Any plumbing company which thinks it’s not likely to be struck by a crisis should spare a thought for the mid-sized American operation, Fazio Mechanical Services, which had a contract to maintain refrigeration and HVAC at Target stores.
Because Fazio Mechanical’s computer system was not kept fully protected, a phishing assault by criminal hackers used the contractor’s online access to break in to Target’s accounting system. They stole 40 million credit and debit card numbers and 70 million personal information records in one of the biggest ever data breaches of its type. With just 125 employees, Fazio may have thought it was too small to get caught up in a major corporate crisis, and then found out the hard way.
To be fully crisis prepared there are two separate activities and both need to be addressed.
For any business, the first step is to identify and manage the issues which have the potential to become crises. Proactive plans then need to be put in place, and there are simple ways to do this.
The second step is to establish a straightforward but robust process to respond when and if a crisis does actually strike. One of the reasons companies give for not being crisis prepared is that there are just so many potential crises you can’t possibly deal with all of them, so you might as well not deal with any.
Clearly every business has different needs and different risks, depending on the industry where it operates, its size, its profile, its reputation and many other factors. But while you can’t prepare for every possible crisis, every business has what I call ‘natural’ crises. These arise from the risks which are natural to the company or the industry and represent the most probable crises.
A good place to start reviewing crisis risk is to ask yourself some tough questions.
- How strong is our business continuity plan if we faced a sudden unexpected event?
- Could we demonstrate that we have effective processes in place if we were accused of allowing sexual or racial harassment, or workplace bullying?
- Are we well prepared to handle a major product failure or recall?
- When did we last audit our compliance with environmental, health and safety regulations?
- Do we encourage ‘no fault’ upward reporting of problems and near misses?
- How well is our computer system protected against breakdown, data loss, breach of privacy or cyber-attack?
It’s essential to remember that these are not remote or unlikely crisis risks. Consider how Fazio Mechanical got caught up in a massive crisis. Or consider the Geelong builder fined $12,500 for bullying an apprentice. Or the Melbourne construction company and its directors recently fined almost $900,000 after the death of a young employee. Or the small company servicing regional Queensland, which has just been penalised about $265,000 for underpaying staff. And don’t forget the widespread publicity and reputational damage last year when a batch of ALDI taps were alleged to be causing high levels of lead in drinking water.
Identifying possible crises needs a genuinely honest look inside the company. But it also helps to look outside.
- What kinds of crises have other companies in our industry had?
- What did we learn and how well would we have performed if it happened to us?
- Are we actively engaging with our trade association to keep abreast of trends and changes and emerging issues?
- Are we listening to our stakeholders to properly understand their concerns?
- And, most importantly, do we have a process to identify and respond to risk issues and red flags?
The American management expert Kurt Stocker once wrote: “When you look at the majority of crises, what happened should have been on or near the top of the list of possible events. Why wasn’t anyone prepared?” It’s a good question and one every company should ask.
However, identifying and managing potential crises before they occur is just the first step. To be fully crisis prepared also requires a process in place to respond promptly and effectively if preventive measures aren’t sufficient and a crisis does strike. In other words, when you move from crisis prevention to crisis response.
Despite what some consultants advise, there is no one-size-fits-all crisis response plan. It could be a 300-page document with detailed instructions across dozens of different departments and communication templates for every possible scenario.
Or it could be a simple set of guidelines for what to do and say in the event of a crisis.
Regardless of scale, it must be appropriate to the organisation and it must be updated and tested on a regular basis. While the format will vary, these are some of the core requirements:
- A designated crisis management team comprising the people who will be most help in a crisis situation, not necessarily the full executive group.
- An activation process which can be used 24/7 to assemble the team.
- A well-equipped crisis management location which can be accessed at all hours.
- An agreed plan of roles and responsibilities.
- Designated and media-trained spokesperson(s) who can speak with both compassion and authority. Even the smallest business should determine who will be the nominated go-to person in a crisis and they should be media trained.
- Contact lists prepared in advance: including emergency services, regulators and elected officials, news media, customers, suppliers, insurers and others.
- Pre-prepared information about the organisation which is up to date and ready for immediate use.
- A schedule of training meetings and scenarios to make sure the response plan is a live document which doesn’t just gather dust.
It’s impossible to overstate the importance of having a plan and being able to implement it quickly.
While big companies typically have experienced crisis managers and spokespersons, smaller companies sometimes make a crisis worse by not speaking at all, or saying the wrong thing.
Take the case of a recent incident in Melbourne when a crane dropped a load of wet cement, which killed one man and severely injured another. The crane company was severely criticised because it said nothing publicly for more than 24 hours. Then the company issued a carefully worded statement to the media, but failed to post it on either its Facebook page or website, which had not been updated for two years.
It’s easy to be critical when crisis communication is not well managed. But at the same time, none of the steps to get crisis prepared are difficult or expensive.
Crisis management can seem daunting to smaller businesses, but simple planning may spell the difference between survival and destruction. Indeed, research in Australia shows that one in four organisations struck by a crisis goes out of business.
Even basic crisis preparedness could save you from being the one in four which does not survive. You don’t have to commit a lot of money and resources, but you do have to consciously want to do it.
Visit plumber.com.au and log in to discover a members only check list.
Dr Tony Jaques is a Melbourne-based crisis expert and Director of Issue Outcomes Pty Ltd (www.issueoutcomes.com.au). He writes the e-newsletter Managing Outcomes and his latest book is Crisis Proofing: How to Save your Company from Disaster (Oxford University Press, 2016). www.oup.com.au/books/highereducation/management-andmarketing/9780190303365-crisis-proofing.
