30 May 2017

CAN YOU HANDLE THE CRISIS? (or how to win at incident response...)

As they have all been recent headline fodder, I'm sure you'll be familiar with the most recent incidents and data breaches... Most recently, we’ve had Chipotle restaurants, in 2016, we saw that famously mishandled TalkTalk hack, and only a few days ago, the IT incident at British Airways that left hundreds of people in the lurch over the bank holiday weekend... And these are only a few... Invariably, the fallout of a breach means that individuals will be affected, to varying degrees, depending of the severity of the event.
What always amazes me is the wide disparity in business attitudes when faced with such a crisis, and how organisations will handle communications, internal or external, if at all...
So let’s look at the real victims here: the customers, the partners, the employees and potentially anyone that has a connection with the organisation. They may have had their business or personal information stolen and were potentially the targets (at best) or victims (at worst) of scams, fraud, or disruption. Or they might be at some point in the future. What will be done for them and what advice and help will be given? Time always tells.And even if information is not at risk or stolen, the potential reputational damage to a breached organisation can be vast and have serious business implications...
In the meantime, let’s look again on the positive aspects of fully and effectively communicating important information to the public in the event of a crisis (and that’s for any crisis, not just data breaches).

In the 21st Century, social media brings a new dimension to crisis communications: SPEED.
One of my older posts highlighted how to prepare for traditional media (training, mock interviews and press conferences, prepared statement structure, do's and don'ts, etc.).
With social media and modern working practices, time is of the essence in crisis management: the first 24 hours are crucial. This is when people will cast out their digital nets and frantically search for information, whatever the sources. At this stage, the reliability of the sources is less important than their ability to disclose information at speed and many will speculate widely, until the authorised/ official/ recognised/ trusted/ influential sources have performed their validation activity and issued balanced statements. This usually happens within 24 hours and twitter is usually the means of disclosure and everyone will jump on the bandwagon with whatever axe they have to grind against the particular topic, organisation or industry sector...
Let’s face it: it is not Sky News’s job (or any media outlet’s) to handle YOUR customer communications... Customers won’t thank you for that. NEVER EVER. In fact, if you’re not on top of it, they will be very willing to talk to the press and tell them how bad you have been at communicating.
And that my friends, is a failure of your own, at best non-rehearsed, at worst non-existent, INCIDENT RESPONSE PLAN.
But let’s assume for a second, whilst we all know this is rarely true, that an established and a tested incident response plan and adequate processes are in place (if not, see my previous posts on the subject, here and here).
Therefore, the first thing to realise is that you need to be prepared: THE INTERNET DOES NOT WAIT FOR YOUR CEO TO RESPOND, the news will spread with or without your involvement, but you still have a chance to take control of the conversation.
So assuming incident response is already well established in your organisation and that you have the right team in place (e.g. Legal, HR, PR, Communications, IT, etc.), you are in good shape as you have most of the technical and procedural building blocks in place.
One easy block to add (now!) is a web page dedicated to a potential crisis/ incident/ breach. Having this prepared with an easy structure to follow will enable you to control the flow of information very quickly. Since I wrote my original post five years ago, I have noticed that many organisations have tried to implement this. The structure of your crisis communication web page should follow what I call THE THREE “As” OF SPEED and it should include the following sections:


This early, you may not know much, but you could look at:
What happened? What’s involved? Who attacked you?
Why did it happen?
When did it happen?
How did it happen?
How widespread?
What/ who does it affect?
Was personal/ sensitive information exposed?
How did you find out?
How are you going to compensate those affected?
Of course, there will be instances where you cannot divulge much of the details (e.g. in the case of a hack. if law enforcement is involved and investigations are on-going), but don't let this distract you from the fact that you have to acknowledge something, even if you cannot share details. The result of no acknowledgement will be inflated speculation, which must be avoided or at least minimised.
And in fact, it reminds me of this very well known quote from Winston Churchill:
"A lie gets half way around the world before the truth has a chance to get its pants on".
And let's not forget, it's not just speculation you have to worry about, but also, depending on what type of organisation you are, controversy, misinformation and disinformation (and we can talk about fake news at length, but that would make this post far too long...).

    All too often, organisations do not acknowledge that their customers/ partners/ stakeholders/ etc. may be worried/ could be inconvenienced/ need to be reassured (see that text book example of well executed acknowledgement at Stratfor).
    Even if you don't know much at this stage, show you feel the pain and that you are trying to make it go away... Saying you're sorry and that you are listening and seeking answers buys a lot of time and more importantly can quell anger and resentment. See The Power of an Apology.
    Again, at this stage, you may not know a lot, but you need to share what steps you propose to take/ have already taken to:

    determine what happened,
    prevent it from re-occurring and
    maintain the trust of your customers/ stakeholders/ partners/ etc.
    You also need to reassure your customers/ partners/ stakeholders and show them you understand the situation. For example, we all know that criminals will piggy-back on any type of newsworthy event or crisis (see here for Target breach), and we also know that this is an excellent opportunity for criminals to start social engineering attacks, especially if the crisis involves the loss of customer/employee credentials, which are always launched very quickly. I’m pretty sure that as a result of the British Airways incident, we’ll start seeing all sorts of free flight ticket scams emerging...
    Take this opportunity to warn everyone that this could happen and how you will communicate (e.g. "we will always..." or "we will never...") and make sure everything is consistent (e.g. if you send an email out, make sure the text of the email is included on your website so your customers can clearly see it is not a phishing scam, and avoid including links in emails – also, if the crisis involves the loss of credentials, you may want to seek communication means alternative to email).
    When data breaches happen in the US, this is usually when one year free credit monitoring is offered to affected individuals (but only because breached organisations are compelled to do so by law – this has yet to happen in Europe).
    Design your web page with this structure in mind so content can easily be dropped in when needed. Keep the webpage uncluttered and easy to use.

    With your web page, you now have a single, simple, point of referral. But having a web page doesn't necessarily mean people seeking information will listen to you or indeed find it... You need to become the central hub for information on YOUR crisis. As with everything in life, you can't do this on your own.
    Again, I offer another set of As: THE THREE “As” OF SPREAD
    Use all the social media avenues available to you: twitter, Facebook, YouTube, Google+, LinkedIn, blogs, etc. Use these to direct information seekers to your crisis communication web pages (see here how Heineken diffused a dog fighting disaster). Do this often (at least two or three times a day to cater for the different time zones, and be under no illusion: the world is watching you even if you only operate in one country or time zone). Keep your web page updated as and when you know more and amplify it by using all the tools at your disposal (e.g. create your own hashtag on twitter first). Offer advice when you can but be careful not to be patronising.
    It is not new that in any kind of crisis communication, third party experts (these can be industry commentators, journalists, experts in your field, etc.) will be the most trusted group: seek out the influencers and give them the information. Also seek out your allies and partners and keep them informed.

    And finally - take a deep breath - trust your employees to be your advocates. There is limitless untapped value in personal social networks... If you want your employees to be your advocates, don’t treat them as a communications risk and be sure they know first (i.e. before the media and external parties) what messages are going to be delivered, and where possible, draft messages that they can use if they so wish. They can not only alert you to opportunities but also to crisis issues via their own networks. The key words here are trust and enablement (see What Can Employees Do to Help Their Company During a PR Crisis? and also what a Miami college did with a mobile app). And it's also a good idea to offer training - after all, even the NYPD is sending its officers to twitter school...
    Facing a crisis situation does not mean you have to surrender your corporate values and governance processes. Be sure your messages are constructed within the framework of your corporate brand image and company policies. Now is not the time to surrender caution and governance.
    In addition, be clear about your limits: you cannot solve every problem for everyone, so you'll have to think of way of pacifying part of your (unhappy) audience when solutions cannot be found quickly.
    In addition, now is not the time to lapse on customer service: you can be speedy and achieve spread successfully, if you don't follow through with good customer service and deliver on your promises, all this would be in vain...
    So now that you've achieved speed and spread, you've got a couple more things to do before you achieve the aim of becoming the de facto information hub for the crisis at hand.

    This is perhaps the scariest step because this is where you have to open up... Yet again, I have Three More As for you and these are about stacking the odds in your favour:
    You have to monitor real time content on the various social networks in order to categorise and prepare the type of content needed on your web page. I found a useful infographic giving some statistics for the education sector in terms of social media crisis management (this easily applies to other sectors in my opinion).
    Invite comments and answer them (on your web page) but also reply appropriately to comments on the various social media channels that you monitor (see above) and again redirect people to your web page.
    Yes, very scary, but bear in mind that not inviting comments will have a negative impact on your brand. It is however possible to manage comments very successfully by remembering a few things:
    not every comment requires a reply and you must know when to disengage;
    if a hostile ring leader emerges, it is sometimes best to take the discussion out of the social media sphere and engage directly;
    there is never any harm in specifying your rules of engagement (e.g. no foul language allowed); 
    keep up with the Joneses: if a negative blog entry is posted, respond with a positive entry from your CEO, etc.
    An excellent example will be the way Shell dealt with the Greenpeace campaign against arctic drilling. As far as I know, Shell decided not to engage, but in the article mentioned, they issued a very dignified reply. They even overlooked the fact that Greenpeace used the Shell logo without permission. Greenpeace also affected the public at large by forcing the closure of 74 UK Shell petrol stations. Whichever way you feel on a subject, public opinion always decides which brand comes out on top...
    As you're getting the hang of it, you are now ready to become the de facto information hub for your crisis by posting all related stories on your web page (positive or negative). You will rapidly realise that you only have some amount of control over the conversation.
    You are however in complete control of where the conversation appears on your web page: make sure your opinion and your content have prominent and favourable placement.
    Here we go, a successful social media crisis response strategy in 9 steps:
    3) STACK THE ODDS...
    And don't forget, suffering a crisis is not the end of the world, you might just be able to turn it to your advantage... After all, Rahm Emanuel once said "You never let a serious crisis go to waste. And what I mean by that it's an opportunity to do things you think you could not do before."
    For the infographic associated with this post, see here.
    As ever, the best line of defence is being prepared... (and maybe I can help you prepare for the inevitable crisis or raise awareness in your organisation, I do love a good workshop and I run masterclasses on the topic!...)
    I first wrote on this subject in May 2012. Today, it is still the most popular entry on my personal blog. I am at once flattered and amazed that some musings derived from the good, bad and ugly of how businesses have tackled crisis communications in the past few years still very much resonate with a lot of you. I hope you enjoyed the 2017 edition...
    Until next time,