Top five reasons companies don't prepare for crises
Over 50% of 850 company directors surveyed by AICD in June 2022 said their organisation had NO formal cybersecurity risk management framework or strategy in place. Additionally, 68% of small businesses have no specific cyber insurance in place, and 80% of SMEs know they should be doing more to train their staff in risk management and crisis planning.
Now cybersecurity is not a new problem and neither is it simply an IT issue. Targeted corporate cyber attacks have been notable problems since the mid-2000s and earlier, and the impacts can be felt across organisations and their wider stakeholder networks. So, why do many Aussie directors and SME operators still fail to develop a risk management process, particularly for cyber-risk, and neglect business continuity plans?
I recently consulted my key crisis management peers to uncover the main reasons they hear when companies decline to rehearse and train their staff for risk management threats and cybersecurity risks. Here's a recap of the most common excuses given:
1. Cost: Crisis management training is perceived to be expensive, especially when there's no understanding of the true, full cost of crises on unprepared organisations. Some operators are reluctant to allocate resources for what they mistakenly believe is an unnecessary expense, and which they fear may not provide an immediate return on investment. This overlooks how a little investment today can avert the worst consequences of enterprise risk management lapses tomorrow.
2. Overconfidence: Some directors and executives hope that crises will not happen to their business and that, even if one did, they have good people who could probably handle the likely impacts. However, such cockiness often leads to complacency, the disempowerment of staff and the elevation of gambling as a risk management tool.
3. Other priorities: With many businesses driven to make up for Covid and other downturn losses, financial and operating performance seems to have become a focus for corporate training. Despite knowing cyber and crisis training is critical, job-specific, productivity-specific or staff-support training may currently be taking precedence over risk and business continuity planning activities.
4. Remote scheduling: With 'Working From Home' becoming an accepted work mode, many organisations may struggle to schedule crisis training sessions for their employees, particularly if the workforce is big and dispersed. However, the flexibility afforded to WFH staff actually presents new problems should staff have to respond to crises remotely, and these new challenges have to be prepared for and, ideally, practised.
5. Bad publicity: 'Ostrich' directors view business risk management or crisis simulations as a covert admission of unprofessionalism or weakness. Equally, few organisations are proud to talk up their crisis planning initiatives for fear it might cast them in a bad light and, if reported by media, could signal some corporate ineptitude. In truth, stakeholders could be reassured knowing that brand A was preparing for crises, yet brand B was not; but that's not a narrative companies are yet happy to talk about, far less talk up.
CONCLUSION: Patently, the issues, risks and threats that catalyse crises are on the rise. Cyber-related attacks have recently infiltrated tech-savvy brands like Latitude, Medibank, Optus, Twitter and WhatsApp. Obviously, then, many lesser-prepared companies and government agencies need to do more crisis planning and risk management assessments, to be equipped to handle cyber attacks and other crisis risks.
Fundamentally, the goal of good risk management is to anticipate and prepare for threats, and to get staff drilled in how to handle any adverse impacts. Yes, planning and preparation come at a cost, but this is an investment in defending your company and its assets against the wide-ranging ravages of crises. By taking crisis preparation seriously, entities can build a risk process plus employee resilience that paves the way for business continuity and continued survival, even after the storms of a crisis have passed over.