It’s Time for Corporate America To Get Prepared for the Next Crisis

Is corporate America ready for the next round of crises - whether related to terrorism, scandal, or plain old natural disasters?

It's a simple question, and the answer is clear as mud.

Depending on which statistics, polls and reports you believe, America's business leaders are:

a) Taking to heart the need to be prepared

b) Talking a good game, but lagging in terms of real action steps

c) Pigeon-holing crisis preparedness far too low in their organizations

d) All of the above.

Everyone agrees - it's time to get prepared.

By almost any standard, more American companies have taken to heart the need to have crisis management plans (which, for our purposes, include: disaster, business continuity,
emergency management, data and physical security plans). The American Management Association reported last month that 64% of 146 companies interviewed have crisis plans in place,
up from 49% in 2002. The number reporting designation of crisis teams, and conducting emergency drills, was also up. Smaller and mid-size businesses are also taking steps.
According to a Hartford Financial Services Group study, 97% report having one type of "emergency plan" in place.

But, it seems companies are still just talking the talk.

A disturbing number of companies are still taking the narrowest possible view of "crisis." That is, something that can be planned for based on last year's problems, that fails
to take into account the randomness of today's crises and that can only be justified on traditional cost-benefit criteria.

Even on the front lines of corporate security, "complacency rules," according to a June 2003 survey by Security Director's Report:

  • 66% say their company is unprepared for a chemical or biological attack
  • 55% do not have backup facilities at other sites
  • Barely half conduct emergency drills
  • 29% allow unsecured visitors (even now, post 9-11)

"People are making decisions on profit and loss, not safety," Kroll CEO Michael Cherkasky told USA Today. And that, according to an extensive new study at USC, is a perfect
example of applying yesterday's thinking to the reality of today's crises - which are random, often evil and cannot be based on the kind of incident that has already struck the
company (see Mitroff and Alpaslan, "Preparing for Evil," Harvard Business Review 109, April 2003).

Crisis-prepared companies, say the authors, stay in business longer and enjoy better reputations in the long term -- facts which, if taken to heart, might trump the
short-sighted thinking that crisis is a P&L decision, rather than the long-term investment it truly is.

In too many companies, crisis management resides in Geekville.

The good news is that so many companies have sophisticated IT managers who are not shy about alerting senior management to real risks in data security that could harm
operations, customers, or long-term viability. The bad news is they get stuck with a disproportionate share of the crisis work, whose importance never seems to bubble up to the
C-suite.

The vulnerability of our vast storehouses of data has been highlighted in recent months by the blackout in the eastern states, the increasing number of virus
attacks, and other headline-grabbing incidents. The attacks of September 11 had the effect of immediately prompting large numbers of IT directors to create disaster recovery
plans, according to VERITAS Software. Yet, in 76% of the companies surveyed, the decision-making process for all of disaster recovery remained with IT, "despite the potential
impact to the entire business," according to VERITAS.

The VERITAS study paints a picture of data managers who have neither the breadth of responsibility nor the purse to adequately prepare their companies for the threats they
perceive (data loss, decreased productivity, damage to customer relationships, and reduction in profits) and yet have the lion's share of the crisis mandate.

So what does it all mean?

There are a host of other disappointments to be found in this mixed bag of recent research: most companies are still not testing their plans, not extending home office crisis
plans to the field, not covering data in the desktop or laptop environments. But these are microcosms of the larger problem: corporate America's commitment to crisis
preparedness, especially in the un-sexy world of follow-through and detail, is lacking.

The hard economic consequences of this unacceptable level of risk-taking are documented, as are the reputational ones. In an era of increased expectations in the area of
corporate responsibility, a broader view of the realities of the globalized world in which we work -- and evidence that our worst nightmares can come true -- it's truly
unacceptable that our national picture of crisis preparedness isn't clearer and in sharper contrast to the state of corporate vulnerability frozen in time on September 11,
2001.

Contact: Larry Kamer, president of Kamer Consulting Group LLC, can be reached at 510.644.3500.