A risk analysis process can help CEOs avoid a crisis
Could a corporate crisis put your business out of business, or cause a major financial setback?
If it’s not managed effectively, the answer is clearly “yes.” As a CEO, that fact might be one of the concerns that keeps you awake at night. The chances are good you won’t even see the crisis coming unless you take steps now to assess your vulnerabilities. Where are the soft spots, the areas most likely to generate a corporate, product or organizational crisis? Just how vulnerable are you? The only way to answer those questions is to roll up your sleeves and start digging.
Job One For the CEO
Appoint action teams from top management to conduct an exhaustive, company-wide vulnerability audit. Personally hold the teams accountable to provide solutions and action plans that will eliminate weaknesses and minimize the effects of a crisis. Then, start building your crisis management plan. The crisis management plan is a blueprint for how you will react to, manage, survive and emerge from a corporate, organizational or product crisis.
In the first step, the risk analysis, where do the teams start? In most businesses and organizations, the areas of operation in which vulnerability to a crisis is most severe are:
- Human resources
- Business practices
- Building and plant
- Information technology
Here’s a look at all four areas, complete with some suggestions and some questions for which the action teams had better find answers. It is a foregone conclusion that you will identify other questions and discover other areas of vulnerability within your organization, but these points provide you with a strong start.
HUMAN RESOURCES TEAM
This team will:
- Develop an emergency chain of notification procedure for key personnel. How are you going to reach people in a crisis? Provide for regular updates to the list and assign responsibility to get it done.
- Develop a solution for ensuring that all employee contact information and their emergency contacts are kept up to date, with copies stored off site somewhere.
- Develop a method for keeping a daily record of employee travel and itineraries, including flight numbers, destination, and arrival and departure times.
- Determine if your company is legally vulnerable to a challenge to its hiring practices. Are you meeting standards for inclusion regarding race, gender, disability and age? Is a class action suit in your future?
- Develop a plan of action for employee health and safety emergencies on site, such as a bad fall, food choking, heart attack or seizure. Who would call 911, or who would administer first aid?
- What about workplace violence? Are your managers close enough with their employees to be able to spot signs of domestic trouble at home – or outright abuse? Is an angry spouse or significant other likely to suddenly appear at the workplace to do harm?
- Do you, as the CEO, and your key managers practice management by walking around (MBWA), or are they invisible to staff? Informal, impromptu employee meetings with the boss at the water cooler or on the loading dock are great pressure relievers, and can give top management a real sense of the emotional health of the workforce.
- Is there a formal employee complaint procedure, or, at least, an employee advisory committee that receives, assesses and acts upon employee concerns and issues?
- What about termination policies? Is it likely that a terminated employee could make cyber threats or return to do harm? Is there a written termination policy that provides for a formal exit interview?
- List other areas of vulnerability you can think of.
BUILDING AND PLANT TEAM
This team will:
- Create an easily accessed roster of emergency response agencies, service providers and vendors to be available at the switchboard or manager’s office; provide a plan for quarterly updates.
- Identify areas of your operation that are likely targets of internal or external sabotage and provide a plan that outlines the actions needed to alleviate those threats.
- Review current procedures for off site storage of server backups and determine if this procedure sufficiently meets security needs. Can crucial work be lost in a server crash? Of course.
- Develop an emergency exit procedure and schedule drills for fire, workplace violence, toxic substance release, and other building emergencies.
- Would an extended power outage put you out of business?
- When is the last time you conducted a fire hazard walk-through? Have you ever looked for overloaded electrical outlets in employee cubicles, proximity of combustibles to heat sources, frayed wiring and aging break room appliances?
- Develop a response plan for an onsite chemical leak or toxic spill.
- Now, list other areas of vulnerability you can think of.
BUSINESS PRACTICES TEAM
This team will:
- Develop a plan of action for the continuation of business in the event that you and your top executives die together in an auto accident or plane crash. Is it unpleasant? Yes. But it does happen.
- Develop a succession plan in the event of your extended absence because of illness or other factors.
- Examine the strengths and weaknesses of your relationships with your key publics. How close are you to your media, vendors, suppliers, health inspectors, clients, law enforcement, elected officials, industry leaders, customers and other key stakeholders and influencers? Provide an ongoing action plan to strengthen areas of weakness. Outside relationships must be kept strong. Relationships with key stakeholders and regulators are the keys to survival during and after a crisis.
- Develop a company policy requiring all staff with client/vendor responsibility to provide their contacts with all locator information and alternate contact information so the staff member can be accessible always.
- If you are a public company, are you on good terms with the analysts and media covering your business?
- Are your auditing procedures sufficient to uncover evidence of embezzlement or lapses in business ethics before they reach severe status? Do you have a code of corporate behavior/governance?
- Is your board independent, and is it made up of outside directors?
- Do you have multiple vendors or suppliers for unique components critical to the continuation of your key elements of business, or do you rely primarily on one supplier or vendor? How is the financial health of your key suppliers and vendors? What about their labor relations?
- Do your key executives experience media spokesperson training at least once annually? They should.
- What safeguards exist against product tampering, and are they tested regularly?
- Would you as the CEO be informed immediately of a cyber attack or hacking event, product tampering or fraudulent use or application of the company’s products, services or intellectual capital? Are you kept in the dark about field operations?
- Other areas of vulnerability you can list?
INFORMATION TECHNOLOGY TEAM
This team will:
- Conduct penetration testing to determine paths of least resistance for hackers and cyber thieves.
- Review access permissions both for internal and external personnel (vendors, suppliers, providers, offsite staff).
- Examine personnel and external
PLAN OVERSIGHT AND DEVELOPMENT TEAM
Composed of CEO, VPs for corporate communications, human resources, legal and a top manager from every operating unit, the Plan Oversight and Development Team:
- Merges the plans from the three action teams into one comprehensive crisis management plan; identifies other areas of high importance and requests action from the appropriate team.
- Develops a crisis management and crisis communications plan, often in conjunction with outside counsel from experienced crisis managers.
- Manages accountability and implementation timeline.
- Ensures monthly updates of the crisis management plan.
- Conducts regular drills to test plan effectiveness.
Implementation Timeline: 60 Days
- Week 1-4: Team meetings to discover vulnerabilities and provide solutions/answers/action items. Significant interaction with external consultants/experts.
- Week 5: Group presentations to Plan Oversight Team.
- Week 6: Plan Oversight Team meets to review plans; suggests revisions.
- Week 7: Plans revised by action teams and external consultants/experts.
- Week 9: Oversight team meets, reviews and adopts action team plans, creates final crisis management plan for the business.
- Follow up and updates: Ongoing for the life of the plan.
- Crisis drills and simulations held semi-annually.
CEOs: A Word of Caution
CEOs who cannot plan to be 110 percent supportive of this process and take part in it fully risk wasting their time and the time of their key personnel because the process will fail without you. Time after time, crisis management planning procedures have been launched with good intentions all around, only to be derailed by a lack of genuine support from the top. Don’t start the process unless you intend to be fully involved throughout all phases, and then play a major role in managing the plan going forward.