On 18 May 2010, almost a month after an explosion on BP’s Deepwater Horizon oil rig in the Gulf of Mexico, Tony Hayward, BP’s CEO at the time, told reporters: “I think the environmental impact of this disaster is likely to be very, very modest.”
In the event, five billion gallons of crude oil leaked into the Gulf of Mexico, 11 people lost their lives and, to date, BP has spent $55 billion on fines, payouts and clean-up costs. The company’s share price more than halved from a high of 651.46p and has never really recovered.
When a crisis goes beyond the operational aspects of fixing what has gone wrong, there are expensive pitfalls. “There can be costs in terms of loss of share and brand value, lawsuits, bad media exposure and of doing business afterwards,” says Luciano Bordon, Partner, Advisory Services at Grant Thornton Brazil. “The common reason for these crises is the lack of enterprise risk management. When a company has good enterprise risk management, these kinds of failings can be avoided.”
How you communicate with your stakeholders is just as important. If you get it wrong, the repair bill is likely to be much higher than expected.
Good enterprise risk management (ERM) is a fundamental part of good corporate governance. Vassilis Monogios, a Partner in Operational Advisory at Grant Thornton Greece, recommends the 'Three lines of defence' model as one to follow. It enables you to understand which structures inside an organisation can help you to identify, measure, manage and audit all possible material risks that threaten the strategic, financial, operational and compliance objectives of the company.
“The first line of defence is management: sales directors, purchasing, finance, IT directors and so on. They manage the risks in their area,” Monogios explains.
“The second line of defence has to do mostly with compliance and risk functions. Compliance deals with what the company needs to implement to be compliant with external regulations and internal processes. The risk function continuously evaluates those risks to see if they are mitigated to an appropriate level, according to the risk appetite of the organisation.
“The third line of defence is the internal audit function, which audits the organisation’s entire operations and captures the material issues that the first and second lines perhaps could not deal with effectively. It’s a very practical model.”
This model can work for smaller organisations as much as larger ones, says Bordon. “If it’s not a whole department, then make people responsible for internal controls. If they don’t have the expertise, hire consultant firms to evaluate internal controls. You can also buy internal audit systems to help in this kind of assessment.”
An effective ERM strategy will also include a crisis communications plan for when things still go wrong, despite the three lines of defence, says Monogios. Without this, a problem that should be no more than moderate could become bigger. Even worse, a serious problem could disrupt the company's entire operation.
An effective crisis communications plan will cover how the media, public and shareholders are addressed during difficult times, including contingencies for the kind of scenario faced by BP.
Crucially, staff must be familiar with it at every level of the organisation. This is particularly important in today’s world where every employee, not just the CEO, has access to publishing platforms such as Twitter, Facebook and LinkedIn.
“Our best-prepared clients have a compliance department with a big communications plan for the whole organisation that explains good practice and how to avoid crises and mistakes,” says Bordon. “And all those responsible – everyone in management – teach their employees. They have meetings to explain the compliance programme. It's not only down to one person in the company, it's a multi-disciplinary task force.”
No company wants to be caught in the media spotlight for the wrong reasons. Good enterprise risk management helps prevent crises from occurring in the first place but if they still do, it also offers a robust communications plan that tells you how to speak to your stakeholders when things go wrong. As Bordon says: “You want to be more preventative before than detective afterwards, looking for what went wrong.”
To find out more about using enterprise risk management to avoid a communications crisis, contact Vassilis or Luciano directly.