Leadership in crisis management and corporate risk avoidance – an interview with Caroline Sapriel
Discussion with Caroline Sapriel, founder and Managing Partner of CS&A, who is a keynote speaker at the 2018 ASIAL Security Conference.
In today’s world, the main driver of corporate risk is extreme stakeholder outrage. This can manifest in a number of forms and focus on a raft of issues, including discrimination, gender inequality, sexual harassment, corruption, environmental contamination, privacy breaches and crime, as well as polarisation and politicisation.
Social networks provide an unparalleled opportunity for this outrage to be expressed and go viral or for any incident or issue to gain unprecedented levels of recognition and therefore grow to epic proportions.
Caroline Sapriel, founder and Managing Partner of CS&A and a keynote speaker at the 2018 ASIAL Security Conference, answers questions on corporate risk and leadership in crisis management.
Where does an ‘inside attack’ rank in terms of risk to a large corporation? What role should leaders play in making sure insider attacks don’t occur?
Disgruntled employees and whistleblowers have always existed, and before cyber attacks there were other means for such employees to express their frustrations: leaks, physical sabotage, extortion, lawsuits, etc. Risk management is critical to define the potential consequences of decisions and actions taken by management. This includes having a solid stakeholder engagement and communication plan when bad news impacting employees has to be announced. Foresight, planning and being forthright and responsible should be the underpinning principles.
Supposing a large organisation has been compromised, what are the first steps that leaders should take, once the attack has been mitigated?
First the organisation must report the breach to the relevant authorities. Second, quick and transparent communication about the potential scope of the breach must be initiated with the impacted stakeholders; and last but not least, actions speak louder than words, so leaders must quickly articulate a remedial plan to retain stakeholder trust.
Is there a way to quantify how much brand damage an attack can have?
For publicly listed companies, a drop in stock price is an immediate indication of the damage any crisis, including cyber attacks, has caused. However, if well handled, this can bounce back. What is harder to assess is the impact on stakeholder trust – short, medium and long term. Any crisis causing a loss of stakeholder trust creates a reputation meltdown. This must be avoided at all costs.
How do leaders regain credibility after an attack?
Leaders must strive to maintain credibility before, during and after any crisis. Owning up to the problem is the absolute first step while playing ostrich by hiding your head in the sand is a sure way to destroy credibility. Once leaders’ credibility is compromised, stakeholder trust is gone and that is the worst possible outcome of a crisis.
What about ‘selling’ the message to employees – is employee trust compromised after an attack, and is it hard to regain that trust?
Employees are possibly the most important stakeholder group, but regrettably not always treated as such. Consistency is key and the same messages and actions must be communicated to all stakeholders – albeit in a different tone suited to each stakeholder group.
Looking at risk avoidance now, what part does enterprise leadership play in a crisis management strategy? Are there best-practice guidelines for leaders to follow?
Crisis management is considered a “push down” practice; it must be mandated from the top with clear implementation steps throughout the organisation. It is a “must-have” component of best practice corporate management systems and not just a “nice-to-have”, and as such it must be considered an investment and not a cost. Beyond crisis management policy and procedures, leaders must demonstrate or acquire crisis leadership skills. A crisis is not merely a bad week at the office, and years of business experience do not by default make for good crisis leaders. Recognising that it takes special skills to manage a crisis and that real crises are rare, leaders can develop them via regular crisis leadership training and exercises.
Crisis is a time for leaders to stand up and be counted – but what about the management framework they have in place around them – how much does their leadership strength rely on the ability of others, and should it?
Crisis management effectiveness relies on three critical aspects: 1. Tried and tested procedures, 2. Crisis leadership competencies, and 3. Experience. Crisis-resilient organisations must have proficient crisis leaders and rely on the practice and experience of their support teams.
How much credibility flows directly from a leadership team following a crisis, and is there a lasting impact on that group or individual?
Before, during and after a crisis, leaders have a critical role to play. Poor or weak leadership can make or break a crisis. It will definitely have a lasting impact on the organisation and the trust of its key stakeholders.
Is there actually an opportunity here for personal and team growth – out of adversity comes new strength, for example?
There is much to gain from every experience good or bad, but to achieve this growth, individuals and companies must have a formal process to capture and share lessons learned. Regrettably after a crisis, organisational and personal fatigue, as well as pressing business priorities, often prevent this from taking place and generating the output needed. Lessons learned from past crises definitely enhance organisational resilience as long as there is appetite to learn and improve. Aware leaders are the main drivers of a crisis resilient culture.
Is there a set of guidelines you would recommend as best practice for crisis management?
See below for CS&A’s 10 commandments of Crisis Management.
To hear more from Caroline Sapriel and explore innovative security solutions in depth, register here for the 2018 Security Exhibition & Conference, on next week, 25-27 July, at the Melbourne Convention & Exhibition Centre.