Beware the Black Swan

Imagine the worst: within the last 72 hours, your company has been hit by a major crisis. There may have been serious damage to the community in which you operate. Your customers may have suffered, people’s livelihoods may have been destroyed, the environment may be irretrievably damaged. Some of your employees and contractors may be injured, or worse. Your investors will be livid, and the board looking to assign blame. By the end of the first week, chances are your organisation will be facing dozens of lawsuits, some set to become class actions over time.


At this early stage, you will realise that verifiable facts are few and far between. Opinions and rumours abound. You will have little or no idea of the extent of any physical or financial damage, or to what degree the organisation was complicit in the event. You do not even know which of your top team you can count on. Some of them may be implicated; others may be operationally inexperienced, unfamiliar with the political realities, or temperamentally unsuited to the new situation – filled with good intentions, but uncertain what role to play.

Normal rules for how the organisation operates get torn up quickly in a crisis. Informal networks founded on trust and the calling in of favours can dominate over formal organisational reporting structures. Those previously opposed to the status quo can quickly become vocal, sparking a turf war and delaying action. Managers may start executing an uncoordinated set of actions with the best of intentions, but incomplete or inaccurate information. No longer able to build consensus, they end up with unwieldy organisational structures that have dozens of decision-makers around a table, with the result that the effort becomes dispersed and disconnected.

The crisis will be manna from heaven for your organisation’s natural antagonists, who will seek to take advantage of your misfortune. Competitors will try to lure customers and poach employees. Activist investors may plot a takeover. Hackers may target your systems. The media will dig up every past error the company has ever made.

Much of the anger, by the way, is directed at the executives personally. Parody Twitter accounts may appear, trashing their reputations. Their families may be targeted online. Reporters may be camping outside executives’ homes at odd hours of the day and night.

In the midst of all this confusion, what do you do? Do you hold a press conference? If so, what do you say when you have so few facts? Do you admit wrongdoing, or do you insist that what happened is not the fault of the company? Do you point to the cap on your legal liability, or promise to make everything right, no matter the cost? What do you tell regulators who are themselves under pressure and demanding explanations?

These issues are not hypothetical. They are all real experiences that organisational leaders have faced during crises in recent years. And these incidents are now far more frequent, and far more devastating, than they were in the past. The amount of money paid out in penalties by US companies grew five times between 2010 and 2015, to $60bn. Globally, this figure is now over $100bn.

Every crisis has its own unique character, rooted in specific organisational, regulatory, legal, and business realities. Over the years, McKinsey has delved into the chaos of corporate disasters to help around 150 companies to cope. As a result, it has developed a view that spans sectors and geographies, and which reveals some clear patterns in the most successful crisis resolutions.

Preparation: devil in the detail

Forewarned is forearmed, but what level of detail is useful when many crises take companies by surprise? When planning in advance, the McKinsey message is to aim for a balance of preparation and real-time reaction. Too much specificity can be a waste of time, because what happens is unlikely to closely mirror the plan. Instead, identify the top three to five threats your company might potentially face in broad terms, construct scenarios to deal with them, and allow for flexibility during the execution. If you are lucky, the plan will be 60% right.

Modelling the crisis team ahead of time

A key practical step when planning is to prepare the crisis response unit and allocate roles within it. The ideal approach is a set of small, cross-functional teams, typically covering planning and intelligence gathering, stakeholder stabilisation, technical or operational resolution, recovery, investigation, and governance.

The best crisis response units are relatively small, with light approval processes, a full-time senior leader, and very high levels of funding and decision-making authority. The team should be able to make and implement decisions within hours rather than days, draw a wall of confidentiality around the people who are responding, and protect those not involved from distraction in their day-to-day activities.

Conducting a simulated crisis scenario is a good idea, to ensure that people know what they have to do, and allow for a greater level of preparedness when the real thing hits, even if the crisis in question is completely different from the simulation. Even if you do not go to the lengths of enacting a full-scale exercise, just talking through a scenario at a board meeting can alert key stakeholders to the complexity of a potential risk situation and open their minds to doing more in terms of preparation.

Wise counsel

The right leader will usually be internal, well known and well regarded by the C-suite. They will have served within the industry, and will enjoy strong informal networks at multiple levels in the company. He or she should possess a strong set of values, have a resilient temperament, and demonstrate independence of thought, in order to gain credibility and trust both internally and externally. Could this be the general counsel?

Not usually, according to McKinsey, which instead suggests that the crisis leader is an operational expert, rather than a legal one. However, the role of the GC in a crisis is critical. They can add real value through their ability to influence and act as the bridge between business executives and the legal teams (external and internal). By virtue of participating in key meetings and major strategy discussions, they and their team are aware of potential crisis issues. GCs are also usually best placed to shape the organisation’s negotiation and settlement strategy, based on the legal exposures.

Identify the top three threats your company might face, construct scenarios to deal with them, and allow for flexibility during the execution. If you are lucky, the plan will be 60% right.

In addition, the ability of the GC and their team to translate risk exposure into plain business terms can be of pivotal importance, as other business leaders will be typically concerned with understanding and mitigating the level of exposure. For example, in the aftermath of a crisis, businesses are often hit with liquidity issues as suppliers and business partners become nervous, and shorten payment terms. Anticipating that risk when drafting contracts can be a significant factor in avoiding further crisis escalation. If the crisis response team does not have an awareness of the intersection of the legal and business risk, it is hard to be effective.

Parallel paths to resolution

It helps to think of a crisis in terms of ‘primary’ and ‘secondary’ threats, McKinsey argues. Primary threats are the interrelated legal, technical, operational and financial challenges that form the core of the crisis, while secondary threats are the reactions of key stakeholders to those primary threats. Ultimately, the organisation will not begin its recovery until the primary threats are addressed, but dealing with the secondary threats early on will help the organisation buy time. While all need to be tackled early, they will likely require different levels of emphasis at different stages.

Stabilise stakeholders

In the first phase of a crisis, it is rare for technical, legal, or operational issues to be resolved. At this stage, the most pressing concern will likely be to reduce the anger and extreme reactions of some stakeholders, while buying time for the legal and technical resolution teams to complete their work.

For instance, an emergency financial package may be necessary to ease pressure from suppliers, business partners, or customers. Goodwill payments to consumers may be the only way to stop them from defecting to other brands. Business partners might require a financial injection or operational support to remain motivated or even viable. It may be necessary to respond urgently to the concerns of regulators.

It is tempting, and sometimes desirable, to make big moves, but it is tough to design interventions that yield a tangible positive outcome from either a business or a legal standpoint. What usually works is to define total exposure and milestones, stakeholder by stakeholder, then design specific interventions that reduce the exposure.

Resolve the central technical and operational challenges

Many crises (vaccines in pandemics, oil wells during blowouts, recalls in advanced industries) have a technical or operational challenge at their core. But the magnitude, scope, and facts behind these issues are rarely clear when a crisis erupts. At a time of intense pressure, the organisation will therefore enter a period of discovery that urgently needs to be completed. However, companies frequently underestimate how long the discovery process and its resolution will take.

One manufacturer had to reset several self-imposed deadlines for resolving the technical issue it faced, significantly affecting its ability to negotiate. Another company in a high-hazard environment made multiple attempts to correct a process safety issue, all of which failed very publicly and damaged its credibility.

It is best to avoid over-promising on timelines and instead allow the technical or operational team to ‘slow down in order to speed up’. This means giving the team enough time and space to assess the magnitude of the problem, define potential solutions, and test them systematically.

Technical and operational war rooms should also have an appropriate level of peer review and a ‘challenge culture’ that maintains checks and balances without bureaucratic hurdles.

Repair the root causes

The root causes of major corporate crises are seldom technical; more often, they involve people issues (culture, decision rights, and capabilities, for example), processes (risk governance, performance management and standards setting), and systems and tools (maintenance procedures). They may span the organisation, affecting hundreds or even thousands of frontline leaders, decision-makers and workers. Tackling these is not made any easier by the likely circumstances at the time: retrenchment, cost-cutting, attrition of top talent, and strategy reformulation.

Repairing the root cause of any crisis is a multi-year exercise, sometimes requiring large changes to the fabric of an organisation.

For all these reasons, repairing the root cause of any crisis is usually a multi-year exercise, sometimes requiring large changes to the fabric of an organisation. It is important to signal seriousness of intent early on while setting up the large-scale transformation programme that may be necessary to restore the company to full health. Hiring fresh and objective talent onto the board is one tried and tested approach. Other initiatives we have seen work include the creation of a powerful new oversight capability, the redesign of core risk processes, increased powers for the risk management function, changes to the company’s ongoing organisational structures, and fostering a new culture and mindset around risk mitigation.

Restore the organisation

Some companies spend years of top management time on a crisis, only to discover that when they emerge they have lost their competitiveness. A large part of why this happens is that they wait until the dust has settled before turning their attention to the next strategic foothold and refreshing their value proposition. By this stage, it is usually too late. The seeds for a full recovery need to be sown as early as possible, even immediately after initial stabilisation.

This allows the organisation to consider and evaluate possible big moves that will enable future recovery, and to ensure it has the resources and talent to capitalise on them.

Crisis management at McKinsey

Mihir Mysore is one of McKinsey’s leaders in crisis response, operating from the company’s Houston office. He shares his thoughts on the evolving nature of corporate crises and the grounding for an effective response.

The threat is growing

Globalisation and increased complexity are the main reasons that black swan events have increased so much. It’s becoming harder to predict and prevent every risk. We may not have even thought of some risks, due to changes in technology or the supply chain.

Another factor can be the speed we have in product development cycles that were taken for granted a decade ago. Now there can be two new versions of a car in a year. With that speed of change it’s hard to know what risks you are taking on.

The next big change is that of stakeholder expectations. We see people taking a position on social media that can shut down revenues, and shareholder activists making fundamental changes in the way a company is run. It’s all part of a changing social contract around institutions and a lack of trust in those institutions.

The right amount of detail

Many companies today get very detailed when considering what crises to prepare for. People want to go into a certain level of detail because they can model it. But most companies are finding out that it is not possible to ascertain whether every employee or contractor is truly following best practices, such as not clicking on phishing emails, or using passwords that can be broken. You can’t be certain that an employee is not going rogue and breaking the law. Or, if you think about the massive complexity of products now, whether that’s in pharmacy, cars, cell phones and so on, can you truly know that your product does not contain something that can harm privacy or safety?

However, the process of going through a ‘rich enough’ scenario is incredibly informative. The first thing it teaches you is that there are second order effects when you have a crisis. For example, even if in the first instance your competitors sympathise with you, that doesn’t mean they won’t be undermining you in a month. Just knowing that second order effect in the broadest terms can change your actions.

It’s not enough to think solely in legal, technical or PR terms. If you go through exercises with enough detail you will form an intuition about the way a crisis works that is hugely effective.

The role of the GC

We have seen extremely competent GCs step up and become crisis response managers, but often the GC is too busy managing the legal issues. They’re more front and centre once the issue becomes a crisis, not before, and we think that should change.

For every 100 potential issues facing companies and their officers, 98 will not become crises. We can’t treat everything as a crisis, but we need judgement, and that risk judgement can be key for the in-house legal team to be part of.

Being involved early on can give the legal team an opportunity to understand the project and the various potential trade-offs in a richer level of detail. It does mean that the lawyers have a delicate balancing act, but they can really play the role of objective observer and give feedback on previous issues such as lawsuits or challenges that have happened.

Very few crises are ever completely new; you just need a wide enough lens and a desire to dig into these issues to get a perspective, which is what lawyers are ideally placed to provide.