by Alex Hindson / reprinted with permission from Insurance Research Letter
“It takes a lifetime to build a good reputation, but you can lose it in a minute.” ~ Will Rogers
So what is a crisis?
British Standard 11200:2014 defines a crisis as an “inherently abnormal, unstable and complex situation that represents a threat to the strategic objectives, reputation or existence of an organisation.” Crises are inherently unpredictable in their timing and nature. They have the potential to significantly damage an organisation’s reputation and could be terminal in their effects.
A case study in managing a cyber crisis
So what does a crisis look and feel like in the internet-enabled 21st century? The cyber attack against UK mobile phone operator TalkTalk is a good case study, both in terms of the nature of the exposure and in supplying some important lessons for organisations on how to respond and the consequences of getting the response right.
Some 157,000 TalkTalk customers had their bank account numbers, birth dates and addresses stolen in the attack. It was a combined distributed denial of service (DDoS) attack that overwhelmed the mobile phone operator’s website and allowed a breach of firewalls. TalkTalk was far too slow to reassure customers and adopted a defensive and passive tone for the first 48 hours following the incident, losing the media agenda.
PwC was brought in to investigate the cause of the incident, and the TalkTalk CEO was forced to answer questions in front of a UK parliamentary committee. The UK Information Commissioner’s Office (ICO) investigation determined that hackers had gained access through vulnerable websites related to TalkTalk’s takeover of rival Tiscali. It is reported that the October 2015 attack led to losses of about £60 million. TalkTalk was also fined £400,000 by the ICO. Perhaps most damaging, Irman Choudhary, consumer insight director at Kantar Worldpanel, is quoted as saying, “Customers have lost faith in TalkTalk as a trustworthy brand,” after 100,000 customers left the company for another service provider.
Compounding the crisis, TalkTalk CEO Dido Harding was under severe pressure in June 2016, after it was revealed that her total income tripled to £2.8 million, despite presiding over this incident. This revelation eventually led her to step down in February 2017, less than 18 months after the incident, and after a tenure of seven years. The headline from one source was telling: “Dido queen of carnage steps down from TalkTalk.”
Why does this crisis matter?
Given the focus of regulators, investors and credit-rating agencies on cyber vulnerabilities, having both a crisis response and a technical response to cyber threats has never been more important. The classic 1996 study by Rory F. Knight and Deborah J. Pretty revealed significant shareholder value protection for those organisations labelled in the post-crisis period as recoverers, as opposed to non-recoverers. The study compared more than 15 crises and considered the difference in shareholder value 50 days after a major event for the two groups.
Using Cumulative Abnormal Return (CAR), Knight & Pretty’s chosen measure of share-price volatility, the study showed that non-recoverers saw an average destruction of value of 17 percent, while recoverers saw post-crisis value creation of 5 percent. The business case, therefore, is clear: a 22 percent variance in shareholder value protection between organisations that effectively recovered from a crisis and those that suffered in the period immediately after the event.
Failure to prosper in the period following a corporate crisis is typically associated with: a) not being able to maintain trust with stakeholders; and b) not being able to exit from the media cycle and buy senior managers time to address the problems that underlay the crisis. Ultimately, such a spiral of failure can lead to the departures of senior managers and actions taken by shareholders.
What can we learn from this crisis and others?
Unfortunately, corporate crises have continued to occur since TalkTalk’s. Airmic – the United Kingdom’s industry association for insurance and risk managers in industry and commerce – produced an excellent paper in 2010 (“Roads to Ruin”) that analysed 18 specific events that impacted different companies from 1999 to 2008. Out of that analysis, the paper identifies seven generic drivers of corporate failures:
- Corporate governance failures, driven by board skill gaps and limitations of non-executive directors
- “Risk blindness” by boards that fail to grasp major risks, including their “licence to operate”
- Poor leadership in terms of corporate culture and ethical ethos
- Defective communication and an inability to ensure information reaches those who need it most
- Excessive complexity that hampers the ability to respond to risks
- Inappropriate incentive schemes that impact the ability to recognise risk exposures
- A “glass ceiling” that limits the ability of the internal audit or risk management function to communicate problems internally at an early stage
Failure is not a term used lightly. Thirteen of the organisations studied by Airmic have either collapsed, been acquired or been through a major restructuring.
Airmic followed up its paper with the equally insightful report “Roads to Resilience.” The report identified the “five Rs” required for organisations to survive crises.
- Risk radar: The ability to anticipate problems helps an organisation develop an early-warning system and seize new opportunities
- Resources and assets: Well-diversified resources provide an organisation the flexibility to respond to opportunities as well as to changing circumstances
- Relationships and networks: Risk information flows freely throughout an organisation, up to directors, to prevent “risk blindness”
- Rapid response: Capability that prevents an incident from escalating into a crisis because people act to restore things quickly to normal
- Review and adapt: Learn from experience, including near misses, and make changes to strategies, processes and capabilities
In simple terms, getting crisis response and management right preserves corporate reputation and minimises the risk of litigation, including unfortunate claims on directors’ and officers’ liability, errors and omissions, and cyber liability insurance policies. Getting it wrong can put an organisation’s mission at risk and can be the trigger for senior executives to depart, stock prices to crash and the organisation itself to become a target for acquisition.
Your call to action – what you need to change
Senior executives need to wake up to the fact that their organisations’ reputations are core to their missions and central to their ability to deliver on their strategies. These corporate leaders also need to realise that crisis management is a vital leadership activity – distinct from business continuity or disaster recovery – which they may well have delegated to others within their organisations. Executives who believe that crises happen only to others are making themselves and their organisations vulnerable. Failing to recognise the exposure, and failing to take personal responsibility for it, can lead to a day when their companies’ resilience is brought into question.
So what exactly should be done? To protect their brands’ reputations in times of crisis, executives must take three compelling actions:
- Recognise: Before anything can be done, your organisation needs to accept that a crisis is unfolding. This risk awareness then needs to lead to action.
- Decide: Your organisation needs to move quickly in today’s 24/7 news cycle. Time is of the essence, and information is likely to be confused and scarce. This atmosphere of confusion and scarcity means your organisation needs to define roles clearly in advance, and rehearse subsequent actions so that it is clear to all who needs to come together and how decisions will be made.
- Lead: Your organisation needs to develop a culture in which bad news can not only flow, but also be recognised and acted upon. A resilient organisation responds and adapts to adverse circumstances. It may even emerge from a crisis strengthened, both internally and in the eyes of key stakeholders.
Alex Hindson joined Argo Group as Chief Risk Officer in 2015. He is responsible for the implementation of enterprise risk management across the company, as well as for Argo Group’s corporate compliance function and the company’s credit rating agency relations. Previously, he was Chief Risk Officer of Amlin AG, the Swiss reinsurance operation of Amlin plc, where he was responsible for risk, compliance and legal functions across the company’s Bermuda branch and Zurich operation. Prior to that, he held other risk management roles at Amlin plc and Aon Global Risk Consulting. Alex is originally a chemical engineer and worked for AstraZeneca in a variety of roles. He is a Certified Fellow, past Chairman of the Institute of Risk Management (IRM), and member of the Business Continuity Institute (BCI).