How many firms had up to scratch and effective business continuity plans and crisis management responses when the world shut down in 2020?
Financial institutions discovered whether their working-from-home plans really worked when people got locked down. Some of them discovered their main contingency was predicated on back-up sites, which clearly were inaccessible, and had to scramble to enable working from home in the middle of the crisis. But thanks to Zoom and a lot of effort from tech colleagues, including the distribution of tons of hardware, the show went on.
The finance industry proved to be operationally resilient, but it was “lucky” the pandemic did not hit its core business. And the crisis unfolded in a matter of weeks, giving us time to adjust at pace. Other sectors were not so lucky.
Preparing for a Crisis
Effective crisis response is not built in the middle of a crisis. It is planned for, it is tested, it is improved, and tested again in “normal” times. It is first and foremost about bringing together and enabling a group of people to make the right decisions at the right speed and at the right time. It is not possible to plan for every scenario, but it is necessary to get some key ingredients right to enable the same group of people to adapt to the situation with a minimum level of improvisation.
Figure 1. Crisis Response Framework
Crisis Response Roles and Responsibilities
Clear roles and responsibilities must be in place at both global and local levels. This includes defining who will be part of the crisis response executive team and how the short-circuit decision process will work – responsiveness is key; decision by committee is simply not possible. Depending on the situation, local management must be in a position to make decisions without global “interference”; for example, in case of a natural disaster, the global management must be positioned to help, not to hinder the local response. This also includes defining how the group will be brought together – for example, how to reach people if the firm’s network is down and emails do not work?
Crisis Communication
Internal and external communication is critical. Contingency planning is key for this to work and this was a major failure in the TSB incidents back in 2018. This is less about having the forethought to consider all possible scenarios – that is unlikely to happen – and more about considering key factors in how, when and to whom to communicate. Some ground rules:
o Communication must consider all required and possible client / customer channels (e.g. regulatory notifications, website, in-app, social media, letters, emails, branches, text messages, etc.). The objective is to ensure as many impacted parties as possible are aware of what is going on and make no assumptions on what people will and won’t see.
o Communication must be clear, precise and concise. When TSB referred to “the vast majority” of its customers in its communication, it created a material ambiguity on who was being impacted at a time when there was a successful first-time login rate of only 50 per cent on their web channel – making the situation worse for them and their customers as more and more people tried to log in.
o Communication must be timely; it should not be too early so as not to exacerbate the issue (e.g. do not communicate in the middle of a cyber-attack; no need to advertise to the world you might be vulnerable), but should still enable your stakeholders to make decisions if / when they are impacted (a clear failure on TSB’s part).
o Communication must be “proactive”. If you know you are about to update some critical infrastructure over the weekend, let your customers know you will be undergoing some maintenance and your services might not be available for a period of time. This will enable them to prepare for it.
Crisis Response Testing
Finally, this must be tested, and tested again. And the test must be as close to reality as possible. A team in crisis mode must know and understand the playbook. It must be able to act together. It must have built some group resilience and agility. It must understand how to emotionally respond and support each other in a very difficult – and sometimes life-threatening – situation.
Crisis response is a key non-financial risk management framework and it clearly depends on the type of industry you operate in and the potential impact of something going wrong. Testing and preparation are as much about checking that the capabilities and tools are in place and work, as they are about making sure the “humans” are as ready as possible to make the right decision at the right speed and moment under (humongous) stress. There will be some improvisation, that is inevitable; but getting the key ingredients covered in this short blog post right will get you a long way to surviving and recovering from a crisis.