Building organizational crisis resilience seems like a never-ending game. New teams come on board; new business streams, operations, or production sites launch; and new markets open---all of which provide fresh opportunities, but also increase the risks of failures and exposure. Furthermore, external threats like climate change, security threats, socio-economic shifts, cybercrime, and the interdependencies of a globalized world---just to name a few---continue to provide the risk, crisis or business continuity manager with plenty issues to tackle. Yet many organizations are not as prepared as they believe themselves to be. A new crisis survey conducted by PRNEWS and CS&A International, a global risk, crisis and business continuity management consultancy, highlights some concerning gaps in organizations' overall crisis readiness. Data from the survey of more than 200 respondents across industry sectors fielded in October shows that 62% of organizations have crisis plans, but just 49% of those plans are up-to-date. Christine White, a recently retired global director of crisis management and international risk management at a large multinational food and beverage company, says she is "concerned that only 26 percent responded that the [crisis] plan is well known to crisis management team (CMT) members." A total of 33% said "most of the members of the CMT are familiar with it." Yet 31% said they "weren't sure" and 10% said "no."

The importance of practice

Another striking finding is that nearly 40% of respondents told PRNEWS that they have never conducted a crisis exercise. Twenty-one percent said they "weren't sure" how often their company runs a crisis exercise. Organizations do not realize the ROI of having periodic exercises/round table discussions to review their crisis management plans using real or hypothetical scenarios," White says. "The value this provides...is not clearly understood."

Learn from the past

One third of respondents say they don't have a system in place to learn from past crises. Dirk Lenaerts, senior partner at CS&A International, says "Once a crisis is over, people want to forget about it and move on as quickly as possible. As a result, a large number of companies have nothing in place to learn from...or to share within their organization. A best practice is to capture lessons from crises and ensure that all employees with a crisis responsibility are adequately introduced to documented cases."

The increasing threat of cybercrime

Also surprising, the survey shows that cybercrime, an increasingly frequent source of crises, isn't getting enough attention. When asked which crises are most likely to affect their industry, respondents listed ethics and compliance, major accidents, product/service quality issues, mismanagement, and third-party hostile action (terrorism, mass shooting, kidnapping, hostage-taking, riots, etc.) ahead of cyberattacks and extreme weather. Today, according to a University of Maryland report, a computer is hacked every 39 seconds. The average cost of a data breach next year will be US$150 million, according to Juniper Research. While the majority of cyber-crime is concentrated in three sectors (health, retail and government), nearly every business is susceptible to attack. Still, relatively few respondents (39 percent) identified cybercrime as a potential crisis area. Crisis preparedness is not a destination but a journey. It is not possible to be 100% prepared, as the risk landscape is ever-changing and organizations are in perpetual flux. The Crisis Management Culture Ladder below provides a road map to increase your organization's readiness and resilience.

As part of your budget planning cycle, build in resources to ensure that you bring your crisis plans up to date, conduct a training needs analysis, schedule exercises, and comply with audit requirements. The following 10 questions might help you to determine what your priorities are, where the gaps in your planning lie, and what you can realistically accomplish in the next calendar year.

Caroline Sapriel

Caroline Sapriel is the founder and managing partner of CS&A International, a global risk and crisis management consulting firm working with multinational clients across industry sectors in Asia, the Middle East and Africa, Europe, and the Americas. With over 25 years experience in risk and crisis management, she is recognized as a leader in her profession and acknowledged for her ability to provide customized, results-driven counsel and training at the highest level. Caroline speaks on risk and crisis management at international conferences regularly. She has published articles and co-authored two books as well as contributed the chapter on crisis management to IABC’s handbook of Organizational Communication. She has been a member of IABC since 1987 and has served on chapter boards in Hong Kong and Brussels as well as been a founding member of IABC's Ethics Committee. She has also spoken on crisis management and communication at several World and Regional Conferences. Caroline also lectures on crisis management at the University of Antwerp.