Crisis management in the age of disruption
The age of disruption is bringing new complexities, new opportunities, and new risks to the business landscape. Alongside the disruption the potential for crises has intensified – driven by rapid technological change and amplified by societal expectations around trust and social responsibility.
While traditional crisis management strategies certainly have their place, the velocity and asymmetry of today’s risks require a new mindset. This paper outlines 10 steps for consideration and seeks to prompt a crucial and timely discussion: why organisational leaders and crisis managers must adjust their approach for this new era.
Richard Horne, Bobbie Ramsden-Knowles and Johanna Peterson, PwC UK
The age of disruption is upon us – and with it a fertile field for technology-related crises of all kinds. PwC’s recent Global Crisis Survey confirms that one in three senior executives cite cybercrime and technology failures as the trigger for their most serious crisis.
We point to four main drivers of crises in the age of disruption: systemic interdependency, concentration risk, opacity, and complexity. Add to these drivers the ‘long tail’ factors (including societal pressures around trust, privacy, ethics and social responsibility) and the impacts of the crisis will be amplified – from financial loss to regulatory and reputational fallout.
The four drivers of disruption
Many organisations are more entangled than they realise in far reaching, deeply embedded value chains – from interconnected in-house systems to data feeds between cloud mega-providers. To an ever growing degree, data and technology underpin operating models, drive decision making, and propel value creation.
On the surface, this seems like a smart strategy: leveraging the core competencies of well-matched counterparts in order to compete in an agile, accelerated fashion. But there is a downside: the inherent risk of systemic interdependencies. If your organisation relies on processes being performed by another organisation and something far beyond your control disrupts their business, then your business continuity will be challenged.
1 in 3 corporate crises is triggered by cybercrime and technology failures. Source: PwC Global Crisis Survey (2019)
The World Economic Forum has identified the growing interdependence of digital technologies and systems as a likely source of instability and disruption. Source: WEF Global Risks Report 2019
This vulnerability is amplified when you consider the concentration risk: the ubiquity, scale and power of a relatively small number of tech giants upon whom such offerings depend. The web of dependency has created a situation of opacity and complexity, where not only the origins, but also the possible impacts of disruption, are harder to predict.
All of this means you may not know where the weakest points in your system are, and this knowledge gap translates into vulnerabilities that will be exposed when it most matters: in times of crisis.
So, whilst the outward face of the organisation may rightly be talking about velocity, versatility, and innovation, inwardly you must work harder to protect it from these emergent and unpredictable risks. However, the investment required to fully understand the consequences of a catastrophic failure of technologies and third parties remains significant.
The long tail: Why trust is the key – for all stakeholders
It’s hardly controversial to point out that society’s expectations have changed dramatically in recent years. Virtually all stakeholders have trust issues, any one of which could cascade into a crisis – especially when put under the spotlight of regulatory action.
The erosion of trust is evident everywhere. Trust in business and political leaders; trust that personal data will be protected; and trust even in the basic motivations of organisations. Shareholders, the media, and employees are increasingly emboldened to voice their displeasure through their words (vastly amplified on social media), their money, and their feet.
If you are responsible for your organisation’s crisis readiness, the trust spotlight will shine on you at the most unsettling time. Your board, your people, your customers, your regulators – all will need to have trust in your organisation. That will require confidence that you are primed and ready for a crisis; that you are factual and transparent in your response; and that you are adequately protecting your (and your customers’) data through it all.
Stakeholders will also expect that if you’re introducing a new technology or service – e.g. building an algorithm for a driverless car, or a new medical device, or a surveillance technology – that you’ll do so with baseline ethical and environmental considerations baked in. And you’ll need to understand how those considerations vary from stakeholder to stakeholder, market to market, and country to country, because crises vary by location, too.
4 | Crisis management in the age of disruption | PwC
Are you ready to adopt a new mindset?
The age of disruption hasn’t just changed the way we do business, it has also changed the way we must handle crises. Well established strategies such as frequently documented gold-silver-bronze response structures certainly have their place (particularly in more traditional scenarios where there are physical impacts). It’s important to recognise, though, that the velocity and asymmetry of today’s digital risks require crisis managers to evolve their response strategies.
Gold-silver-bronze structures may not be agile enough for an effective organisational response to technology driven crises. The response to high impact events, driven by global technologies, cannot rely on escalation through multiple layers of teams that may have a limited understanding of their remits. Tactical actions in these scenarios generate strategic challenges and far too often decision making is postponed or delegated. Strategic indecision – originating from a lack of technical understanding at ‘gold’ – is also common at a time when rapid dissemination of strategic direction is required. This requires a new mindset: one that brings your technical tacticians and strategic decision makers together and recognises that you are also a tech and data organisation – no matter your line of business.
How a privacy violation issue could escalate into a reputation crisis – an illustrative case study
A consumer business with a popular delivery app finds itself in violation of privacy laws – and, before long, in a full blown crisis.
The app collects the location data of customers and delivery drivers. Unfortunately, the company fails to sufficiently anonymise the data, allowing employees to track the orders and locations of customers and drivers. That data is subsequently passed to a third party without the individuals’ consent.
After an anonymous complaint surfaces, the company establishes internal practices to address the issue and publishes an apology. When questions about the efficacy of those practices emerge, the third party access issue is uncovered and the company suffers a significant reputational hit, escalating the issue into a crisis.
The company is unable to document what data was distributed to which third parties, how it was shared, and where it was used.
Had the company adopted a digital mindset from the outset, established a data workstream and managed the issue with established response structures, it could have identified the third party issue and mitigated the risk of escalation to crisis.
The speed factor can also work in inverse. Future crises are just as likely to emerge from a slow burn issue as they are to come from a high velocity, high impact event. This is an area that is often overlooked as crisis frameworks are typically reserved for operational risk and not used to manage slower moving, reputation and regulatory-driven issues. However, there may be an opportunity to use these well rehearsed structures to manage issues, without the need to declare a crisis. We have frequently encountered organisations that are reluctant to activate their documented response structures when facing emergent slow burn issues. Unfortunately, many then miss the opportunity to gain control and manage these stealthy issues – with a structure, procedures and clear pathways for escalation – before they can threaten the strategic objectives of the organisation.
Ten steps to crisis readiness for the age of disruption
No matter your line of business, recognise you are also a tech and data organisation
As a technology-centric organisation, you could face a crisis triggered by any number of events: the introduction of new software, necessary IT upgrades or a cyber attack. As a data-centric organisation, your governance obligations increase with changes to regulation and evolving societal expectations. Consider your new risk environment, and inform your crisis planning through that lens.
[Figure: the ten steps to crisis readiness arranged around the title "Crisis management in the age of disruption"]
Appoint a data subject matter expert
In a crisis, managers must make crucial decisions quickly – and those decisions will hinge on the availability, accuracy and comprehensiveness of information. Ensure you have a crisis-specific data strategy that enables you to quickly access large volumes of structured, validated data, at pace.
Orientate your response around impact categories
A tech-driven crisis will be likely to hit all aspects of your operation – operational, financial, compliance, reputational – and most of your stakeholders, in different ways. Assemble a team of subject matter experts who can advise on the best course of action across all impact categories and ensure each is led by accountable impact owners.
Gather the technical tacticians and strategic decision makers
When it comes to crises, less can be more. Isolate a small group of designated people who have the knowledge, the ability to triage issues, and the authority to make decisions quickly. Typically, this will require close cooperation between technologists – who have the information upon which the decisions can be made – and key senior members of the organisation, who have the power to make those decisions.
Manage issues using your crisis management framework
Recognise that a slow moving, ongoing issue can trigger a crisis just as devastating as a sudden external event – and know when to invoke the response structure before needing to ‘call a crisis’. Treat both with the same degree of seriousness.
Plan for the major, learn from the minor
In ‘peacetime’, gather your impact owners and wargame your top five digital disruption crises as a team. Plan for high impact scenarios, extensive disruption, and long recovery timeframes. And be sure to treat minor incidents as warning signs that can help you identify patterns and deepen your understanding of the risks you face.
Map your dependencies
Review your systems, stakeholders, and current crisis framework – not an easy task, considering today’s typically sprawling technology estates, business partners and third parties. Are there hidden dependencies or gaps that could cripple a cohesive response? What if your crisis was downstream of a larger service provider issue? If a high speed, high impact event were to hit you tomorrow, would your organisation be operationally resilient? How confident are you in your organisation’s ability to weather sustained disruption – and emerge stronger?
Get comfortable speaking each other’s language
If there are blind spots, silos, or stress fractures between your operational groups and leadership, you can be certain that a crisis will expose them at the worst possible time. Avoid breakdowns in communication: get organisational leaders closer to the technology on which the organisation depends, whilst cultivating ‘boardroom-savvy’ technologists. Practicing and stress testing brings teams together to learn each other’s language and build muscle memory.
Don’t wait
Critically, this process must begin now, in ‘peacetime’, without the press of urgent issues, so that the gaps can be identified and closed with care, preparation, and practice.
Grasp the opportunities hidden in crisis
Understand that in the age of disruption, ‘business as usual’ actually means falling behind. Even before the crisis has been resolved, the disruptive energy at its heart can be harnessed to strategic advantage. Visualise – and prioritise – emerging as a more agile, better tech-enabled organisation, but also foster the team bonds that will have formed.
This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.
© 2020 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the UK member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.
Contact us
M: +44 (0)7775 553373
Richard Horne
Partner
Cyber Security
M: +44 (0)7483 422701
Bobbie Ramsden-Knowles
Director
Crisis Management
M: +44 (0)7483 416849
Johanna Peterson
Senior Associate
Cyber Security & Crisis Management
M: +44 (0)7801 216737
Melanie Butler
Partner
Crisis Management