Date posted: 1/12/2016 5 min read

Risk management — preparing for a crisis

How can leaders prepare their businesses for natural or economic disaster?

In brief

  • Self-reliance starts with a clear understanding of your business and its vulnerabilities
  • Run a business impact analysis to identify system vulnerabilities in your organisation
  • Ensure sound infrastructure to deal with staff welfare, client care, cash flow and communications

By Adrian Sparrow

When you’re faced with an event that can destroy your business, it’s good to know that you’ve prepared for it.

You don’t want to rely for solutions on people like former US President George W Bush, who infamously remarked at a 2009 press conference: “One of the very difficult parts of the decision I made on the financial crisis was to use hardworking people’s money to help prevent there to be a crisis.”

Self-reliance starts with a clear understanding of your business model and its vulnerabilities.

It sounds obvious, but it’s surprising how infrequently business leaders truly know the nature and extent of their organisations’ vulnerabilities.

From a practical point of view, the source of an event — global financial crisis, earthquake, internal fraud — is less important than putting yourself in a position to cope when something happens that severely interrupts everyday business.

Following a simple risk management approach will help you to understand the effect of the likelihood and consequence of a breakdown at every point of vulnerability. Using those assessments, you can then consciously decide what investment should be made to treat the risks, bearing in mind the cost and effectiveness of the treatment.

Most Australasian organisations use the ISO 31000 Risk Management Standard (see p36) as a sensible way to help think about risk, prepare for an event, and to guide quick recovery.

Following this approach, the first thing to do is to establish the context, i.e. how your business objectives sit in relation to what’s important to your stakeholders and customers, legal constraints, market pressures, etc.

The second part is risk assessment: what uncertainty exists around achieving your business objectives? Understand those risks and place them in order of priority. This is a process of anticipating the future; a process of systematically identifying your risks then analysing and evaluating them against criteria that are relevant to your business context.

Having tried to anticipate the future, the third part in the sequence is where leaders shape the future by taking informed decisions about how to treat their risks. Up to this point it’s all talk, after these decisions are taken you need to take action and be committed.

In many organisations, the most overlooked part of this process is to communicate and consult. Don’t forget that stakeholders (especially staff) can help make your organisation more robust, so be sure to keep them aware of what is being done to make your organisation resilient.

How do leaders prepare their organisations?

There are four basic areas that business leaders must ensure are prepared if they want to give their organisations the best chance of survival in a crisis: staff welfare, client impact, cash flow and communications.

On top of these four, each organisation will probably have one or two absolutely critical areas particular to its own business model, such as its information technology platform.

In the event of an earthquake or other natural disaster, speed is essential.

In the event of a credit crunch, commodity price collapse or other economic crisis, there is usually more time to think.

Whatever the nature of the event, good preparation will give leaders the confidence and composure to reassure their stakeholders that action is underway to recover the situation.

Understand vulnerabilities

One way into a systematic understanding of your business model is to run a Business Impact Analysis (BIA), which identifies critical and non-critical system vulnerabilities in the organisation, estimates recovery times and recovery requirements, and compares costs of failure against the costs of upgrading a particular system.

This needn’t be as complicated or onerous as it sounds. And there is usually the benefit of identifying redundant or inefficient systems that can improve everyday business.

Conducting a BIA or similar exercise will give you and your teams a solid understanding of your business and its vulnerabilities. That’s one pillar. The two other critical pillars involve infrastructure and people.

Maintain a solid infrastructure

Infrastructure is the underlying base necessary for an organisation to function at all. It’s the essential facilities, services, and installations. This will vary from organisation to organisation. It will also vary over time.

Obvious things, such as working toilets are often overlooked. Assumptions, such as sufficient capacity on the organisation’s virtual private network to support all staff working from home, are often unverified. Well-prepared leaders ensure that their organisations have infrastructures that are fit for purpose, well maintained, and periodically updated.

It is absolutely critical that there is sound infrastructure to deal with the four basics of staff welfare, client care, cash flow and communications.

How this is done isn’t important, as long as it fits with your organisation’s style, but it is important that there is not reliance on one component in case that component fails (e.g. expecting all communication to be done via mobile phone, only to find the cellphone towers are inoperable because of the event that caused the crisis in the first place.

Prepare the people

The final preparatory pillar is people. Everyone in your organisation needs to have a big picture of the organisation painted for them, and to have their roles made clear.

This does not mean beating awareness into everyone with enormous emergency manuals. What it does mean is that people are aware of the relevant findings of a BIA, they are involved in developing contingencies, and they have the training to be able to help when a crisis hits. This could mean finding efficiencies to cope with an unexpected tidal wave of cheap competition, or dealing with the pressure of working out of temporary accommodation after a flood.

Your organisation should try to encourage future assistance by putting staff concerns at rest in advance (for example, indicating that payment of wages/salaries will continue during an emergency).

Similarly, individuals should ideally know their roles and be reassured that they have authority to act.

Everyone in your organisation needs to have a big picture of the organisation painted for them, and to have their roles made clear.

Important preparations for quick recovery

1984 Rogernomic Reforms, 2001 World Trade Center Attacks, 2005 Hurricane Katrina, 2008 global financial crisis, the 2011 Christchurch earthquake … the list goes on.

With hindsight, the likelihood and consequences of each of these events were obvious, but at the time they were unexpected. Some leaders and organisations coped well, many didn’t.

Organisations that survive such events and subsequently thrive do not to rely on the authorities. Their infrastructure — particularly communications — stands up and their people stand up. The most important preparations to enable quick recovery lie in these two areas.

Give your people the tools to be able to do the job; and give them the training, and simulations so that they have the confidence and ability to cope.

The final safety net is good and sufficient insurance.

Being prepared for an event that could potentially destroy your business isn’t particularly easy or cheap. Neither is it particularly hard or expensive. Certainly, not being prepared is a lot more expensive when such an event does occur.

Although you don’t want to rely on people like George W Bush for solutions, as a leader, it’s good to look to people like Winston Churchill for inspiration, the Prime Minister who said: “Never let a good crisis go to waste.”

Adrian Sparrow is deputy chair of RiskNZ and group manager, risk and assurance for Datacom.

This article was first published in the February 2015 issue of Acuity magazine.