Reputational risk has been sharpened by social media, making crisis response even more vital. David Benyon reports
Crises used to be relatively straightforward to manage. Social media have revolutionised things. Mismanaged, a crisis response can snowball into a much bigger threat than whatever event it was that initially triggered it.
Social media are credited as a wonderful tool for communicating directly with customers and the wider consuming public.
But they are also perhaps the most dangerous crisis catalyst, virally propagating an event’s fallout, giving word of mouth global proportions, taking a crisis and giving it the potential to multiply into an uncontrollable epidemic.
A poor response to a crisis can send a company reputation, brand value and share price tumbling as quickly as a newsfeed fills up with tweets or posts.
On the other hand, getting crisis management right via social media can demonstrate a company has its house in order, can respond to criticism, and listens to consumers.
In the previous century, if a company or one of its employees did something malevolent or foolish, the company could take stock, consider, and respond: either proactively once a problem was identified in-house; or reactively once it was realised that word had gotten out.
Even then, the effects could be dampened: TV and radio news were broadcast at an appointed hour by a handful of outlets; the print press worked at plodding speed; a limited pool of journalists could be fed carefully scripted lines; and ordinary consumers were for the most part passive listeners – rather than amateur hacks, bloggers and online activists.
“Now, the minute you hear about a disaster, it’s possible the whole world has heard too,” warns Julia Graham, Airmic’s deputy CEO, who also works as risk management and insurance director for global law firm DLA Piper.
“Fitness levels need to be much higher than in the past,” she says.
The democratising power of social media has shifted the balance of power towards consumers. Helen Wright, associate at Lysander PR and a former journalist, says: “There has been a seismic shift in the control of communication from media hubs towards individuals, spreading this once fairly-centralised power far and wide, adding extra layers of commentary and allowing opinion to spread rapidly and organically through different interlinked networks.”
In early March, Airmic came out with guidance for risk professionals on crisis management in the social media age, echoing such sentiments. “We chose this subject because we could see the continued attempts by organisations to respond to crises, but not always making good job of it,” explains Graham.
“We’re in a fast-moving, complex, connected world. That speed and connectedness is increasing all the time, and organisations need to be in high state of readiness for crisis. This risk never goes away; they’re either going through a problem or waiting for it to happen,” she says.
Airmic’s advice includes making social media a key pillar of the corporate communications strategy and ensuring that there is a dedicated social media monitoring team. This team should be alert to and ring the alarm bell about specific operationally significant developments, Airmic suggested, as well as taking and retaking the temperature of broader social sentiment.
Social media crises can be thought about as having two phases, according to Airmic’s guide. The first phase involves an initial spike of activity – a wave of angry, incessant social media chatter, misinformation and finger-pointing. This phase might last 12-36 hours, according to Airmic.
The initial spike is followed by a second phase, “the long tail”, which lasts perhaps two weeks to a month, by Airmic’s estimate. It is in this period that journalists begin to write in greater detail on the topic, further fuelling the social media buzz. This phase is less hectic in terms of numbers of tweets or posts, but includes greater interest in the company involved, and heightened sensitivity about the issues at stake.
Plan for the worst
Preparing an effective response to a social media crisis can begin long before an event takes place. Planning for the future might make for less of a scramble if and when the worst happens.
“We try to have an overall policy rather than planning for individual scenarios, because you can guarantee that the one thing that happens is the thing you didn’t plan for,” says Michael Lewis, resilience manager at Canary Wharf Management.
“We use a communications consultancy during a crisis, and they are involved with us in our planning stages as well. If you work out what works in peace time, you’ll be better able to respond,” he says.
The composition of a crisis management team can vary with the scenario, Graham suggests, with social media management just one element. “You pick your team depending on the nature of the incident. Like a football team, you pick the squad and substitutes to draft in depending on the ground, opposition and fitness,” says Graham.
“You can’t start picking that squad from scratch after an event has happened. The practice we condone is that the organisation ought to have a pool of response-ready people who can come together depending on the scale and nature of the incident,” she continues.
She thinks internal and external communications teams are at the core, with close liaison with legal advisors. Other important input can come from internal and external technology specialists, the chief information officer, chief information security officer, business continuity, and human resources management.
“Human resources issues should be considered because it could be something that affects the wellbeing of your people. Social media issues can be psychologically challenging, so your team should almost reflect the senior managers reporting to the C-suite,” says Graham.
She thinks the risk manager’s role is primarily to act as a facilitator, helping to coordinate efforts, and avoid inefficiency and duplication.
“My role as a risk manager has included crisis management. The risk manager may be the facilitator of the team,” says Graham.
“You should also talk to the insurance team, too. A lot of insurance spending is there to help recover from a crisis. For example, if the crisis has come out of a cyber risk, such as a data breach, it will probably include responders. You don’t want to be in a situation where, for example, IT brings in one group and business continuity management brings in another group,” she adds.
Lewis’s organisation is responsible for security operations on the Canary Wharf estate, a major financial centre as well as a retail hub, which he describes as being “like a mini-city”, with a working population of 120,000, plus around 40,000 additional daily visitors. The estate’s many financial and corporate tenants are responsible for their own crisis management teams.
He works with a core team of about a dozen people. “As an incident management team or crisis communications team we exercise frequently with the press office and communications team, running frequent exercises that we have either constructed ourselves or by looking at incidents that have occurred elsewhere,” Lewis says.
The wider team can include people dealing with consumers face to face. “Our public-facing element consists of 450 security officers on shifts of 120 on any given day,” says Lewis.
“We train them in communicating with the public and staying on message. Members of the public posting on social media are interacting with those people on the ground, so it’s important they understand why they’re doing this, and we’re not just giving them lines to take.”
He lists some crisis scenarios for which his organisation has trained, including a plane crash, a fatality on a construction site, a suspect package to be dealt with by police and explosive ordnance disposal, a protest spiralling into a riot, and a roving terrorism threat. The most recent exercise took the recent Westminster Bridge roving terror attack as the basis for the scenario.
“We run an annual exercise for tenants on the estate, which is the largest business continuity exercise in the UK,” Lewis says. “As part of the exercise we like to build in social media aspects that the security and crisis management teams from across the estate would expect to see.”
For the most recent exercise, social media buzz was incorporated from recent Westminster and London Bridge attacks, as well as a false alarm at Oxford Circus London Underground station.
“Building situational awareness is a double-edged sword; social media can be very informative but there is a lot of noise to cut through,” says Lewis. “Twitter can be very useful for initial reporting, but it quickly becomes cluttered to get at the relevant information.”
It is important to initially show that the company is at least aware of the situation. “It depends on circumstances, but we’d look to own the space early on with some form of holding message,” says Lewis.
He emphasises the importance of using reliable sources when putting information out. “Primarily our response is reactive to either questions or requests for statements,” says Lewis. “One of the biggest challenges is not wanting to post anything that is unverified. On Twitter, for example, we would use the authorities as a lead.”
This can benefit the reputation of the organisation online. “What we’ve seen is that if you own the space early on, provide reliable messages, and people see you as a reliable source, they will look to you when other incidents take place,” says Lewis.
Social media can be used to correspond with individuals, answering some questions as they arise.
“We haven’t pushed too much direct messaging from social media handles to organisations, but that is something that businesses could look to do more of, to get teams responding to difficult questions,” says Lewis.
Outside advisors exist to help companies run online crisis management rehearsals as desktop exercises, much as firms might for other resilience and business continuity planning scenarios.
“Organisations are generally much better rehearsed at dealing with a fire or a flood,” says Graham. “Research I’ve read says people are getting better but not as fit as they should be. Too many are not running rehearsals. At end of a rehearsal you know what worked well and what didn’t, and who is right for the team.”
One advisory firm, Social Simulator, worked with the team at Canary Wharf on the online and social media aspects of its annual resilience training exercises. The firm uses a desktop hub for a communications team to roleplay social media, complete with a newsfeed, journalists’ stories, a mock-up of the company website and a share price tracker.
“The focus is on establishing real-time situational awareness,” says Chris Malpass, executive director of Social Simulator. “We try to bring the scenario to life and harness social media in the event of a crisis. It’s a means of equipping senior decision-makers with the information they need to take decisions. Rather than thinking ‘what should we be saying on Twitter’, it’s about how to utilise those channels to make sure that we’re basing judgments on sound information.”
Cyber risk scenarios are the most in-demand with clients, Malpass says, representing about 60% of the company’s exercise trainings. The industries he works with most often are financial services, the energy sector, and the aviation industry.
“They’ve either had a real-world issue that’s front of mind for them, or another entity in their sector has experienced a problem, and they’re worried about it coming around to them,” he says.
“Typically, we work with one or a combination of the following teams: senior crisis management decision makers, communications, legal, finance, human resources, risk management, business continuity and resilience.”
Push the button
In dealing with the initial phase of a social media crisis, Graham notes that organisations can be slowed down by the usual chains of command. “Crises are no respecter of availability and disasters never happen when you want them to happen. The experts you need are rarely going to be where you want them when something goes wrong,” she says.
“So that means your response can’t be hierarchical. You can’t have people waiting around for somebody to push the button. The team need to know that they might get a call from you, but equally they might need to call you and pull the trigger themselves,” she says.
Age and seniority doesn’t come into it, and quite often the person that presses the button is a junior member of the team. If they’re properly trained, I would sooner have somebody people overreact than underreact, so long as they don’t cry wolf too often,” Graham adds.
Liability concerns can bog down a response to a social media crisis, Lewis thinks. “Organisations can be hesitant when owning the social media communications space due to liability issues. That can hold organisations back, making them slow to respond. They’re concerned with the regular courts as well as the court of public opinion,” he says.
“You need to make sure that your decisions and whatever you say can be justified. If you can demonstrate the logic behind your thought process, then you should be okay,” Lewis adds.
CEO risk
Events this year have demonstrated that even social media giants can be slow to respond. Mark Zuckerberg took five days to reply to allegations that Facebook had inappropriately allowed 50m users’ data to be shared with Cambridge Analytica (CA), a firm which worked on Donald Trump’s 2016 US election campaign. “Facebook didn’t say anything for several days, and meanwhile the share price fell rapidly,” notes Lewis.
Facebook’s CEO had previously talked down suggestions that “fake news” – political stories with dubious reliability and origin, bought as advertisements – had influenced the US election. The CA story followed news that 150m Facebook users had been exposed to free posts propagated by Russian sources, trolls and bots, believed by US intelligence sources of trying to influence the election.
Not showing leadership can contribute to a vacuum. “You need to react,” says Graham. “You absolutely can’t have people saying it will wait until Monday, as we’ve seen with the Cambridge Analytics issue. If you don’t know the answer have to say so, but you can’t just run away and hide. Even if you don’t know the answers, what you say has to be plausible and true. The worst possible thing is to wing it.”
Putting a CEO in front of cameras has risks. Letting a gaffe-prone or underprepared boss make public statements without adequate media training or communications supervision might prolong or exacerbate a crisis. “Otherwise great leadership from a CEO is often not same when you have a crisis,” notes Graham.
Take the example of former BP chief executive Tony Hayward, which has stuck in popular memory. Three weeks after the Deepwater Horizon oil rig explosion on 20 April 2010, under fire BP boss Hayward had commented that the spill was “relatively tiny” compared with the “very big ocean”.
Other incendiary comments from Hayward followed, including that the environmental impact in the Gulf of Mexico would be “very, very modest”, and in reply to intense media scrutiny of the catastrophe: “You know, I’d like my life back.”
His words were shared around the internet and social media cauldron, stirring outrage that went on and on. To quote a New York times article from 3 June 2010, Hayward had become “a day-after-day reminder of BP’s public relations missteps”. Despite stepping back to allow others take the lead, the damage was done. The following month it was announced Hayward would be replaced as the energy firm’s chief executive that October.
Lewis agrees that it is can be counterproductive to shove the chief executive into the limelight, depending on the situation and the individual. “Sometimes the CEO not the right person for that role at that particular moment. It could be that somebody else is better suited. It’s a difficult balance to manage those decisions, certainly,” he says.
For many senior decisionmakers, preparing for the worst now is seen as the best way to get an edge in having the right plans, teams, and processes in place before a crisis takes hold.
Malpass says: “Clearly, you’d rather avoid a crisis altogether, but if you can demonstrate it can be managed well, then it can be an opportunity to demonstrate to customers and staff that you’re a good quality organisation.”
No comments yet