Code Black: 50 Lessons in Crisis Management

by Mark Rowe

Author: Glenn C Schoen

Review date: 09/05/2024

No of pages: 148

Publisher URL:
https://www.glennschoen.com/work/

Brief:

Glenn C. Schoen is owner and CEO of Boardroom@Crisis BV

Code Black: 50 Lessons in Crisis Management for Effective Leadership, by Glenn Schoen, was 2023 winner of the ASIS International book of the year prize. It’s easy to see why Schoen’s book found favour with the judges, writes Mark Rowe.

You’ve outsourced and some vital product or service in your supply chain isn’t coming through; some marketing campaign of yours has gone down badly on social media, and your share price is falling; a piece of dis/mis-information about the CEO, ditto; you cannot do a thing because ransomware has frozen your IT; whether thanks to climate change or not, one of your branch offices is in the path of a wildfire. As Glenn Schoen puts it at the very beginning of his book, ‘crisis management is no longer the esoteric art of the few it once was. General management now increasingly has to deal with it too’. And, we might add, security managers too. In passing we can note that the previous two years’ winners did not have security in their title either, covering emergency management in 2022 and risk assessment and threat reduction in 2021.

As Schoen writes in the introduction, he set out to compile ‘practical, rapidly applicable real-life learnings’, whether the crises were related to IP theft, terrorism, cybercrime, false accusations or fraud. One of his points is that crises ‘inherently involve novelty and no one size fits all’. That said, you can learn from the experience of others, whether in the field, or crisis team rooms, situation rooms or boardrooms.

Code Black, as Schoen explains right away, is an old Pentagon alert code for ‘danger – we’re facing a potential crisis’. He argues that crises ‘continue to increase in scale, frequency and potential impact’, whether because tech is ever more connected, the weather more volatile, or the economy more globalised, or some mix of these and other reasons. Schoen makes the shrewd point, rightly starting with definitions, that all those around the proverbial or actual table have got to agree on what a crisis is (and isn’t).

Here are Schoen’s seven characteristics of a crisis:

  1. Pose sudden, urgent major challenges;
  2. Contain a degree of novelty to you;
  3. Require top-tier engagement;
  4. Disrupt regular routines;
  5. Disturb stakeholders;
  6. Create friction; and
  7. Have a tail.

Schoen defines further by separating ‘evident’ from ‘emergent’, slow-burning crises; ones that make you go ‘whoa!’ or ‘hmmm’, as Schoen puts it endearingly. Chernobyl, the Indian Ocean tsunami, an earthquake or explosion or volcanic eruption: no mistaking they are a crisis for those in the vicinity. But a fraud, or cyber breach, or theft of intellectual property? It may not turn into a crisis; or it is one already, but you just haven’t noticed?!

Numerous books are out there about business continuity and crisis management; what does Schoen bring, and who would find the book useful? The text is dripping with wisdom, thanks both to Schoen’s experience and to the words of others, such as the former US Secretary of Homeland Security Michael Chertoff (who himself went into consultancy after that federal service): “You know you’re in a crisis when a first run-through of your control process didn’t end it.”

Schoen shows how crisis management is a process, which can be a comfort for any team, whether medics treating casualties or managers handling a ransomware demand or a ransom demand in a case of product contamination. He goes on to write in terms of risk; structure; and leadership. As with security management, managing a crisis has to be firmly about reality; if you assume anything, that’s fatal. As a crisis unfolds, news floods in (can you trust what you’re told by those frightened for their lives or their careers? Is the news that is coming in what you most need to know?), and being overloaded with information is as bad as the opposite. People may take the easy way out, or fail to rise to the occasion. Neat, generic check-lists won’t work.

That said, Schoen stresses that you do need structure: “You need a policy, plan, and procedures. You need to form, instruct, train, test, and maintain a team. You need to house it, equip it, provide it resources. You need to plug it in to the larger organisational mothership.” Schoen offers five standards, or sets of documents, of use:

  1. EU CEN/TS 17091 Crisis Management as a Strategic Capability
  2. BSI 11200 Crisis Management Guidance and Good Practice
  3. ISO 31000 Risk Management / Organizational Resilience
  4. ASIS 2020 Business Continuity Guideline
  5. ISO 22301 Business Continuity

Structure shades into leadership, because of the question of which people you, the crisis manager, want ‘on the bus’: the CEO, an outside consultant, a few or a committee? Don’t forget someone to log what the team does, and comms, whether internal or external. Schoen suggests that ‘common core team members hail from Operations, IT, Logistics, Finance, Security and Safety, HR, Compliance and Legal.’ Schoen advises that members have to add up to a balance for age and gender; and they should be personally resilient (or seaworthy, to use a nautical term, as used by Schoen).

Schoen quotes the ASIS International president for the year 2020, the Dutchman Godfried Hendriks, on how the US-based security management association went about doing its job during the pandemic:

‘I was two months into my term when the pandemic struck. Forging that community at the outset, dealing with all the new health screening procedures, the business shut-downs, the new risks around ‘Work From Home’, and then laying the groundwork for the re-openings and recovery with security staff continuously on the front line – it was a lot of work …. Ultimately, we in the security field proved to be part of just about everyone’s crisis plans, both as enablers and even drivers of management and safety staff. In terms of proving our worth for industry in crisis, I think it was one of the association’s finest hours.’

It’s a point well made, given that everyone has understandably been keen to move on from covid, indeed to tackle the next crises (a kidnapped executive? A money-laundering or corruption scandal? War in Ukraine?). Schoen addresses that on entering the final quarter of his work, on leadership. Actually doing the job of running your unit or department is only a part of a manager’s job; besides that, you should always look to improve what you do, and to be a mentor, recruiting and bringing on new talent, for when (inevitably) you no longer do whatever it is you do.

The fifth and final chapter rounds off, covering financial crime and its investigation, and the security of events. Schoen was in the thick of it at Arnhem on the 75th anniversary, when he apologised to Prince Charles (in Parachute Regiment red beret) for disorganisation of ceremonies. For Schoen it was a ‘reminder as to how easily best laid plans and months of preparation for a major event can be thrown off-kilter by minor things, and how thin the margin between success and failure is’. Schoen’s list of major events and venues where crisis struck includes the 2017 Manchester Arena concert suicide bomb. Again, if it’s possible to boil learnings down to one phrase (and Schoen doesn’t), the imperative is to face reality and not to indulge in wishful ‘it’ll be all right on the night’ thinking, which leads to rote planning and to preparing in terms of ‘on the back of a cigarette packet’. On terrorism, Schoen points out also the ‘fall out’ of disrupted (business) travel and building lockdowns, besides actual attacks. He judges that ‘your chances of being touched by terrorism as a secondary target – to include staff members who happen to be caught at the wrong place at the wrong time while traveling – are not insignificant. Best to prepare a few key steps’.

As for reputational risk, of a crisis in public relations terms, Schoen stresses the need to be ‘honest and forthright’ when to blame for something, and not to duck; and to ‘acknowledge the risk that a high-profile leader may pose to an organisation, particularly if and when he or she is likely to attract public scrutiny’.

Late on, Schoen defines a disaster in terms of ‘great damage or loss of life’, such as a plane crash or crowd crush. Thus ‘a disaster doesn’t always equate to a crisis: if it is finite, and well-handled as a (major) incident, a disaster need not per definition result in a crisis’. He also covers workplace violence; civil unrest; ransomware, malicious software; and (sometimes related) insider risk from espionage; and pandemics. Schoen is profoundly humane, both in terms of the fellow professionals he plainly has learned from and holds dear, and in terms of how to do the tasks of managing a crisis well – it’s a duty, as he puts it. As he concludes: “People first, always.”

© 2024 Professional Security Magazine. All rights reserved.
