A Crisis Response Framework:
Strategies for Effective Leadership
Mary E. Galligan
Director
Deloitte & Touche LLP
August 4, 2015
Managing a crisis
Copyright © 2015 Deloitte Development LLC. All rights reserved.
A crisis is…
“… a major catastrophic event, or a series of
escalating events, that threatens an organization’s
strategic objectives, reputation, or viability.
Crises typically exceed existing mitigation techniques and risk
management programs such as Business Continuity, Disaster Recovery,
Health and Safety plans, or Emergency Response.”
Copyright © 2015 Deloitte Development LLC. All rights reserved.
Crisis management in today’s world.
Papal Audience
2005 vs. 2013
Crisis response framework
Copyright © 2015 Deloitte Development LLC. All rights reserved.
Important to include cyber risks and other non-traditional crisis risks
Crisis Management Program coverage
Crisis Management Program Coverage
PandemicLabor
Issues/
Strikes
Ineffective
Crisis
Messaging
EarthquakeTerrorism
Inability to
provide
services
Active
shooter
Tornado
CrimeTheft
Fire
FloodEbola
Loss of
critical
data
Agency
data
Breach
Extended
Government
closure
Citizen
information
leakage
Cyber
attack
Data
privacy
Lost
LaptopsInsider
Threat Citizen
Trust
Sudden
increase
In costs
Safeguarding
citizens
Lack of
Data
Integrity
Cyber risks are an
important crisis risk to
invest in “covering”
Important to expand crisis risk
coverage beyond people, place
and technology
Today’s Crisis Management
Program
Important to have a “big umbrella”
Copyright © 2015 Deloitte Development LLC. All rights reserved.
Eleven elements needed to establish and sustain a program
Comprehensive crisis management program
Using tools to support the organization’s overall crisis management response
Governance
Organizational Structure Thresholds
Crisis Leadership Skills
Roles & ResponsibilitiesCurrent
Response Plans
LeadersManagement
Plans
Training and development
Technology
Logistics
Operating principals during a
crisis
Copyright © 2015 Deloitte Development LLC. All rights reserved.
Operating principles for managing a crisis.
1
2
3
4
5
Lead decisively
Continually frame the crisis
Actively communicate
Be ready for the unexpected
Drive towards
actionable
intelligence
Copyright © 2015 Deloitte Development LLC. All rights reserved.
Leaders set the tone
Copyright © 2015 Deloitte Development LLC. All rights reserved.
1. Lead decisively
• Act – taking no action is making a decision
• Always keep in mind your goals and objectives
• Focus on what you can control; accept what you cannot
• Avoid analysis paralysis – you will never have all the information
• Establish a clear, ongoing decision-making process
• Prioritize decisions based on their crisis impact
• Manage incidents locally, and crises as enterprise-wide
In a crisis, don't hide behind anything or anybody.
They're going to find you anyway.
- Paul “Bear” Bryant
Copyright © 2015 Deloitte Development LLC. All rights reserved.
2. Continually frame the crisis
• Quickly diagnose the crisis with the available information
• Think ahead – anticipate how the crisis might progress
• Reassess everyday – do not fall in love with the plan
• Do not let the incidents distract you from the crisis
It's a crisis if everybody calls it a crisis.
- Morgan Downey, Lasalle Global
(quote from Credit Crisis of 2007)
Copyright © 2015 Deloitte Development LLC. All rights reserved.
Communicating in the age of social media
Crash of Asiana Flight 214 at SFO 7/6/13
Timeline of Events – 6 July 2013
11.27am: Plane makes impact at SFO
11.28am: First photo from a Google employee boarding
another flight hits Twitter (within 30 secs!)
11.30am: Emergency slides deployed
11.45am: First photo from a passenger posted on Path,
Facebook and Twitter, re-tweeted by 32,603 users
11.56am: Norwegian journalists asks for permission to use
photo from first tweets. Several media requests follow
1.20pm: Boeing issues statement via Twitter
2.04pm: SFO Fire Department speaks to the press for first
time
3.00pm: NTSB holds press conference, and keeps
updating Twitter with photos
3.39pm: Asiana Airlines first statement released
3.40pm: White House releases statement
8.43pm: First Asiana Press release (6.43am Korea time)
The first tweet, posted within
30 seconds of impact.
Copyright © 2015 Deloitte Development LLC. All rights reserved.
3. Actively communicate
• Own the story, don’t let the media tell it for you
• Be candid – communicate with honesty and personal commitment
• Convey consistent messages internally and externally
• Back your words with actions
• Control the narrative – communicate on a regular cadence
• Choose wisely who speaks – they will be the face of the organization
We get far more credit than we deserve when things go right
and too much blame when they don’t.
- Mel Karmizan, Former Viacom President
Copyright © 2015 Deloitte Development LLC. All rights reserved.
4. Be ready for the unexpected
• Know that individuals may act differently under extreme pressure
• Realize that normal organizational roles may not apply to a crisis
• Avoid relying on a single person for successful navigation in a
crisis
• Anticipate when and how external parties may steer the crisis
• Recognize your limitations – a crisis can test everyone’s
breaking point
• Prepare to work with limited (or no) technology / information
If anything can go wrong, it will
- Capt. Edward A. Murphy (“Murphy’s Law”)
Copyright © 2015 Deloitte Development LLC. All rights reserved.
5. Drive towards actionable intelligence
• Beware of confusing data and intelligence
• Focus on who needs to know what and by when
• Cast a wide net – important information can come from
anywhere
• Qualify your sources – misinformation is as prevalent as
information
• Recognize you will never have all the information
• Ramp up your ability to process data – do not let it bury you
• Record what you knew at the time of the decision
True genius resides in the capacity for evaluation of
uncertain, hazardous, and conflicting information.
- Winston Churchill
Copyright © 2015 Deloitte Development LLC. All rights reserved.
Chaos framework
Question and answer
Copyright © 2015 Deloitte Development LLC. All rights reserved.
Mary E. Galligan
Director, Cyber Risk Services
Deloitte & Touche LLP
Contact info
Copyright © 2015 Deloitte Development LLC. All rights reserved.
This presentation contains general information only and Deloitte is not, by means of this presentation,
rendering accounting, business, financial, investment, legal, tax, or other professional advice or
services. This presentation is not a substitute for such professional advice or services, nor should it be
used as a basis for any decision or action that may affect your business. Before making any decision
or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities.
DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see
www.deloitte.com/about for a detailed description of DTTL and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte
LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
Copyright © 2015 Deloitte Development LLC. All rights reserved.
36 USC 220506
Member of Deloitte Touche Tohmatsu Limited