Every business needs a plan to survive in a crisis. Along with generic and industry specific risks, contingencies should be in place for unexpected disasters such as floods, terrorist attacks, and computer hacking issues.
Imagine you’ve been building a successful business for seven years and decide to launch a succession plan to move out of the day-to-day operations and concentrate on a new venture. After months of searching for and recruiting the right general manager to take over the business, you give them seven solid months of induction. This allows you to focus on growing a second business overseas, secure in the knowledge that you have a solid manager heading up the organisation in Australia.
A few days after landing in the Philippines to focus on building your business, an acquaintance comes into your office to use one of the computer terminals and maliciously changes the IP address on every web camera, voice over internet phone, data server, mail server and the network server—all to the IP address of the printer. Everything that connects your business to the web (and your customers) thinks it’s a printer. Your clients can’t even call or email you to complain.
Five days later, while you’re scrambling to rectify crisis number one, you receive an email from your new national business manager in Australia advising you of their resignation, effective the day before they sent the email (yes, a negative one day’s notice).
These aren’t examples of extreme crises that could occur in business. This string of events did actually happen to Andrew Ward, co-founder of corporate and event massage company 3 Minute Angels and staff hosting company Delegait, earlier this year.
What one business considers a crisis may be different to another—whether it’s crises similar to Ward’s, or an advertisement that has gone out with the wrong phone number, or a product which is faulty and needs to be recalled—in all cases, the effects on your business can be disastrous if not managed properly.
“You can do everything in the world to minimise your own stuff-ups by planning, but a crisis moment is when you get an interjection you hadn’t planned for, or that you’d failed to plan for. It’s how you deal with it that’s important,” says Ward.
His general approach to business crises prepared Ward well, even for the unexpected. “I have an attitude that ‘you can’t scream until the bullet hits you’. What I found was, in the first two years when we were starting up, cash flow issues or any particular crisis could potentially knock you out of the game completely. I would watch other people, who had also started businesses, and they would be preoccupied with the potential risk that might be an hour, a day, a week, or a month away, and they’d start screaming.
“Instead of that, we always took the attitude that if the bullet hasn’t hit you, you’ve got to keep managing, keep working, add the solution, and as soon as you commit to getting through it, it tends to be that you do get through it. As soon as you resign yourself to the fact that the bullet is coming, I think you get knocked out.”
That’s not to say Ward wasn’t rocked by the shock resignation of his GM in January this year. Adding to the crisis was the timing as December and January are the quietest months for 3 Minute Angels. “We found ourselves with no general manager and no cash flow and no opportunity to do recruitment. And obviously, with me being out of the country and the GM resigning, it left a ripple of panic among the junior managers.”
While Ward admits he’s learned to have more formal and binding management contracts in place—with a four-week notice period built in—he says he had the trusting, small business mentality that, after seven months of induction, he expected the GM to gallop out of the gates as soon as Ward left. The shock came because Ward expected to know if the manager had had any doubts.
“The truth is, throughout the week when the resignation happened, for the first two days I didn’t know where the solution was going to come from, but I kept my cool and kept communicating with everybody about what the current thinking was and getting feedback.
“The worst thing I could have done would have been to stay in the Philippines and bury my head in sand. Inactivity would definitely have killed a business that has been going for seven years.
“You have to be the one that’s calm and rational and keeping it in proportion,” he adds. “If your staff are feeling anxious, it’s only going to get worse if you are too.
“Now I realise that even though I had spent seven months trying to leave, given what I had to do in terms of the business’ overall health, that crisis really was the other side of opportunity.”
After the time and investment Ward had placed in his GM, he realised that in order to find the right replacement in a short period of time, as well as give staff confidence and still allow Ward to work more exclusively on Delegait, he had to come up with a completely different solution.
“First, I got myself back to Australia, and with the senior manager who was remaining (but had only been with the business for three weeks) and the other Sydney managers, we got together on the Monday and I said, ‘we’re going to book in time this Friday, we’re going to fly in the other state managers and we need to, in the interim, create a plan’.
“The first part of the plan involved getting out our functionality chart, which outlines what areas of the business need to be covered in order to keep working operationally, to keep sales working, to keep marketing and finance going. We had to redraw our management structure completely.
“Where we had a centralised management structure previously, we then had to decentralise it and drop the responsibility into a state-by-state structure, and then have the states coordinated by either myself or the other senior manager.
“She and I are separating our time between Australia and the Philippines. So alternate months I’ll be in the Philippines and she’ll be in Australia. I’ve hired some additional resources in the Philippines to become our reception, administration and contact with our accounts payable and receivable, and that enabled us to take away that financial responsibility that the national business manager had and put that into a lower-cost resource over there.
“By taking all the leadership and planning and marketing roles that the national business manager had and moving them down to the states, we were able to empower our state managers, so we can now provide them with a mentor who will help them grow. We were also able to put in a five percent bonus incentive, based on targets, because we had retained a cost saving from the loss of the business manager.”
Unfortunately, though, Ward’s IT crisis at Delegait’s staff hosting premises in the Philippines wasn’t so opportunistic for the company, except to deliver them some hard lessons.
With all of Delegait’s employees working for the company’s Australian clients, all of their staff needed to continue working. Occupying a few floors in the building, they were able to share the load of one floor between two, which dramatically reduced internet speed and phone quality, but it only took three days to come back up to 100 percent, thanks to the IT department working round th
“Now we’re aware of it, we’ve got our internet security upgraded, we now have a specialist outsourcer and we have reduced access on our local area network,” explains Ward. Delegait has also taken out some key security measures regarding staff access.
“When you’re a communications or technology company, it’s a bit like the business having a heart attack—your IT is absolutely essential to the running of it. Productivity dropped to at least half because we had to share the resources. We had to reimburse our clients for their downtime. In terms of dollar costs, it would have cost at least $250,000, but in terms of opportunity cost—because there would still have been emails and calls made to us that we’re completely unaware of—the reputation and goodwill lost was the crisis in that situation. That’s immeasurable.”
The situation could have been a lot worse, though, if the company’s network had run across all floors and wasn’t split between them. Ward thanks his business partner’s extensive ICT experience for setting the system up this way, as well as being able to identify so quickly how and where the problem had occurred. “Even though we had a failure and clients couldn’t call us when it immediately happened, when we were able to explain what happened we found people were quite tolerant of crisis situations, especially if they understand it’s a one-off, as opposed to reoccurring.”
Consequently, Ward highly recommends having internal IT knowledge, even if you outsource IT operations.
Crisis Management 101
Crisis management expert Ross Campbell, author and director of consultancy Ross Campbell and Associates, believes there are always going to be ongoing issues and emergencies in every business. Some will be continual bubbling issues—such as cash flow, new regulations, and staff leaving—but some issues can tip over to become a critical issue. Then, there are some you can’t prepare for.
He uses the extreme US examples of 9/11 and a major recall by Johnson & Johnson 20 years ago when a number of people died from cyanide poisoning when the company’s flagship analgesic Tylenol was laced in several stores. “And nobody ever knew that a student was going to walk into Monash University and start shooting,” he says, “or if you’re living in northern Queensland at the moment, that floodwaters are going to come into your shop and potentially wipe you out.
“It comes as a painful shock when confronted by the real world of a random, nasty event, often categorised by incredibly dangerous results—bottom line issues that slow your business right up and, in some cases, stop it. I don’t think most managers are prepared, either emotionally or intellectually, to face the worst-case scenario,” says Campbell.
“There’s a better understanding now than ever before about the fact that you need to know what to do, and I think people have some kind of risk planning, but can they manage it when it happens? They may have identified some of the risks, but not formally by putting a plan in place to deal with them.”
In most cases, especially with SMEs, Campbell says the police will manage the emergency, and you’ve got expert trained responders to help you, but as the business owner you have to protect your bottom line, your people, your assets, and make sure you recover.
In order to identify and plan for a worst-case scenario, Campbell advises businesses to take the following steps:
- 1. Have a commitment to have a plan, a process, and a team. Even in the smallest of businesses, one person can’t manage a critical incident; there’s got to be a group of people who do it and in an SME that may mean bringing in people.
- 2. The team has to identify the worst 10-20 threats that could critically affect the business. There are some generic threats right across business but there will be specific threats that need to be managed in each individual case. Even businesses that have multiple branches will have different threats at each site.
- 3. Once threats are identified, correct them so they don’t reach the point where they’re bubbling over into a crisis. And for those crises you may not be able to completely prevent, the key response team needs to rehearse how they will manage those situations.
“Some people might say they can never get control of the possibilities, but I think that means they haven’t been analysing their risks well enough to see they can prevent them. Business can be resilient against crisis—not every crisis, we can’t stop lightning striking, we can’t stop a car running into a building, we can’t stop an armed hold-up, but we can make it hard for those things to happen.”
In times of crisis it’s also important to manage the media effectively. “In today’s world of instant media coverage, if you don’t get your message out quickly, somebody else will, so that’s a big issue,” warns Campbell. “Whether you’re a small or big business, you can attract media attention and you’ve got to talk to your employees very quickly first, then your other key stakeholders before the media know. Then, get ready for the media to come because they will ask questions and you can’t just stand there and say ‘no comment’.
“The big value-add in this process is the internet—it can work against you, but if you’ve got a website and you publish information quickly about what’s gone wrong and how you’re dealing with it, you will take the high ground.”
Campbell has published a book, Crisis Control, Preventing & Managing Corporate Crises, which is a useful resource for businesses to help identify their top threats and to ask key questions like who is going to lead the response and who the core team will be. Check it out at www.crisismanagement.com.au.
Caught in the Net
Risk management is a term that describes the forward management of negative events while taking into account the probability of those events occurring. Like avoiding accidents in the workplace, you can prevent business hazards by being vigilant and encouraging safe behaviour.
To avoid the consequences of a network breach, such as the IP address hack at Delegait, it’s important to limit access to the deeper levels of your local area network to key people who use it. Storing data off site is also a good idea as it means you can still access records if your network has been compromised in the office. As Delegait co-founder Andrew Ward suggests, understanding a bit about IT helps, even if you outsource that department.
A recent survey of small to medium businesses by global online security software company, Symantec, revealed online security risk was an increasing concern for Australian SMEs. “The research shows that organisations are aware of the significant risks surrounding the storage of information and are clearly prepared to take no chances, with 98 percent of Australian SMEs backing up their business-critical information,” says Steve Martin, Symantec mid-market manager, Australia and New Zealand. “However, faced with new and evolving regulatory compliance re
quirements and a growing mobile workforce, SMEs are under increased pressure to secure and manage their information in a timely and cost-effective manner.”
Martin outlines ten tips SMEs can use to stay safe:
1. Keep updated with changing threats and technologies. Employees and executives need to be aware of new threats. Security awareness training can go a long way to protect a company from attacks.
2. Create policies that address mobility and social networking. Corporate internet security policies should be put in place and all users need to understand how to comply with these policies. Policies could cover areas such as what data is allowed to be stored on mobile devices, to company policies about access to social networking sites.
3. Be careful how much information you divulge. Attackers use information gathered from social networking sites to carry out targeted attacks.
4. Be careful about third party applications and emails. Hackers can embed malicious code or malware into these applications, which can give access to a user’s profile.
5. Limit access. Unless the company requires it, consider disabling access to popular social networking sites.
6. Treat PDAs and smart phones like computers. Just like computers, mobile devices need to have up-to-date antivirus and firewall software installed to protect them.
7. Get specific. Hackers use mobile technology that targets SMS and MMS services,so mobile devices need to be installed with an anti-SMS spam service similar to an email spam service.
8. Protect your mobile data. Encryption software protects data as well as memory cards on devices in the event they are lost or stolen. Alternatively, a data wipe tool erases all data after a maximum number of consecutive failed login attempts.
9. Don’t be naïve. Mobile technology and social networking sites are seen as the path of least resistance to malicious activity by hackers. A security breach in one of these areas could compromise your business.
10. Don’t shy away from embracing new technologies. Mobile technology and social networking can be fantastic tools for SMEs if they are managed properly. Mobility devices free employees to conduct business any time, anywhere, but it is important to deploy the appropriate security measures at the front end rather than leave it as an after thought. Business oriented social networks can be a real bonus to business—as long as users take precautions.
Another step businesses should consider in their crisis management planning is taking out insurance against financial loss caused by equipment breakdown resulting in data loss. While insurance won’t prevent crises, financial compensation can assist the execution of a contingency plan, especially if your business subsequently needs to reimburse clients for their downtime, as Delegait did.