Crisis Remediation: Are You Prepared?February 8, 2018
By David Peterson
A robber sticks a gun in the face of a new teller and demands money. A water pipe bursts in your data center directly above the server farm. The CFO is arrested for defalcation. A woman slips and falls at a bank-sponsored event. All these scenarios could be considered a “crisis,” but they are not equal from a crisis response perspective.
Your response should appropriately reflect the level of crisis.
The dictionary defines a crisis as “a time of intense difficulty, trouble, or danger,” and “a time when a difficult or important decision must be made.” According to M.W. Seeger and T.L. Sellnow, the three primary characteristics of a crisis are that it:
- Is unexpected (i.e., a surprise)
- Creates uncertainty
- Is seen as a threat to important goals
All financial institutions are required to have disaster recovery and business continuity plans in place.
And, hopefully, these are tested periodically throughout the year. But these plans tend to be focused on large external crises (such as a hurricane, flood, or tornado). Has your organization spent any meaningful time brainstorming the types of crisis events listed in the first paragraph? Not as likely.
One exception is the robbery, an event included in the initial training and annual updates for all frontline staff. Yet a robbery represents the very type of crisis that, although “expected,” tends to yield unexpected reactions from staff who cannot adequately prepare for a true robbery event. What a difference for an employee sitting in a training room watching a video vs. standing behind the teller line facing a loaded gun.
Can watching robbery training videos train employees to respond instead of react?
In order to determine the appropriate response to a crisis, you must identify whether immediate action is required to remediate the effects of the crisis.
There is no time for a teller facing a gun to access the employee handbook on how to respond to a robbery. Likewise, in the case of a burst water pipe, shutting off the water supply as quickly as possible will likely mitigate the negative effect of the water pouring into computer equipment.
So, two key elements in crisis mitigation are:
- Anticipating the types of crises likely to occur.
- Brainstorming how to remediate those crises.
This expands the advanced thinking on potential crises beyond robbery training to include burst pipes, kids pulling out computer power cords, or a zombie apocalypse. (Okay, a real zombie apocalypse is extremely unlikely. But if you did brainstorm how to mitigate one, the resulting mitigation and communication strategies would be just as effective against a riot or epidemic infectious disease.)
By spending hours in thought considering the unthinkable, you prepare your institution to address situations that require decisions to be made in minutes or even seconds.
A good friend of mine runs a large IT department for a city government. His organization had an incident where, indeed, a pipe burst directly over a large server farm. It took over 15 minutes to get the water turned off, creating significant damage. Turns out, he was unaware of that water pipe, which was covered by ceiling tiles and not listed on versions of the building plans he had.
When that organization moved into a new building, he ensured there were no water pipes running overhead in the data center, period. He also created emergency shut-off plans for the water in zones where there could be even incidental damage due to a pipe breaking. Think about this: do you know whether you have properly identified all the pipes that could break and cause water to pour into your data center? And do you have emergency cutoff switches that can be accessed in seconds during a crisis?
By doing advanced brainstorming of potential disaster events, we can remove the unexpected characteristic of a crisis.
If we are planning for it—thinking about how we might handle this situation or that likelihood, coming up with remediation options and effective communication plans—then, when a crisis hits, it is not unexpected. The team can move quickly to implement the remediation plan.
Proficiency in communication forms an integral part of any remediation effort.
Suppose you have thoroughly brainstormed the potential disasters that could negatively affect your server farm, and instructed all of the relevant IT staff on remediation efforts. Then, one day, a pipe bursts, and water is pouring over the servers. However, none of the IT staff is immediately in the area. A company courier is standing nearby, but you failed to include that individual in your remediation plans. Since the courier is unaware of the cutoff switch and does not have a procedure to access the computer area in an emergency, water continues to pour in on exposed equipment. Not training the entire organization on remediation of crises is a gross error but one that is easily fixed.
The outcome of your crisis remediation brainstorming should include a series of if-then statements.
If this situation occurs, then we will take the following action. This can be broken into sections covering the major areas of the institution, (i.e., operations, lending, lobby, etc.). At times such as company-wide meetings, you can go over a couple of scenarios and remind the entire enterprise about remediation plans for a particular crisis.
Turn it into a game and periodically send out a crisis scenario. Invite everyone to offer his or her proposed solution. It can be easily done using an online survey tool or your existing intranet. Answers could be via a multiple-choice list or short answer comments. The advantage to short answer questions is that you may harvest new ideas for remediation to augment your existing plan. In either case, pushing staff to think about crisis remediation on a monthly basis instead of once per year will likely yield employees who are more prepared to effectively deal with a crisis situation, even an event that was not on your remediation brainstorming list.
As a senior executive, consider some other areas in which you likely need to be more prepared.
Patrick Dix, a senior member of the Shazam Speakers Bureau, recently provided banking executives some examples of crises that generally result in a TV reporter sticking a microphone in the face of a bank executive exiting the building. It is likely that most bankers, including CEOs, have little experience dealing with the press, especially TV, in a crisis situation.
Take the aforementioned CFO defalcation event. It certainly would not be a surprise for a TV crew to want to ambush the bank CEO for comment. Caught off guard, the CEO makes a statement that is taken out of context and damages the institution’s reputation. Or worse, the CEO reacts instead of responds and leaves the impression that there is “something to hide.”
Following Mr. Dix’s presentation, Tim Jones, the president of my bank, Citizens Community Bank in Valdosta, Georgia, shared with me that during the presentation his thoughts turned to exactly how he would react in that situation. He further stated that he planned to take Mr. Dix’s advice to plan and train, in advance, for that very situation.
That is what we need: senior executives that take planning seriously and place themselves and their institutions in a position to successfully remediate crises as they occur. The ability of leadership to appropriately respond rather than react to situations and the resulting communication to all the stakeholders in a crisis is crucial. What are you specifically doing to brainstorm potential outcomes and implement ongoing training for your staff to be ready to appropriately respond at the moment decisive action is required? Your leadership will make the difference.
David Peterson is chief strategic officer at i7strategies, a consulting and strategic planning firm specializing in financial institutions and the companies that serve them.