The 10 Steps of Crisis Prevention
By Jonathan Bernstein
In my 30+ years of experience, I have found that 95% of the organizations with which I have had substantial contact are either completely unprepared or seriously underprepared for crises — even the most predictable ones.
Many, to their credit, have what I call “operational response” plans for specific contingencies such as fires, earthquakes, tornadoes and other natural disasters. The “how do we protect everyone physically” kind of plans, which remain quite inadequate for the communications component of crisis management. And they fail to plan for the much wider range of crises, including strictly reputation-threatening crises, to which they are vulnerable.
Organizations in specific industries may have both fairly comprehensive operational and communications plans for certain scenarios — e.g., an active shooter on campus or in an office building — but they frequently don’t plan for the type of much more common crises that can be readily predicted. A college or university is considerably more likely to deal with improper sexual behavior than an active shooter, for example. I will continue to use colleges and universities as an example in this paper, but the principles apply to every type of organization.
How can any organization ensure a much-improved condition of crisis preparedness? Follow these 10 steps.
1. Reverse-engineer your industry’s crises
Do a deep Google dive into traditional and social media coverage about organizations in your industry, using relevant search terms. A college or university could search with terms such as:
“(college or university) crisis”
“(college or university) complaint”
“(college or university) disaster”
“(college or university) lawsuit”
“(college or university) death”
Then closely examine what has occurred at each organization involved and see what lessons you can learn from their challenges — it sure beats having to learn everything the hard way from your own crises!
To continue with the same example, here is a partial list of the types of crises to which virtually all colleges and universities are vulnerable:
Accidents resulting in injury or death
Activism – Internet or on-site
Compliance or Certification issues
Confidentiality breaches (e.g., student records)
Criminal behavior (non-violent)
Criminal behavior (violent)
Crisis-level issues at affiliated organization (e.g., university-owned business)
Disasters – natural or man-made
Investigations by local, state or national authorities
IT interruptions (due to viruses, hackers, hardware or software issues)
Labor & employment issues
Losses (partial or complete) of key facility (e.g., due to disaster, internal infrastructure failure)
Negligence – actual or alleged
Permit and regulatory violations – actual or alleged
Sexual impropriety – actual or alleged
Special event misbehaviors (e.g., fighting between fans)
Sudden management changes, voluntary or involuntary
Terrorism – direct or indirect impact
I refer to such lists, which I’ve prepared for many different industries, as “Oh sh**” lists because that’s often the reaction of the leadership team to seeing the potential crises all in one place like this.
2. Conduct a Vulnerability Audit
A Vulnerability Audit is a multi-disciplinary risk assessment to determine current and potential areas of operational weakness and strength, and potential solutions, because identified weaknesses may result in emergencies or crises of varying magnitudes if not corrected. Ideally, every functional area of an organization is examined to identify anything that could lead to a significant interruption in business and/or reputation damage. At Bernstein Crisis Management (BCM), we employ three different types of vulnerability audit:
Crisis Document Audit – a simple (typically three- to eight-hour) review of existing documents related to crisis preparedness and response, such as crisis communications plans, emergency response policies, disaster plans, etc. This audit includes creation of a written evaluation and recommendations for improvement.
Executive Session Vulnerability Audit – a one-day session (typically six to eight hours) in which your leadership team is led through a series of educational and thought-provoking discussions to uncover and begin to address organizational vulnerabilities that could escalate to crises. This audit includes a post-session written summary of findings and recommendations for improvement.
Comprehensive Vulnerability Audit – a series of interviews with employees at all levels of an organization, each conducted in complete confidence so the interviewee feels comfortable disclosing information he/she might not otherwise discuss. This is complemented by interviews with representative members of key external audiences, and concludes with preparation and presentation of a comprehensive audit report to the senior management team.
Vulnerability Audits are not just focused on potential disasters. Rather, the audits seek to identify threats to the organization that may arise during normal operations in addition to those resulting from extraordinary external events. For example, the process looks for poor communicators and their impact on the organization. There have been many human resources-related crises, critical instructions misunderstood (leading to crises), and significant amounts of business lost simply because individuals in certain key positions were poor communicators. They may have vast knowledge of their trade, but without the ability to communicate effectively, they damage themselves, others and the organization. Their behavior may not be actionable from a human resources viewpoint, but their “style” increases the organization’s vulnerability to crises. When such individuals are identified as potential instigators of crises, however unwittingly, senior management can quietly initiate steps to mitigate the situation before it becomes a bigger problem.
The vulnerability audit also identifies vulnerabilities in technology or other systems that are supposed to maintain or enhance communications. Are the phone, email, broadcast text and/or other systems adequate to manage increased traffic during crisis situations? Will they even survive such crises? Is the client organization prepared to rapidly put accurate information out via the Internet during crises, and to respond to Internet-based inquiries?
An effective analogy is the work of a fire inspector — if he/she is allowed to look in every room, behind every door, he/she can do the best-possible job of preventing fires or reducing the damage from unavoidable fires.
Here’s a handful of sample questions from a vulnerability audit:
If you lost your primary workplace overnight due to fire, flood or some other disaster, would all employees already know where to report tomorrow?
Do you have backups already identified for every vendor or contractor whose goods or services are critical to your operation?
Is there a 24/7 system by which any employee can notify senior management, for-the-record or anonymously, about a potential crisis?
Are employees allowed to move storage media, e.g., flash drives, disk drives, back and forth between home computers and work computers?
Do you have a document shredding policy, and do people actually follow it?
Do you have disaster drills at all of your locations at least once annually? Is attendance mandatory and enforced?
Is your organization particularly vulnerable to certain types of lawsuits?
Do all employees know what they are supposed to do if they are contacted by a reporter asking questions about your organization?
3. Engage in crisis planning and training
There are some in the PR field who are critical of crisis management plans which, they allege, just sit collecting dust on a shelf or reside in a computer file folder aging rather ungracefully. They are even more critical of plans which include procedures and draft messaging for a number of foreseeable potential crises, claiming that you can prepare for 20 crises and what happens is the 21st.
This is sometimes true. Heck, it is often true. But saying that planning is always useless because it never goes much beyond the plan creation stage is like saying a car is always useless until it’s actually owned by someone who has learned how to fuel it, care for it, and drive it.
The military says that no battle plan survives first contact with the enemy. That’s true. So why plan? To create a system for getting the needed resources – human or other – to the right place, for a specific purpose, as quickly as possible. That system, the plan and accompanying training, is designed to be as flexible as possible so it can be adapted “on the fly” to changing circumstances — to include the procedures and messaging. I’ve seen it done — frequently — and with great success.
The content of the plan evolves from the information you gathered in steps 1 and 2, above. It contains sections on operational response, communications response, and how the respective teams responsible for those two components will coordinate with each other. And it fully integrates the use of all media for communication — traditional and social, high-tech and low-tech.
Then training — for crisis managers that means anything from tabletop exercises to full-scale simulations — teaches trainees how to use the plan under a variety of circumstances, and refresher training helps lock in that knowledge. The same way a soldier has learned how to instinctively do the right thing from training and more training.
It also includes media and presentation training for those who are going to be on the public front lines, because crisis-related interviews and speeches have characteristics quite unlike a “friendly” exchange.
4. Collect Intelligence
Have you read any of the widespread criticism of the Obama Administration for failing to have adequate intelligence to prevent Benghazi? Or to anticipate how aggressive Putin would be? How many of those critics, even as members of the C-suite, ensure that their own organizations are collecting all the intelligence they need to prevent or minimize the risks of crises? Probably one percent. Competitor-related information gathering? Sure. But that’s not the same thing as looking for warning signs of trouble. And on the Internet, trouble can start with a single Tweet and grow into an international firestorm in minutes.
To optimize your intelligence gathering, you must:
Establish a framework/infrastructure for Internet-centered communication
Start by setting up your own social media accounts. If you want to know what your stakeholders think about you, your products and/or your services, social media provides them with a place to engage you (besides its many uses for proactive PR). You don’t need to be active on every single social media platform — pick two or three of the most popular amongst your stakeholders — but it’s still a good idea to have at least a basic profile fleshed out on others.
Get familiar with your tools
Find a social media dashboard that allows you to access every major service (at BCM we prefer HootSuite), and start exploring. See how conversations flow, and familiarize yourself with how to reply, both privately and in public, to others, as well as how functions like lists and targeted messaging work.
If you’re going to use social media for both personal and business purposes via the same device, we strongly recommend using two different programs or apps. Far too many crises have begun as a result of someone sending messages via the wrong profile!
Keep an ear to the ground
Searches are your friend when it comes to online reputation management.
You’ll want to establish searches for your company name, industry keywords, competitors’ names, hashtags you use, and any other relevant terms you come up with. Your social media suite should be able to display a constant stream of searches for mentions of your names or handles. Google Alerts is another fantastic, and free, tool that will cover mentions of any keywords you want from around the web. And if you really want to get serious, you can’t beat paid services (we use CustomScoop) for catching more mentions than free alerts typically provide.
Empower your employees
Each of us is the center of our own networks of hundreds or even thousands of contacts. Each of those networks provides valuable intelligence information that may be useful for crisis prevention or response.
Every employee is a public relations representative and crisis manager for the organization whether you want them to be or not. So why not ask them to keep an eye out for certain types of information that might be the heads-up you need to get out in front on a brewing crisis? And then provide them the mechanism for getting that information into the right hands, quickly.
5. Optimize physical systems for crisis prevention and response
A frequently overlooked aspect of crisis preparedness is ensuring physical systems — e.g., phone systems, websites — can withstand a huge increase in usage during a crisis. How do you feel when there’s been a threatening-sounding product recall and you can’t reach the manufacturer at all because its customer service system and website have crashed under the stress of too many hits? It exacerbates your concern and criticism, of course.
If you’ve engaged in the vulnerability audit process, you will have looked at all physical systems necessary to support crisis response to create contingency plans which will accommodate worst-case scenarios. In the case of a limited phone system, for example, you may have a call center with high capacity and advance training already pre-booked, and your main customer service number starts forwarding to the call center.
6. Make sure you can talk to each other during a crisis
This might seem pretty basic, but you might be surprised at how incredibly difficult it can be to reach someone’s landline or cellphone when everyone in your region is using the same providers because there’s just been an earthquake or other disaster. In the aftermath of 9/11, phone calls to/from New York City were damn near impossible, but text messages started trickling out within hours.
The lesson – some communications systems will work in a major crisis, some will not, so you have to be prepared for simultaneous use of multiple systems. Some of the active shooter situations at colleges and universities recently proved the value of that practice.
And for members of your primary crisis response team(s), going a step further and having good ol’ fashioned walkie talkies with a decent range — or satellite phones if your operations are widespread — is an investment worth making.
7. Create your crisis response teams by capability, not just by position
Not everyone is capable of carrying out certain elements of crisis response. John may be the best person to send into a heavily damaged building to assess damage, but he’d be the last person you want interviewed about it on camera. Sarah has the compassionate delivery and experience to be a highly credible on-camera spokesperson, but don’t ask her to write anything, because her written communications skills are nowhere near as good as her spoken ones.
Know your people and their skills specific to the operational and communications requirements of your crisis management plan.
8. Backup, backup, backup
The need to back up computerized data is well-recognized (even if sometimes inadequately performed). But you should also have backups for:
Every vendor or contractor whose services are critical to your operation
Every member of your crisis response teams
All of your primary methods of communication
All of your primary places for doing business
Any employee whose knowledge is critical to daily operation of your organization
If your staffing is thin, you may need to cross-train personnel to cover for each other if someone you need for crisis response simply isn’t available. It’s why SEAL and Special Forces personnel are always cross-trained in a specialty other than their own.
9. Ensure that all employees’ crisis-related knowledge and skills remain current
If you are trained in any unfamiliar subject and then don’t have to use it for a year, will you remember it? Unlikely. Human Resources can and should often take the lead in ensuring that all employees regularly (I advise four times annually) receive some refresher training in crisis prevention and response appropriate to their position. It can be as simple as sitting down and going over the main lessons learned from the training that was conducted after a crisis management plan was created.
10. Regroup regularly to reverse-engineer, self-audit and adapt plans accordingly
Don’t outgrow your planning or training. No organization is static. Changes in products and services are inevitable. Personnel turnover is routine. Organizations expand and contract. Crises test your response systems and sometimes find them wanting.
Core personnel responsible for the organization’s crisis management program should regroup regularly to look at all these factors, and any others that might merit a change in plans and/or training.