The pandemic has tossed aside many of the assumptions of the past as we move towards what has been tentatively dubbed the ‘new normal’. Precisely how the ‘new normal’ will look remains to be seen. What we do know is that it is a path forged in the most challenging of circumstances: only this month it was announced that the UK the economy had dipped 20.4% between April and June, plunging the UK into recession for the first time in 11 years. As the cliché goes, uncertainty is very much the only certainty in these most tumultuous of times. This period of uncertainty can often damage brands’ reputations.
Now is clearly the time for law firms to think about their infrastructure for managing reputational risk.
During a period characterised by the unknown, possessing the capability to predict reputational risk is a most-valued commodity. However, preliminary to any discussion about predicting risk must be an understanding of the different types of risk that could, at any point, manifest into a crisis. This is crucial to understanding how, and ultimately when, they might strike.
Although a crisis will often feel like a flashpoint moment, the risks which contribute to it do not always have to be sudden or unforeseen. In fact, many senior leaders who have experienced a crisis may tell you that, with the benefit of hindsight, the writing was on the wall for quite some time. A crisis is, by this definition, distinct from the risks that may act as its triggers or escalators. It is a ‘situation’: a timebound, specific event, upon which success or failure can – preparedness withstanding – depend on key strategic decisions made in the heat of battle.
Andrew Griffin (2014) distinguishes between these two, distinct triggers for a crisis situation: the sudden crisis, or incident, and the smouldering crisis, or issue. This is the much-quoted typology of the ‘cobra’ and the ‘python’ colourfully coined by Evans and Elphick (2005) – the crisis that strikes unexpectedly from the tall grass, and the one which slowly takes a stranglehold unto the final, fatal act.
Last week, in collaboration with London School for Business, Byfield published its Six Things Keeping Managing Partners Awake at Night. It found that all the managing partners surveyed consider a data breach or loss to be a serious reputational concern. A cyberattack leading to loss of client data might clearly appear to an incident. However, the shift to remote working may have made firms increasingly vulnerable to cyberattacks during the pandemic – as signalled by the SRA back in April – meaning that this could also very much be an issue.
These are both examples of situations led by an external party or event. For example, the firm is likely to be an innocent victim of a hacker campaign, or perhaps chosen due to the strength of its clients. Likewise, the SRA warning notice suggests that law firms are at risk in general. However, incidents and issues can also be driven by internal failures or performance. The firm may be vulnerable to cyber-security issues due to a failure to implement the appropriate systems during the transition to remote working. It may also have led an incident, such a leak caused by an employee struggling to adapt to the new processes whilst being out of the office.
This gives us four potential types of crisis situation:
1) internal driven incidents (accidents, misconduct, systems failure)
2) internally driven issues (poor decision-making, governance issues)
3) externally driven incidents (cyber-attacks, natural disasters, pandemic)
4) externally driven issues (client business, regulatory action, social issues).
Understanding the different types of possible risk is the very first step in being able to identify, analysis and then act upon them. It provides a framework for identifying the appropriate sources for early warning scanning and horizon scanning. Which of the categories the risk falls into will help to inform senior leaders’ decision-making on the appropriate strategy for prevention, management, and/or mitigation.
Firms ought to put planning measures in place for any potential scenario they think could occur across the spectrum of internal driven incidents, internally driven issues. externally driven incidents and externally driven issues.
This requires a finally-tuned radar for external and internal risks – aligning internal communication with external horizon scanning; tracking and measuring the reputation of the firm; and above all, being a listening and engaged organisation that is willing and able to adapt to the changing risk landscape.
To find out how Byfield can help your firm in a crisis, please click here