Of data leaks and oil spills: Tips for tackling a corporate crisis

Will Railton
Follow Will
Eleven People Missing After Explosion At Offshore Drilling Rig
BP's Tony Hayward unwisely talked down the environmental implications of the Deepwater Horizon oil spill (Source: Getty)

As Johnson & Johnson, BP, Volkswagen and TalkTalk can all attest, corporate crises are never easy. Communicating an assured and consistent message at a time when consumers may be vulnerable to fraud or even poisoning is one that few do well, especially when one eye is on the share price.

“Businesspeople are used to being detached,” says Roderick Clayton, global co-lead of Weber Shandwick’s issues and crisis group. “But you have to put yourself in the shoes of your customers or other stakeholders.” So how can companies prepare for the worst?


First and most obviously, partners, customers, and other stakeholders should be contacted directly, before they learn about it in the media.

Statements should be issued by the chief executive if the crisis is particularly severe, but a clear message should be worked out in advance. Once the crisis has been made public, refusing to communicate will allow speculation to fill the silence.

Updates on how the situation is being handled should be offered often. This is especially important in the case of data breaches, because customers may be vulnerable to fraud. When TalkTalk suffered a hack in October, the company was criticised for keeping the leak secret from its customers, while some received phishing calls. “Given the speed with which the misuse of data happens, 24 hours was too long,” said Farrer & Co’s Jennifer Agate and Alicia Mendonca.

When it comes to releasing specific details, firms are often caught between a rock and a hard place. When the BP oil spill occurred in 2010, the then chief executive Tony Hayward talked down its environmental impact as “very, very modest”, which inspired more anger when those expectations were not met.

But be careful not to over-compensate either. There is a real risk that, in trying to be transparent, a company may needlessly exaggerate the seriousness of the crisis and trigger investor flight. “Sometimes you have to accept that you don’t know the facts,” says Clayton. “Firms need to show appropriate concern and engagement without getting anything wrong.”

It may be difficult for a firm to pursue a strategy which is consistent, because views differ about how a crisis-hit company should react. In a recent survey of MPs and business and financial journalists, Ipsos Mori found that MPs considered recalling or revamping a faulty product more of a priority than journalists. The latter prized acting with openness and transparency more than elected officials.


Members of Ipsos Mori’s Reputation Council estimate that 65 per cent of the reputation management they do is proactive, not reactive.

Indeed, having a contingency plan for a range of potential scenarios should not be considered optional. KPMG advises that lawyers, IT and forensic accounting professionals, and other consultants “should be vetted, contracted with, and know the business beforehand to be ready to take action at a moment’s notice.” But when allocating resources, how much should you spend on cultivating a good reputation, and how much should you keep in reserve for when things go wrong?

An Ipsos Mori council member argues that unless a firm is anticipating market shifts, changes to regulation and fostering relationships with partners, it is underestimating the value of corporate reputation.

And even if preventative measures fail to stop a data breach, they may help to keep stakeholders loyal and mitigate potential fines. “Companies who suffer data breaches face fines of up to £500,000 from the UK’s Information Commissioner’s Office,” said Agate and Mendonca. “These widely publicised fines are largely determined by the extent to which the company can be held responsible for the security breach.”

Related articles