On Thursday, 28 September Porter Novelli CEO Rhys Ryan joined veteran Non-Executive Director and Audit Committee Chair, Sally Freeman GAICD at the Melbourne Directors’ Briefing to present on the topic of Crisis Management and the Board’s role.
“Issue plus time equals crisis.” That’s how Rhys Ryan outlined the course of inception and growth of a crisis in an organisation. In other words, if an issue arises in an entity and goes unchecked over time, it will inevitably lead to a crisis.
A seasoned executive who has dealt with his fair share of crisis management, Ryan is aware of what creates a crisis and, more importantly, what it takes to get out of one.
In his Directors’ Briefing, Ryan shared his thoughts on how boards should deal with crises with his three-step process: Plan, Prepare and Test.
The first plan of attack is to carry out a risk analysis, he says. Identifying potential events that may adversely impact the company is a critical first step in understanding what can occur, the financial or non-financial implications of that occurrence and what steps can be taken in advance to mitigate or eliminate that risk altogether.
Once potential risks are identified, Ryan says clear actions for each level of crisis must be put in place, considering factors like crisis communication and delegation of duties among the board.
“Boards cannot sit in a governance bubble,” says non-executive director Sally Freeman GAICD, who sits on the boards of Regis Aged Care, Eastern Health, Regional Investment Corporation, Melbourne Football Club, Suburban Rail Loop Authority and ASX-listed Netwealth Group . “They need to lock in stances, like whether or not they’ll pay a ransom before something actually happens.”
In the preparation phase, Ryan also places importance on preparing proxies for a crisis through training.
“In a financial crisis in business, you need to have the right people in the right positions,” says Freeman. “Boards should not try to do the jobs of managers.”
Ryan suggests that every two years, proxies should undertake training, including how to deal with the media, stating that in some cases it’s fine to identify and quash a crisis before it affects stakeholders without media involvement, while at other times it’s wise to alert the media first to control the narrative before it goes down the wrong path. Locking down relationships with suppliers is also an important part of preparing.
The final step in his process is the testing phase, whereby issues are simulated and juxtaposed with actions. Resilience testing is one form of this, where IT applications can be tested with a focus on how they will perform in a crisis and their ability to withstand stressful or challenging factors. Taking this one step further, penetration testing, a simulated cyber-attack performed on a company’s computer system to evaluate its security, uses the same tools, techniques and processes as attackers. This enables boards to find and demonstrate the weaknesses in a system and the business impacts thereof.
Freeman says you must know in advance who your tech advisors are in the event of a cyber attack, so that you don’t find yourself after an attack saying, “It was a sophisticated attack”, and leaving it at that.
The Director’s role
Behind the scenes, as the planning, preparing and testing is taking place, sits the director. So, what do directors need to consider before, during and after a crisis? Ryan lists the following as essential actions directors must take:
1. Maintain ethics, values and principles.
2. Be the human in the room.
3. Let the cobbler cobble.
4. Support your executive team. No one else will.
5. Be the voice and face of the company.
6. Think laterally and long term.
7. Be willing to walk.
For information on future AICD events like this one, visit our website
Already a member?
Login to view this content