Of the many well-publicized cyber-attacks that have occurred in the past decade, at least one was noteworthy because it failed to bring a company down. On the morning of Jan. 16, 2012, millions of people awoke to the news that every online shopper dreads: Zappos, a leading retailer of shoes, apparel, and accessories, had been the victim of a cyber-breach that captured information from as many as 24 million customer accounts. Major news outlets, financial websites, and security blogs all published headlines covering the crisis at Zappos, which had been acquired by publicly traded Amazon just three years prior in a deal worth US$1.2 billion.
The online retailer immediately announced the launch of measures to reduce the impact of the crisis. But the most critical factor in surviving the attack didn’t need to be launched. The company had already put preventive measures in place, long before the hack was discovered. For example, it had stored customer passwords and credit card information on a separate server from other customer details, a server that was ultimately found to be uncompromised by the cyber-attack. Zappos also had used hashtag encryption to conceal customer passwords. Had the hackers accessed the relevant server, they would have seen “##########” in place of the actual passwords.
These precautions were considered leading-edge practices for protecting customer information from cyber-attack, but they were most noteworthy for something that had little to do with technology. They were part of a comprehensive crisis response plan that articulated the capabilities that Zappos would need if a cyber-attack — or any other type of business-disrupting crisis — occurred.
For instance, Zappos had developed a protocol for notifying key stakeholders in a crisis. Thus, when the breach was discovered, the company immediately notified internal staff about the issue and the company’s planned response. Then, before news hit the press, Zappos sent an email to all customers with registered accounts, letting them know that it was proactively resetting all their passwords. The message contained an email address for questions or help creating new passwords. By providing this alternative to its call centers, Zappos ensured that far fewer customers would wait anxiously on hold; thus, fewer would develop a negative perception of the company. It also gave the call centers more time to respond to individual messages; it had figured out in advance that customers were more patient with email than with phone calls. Finally, having already given its staff readiness training, Zappos could easily shift people from other functions to surge support for customer service.
All this preparation paid off. Customers and security experts commended Zappos’ communications strategy and transparency throughout the crisis. Three weeks after the breach was announced, Amazon’s share price was higher than before it happened, and though the company was the target of a class action lawsuit from nine states as a result of the breach, Zappos ultimately settled for a mere $106,000.
Zappos’ approach and similar responses we’ve seen from other companies — including those affected by the WannaCry attack — demonstrate a basic principle: You develop the capability to handle a crisis long before you need it. This capability should be broad enough to cover any type of crisis, including an operational disruption, a cyber-breach, a terrorist attack, a major accident, a natural disaster, a crime, a pandemic, a food safety scare, a major labor dispute, a financial meltdown, a product failure, a sexual harassment case, or your company’s ethical scandals coming to light. It also should be focused enough to fit your company’s unique culture, practices, and strategy. Ideally it should help you not only manage crises but avoid some self-inflicted ones. You can’t put this kind of crisis preparation capability in place overnight — you need to develop it as a way of life.
Crises Are Inevitable
The likelihood that your business will be hit by a highly threatening, unexpected event has never been higher. In a PwC survey of 164 chief executives around the world, launched in 2017 and known as the CEO Pulse on Crisis, 65 percent of respondents reported experiencing at least one crisis since 2013; 15 percent had experienced five or more. Forty percent expected to experience a crisis in the coming three years, and an additional 33 percent expected to experience more than one or even many more during that time. According to another PwC survey (pdf), conducted in 2015–16 with more than 1,400 global CEOs, two-thirds believe that their businesses face more threats today than three years ago.
They are right to be worried. In 2015, cybercrime alone was estimated to cost businesses $375 billion, up from $3 billion in 2013. The 10-year average for insured and uninsured losses from natural catastrophes is $194 billion. This doesn’t take into account the costs of fraud, corruption, pandemics, labor disputes, or the many other types of crises that organizations may face today. Episodes like this don’t affect just a few “bad apples”; they have challenged every type of organization, including those with good reputations, highly loyal customers, and long track records of success.
Whether the original crisis is self-inflicted or caused by external events, lack of preparation almost always makes the outcome much worse. And only one in 10 companies is prepared, according to the law firm Freshfields Bruckhaus Deringer, whose lawyers interviewed 102 crisis communications specialists who had worked on 2,000 significant reputational risk incidents in 80 countries. Only one in five companies had ever simulated what a crisis might look like, four in 10 had no plan at all, and 53 percent of companies struck by crisis did not regain their previous share price.
Why is good crisis preparedness so rare? Probably because it requires many organizational moves that can feel uncomfortable at first: collaborating closely across organizational boundaries, raising awareness of potential problems, and closing the gap between strategy and execution. If you assume the buck stops at the CEO’s desk, and that any problem can be solved if the top leaders make the right decisions, you might miss the need to build operational capabilities throughout the enterprise. Conversely, if you invest in operational capabilities around the world, you still may have difficulty getting the right signals communicated up the hierarchy quickly. Crisis preparedness also runs counter to the natural impulse to minimize potential problems, to deny that they exist, or to try to cover them up.
Fortunately, even the most devastating events generally start as small incidents. The sooner your company can recognize these incidents’ potential for trouble, the more effectively it can respond. To build the capability for responding, you need to consider three critical dimensions: people (your governance structure and relationships), preparedness (planning and execution), and testing (rehearsing your actions in advance). As you gain proficiency in all three dimensions, you become better equipped for managing crises before one is already upon you. Then, it will be too late to learn; now, you still have time.
People: Governance Structure and Relationships
Imagine that you are the head of a company that builds and maintains long-distance natural gas pipelines. These tend to run underground for hundreds of miles, far from your headquarters or anywhere you directly conduct business. One morning, a pipeline bursts under a community of thousands of people. Families are evacuated, and some individuals are badly hurt. Unexpected accidents of this sort leave many companies paralyzed; it can take years to recover their reputations.
Murphy’s law is not a myth: The worst is likely to happen. You have to start now to be ready.
We know of several energy companies that have found themselves in this situation. Their ability to handle the crisis depended almost entirely on how well they had prepared for it. In the cases that worked well, the top leaders of the company, and the board, were directly involved in the preparations, along with everyone up and down the line.
In the pipeline example, within two or three hours of the explosion, the company is ready to issue a statement expressing concern for the injured and the community. Updates to the news media rapidly follow, explaining how the company plans to respond.
Legal issues — not just preparations for liability claims against the company, and for any class action suits that might follow, but for regulatory approval as well — are involved. Parts of the pipeline will have to be shut down, and gas deliveries may have to be suspended while the company begins to check the cause of the damage. That will mean customers have to find alternative sources of energy. The company must check every other part of its pipeline network for similar weaknesses, and it must keep up community outreach, maintaining contacts with local reporters and potentially a website or app devoted to revealing the company’s efforts. It must also reach out to investors, assuring them that measures are in place that will allow the company to recover, without downplaying the financial expenses of investigation and repair — expenses that could rise in some cases to the billions of dollars.
Sooner rather than later, the company’s leadership — ideally the CEO — will have to make a public statement. Advisors have talked regularly with the CEO, planning these statements and perhaps even rehearsing them, ensuring that they avoid any sign of self-concern or glib assurance (such as talking about the time the CEO has spent addressing the problem, or saying there’s nothing to worry about). Other roles, including the technical and public relations posts, are also rehearsed and planned. Because they have talked through the process, company employees don’t assume that someone else is taking care of everything; they know just how they will step in to manage part of the crisis. Indeed, everyone in the company understands the part they must play in guaranteeing recovery and future safety.
In this way, even after a gas main explosion or similar catastrophe, a company can restore its reputation and go on stronger than it was before. But everything depends on the relationships within the enterprise from the CEO on down, and with key external officials and regulators. Human connection is central to crisis preparation. People need to know what they need to do next, who to report to, and who they can rely on.
The critical importance of the CEO’s involvement was demonstrated after a horrific accident that tested the crisis management ability of Merlin Entertainments, a Luxembourg-based company whose United Kingdom facilities include the Alton Towers theme park just north of Birmingham. On June 2, 2014, two cars on a roller coaster crashed. Sixteen people were trapped, and four were seriously injured; two young people had to have their legs amputated. Though the park did not perform well in overall preparedness (it took 17 minutes for the staff to notify emergency responders), there was a clear, engaged response by Merlin CEO Nick Varney as soon as he learned of it.
First, the company immediately closed the park, providing a full refund to anyone who arrived after the incident or the following week. Varney took responsibility, appearing the following day on BBC Radio’s “Today” program. “Clearly we’re absolutely devastated by what happened,” he said, “and our thoughts are with those who were injured and our hearts go out to them and their families. As a business, we are all about giving safe, fun, memorable experiences with the emphasis on safety. Clearly something went terribly wrong.” When the interviewer asked what caused the accident, he replied, “We’re trying to find the causes of an accident that shouldn’t have happened. All roller coasters are designed so that two cars can’t be on the track at the same time but clearly they were. I’m not going to sit here and make excuses; I simply do not know what made the accident happen.” As for the share price, he said, “You’ll forgive me if I’m not really focused on the share price at the moment.”
No one but the CEO could have credibly made statements of that sort, and they would have been meaningless unless they were backed up by the rest of the company. Indeed, during the following months, Merlin Entertainments paid the fines and damages demanded by the Health and Safety Executive (the U.K.’s regulatory bureau) without contesting them (essentially pleading guilty), and immediately put in place a series of safety measures.
To establish a web of relationships that will be valuable during a crisis, look at both formal and informal connections. The formal governance structure encompasses reporting relationships (the chain of command, or “lines and boxes” on the org chart) along with the escalation or decision rights given to key individuals — and their backups if they are not available. Spell out explicitly what is expected of key employees and key retainers with supporting third parties. If outside contractors are involved, formal arrangements can include signed memorandums of understanding so that there is no ambiguity about who is responsible, for example, for keeping IT systems working.
Although you can’t know what type of crisis you will encounter, you can specify many of the tasks that must be handled under altered circumstances, and who will handle them. Some participants will be designated as makers of public announcements, others as information gatherers; still others will be assigned to provide communications help, logistical help, or legal advice. Make sure the plans are flexible and holistic enough to handle variations — for example, key people may be on vacation when the crisis occurs.
Augment these formal arrangements with informal working relationships, cemented by opportunities to meet together and ideally work on common projects — including, but not limited to, the design and development of the crisis capability. Look for aspects of your culture that reinforce the values you want to be present when a crisis occurs. For example, Zappos drew on its well-established cultural values of building open and honest relationships with customers. If your employees have worked together on a day-to-day basis, if they trust one another’s reliability and competence, and if they put customers first, then all of these behaviors will still be in place when the company is faced with a crisis.
Most arrangements will combine formal and informal elements. Inside your company, cement the formal reporting relationships with group sessions, retreats, or other opportunities for collaboration. Externally, reinforce them with networking. For example, your crisis managers undoubtedly have contact information for local law enforcement officials. But the officials will be far more prepared to act effectively if your crisis teams have ongoing conversations with them, and they feel comfortable with each other. The same is true of other relevant external parties, such as lawyers, logistics experts, and public relations professionals. Get to know them in advance.
Relationships with groups you perceive as opponents are also critically important. This could include local interest groups, industry bloggers, and activist investors. In any disaster, there will be people who, rightly or wrongly, feel justified in taking your company to task. They may threaten lawsuits or otherwise address you through formal means, but there may also be an opportunity to reach out to them in candid conversation and ask, “What would convince you that we are acting in good faith?” If they are honest in their answer, you may find they are interested in something you hadn’t considered important, such as a high level of transparency or the willingness to answer questions.
If you’re reluctant to engage with people this way, ask yourself if it’s because your capabilities are weak. You can build those capabilities by designing good governance structures as “guardrails” and then practicing, through regular conversations, your ability to talk informally with groups you might have avoided in the past.
Preparedness: Planning and Execution
Companies that are prepared tend to come out of a crisis relatively unscathed. The WannaCry cyber-attack that began May 12, 2017, the largest-scale ransomware attack in history, was possible because of a software vulnerability generally believed to have been made visible through a leak of U.S. National Security Agency hacking tools. Some companies weathered the storm simply because they had put in place the software patch that Microsoft distributed in March after news of the leak broke. These companies were primed to do this quickly because they were prepared — not for this specific event, but for any changes that might affect their prevalent operating systems.
A similar level of preparedness was important to Home Depot in September 2014. In a cyber-attack that month, data from 56 million credit and debit cards was stolen. The company had a plan in place, as well as the technical ability to eliminate the malware as soon as it was discovered. Within a day, Home Depot announced that the threat had been removed, and it promised customers that they would not bear the cost of any fraud and that the store would offer them free identity theft and credit monitoring services. The chain also announced the adoption of chip-based credit card scanners more rapidly than had been planned. It took two years to settle a class action lawsuit for $19.5 million, but during that time, the company’s share price continued on an upward trend.
Companies that are not well prepared can compound their difficulties. Even if they accept responsibility — for example, by announcing an independent audit of the situation — there is a time gap involved for those that are not prepared. During this time, while you are busily organizing and deciding how to respond, the world is waiting for you. People are speculating. If there’s a perceived problem with a product you manufacture, for example, the retailers that carry it may feel pressed to withdraw the product temporarily, which will raise more questions. It could even create a snowball effect in which other retailers follow suit. Your product may be deemed free of problems in the end, but the episode will have added a great deal of unnecessary damage to your reputation and distribution network.
Build a single plan for your overall acumen. There are at least seven categories of crisis to prepare for: financial (for example, an abrupt drying up of credit), legal (a shift in regulations), technological/intellectual (a patent theft), operational (a supply chain failure), human capital (a harassment case), humanitarian (a terrorist attack), and reputational (a major ethical failure coming to light). Within each of these categories are countless permutations. Few companies have the resources to prepare for all of them separately, and if they did, they would create silos that duplicate or even undermine one another’s efforts. Moreover, many disasters combine two or three types of crisis at once. One well-managed crisis plan, and the ability to execute it by drawing on people throughout your organization, will set you up for a broad array of contingencies. For the leaders of this effort, pick people who are good observers and skilled at rapid organization. They should be able to recognize a crisis early, glean the causes, assemble the response team, handle issues requiring immediate attention (such as plugging a leak or putting out a fire), alert the rest of the organization, and align everyone with the process.
You can’t predict which crisis will strike or when, but you can analyze your preparedness for the crises most likely and relevant to you — for example, a retailer is vulnerable to cybertheft, an energy company to environmental crises, and a manufacturer to operational failures. Having a plan in place is not enough; you need to be sure you can execute. Look closely at the capabilities you already have and how they could help you. At most medium-sized to large companies, this type of crisis-ready analysis takes 10 to 16 weeks and involves pulling together the relevant players to explore what would happen when the storm hits and to answer questions like these: Have your risk professionals played a key role, integrating their enterprise risk management plans into this new effort? Does the legal team know the current compliance regulations for resolving an operational accident, and how to work with communications to send the right messages at the right times? Are terms of reference in place for outside consultants? Run through contingencies and what-ifs, drawing on sources of expertise throughout your company. For example, your 24-hour customer service hotline can be redeployed as a 24-hour crisis triage center for customers and investors. There’s no need to reinvent or duplicate expertise.
Make sure that people have paper copies of the crisis plan, and have memorized critical telephone numbers. The plan is not worth anything if the paper is lost or the computer is inaccessible. Many companies are also building apps for their crisis plans that are tailored to each crisis team member’s role. This allows for easier updates and ready access when it’s needed.
Finally, start now. The PwC CEO Pulse on Crisis survey of 164 global chief executives found that 25 percent had not even started planning for simple contingencies. But of those who had plans in place, 83 percent reported that their companies had been in a crisis, that planning had helped them respond effectively, and that they had bounced back financially afterward.
Testing: Rehearsing Your Actions
Accepted practices for risk preparedness tend to vary by industry. In financial services, for example, government compliance requirements have mandated the need to provide backup IT systems and tests of the robustness of contingency and continuity plans. These common standards have an effect; when the crisis management teams of 140 banks went through a scenario exercise in September 2016, they were all similarly prepared. Other industries, such as consumer products, are much less regulated — and the variation in preparedness from one company to another reflects their lack of shared knowledge.
In this context, financial-services companies have an edge; their industry has primed them to test risk policies in advance. But they will not benefit unless they follow through. The only way to learn what to do is to rehearse a simulated crisis that requires you to show that you have contingencies covered. That’s where you’ll discover that good plans can collapse because you’ve overlooked a logistics or IT issue, or because people required to execute the plan haven’t figured out all the details. Testing of this sort also helps you avoid the kind of awkward moment when a CEO asks the head of communications how the firm will respond to a customer Twitter storm, and there’s only silence in reply.
The testing process is also important for engaging top management. Given their fiduciary responsibilities, most chief executives and corporate board members recognize the value of risk preparedness. But ask them if the company has a crisis management plan, and you may find they know very little about it, even though they will play a critical role. They, like everyone else, need to rehearse their part.
In designing your test, emulate the financial sector, which has statutory requirements to walk through virtual crisis simulations. There are a growing number of computer-based role-playing exercises for teams, with video clips, mock social media feeds, and other electronic simulacra to provide the look and feel of an actual crisis. (PwC has produced one that enables managers to live through a simulated crisis, gaining a sense of the real-world repercussions of their decisions.) Simulations can also be tailored to rehearse particular crises, such as a natural disaster or a terrorist attack, to evaluate the quality of your response and fill in the gaps.
Be sure to test your speed. Bad news travels fast. When a crisis breaks, comments are often posted on social media within an hour. In a cyber-attack or an explosion, as we’ve seen, reaching out to affected people ahead of the news can be extremely important. But most companies take more than 24 hours to issue a statement. At one company that suffered a severe system outage, senior managers had different opinions about what to do. The chief information officer did not want to go public with the problem, no one was willing to make a final decision, and some executives failed to attend key meetings, so consensus became nearly impossible. The delays damaged the company’s reputation and led directly to lost business.
Murphy’s law is not a myth: The worst is likely to happen. You have to start now to be ready. It might take six to 12 months to evaluate your readiness, put in place the right governance structures and relationships, and design and test your plan. But that will serve you better than waiting until a crisis comes and winging it. The three dimensions above — people, preparedness, and testing — can give you the confidence you need to survive, recover, and avoid more crises in the future.
- Melanie Butler is a partner with PwC UK, based in London. A forensic accountant by background, she leads PwC’s Global Crisis Centre. She led the firm’s response to the 2013–16 Ebola outbreak in West Africa.
- Sloane Menkes is a principal with PwC US, based in DC. She is the Global Crisis Centre coordinator for Asia-Pacific Americas and a forensic services leader in PwC’s advisory practice.
- Marissa Michel was formerly a director with PwC US, based in DC.
- This article was developed with PwC’s Global Crisis Centre.