Paramita: Hello and welcome to PwC Luxembourg TechTalk. For this end-of-year episode. We will talk to Thomas Wittische. He's our risk assurance director. And Vladimir Kolimaga. He's a senior adviser in the forensic services.
Luis: Exactly. That's right.
Paramita: And we will talk about... what are we going to talk about?
Luis: What else? Crisis management.
Paramita: We will talk about crisis management today with them. So keep listening.
Luis: Stay tuned.
Paramita: We have in the studio today Thomas and Vladimir.
Before talking about crisis management, let's start from the beginning. What is a crisis according to you?
Thomas: Well, first, I make a difference between what is a crisis and an incident that's often something which is mixing up at our clients. Incidents are something usually which is managed through a predetermined process within the companies that can be manageable where there is a number of solutions to be managed. Whereas a crisis is an impact or at least it's an event that is really not manageable as such, which will have a direct effect either on the people. It could be a dramatic event impacting people or the business of the company.
Luis: So what you mean is an incident is foreseen? So the company has thought before that potentially happening? And a crisis is something you can not prevent? That's what you mean?
Vladimir: No, it's not so much in terms of preparation. The main difference would be rather in terms of impact. Basically, an incident is something that you can manage because you have the proper policies, the proper procedures in place to tackle the situation and recover properly, whereas in a crisis situation, it goes out of your hands. And basically, if you do not have the proper response, then you can quickly be overwhelmed by the situation.
Paramita: Why do we say "crisis management" then, and not "incident management"?
Vladimir: Because if the situation turns out to be a crisis, and it might, there are still some keys, some elements that companies can implement in order to remediate the situation as swiftly as possible. And this is kind of a different discipline than incident management, which is rather traditional, and that today is quite well implemented by most of the companies.
Thomas: Incidents when they cannot be managed, become often crises.
Luis: That was my question. So badly managed incidents become crises after all.
Thomas: Badly or not badly. Some incidents can be well managed. However, they turn out to be a crisis.
Luis: OK, so let's say when it comes to cybersecurity things, some of them are incidents. Some of them can be crises, correct?
Vladimir: Correct. Yes.
Luis: And the same goes for every single field, right?
Vladimir: Yes pretty much, independent from the type of crisis. What we see today is that many, many factors, many incidents can turn into a crisis. Whether it can be cyber security, it can be data leakage, can be humanitarian, it can be financial, reputational etc. So there are many types of crises and it can go wrong in many ways actually.
Luis: So there is an earthquake that is also part of crisis management that companies should think of?
Thomas: They should think of it. Well, in our region, we are a bit lucky because that's probably not the region in this part of the world, which is the most touched by such events. But yes, that type of crises is difficultly manageable. You can difficultly prepare for such an impact. However, it could be having a huge effect on companies or on the people or human beings who work in these companies.
Paramita: Yeah, I'm sure in businesses in Japan, they are always ready for, you know, an earthquake crisis or something like that.
Luis: Yes, hurricanes or I don't know...
Thomas: Yeah, well we experienced a recent hurricane in Luxembourg which was obviously not expected. That made me feel that basically we're always thinking that such a type of a natural disaster will probably not hit our region. But as you see there, it exists. So I'm not saying that we should all be prepared for such incidents. However, I'm saying that not all types of natural disaster... I mean, looking at how the world is moving and also looking at elements or at least the climate change within the world, you see that such things could happen still.
Vladimir: And speaking of earthquake, if you remember like a couple of weeks ago or even one month ago, there were two earthquakes back to back like with one day of difference in France, so not too far from Luxembourg as well. And the key thing is that most of the time, the companies, when they try to anticipate an earthquake, they think first of of their own employees, of their own building. But most of the time, the transport part is kind of missing. If there was an earthquake in Luxembourg and the motorway is damaged, then you can be pretty sure that it would cause a major traffic jam, we'd be quarantined in Luxembourg. So sometimes the impact is not where you foresee it to be. Which is why, I guess in Japan, I mean, the question of earthquake goes beyond just the buildings and where do data centres should be. It's like also transportation and making sure that your employees are able to reach the office, can connect etc.
Luis: Do you think crisis management has become more complex over time? You mentioned climate change, but I think 50 years ago climate change wasn't a thing.
Vladimir: The complexity does not really come from the climate change because I mean, that is only one type of crisis. And even though it might become more and more frequent, I would say that the complexity first comes from the social media, which were not necessarily present like 10 years ago or of course, not 20 years ago. But now as soon as there is a crisis and if it becomes public, then due to Twitter or Facebook, LinkedIn, everybody is talking about it. And then it becomes much difficult for companies to answer properly because every single of their gesture is then observed by the public. And they have to react quickly and they have to make announcements. They have to communicate. They cannot just to keep people in the dark about what's happening.
Paramita: But there I think we're more talking about reputation and not a crisis, isn't it?
Vladimir: Well, it can be a reputational crisis.
Thomas: I mean, all crises become reputational in one way or another. That's for sure. And I guess coming back to our region and what we often see, what we call crises or scenario of crises that are currently hitting our place or close, close countries, obviously we are not talking too much about natural disaster, even if it's something we should keep in mind obviously. Vladimir mentioned about data leak, cyber attack, which is obviously on top of what our clients are currently facing. I will not forget about the risk of terrorist attack, which might obviously affect our region in a way or another being border blocked. And I really like to say that we are not a place which is a less at risk. Even if many persons think that this will never hit the place, especially our markets. However, the impact of such a scenario or such a crisis could be huge for our country. Financially speaking, or from people perspective, I mean, if a terrorist attack hits Luxembourg we may expect easily borders being blocked. Obviously in France when we saw that back in 2015-16, they were not in the position to block all the borders. But in Luxembourg you may easily expect that this would happen. And the question is, are companies prepared to keep on running the business, especially since we are into a kind of day to day business which is expected in the financial industry by the rest of the world. So this type of crises needs to be also thought about.
Paramita: Because we are talking about Luxembourg, do we know how much prepared Luxembourg businesses are at this moment?
Thomas: It's a good question. I mean, Luxembourg being a huge financial centre, financial place is obviously very well equipped with I.T. technology that allows companies to continue working, which is often more related to cyber type of risk or scenario or crises. Well, the answer to that is yes, companies are well prepared when it comes to the so-called business continuity management or disaster recovery planning. That's something which the country is already well prepared for, especially also because we have a huge regulation in relation to that. The CSSF imposes a number of preparedness there, which is good. Where I believe companies are less prepared, and that's also the reason why we kind of launched that type of crisis simulation exercise, is when we talk about a crisis management team or top level to teach them how to really manage from a human perspective a crisis. And that's probably where they are not that prepared. And that's also what we often see when doing a simulation exercise, is that some time people are not really ready to... or are not using the right concept to manage such a crisis.
Luis: So you mentioned twice crisis simulation exercise. Could you please tell us a bit about that, what it consists in?
Thomas: Of course. Just giving you a bit of history... I've been working on that business continuity disaster recovery thing since back 2005. Besides this I was also a long time ago I've been playing theatre for 16 years.
And basically last year I was really looking to make something a bit more realistic when talking about crisis management. So actually I was just trying to bring that two types of skills, let's say. One being the business skills around business continuity as well as bringing that theatre skills to one single crisis simulation. So what is it about? That's the question.
So basically the idea is to bring together our clients' crisis management teams within... well, usually we do that in our own premises, in our PwC Experience Center and the idea is really to bring them all together around the table. Usually there's kind of six to twelve people max, more than that can overkill sometimes.
And together with Vlad, we are writing predefined scripts, scenarios that are really tailored to their environments. When we talk about an insurance company or when we talk about a bank, we always try to make it their scenario. And the idea is really to drive them through that scenario for kind of a three hour session where every couple of minutes we are bringing new information about the scenario where we are bringing what we called injects. So it could be flash news, could be calls from the regulator or from the Ministry of Finance. So these obviously are all fake injects, but which makes the situation real for them.
Paramita: It's like a drill.
Thomas: Yeah it's a drill. It's an experience. At least that's what the clients are telling us, that they really like doing such a true simulation or life simulation instead of doing what they used to be doing in the past the famous table top exercise with a pre-written text where you just read the story and you try to react there. Now we are here using, as I said, our videos studio to do that. We are using actors, Vlad being one of them.
Paramita: You're the bad guy?.
Vladimir: No, no, no. Usually I'm the good guy. I'm helping or I'm playing like IT roles due to my background in IT security. But we do really custom injects. So it can be... even sometimes we are helped by the clients, by some of their employees, like the head of I.T. and we have prepared their employees to kind of simulate emotional responses to the situation, like picking up the phone and being panicked, talking to their management in a panicked way saying I don't know what's going on, we cannot connect to this system anymore, this is down, we have lost X and Y and Z etc. etc. and bringing forth new elements to the crisis. And then we, the crisis management team, we are managing the exercise from a different room. And actually the client is always observed, always monitored. And so they are kind of acting in a secure environment where we can monitor their progress in facing the crisis and adjust what's going on in the room.
Luis: So Vladimir how it happens when because Thomas mentioned, you write the script, which means you imagine the situation. Do you have any particular practice? You have like a nice cup of coffee and you sit together and you write. How does it happen?
Vladimir: Oh, that's pretty much how we do it. We try to do it that way. We sit together, we combine our experiences. I have worked on a certain number of forensic investigations. So we use a bit what we saw on the market during our respective careers. And we try to come up with a scenario that matches the client environment and their fears as well, because that's what this is about. It's bringing a scenario to life that they will not really expect, but that is plausible. And usually at the end of the exercise, when they come back to us, they say, well, it could have happened. That's precisely the point, it's not to prepare them for earthquakes that are perhaps less relevant for Luxembourg, but we really put in place scenarios which could happen to them.
Paramita: And how do they react in the first place? When you first bring them, how are they initially and how are they after I don't know, an hour or an hour and a half when they're really immersed?
Thomas: Usually, first of all, clients, when they're coming up to our premises, do not really know the reason why they're there. So as it is top management level, we still have to make sure that they will be there on the D Day.
So obviously we book their calendars way in advance, sometimes it can be a few months in advance. We pretend to have a kind of a training session at PwC, but when they are entering the room, they quickly realise that something else is going to happen. It always takes a few minutes, but not more than five, I'll say. So the first five minutes they go kind of OK what's going to happen? And after five minutes, they realise that it's a bit more than a simple training. And that's it's going to be a long afternoon together to manage a crisis. And often what we try to do, which I guess is also very interesting for one of the companies we did, two months ago, so the company is placed in Luxembourg, owned by a French company. So we succeeded to bring up pre-recorded messages from the top management responsible in France and we pre-recorded those messages. And early in the scenario we kind of asked our actors, so the secretary or the assistant to say, look, we just received a message coming from a certain person - I'm not going to mention the name obviously - I will transfer it to you. And all of a sudden you see that the level of severity or the level of engagement from the people increases a lot because they are really receiving a message from the number one of the company. And even sometimes they think the guy is sitting next to them looking at them. So which makes it again, an additional realistic thing.
Vladimir: You can really see them they start sweating. They start to put on the jacket, they put on the tie. They are like, OK, if these guys from PwC are observing us, who else is behind the camera? You know, my top management could be there as well. And most of the time, the real trigger, the trigger from the phase where they are kind of chill like, ha ha, we are in PwC, what's going on. And the moment where they really engage the game is when finally we show them a video of their company, their building with a journalist in front of the building, saying hey, this is live from whatever news company, we are live. Things are happening right now. What is the company doing? What's going on? We have a news from this and this website. So we try to make it credible. And by seeing their own building on the news, then suddenly it clicks.
Paramita: OK so we'll probably wrap things up quite quickly. If I ask you to give top three tips that you can give to a company for their crisis management. What will they be?
Vladimir: First one, I would say communication is key and not communicating is sometimes worse than even communicating in the wrong way. Because if you do not communicate, then you increase the focus of the public around you, and then you give the impression that you really don't know what's going on.
So precise communication. Of course, it's hard to have all the facts, but at least communication should be tackled as soon as possible, especially when there are like regulators knocking on the door, lawyers, insurance companies, etc. So the public has to know so that they know that you're on top of the crisis. So, first point would be communication.
Luis: OK so first one is about communication. Yes, so what is the tip number two?
Vladimir: Tip number two is that you need to train because your crisis management team is most of the time more or less equal to the executive management, plus or minus a few extra like head of communication, etc., a few extra roles. But if you do not train, then when the real crisis hits, then everything is to be built. So the objective is that you have the feeling of you know, it's part of the daily activities. And then you can just put on your suit and manage the crisis property because you have been there already. And that's key.
Thomas: And just to add on the training side, it's not only the crisis management team that should be trained, but it's also the employees of the companies that must also be trained and that must be aware of what is the communication flow, who do we receive the information from, are we allowed or not to communicate. So the training obviously starts at the top but should also be propagated to employees.
I think one of the tips is let's come and try. Let's come and try our simulation.
Vladimir: Number three for me would be more like stakeholders, because when they start to answer a crisis, most of the time they realise that they missed one of the key stakeholders. So usually we try to remind them of all the dimensions of the crisis, whether operational, weather regulatory, weather communications. Communicating to the outside world is obviously key, which is why I named it as number one, however, communicating to the right people, and sometimes you need to have tailored messages to each and every one of the stakeholders. That is also a key criterion. So first you should map all the relevant stakeholders and make sure that you address them in the correct timeframe. Because we mentioned data leaks, so think about like entities like CNPD, like CSSF, like ECB, etc. So make sure that you map them correctly so that they are not forgotten in any stage of the crisis.
Thomas: Stakeholder mapping.
Paramita: Quick question, do we have something like that for us internally?
Thomas: So our top management already went last year for such a simulation. There was a terrorist attack simulation. And that was also a way for us in 2018 to train ourselves internally because I'd just like to mention that this is obviously not an exercise that is being done between Vladimir and myself, but that we have a team, I'll even say a crew or we have friends behind it.. be it our video team that helps a lot, be it all the guys working in the logistics, in our I.T. department, the actors, colleagues from PwC Belgium also helping out, Head of Communication, observers, facilitators... So, I mean, that's very much important to explain that this simulation will not be working without all these people.
You know, each and every crisis has a different flavour. I would not say that you're always fully prepared, but at least you need to train yourself and to give your maximum to be prepared. So that's what we're trying to deliver to our clients at least.
Paramita: Hopefully, Luis, we won't have such a crisis. The only crisis to manage right now is to get Luis to speak to the mic.
But thank you Vladimir, thank you Thomas for your time. Thank you so much. And to the audience, this is our last episode before the holidays. So from all of us, Happy holidays and a happy new year.
Pauline André
Director, Head of Marketing & Communications, PwC Luxembourg
Tel: +352 49 48 48 3582