Crisis management Overview
A key element of effective social media governance and risk management is crisis management. Crises can hit any organization with little or no warning and can have devastating effects. In today’s world, rumors and news spread at incredible speeds over social media, which can make an incident escalate faster than ever.
In the past, perhaps only large international incidents would hit the mainstream news; however, with so many people using social media around the world, an incident doesn’t need to hit the mainstream news for it to get the attention of thousands of your customers.
In this blog, we’ll look at how crises develop, how you can assess a crisis when it happens and how to implement a strategy to manage the crisis effectively. We’ll also look at how human behavior changes when faced with stressful situations and consider how well-laid plans and a well-executed crisis response strategy can help an organization avoid disaster.
What is a crisis?
A crisis is an incident that has a high impact and has either already occurred or has a high likelihood of occurring.
An organization may experience a high number of incidents in its normal course of business, such as making a social media post and including a link that doesn’t work. A crisis, on the other hand, is an incident that has a much higher impact on the business.
To continue the example above, an erroneous link embedded in a post would cause only minor annoyance to social media users; however, if an offensive image had accidentally been included in the post it would have a much higher impact on the company and is more likely to go viral, resulting in the company’s reputation being damaged by a large backlash from social users.
The risk matrix shows the relationship between the impact of risk and the likelihood of it occurring. A crisis will be any event classed as ‘extreme’ in the risk matrix.
There can be a fine line separating an incident from a crisis. All crises will begin as incidents but not all incidents will spiral into full-blown crises.
To assess a crisis you need to consider what the impact could be of an incident occurring to understand what might happen. Some examples of incidents that could turn into crises are as follows:
Hacked social media account. This will almost certainly be classed as a crisis because, during the time that you lack control of your account, the hacker could post a huge amount of negative material that could quickly attract the attention of the global media.
Inappropriate social media post. Many companies have experienced incidents where someone accidentally posts something inappropriate on social media.
A good example of this was when a tweet was posted from the American Red Cross account which said ‘Ryan found two more 4 bottle packs of Dogfish Head’s Midas Touch beer…. When we drink we do it right #gettingslizzard’.
While this is an embarrassing mistake for someone to make (likely mixing up their personal and work accounts) and attracted a lot of attention across the internet, it could have been a lot worse.
On the other hand, if the post had included more offensive language or imagery, and if it had stayed up for a long period of time, it would be more likely to escalate into a crisis.
The website goes offline. If your website goes offline unexpectedly in the middle of the night for a few minutes it might not have a big impact on your company; however, if you’re a multinational online retailer, any downtime could cause a real crisis, harm your reputation and negatively impact both revenue and investor confidence.
Data Breach. Data breaches would normally constitute a crisis; however, if an attacker had only managed to access your internal data you might be able to avert a wide-scale crisis.
If, on the other hand, a hacker had gained access to the personal data of your customers or employees it could be considerably more serious, have a harmful impact on your reputation and attract fines from regulators.
In the above examples, it’s clear that not all incidents will have the same impact. Likewise, what one organization sees as a crisis another might see as just another day in the office. Some organizations are targeted regularly by activist groups or hackers and have become used to dealing with a wide range of incidents.
Human response to a crisis
It can be tempting for someone who is experiencing a crisis to act differently to how they would ordinarily. In the course of their normal work, they will follow policies and procedures diligently, for example by seeking approval for new content posts and documenting their actions as they go.
However, in a stressful situation, these tasks can appear menial when compared with the crisis that the person is experiencing.
This can make them change their behavior by not following the required processes and procedures. The person may feel that they’re doing the right thing and are prioritizing effectively. However, these actions can actually make a bad situation worse.
Picture this hypothetical scenario: a number of abusive images and offensive content are accidentally posted on the company’s social media account. Not realizing what had just happened, the social media team goes out for a pre-planned team lunch to a pub down the street.
The pub has very poor mobile phone reception and no wifi. An hour into their lunch, a colleague runs into the pub and explains what has happened. Tensions heighten almost instantly.
Questions start popping into everyone’s head: ‘what do we do next?’, ‘how could this have happened?’, ‘what has the response been from other social media users?’, ‘who’s to blame for this?’ or ‘Oh no, this might be my fault, who can I try to blame?’. The team hurry back to the office and start trying to rectify the situation.
They’re receiving lots of posts every second and they try to respond to as many as possible. Normally, all content and replies need to be reviewed by the team leader before they can be posted, but due to the heightened stress levels, members of the team started making more posts, defending themselves and claiming that it wasn’t their fault.
This annoyed other social media users and made the crisis worsen – it was then picked up by mainstream media and reported on the TV and main news websites.
We can relate to the team because there will be times when even the most laidback people have experienced stressful situations. However, if appropriate technical controls had existed and a crisis response plan initiated it would have helped to manage the crisis and avert an escalation.
It can feel counterintuitive to assess the options and plan the next steps when faced with a crisis because many people will want to act.
Even after controls have been implemented, the teams that will have to deal with crises should be given appropriate training. Training is important to ensure that the team are familiar with crisis situations and know how they should act.
Crisis simulations are an effective and fun way to test a team’s response to any given crisis and can help improve your crisis response strategy. Crisis simulation is covered later in this blog.
Avoiding a crisis
The best way to deal with a crisis is to avoid it in the first place. An effective risk management function and a risk-aware culture will go a long way to safeguarding your company from unfortunate incidents. You should spend time thinking about where the risks are to your business and what you can do to manage them.
For example, if you have engaged a third party to manage your enterprise social network, you are exposed to a risk that the third party may experience issues that have a knock-on effect on your company. If the third party’s IT network goes down, it may take your enterprise social network down with it.
A common way to guard against this is by completing a due diligence exercise where you assess any third parties that you work with to gain confidence that they have appropriate processes and procedures in place to avoid any impact to your own business.
Your procurement team should already have due diligence processes in place, but if you’re purchasing an enterprise social network or a social media management tool, you should complete your own additional due diligence to ensure the tool meets your needs.
Purchasing a social media tool without appropriate due diligence is risky because you are at the mercy of the supplier to provide the tools. Things you should consider are:
Have the provider’s infrastructure and applications been independently security tested? Has the provider achieved appropriate accreditation that shows that they have assessed security risks and implemented mitigating controls? Can you comfortably rely on the security offered by your provider and does it meet your own requirements?
Availability. You should ensure that the provider has agreed to an acceptable level of availability of the tools or applications you are purchasing. When is it acceptable for the application to be unavailable?
How quickly will the provider respond to unexpected downtime (when the application is unavailable)? At what times and on which days will maintenance be carried out?
The systems should have an appropriate level of redundancy, for example, to avoid downtime from unexpected events such as power cuts. To do this, ‘uninterruptible power supplies’ can be used, which will provide power for a short period of time while the main building power is off. Support. What support arrangements will be in place?
How quickly will the provider commit to responding to any support requests and how long will they take to resolve? Data protection. Is the provider aware of their responsibilities with regard to data protection law?
Has the provider implemented controls to safeguard personal data? Where will the data be hosted/stored geographically? Will the data be transferred and, if so, have controls been implemented for this to happen legally?
Archiving. What data is archived? What is the process and schedule for archiving data? When will data be deleted?
Backups. How quickly can the provider access backups, should they need to? Will backups be stored on-premise or off-site? (If the building burns down and the backups are in the building, it’s not likely you’ll get access to them…) Who has access to the backups? How are the backups secured?
A problem with one of the challenges listed above is something that could lead you into a crisis, which is why oversight of these is vital. However, for all the planning and preparation that you do, nobody has a crystal ball and it’s impossible to guarantee that you won’t face a crisis at some point in the future.
Therefore it’s important to put plans in place to deal with a variety of incidents quickly and effectively to stop them from becoming a crisis.
Twitter Q&As backfire, attracting a barrage of public criticism
Twitter Question and Answer (Q&A) sessions, or ‘ask me anything’ events, can be a really effective way for organizations to connect with their customers.
They give customers an opportunity to pose questions to a company’s senior leadership and, when executed successfully, can increase customer engagement and improve a business’s reputation.
Unfortunately, however, there have been a number of examples of companies that have started a Q&A only to be faced with a barrage of public criticism.
One such example is UK gas company British Gas, which organized a Twitter Q&A in October 2013 and invited Twitter users to ask questions to British Gas Customer Service Director Bert Pijls, using the hashtag #AskBG. Unfortunately for British Gas, they decided to run their Q&A session on the same day that they announced a 10.4 percent increase in electricity prices.
The session immediately started trending on Twitter as users joined in to voice their grievances over the increase in prices and the impact that it would have on their families. One user asked:
@britishgas is it true your top shareholders heat their homes by burning loads of £100 notes they have from excessive profits?
Another Twitter Q&A event which caused a stir on social media around the same time was planned by US bank JP Morgan. In this case, however, the bank received such a barrage of negative tweets before the event even began that they canceled it.
Even after the Q&A had been canceled, messages continued to be posted with some highlighting how JP Morgan had failed to embrace social media as an effective PR tool. At the time, JP Morgan was facing a record fine of $13billion for misselling bad mortgage debts to investors prior to the 2008 financial crash. One user posted:
#AskJPM is the greatest social media fiasco ever contrived. A lesson in being completely self-unaware of public perception.
According to Topsy, a company that analyses tweets, at least two-thirds of the 80,000 tweets sent using the AskJP hashtag were negative. After a few hours the bank reversed its decision to hold a Q&A session online and posted:
The key takeaway from both of these examples is around the timing of the Q&A sessions. It’s hardly surprising that, at a time when both companies were already receiving negative press, users took to social media to publicly complain about them. Social media analytics could have been used to show overall sentiment over the brands and could have fed into their decision to run the Q&A, or not.
Roles, responsibilities, and logistics
It’s important to have roles and responsibilities clearly defined within your crisis response strategy so that there can be no ambiguity as to who is responsible for what. Any uncertainty could delay your response and result in a crisis being escalated unnecessarily while your people scramble to work out who should do what.
You should maintain a list of approved company spokespeople who are authorized to make comment to the media about the crisis. These people should be identified within your strategy and should have received appropriate training to ensure that they are capable of dealing with the media.
Your strategy should also make it clear that only those people who are approved company spokespeople are allowed to make any comments to the media about an ongoing crisis.
It’s also worth considering the mechanics of how you will operate during a crisis. For example, which room will you use to coordinate your response and where will it be located?
Getting as many of the key people as possible in the same room will make decision making much quicker and will allow everyone to keep up-to-date on any developments.
You might want to include social media feeds and a news channel on a big screen. In some cases, you might need to set up a dedicated telephone line that customers or members of the public can phone if they need assistance or further information.
All of this logistical information should be included within your strategy, as well as a list of key contacts who can assist with setting up telephone lines, access to the internet and so on.
Responding to a crisis
Having assessed the severity of a crisis, documented the cause and communicated it to your key stakeholders, you can move on to actually responding. Your crisis response strategy will be invaluable here and it’s important to refer back to your well-laid plans before charging ahead.
The cause of the crisis, the current political environment, your business strategy, and other events will all have an impact on how you respond and what tasks you will build into your response.
One of the first things that you should do to respond to a crisis is to assess your options. What was the cause of the crisis? Is there something that you can do to easily rectify the situation?
Not everything can be addressed quickly and easily, but if it can what will you do next to communicate your response internally and externally?
For example, if the cause of the crisis was a bad choice of advertising that ended up offending huge groups of people, you will have a few options. You could attempt to remove the offending advertising, or you could try to justify it. Justifying it might be dangerous because saying that ‘it’s not my fault’ can cause more anger and escalate the crisis.
If you want to remove the advertising, you’ll need to plan how to do this. If it’s online advertising, what channels is it on? Who are the people that you need to contact to get it removed?
If it’s printed advertising, you’ll need to consider a communications strategy to apologize and explain. Once the advertising is removed, how will you engage with those groups who had been offended by it?
Social media may be a great way to quickly reach your customers or the wider public to communicate your response. But you need to consider where your target audience is and which platforms they are using.
For example, if you experienced an incident in Russia, you won’t want to rely solely on Twitter and Facebook because most Russians use local social networks such as VK mobile version or OK.RU.
Will your audience even use social media? If you sell stairlifts to the elderly you might find that a social media communications campaign doesn’t reach your target audience and may just inadvertently publicize the issues which you are experiencing to a wider group of people.
Regardless of whether or not you will be using social media as your main communications channel, you’ll need to carefully monitor it. Rumors on social media spread incredibly fast so you’ll need to be prepared to respond if needed.
Having well-documented escalation processes is essential when you face a crisis. Teams who are dealing with a crisis need to understand at which point they need to escalate an issue to another team or to someone more senior and how they do so. Inappropriately escalating issues will bombard other teams and take their attention away from more serious issues they need to address.
The process should outline criteria and situations that require the issue to be escalated to another team. Details of who in that team the issue should be passed to should be included.
Greggs bakery logo vandalized
If you search for a business in Google you may have seen the panel that appears on the right displaying key information about the business including its logo, address, phone number.
On 19 August 2014 social media users noticed that if you typed ‘Greggs’, the UK’s largest bakery chain, into Google, a fake logo with an offensive slogan was displayed instead of their official logo.
It didn’t take long for Greggs to be flooded with posts and comments via Twitter. Greggs faced two issues: 1) they needed to work out how to fix the issue and get their proper logo to appear again, and 2) they needed to deal with the barrage of tweets from customers.
How Greggs reacted was impressive. They created the hashtag ‘#fixgreggs’ and tweeted a photograph of a large plate of doughnuts to Google UK with the text:
Hey @GoogleUK, fix it and they’re yours!!! #FixGreggs
Google UK then tweeted back:
Sorry @GreggstheBakers, we’re on it. Throw in a sausage roll and we’ll get it done ASAP. #FixGreggs.
For hours while they waited for Google to fix the issue, Greggs was responding to hundreds of tweets from their followers. They didn’t respond with generic ‘we’re looking into it’ messages the way other brands have done in the past.
Instead, they responded with appropriate and sometimes witty posts. They didn’t ignore their followers and didn’t shy away from what had happened; they rose above it.
Greggs managed to get in touch with Google California and after a few hours the logo was fixed, at which point Google UK tweeted:
That’s all done now @GreggstheBakers, #FixGreggs is now #FixedGreggs
Even after the logo issue had been fixed, Greggs didn’t stop there. They then tweeted a photo of sausage rolls laid out on a table spelling ‘Google’, with the text ‘Aaaand relax! Maybe those kind folks @GoogleUK could give us the doodle tomorrow?’
Not long later Google tweeted back with a photo of an almost identical desk scattered with what appeared to be sausage roll crumbs and the text ‘Whoops! Sorry, @GreggstheBakers’.
Google didn’t give Greggs the doodle, but it was an entertaining story with a good outcome for Greggs. They received a lot of support from its followers throughout and were able to respond in a very human way.
The way Greggs handled this potential PR nightmare was reported positively in many of the mainstream newspapers and resulted in a lot of positive press.
This goes to show that social media can be used effectively to manage a potential PR nightmare and come out on top.
Reactive versus proactive communications response
When you face a crisis you can choose to respond either proactively, or reactively. In a reactive response, you will wait to be contacted by customers or the media before you respond to them and you will only disclose as much information as you have been asked for.
In a proactive response you won’t wait to be contacted, instead, you’ll proactively push out messages on social media, contact the media and give regular updates on your progress.
The best response tactic will depend on the circumstances of the crisis, as well as how much you know about the incident versus how much the public know. If your company is well known and champions transparency and you become aware of an issue with a product or service you might choose a proactive response.
This would help you avoid being accused of hiding information, reacting slowly or not seeming to care. You might choose a reactive response tactic if there are already details of an issue emerging in the media, but not all of the detail has been leaked into the public domain.
In this example, you wouldn’t want to go out and put all your cards on the table as it might prompt an even bigger backlash against your company. Instead, you’ll monitor the situation to see what stories get picked up by the media and put your energy into responding to them rather than focusing on other issues that are not causing such a press sensation.
After an incident has been dealt with you should review your own performance to understand how you can improve should you face a similar incident in the future. Questions that you could ask are:
Was the crisis report template used and was it effective?
Was the response timely?
Were the policies and procedures followed?
Were any amendments to the agreed procedures made?
Were the amendments effective and should they be incorporated into the processes?
Did the teams collaborate effectively?
How has the perception inside and outside the company changed as a result of the crisis?
Were any improvements identified?
Once you have the answers to these questions you should have a fairly clear picture of how well your teams responded to the incident. You will also be able to see more clearly where your team had trouble or responded slowly. This valuable information should be used to update your crisis response strategy so that if there’s a next time, your response will be more efficient.
Crisis testing and simulation
Once you’ve crafted your crisis response strategy it will hopefully be a quite some time until you have to put it in action, if ever! But such a strategy is an unfortunate necessity.
The organizational change many companies face as well as the constant changes in technology and social media mean that the strategy could quickly become outdated. To avoid this, your strategy should be reviewed annually and updated appropriately.
You should also consider running crisis simulations to test your response strategy. Crisis scenario testing can uncover issues in your strategy and helps people in your organization to understand what they should do and how they should act in a crisis.
Such testing will inevitably require quite a lot of senior resource, but the benefits of familiarizing your people with the strategy and getting a view on how it can be improved will prove invaluable when the time comes to put the strategy into action for real.
The objective of a crisis scenario test is to simulate events that might happen during a crisis over the period of a day. This could involve phone calls from the press, IT infrastructure going down, or even parts of the office becoming inaccessible. Throughout the test, you will need observers to document how your people react to different situations, the decisions they take and the impact they have.
You’ll also need a team of people who will play the roles of key individuals in the outside world, for example, a journalist calling for information. At the end of the test, you should analyze the results and report back to leadership to summarize what went well, what didn’t go well and what aspects of the strategy need to be amended.
The key benefits of crisis scenario testing are:
It gives the organization an opportunity to rehearse its response capabilities and builds confidence in people’s roles and responsibilities.
It gives the organization confidence that they will be able to deal with a crisis but also highlights areas for improvement.
The testing is realistic rather than theoretical. People will need to send emails and make phone calls as part of the test, all within a safe environment. This will bring the scenario to life and is more effective than just thinking about the tasks. For example, you might assume that to write a press release will take 10 minutes when in fact during the test it could take double that time.
If the response to the crisis involves teams in multiple locations around the world, it gives them a chance to work together and get to know each other. Crisis scenario testing is a fun exercise and a break from the norm.
The tests are performed in a safe environment because they highlight fictional problems; however, they will go a long way to preparing an organization to deal with a crisis effectively when it occurs.
In this blog, we covered crisis management, an essential part of safeguarding your organization against social media risk. Being prepared for a crisis will help you deal with it more effectively. On the flip side, not being prepared for a crisis could have devastating consequences for your organization.
We covered the four stages of the crisis lifecycle: preparation; assessment and analysis; response; and prevention. In the preparation stage, you consider what threats the organization might face and what measures you will implement in order to respond to a crisis if it materializes.
The severity of a crisis can increase or decrease, so by defining the different levels of crisis severity, you are able to implement response plans to deal with the crisis effectively regardless of how it develops.
Your crisis response strategy will have all of the tools and guidance that you need to deal with a crisis. Crisis response strategies need to be updated regularly as standard as well as after a crisis in order to tweak the strategy and help prevent future crises.
Finally, we covered crisis scenario testing – a key way to test your crisis strategy and an opportunity to identify and fix any issues within it. Running crisis scenarios helps bring the theory to life and will be a memorable experience for all of those involved, which in turn will help people to either prevent a crisis from happening or to respond appropriately if it does.