Bear in mind the three Cs: contain, command and control.
• Contain the situation to determine what has happened, and where.
• Set up or identify a chain of Command. Who needs to know about the situation? Who can help?
• Apply Control; confirm when the crisis happened, or started, or began escalating.

When these factors are clarified, a better indication of what the situation requires, will appear. As alarming, dangerous or unsettling as the incident may appear, the focus of the organisation should be on the impact of what has happened, rather than on the incident itself. Why? Because what has happened, has already happened; it cannot be undone. The organisation should be proactive, and gear up for mitigation or prevention. This is when crisis management preparation kicks in. With crisis management, you don’t wait for things to happen. You need to move quickly and concertedly – which is why management has to cultivate anticipation of what could happen.

Prevention and action are key, and must be supported by communication. It is imperative to keep people informed of what is happening. This is also to avoid speculation, which could damage the firm’s reputation even before the full facts of the incident are established. Besides, when you keep communication going, it reassures stakeholders that you are in control of the situation, and that despite difficulties, you are doing everything within your means to address it. You should be transparent about what you are doing at all times, and communicating clearly, concisely and in a timely manner is one of the best ways to do it. Transparency indicates good governance, and good governance is always a great brand builder.

Companies should also be aware of how their data is managed, and the laws which regulate its storage, transport and application, mainly because data breaches are one of the most common harbingers of crisis. It indicates that a company’s data is accessible to parties that have no right to it; loss of confidentiality makes stakeholders uncomfortable, and confidence in the organisation dwindles. Crisis management extends to physical equipment as well, as the physical location of these or their improper management can sometimes cause them damage, thereby impairing the ability of the firm to manage the situation. For example, if the diesel generators of a factory are not maintained and kept fuelled at all times, they will not be of much use in the event of a power outage.

Together with managing the company’s data and physical assets, the workforce needs to be managed in tandem. Companies, i.e. the HR department, must be conversant with the prevailing health and safety requirements, and keep abreast of the contractual terms of the expatriates they hire, at all times. Outbreaks of disease, rioting and natural disasters may be factors warranting evacuation of foreign staff as stipulated by their contracts. If the company fails to do so, it may be making itself vulnerable to lawsuits. Be prepared with alternative physical sites, in the same way that non-physical company assets, like data, are stored and can be accessed in the event the regular place of business cannot be operational for any length of time.

With so many factors to consider, how could managers come to grips with what needs to be managed in a crisis? The starting point is identifying risks confronting the organisation; then identify what the responses to these risks should be, and assess the organisation’s risk response readiness. Identifying and assessing these risks means measuring them – and what can be measured, can be managed. But measuring and managing are extensive jobs which take time and resources, which is why recognising the need for them and putting in the checks and balances which will enable the appropriate mitigation measures to operate in the event of a crisis, should begin from the outset. Recognising this need is the start of risk management.

It is also the starting point for the development of a risk culture and the realisation of the crucial role that risk management plays in the enterprise. While effective risk management is primarily people-based (because it takes humans to realise that things can go wrong, and identify what these are to begin with), companies need to be vigilant regarding their physical environments as well, including supporting and complying with robust regulatory requirements – and must be seen to be doing so. Before declaring themselves “best brand” winners, firms have to ensure that they have addressed their threats and that there are mitigation measures in place, should the unthinkable happen.

Crisis management is crucial to the sustainability of the firm, as is risk management. In best practice terms, there is a crying need to develop a risk management culture. Employees at all levels must be aware that threats exist to the business, and it is their responsibility – and within their power – to contain it. It is crucial to move from a culture of apathy to one of being aware of the challenges facing the firm at any point in its existence. People need to be aware of what to do at the moment of crisis because managing this risk is integral to the life of the firm, and their continued employment.