Building the crisis-ready board
Members of boards of directors take their responsibility to deal with crisis situations very seriously. But it’s unclear if they’re fully versed on whether the companies they’re directing are prepared to effectively manage those crises, a new survey suggests.
Deloitte surveyed more than 300 directors around the world. Seventy-nine per cent of survey respondents said relevant managers and staff at their companies were aware of crisis management procedures and how to execute them should an event strike tomorrow. The confidence was particularly high amongst directors of large companies.
But as the survey dug deeper, it became clear that at least half of the companies may not have taken key crisis preparedness steps.
Only half of the companies the directors oversaw had evaluated their strengths, weaknesses, opportunities, and threats or engaged in scenario planning for major risks. Fewer than half of the companies had identified relevant stakeholders (49%), had crisis playbooks ready to use (49%), or had involved relevant stakeholders in analysing specific risk scenarios (41%). Just 43% had evaluated worst-case scenarios.
The risks for which preparedness was most lagging at the companies included corporate reputation, product tampering, and man-made disasters such as terrorism.
Crisis preparedness can vary substantially from company to company, said Olivia Kirtley, CPA, CGMA, a seasoned non-executive board member who served as board chair of the American Institute of CPAs (AICPA) and as president of the International Federation of Accountants. Some directors have done scenario planning, established a communication crisis team, and examined what their companies did well and didn’t do well after previous incidents.
“Those directors probably speak with a lot of confidence because they have knowledge from past events how they were actually prepared and what they have done since then to improve preparedness,” Kirtley said. “Others may not get that level of reporting at the board level. They may receive reports on cybersecurity, but it may all be more theoretical than using actual events or having an actual preparedness drill.”
How much a board gets involved in managing an actual event differs by company and crisis, said Leslie Murphy, CPA, CGMA, a director on three corporate boards and five not-for-profit boards, and a former board chair for the AICPA. “Our duty is to ask the right questions and get ourselves satisfied with the answers.”
That includes asking business-line managers specific questions to get crisis management details, for example, when outside counsel is sought or the board is notified. Also, board members should be part of a cross-functional team that keeps up with scenario planning and tabletop exercises a company performs to test crisis preparedness. And they should determine whether there are any gaps in the crisis preparedness plan, request an action plan and a timeline to close them, and follow up on steps taken.
Director education is critical, Murphy said. “Being a director this year is different than being a director last year.”
To that end:
- Learn from case studies of how other companies managed crises.
- Attend forums to talk with other directors.
- Ask third parties with crisis management experience, such as consultants, attorneys, or communication professionals, to present an educational session to the board.
- Arrange for training – in the US, for example, through the National Association for Corporate Directors or through continuing education required to maintain a CPA licence.
Key crisis preparedness areas
To make sure their companies are as capable as possible of managing a crisis, Deloitte suggested board members focus on these six key areas:
Experience. Consider making real-world experience with a past crisis a strong credential when searching for new directors. This builds crisis capabilities into the membership and structure of the board.
Preparation. Determine vulnerabilities and key risks the organisation faces, and establish a crisis plan for the board. Raise awareness amongst board members that each one should be ready to apply special skills such as public relations, risk management, or social media to manage a crisis. Long before the need emerges, board members should make time for joint planning committees, simulations, and other time investments that will pay off during a crisis.
Members of the board’s risk committee should take an integrated, enterprise-wide approach that drives better reporting and monitoring. A big-picture view can improve the board’s support of executives who are charged with risk management, and it can hone the board’s focus on crises. Have the organisation’s crisis management capabilities audited internally and validated externally.
Ensure that the executive management team is adequately trained and takes part in crisis simulation rehearsals. Work with executive management to create a short list of third-party service providers in legal, forensic accounting, and other key areas to assist in times of crisis.
Logistics. Up and down the line and across the many silos inherent in most organisations, the group of key people who will spring into action during a crisis have to be ready. Define that temporary committee of board members or directors and management and the roles each member plays, so other committees and management structures are not too heavily taxed during a stressful crisis.
Make sure at least one board member represents the group in planning and carrying out communications. Also, designate people upon whom the group can call for support during a crisis.
Details. Expect to see specific plans for handling each of the scenarios that might threaten the organisation. Also, board members should participate in testing those specifics against their best knowledge of what may happen and what the company is capable of.
Communication. Crisis communication starts before pre-drafted press releases or mea culpas are under the spotlight. Organisations first need to work inside their walls to promote shared understanding of risks and responsibilities. Establish a robust crisis communications plan that has been stress-tested.
A board that listens to and engages with key influencers, stakeholders, and customers can look at a situation from the outside in.
Commitment. Embrace the board’s role as a guardian of reputation. An organisation’s reputation is a priceless asset. It can take years to build, but a moment can imperil it. Everyone who has authority over preventing that damage derives that authority from the board – and only the board can engage the right decision-makers, establish the requisite communications strategy, and set the necessary tone.
To make sure lessons learned during and after a crisis aren’t lost, a board may want to ask for an independent review of the crisis management and post-crisis events. When the worst moments are past, the effort that goes into investigations and independent reviews can help head off future trouble.
—Sabine Vollmer (Sabine.Vollmer@aicpa-cima.com) is a CGMA Magazine senior editor.