When things go wrong
Despite the best efforts of the risk manager and senior leadership, it’s still possible that things can go wrong for your organization. Processes aren’t followed or are applied incorrectly, mitigation measures turn out to be inadequate, something unforeseen happens or, as is so often the case, someone does something they shouldn’t. At one end of the spectrum are relatively common slips, trips or falls, minor fires, or the accidental deletion of data. More significant are the payment of bribes, cutting corners on regulations or a crass, offensive comment from an executive. At the extreme end of the spectrum are crisis events, situations that can strike a fatal blow to the organization: a chemical spill causing mass casualties, widespread fraud or a toxic culture of racism, sexism or other discrimination.
Some of these events are ‘own goals’, caused by the organization itself, whereas others may originate externally. Whatever the cause, it is extremely unlikely that every possible eventuality can be captured and mitigated during the risk management process. There’s no avoiding it; you need to have a plan for what to do when things go wrong.
This article will look at the things that can go wrong and how to differentiate between different types of events. It will outline a general framework for response too. We will also introduce the key concepts around crisis preparedness and crisis management. This will be examined in more detail in other articles. The overall focus in this article is on crisis as a strategic activity and one closely linked to enterprise risk management. However, although the focus is on crisis, there is a lot of overlap with response in general and many of the same principles and processes can be applied in all situations.
As usual, we should set out some definitions first.
Issue, Incident or Crisis?
During the risk assessment process, the organization will have identified a range of threats, the most likely risks that it faces and worked out how to mitigate these. Broadly speaking, risks can result in one of two kinds of negative event: an incident or an issue. Despite their wide use, these two terms are not standardized so the two definitions we will use are:
An incident is an adverse event that might cause physical, material or financial disruption, loss or damage (adapted from BSI 11200)
An issue is “a gap between corporate practice and stakeholder expectations” (from Risk, Issues and Crisis Management in Public Relations, Regester & Larkin, 4th ed. 2008.)
In addition to the differences in the effects of each event, another differentiation is based on time and space. Incidents usually occur rapidly with concentrated, physical first-order effects which can often be dealt with relatively quickly. On the other hand, issues emerge much more slowly with diffused, second-order effects that can last for months.
In extreme cases, an incident or issue becomes so large that it threatens the whole organization. We refer to this situation as a crisis. Luckily, we have a definition for this:
A crisis is “[an] abnormal and unstable situation that threatens the organization’s strategic objectives, reputation or viability” (BSI 11200 Crisis Management)
Sometimes a badly managed response could mean that events simply overwhelmed whatever contingencies were put in place. At other times, the problem itself was not anticipated or was poorly diagnosed, meaning that there was no appropriate response plan in place. Maybe a series of factors combined to cause an otherwise ‘normal’ incident or issue to develop into a crisis.
Whatever the cause, when an organization finds itself in such a situation, it is probably facing a crisis that requires a different approach.
As always, be wary of a specific term being used carelessly. You will often hear individuals and organizations say something along the lines of ‘we are always in crisis’. This is nonsense: an organization that was always in crisis would simply collapse.
Even organizations that are constantly faced with instability and danger, such as NGOs working in complex environments, aren’t in perpetual crisis. They just have a different version of what normal looks like, and this raises an important point about the relative or subjective nature of crises.
Crises are highly subjective, so the same incident that causes a crisis for one organization may be a minor event somewhere else. For example, losing $250,000 may be a rounding error for a Fortune Five company but that kind of loss could sink a small not-for-profit organization. Therefore, rather than trying to determine what constitutes a crisis based on the magnitude of an event, think about the effect on the organization’s objectives.
A crisis only occurs when the organization itself is under threat and where failure would mean fundamental, lasting change. As the definition above notes, this is a situation “that threatens the organization’s strategic objectives.”
If your immediate thought is to call 911, it’s an incident. If your first thought is to contact your PR department, it’s an issue. If you think you should call both, or aren’t sure, then it could be a crisis.
But then what?
Responding to a Crisis
Response is a very broad topic that covers everything from minor first aid to the steps required to deal with a company-killing crisis. Each of these areas is highly specialized and comes with its own terminology, peculiarities and sub-sets of specialization. A robust response capability should be something that can be adapted to any situation.
Anything that is overly specialized is likely to prevent a unified, coordinated response and this will simply make an already bad situation worse. Again, this is a broad topic so all we will cover here is a very high-level review of crisis response to introduce you to the ‘system of systems’ that makes up an effective response capability.
Whatever situation you are dealing with – issue, incident or crisis – your reaction can be thought of as occurring in three parts or phases: before, during and after the event.
- Activities before an event will include mitigation measures arising from the risk assessment, scenario-specific response planning, training and exercises. All of this can be broadly lumped into the category of preparedness.
- During an event, we are concerned with response, which can be used to refer to incidents, issues or crises.
- After the event, the focus is on recovery and resumption of ‘business as usual’.
Even though we are thinking about responding to a crisis, it is vital to think about the activities before and after because these are equally critical to success. In the same way that an athlete doesn’t just turn up and win gold at the Olympics, the seeds for an effective response are sown months or years beforehand through careful preparation.
Once things calm down, even an event that is managed successfully will have caused an organization to deviate from business as usual. If nothing is done to recover, this post-event disruption could still have a major impact on the organization’s objectives.
Preparedness begins with the risk assessment as the results of the assessment will help the organization focus on its most critical risks so it can begin to prepare. In addition to these organization-specific threats, there will also be mandatory precautions to take for more general threats, such as how to respond to a fire or a data loss. This combination of scenario-specific and mandatory requirements provides the organization’s preparedness ‘to do’ list and the planning can begin.
Although issues and incidents are abnormal situations, these can still be very structured, making planning more straightforward for lower-impact events. Often, a range of incidents will be grouped together and covered in a single emergency response plan (ERP). This is then supplemented by scenario-specific plans such as how to respond to a spill or data breach. Plans will explain the response structure, roles and responsibilities, and specific actions to take, depending on the situation.
In more complex situations, there may be a combination of incidents and issues so these basic plans will not be sufficient. Crisis situations require more flexible plans that strike a balance between providing a supportive framework for the response team while still leaving sufficient freedom of action to address the specific needs of that situation. These plans are usually called crisis management plans (CMP).
The organization can use the processes in the CMP to diagnose the situation and determine the best solution before it employs scenario-specific plans to deal with the particular set of incidents and issues that it faces.
The next step in developing preparedness is training and exercising. Individuals and teams need to learn their roles and refine their skills through training and in exercises where realistic situations can be simulated. Plans must be tested and refined to ensure that these address the challenges of individual scenarios and that processes work in practice.
Preparedness also includes purchasing the necessary equipment, preparing response facilities, implementing horizon scanning mechanisms and a number of other elements.
In the same way that the plans for incidents differ from those for a crisis, so does the response itself. In an incident or issue, the correct course of action is often quite obvious and there will be a clear response plan in place. However, despite having a clear plan in place, the actual response to an incident can be difficult and dangerous.
In contrast, a crisis is a situation defined by uncertainty and complexity: there are usually no good answers, only less bad ones. A lot of this complexity will arise from the fact that crises are very rarely due to a single causal event. Therefore, unlike an incident or issue where a pre-developed response plan can be implemented, crises require a blended response.
Not only will there be the initial trigger event, but other factors will act as a catalyst or accelerator, making the situation much worse. For example, small spills of a few pints of oil are commonplace in refineries but this could cause havoc if released into a city’s water supply. Moreover, if the company had already been told to clean up its act because of previous spills, the public, stakeholders, and regulators would be much less willing to forgive what could otherwise be a manageable incident and a crisis would ensue.
Understanding the situation and developing an appropriate plan in a crisis can be difficult, and this will be the main focus of the crisis management team (CMT) at the beginning of the response. Once the situation is understood, knowing what to do can be relatively straightforward, although actually taking appropriate action can be hard. Often organizations in crisis are confronted with uncomfortable situations that lead them to delay doing the right thing, which only exacerbates the situation. As Colin Powell observed,
“Bad news isn’t wine. It doesn’t improve with age.”
Another element to consider as part of the response is time. As noted earlier, an incident will often be over very quickly but a major issue or crisis can drag on for months or even years. This means that in addition to a degree of endurance, organizations in crisis also need to find a way to manage the crisis alongside day-to-day operations. This brings us on to business continuity: “the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident” (ISO 22313 Business Continuity Management Systems).
The organization will be managing the crisis itself (crisis management) and getting the affected parts of the organization back to ‘accepted levels’ of service delivery (business continuity management), while also making sure that the unaffected parts of the business are taken care of. The emphasis between these three elements will shift over time but this is not a sequential series of activities. Organizations may have to balance all three for an extended period of time.
Finally, it is important to note that it is entirely possible for an organization to manage a crisis successfully and to avoid the worst of the damage. With robust plans and procedures, a well-trained staff and an effective response, a crisis can be managed and disaster avoided.
“So long as the ship rides out the storm, so long as the city resists the earth shocks, so long as the levees hold, there is no disaster.” 
Successful response or not, at some point, the crisis will be over and the organization will have to move on to the final stage, recovery.
Recovery focuses on getting the organization back to normality after the crisis. Although this might sound a lot like business continuity, the big difference is defining what ‘normal’ looks like.
If the crisis has been handled well, recovery will concentrate on getting the business back to its pre-event normal. However, if the crisis overwhelmed the organization, it could have to adapt to a ‘new normal’ where it occupies a very different place in society. If the results were catastrophic, the new normal may be the dissolution of the organization altogether.
The financial crisis of 2008 gives us an example of each. JP Morgan escaped relatively unscathed so their post-crisis normal wasn’t significantly different from pre-crisis. However, the Royal Bank of Scotland (RBS) in the UK was bailed out by the government with part of the deal being transfer of control of the bank to the British government. So although RBS survived the financial crisis, their post-crisis normal was significantly different from their pre-crisis situation. At the extreme, US bank Lehman Brothers collapsed: for Lehman there was no post-crisis.
The example of Lehman Brothers, as with Barings Bank, PanAm and Union Carbide before it, reminds us that sometimes there is no recovery and the only thing happening after a crisis is a ‘fire sale’ of assets.
However, for companies that weather the storm, recovery will involve rebuilding operational capacity and stakeholder confidence, something that can take months or years. As with the response phase, there is still a need to keep day-to-day operations running alongside recovery efforts so management time, energy and attention need to be allocated carefully.
This has been a very quick review of some of the main elements associated with crisis. As such, this has only skimmed the surface and there are a number of things that I have deliberately oversimplified. However, I hope that this has given you a sense of what we mean by the term ‘crisis’ and how this aligns with, yet differs from, incidents or issues. You should also have a sense of what is meant by crisis preparedness, crisis management, business continuity management and recovery, all topics that we will cover in more depth in other articles.
Mar 22, 2018 – I just added a short video to help explain the relationships described in this article.
I hope you found this useful but please email me and let me know what you think – good or bad, all thoughts are welcome!
 This consideration of effects, not causes, neatly ties into the ISO definition of risk as ‘the effect of uncertainty on objectives’.
 While a crisis is a situation that could cause enormous change, a disaster is the situation after that change has occurred. This is most often used to describe a situation where a community or area has suffered enormous damage due to either man-made or natural events. Extreme weather events, conflict, drought and famine are all disasters as the degree of change is so significant that things have altered fundamentally.
 Carr, 1932: 211. Disasters and The Sequence Pattern Concept of Social Change, American Journal of Sociology.