When it comes to crisis management, many companies suffer from the hubris that comes with overconfidence.

That is the message and warning from Deloitte in a recently released crisis management survey.

Sixty percent of crisis management leaders believe that organizations face more crises today than they did 10 years ago, the survey found, but confidence in crisis management capabilities often does not align with their actual level of preparedness.

The study, which builds off similar research in 2015, surveyed more than 500 senior crisis management, business continuity, and risk executives.

The research uncovered dramatic gaps between a company’s confidence that it can respond to crises and its level of preparedness. The gap becomes even more evident when evaluating whether organizations have conducted simulation exercises to test their preparedness.

Nearly 90 percent of respondents are confident in their organization’s ability to deal with a corporate scandal, yet only 17 percent of organizations have actually tested the assumption through a simulation or stress test.

“One of the problem companies face is that they have a plan in place, all their workbooks are done up, but they have never tested that plan,” Deloitte Global’s crisis management leader Peter Dent says. “They may have done some training, but they never tested the plan with a live simulation. That can be where that disconnect between confidence and preparedness comes from. They are not testing the actual preparedness of the whole team. There might be a good policy in place. There might be a good roadmap. It just sits on someone’s shelf.”

Eighty percent of organizations worldwide had to mobilize their crisis management teams at least once in the past two years, the research says. Cyber-security incidents, in particular, are a primary catalyst for companies’ crises.

The good news: Many who have already experienced a crisis are learning from them.

Following an event, nearly 90 percent of organizations have conducted reviews. These insights may prompt organizations to take action to forestall future crises. Respondents, through post-crisis analysis, have also identified the need to improve detection and early warning systems, invest more effort in prevention, and do more to identify potential crisis scenarios.

“Crisis management shouldn’t start with a crisis—at that point it may already be too late. The ability to prevent a crisis can be fortified by looking at the entire life cycle of a crisis instead of just readiness and response,” Dent says. “Successful crisis management also requires overcoming any biases to ensure that the board and senior management look closely at risks. Even those, and perhaps especially those, they believe aren’t likely to happen.”

When responding to a crisis, strong leadership skills and situational awareness are critical. The survey finds that nearly a quarter of respondents cite the effectiveness of leadership as one of their greatest crisis management challenges. Organizations, the report says, should consider: organizing leaders ahead of time; clearly defining their various roles and responsibilities; and training leaders in the tools and techniques that can help them through a crisis.

“With the rapid pace of change facing companies worldwide, and with crises on the rise, it is critical for organizations to be ready to respond with skilled leadership and plans that have been tested and rehearsed.”
Peter Dent, Crisis Management Leader, Deloitte Global

Board and senior management participation in crisis exercises is critical, as is their involvement in developing an organization’s crisis plan. More than four in five respondents say their organizations have a crisis management plan in place, and those who enlist the board to participate say the number of crises has declined over the last decade (21 percent), compared to those without board involvement (2 percent).

The participation of directors and senior leadership in crisis exercises is described as critical, as is their involvement in developing an organization’s crisis plan. More than four in five respondents to the survey said their organizations have a crisis management plan in place, and those who enlist the board to participate say the number of crises has declined over the last decade (21 percent), compared to those without board involvement (2 percent).

Third parties are both part of the problem and a path to the solution, Dent says.

While third parties are often the cause for a crisis, 65 percent of organizations with a crisis management plan have involved external parties in the development.

“External parties can be an important solution to addressing crises,” the survey says. Recognizing this, 59 percent of the survey’s respondents say that they participate in crisis exercises with third parties, examine third parties’ crisis plans, or both. Bringing in outside organizations and coalescing internal teams is an important part of addressing, and potentially preventing, crises. Well-designed and vetted risk management capabilities may help organizations avoid costly, and sometimes irreparable, damage to finances, employee morale, brand, and reputation, it adds.

Truly effective crisis management goes beyond being reactive and simply protecting existing value, Dent says. “It also enables resilience and powers future performance, thereby enabling an organization to emerge stronger.”

Dent is a proponent of training exercises that can address a fictitious problem with real life responses and strategies. Executives face a full-blown simulation that takes place over three to four days to simulate a live event.

“It simulates what their life is going to be like during those two to three days and the different decision points that have to be made,” Dent says. “One of the things we recommend, but don’t see a lot of executives do, is to actually put their executive spokesmen in front of a camera.

“It’s very similar to what you would see after a live crisis event. They are not getting fair questions and they are not getting easy questions. We tape record the event and play it back later. It is an eye-opening experience and, for many senior executives, a very humbling one.”

The rapid-fire pace of social media is among the reasons that modern companies need to be prepared for any crisis, big or small, in order to avoid brand damage.

“Twenty-five years ago, the 24-hour news cycle changed the dynamic for organizations in terms of how they respond to events affecting them,” Dent says. “Social media made those same types of changes and its reach is only growing over time. What wasn’t a crisis five years ago could become a crisis today.

“One of the important lessons of social media is that there is no crisis that cannot be made worse by how you respond to it,” he adds. “Social media is the great equalizer in terms of how people respond to a crisis. No matter how good you think you are, not having the right response in the moment can be devastating to your business in the long term.”

Hurricanes, earthquakes, and tsunamis are among the uncontrollable natural forces that can cause havoc with supply chains and logistics. While many view the fury of nature as unpredictable and uncontrollable risks, Dent sees them as fitting within a typical crisis management plan.

“We’ve found is that your strategy does not change, irrespective of the triggering event,” he says.

“There are actually a lot of warning signs around hurricanes,” he explains. “You know what regions a hurricane is going to strike, or not strike. You know where your brick and mortar operations are in the world and you know where your key suppliers are as part of your supply chain. How are you preparing for a hurricane to affect those operations in those regions of the world? How are you taking into account that hurricanes and natural disasters are getting worse over time as climate change affects the severity of weather-related events?”

A similar approach encompasses supply chain disruption and third-party created crises.

The Deloitte survey found that 59 percent of respondents say that they participate in crisis exercises with third parties, examine third parties’ crisis plans, or both.

“You may have been doing everything right, but the reality is that you are only as strong as the weakest link in your supply chain,” Dent says. “You need to not only think about your own brick and mortar operations, but who your key suppliers are and how an event impacting one of your key suppliers could affect your ability to serve your own customers.”

Among the most meaningful recommendations in the Deloitte report is to start managing crises before they start. “The ability to prevent a crisis can be fortified by looking at the entire life cycle of a crisis instead of just readiness and response,” it says. “Crisis management shouldn’t start with a crisis. At that point, it may be too late to contain most of the damage.”

Dent reiterates that advice.

“One of the things we are seeing many organizations do is risk sensing and horizon scanning, where they look for risks that could harm their business or affect the business of their peers in similar regions of the world,” he says.

The advent of Big Data analysis can be deployed for the task, he says, and allows a company to study five to 10 years of historical information from a crisis standpoint.

“It allows you to say that ‘these types of crises are more likely to take place in these regions of the world.’ You have these types of extreme weather here, you are more likely to have geopolitical events in these regions, and you are going to have these labor situations here,” he says. “That gives you an ability y to set aside your own prejudices around what could impact your business and look at crisis readiness from a data-driven exercise to gain insights about what are actually the growing threats to your business.”

Dent points out that dissent should be encouraged during any training scenario or high-level discussion on risk. Having different opinions is good, he says, stressing the importance of having different perspectives on what could cause a crisis and how to respond to one.

“Let’s be honest with ourselves,” Dent says. “You can have the best plan and have done all the things we’ve talked about, but any crisis that hits your organization will not be exactly how you planned for it. It might be nothing like you planned for it. The value of the crisis plan is not he plan itself, it is the process of planning and getting people to think about how to respond to a crisis. Simulations and stress testing are a big part of that. They get people into the moment and allow you to move more quickly after an event. It is not the plan that is important, it is the planning that is important.”