20 May 2012

THE SOCIAL MEDIA SIDE OF INCIDENT RESPONSE...

Google
[For the February 2014 version of this post, see here]
Not impressed with LinkedIn's social media crisis response after more than 6M user passwords got leaked recently or non-plussed with Dropbox's handling of their own crisis? Read on... In one of my February posts, I wrote about incident response and the importance of addressing the media in a timely manner. Whilst the NIST report SP 800-61 gives really good guidelines on the positive aspects of fully and effectively communicating important information to the public, I feel there is some mileage to be had by exploring the use of social media when tackling incident response. After all, we've all seen how quickly news can spread on twitter here or here... So, should you be breached, you would no doubt have a crisis communication process already in place, but does it include social media?...

The need for speed...
Social media crisis response brings a new dimension to crisis communications: speed. My previous post highighted how to prepare for traditional media (training, mock interviews and press conferences, prepared statement structure, do's and don'ts, etc.). With social media crisis management, time is of the essence: the first 24 hours are crucial as this is when people will cast their digital nets out and frantically search for information. 
I am assuming at this stage that you have an established and tested incident response plan (if not see my previous posts - here and here - on the subject). 
You need to be prepared: the internet does not wait for your CEO to respond, the news will spread with or without your involvement. You have however a chance to take control. 
So assuming incident response is already well establihed in your organisation, you are in good shape as you have most of the building blocks in place. 
One easy block to add (now!) is a web page dedicated to a potential crisis/ breach. Having this prepared with an easy structure to follow will enable you to control the flow of information very quickly.
The structure of your web page should follow what I call The Three As and it should include the following sections (IMHO):
  • ACKNOWLEDGMENT: This early, you may not know much, but you could look at: Who attacked you? Why? etc.; When did it happen? How did it happen? How widespread? What/ who does it affect? How did you find out? But first and foremost, take ownership: passing the buck or blaming others is not an acceptable response. Of course, there will be instances where you cannot divulge much of the details (e.g. if law enforcement is involved), but don't let this distract you from the fact that you have to acknowledge something, even if you cannot share details. The result of no acknowledgement will be inflated speculation, and you want to avoid this.
  • APOLOGY: all too often, organisations do not acknowledge that their customers/ partners/ stakeholders/ etc. may be worried/ could be inconvenienced/ need to be reassured. Even if you don't know much at this stage, show you feel the pain and that you are trying to make it go away... Acknowledgment that you are listening and seeking answers buys a lot of time and more importantly can quell anger and resentment. See The Power of an Apology.
  • ACTION: again, at this stage, you may not know a lot, but you need to share what steps you propose to take/ have already taken to 1) determine what happened and 2) prevent it from re-occuring and 3) Maintain the trust of your customers/ stakeholders/ partners/ etc. You also need to reassure your customers/ partners/ stakeholders and show them you understand the situation. For example, we all know that criminals will piggy-back on any type of newsworthy event or crisis (see here), and we also know that this is an excellent opportunity to start social engineering attacks (e.g. phishing) which are always launched very quickly (see previous post). Take this opportunity to warn everyone that this could happen and how you will communicate (e.g. "we will always..." or "we will never...") and make sure everything is consistent (e.g. if you send an email out, make sure the text of the email is included on your website so your customers can clearly see it is not a phishing scam, see the comments on the Dropbox blog - avoid including links in emails).
Design your web page with this structure in mind so content can easily be dropped in when needed (an example of a good structure can be found on the Stratfor site). Keep the webpage uncluttered and easy to use.

Head for spread...
With your web page, you now have a single, simple, point of referral. But having a web page doesn't necessarily mean people seeking information will listen to you or find it... You need to become the central hub for information on the crisis. As with everything in life, you can't do this on your own. Again, I offer Another Three As:
  • AMPLIFICATION: use all the social media avenues available to you: twitter, facebook, YouTube, Google+, LinkedIn, blogs, etc. Use these to direct information seekers to your crisis web page. Do this often (at least two or three times a day to cater for the different time zones, and be under no illusion: the world is watching you even if you only operate in one country/ time zone). Keep your webpage updated as and when you know more and amplify it by using all the tools at your disposal (e.g. create your own hashtag first). Offer advice when you can but be careful not to be patronising.
  • ADVOCACY: it is not new that in any kind of crisis communication, third party experts (these can be industry commentators, journalists, experts in your field, etc.) will be the most trusted group: seek out the influencers and give them the information. Also seek out your allies and partners and keep them informed. And finally, take a deep breath, trust your employees to be your advocates. There is limitless untapped value in personal social networks... If you want your employees to be your advocates, be sure they know first (before the media and external parties) what messages are going to be delivered, and where possible, draft messages that they can use if they so wish. They can not only alert you to opportunities but also to crisis issues via their own networks. The key word here is enablement (see What Can Employees Do to Help Their Company During a PR Crisis?).
  • ADHESION: facing a crisis situation does not mean you have to surrender your corporate values. Be sure your messages are constructed within the framework of your corporate image as now is not the time to surrender caution and governance. In addition, be clear about your limits: you cannot solve every problem for everyone, so you'll have to think of way of pacifying part of your (unhappy) audience when solutions cannot be found quickly. In addition, now is not the time to lapse on customer service: you can be speedy and achieve spread successfully, if you don't follow through with good customer service and deliver on your promises, all this would be in vain...

Check the decks...
So now that you've achieved speed and spread, you've got a couple more things to do before you become the de facto information hub for the crisis at hand. This is perhaps the scariest step because this is where you have to open up... Yet again, I have Three More As for you and these are about stacking the odds in your favour:
  • ANALYSIS: you have to monitor real time content on the various networks in order to categorise and prepare the type of content needed on your web page. I found a useful infographic giving some statistics for the education sector in terms of social media crisis managenent (this easily applies to other sectors in my opinion).
  • ANSWER: invite comments and answer them (on your web page). Yes, very scary, but bear in mind that not inviting comments will have a negative impact on your brand. It is however possible to manage comments very successfully by remembering a few things: not every comment requires a reply and you must know when to disengage; if a hostile ring leader emerges, it is sometimes best to take the discussion out of the social media sphere and engage directly; there is never any harm in specifying your rules of engagement (e.g. no foul language allowed); Keep up with the Joneses: if a negative blog entry is posted, respond with a positive entry from your CEO, etc. An excellent example will be the way Shell dealt with the recent Greenpeace campaign against arctic drilling. As far as I know, they decided not to engage, but in the article mentioned, they issued a very dignified reply: [extract] "Shell recognises that certain organisations are opposed to our exploration program offshore Alaska, and we respect the right of individuals and organisations to engage in a free and frank exchange of views about our operations. "Recognising the right of individuals to express their point of view, we only ask that they do so with their safety and the safety of others, including the general public and Shell personnel, in mind. Shell has met with numerous organisations and individuals who oppose drilling offshore Alaska. We respect their views and value the dialogue. We have extended this same offer for productive dialogue to Greenpeace." They even overlooked the fact that Greenpeace used the Shell logo wthout permission. If we also consider the fact that Greenpeace closed 74 UK Shell petrol stations, therefore affecting the public at large, public opinion will decide which brand came out worse...
  • AGGREGATION: as you're getting the hang of it, you are now ready to become the de facto information hub by posting all stories on the crisis on your web page (positive or negative). You will rapidly realise that you cannot control the conversation. You are however in complete control of where the conversation appears on your web page: make sure your opinion and your content has prominent and favourable placement.

Here we go, a successful social media crisis response strategy can be summarised by
1) The Need For Speed
2) Head For Spread and
3) Check The Decks...

And don't forget, suffering a crisis is not the end of the world, you might just be able to turn it to your advantage, see my next post if you're interested.

For my webcast on the topic of this post, see here.

To see the infographic associated with this post, see here.

As ever, the best line of defence is being prepared...


Until next time,
neirajones