Jeremy Smith, DMD, Global ERS, Global leader of Deloitte's Center for Crisis Management
CIOs and their peers in the C-suite face the ongoing possibility of major adverse events that can bring business activities to a halt or even imperil a business’s very existence. Cyber security breaches are relatively new features on a complex, ever-changing risk landscape that includes natural disasters, fraud, financial crime, regulatory action, product defects, supply chain failure, and other events. Company share prices dive more precipitously and rebound more slowly when companies are poorly prepared to handle crises of great scale. These conditions mean CIOs are putting their reputations and their careers on the line when they develop and implement plans for dealing with crises.
As senior executives and as architects of systems and assets that enable critical business processes, CIOs have an integral role in helping to create and administer crisis management plans that are robust and state-of-the-art. CIOs can add enormous value by mapping the company’s information flows and communications channels and determining not just how to harden those assets against crisis situations, but how they can enable the company to prepare for, withstand, and overcome the worst possible shocks.
Before a crisis: Readiness
Corporate crises are becoming increasingly frequent, severe, and diverse. And while companies may be accustomed to managing minor crises, major crises have the power to do irreparable damage to a company if inadequately prepared. Today’s crisis management plans must be written accordingly, taking into account multiple crisis scenarios and the unknown. Today’s plans are very different from the crisis management plans that companies might have developed even just three years ago.
The C-suite should take part and invest in developing a company’s crisis plan by pulling in key leaders from other functions, such as strategy and risk management, to ensure a holistic and well-balanced outcome. Business leaders have to consider the assumptions that are at the heart of their strategies, and then think through the vulnerabilities that arise because of those assumptions and the related strategic choices.
The CIO has a special role in that they must determine how the company’s strategic assumptions and choices depend on its ongoing information management capabilities, and then must figure out how those capabilities can be preserved throughout a crisis. Some crises disrupt a company’s IT assets; others leave those assets intact but require responses enabled by IT. The crisis management plan needs to account for both scenarios.
Once a company has a developed a cohesive crisis plan, it can be extremely valuable to stress-test the plan using “war game”- style simulations. Sophisticated war games include the sorts of surprises that can catch companies off guard in the real world, and thereby reveal contingencies that a crisis plan didn’t address. An actual crisis shouldn’t be the first time that a company tries out its crisis management plan.
Another key area of crisis readiness is the ability to predict what future crises may be looming. CIOs should consider new capabilities for sensing crises so that companies can get ahead of them – or even prevent them from hitting with full force. Advanced situational monitoring can allow companies to detect conditions that signal the onset of events: political instability in pivotal locations, negative public sentiments, or troublesome economic conditions, to name a few.
During a crisis: Response
Uninterrupted access to accurate, timely information is key to effectively managing a company’s external communications during a crisis. By instituting safeguards for communications and data, the CIO can ensure that executives have access to information about finances, operations, physical assets, and personnel that they need to make swift, effective decisions. A CIO must also provide mechanisms for logging the crisis response process: what was known at the time, what problems arose, and what decisions were made.
Furthermore, a company that loses control of the public narrative about the crisis can see its reputation damaged beyond repair. Since every piece of information a company releases in a crisis can affect shareholder value, the CIO has a vital role in helping the company avoid reputational harm. During the crisis response period, the CIO must ensure that traditional, digital, and social communications channels remain open for updating the press, employees, customers, vendors, regulators, and other stakeholders. A CIO should also work with the crisis response team to deliver key information while protecting privacy and keeping sensitive information confidential at a time when challenging questions are sure to be asked.
After a crisis: Recovery
The CIO can help a company emerge stronger from a crisis by putting in place systems for managing information and handling the myriad requests and requirements that typically follow crisis situations. No company ever welcomes a crisis, but when a company shows it is doing all it can to resolve problems and prevent them from recurring, it’s possible that a company may recover more value, more quickly than it could otherwise.
Even though the incident that triggered the crisis may end, the crisis can continue for days or weeks, depending on the situation and how well the company responds. A CIO needs to work with other executives on diligently capturing and managing information, keeping track of decisions, and addressing financial, insurance, and legal matters. The last thing a company needs after a crisis is more harm resulting from an avoidable mistake.
“CIOs are in an excellent position not just to help their companies survive crises, but to emerge from them stronger than ever”
Another crucial order of business is learning what went wrong, down to the level of root causes, and changing systems and processes to fix shortcomings. It’s often said that leaders should never let a crisis go to waste. One way to interpret that maxim is that the real-world conclusions that a company can draw about its preparedness and response capabilities are too valuable to overlook, considering the possibility of another crisis.
CIOs are in an excellent position not just to help their companies survive crises, but to emerge from them stronger than ever. They bear the responsibility for safeguarding assets that are some of a company’s most critical in a crisis. If they ask the right questions and prepare intelligently, they can help the company act quickly, confidently, and advantageously in response to major events.