Crisis management: the last line of defence

The writer is chair of the European Risk Management Council

When all hell breaks loose, the last line of defence that can protect an organisation from disaster is crisis management. In this sense, we should consider crisis management as one of the most fundamental, and important, elements of modern risk management. Yet, for years, this area has not received as much attention from top management and regulators as it deserves.

The most recent examples of risk management failures in financial institutions are the collapses of Silicon Valley Bank and Credit Suisse last year. In the aftermath, numerous business publications have analysed the mis-steps of the banks’ leadership and the lessons to be learnt in order to avoid similar crises in the future.

However, the failure of crisis management in both banks has barely been mentioned, despite both SVB and Credit Suisse lacking actionable strategies that could have prevented these disasters.

One of the central lessons of those 2023 banking crises, therefore, should be the paramount importance of an effective crisis management framework. In the contemporary landscape, the backbone of such a framework must encompass five essential and actionable elements for a resilient crisis response. They are:

1. Crisis identification
   Crisis identification tools, such as early warning systems, empower organisations to save precious time in the early stages of a crisis. These tools should encompass various levels of data analytics, and may be enhanced by wider adoption of artificial intelligence to leverage large volumes of real-time and unstructured data. One critical aspect often overlooked in crisis identification is the presence of a triggering mechanism for crisis mode. This mechanism assigns personal responsibility and establishes conditions for a company’s management to declare the crisis and initiate crisis management protocols.

2. Contingency planning
   An organisation should develop and maintain an inventory of various contingency plans, enabling it to address risk shocks of different natures and magnitudes effectively. Each contingency plan should be detailed, outlining a sequence and timing of mitigating actions, with clearly assigned responsibilities, allocated resources and identified dependencies. And it should be tested, in a dry run.

3. Crisis governance
   During crises, traditional corporate governance structures often impede swift decision-making and crisis-mitigation efforts because of their bureaucratic nature and slow processes. Effective crisis governance demands a dynamic and streamlined approach — reminiscent of military-style governance, where key decisions are swiftly made by a small group of leaders possessing the requisite expertise and authority. This crisis governance framework should be established well in advance of any crisis and must incorporate mechanisms for decision cascading and feedback, to ensure efficient navigation during a crisis. Like contingency plans, governance frameworks also require a dry run to test their efficacy and train key decision makers.

4. Management information (MI) systems
   During crises, MI systems must rapidly process data to address the evolving situation. To be effective, MI systems need to prioritise delivering timely and relevant information. This may involve compromising volume and granularity for speed. In addition, MI systems should adopt an event-driven approach, rather than relying solely on scheduled predefined reports, and be flexible enough to handle non-standard requests. For example, when a risk event unfolds — such as a disruption of certain supply chains, or the imposition of international sanctions, or a cyber attack — the MI system should be capable of swiftly identifying borrowers who might suffer financially or operationally from the shock, and assessing the potential impact on their creditworthiness and resilience.

5. Crisis communication
   It is essential for an organisation to establish key crisis communication principles and a comprehensive crisis communication plan. This approach should assign specific responsibilities for internal communication with employees and for external communication with regulators, shareholders, the press and social media. Additionally, it should define communication frequency, tone, preferred timing and communication channels.

Effective crisis governance demands a dynamic and streamlined approach — reminiscent of military-style governance, where key decisions are swiftly made by a small group of leaders

Finally, and most importantly, organisations should conduct regular dry runs of their crisis management frameworks, in the form of war game exercises. These allow for the testing and refinement of crisis-mitigation strategies, as well as the training of individuals responsible for executing the outlined actions.

Wargaming also checks that crisis management is a credible and rigorously tested mechanism, ready for activation in critical situations, rather than just being written down in formal statements and policy documents to satisfy auditors and regulators.

When the entire existence of an organisation is on the line, crisis management becomes the mechanism that ensures a soft landing in difficult situations. It should be paramount for boards and top management, ensuring they are ready to weather future storms.