Crisis Audits: The Lifeblood of the Socially Responsible Organization

Posted on July 1, 2021 by imitroff

Crisis Audits are the foundation of the Socially Responsible Organization. They are fundamental in assessing the crisis potential of organizations They are thereby the foundation upon which the Crisis Management (CM) plans and preparations of an organization are built.

Because they are so critical, they cannot be conducted by the members of an organization themselves. As a general rule, people only see the crises that are directly associated with their immediate jobs and positions, if they are able to see even them. Thus, even though one starts an audit by asking the open-ended question, “What is a crisis for your organization?”, the answers one gets are largely dependent on where one is and does in an organization. For this reason, it’s not advisable to give the respondents a general list of the different kinds of crises where they can then check off all those that they think apply to their organization. Instead, one wants to see what comes to their minds without being prompted.

After they have responded to what they believe is a crisis for their organization, follow-up questions probe for how well prepared they are to handle it.

It’s advisable to interview as many members of an organization as possible to get as accurate a picture as one can of the full range of crises to which they feel they are susceptible. This not only includes the top officers of an organization but those as far down as possible. The responses between them couldn’t be more different.

After having ensured the respondents that everything they say will be treated in the strictest confidence, and that no names whatsoever will be attributed to anything that is said, those at the bottom are much more likely to be forthcoming about the potential for employee sabotage. They are also likely to be more forthcoming about sexual harassment, especially women respondents. They are equally likely to be sensitive to threats, real and imagined, between fellow workers, especially those directed upwards to their superiors. Unless they have strict assurances that they will not be punished for reporting their suspicions, let alone their direct observations, they will not report anything for fear of retaliation, either physically and/or the loss of their jobs. One of the best ways of assuring that they will not be punished are anonymous tip lines. But this means that someone in the upper hierarchy—the most appropriate being the head of Human Relations (HR)–has given them their full support.

As a general rule, the heads of HR are concerned about the general morale and well-being of employees. They are also concerned about those who are most vulnerable to outside pressures that would cause them to engage in acts of internal sabotage. They worry constantly about disgruntled workers. 

The heads of Information Technology (IT) are primarily concerned about the general security of the organization’s proprietary information. They worry constantly about hackers. But most of all, they worry about potential alliances between insiders who know the system’s inner workings and outsiders who can link up with them and thereby do the most damage by exploiting its vulnerabilities.

The heads of Security are concerned primarily with the physical protection of an organization. How secure is the organization to persons gaining unauthorized entry?

The Chief Financial Officers (CFOs) are primarily interested in the financial health and well-being of the organization. How well are their stocks doing in markets around the world? Is the organization vulnerable to hostile takeovers? How well are they protected from insider-trading?

The Chief Legal Officers are concerned primarily about lawsuits, especially those without merit. In short, how do they protect the legal liabilities of their organizations? 

Finally, the Chief Executive Officers (CEOs) are concerned about the general reputation of the organization. They are equally concerned about unfair competition. And they are concerned about the loss of proprietary information that can pose major threats to their organizations as a whole. In this regard, they are especially concerned about the threats posed by foreign competition, particularly lower wage jobs. They are also focused on anything that can disrupt long-term strategic goals and objectives.

The one thing that emerges time and again from such audits is how virtually no one sees the full range of crises to which they are susceptible and thus prepares for them as a whole. Because no one sees the complete picture, they don’t see the interconnections between the various Types of crises, especially how anyone of them can set off any of the others. Just as bad is the fact that the preparations for each of the crises that the various parties do acknowledge are at best fragmented and incomplete. 

If this weren’t serious enough, it’s made worse by the fact that organizations are facing a whole new series of threats for which they are largely unprepared, if they’ve even given them any thought. Thus, few give serious thought to the unintended consequences of their products and services, manufacturing processes, technologies, and so forth. Likewise, few are prepared for how others will abuse and misuse their products and services for nefarious purposes. In addition, little if any thought is given to dis and misinformation and how it could affect them. Virtually none is given to what if they are the sources of dis and misinformation.

By far, the biggest factor is the Culture of an organization. Does it truly value and thereby give CM the importance it requires? Are the organizations reward systems in sync with CM? Are the bearers of bad news rewarded or “killed”?

Is the organization even aware of how national and international crises such as Domestic Terrorism and Pandemics could affect them?

Without a doubt, the biggest and most difficult job of a Crisis Auditor is presenting the full picture of the crises that can affect an organization in such a way so as not to scare off the top executives who for one reason or another decided to do a Crisis Audit in the first place–the most prominent reason being that they’ve had a recent “near death experience.” Somehow or another, someone in authority has gotten the “light” that they need to assess their full vulnerabilities. 

In the end, one is playing a highly dangerous and tricky game. Is there time enough to allow people slowly to come to grips with the realities with which they are faced, while betting that the worst doesn’t happen to them in the interim?

About imitroff

Dr. Ian Mitroff is Professor Emeritus at the Marshall School of Business and the Annenberg School for Communication at the University of Southern California in Los Angeles. He is the president and founder of Mitroff Crisis Management, a private consulting firm based in Oakland, California, that specializes in the treatment of human-caused crises. He is a Senior Affiliate with the Center for Catastrophic Risk Management at the University of California, Berkeley.
This entry was posted in Crisis Management and tagged , . Bookmark the permalink.