Crisis management

in the age
of disruption
Rethink risk.

Decisions that minimise impact

and maximise value.
Together, we can rethink risk.
Introduction

As described in PwC’s ADAPT framework, the world is

facing significant and increasingly urgent global challenges
affecting individuals, organisations, governments and
society. This age of disruption brings new complexities,
opportunities, and risks for businesses. The potential
for crises has intensified – driven by rapid technological The World Economic Forum
change and amplified by societal expectations around
social responsibility linked to environment, social and identified the growing
Environmental, Societal and Governance (ESG) criteria.
interdependence of digital
Over the course of the COVID-19 response we’ve seen how
these trends have accelerated. And now, as businesses
technologies and systems as
start to look beyond the pandemic and into recovery,
our global findings show they have no intention of resting
a likely source of instability
on their laurels. Our 2021 Global Crisis Survey has revealed and disruption.
that seven out of 10 organisations are planning to boost
their investment in resilience and an overwhelming 95% WEF Global Risks Report 2019
of business leaders report that their crisis management
capabilities need improvement.

Building on these insights we’ve outlined the ten considerations

to prompt a crucial and timely discussion: why organisational
leaders and crisis managers must adjust their approach for this
new era.

1 | Crisis management in the age of disruption

The context:
drivers of
disruption

The age of disruption is upon us – we point to three main This vulnerability is amplified when you consider the
drivers which set the context for the 10 considerations concentration risk: the scale and power of a relatively small
below. They include systemic interdependency and number of tech giants upon whom such offerings depend.
concentration risk, velocity and declining trust.
This web of dependencies has created a situation where
1. Systemic interdependency and concentration risk the origins and possible impacts of disruption are harder to
predict – the entire system is becoming increasingly complex.
Many organisations are more entangled than they
realise in far reaching, deeply embedded value chains
All of this means you may not know where the weakest
– from interconnected in-house systems to data feeds
points in your system are, and this knowledge gap translates
between cloud mega-providers. Data and technology
into vulnerabilities that will be exposed when it matters
underpin operating models, drive decision making,
most: in times of crisis.
and propel value creation – a trend that has only been
accelerated by COVID-19 as many organisations switched
2. Velocity
to remote working.
Whilst the outward face of the organisation may rightly be
On the surface, this is a smart strategy: leveraging the harnessing the pace of change and innovation, inwardly
core competencies of well-matched counterparts in order you must work harder to protect your organisation from
to compete in an agile, accelerated fashion. But there is a the velocity of these emergent and unpredictable digital
downside: the inherent risk of systemic interdependencies. risks. The investment required to fully understand the
If your organisation relies on processes being performed by consequences of a catastrophic failure of technologies
another organisation and something far beyond your control and third parties remains significant.
disrupts their business, such as a pandemic, then your
resilience and continuity will be challenged.

Crisis management in the age of disruption | 2

3. Declining trust
It’s hardly controversial to point out that society’s expectations Additionally the growing scrutiny around ESG
have changed dramatically. The erosion of trust is evident performance is set to accelerate in the face of activism
everywhere. According to the 2021 Edelman Trust Barometer and regulatory pressure; for example, around inequality
there is an epidemic of misinformation and widespread and environmentalism. Value creation is increasingly about
mistrust of societal institutions and leaders around the linking your business to societal impact, not just the financial
world. COVID-19 has also accelerated this trend. bottom line. Organisations are working to understand ESG,
what it means for their strategy and growth and how this will
Shareholders, the media, employees and the wider affect trust in their brand.
community are increasingly emboldened to voice their
views through their words (vastly amplified on social media), If you are responsible for your organisation’s crisis
their money, and their feet. readiness, the trust spotlight will shine on you at the most
unsettling time. Your board, your people, your customers,
Stakeholders expect that if you’re introducing a new your regulators – all will require the confidence that you are
technology or service – e.g. building an algorithm for a prepared for a crisis; and that you are factual, transparent
driverless car, or a new medical device, or a surveillance and stay true to your values in your response.
technology – that you’ll do so with baseline ethical and
environmental considerations baked in. And you’ll need to Today, role model organisations want and are expected to
understand how those considerations vary from stakeholder think, behave and operate in a way that is honest, respected
to stakeholder, market to market, and country to country. and ethical as well as commercial, resilient and profitable –
attributes that mean they are doing 'good business' both in
commercial and an ethical sense.

3 | Crisis management in the age of disruption

Ten considerations
Against this context, we suggest 10 considerations
to enhance crisis preparedness in this age of disruption.

Grasp the opportunities

hidden in crises

Plan for the major,

learn from the minor

Gather the technical tacticians

and strategic decision makers

Get comfortable speaking

each other's language
Appoint a data subject matter
expert and have a crisis data
strategy in place

Prepare to manage your

issues to prevent crises
Build resilience,
prepare for crisis

Integrate your crisis and

resilience programmes to
manage disruption

Review your crisis

response structure

Recognise you are

increasingly exposed
to digital risks

Crisis management in the age of disruption | 4

 1. Recognise you are increasingly exposed 3. Integrate your crisis and resilience
to digital risks programmes to manage disruption
COVID-19 has accelerated the adoption of Review your systems, stakeholders, and current
technology and digital transformation as a crisis framework – not an easy task, considering
priority. Given most organisations are becoming today’s typically sprawling technology estates,
tech or data-centric companies, you could business partners and third parties. Are there
face a crisis triggered by any number of new hidden dependencies or gaps that could cripple
digital risks: introduction of new software, a cohesive response? What if your crisis was
necessary IT upgrades or a cyber event such downstream of a larger service provider issue?
as a ransomware attack. As a data-centric If a high speed, high impact event were to hit
organisation, your governance obligations you tomorrow, would your organisation be
increase with changes to regulation and evolving operationally resilient? How confident are you in
societal expectations. Consider your new digital your organisation’s ability to weather sustained
risk environment, and inform your crisis planning disruption – and emerge stronger?
through that lens.
Organisations that are prioritising enhancements
to resilience, are focusing on integrating business
continuity, crisis management and disaster
recovery. Business leaders recognise that these
2. Build resilience, prepare for crises
areas should not be considered in isolation,
All organisations need to prepare for disruption. but rather as interlinked disciplines that enable
It might be incident-led (i.e. a short, sharp event) organisations to successfully navigate disruption.
or issues-led (i.e. slow burning), but any disruption
will have impacts on an organisation. The ability
to navigate such disruption successfully
depends on:

• Resilience: having robust plans and capabilities

in place to ensure that organisations can
withstand, absorb or recover from any
disruption to ensure it does not cause
intolerable impacts; and plans to support
continuity and recovery when prevention is
As a data-centric
not possible or fails
• Crisis preparedness: where the resilience
organisation, your
arrangements are inadequate, fail or are governance obligations
overwhelmed (typically due to the scale or
nature of the disruption), being able to deliver increase with changes to
the organisation's strategic aims and return to
a viable operating state. regulation and evolving
Critically, organisations need to start preparing societal expectations.
for disruption now, so that the gaps can be
identified and closed with care, preparation,
and practice. Despite weathering a global crisis,
there is now an opportunity to embed learnings
and focus on preparing your organisation for the
other high-impact events identified through your
risk planning.

5 | Crisis management in the age of disruption

Organisations would benefit from recognising
that issues should not be managed as business
as usual; if left unmanaged they can be escalated
into a crisis by a trigger (eg a whistleblower). Treat
issues with the same degree of seriousness as an
incident-driven crisis, such as a cyber attack.

4. Prepare to manage your issues to prevent 5. Review your crisis response structure
crises
Well established three-tiered crisis response
As well as preparing your organisation to structures, such as gold-silver-bronze or
respond to an incident driven crisis, such as a strategic-operational-tactical, have their place.
ransomware attack, recognise that your crises However, it’s important to recognise that today’s
may come from issues, a non-acute threat to an risk landscape requires crisis managers to evolve
organisation’s strategic goals. their preparedness strategies.

Organisations would benefit from recognising The three tiered structure may not be agile
that issues should not be managed as business enough for an effective organisational response
as usual; if left unmanaged they can be triggered to technology-driven crises or indeed be
by an external event (eg a whistleblower) and appropriate for increasingly lean and agile
escalate into a crisis. organisational structures. The response to high
impact events, driven by global technologies,
Treat issues with the same degree of seriousness cannot rely on escalation through multiple layers
as an incident-driven crisis, such as a weather of teams that may have a limited understanding
event. Review your organisation’s capability of their remits. Tactical actions in these scenarios
to identify and manage issues. An issues generate strategic challenges, such as technical
management capability does not need to decisions taken during a cyber attack that
be complex and should be simple to drive limit strategic response options. Far too often
effective and swift decision-making to gain decision making is postponed or delegated
control – manage an issue with a clear structure, because of a lack of technical understanding at
procedures and agreed pathways for escalation – the strategic level.
before they can threaten the strategic objectives
of your organisation. To enable swift decision-making when
responding to technology or digital-driven
crises, consider establishing a structure aligned
to impact categories, with clear accountable
owners, rather than a three tiered response.

Crisis management in the age of disruption | 6

For many organisations, one of the
most significant challenges during
COVID-19 was difficulty gathering data
to inform and support their response –
specifically their decision-making and
communication to stakeholders.

6. G
 ather the technical tacticians and 7. Appoint a data subject matter expert and
strategic decision makers have a crisis data strategy in place
When it comes to crises, specifically those with For many organisations, one of the most
technology impacts, less can be more. Isolate significant challenges during COVID-19
a small group of designated people who have was difficulty gathering data to inform and
the knowledge, the ability to triage the event, support their response – specifically their
and the authority to make decisions quickly. decision-making and communication to
Typically, this will require close cooperation stakeholders. In a crisis, managers must make
between technologists – who have the crucial decisions quickly – and those decisions
information upon which the decisions can will hinge on the availability, accuracy and
be made – and key senior members of the comprehensiveness of information. Ensure you
organisation, who have the power to make have a crisis-specific data strategy. It should
those decisions. enable you to quickly access large volumes of
structured, validated data, at pace, and have a
plan for how to visualise that data to inform swift
decision-making in a crisis.

7 | Crisis management in the age of disruption

8. Get comfortable speaking each 10. Grasp the opportunities hidden in crises
other’s language
Understand that in the age of disruption,
If there are blind spots, silos, or stress fractures ‘business as usual’ actually means falling behind.
between your operational groups and leadership, Even before the crisis has been resolved, the
you can be certain that a crisis will expose them disruptive energy at its heart can be harnessed
at the worst possible time. Avoid breakdowns in to strategic advantage. Visualise – and prioritise
communication: get organisational leaders closer – emerging as a more agile, better tech-enabled
to the technology on which the organisation organisation, but also foster the team bonds that
depends, whilst cultivating ‘boardroom-savvy’ will have formed.
technologists. This also holds for relationships
with third parties and newly acquired
organisations. Practising and stress testing
brings teams together to learn each other’s
language and build muscle memory.

9. Plan for the major, learn from the minor

In ‘peacetime’, gather your impact owners and
explore your top five risks as a team. Plan for
high impact scenarios, extensive disruption,
and long recovery timeframes. Develop
playbooks and decision guides to prepare
Understand that in the age of
your senior management team. And be sure
to treat minor incidents as warning signs that
disruption, ‘business as usual’
can help you identify patterns and deepen your actually means falling behind.
understanding of the risks you face. Use tools
such as exercising and wargaming to explore
your strategy and decision-making against your
top five risks.

Crisis management in the age of disruption | 8

Contact us

Bobbie Ramsden-Knowles
Director
Crisis and Resilience
M: +44 (0)7483 422701
E: roberta.ramsden-knowles@pwc.com

Johanna Peterson
Manager
Crisis and Resilience
M: +44 (0)7483 416849
E: johanna.peterson@pwc.com

Melanie Butler
Partner
Global Crisis Centre Lead
M: +44 (0)7801 216737
E: melanie.butler@pwc.com

The PwC Crisis Practice helps organisations prepare

for, respond to and emerge stronger from disruption.
We support organisations throughout their journey to
crisis readiness and through any issues or crisis they
may face, with a specialism in cyber crisis and ESG
issues management.

The PwC ESG practice delivers value to clients

by using our skills and experience to help them
do 'good business' as a result of actively and
proactively understanding, identifying and managing
ESG-related risks. This, in turn, enables them to
embrace ESG, doing the right thing more broadly
and realising benefits in the form of value creation
and enhanced trust.

9 | Crisis management in the age of disruption

pwc.co.uk
This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

© 2021 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the UK member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity.
Please see www.pwc.com/structure for further details.

Mitie Design RITM4436940 (04/21).