Crisis management in the age of disruption


The age of disruption is bringing new complexities, new opportunities, and new risks to the business landscape. Alongside the disruption, the potential for crises has intensified – driven by rapid technological change and amplified by societal expectations around trust and social responsibility.

While traditional crisis management strategies certainly have their place, the velocity and asymmetry of today’s risks require a new mindset. This paper outlines 10 steps for consideration and seeks to prompt a crucial and timely discussion: why organisational leaders and crisis managers must adjust their approach for this new era.

Richard Horne, Bobbie Ramsden-Knowles and Johanna Peterson, PwC UK

The age of disruption is upon us – and with it a fertile field for technology-related crises of all kinds. PwC’s recent Global Crisis Survey confirms that one in three senior executives cite cybercrime and technology failures as the trigger for their most serious crisis.

We point to four main drivers of crises in the age of disruption: systemic interdependency, concentration risk, opacity, and complexity. Add to these drivers the ‘long tail’ factors (including societal pressures around trust, privacy, ethics and social responsibility) and the impacts of the crisis will be amplified – from financial loss to regulatory and reputational fallout.

The four drivers of disruption

Many organisations are more entangled than they realise in far reaching, deeply embedded value chains – from interconnected in-house systems to data feeds between cloud mega-providers. To an ever growing degree, data and technology underpin operating models, drive decision making, and propel value creation.

On the surface, this seems like a smart strategy: leveraging the core competencies of well-matched counterparts in order to compete in an agile, accelerated fashion. But there is a downside: the inherent risk of systemic interdependencies. If your organisation relies on processes being performed by another organisation and something far beyond your control disrupts their business, then your business continuity will be challenged.

1 in 3 corporate crises is triggered by cybercrime and technology failures.

PwC Global Crisis Survey (2019)

The World Economic Forum has identified the growing interdependence of digital technologies and systems as a likely source of instability and disruption.

WEF Global Risks Report 2019

This vulnerability is amplified when you consider the concentration risk: the ubiquity, scale and power of a relatively small number of tech giants upon whom such offerings depend. The web of dependency has created a situation of opacity and complexity, where not only the origins, but also the possible impacts of disruption, are harder to predict.

All of this means you may not know where the weakest points in your system are, and this knowledge gap translates into vulnerabilities that will be exposed when it most matters: in times of crisis.

So, whilst the outward face of the organisation may rightly be talking about velocity, versatility, and innovation, inwardly you must work harder to protect it from these emergent and unpredictable risks. However, the investment required to fully understand the consequences of a catastrophic failure of technologies and third parties remains significant.

The long tail: Why trust is the key – for all stakeholders

It’s hardly controversial to point out that society’s expectations have changed dramatically in recent years. Virtually all stakeholders have trust issues, any one of which could cascade into a crisis – especially when put under the spotlight of regulatory action.

The erosion of trust is evident everywhere. Trust in business and political leaders; trust that personal data will be protected; and trust even in the basic motivations of organisations. Shareholders, the media, and employees are increasingly emboldened to voice their displeasure through their words (vastly amplified on social media), their money, and their feet.

If you are responsible for your organisation’s crisis readiness, the trust spotlight will shine on you at the most unsettling time. Your board, your people, your customers, your regulators – all will need to have trust in your organisation. That will require confidence that you are primed and ready for a crisis; that you are factual and transparent in your response; and that you are adequately protecting your (and your customers’) data through it all.

Stakeholders will also expect that if you’re introducing a new technology or service – e.g. building an algorithm for a driverless car, or a new medical device, or a surveillance technology – that you’ll do so with baseline ethical and environmental considerations baked in. And you’ll need to understand how those considerations vary from stakeholder to stakeholder, market to market, and country to country, because crises vary by location, too.

4 | Crisis management in the age of disruption | PwC

Are you ready to adopt a new mindset?

The age of disruption hasn’t just changed the way we do business, it has also changed the way we must handle crises. Well established strategies such as frequently documented gold-silver-bronze response structures certainly have their place (particularly in more traditional scenarios where there are physical impacts). It’s important to recognise, though, that the velocity and asymmetry of today’s digital risks require crisis managers to evolve their response strategies.

Gold-silver-bronze structures may not be agile enough for an effective organisational response to technology driven crises. The response to high impact events, driven by global technologies, cannot rely on escalation through multiple layers of teams that may have a limited understanding of their remits. Tactical actions in these scenarios generate strategic challenges and far too often decision making is postponed or delegated. Strategic indecision – originating from a lack of technical understanding at ‘gold’ – is also common at a time when rapid dissemination of strategic direction is required. This requires a new mindset: one that brings your technical tacticians and strategic decision makers together and recognises that you are also a tech and data organisation – no matter your line of business.

How a privacy violation issue could escalate into a reputation crisis – an illustrative case study

A consumer business with a popular delivery app finds itself in violation of privacy laws – and, before long, in a full blown crisis.

The app collects the location data of customers and delivery drivers. Unfortunately, the company fails to sufficiently anonymise the data, allowing employees to track the orders and locations of customers and drivers. That data is subsequently passed to a third party without the individuals’ consent.

After an anonymous complaint surfaces, the company establishes internal practices to address the issue and publishes an apology. When questions about the efficacy of those practices emerge, the third party access issue is uncovered and the company suffers a significant reputational hit, escalating the issue into a crisis.

The company is unable to document what data was distributed to which third parties, how it was shared, and where it was used.

Had the company adopted a digital mindset from the outset, established a data workstream and managed the issue with established response structures, it could have identified the third party issue and mitigated the risk of escalation to crisis.

The speed factor can also work in inverse. Future crises are just as likely to emerge from a slow burn issue as they are to come from a high velocity, high impact event. This is an area that is often overlooked as crisis frameworks are typically reserved for operational risk and not used to manage slower moving, reputation and regulatory-driven issues.

However, there may be an opportunity to use these well rehearsed structures to manage issues, without the need to declare a crisis. We have frequently encountered organisations that are reluctant to activate their documented response structures when facing emergent slow burn issues. Unfortunately, many then miss the opportunity to gain control and manage these stealthy issues – with a structure, procedures and clear pathways for escalation – before they can threaten the strategic objectives of the organisation.


Ten steps to crisis readiness for the age of disruption


No matter your line of business, recognise you are also a tech and data organisation

As a technology-centric organisation, you could face a crisis triggered by any number of events: the introduction of new software, necessary IT upgrades or a cyber attack. As a data-centric organisation, your governance obligations increase with changes to regulation and evolving societal expectations. Consider your new risk environment, and inform your crisis planning through that lens.

[Figure: diagram of the ten steps to crisis readiness]

Appoint a data subject matter expert

In a crisis, managers must make crucial decisions quickly – and those decisions will hinge on the availability, accuracy and comprehensiveness of information. Ensure you have a crisis-specific data strategy that enables you to quickly access large volumes of structured, validated data, at pace.


Orientate your response around impact categories

A tech-driven crisis will be likely to hit all aspects of your operation – operational, financial, compliance, reputational – and most of your stakeholders, in different ways. Assemble a team of subject matter experts who can advise on the best course of action across all impact categories and ensure each is led by accountable impact owners.

Gather the technical tacticians and strategic decision makers

When it comes to crises, less can be more. Isolate a small group of designated people who have the knowledge, the ability to triage issues, and the authority to make decisions quickly. Typically, this will require close cooperation between technologists – who have the information upon which the decisions can be made – and key senior members of the organisation, who have the power to make those decisions.

Manage issues using your crisis management framework

Treat both with the same degree of seriousness. Recognise that a slow moving, ongoing issue can trigger a crisis just as devastating as a sudden external event – and know when to invoke the response structure before needing to ‘call a crisis’.

Plan for the major, learn from the minor

In ‘peacetime’, gather your impact owners and wargame your top five digital disruption crises as a team. Plan for high impact scenarios, extensive disruption, and long recovery timeframes. And be sure to treat minor incidents as warning signs that can help you identify patterns and deepen your understanding of the risks you face.

Map your dependencies

Review your systems, stakeholders, and current crisis framework – not an easy task, considering today’s typically sprawling technology estates, business partners and third parties. Are there hidden dependencies or gaps that could cripple a cohesive response? What if your crisis was downstream of a larger service provider issue? If a high speed, high impact event were to hit you tomorrow, would your organisation be operationally resilient? How confident are you in your organisation’s ability to weather sustained disruption – and emerge stronger?

Get comfortable speaking each other’s language

If there are blind spots, silos, or stress fractures between your operational groups and leadership, you can be certain that a crisis will expose them at the worst possible time. Avoid breakdowns in communication: get organisational leaders closer to the technology on which the organisation depends, whilst cultivating ‘boardroom-savvy’ technologists. Practicing and stress testing brings teams together to learn each other’s language and build muscle memory.

Don’t wait

Critically, this process must begin now, in ‘peacetime’, without the press of urgent issues, so that the gaps can be identified and closed with care, preparation, and practice.

Grasp the opportunities hidden in crisis

Understand that in the age of disruption, ‘business as usual’ actually means falling behind. Even before the crisis has been resolved, the disruptive energy at its heart can be harnessed to strategic advantage. Visualise – and prioritise – emerging as a more agile, better tech-enabled organisation, but also foster the team bonds that will have formed.

This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

© 2020 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the UK member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.


Contact us

M: +44 (0)7775 553373
Richard Horne, Partner, Cyber Security

M: +44 (0)7483 422701
Bobbie Ramsden-Knowles, Director, Crisis Management

M: +44 (0)7483 416849
Johanna Peterson, Senior Associate, Cyber Security & Crisis Management

M: +44 (0)7801 216737
Melanie Butler, Partner, Crisis Management