Archive

CEO, leadership & executive communications

Narrative. Story. Backstory. Media jargon is now part of the lexicon of public life, drawn on daily by politicians, journalists, commentators, marketers and businesspeople to set the agenda, challenge, inspire, dramatise and bring meaning.

For Boris Johnson, ‘Brexit is going to happen… and when it does, we must finally begin the positive narrative of Brexit Britain: tackling crime, investing in our health service and our schools, and fixing the housing market to help young people own their own homes.’

An American CEO and entrepreneur with an unorthodox career says she wants ‘to share with you my backstory and hope it can encourage you’.

And here’s Allianz Global Investors CEO Andreas Utermann looking to persuade asset managers of the merits of active investing by changing its fee model:

Allianz CEO changes active investor narrative

As communicators working in a fast-paced visual age in which facts and rumour and misinformation constantly compete for attention and viewpoints chop and change at a moment’s notice, it makes much sense to think like journalists, producers and storytellers.

The customer is not a moron media-junky

Talk of stories, backstories, narratives and episodes may sound impressive and make sense to our clients and ecosystem partners and media targets. Yet is this how our wives and children and friends and next-door neighbours think?

Do they, like Boris Johnson (who must compete with multiple other narratives and has his own rather complex backstory to contend with), reckon the positive story of Brexit Britain can only start if and when the UK leaves the EU?

Or do they think the facts speak for themselves, from whichever side of the political spectrum they hail?

We are in danger of assuming the man on the street understands and relates to such language. We also risk sounding pretentious, confusing, and disingenuous.

Focus on the facts not the packaging

As communicators we are, or should be, in the business of honesty and clarity, of rigorously examining the underlying issue rather than revelling in its packaging, of reducing the gap between rhetoric and reality.

This means sticking to the facts, avoiding jargon and doublespeak, and using words and phrases everyone understands. And it means persuading our clients to do the same – especially in a consumer or general public context.

‘Active managers add long-term value cost-efficiently. Our new fees reinforce this.’ Allianz could have said.

Which would have been clearer.

Our American CEO might simply have said she would like ‘to share with you my backstory unusual career path and hope it can encourage you’.

Which might have resulted in a few more clicks or likes.

Boris could have stated: Brexit is going to happen… and when it does, we can must finally begin the positive narrative of Brexit Britain start building a new and better Britain.’

More people might then believe him.

Since the start of the year a rumour has been swirling that Facebook has been using a then-and-now facial recognition photo-sharing challenge to collect data about users and improve its AI algorithms. The social network denies it started or is involved with the challenge. 

That people suspect Facebook of being involved, and that the rumour went viral, is indicative of the suspicion with which the company is held since its flaccid approach to privacy became widespread public knowledge.

Multiple data privacy violations

These suspicions are not new. There was the row over Facebook’s Beacon user-tracking service in 2007, concerns about facial recognition, a bungled psychological experiment into the moods of its users, and run-ins with the US FTU, ACLU and privacy commissioners in multiple jursidictions over many years.

According to Google, there has been considerable public interest in privacy (mostly as a proxy for internet and/or data privacy) for many years.

Google: Data Privacy News Trends


Facebook had plenty of time to tackle the problem and prepare a meaningful response. The Guardian’s initial story in December 2015 about the covert harvesting of user data by Cambridge Analytica did not ignite until whistle-blower Christopher Wylie lifted the lid on Cambridge Analytica twenty-six months later.

Yet they did little to address the core of the privacy issue, Mark Zuckerberg disappeared as soon as the story ran, and Facebook’s value dropped USD 119 billion in a single day. Zuckerberg hardly helped matters by refusing to appear before the UK DCMS Enquiry into Disinformation and ‘Fake News’.

How did Facebook fail to anticipate a major privacy crisis when the writing had been on the wall for so long? Were its leaders truly ignorant and out of touch, or simply failed to act substantively on the many warning signs? Why did they behave the way they did? Was Facebook’s experience isolated, or consistent with other reputational meltdowns? 

Reputation risk management

These are the kinds of questions posed by lawyer Anthony Fitzsimmons and insurance expert Derek Atkins in their book Rethinking Reputational Risk, in which they get to practical grips with the notoriously knotty, slippery topic of reputation risk management.

Rethinking Reputational Risk

Drawing on analysis of recent high profile crises such as BP’s Deepwater Horizon spill, Barclays’ LIBOR rigging, Tesco’s false accounting, and the VW diesel emissions scandal, the authors argue that the problem lies in the complexity of many modern businesses, the emergence of multiple online ‘unseen systems’, fast-changing stakeholder behaviours, inadequate listening, issues management and crisis preparedness, and an unwillingness to get to the root problem of problems and failures, chiefly due to over-confidence, complacency and hubris.

All this sounds familiar. But the book comes into its own when it addresses the failure of ‘classical’ risk management and the three/four line of defence model, which is regarded as overly rigid and ill-suited to handling the many and varied behavioural risks, from weak culture and values and inappropriate incentive schemes, to the blurring of personal and professional lives and the character and personality traits of senior leaders.

The authors rightly argue that reputation risk is first and foremost a leadership responsibility, and too often it is at Board level that things fall down. Board failures were involved in 50% of the 42 crises studied.

Why?

Because Boards are essentially self-selecting, and overly reliant on people with financial and operational experience, as opposed to the forensic, analytical, behavioural and digital skills that are required in today’s globalised, networked and inherently volatile economies. There is much in this.

Since concerns about Facebook’s approach to privacy first started emerging several years before its murky dealings with Cambridge Analytica came to light, Mark Zuckerberg and Sheryl Sandberg have admitted that they should have taken user privacy far more seriously.

The important question on why they didn’t heed the warning signals earlier appears to have a single plausible answer: user privacy was regarded as a price worth paying for growth, and they would make the most of it while the sun shone and regulators, politicians, customers and the general public had more important fish to fry.

Mark Zuckerberg may insist he is personally responsible for Facebook’s privacy lapses, but Facebook’s board is also responsible and must prove itself equal to the task of fixing the holes properly, and holding its CEO to account. Its members would do well to read Fitzsimmons and Atkins’ excellent book.

Meantime, Facebook must shoulder part of the blame for the many rumours about it – be they accurate, misinformed, or plain false.


A series of vague and apparently contradictory statements have marked Cathay Pacific’s public response to its recent data breach – the world’s largest airline data privacy incident.

While the extent of the damage to the company and its reputation remains unclear, the breach has been described by Cathay’s Chairman as ‘one of the most serious’ the airline has faced, and that its response would be ‘different’ tomorrow.

What can be learned from the airline’s fumbled response?

First, the backstory: late one evening Cathay acknowledges a ‘data security event’ affecting 9.4 million customers that it claims to have acted to contain ‘immediately’. A torrent of negative coverage and plenty of speculation about the state of the firm’s IT security quickly ensues. Journalists and customers complain that Cathay is not responding to phone calls or emails.

The following morning Cathay admits that it had been aware of suspicious behaviour on its network for a three month period starting March, prompting an avalanche of questions from worried customers and bemused regulators and politicians about why it had taken so long to inform its customers. CEO Rupert Hogg takes to the media and video to defend his firm.

Three weeks later, Cathay submits a statement (pdf) to Hong Kong lawmakers confirming the attack had intensified over a three month period and that it had known in August that passenger data had been accessed and/or stolen. Cue a third wave of hostile coverage, this time questioning the company’s honesty and transparency. Lawmakers accuse the company of orchestrating a cover-up.

(Business Traveller has a useful timeline of the incident).

Making inaccurate or inconsistent statements during a data privacy incident is easily done when facts are thin on the ground and the media is breathing down one’s neck.

Top data breach communications pitfalls

Based on my experience, here are the top five communications mistakes organisations make when responding to a data breach – the first and most damaging of which is zero communication:

  1. Concealing a breach. Until recently, most data breaches were not made public. GDPR and other data privacy laws now mean organisations must notify those impacted and the relevant authorities about a breach. Yet some will try to bury it from public view. As Uber and Yahoo! can testify, a cover-up is seen as worse than the breach itself. Substantial fines may appear a good deterrent to concealment, but research shows the longer-term reputational damage can be more significant.
  2. Confirming a breach too slowly. Cathay Pacific took three months to delay formal notification in order to contain the attacks and to determine what data had been lost and who has been affected. But organisations in many jurisdictions are now obliged to notify regulators quickly, and customers now expect to be informed quickly, and view organisations that are seen to move too slowly as unprofessional, clueless, or with something to hide.
  3. Providing inaccurate facts or data. Cathay Pacific may have waited until it was sure of the facts and numbers, yet many organisations now quickly go public about a breach to meet their regulatory obligations, or under pressure from a third party, and then have to revise their statements as the facts become clear (eg. Dixons Carphone revising upwards the number of records involved in its 2017 data breach from 1.2 million to 10 million). This creates additional negative news cycles, and creates a perception of amateurism at best and willful obfuscation at worst.
  4. Downplaying a breach. It is tempting to claim that the sensitivity and scope of the data and systems involved in a breach are limited, or that the impact on the company and those affected is minimal. But such statements can easily come undone as the full extent of the intrusion comes to light, leaving you looking irresponsible or worse.
  5. Providing inadequate media support. Cathay chose to push out its bad news late in the evening and send its teams home. But little irritates journalists more than an unmanned communications team or unresponsive senior management, and senior executives unable or unwilling to provide a human face to something that has already been confirmed publicly by the company.

Every organisation is advised to avoid these pitfalls wherever possible.

Cathay’s CEO may have promised the airline would respond differently to future breaches, but he did not elaborate how.

Notifying regulators and customers more quickly is an obvious starting point.

Careful thought should also be given to the openness, transparency, tone, consistency and ownership of its’s statements, amongst other factors.

Tim Bell has been widely – and rightly, in my opinion – excoriated for his ‘car crash’ Newsnight appearance before Kirsty Wark defending his role in Bell Pottinger’s demise.

With his (former) company on the verge of bankruptcy, his own name being dragged through the mud, and mindful of the potential impact of his own consultancy Les Frontieres, Bell set out to distance himself from events, and from his sparring partner James Henderson.

Arguably, he just about managed it, even if he also came across as arrogant, dismissive, and shifty.

He also made a notable gaff by leaving his phone switched on.

But was this the silly, cringe-worthy error it appeared?

Bell is a seasoned PR hand who prepped Margaret Thatcher, amongst others, for media interviews.

There is almost zero chance he would accidentally have left his phone on. And even less chance that he would have failed to turn it off again during a high-profile, high stakes interview.

Bell deliberately left his phone on and enlisted friends to call and message him in order to disorientate and distract his interviewer from the outset.

The diversionary tactic failed. Wark stuck doggedly to her task and proved she was not for turning – leaving Bell in an even deeper hole.

Thatcher must be looking askance in her grave.

How you are seen to respond to a crisis matters, and with the internet a critical source of information, especially in a crisis, both your offline and online communication must be credible and consistent.

McDonald’s handling of the ongoing meat expiry scandal in Hong Kong shows clearly what happens when the two channels get out of sync.

How the crisis developed

The backstory: The Shanghai Husi Food Co is found to be selling meat past its expiry date to its customers, including Yum Brands (KFC, Pizza Hut), McDonald’s and Starbucks. Systematically. And condoned by management. Customers on the mainland quickly suspend sales of relevant products. McDonald’s Japan, also a customer, suspends sales of chicken products.

Meantime, McDonald’s Hong Kong denies it has a relationship with Shanghai Husi to the Hong Kong government, which launches an investigation that quickly establishes otherwise. McDonald’s then argues with the local health authority about who should make a statement and when it finally does so itself, issues a ‘sincere’ apology and refuses to answer any questions.

Ham-fisted crisis response

The burger chain subsequently publishes the message below to its local website. A textbook guide to poor crisis communications could hardly have put it any better.

McDHK_meatexpirycrisiswebsitemsg

Some brief observations:

  • The message is not addressed to anyone
  • It appears selectively misleading (‘…we have proactively suspended relevant food ingredients’)
  • There is no hint of remorse
  • The customer apology is buried at the end and appears wholly insincere
  • The company provides no hint of how it is going to stop a similar incident happening in the future
  • It is unhelpful, providing no additional information or ability to ask questions online or via a hotline
  • It is unclear who owns the statement – the local CEO?
  • The English is badly mangled and the paragraphing awkward (at best).

In the final analysis, McDonald’s appears both evasive and incompetent.

All is not lost. Nobody has (yet) fallen ill and Ronald and his companions have plenty of goodwill in the tank – even weddings are held between the hallowed yellow arches here.

To re-build trust they will need to take concrete actions to ensure this cannot happen again, and communicate these actions simply and clearly. While bearing in mind that what is said online is consistent with what is said offline.

%d bloggers like this: