The coronavirus pandemic has resulted in an orgy of news stories, commentary and analysis in which the terms crisis, disaster and emergency have been used almost interchangeably. What is the correct terminology?
These three terms are closely related and overlap significantly, yet each has its own distinct meaning and implications.
A crisis is an issue or event that invites unwanted external scrutiny, seriously impacts an organisation’s ability to do business, and jeopardises its reputation. There are many types of crises (and non-crises); research shows most crises stem from management weaknesses.
An emergency is an unplanned event such as fire, flood, evacuation, violent crime or fatality that affects an organisation locally and requires immediate action. The impact of an emergency is generally limited to the initial event itself.
A disaster is a severe situation that affects broader society and which has the potential to interrupt business operations on a longer-term basis. Examples include an earthquake, a tornado, a major flood or power outage, or a serious health pandemic.
Despite the coronavirus technically classifying as a disaster, it is no surprise that journalists and commentators prefer the term crisis given it is media shorthand for pretty much anything that goes or can go wrong.
Yet the boundaries between crisis, emergency and disaster are less straightforward than they first appear.
The coronavirus may be a disaster for health organisations and inter-governmental organisations, but it is also resulting in serious crises for companies shut down by government decree or mishandling how they manage their response.
And a really serious crisis resulting in significant environmental, social, economic or geo-political damage – think BP Deepwater Horizon – is often termed a disaster (‘a crisis with a bad ending’), or even a catastrophe.
Crisis teams and communicators, however, should take real care with their terminology. Planning and responding to serious negative events requires precision with what words mean and imply.
A health pandemic necessitates a different response to a workplace fatality or data privacy breach. Different teams are often involved, and each scenario demands different policies, protocols and messages. Activating the wrong plan can be disastrous.
While COVID-19 is growing exponentially, it is no emergency, no matter what the media says. But it is a crisis for some organisations and a disaster for others.
Concern is widespread that artificially generated ‘deepfake’ videos pose a major potential problem for those targeted, be they companies, CEOs, celebrities, academics and commentators, or politicians.
A new study of 14,678 deepfake videos by cybersecurity company Deeptrace suggests otherwise. Deepfakes may generate millions of views, yet the great majority (96%) are pornographic and have little wider societal impact.
This may change all too soon. Deepfakes are increasingly realistic, freely available, and easy to make. Artificial voice company Lyrebird promises it can create a digital voice that sounds like you in a few minutes (even if my voice apparently proved less than straight-forward.)
It is surely only a matter of time before we see more regular instances of deepfakes damaging – directly or indirectly – companies, governments and individuals through false or misleading news stories, hoaxes and reputational attacks.
A recent example: controversial Canadian psychology professor Jordan Peterson recently found himself at the mercy of a website where anyone could generate clips of themselves talking in his voice, forcing him to threaten legal action. The simulator has since been taken offline.
In another case a political private secretary in the Malaysia government was arrested over a video allegedly showing him having illegal gay sex with the country’s minister of economic affairs. The country’s leader responded by saying the video was ‘cooked up’, but it remains unproven whether the video was manipulated.
Reputational risks of deepfakes for companies include:
A fake CEO town hall video regarding the new company strategy is ‘leaked’ to the outside world, allegedly by a short seller
The voice of a politician is used to manipulate a senior director into discussing allegations of corporate fraud
A fake recording of two executive board directors discussing the sexual habits of a colleague is used to blackmail the company
An outsider gains entrance to a secured office by impersonating the voice of a company employee.
Spread over the internet and social media and excavating distrust in institutions and deep geo-political tensions, the risks of malevolent deepfakes are only now starting to emerge.
While the likelihood of a deepfake attack remains low in the short-term, and impact remains hard to quantify, every organisation would be wise to start considering what it may mean for its name and image.
Last week I had the fortune to be invited to speak on the topic of reputational risk management to MBA students and assorted internal auditors, risk managers, HR and communications executives at the Othman Yeop Abdullah Graduate School of Business at the Universiti Utara Malaysia in Kuala Lumpur.
Reputation risk may not be as high up the agenda of boards of directors and management teams in Malaysia as in some other countries, but it has gained importance in recent years due largely to two major crises:
the 1MDB scandal that led directly to the overturning of the Malaysian government, the arrest and forthcoming trial of former prime minister Najib Razak, fraud investigations in 10+ countries, and criminal charges laid against Goldman Sachs and two of its former employees
and the various woes befalling Malaysia Airlines (here’s my take on the mystery of MH370 from an online/social media perspective; if you haven’t already, I strongly recommend you read this in The Atlantic for what may well be the last word on the tragedy).
Whilst unresolved, both crises helped erode confidence and trust in institutions in Malaysia and raised (and continue to raise) legitimate questions about how Malaysia Inc – which is still largely dominated by a few family-controlled businesses – operates.
Accordingly, companies (especially government-owned or linked ones) and parts of government and civil society are actively considering the extent to which they are exposed to reputational risks, and thinking harder about how these should be minimised and managed.
The whys and hows of effective reputation risk management
Predicting and managing reputational risks poses a wealth of tricky questions and challenges – amongst them:
How should reputation risk be defined?
What are the primary drivers of corporate reputation?
What forms do these risks take?
Who is responsible for an organisation’s overall reputation?
Who should own corporate reputation on a day-to-day basis?
What role(s) should communications and marketing play in reputation risk management?
How best measure, track and report reputational threats?
Why can leaders be reluctant to get to the root of reputational issues?
I tackled these and other challenges in my presentation, setting out solutions based on my professional experience, research and observation.
Most companies expressly avoid mentioning past scandals in their advertising. Not so VW, which makes its 2015 diesel emissions crisis the starting point for its latest ad ‘Hello Light’.
The ad is clearly intended to signal VW’s shift to electric driving, while drawing on the company’s glory days of the 1960s and 1970s. It is eye-catching, and feels honest and refeshingly unnostalgic.
It is also brave. For one, there are clear risks in framing the firm’s shift to electric through the prism of its diesel emissions fiasco. Purists might also complain there is no apology – just as there was no apology in VW’s November 2015 goodwill marketing campaign.
Hello Light is no one-off, but is part of VW’s larger ‘Drive Something Bigger Than Yourself’ brand campaign that aims to press home it’s commitment to electric while drawing on its rich history.
Yet VW’s diesel emissions woes are far from over. With legal cases in 50 countries, 2019 may prove to be the company’s ‘most difficult year ever’ according to Hiltrud Werner VW Group board member and head of compliance.
Each court case will bring a rash of unwelcome publicity as old documents are raked over and new evidence comes to light. Much will hinge on the company’s rogue employee defence, which is looking increasingly brittle.
Major cities are banning diesel cars in their centres. And several top auto manufacturers have promised to end production of the internal combustion engine. VW says its last generation of combustion engines will be launched in 2026.
In addition, the electric market is a challenging proposition thanks to new entrants such as Tesla and the relatively high cost of electric technologies, even if these costs are now starting to fall as volume increases.
Set against this background, VW’s electric driving campaign is worth the strategic and reputational risks.
Not that these two views are necessarily mutually exclusive.
Early social media strategy
Initially, many companies took to social media to increase
reach and build buzz. A sale or two might even be recorded.
There were competitions and promotions galore, and plenty of grinning
employee photos and CSR fluffiness to make people feel well disposed.
Lo and behold, follower and ‘engagement’ rates rose and management
was delighted. Now we’re onto something, they figured.
The trouble was that they didn’t really know who was signing
up or why they were doing so. And, frankly, they didn’t much care as long as
the numbers continued to travel in the right direction.
So email addresses and telephone numbers were amassed, channels
proliferated, customer segments segmented, and ‘conversations’ sparked.
Customers appreciated it for a while. It was fun and involving and every now and again you might receive a free bar of soap or a voucher for a half pint of Tennent’s – provided you told your friends about it.
A sting in the strategic tail
Unsurprisingly, things then rather quickly became distracting
and tedious and occasionally menacing.
Promotions and content, even when they were properly considered
and delivered, easily became lightning rods for discontent, their sponsors oblivious
to the fact that the customer wants to use social media for real interaction, a
true conversation, a proper peek into the soul of the company.
What does the GDPR mean for business leaders, communicators, risk managers, lawyers and others preparing for tougher data privacy laws across Asia and responding to data breaches in the EU?
Here are some important principles to bear in mind:
Take swift, decisive
action to address the problem
Companies have no option other than to move fast under GDPR. There are only 72 hours to establish what has happened, assess the likely damage, notify the regulator(s) and communicate with those impacted can seem like precious little time, especially when the facts remain unclear.
Notification and communication can appear especially daunting when the hole remains open and the facts are unclear. Yet, the quicker a company moves to fix the hole and the more decisively it does it, the more likely it will be able to limit the actual and potential damage and rebuild confidence.
Err on the side of caution, but do not panic
It is easy to feel like you are being press-ganged into publicly disclosing a data breach. In fact, not all breaches need to be reported to the regulator, and some don’t need to be reported within 72 hours.
Some breaches do not pose a high risk to those impacted, while others may be considered temporary. In some cases, the data involved is unintelligible and/or already in the public domain, in others, the effort involved in notifying the regulator may be considered disproportionate to the actual or likely damage.
In such instances, a company may choose to inform the customer of an incident without notifying the regulator or making a public statement—provided it is confident it is on a safe footing legally.
However, generally, it is best to err on the side of caution and report a breach to the regulator. If one is unclear, information regulators will generally advise whether it needs to be reported. They may also provide guidance on whether it should be communicated with those impacted.
That said, there may be some instances in which
you feel it is more important to communicate immediately with those impacted,
before notifying the regulator. For example, where the data involved is
extremely sensitive, or where a supplier processing data for a business
customer is breached.
There are also good reasons to be wary of going
straight to the data subject. Customer and stakeholder expectations vary widely
on data privacy and, in the wake of an incident, their behaviours can conflict.
And news of a breach typically becomes public as soon as it has been
communicated with those impacted.
Whichever route you choose, it is usually best
to err on the side of caution. There’s no need to panic.
Be open and honest
EU information regulators have said they will take seriously anything that puts these twin principles into jeopardy and that they are willing to expand investigations beyond assessing IT/cybersecurity governance and controls to testing compliance in areas like technical competence and education and training.
The same goes for customers in Asia, who increasingly expect organisations to be honest about their shortcomings and to move quickly when something goes wrong.
Consider carefully how those impacted might be affected
Understandably, company leaders and executives fret primarily about the sensitivity and volume of data involved in a breach and what it means for the well-being of their employer. But it is just as important to pay close attention to those impacted and to the context in which the incident has occurred.
In August 2018, British Airways suffered a major breach involving the personal and financial details of over 500,000 customers. Despite no evidence of fraudulent financial activity at the time, British Airways quickly appreciated that the potential for lasting reputational damage was significant, given the large number of payment card and CVV numbers involved.
Hence the airline’s decision when it acknowledged the breach to offer compensation to customers for any financial hardship suffered—a promise that may result in significant payouts and higher insurance premiums going forward. The decision almost certainly also took into account the overwhelmingly negative reaction to the airline’s 2017 IT systems outage.
Consider carefully the needs and expectations of those impacted, the degree of external and internal scrutiny the incident attracts, your firm’s historic reputation, perceived culpability and other factors when you respond to a breach.
Don’t walk away
From a communications perspective, it is
tempting to treat a breach as a one-off negative event to be resolved with
a little timely public grovelling.
This is a mistake.
Nowadays, people take naturally to social media to vent their experiences and concerns, which can easily spiral into secondary news stories. Leaks are common, and breaches easily bleed into other business issues, thereby aggravating the situation and elongating the news cycle.
Worse, GDPR means regulatory investigations, fines and litigation are more likely, resulting in additional negative publicity. In the process, you may also come under greater pressure to publish internal and expert investigative reports.
It is important to understand that a breach is
often just the start of the reputational battle, and that you must stay – and be seen to stay – the distance
in all facets of your response if you are to have any real chance of
Align your response
The messiness and complexity of data breaches and the need for different business units to be involved in the response can result in sloppy, inadequate, or inconsistent communications.
Given the expanded legal obligations under GDPR, the likelihood of the emergence of equivalent regimes across Asia and heightened public awareness of data privacy rights, it is particularly important that companies’ legal and communications responses are properly aligned.
Legal and communications teams can sometimes be at loggerheads, so this is not necessarily as straightforward as it sounds. It need not be difficult. Unlike in a court of law, in the court of public opinion, a business is presumed guilty until it proves its innocence.
This doesn’t just mean one should be as open and honest as possible and that one’s rhetoric always meets reality. It means that a company must look at the wider picture, avoid inappropriate legal threats, actions, and lawyerly sounding statements, and apologize sincerely when it is at fault.
By following these principles, you will be less likely to botch your business and communications response to a data privacy incident.
More important, you will be in a much better position you to persuade your customers and others that you are acting in their best interests.