Small businesses (SMEs) are the backbone of many economies, providing essential goods and services to their communities.
SMEs are vulnerable to various crises, from natural disasters to financial downturns, and now, cyber-attacks have become an additional threat. Therefore, it is imperative for small businesses to have a crisis management plan that includes cyber security measures.
In today’s feature, our experts provide insights into why small businesses must prioritise crisis planning and practical tips to develop a comprehensive crisis management plan. We’ll cover the steps involved in assessing potential risks, implementing security measures, and offering practical advice for SMEs to protect themselves and their customers from the consequences of a crisis.
Let’s Talk.
Discover more Let’s Talk Business episodes
Contribute to Dynamic Business
Manu Mehra, Managing Director, Australia and New Zealand, Lenovo ISG
“Crisis can take any form. The biggest risk factor today with emergence of tech-first businesses is cyber security. Cyberattacks evolve faster that an organisation’s strategy to adopt new technologies. And today’s distributed workloads in hybrid cloud, edge, and on-premise, have higher vulnerability. While Large enterprises have the capital to take immediate measures in adversity, SMBs as we saw during the pandemic are the worst impacted.
“The most important part of cyber crisis management is IT preparedness to avoid it and the demand for technologies in security, fraud/risk, and IT operations in ANZ is increasing. As a technology leader, we see the following steps critical to ensuring security and resiliency of any business:
- Streamline, simplify, and automate protection of your data using solutions like ThinkShield that offer self-healing BIOS, encrypted storage, and robust authentication capabilities
- Ensure there is a disaster recovery (DR) infrastructure in place – any unexpected downtime has the potential for severe business disruption and data loss, costing millions in lost revenue
- SMBs are always growing – partner with the right technology provider to benefit from As-a-Service offerings like Lenovo TruScale that allows the businesses to only pay for what they use and scale as required
- Establish a Zero-Trust approach – eliminating implicit trust and continuously validating every stage of digital interaction.”
Jennifer Harrison, Director, Startups and Scaleups, Reputation Edge
“In case of crisis, and as a strategic business planning tool, small businesses should have a one-page map of stakeholders and their interests. And it’s essential to include non-obvious stakeholders because it’s the ones you forget who can end up blindsiding you!
“In a crisis, the only control you have is how you respond. Your top priority must be keeping the trust of your customers and your employees because this helps to prevent escalation.
“Don’t leave an information vacuum, because that’s how rumours start, and you’ll be on the back foot. Prioritise communicating with the right internal and external stakeholders transparently and with empathy. Stick to the facts and be consistent. Do not make speeches or submissions. You need flexibility to pivot as new information comes to light.
“There is no perfect crisis management plan, rather there are checklists and guiding principles – like the four Rs (readiness, response, resolution and recovery) and the four Cs (cooperation, containment, control and cauterise).
“When using those checklists and guiding principles, keep sight of the big picture and don’t get dragged into the weeds. Stay true to your vision and your values, rather than feel you need to respond to every small detail.”
Shiva Pillay, General Manager and Senior Vice President, Asia and Japan, Veeam Software
“It is imperative that small businesses develop a crisis management plan, especially for cybersecurity, as no business is immune from attacks – it is a matter of when, not if. In 2022, 85% of organisations were successfully attacked by ransomware at least once, and less than 50% could recover encrypted or destroyed data.
“Small businesses can start building crisis management plans by identifying potential scenarios and prioritising by risk. Businesses can then develop standard protocols to prepare, such as by creating immutable backups and performing regular backup recovery tests to ensure data can be restored efficiently.
“Data resiliency is key to a business’s crisis plans. This means ensuring that data is securely backed up and can be easily restored in the case of a crisis. Veeam recommends adopting the 3-2-1-1-0 backup strategy, which means having three copies data on two different media – one copy being off-site and one copy being offline, air-gapped, or immutable; lastly, there should be zero errors after automated backup, testing and recoverability verification.
“A crisis management plan that emphasises data resiliency can help businesses of all sizes respond effectively to unexpected attacks, minimising the impact on brand reputation and ensuring business continuity.”
Lyndelle Morgan, Director, Niche Marketing Group
“Although small businesses may not have the same level of resources as larger organisations, having a crisis management plan can help them stay prepared and protect their business. A crisis management plan should outline: roles and responsibilities, communication protocols, contingency plans, and procedures for handling different types of crises. Potential crisis scenarios should be devised and included in the plan, with each outlining potential issues, responsibilities, courses of action, relevant internal policies, and draft statements for responding to media.
“Much of crisis management relies on clear, concise communication with stakeholders including media, customers, general public, and the internal team. A crisis management communications plan should include:
- Key messages which can be used or adapted to respond to media enquiries and general public announcements, as well as owned channels, to ensure messaging consistency
- Draft Q&As for all relevant audiences
- Media interview dos and don’ts as reminders for the organisations’ spokesperson and team
- A timeline of actions to manage the issue.”
Paul Soong, Regional Director, ANZ, e2open
“Today, as we continue to operate in uncertain times, it is imperative for small businesses to develop a crisis management plan. Businesses need to build resiliency within the organisation to aid them in becoming disruption shapers that undertake active steps to reduce risk events the business may be subjected to.
“To execute a crisis management plan, businesses first need to establish a crisis management team. This team will see the entire crisis strategy through from start to end. To develop an effective plan, the team would need to brainstorm for potential risks the business may face, both high and low risks so they are prepared for any type of risks. When doing this, the business needs to understand what the various risks can entail and what are the possible outcomes. From there, the team can then plan appropriate responses for each risk and strategy to tackle them.”
Caitlin Zotti, Co-CEO, Pin Payments
“Small businesses are often vulnerable to unexpected events that can disrupt their operations, and the pandemic really put a spotlight on the importance of having a crisis management plan. Up until that point, many small businesses had been operating without any consideration for unforeseen events. Having a crisis management plan in place, ideally, enables businesses to incur the least financial impact and have a swift return to normal business operations.
“The recent bout of cyber-attacks has presented businesses with yet another reason to be prepared for the worst, demonstrating that a comprehensive, holistic assessment of internal and external risks is critical to the success of a crisis management plan. Only once key risks to your business have been identified, can you start to prepare a successful crisis management plan for your business.”
Garrett O’Hara, Senior Director Solutions Engineering APAC, Mimecast
“Despite constrained resources and time, small businesses should not feel exempt from having a crisis management plan in place as a priority. All businesses are at risk of falling victim to a crisis, whether this be economic downfall, geopolitical events, or cybercrime, which is exploding and impacting organisations of all sizes. In fact, small businesses face greater pressure to recover from adverse events, with 41% of Australian organisations experiencing a loss in revenue due to a ransomware attack.
“Focusing on cybersecurity, businesses looking to mitigate risks and ensure business continuity can implement several processes to help reduce risk. Mimecast’s State of Email Security Report 2023 revealed that 80% of respondents believe their company is at risk due to careless or negligent employees, so a great start is to focus on raising awareness across your entire team of the need for cyber vigilance. The most effective training is regular, short, and engages the whole organisation as a collective effort to keep work protected.
“As well as awareness training, small businesses should also consider basic cybersecurity hygiene, such as firewalls, data segmentation and zero-trust frameworks.”
Brodie Haupt, CEO and Co-founder, WLTH
“Nowadays, small businesses need more than a solid financial plan and a reliable product or service offering. A crisis management plan is worth having in the toolkit to navigate unforeseen challenges and ensure long-term success.
“With a well-prepared plan, small businesses can continue to operate despite adverse situations. It ensures they can maintain their cash flow and uphold commitments to customers, suppliers, and employees. An effective crisis management plan can help maintain and even boost a business’s reputation by demonstrating its ability to handle difficult situations professionally and efficiently.
“To develop a crisis management plan, begin by evaluating your business’s operations, industry, location, and partnerships to identify potential hazards and vulnerabilities. Next, consider internal and external risks, ranging from natural disasters to technology failures, assemble a team of key personnel responsible for managing crises, and designate roles and responsibilities, such as decision-making, communication, and resource allocation.
“It’s important to ensure all employees are familiar with the crisis management plan and their roles in it. Regular training and drills can help ensure everyone is prepared to respond effectively in the event of a crisis. Regularly review and update the plan to ensure it remains relevant and effective.”
Mel Greig, PR and Media Manager, BRANDiT Agency
“EVERY business should absolutely have a crisis management plan or at least have the internal discussion with the team of ‘What could go wrong?’
“When it comes to crisis a lot of it can be unpredictable, but you will lessen that risk if you do a risk assessment. For small businesses some of your risks can stem from behaviour:
- A staff member or owner says or does something controversial, offensive, or unethical publicly or on social media and the situation is managed with no regard.
- Angry customers or clients that can drive your reviews from 4 stars to 1 star due to public backlash on an incident that wasn’t handled well in a crisis.
“When putting together your crisis management plan, think of these 3 top tips:
- People will be very forgiving if you’re honest about a situation (seek legal advice to ensure you aren’t confirming liability)
- There is always a way to say sorry or show emotion in a crisis.
- Have a representative/staff member media trained in preparation for a crisis and learn your key messages.”
Monique Haylen, Founder, MINT PR
“Small businesses are vulnerable to a range of potential crises that could have severe impacts on their operations, reputation, and future. From natural disasters to cyberattacks and product recalls, these threats can strike unexpectedly, making it critical to have a well-developed crisis management plan in place to minimise their impact.
“The first step in creating a crisis management plan is to identify potential crises and assess their potential impact on your business. With this information, you can craft a detailed response plan that outlines the steps you will take to mitigate the crisis’s impact.
“However, a response plan alone is not sufficient. A comprehensive crisis communication plan is an essential element of any crisis management strategy. This plan acts as a strategic roadmap, defining how you will communicate with key stakeholders during a crisis, including identifying target audiences, channels, messages, and response protocols.
“By investing time and resources in developing a robust crisis communication plan, you can avoid confusion, minimise misinformation, maintain credibility with customers and employees, and protect your business’s long-term viability. In today’s fast-paced and unpredictable business environment, a crisis communication plan is a must-have tool for small businesses looking to survive and thrive in the face of adversity.”
Sally Branson, Director, Sally Branson Consulting
“The myth-making of crisis management does small businesses a disservice.
“Many people mistakenly assume that crises only happen in high-stakes, big businesses – putting small businesses on the back foot. Because, in real life, crisis happens in all businesses, almost every day. It could be a supply chain issue, a negative social media review, or difficulty finding staff to fill a shift.
“As a small business, it’s time to forget the myths surrounding crisis management and ensure that crisis planning becomes an ordinary, everyday business activity. By doing so, you can be better equipped to handle challenges, protect your business, and even turn a crisis into an opportunity for growth.
“Starting out on crisis planning is formulaic, once you ignore the myths, it is a streamlined process. The first way forward is to think about every worst-case scenario, what keeps you or your staff up at night? What sort of crisis are they? Slow burn? Creeping Crisis or just an ugly everyday dramatic and instant crisis. Being aware of what you face, gives you power to act and more authetoically and appropriately.
“The most important part of crisis management is the preparation work – identifying worst-case scenarios, establishing a chain of command, making sure you have a media-trained spokesperson and talking points, and setting up advice channels. By planning for a crisis, you can ensure that you have a way forward, and be prepared to respond responsibly, appropriately, and quickly. Effective crisis planning can also help minimize losses, communicate authentically, and build resilience during a crisis event.”
Meena Wahi, Director/SME Insurance Specialist, Aspect SME Insurance
“Anticipating potential scenarios that may cause significant disruptions to a business is critical (regardless of your business size). Small businesses are possibly more at risk in some situations as even minor crises can seriously impact operations, or blow the business up entirely.
“Small businesses can incorporate crisis management planning into their insurance planning, which is easiest done with the help of an insurance broker who can identify relevant risks and potential crisis scenarios. A well-developed crisis management plan should include risks that can be eliminated or effectively managed, risks that are accepted, and also risks that can be transferred to an insurance company.
“The plan may include an incident response plan that outlines necessary actions and tasks to manage the impact on various stakeholders and the business as a whole, from clients/customers, to restoring operations to (saving) the brand. Certain insurance policies offer more assistance than others in the event of a crisis as well. A good example of this is cyber insurance policies which often have a Cyber Incident Response Panel that can help you respond to a cyber incident.
“For this reason it’s important to consider what assistance your insurance will be able to provide first – as you will need to plan in more detail for the risks you’re deciding not to have covered.
“By having a well-developed crisis management plan that accounts for potential risks, small businesses can minimise the impact of a crisis if it occurs and respond with some level of confidence.”
Thomas Fu, Executive Director and Founder, Motor Culture Australia
“During the 2022 QLD floods, we saw firsthand at Motor Culture Australia the impact a crisis can have on a business. While we had a general plan in place, our team learnt a lot from that experience and the importance of setting up the right processes to minimise the impact on operations.
“An effective plan should consider all potential scenarios from natural disasters to pandemics to internal situations. Likewise, make sure you appoint a crisis management team, so there’s always someone who can step up if others are unable. Workshopping different scenarios, and considering the impact of each on the business, will help you to effectively create policies and guidelines for each. Don’t forget to include a crisis social media plan, as these channels are vital during disasters.
“Once you’ve outlined potential crisis scenarios in your plan, be sure to brainstorm solutions for each. Have templates and guidelines in place and appoint a media spokesperson who can communicate to the public during this time. Remember, disaster management isn’t a set and forget process, to be effective it’s essential that your plan is reviewed and updated regularly.
“Ultimately, thinking ahead and being open to change during challenging times is important to ensure your business model is flexible and adaptable to evolving circumstances.”
Anthony Caruana, Co-CEO and Co-Founder, Media-Wize
“Every business needs a crisis management plan. Without a plan, there is a high likelihood that you will make things worse before you make things better and recover.
“Creating a crisis management plan starts with a risk assessment. For each risk, plan what you will do and how you will communicate with all affected stakeholders. This includes customers, suppliers, shareholders and the media. Planning and practicing how to handle the media spotlight during an incident is critical.
“It’s too late to start thinking about how to handle media attention when a crisis is unfolding.
“We’ve all seen people crumble when they’re unprepared. Even if you are doing a good job of managing the crisis, poor communication can result in damage to your brand and reputation. Crisis communications must include all stakeholders and all communications channels including social media.
“Preparation reduces the cognitive load during a period of stress and reduces the risk of mistakes. If you’ve rehearsed responding to unexpected questions, your brain won’t be overloaded when you’re asked a more challenging question.
“A well-managed crisis doesn’t have to be the end of a business or the death of a brand. It can be an opportunity to communicate, fix problems and emerge wiser and stronger.”
Remonda Martinez, Managing Director, Blue Haven
“Being proactive is king. Here are a few personal tips:
- Identify potential crises: Begin by listing potential threats, including natural disasters, cyberattacks, or supply chain disruptions. Consider internal and external factors that could negatively affect your business, and prioritise them based on probability and potential impact.
- Develop response strategies: For each identified crisis, outline appropriate response strategies to address and mitigate the situation. This may include assigning responsibility to specific team members, establishing communication protocols, and creating contingency plans for business continuity.
- Communicate with stakeholders: Ensure all employees and relevant stakeholders are aware of the crisis management plan. Provide training and resources to help them understand their roles and responsibilities in case of an emergency.
- Establish a crisis communication plan: Effective communication during a crisis is crucial. Develop a plan that outlines how the information will be disseminated, identifies key spokespersons, and ensures transparent, accurate, and timely communication with employees, customers, suppliers, and the media.
- Test and update the plan: Regularly conduct simulations and drills to test your crisis management plan’s effectiveness so you can identify gaps and refine the plan accordingly. Needless to say, update the plan as your business evolves, ensuring it remains relevant and effective.”
Annette Densham, Creative Director, The Audacious Agency
“You need a plan. In business, especially in this age of social media and trolls, a crisis can be anything from a negative review on your Facebook page to a product recall or staff member committing fraud. Not all crises end up in the media, but if you are part of a community, word of mouth travels fast, and social media is powerful, if not more powerful than mainstream media.
“None of us expect the worst, but not planning for it is like not having insurance. You may never need it. But when you have a fender bender, you’re glad you did.
“Crisis management is not the sole domain of big business. Small businesses need to Without a plan, you’re lost and at the whim of the crisis tide, being carried wherever it takes you. Without a plan, many react emotionally and illogically, taking knee jerk actions – a big no, no since it often compounds the issue.
“Having a plan in place generally means you can bounce back quickly and with minimal disruption to your business. A plan should touch on ALL potential threats to the business, some draft content on how you respond to each, who will do the responding and how you will mitigate the damage to your brand.”
Discover Let’s Talk Business Topics
Keep up to date with our stories on LinkedIn, Twitter, Facebook and Instagram.