A Crisis Response Framework: Strategies for Effective Leadership Mary E. Galligan Director Deloitte & Touche LLP August 4, 2015
Managing a crisis
A crisis is a major catastrophic event, or a series of escalating events, that threatens an organization s strategic objectives, reputation, or viability. Crises typically exceed existing mitigation techniques and risk management programs such as Business Continuity, Disaster Recovery, Health and Safety plans, or Emergency Response.
Crisis management in today s world. Papal Audience 2005 vs. 2013
Crisis response framework
Crisis Management Program coverage Important to include cyber risks and other non-traditional crisis risks Insider Threat Data privacy Agency data Breach Cyber risks are an important crisis risk to invest in covering Cyber attack Lost Laptops Loss of critical data Lack of Data Integrity Crisis Management Program Coverage Tornado Crime Ineffective Crisis Messaging Pandemic Earthquake Flood Fire Theft Terrorism Today s Crisis Management Program Labor Issues/ Strikes Ebola Important to have a big umbrella Active shooter Extended Government closure Inability to provide services Citizen Trust Important to expand crisis risk coverage beyond people, place and technology Sudden increase In costs Safeguarding citizens Citizen information leakage
Comprehensive crisis management program Eleven elements needed to establish and sustain a program Governance Organizational Structure Thresholds Roles & Responsibilities Leaders Management Plans Current Response Plans Crisis Leadership Skills Logistics Technology Training and development Using tools to support the organization s overall crisis management response
Operating principals during a crisis
Operating principles for managing a crisis. 4 5 Drive towards actionable intelligence 3 Be ready for the unexpected 2 Actively communicate 1 Continually frame the crisis Lead decisively
Leaders set the tone
1. Lead decisively Act taking no action is making a decision Always keep in mind your goals and objectives Focus on what you can control; accept what you cannot Avoid analysis paralysis you will never have all the information Establish a clear, ongoing decision-making process Prioritize decisions based on their crisis impact Manage incidents locally, and crises as enterprise-wide In a crisis, don't hide behind anything or anybody. They're going to find you anyway. - Paul Bear Bryant
2. Continually frame the crisis Quickly diagnose the crisis with the available information Think ahead anticipate how the crisis might progress Reassess everyday do not fall in love with the plan Do not let the incidents distract you from the crisis It's a crisis if everybody calls it a crisis. - Morgan Downey, Lasalle Global (quote from Credit Crisis of 2007)
Communicating in the age of social media Crash of Asiana Flight 214 at SFO 7/6/13 Timeline of Events 6 July 2013 The first tweet, posted within 30 seconds of impact. 11.27am: Plane makes impact at SFO 11.28am: First photo from a Google employee boarding another flight hits Twitter (within 30 secs!) 11.30am: Emergency slides deployed 11.45am: First photo from a passenger posted on Path, Facebook and Twitter, re-tweeted by 32,603 users 11.56am: Norwegian journalists asks for permission to use photo from first tweets. Several media requests follow 1.20pm: Boeing issues statement via Twitter 2.04pm: SFO Fire Department speaks to the press for first time 3.00pm: NTSB holds press conference, and keeps updating Twitter with photos 3.39pm: Asiana Airlines first statement released 3.40pm: White House releases statement 8.43pm: First Asiana Press release (6.43am Korea time)
3. Actively communicate Own the story, don t let the media tell it for you Be candid communicate with honesty and personal commitment Convey consistent messages internally and externally Back your words with actions Control the narrative communicate on a regular cadence Choose wisely who speaks they will be the face of the organization We get far more credit than we deserve when things go right and too much blame when they don t. - Mel Karmizan, Former Viacom President
4. Be ready for the unexpected Know that individuals may act differently under extreme pressure Realize that normal organizational roles may not apply to a crisis Avoid relying on a single person for successful navigation in a crisis Anticipate when and how external parties may steer the crisis Recognize your limitations a crisis can test everyone s breaking point Prepare to work with limited (or no) technology / information If anything can go wrong, it will - Capt. Edward A. Murphy ( Murphy s Law )
5. Drive towards actionable intelligence Beware of confusing data and intelligence Focus on who needs to know what and by when Cast a wide net important information can come from anywhere Qualify your sources misinformation is as prevalent as information Recognize you will never have all the information Ramp up your ability to process data do not let it bury you Record what you knew at the time of the decision True genius resides in the capacity for evaluation of uncertain, hazardous, and conflicting information. - Winston Churchill
Chaos framework
Question and answer
Contact info Mary E. Galligan Director, Cyber Risk Services Deloitte & Touche LLP mgalligan@deloitte.com
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.
About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ( DTTL ), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as Deloitte Global ) does not provide services to clients. Please see www.deloitte.com/about for a detailed description of DTTL and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting. 36 USC 220506 Member of Deloitte Touche Tohmatsu Limited