Regulations are getting more complex. Cybercrime is up. There is elevated scrutiny of organizations’ actions in the environmental and social arenas. News travels at the speed of the internet. Are you ready if a regulator shows up at your door? Or if you wake up to a public calling out of your organization for unethical conduct? Put another way: how do you feel about your organization’s ability to respond quickly and appropriately to a crisis?

Many organizations haven’t thought about how to handle a sudden, adverse event. Or management thinks it can handle that type of situation without clear and documented planning. As a result, some organizations haven’t even thought about the risk of not creating a crisis management plan.

Some are better prepared. You may have a plan for a specific risk or two – perhaps for a data leak or a strike at a plant. Or, maybe you conducted a crisis management exercise a few years ago. But who keeps the plan updated? And will Compliance have a seat at the table?

Using tabletop exercises is an excellent way to test your organization’s preparedness and identify weak points in planning. However, getting executives and board members to dedicate time and resources to a crisis management tabletop exercise may be difficult.

If you recognize your organization needs improvement in this area, you don’t have to wait. You can take several smaller steps to reduce the potential for chaos in a crisis. For example:

· Identify other group heads that are like-minded and understand the value of crisis management, and work with them.

· Start by considering who should be at the table if the unthinkable happens. Legal, corporate communications, compliance, and HR should always be involved. They may not be the decision-makers, but they are critical for advice, conducting a risk/reward analysis, and executing a plan. Depending on the issue, other teams will also be indispensable: IT security, marketing, and operating heads, for example.

· Document who should organize the initial meeting and whom to include.

· Be sure there is an easily accessible list of contact information for the crisis team.

Remember, someone, like Compliance, must advocate for doing the right thing — not just protecting the company from liability. Too often, organizations prioritize minimizing financial risk as the primary consideration. Deny, delay, and defend is a common strategy. Unfortunately, that strategy often leads to not only reputational damage but also fines and penalties as the regulators learn the truth.

For the opposite approach, we can look to Intuit. When the company received a complaint that its tax preparation software had a defect, Intuit promptly worked to identify the cause of the flaw, offered replacement software to anyone who asked, and offered to indemnify customers if they incurred penalties from the IRS due to the flaw. While customers may have been annoyed at the extra work it caused them, Intuit’s reputation was intact, and its business has grown.

If you aren’t comfortable with your organization’s preparedness to handle a crisis, make some inquiries. Compliance certainly needs to understand how the organization controls such risks, and it should have a seat at the table. If you aren’t satisfied with your organization’s crisis management plan, begin to take some steps. Elevate your concerns. If you can’t address a crisis management plan now, put it on your roadmap for the next quarter or year.  

If you are looking for help with proactive crisis planning, don’t hesitate to reach out to us. You can reach us here on our site, or email us at hello@rethinkcompliance.com. We’d be happy to help.