From natural disasters to technological crises to workplace violence, this guide can help you evaluate the risks for your business, protect and prepare your business with proactive security measures, and develop and enhance your business’s response plans.
The world is an uncertain and complicated place. But one certainty is that every business — regardless of size and industry — risks facing a crisis, which may arise unexpectedly, and turn your business’s smooth sailing into rough seas.
You can take steps to protect your business from some crises, such as a breach of your electronic security, through proactive measures. Others, like a natural disaster, cannot be prevented. But one thing likely to add to the strain of any crisis is trying to deal with it unprepared.
Having a solid, well-structured plan in hand before a crisis gives your business its best chance to survive and recover.
If your business doesn’t have a formal crisis plan, step 1 below outlines actions to help you get started. To help your company prepare, we also recommend implementing proactive security measures and creating the business continuity and communication plans outlined in step 2.
Planning for a crisis can seem overwhelming, but you can get started in five manageable steps.
Your business may not have specialized employees with experience crafting a crisis plan. However, there
are a number of outside agencies available, from security consultants to crisis communications experts, that help businesses prepare for various incidents.
we also recommend implementing proactive security measures and creating the comprehensive business continuity and communication plans outlined in step 2.
Fraud, theft and information compromise can put a strain on your capital, expose confidential customer information and erode trust.
Your first line of defense is to make sure you have the proper security, policies and controls in place. Your security and IT departments should collaborate to ensure your electronic systems are an uninviting target through regular IT vulnerability assessments.
Many organizations educate only the money movers about fraud and data compromise schemes. But every employee from the C-suite to the mailroom should be taught how to spot, mitigate and report fraud attempts. So, what should you educate employees about?
Emotional Tactics:
Business Email Compromise (BEC):
Phishing:
Fraudsters are just as serious about their business as you are about yours; as such, their strategies, technology and expertise often advance quickly.
No organization is immune to fraud, so protective measures are imperative. Reviewing our fraud protection checklist on a regular basis can help you make appropriate policy and procedure changes.
Fraud and theft can come from inside or outside your organization. In 2010, electronic theft surpassed physical theft for the first time, and the divide has only grown since.2
Information is one of a company’s most valuable assets. Whether it’s a trade secret or a list of customers’ Social Security numbers, it’s priceless. It’s also a prime target for anyone who can breach your system.
Some common methods of defrauding a company beyond BEC include:
Fraudsters are just as serious about their business as you are about yours; as such, their strategies, technology and expertise often advance quickly.
No organization is immune to fraud, so protective measures are imperative. Reviewing our fraud protection checklist on a regular basis can help you make appropriate policy and procedure changes.
Fraud and theft can come from inside or outside your organization. In 2010, electronic theft surpassed physical theft for the first time, and the divide has only grown since.2
Information is one of a company’s most valuable assets. Whether it’s a trade secret or a list of customers’ Social Security numbers, it’s priceless. It’s also a prime target for anyone who can breach your system.
Some common methods of defrauding a company beyond BEC include:
Your crisis plan should address some components of a comprehensive business continuity plan. However, implementing a business continuity program is a good next step to help ensure that business processes can continue during an emergency or disaster.
1. Conduct a Complete Business Impact Analysis
Complete a review of all the business processes within the organization, and the technology, services and vendors required to support them. Next, analyze the list to identify which are most critical for the business’s survival.
Depending on the size and complexity of your business, identifying all of these might be challenging, but administering a questionnaire that all business leaders are required to complete is one way to help you identify any gaps in the list.
Once all business processes have been identified, prioritizing them is the next step. In the event of a disaster, you’ll want to have already identified what processes are most critical to keep your business running. Of course you want to save everything, but if you can’t you must have the systems in place to save what you absolutely need.
2. Conduct A Risk Assessment
Create as comprehensive a list as possible of the specific types of risks that could impact each business site or location. For example, a business site on the Florida coast may be at risk of hurricanes, while a business site in Wisconsin needs to prepare for a crippling blizzard. Both may be at equal risk from a non-weather crisis, however. Each risk should be considered in terms of likelihood and possible impact on the business.
3. Business Continuity Plan
In creating the plan itself, the two previous items are considered in concert with each other to create a step-by-step strategy for the business to recover from whatever the crisis may be.
As part of your gap analysis, determine the gaps between recovery requirements and current capabilities. Then explore recovery options, and take the proper steps to implement them. Also consider what equipment or other supplies are needed that may be required by various processes.
From the first realization a crisis is occurring to resuming operations as normal afterward, a business continuity plan should identify the following for each of the events your business is most to prone:
4. Testing
The plan isn’t complete until it’s been tested. This means role-playing through the crisis and including both physical tests and technical — or IT — tests. In a technical test, you’ll want to consider: Can the information be relocated to a safe site? In a physical test, you’ll want to consider: Can a building be evacuated and a remote office set up in another site? Don’t neglect user acceptance testing after systems are moved; if your recovery system is implemented, the people who use the systems every day need to be able to resume their work with a minimum of adjustment.
Your crisis team, including executive management, should review and approve the initial plan, and revisit it annually after testing.
No matter what kind of crisis your business faces, it doesn’t come alone — whether it’s a natural disaster, pending litigation or security compromise — it often comes with a communications crisis attached at the hip. Poor handling of communications during a crisis can shake confidence, erode employee morale or impact your public reputation, compounding issues and worsening the crisis.
1. Identify Relevant Audiences
Revisit and expand your audience list for each type of crisis. Consider whether each audience has different segments that need to be communicated to uniquely for each scenario. For example, do you need to communicate something additional to your customer-facing employees than other employees?
2. Identify Communication Channels
Identify which communication channels are available and effective for each audience segment in various crisis scenarios.
3. Document Procedures for Approval and Deployment
Intended communication may require approval from different individuals or groups within the organization. Make sure those processes are outlined in your final plan, and detail the proper steps and key players before issuing any communication.
4. Develop Communication Templates
Though you can’t predict the future, by creating communication templates and ensuring they are preapproved by the proper parties in advance, you’ll be much more nimble when every minute counts. Another advantage to creating communication templates is you can weigh messages when you’re in a clear frame of mind versus being in a reactionary mode during a crisis.
5. Identify & Train Spokespeople
Carefully select individuals who can represent your organization in the event of a crisis, then provide media training for those spokespeople. It’s essential that each of them understands the basics of how to effectively interface with the media in critical times.
You should also make sure that your crisis and recovery teams know who the identified spokespeople are, so that unauthorized individuals do not speak on behalf of your company.
Your crisis team and executive management should review and approve the final plan, and revisit it annually after testing.
No doubt about it, handling a crisis is exhausting. But when it’s over your work isn’t done. It’s important to conduct a review session with every response team participant. Then revisit your plan, evaluate your actual response and adjust your plan accordingly. Don’t let the experience you just had in crisis management go unused.
Make sure employees know that they should not respond to inquiries from the media. Arm them with procedures so they can effectively direct incoming media inquiries to the appropriate spokesperson, and remind them of the policies and procedures annually so the expectations are top of mind.
Every business is different and every crisis plan is different. Your circumstances are unique, and your plan should be tailored to match them. Our highly experienced bankers are well-versed in the trends and topics that affect your business. Plus, our network is your network; we’re always happy to connect our clients with experts from our company or contacts within our network. Contact a Texas Capital Bank relationship manager to discuss the future of your business.
Experience more with experienced bankers who are committed to helping you grow.
“Business E-Mail Compromise E-Mail Account Compromise The 5 Billion Dollar Scam.” Public Service Announcement, Federal Bureau of Investigation Internet Crime Complaint Center, Federal Bureau of Investigation, 4 May 2017, https://www.ic3.gov/media/2017/170504.aspx. Accessed 13 June 2018.
“Information Theft at Companies Surpasses All Other Forms of Fraud for First Time.” SecurityWeek, 18 October 2010, https://www.securityweek.com/informationtheft-companies-surpasses-all-other-forms-fraud-first-time. Accessed 13 June 2018.
Simon, Matt. “30% of businesses will fail because of employee theft.” Hill & Hamilton, 3 March 2016, https://www.hillandhamilton.com/ohio-insurance-blog/30-percent-of-businesses-will-fail-because-of-employee-theft. Accessed 13 June 2018.
“Data Breach QuickView Report.” Risk Based Security, January 2017, https://cdn2.hubspot.net/hubfs/614666/Reports/2016/2016%20Year%20End%20Data%20Breach%20QuickView%20Report.pdf. Accessed 12 June 2018.
DeNisco Rayome, Alison. “DDoS attacks increased 91% in 2017 thanks to IoT.” TechRepublic, 20 November 2017, https://www.techrepublic.com/article/ddosattacks-increased-91-in-2017-thanks-to-iot/. Accessed 12 June 2018.
Texas Capital Bank is a wholly owned subsidiary of Texas Capital Bancshares, Inc. We are headquartered in Dallas, Texas, and work with clients across the country. All services are subject to applicable laws, regulations and service terms.