should work collaboratively to ensure that all aspects of the crisis response are managed effectively.

Assess your risk, well before the worst case scenario happens

Risk management is about planning for events that might occur in the future. Crisis management, on the other hand, is about reacting to negative events when they are occurring and afterwards.

While risk management and crisis management are different, they both need to be assessed and planned for.

For example, you might determine that your organisation is at risk of having customer data stolen. As part of your risk management process, you would assess the likelihood and severity of the risk.

As part of your risk management process, you would try to mitigate data theft by hiring a consultancy to secure your IT systems and customer data.

As part of your crisis management process, you might still determine that despite your efforts to protect your data, a breach might still occur. In this case, you would plan for how you would handle a data theft crisis, which might include pre-preparing holding statements, conducting simulations, pre-preparing lists of stakeholders who you might need to contact.

Here are some steps that can help you assess your crisis risk:

1. Identify potential crises: Start by identifying the potential crises that your organisation could face. This may include natural disasters, cyberattacks, data breaches, product recalls, supply chain disruptions, financial scandals, workplace voilence, and other events that could negatively impact your organization.
2. Evaluate likelihood: Once you have identified potential crises, evaluate their likelihood of occurring. Consider factors such as your industry, location, regulatory environment, and history of similar incidents.
3. Evaluate potential impact: For each potential crisis, assess its potential impact on your organisation. This could include financial losses, damage to your reputation, legal liability, and other negative consequences.
4. Eliminate or reduce risks: Take steps to reduce your most important risks so that they never happen.
5. Develop holding statements: A crisis holding statement is a pre-prepared statement that acknowledges the occurrence of an event and assures stakeholders that the organisation is taking appropriate action, and it should be developed for all assessed risks to ensure a prompt and appropriate response during a crisis.
6. Review and update regularly: Regularly review and update your risk assessment and crisis management plan to ensure that they remain current and effective.

By assessing your crisis risk for different scenarios, taking steps to mitigate as many negative events as possible, and planning for how you would handle a crisis if it did happen, you will help strengthen your business against risk and potential disaster.

Set up media monitoring to help you identify early warning signals

Media monitoring refers to the process of tracking various forms of media, such as news outlets, social media platforms, and online forums, for mentions of your organisation, its products, or its industry.

It is helpful in identifying crisis situations early because it allows you to stay informed about any emerging issues that could potentially impact your reputation or operations.

By monitoring media channels, an organisation can detect potential threats, identify trends, and assess the public sentiment around a particular issue.

This can help you take proactive steps to address potential problems before they escalate into full-blown crises.

It can also help your organisation to track the effectiveness of its crisis communication strategies and adjust them accordingly. You can identify gaps in its crisis communication planning and make improvements where necessary.

Some specific benefits of media monitoring include:

• Identifying potential risks and threats to your organisation’s reputation or operations before they escalate.
• Assessing the public sentiment around a particular issue and understanding how it may impact your organisation.
• Tracking the effectiveness of crisis communication strategies and adjusting them accordingly.
• Gaining insights into how competitors are responding to similar issues.
• Staying informed about industry trends and developments that may impact your organisation.

In Australia, Meltwaterand iSentia are the two main media monitoring players in the industry. Setting up google alerts for your business and leadership team is also a good idea.

Media monitoring is really the canary in the coal mine for crisis management and should be prioritised.

List all of the potential stakeholders who might be impacted by a crisis

One of the first steps in managing a crisis is to identify the key stakeholders who will be affected by any crisis.

This is important because these stakeholders will have different concerns and priorities, and your organisation’s response should be tailored to address their needs.

Identifying stakeholders quickly is essential because it allows you to communicate effectively with them and address their concerns in a timely manner. Failure to do so can result in further damage to the organisation’s reputation and may prolong the crisis.

It’s amazing how many groups of stakeholders you can forget about in a panic. Thinking through who might be impacted by a crisis well in advance is important.

Stakeholders who may be affected by a crisis can include:

1. Customers: Customers may be impacted by the crisis, either directly (e.g., if a product they purchased is affected) or indirectly (e.g., if the crisis impacts the organisation’s ability to deliver products or services).
2. Employees: Employees may be impacted by the crisis, either through direct harm or by the disruption to their work.
3. Shareholders: Shareholders may be concerned about the impact of the crisis on the organization’s financial performance.
4. Regulators: Regulators may need to be informed about the crisis and any actions being taken to address it.
5. Suppliers and partners: Suppliers and partners may be impacted by the crisis, either directly or indirectly, and may need to be informed about any changes to the organization’s operations.
6. Local communities: Local communities may be impacted by the crisis, either through direct harm or by the disruption to their daily lives.

By quickly identifying key stakeholders who will be affected by a crisis, organisations can develop targeted communications and responses that address their concerns and needs, which can help to minimize the negative impact of the crisis.

Should you build out your full stakeholder contact lists in advance?

Yes, it is a good practice to have built lists of key stakeholders in advance. This will save time and effort when a crisis occurs and allow your organisation to communicate quickly and effectively with those who are affected.

Building stakeholder lists in advance involves identifying and compiling contact information for each stakeholder group, including:

• names
• phone numbers
• email addresses
• other relevant information.

This information can be stored in a secure database or contact management system. Key contacts from this list should be included in your crisis management template.

Having up-to-date stakeholder lists can help organisations respond more quickly and efficiently during a crisis.

It can also help to ensure that all relevant stakeholders are included in the organisation’s response efforts and that no one is left out.

Regularly reviewing and updating stakeholder lists is also important to ensure that they remain accurate and up-to-date.

Should media be part of your stakeholder list?

Yes, media should be considered as part of your organisation’s stakeholder list during a crisis.

The media can have a significant impact on an organisation’s reputation and can help to shape public perception of the crisis and the organisation’s response to it. As such, it is important to consider media outlets and journalists as key stakeholders in a crisis.

Having a media contact list that includes relevant journalists, news outlets, and media organisations can help you to quickly and effectively communicate with the media during a crisis.

This can help to ensure that accurate information is being disseminated, which can help to minimise the negative impact of the crisis on your reputation.

It is important to note that the media should be approached strategically and with caution during a crisis.

Organisations should work with their crisis management teams and public relations professionals to develop messaging that is clear, accurate, and appropriate for the situation. They should also be prepared to respond to media inquiries promptly and transparently, while also being mindful of any legal or reputational risks that may be associated with speaking to the media.

Simulate different crisis scenarios with your team

Scenario planning and exercises are critical to effective crisis management planning. By simulating potential crises, an organisation can identify gaps in its plans, assess its response capabilities, and refine its crisis management procedures.

Here are some steps to follow when conducting a crisis simulation exercise:

1. Define the scenario: Choose a realistic crisis scenario that is relevant to your organization, such as a data breach, a natural disaster, or a product recall.
2. Set objectives: Identify the objectives of the exercise, such as testing the effectiveness of your crisis management plan, training your crisis team members, or improving communication protocols.
3. Develop the scenario: Create a realistic scenario that includes specific details about the crisis, the timing, and the potential impacts. Develop a script that outlines the actions that your crisis team members should take.
4. Conduct the exercise: Run the simulation exercise and evaluate how your team members respond. Observe how they implement the crisis management plan, communicate with stakeholders, and make decisions.
5. Debrief: After the exercise, conduct a debriefing session to discuss what went well and what could be improved. Review the feedback and identify areas for improvement.
6. Refine your crisis management plan: Use the insights gained from the exercise to refine your crisis management plan. Update contact lists, improve communication protocols, and revise procedures as needed.

By conducting regular scenario planning and exercises, your organisation can help make sure that your crisis management plan is effective, your crisis team members are well-trained, and your organisation is prepared to manage almost anything!

What happens if your office is on fire or your IT systems have crashed? The importance of business continuity planning

A business continuity plan outlines the steps that your organisation will take to respond to a crisis and maintain its critical functions and systems.

A crisis can result in significant damage to your infrastructure, systems, and data. When this happens, it’s important to have a plan in place that outlines how to house staff and information in a safe and secure location.

Here are important steps to consider with recovery crisis management:

1. Designate your crisis manager or crisis coordinator: Your crisis manager will lead the business continuity planning process. This individual will be responsible for assessing the severity of the impact, identifying which systems and locations are inaccessible, and determining whether any sensitive information has been compromised. Based on this assessment, your crisis manager or coordinator can then determine where staff should work from and what systems they will use.
2. Assess the damage: Your team should assess the damage, detailing the systems and locations that cannot be accessed, as well as any information that has been compromised.
3. Move out of harm’s way: Relocate affected areas. This might mean moving equipment to another part of the office or new office. Similarly, if employees’ workspaces are unavailable, they may need to share desks or work from home until alternative arrangements can be made.
4. Fix the problem: You might be able to remedy parts of the situation yourself, which could involve calling your energy company or other essential services. You might also need to call in experts to assess the situation and begin repairs.
5. Return to normal operations: With recovery complete, it will be time to test your organisation’s systems and operations, and (hopefully) return to business as usual.

By undertaking the crisis management methods discussed, you will help mitigate an actual crisis and be prepared to manage incidents that do occur with an effective response. This might help salvage you operation’s reputation when it matters most.