Optus must have had a crisis plan. How did it all go so wrong?
by Tony Jaques, Director of Issue Outcomes Pty Ltd, for people who work in issue and crisis management
It’s not often we get to see a corporate crisis spiral out of control as quickly as happened when hackers struck Australia’s second-largest telecommunications operator. Optus will almost certainly have paid expensive consultants to help them develop a crisis plan, along with rehearsals and simulations, and media training. And the plan was likely not much different than what is in place for Telstra or TPG or a host of other companies. So why didn’t it work? And was there a Plan B to meet rapidly changing events?
While the Optus crisis is still evolving, there are already some important lessons, especially for other companies:
Media preparedness is based on individual capability, not job titles. In any crisis, the spokesperson must speak with confidence, even without having the full facts. Yet the Optus CEO was evidently uncomfortable dealing with the media, as was the Director of Communications sent out to speak on radio. Where was the personnel fallback plan?
Don’t play the victim. Rehearse planned crisis responses . . . but playing the victim should not be one. The CEO said “we are not the villains” but forgot, it’s not about you. It’s easy to assume a bunker mentality, but there are literally millions of people here who are in no doubt about who are the real victims. The plan should focus on your customers, not just on the crisis.
Plan to get the basic strategies right. Offering credit monitoring is now standard practice in large-scale data breaches where customer financial data is exposed, and that step should have been in the plan. Why did it take so long? Such protection was offered only after four days, only after the Minister demanded it, and only for “the most affected customers”. That distinction might make sense to Optus, but not to millions who fear for their personal cyber-security.
Get all the bad news out at once. The full impact of a crisis is seldom known at the start but plan to avoid drip-feeding information which further corrodes public and political confidence. For example, it was a full week before Optus revealed almost 37,000 current and expired Medicare card numbers had been compromised.
Where there’s a crisis there’s a politician. There are no crises politicians won’t try to turn to their advantage – either to take control or blame the “other side” and they are vital stakeholders in any crisis plan. The speed at which politicians entered the Optus debacle, and the speed at which a newly-minted government began promising new legislation was remarkable, though probably predictable. Has every other corporate crisis management plan been updated to reflect the change of government?
Every crisis provides an opportunity . . . for other companies. With cyber-security in the headlines, Australia Post, CBA, Binance and other organisations were quick to assure customers their online data is secure. But how many have already simulated how they would have dealt with a similar Optus-scale data breach?
The Optus crisis will surely trigger a flood of investigations and litigation, picking over everything the company did and didn’t do.
In the meantime, there are two immediate necessities for every company when considering their crisis plan:
First, make sure you fully understand your corporate governance responsibilities with regard to data you hold. In May, for the first time in Australia, the Securities & Investments Commission successfully prosecuted a company for a data breach as a result of its failure to manage its cybersecurity risks.
Second, develop and rehearse a robust crisis management plan, not just a consultant cookie-cutter, but a dynamic and flexible plan which provides for every specific scenario, for everything going wrong, and has been brutally tested by probing for any possible weakness.
It’s not enough to have a plan. It has to work when disaster strikes.
A Parting Thought
When is a crisis reached? When questions arise that can’t be answered.
Ryszard Kapuscinski
Tony Jaques is Director of Issue Outcomes Pty Ltd, for people who work in issue and crisis management
Learn more about Reputation Risk, CEO apologies, and Crisis communication in Tony Jaques’ new book, Crisis Counsel: Navigating Legal and Communication Conflict.
Hear How Others Fortified Their Crisis Plans With The Help Of Tony’s Book On Navigating Legal And Communication Conflict
“Crisis Counsel confirms Tony Jacques position as one of the industry’s foremost experts on issues and crisis management. In addressing the complex interactions between legal and communication crisis responses Dr. Jacques provides riveting case studies and practical advice. It highlights the financial and reputation risks of not effectively integrating communications and legal counsel. It should be on every communications practitioner’s reading list and companies should insist their in-house and external legal counsellors read it.” – Noel Turnbull, Former Chair of Turnbull Porter Novelli, Adjunct Professor, RMIT University.
“For senior managers who find themselves in the C-suite for the first time, Crisis Counsel should be mandatory reading. Such specific legal and communications provocations are not covered in university management courses, and the introduction is replete with illuminating case studies and key takeaways. The author provides sage advice for Chief Executives who must ultimately make a decision based on what they think is the right thing to do; often under pressure. Crisis team leaders and team members will find this book equally of value, as the more you know about it, the better you and the team will be.” – Jim Truscott, Director, Jim Truscott & Associates Pty Ltd, Perth, Australia
“For far too long, the role of lawyers in crisis management has been neglected. If discussed at all, it is often in negative terms. Tony Jaques adjusts this picture in masterly, yet eminently readable terms. His comprehensive discussion of apology in crisis management is likely to be a go-to source for years to come. This is a welcome book for anyone interested in how crisis-confronted corporations (and other organizations, too) can navigate the tricky legal waters of communicating under fire. For university teachers like me, it’s a rich source of well-researched case studies. A gem!” – Chris Galloway, PhD, Head of Public Relations, Massey University of New Zealand