How come you didn’t see this coming?
Board governance and crisis management: from oversight to foresight
When the Boeing Starliner successfully launched its first crew to the International Space Station, a colleague I was having a coffee with breathed a sigh of relief. Phew. Nothing fell off! It dawned on me: if a reputational issue trickles into café small talk, that’s precisely the sort of thing that should be dealt with at the board level.
I always remind myself to have empathy for organizations in crises. In hindsight, it’s easy to speculate on what could or should have been done, even when we don’t know the whole story. In real time, crises catch everyone by surprise. A pandemic shutting down the world. A war erupting. A cargo ship ramming into a bridge. A global tech outage paralyzing airports, hospitals and banks. We just cope as best we can.
Yet, some crises are predictable surprises that organizations can and should be prepared for. Following two deadly Boeing 737 Max jetliner crashes and the blowout of a door plug during an Alaska Airlines flight, it was hard not to connect the dots. In the business where failure is not an option, Boeing has repeatedly demonstrated it has a safety issue.
As the saying goes, culture eats strategy for lunch. At Boeing, it seems the other way around. The board and CEO’s strategy of cost-cutting has eaten an engineering culture where safety was once king.
Someone at the top could and should have raised questions. What happens when we put shareholders ahead of customers?
When an organization makes a strategic choice, it must do the homework on its vulnerabilities. At the very least, there should be a plan to work through the issues before they become bigger problems in early detection, prevention and mitigation programs.
Simply put, strategic planning and proactive crisis management go hand in hand. It only makes sense. The “threats” identified in a SWOT analysis are a natural starting point for risk assessment. At the very least, someone at the boardroom table should say: “Go through this strategy with a fine-tooth comb and come back with what can go wrong.”
Unfortunately, in many organizations, strategic planning and risk management are completely separate processes. Overseen by different teams. In some companies, enterprise-wide risk management frameworks don’t exist. And when they do, they often rely solely on hard data. What are the odds of this happening? This question defines what risks organizations pay attention to. The odds are expressed as statistical probabilities based on the experience of the recent past.
Traditional risk management first emerged in the insurance and financial world. It’s the science of the quantifiable. Like value at risk in a bank. Quantifiable threats can be marshalled into checklists and matched with operational controls. Done!
Peter Drucker allegedly observed: what gets measured gets managed. This paradigm makes the business world go round. There’s no denying that, when threats are predictable and the future looks similar to the past, much of risk management can be quantified and codified.
However, that’s not the world we live in. It’s not business as usual. In this uncertain world, the question is, what happens to what can’t be measured? My unscientific guess: it just falls through the cracks. Worst-case scenarios and all. Who could have predicted that a software update at a Microsoft’s partner CrowdStrike could disable 8.5 million Windows devices in one go?
Boards that speak only one language – data analysis – carry out their oversight functions without the tools to get in front of the question they will ultimately be asked. How come you didn’t see this coming?
When Tony Hayward became CEO of BP in 2007, he introduced new rules, such as the requirement for all employees to use lids on coffee cups while walking and to refrain from texting while driving. In 2010, the Deepwater Horizon oil drilling rig exploded in the Gulf of Mexico. The U.S. investigation commission attributed the incident to management failures that inhibited “the ability of individuals involved to identify the risks they faced and to properly evaluate, communicate and address them.”
While this is an extreme example of a narrow, simplistic understanding of risk management, it shows that the darkest scenarios lurk beneath the surface. They are not easily identifiable. And these murky, ill-defined “surprises” have an uncanny way of putting boards in the spotlight. Safety issues. Toxic workplace cultures. Fraud. Crime. In extreme cases, the unacknowledged risks may ultimately lead to board and CEO resignations. The unfortunate part? Many of these risks are predictable surprises.
To surface them before an issue becomes a crisis, we need to move from asking “What are the odds of this happening?” to “What’s important?” Even when it’s not easily measured. And then ask “What if?”
What if a natural resources company drills several miles below the surface and something goes wrong with the well seal? What can happen to quality control if an aviation company like Boeing starts to prioritize cost-cutting?
In an uncertain, crisis-ridden world, the science of hard evidence is not enough. Asking “What if” marries data and imagination in the art of scenario planning, which should be at the core of proactive crisis management, strategic planning and board governance.
Oversight is no longer possible without foresight. When it comes to predictable surprises, “how come you didn’t not see this coming?” is the question all boards need to be prepared for.
Here are five ways boards can enhance their resilience:
1. Balance oversight and foresight.
Leave enough space in meeting agendas for generative discussions about opportunities and risks. Avoid getting bogged down in the oversight weeds. Direct the management to pick up warning signals and deal with them head-on in early detection and mitigation programs.
2. Integrate strategic and crisis planning.
Reviewing strategy, request an assessment of what can go wrong in its implementation. Make sure this analysis is not just filed away in the board pre-read folder. Work with the management to use it as a critical input in proactive crisis management programs.
3. Use scenarios to plan ahead.
Get ahead of uncertainty by working through a range of scenarios when dealing with unexpected or escalating issues. Assign them to small plan-ahead teams. They will refine scenarios as more information becomes available and make recommendations to pivot, as needed.
4. Prioritize worst-case scenarios.
Deal with the “scariest” scenarios first even when their probabilities are not in favour of putting them at the top of the board agenda. Make sure unquantifiable threats don’t fall through organizational cracks. The most damaging scenarios should be prioritized for full support in crisis management programs.
5. Champion board resilience.
According to a Deloitte survey, almost one-fifth of board members say they have no crisis playbook. However, some issues – from strategic errors to succession planning to executive compensation – are escalated to directors. They should be equipped with up-to-date board-level crisis plans.
Natalia Smalyuk is an award-winning advisor and trainer with a focus on strategic communication, crisis resilience and stakeholder engagement. She runs a Women Business Enterprise (WBE) certified consultancy called NBAU. What is NBAU? Not Business as Usual. Why NBAU? Because there’s no such thing as business as usual for leaders who think ahead and see a landscape of opportunity — and risk — across the unchartered global space. NBAU supports organizations in building resilience before, during and after adverse events with a unique crisis planning and training model that broadens the understanding of crises and enables positive action in an uncertain world.