Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
February 23, 2016
Crisis Management–
Are you prepared?Denise Pacofsky, Partner, Deloitte & Touche LLP
Marshall Billingslea, Director, Deloitte Financial
Advisory Services LLP
2 Crisis Management–Are you prepared? Copyright © 2016 Deloitte Development LLC. All rights reserved.
Partner l Deloitte Advisory
Deloitte & Touche LLP
• Over 20 years of experience, largely international
• Focus on Crisis Management to assist companies in preparing for, responding to, and recovering from crisis
events; international IPOs; regulation and public policy; auditing multinationals
Denise Pacofsky
Director l Deloitte Advisory
Deloitte Financial Advisory Services LLP
• Supports Deloitte Advisory’s work with NATO, the European Union, US Special Operations, and Intelligence
communities
• Prior to Deloitte Advisory, held senior positions within US Federal Government and overseas, including
Deputy Under Secretary of the Navy, Assistant Secretary General of NATO for Defense Investment
Marshall Billingslea
Presenters
5 Crisis Management–Are you prepared? Copyright © 2016 Deloitte Development LLC. All rights reserved.
TO BE INSERTED INTO POLL EVERYWHERE
TECHNOLOGY
• Yes, it was horrific
• Yes, it was not so bad
• Yes, barely
• No
Have you experienced a corporate
crisis?
• We were not prepared
• We were in denial
• Events unfolded so fast
• We overanalyzed
• Media was unforgiving
• Would have been different before the
days of social media
• All of the above
• Other
• N/A
What was the most challenging aspect
of the crisis?
6 Crisis Management–Are you prepared? Copyright © 2016 Deloitte Development LLC. All rights reserved.
Source: marketoonist.com, February 5, 2012
9 Crisis Management–Are you prepared? Copyright © 2016 Deloitte Development LLC. All rights reserved.
TO BE INSERTED INTO POLL EVERYWHERE
TECHNOLOGY
• Cyber attack
• Food safety
• Financial crime
• Labor disputes
• Natural disaster
• Terrorism
• All of the above
• Other
• Not sure
What is your biggest crisis concern
today?
• Ready to go – robust program in place
• Currently working to mature our
capabilities
• Not very prepared
• Not sure
In your opinion, how equipped is your
organization to handle a crisis?
“A reputation crisis – where a company
may suddenly lose more than a fifth of its value –
carries an 80% likelihood in a five year period.”
Source: Oxford Metrica and Aon Reputation Review 2012Copyright © 2016 Deloitte Development LLC. All rights reserved.
… a major catastrophic event, or a series of escalating events, that
threatens an organization’s strategic objectives, reputation, or viability.
Crises typically exceed existing mitigation techniques and
risk management programs such as Business Continuity, Disaster
Recovery, Health and Safety plans, or Emergency Response.
A crisis…
Copyright © 2016 Deloitte Development LLC. All rights reserved.
12 Crisis Management–Are you prepared? Copyright © 2016 Deloitte Development LLC. All rights reserved.
50
150
250
350
450
1970 2010
Crises have grown in severity and frequency N
um
be
r o
f E
ve
nts
natural
disasters
300+
major boycotts,
riots, and labor
disputes globally
500+
S T R I K E
annual cost to the global economy from
records stolen due to cyber attacks
$400B
$$
$ $
total loss for
man-made
disasters
~$9B
corporate fraud and
embezzlement cases in US
1.2K$
Source: See Appendix slide for sources
13 Crisis Management–Are you prepared? Copyright © 2016 Deloitte Development LLC. All rights reserved.
The data below represents actual events that placed a hospitality company in the public spotlight and often
resulted in financial implications.
Hospitality industry has similarly experienced a wide
spectrum of crises, with increased frequency
Timeline is illustrative, not drawn to scale, and represents crises noted from public sources
2012 2016
Discrimination
Legal and Regulatory
Disputes/ Labor Disputes
Legal and Tax Disputes
Digital Crisis
Cyber Breach
(multiple instances)
Terrorist Attack
Foodborne Illness
Executive Misconduct
(ongoing)
Labor Disputes
(ongoing)
Human Rights
ConcernsCyber Attack
Social media can quickly instigate a
slow burn. Twitter has 320 million users
who post 500 million tweets per day
Terrorist Attack
Cyber Breach
(multiple instances)
Source: Deloitte analysis, Twitter September 30, 2015
14 Crisis Management–Are you prepared? Copyright © 2016 Deloitte Development LLC. All rights reserved.
Crisis management capabilities are integral to an
organization’s ability to manage unforeseen crises
RecoverPrepare Respond
Scenario
Planning
Strategic
Risk/ERM
Assessment24/7 Monitoring
War Gaming and Simulations
Business Continuity
Management
Crisis Management Planning Crisis Communications
Real Time
Response
Post-crisis
Recovery
Post-crisis
Assessment
Crisis
trig
ge
r
15 Crisis Management–Are you prepared? Copyright © 2016 Deloitte Development LLC. All rights reserved.
Moving toward effective crisis management
DescriptionTopic
Response Organization
Decision Making Process
Crisis Management Plan
Common Operating Picture
Ongoing Crisis Monitoring
Private — Public Coordination
Control Hierarchy
Information Management
Pre-defined group of senior leaders responsible for all aspects of organization's response
Structured approach for analyzing situation, identifying issues, assessing options, taking
decisive actions
Guidelines and procedures developed in advance of a crisis
Situational awareness capability
Collecting and analyzing pertinent information on a continuous basis throughout the crisis
Integration between public and private sector to respond to events that may involve
critical infrastructure and key resources
Structure that defines decision rights, leadership succession, other management controls
Formal documentation to track the details of the event and response actions
Crisis Communications Communications internally and externally during a crisis
16 Crisis Management–Are you prepared? Copyright © 2016 Deloitte Development LLC. All rights reserved.
Effective crisis response is essential to preserving
shareholder value
Source: Research from 15 high-profile crises focused on the impact on shareholder value
following the crisis; Oxford Metrica and Aon Reputation Review 2012
Crisis Characteristics
• Sudden, unexpected event
or multiple precipitating
events
• Compressed time for
decision-making and action
• High potential for negative
impact to organization
• High uncertainty, low clarity
• High media scrutiny
• Significant business
disruption
Crisis challenges
can delay and
degrade response
Effective crisis response shown to
reverse negative effects on
shareholder returns
19 Crisis Management–Are you prepared? Copyright © 2016 Deloitte Development LLC. All rights reserved.
TO BE INSERTED INTO POLL EVERYWHERE
TECHNOLOGY
• CEO
• CFO
• Chief Risk Officer
• Legal
• PR/Communications
• SME (i.e., CIO for cyber)
• Other
• Unsure
Who is on point to lead a crisis for your
organization?
• Customers
• Employees
• Investors
• Media
• Third parties/vendors
• Other
• Not sure
In your opinion, who might be the most
overlooked stakeholder in a crisis?
20 Crisis Management–Are you prepared? Copyright © 2016 Deloitte Development LLC. All rights reserved.
Is your organization prepared to be in the spotlight?
REGULATORS/
AUDITORS
CUSTOMERS
& SUPPLIERS
MEDIA
EMPLOYEES
BOARD OF
DIRECTORS
KEY
INVESTORS
BANKS/CREDITORS/
CREDIT RATING AGENCIES
Is our
credit rating
vulnerable?
What penalties
and fines are
we exposed to?
What’s
our legal
exposure?
What’s the
damage to our
business?
How will
reputation
loss impact the
company’s long-
term viability?
How much
cash will
we bleed?
Who’s to
blame?
Does this
impact our bank
covenants?
What really
happened?
Can we trust
you to keep
your financial
commitments?
How safe
are our jobs?
Which controls
and procedures
were violated?
By how much
will we miss
our earnings
estimate?
C-SUITE
21 Crisis Management–Are you prepared? Copyright © 2016 Deloitte Development LLC. All rights reserved.
Rehearsing and practicing before a crisis can lead to
greater success with crisis response and recovery
• Training-based
• Informative
• Consensus building
• Walkthrough scenarios,
passive environment
• Practice roles and processes/
explore strategies
• Examine assumptions
• Increased pressure and focus on
timely decision making
• Scripted, active environment
• Hot-wash debrief
• Stress test assumptions
• Worst-case scenarios
• Red team–adversarial group playing
against participants
• Free play, interactive environment
with open debates
• Hot-wash debrief
• After action report
Incre
asin
g r
ea
din
ess
Table-top Exercises
Simulations
War Games
Increasing Complexity
22 Crisis Management–Are you prepared? Copyright © 2016 Deloitte Development LLC. All rights reserved.
War Games can enable risk-informed decision-
making through immersive and experiential learning Plausible scenarios are customized depending on requirements and can include exploring an
issue, assessing capabilities against established processes, or anticipating future risk and
examining an organization’s ability to manage it.
War Game Types
Illuminates emerging crises and risks,
and their impacts; and identifies ideas
to prepare, respond, and recover
War Game Outcomes
Breaks through organizational bias and
enables common understanding of
risks
Discovery
Evaluates current plans, procedures
and capabilities; and identifies gaps
for improvement
Assessment
Probes future environments to
recognize emerging threats, enabling
pro-action rather than reaction
Strategic Futures
Improved
Understanding
Enables development and refinement
of alternatives and their effects
Enables organizations to be better
prepared through rehearsing in a
simulated environment
Identification of
Alternatives
Readiness and
Reduced Surprise
“I hear and I forget, I see and I remember, I do and I learn.” - Confucius
23 Crisis Management–Are you prepared? Copyright © 2016 Deloitte Development LLC. All rights reserved.
Overview—hotel terrorismAn increase of hotel terrorist attacks prompts a reevaluation of current security
postures within the hospitality industry. Adapting to this threat environment will
require new approaches and the implementation of industry-wide security
standards.
Success factorsOutline critical factors needed to effectively adapt to the threat environment
Leading PracticesHighlight leading practices for implementing success factors
Indicators of attractivenessIdentify indicators that make hotels attractive targets
Understand vulnerable exposure points that can be exploited by
terrorists
Trends in terrorismUnderstand global terrorism trends and implications on hotel security.
24 Crisis Management–Are you prepared? Copyright © 2016 Deloitte Development LLC. All rights reserved.
Attractiveness of a targetTerrorists are focused on targets that provide the greatest return on investment.
Hotels often exhibit many of the qualities that make a target “attractive” to
terrorists.
• Requires few resources
• Involves minimal planning
• Potential to elicit fear among
the masses
• Traditionally weak security
posture
• Dense western populations
• Symbolic of western values, culture
25 Crisis Management–Are you prepared? Copyright © 2016 Deloitte Development LLC. All rights reserved.
Increases in hotel terrorismTrends in global terrorism appear to correlate with hotel terrorism and are on the
rise. This should spur both owners and operators in the hospitality industry to
reconsider hotel security strategies.
0
20
40
60
80
100
120
140
160Casualties Per Terrorist Attack 2005-2015
Average Attack Hotel Attack
Data Sources: National Consortium for the Study of Terrorism and Responses to Terrorism
(START). (2013). Global Terrorism Database [Data file]. Retrieved from
http://www.start.umd.edu/gtd. Combined with other external media sources.
145
Casualties
61 Casualties
2002
2014
Extremist Attacks by Country
10 or
fewer
10-
100
100-
300
300-
500
1000 or
more
500-
1000
26 Crisis Management–Are you prepared? Copyright © 2016 Deloitte Development LLC. All rights reserved.
Critical success factorsThese critical success factors set forth a multifaceted strategy to help address the
security vulnerabilities that make hotels attractive terrorist targets.
Every hotel employee plays a role in maintaining the security of the property and its
guests. Therefore, training in basic security awareness and response should be a
necessary component of every employee's orientation and continued training.
Comprehensive vetting process not only validates skills, but also helps protect against
potential insider threats. Background checks should be performed on hotel employees,
vendors, and contractors.
The application of proactive, effective security capabilities include layering security--
crucial for protecting hotels and guests from terrorist attacks.
Approximately 98 percent of terrorist attacks live within 28 miles of their target.* The
more that a hotel is locally connected, the more likely it can keep abreast of patterns of
behavior in the community that may signal preparation activities for an attack.
Well-trained employees
Background checks
Multi-layered security
Community buy-In &
engagement
Symbolic appeal
Industry standards
* Data Source: National Institutes of Justice
By understanding what makes a soft target appetizing to a terrorist group,
countermeasures may be taken to minimize the profile of the hotel.
There is a need for coordination across the hospitality industry to establish a global
security framework with minimum standards and leading practices.
27 Crisis Management–Are you prepared? Copyright © 2016 Deloitte Development LLC. All rights reserved.
Leading practicesWhile there is no proverbial silver bullet, the current and emerging trend of hotel
terrorist attacks requires an integrated response anchored in leading practices.
Perform routine hotel security
assessments to identify
security gaps and vulnerabilities.
Security AssessmentsDevelop a security strategy
that enables the business
capabilities, services, and
processes to function with
minimal disruption.
Security Strategy
Conduct regular employee
meetings to develop a shared
understanding around critical
functions of hotel security.
Regular Meetings
Employ strategic communications to sustain
buy-in from community leaders and encourage
employees to keep hotel security staff informed.
Communications
Fully integrating robust
security measures and
leading practices into
daily operations is
essential to preserving
security.
Provide clear policy guidance
for the establishment of a
security strategy that defines
roles and responsibilities
throughout the hotel compound.
Policy Guidance
28 Crisis Management–Are you prepared? Copyright © 2016 Deloitte Development LLC. All rights reserved.
SummaryThe identified critical success factors and leading practices can serve as a model
for standing up a capability for hotels to mitigate the risk and reduce the impact of a
terrorist attack.
Implemented together, hotels have the ability to improve security effectiveness.
This mission is essential to preserving the confidence of travelers.
Success factors
Background
checksTraining Security
Symbolic
Appeal
Community
Engagement
Industry
Standards
Leading practices
Security strategy
Security assessments
Policy guidance
Strategic communications
Regular meetings
Questions
30 Crisis Management–Are you prepared? Copyright © 2016 Deloitte Development LLC. All rights reserved.
Board members feel ready to handle crisis, but a deeper dive hints otherwise
Feeling ready vs. being ready – board survey results
How would you rate your
organization’s crisis
management strategies
and capabilities?
Respondents who answered "4" or "5"
on a five-point scale where 1= not at all
prepared and 5= fully prepared
62% 82%
OVERALL OVER US$10B REVENUE
Fewer than half of the total respondents say they
have a “playbook” that sets out some of the
options, actions and decisions that may be
required for specific, defined crisis scenarios.
Uncertain
33%
No
18%
Yes
49%Does this organization
define a specific set of
actions—a distinct
“playbook”—for each of its
specifically defined crises
scenarios?
31 Crisis Management–Are you prepared? Copyright © 2016 Deloitte Development LLC. All rights reserved.
Most steps toward crisis preparedness go ignored
Half the total respondents or fewer reported having engaged in each of a list of specific crisis preparedness activities
Feeling ready vs. being ready – board survey results
50%
Evaluated
key crisis scenarios
50% 49%
46% 43% 41%
What steps have you
taken in crisis
preparedness?
Respondents who answered
“4” or “5” on a five-point scale
where 1= not at all and
5= extensively
Evaluated strengths/weaknesses/
opportunities/threats (SWOT)
Identified
relevant stakeholders
Engaged
multifunctional teams
Evaluated
worst-case scenarios
Evaluated stakeholders in
analysis of specific scenarios
32 Crisis Management–Are you prepared? Copyright © 2016 Deloitte Development LLC. All rights reserved.
Ranking the threats – board survey results
We asked companies how vulnerable they might be to the following potential
crises (on a scale from 1-5 where 1 = not at all vulnerable and 5 = extremely
vulnerable)
Across all industries, locations, and company sizes, the most commonly cited vulnerabilities were corporate
reputation and cyber-crime. Chemical, biological, radiological, or nuclear attack and the threat of workplace
violence were at the bottom of the list.
Co
rpo
rate
re
puta
tio
n
Cyb
er-
cri
me
Ru
mo
rs (
thoug
h f
als
e)
Re
gu
lato
ry a
ctio
ns
Na
tura
l d
isaste
rs
Sup
ply
cha
in issue
s
Org
aniz
ation
al
malfe
asa
nce
Terr
ori
sm
/ma
nm
ad
edis
aste
rs
Pro
du
ct ta
mperi
ng
Liq
uid
ity
Ch
em
ical, b
iolo
gic
al
radio
log
ical, n
ucle
ar
Wo
rkp
lace
vio
lence
73%70%
68% 66% 66% 66%64% 63%
60%58%
55% 54%
(If answered Yes to 2A or 3) Having indicated earlier that you have gone through a crisis—what are the
lessons that your company has learned, or that you would do differently? Choose top three
Question 17 – board survey results
34%
27%
32%
16%
23%
28%29%
28%29%
28%
24%
2%
Do m
ore
to b
etter
iden
tify
pote
ntia
l crisis
scenario
s
Invest m
ore
effort
in
pre
ventio
n
Impro
ve d
ete
ctio
n a
nd e
arly w
arn
ing
syste
ms
Mo
nitor
socia
l m
ed
ia a
s a
means o
fdete
ctio
n
Be
tter
defin
e the c
hain
of com
mand for
spe
cific
scenario
s/s
itua
tio
ns
(ro
les/r
esponsib
ilitie
s/t
imin
g)
Conduct better
pre
-crisis
pla
nnin
g for
coo
rdin
atio
n/c
om
munic
atio
n w
ith
em
erg
ency r
esponse team
s in
clu
din
g f
irst
responders
and g
ove
rnm
en
t agencie
s
Execute
a m
ore
tim
ely
and r
obust
com
munic
atio
ns p
lan
Com
munic
ate
more
effe
ctively
with
busin
ess p
art
ners
/alli
ances
Com
munic
ate
more
effe
ctively
with
em
plo
yees
Com
munic
ate
more
effe
ctively
with
custo
me
rs
Com
munic
ate
more
effe
ctively
with
sup
plie
rs
Oth
er
34 Crisis Management–Are you prepared? Copyright © 2016 Deloitte Development LLC. All rights reserved.
Many organizations face challenges and stumbling
blocks that can delay or degrade crisis response
Excessive focus on fixing the incident, rather than
leading the response and addressing the strategic
impacts
Failing to understand or underestimating the scale,
breadth, and speed of the crisis and its unanticipated
consequences
Making inaccurate decisions and unintentionally causing
harm, due to bad or incorrect information in the first few
hours of a crisis
Not having enough time to make sense of the chaotic
inflow of information and answering all of the direct
inquiries
35 Crisis Management–Are you prepared? Copyright © 2016 Deloitte Development LLC. All rights reserved.
Have a plan in place and exercise it before a crisis hits
Lead decisively – remember, taking no action is making a decision
Continually frame the crisis – don’t underestimate the scale, breadth, and
speed of the crisis and its unanticipated consequences
Focus on what you can control; accept what you cannot
Address the strategic impacts – avoid excessive focus on fixing the incident
Avoid analysis paralysis – you will never have all the information
Actively communicate – own the story, don’t let others tell it
for you
Be ready for the unexpected
Drive toward actionable intelligence
…Don’t panic
And furthermore, in a crisis…..
36 Crisis Management–Are you prepared? Copyright © 2016 Deloitte Development LLC. All rights reserved.
Partner l Deloitte Advisory
Deloitte & Touche LLP
Denise Pacofsky
Director l Deloitte Advisory
Deloitte Financial Advisory Services LLP
Marshall Billingslea
For further information
Appendix
38 Crisis Management–Are you prepared? Copyright © 2016 Deloitte Development LLC. All rights reserved.
Sources for slide: ‘crises have grown in severity and
frequency’Sources:
Financial disruption: http://www2.deloitte.com/la/en/pages/risk/articles/ceo-of-
queensland-reconstruction-authority-to-join-deloitte-and-set-up-a-centre-for-
excellence-for-crisis-management-for-sea.html
Other catastrophes: Swiss Re: Natural disasters and man-made disasters 2011
Sources of data points on the right:
4,000 successful cyber-terrorism attacks globally (every year): Cyber-terrorism:
http://www.hpenterprisesecurity.com/collateral/report/2011_Cost_of_Cyber_Crim
e_Study_August.pdf;
https://securitymetrics.org/content/attach/ReturnOnInvestment/economic.impact.c
yberattacks.pdf
800 Billion individual records lost with an annual cost to the global economy of
more than $400 Billion: Net Losses: Estimating the Global Cost of Cybercrime
June 2014 – McAfee
This document contains general information only and Deloitte Advisory is not, by means of this document, rendering accounting, business,
financial, investment, legal, tax, or other professional advice or services. This document is not a substitute for such professional advice or
services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking
any action that may affect your business, you should consult a qualified professional advisor.
Deloitte Advisory shall not be responsible for any loss sustained by any person who relies on this document.
As used in this document, “Deloitte Advisory” means Deloitte & Touche LLP, which provides audit and enterprise risk services; Deloitte
Financial Advisory Services LLP, which provides forensic, dispute, and other consulting services; and its affiliate, Deloitte Transactions and
Business Analytics LLP, which provides a wide range of advisory and analytics services. Deloitte Transactions and Business Analytics LLP
is not a certified public accounting firm. These entities are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for
a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under
the rules and regulations of public accounting.
Copyright © 2016 Deloitte Development LLC. All rights reserved.
Member of Deloitte Touche Tohmatsu Limited