Be prepared, or pay the price

It seems the operating environment of businesses becomes more complex with every passing day. While companies are working hard to navigate these complexities, they’re increasingly being scrutinised by regulators and their stakeholders. And with news traversing the globe faster than ever, the risks and need to be prepared for a crisis have never been higher.

Recently, the Australian Prudential Regulation Authority released its Corporate Plan 2023-24, detailing the regulator’s focus areas for the next four years.

In the Plan, APRA’s chair John Lonsdale details how the swift collapse of Silicon Valley Bank in March 2023, and the takeover of Credit Suisse a week later, set off alarm in global markets and rattled public confidence around the world.

Without a doubt, he says, the digital connectedness of financial systems allowed for a bank run at a speed never previously witnessed.

Lonsdale notes that the events of March 2023 are one of several changes in the operating environment over the past 12 months that influenced the development of APRA’s latest Corporate Plan.

Other considerations included rising interest rates, higher inflation, and ongoing geopolitical uncertainty, as well as rising cyber security threats and the increased frequency and severity of natural disasters linked to climate change.

"One of the various challenges APRA plans to focus on is operational resilience, through an increased focus on cyber resilience, crisis management and operational risk management practices," Lonsdale says.

Government and industry regulators have been open about their willingness to act against companies that don’t pay attention to their risks.

Indeed, Australian Securities and Investments Commission (ASIC) chair Joe Longo told a recent conference that ASIC would look to make an example of directors and executives who are ill-prepared for cyberattacks, by taking legal action against them.

"For all boards, cyber resilience has got to be a top priority," Longo said.

"If things go wrong, ASIC will be looking for the right case where company directors and boards failed to take reasonable steps or make reasonable investments proportionate to the risks that their business poses. I can assure you that in the right case, ASIC will commence proceedings if we have reason to believe those steps were not taken."

Joanna McCarthy, Senior Director, Morrow Sodali, says: "The release of APRA’s Corporate Plan and the comments made by ASIC are not something that should be alarming. Rather, they are a clear reminder to organisations about the need to bolster corporate resilience, anticipate threats and be prepared to respond. Organisations need to face the risks and focus their attention on crisis preparedness in the same way that government and regulators are – ahead of time, not afterwards."

As with in life, things do go wrong in business and suddenly, nothing is business as usual. So, in addition to strong risk management protocols, McCarthy says companies need to have a detailed plan and processes in place for crisis communications to protect their corporate reputation and, ultimately, shareholder value when or if things go wrong.

Having a well-rehearsed crisis plan enables organisations to respond rapidly and with confidence when uncertainty and chaos can reign as a crisis unfolds. It may be that the usual systems of communication such as email, intranet, web and server access are blocked – for example, if hackers attack your systems. So knowing how to switch seamlessly to alternate communication channels is invaluable.

The implementation of a plan plays a pivotal role in minimising potentially adverse impacts during a crisis and can contribute to the safeguarding of a company’s reputation by:

• Equipping leaders with the tools to assess the reputational repercussions of a crisis and determine appropriate communication strategies for each stakeholder.
• Facilitating the swift execution of both external and internal communication during a crisis, recognising the critical importance of a rapid response.
• Establishing a structured framework of responsibilities and pre-prepared communication materials that can be tailored to particular events and disseminated promptly as part of a timely response.

Despite their tailored nature in an unfolding situation, all communications throughout a crisis should uphold the company’s brand and values.

"While achieving perfect preparedness for a crisis is unattainable, robust planning goes a long way to minimising risks," says McCarthy.

"Time and again, businesses have paid the price for poorly constructed and ill-timed or non-existent communication to stakeholders. The only change now is that, with increasing regulatory scrutiny and greater penalties, the price for not preparing and not complying just went up."