CLIP: The Key to Cutting the Cost of a Crisis

Sep 15, 2018

Science fiction writer H.G. Wells said, “The crisis of today is the joke of tomorrow.” It’s true — think about how political cartoonists pounce on breaches and corporate scandals. If you’re responsible for crisis management at your organization, however, the cost of a crisis is anything but funny. For example, if you experience a data breach, you’re looking at an average total cost of $3.86 million, or $148 per stolen record. Whether you’re facing a breach or a public relations fiasco, the key to reducing the cost of a crisis is CLIP:

  • Customer trust
  • Leadership effectiveness
  • Involvement of third parties
  • Preparedness

These recommendations are based on new findings from Ponemon Institute’s 2018 Cost of a Data Breach Study (sponsored by IBM Security) and Deloitte’s 2018 Global Crisis Management Survey.

Customer Trust

If you don’t protect your customers’ trust, you’re setting yourself up for costly consequences. Ponemon found that organizations that lost 1 percent of their customers due to a data breach faced an average cost of $2.8 million. If they lost 4 percent or more, the cost shot up to $6 million on average. In the U.S., the cost of lost customers is the highest: $4.2 million.

If you’re thinking you’d fall into the 1 percent category, don’t be so sure. The average abnormal churn rate is 3.4 percent, and it goes up in industries where customers have high expectations for data protection and can easily take their business elsewhere. The highest abnormal churn rates are in healthcare (6.7 percent) and financial (6.1 percent).

To earn and protect your customers’ trust, have programs in place to encourage customer loyalty before a breach occurs. Ponemon also found that organizations were able to reduce churn by having a senior-level officer in charge of directing initiatives to improve customers’ trust in the organization’s ability to guard personal data — which leads us to our next point.

Leadership Effectiveness

Deloitte reports that involving boards and executives in crisis management helps reduce the severity of a crisis. That’s why 21 percent of organizations with board involvement reported that the number of crises had declined over the past decade. Only 2 percent of those without board involvement said the same thing. For data breaches specifically, Ponemon found that board-level participation decreases the cost by $6.50 per record.

Unfortunately, having leadership involvement is easier said than done — 24 percent of Deloitte’s survey respondents said one of their most significant crisis management challenges was leaders’ effectiveness and decision making.

To address these challenges, Deloitte recommends establishing crisis management roles ahead of time, taking leadership styles into consideration (e.g., speed of decision making under pressure). To keep leaders involved in the crisis management strategy, focus on “what keeps them awake at night.” This post has some pointers for appealing to various executive roles. While it is specific to business continuity, a lot of the same principles apply to crisis management.

Involvement of Third Parties

How many times have you heard about a vendor or contractor causing a crisis? Third-party crises are not only common, but they’re also costly. When a third party is responsible for a data breach, Ponemon reports that the cost goes up by $13 per record breached.

But while third parties are part of the problem, Deloitte points out that they’re also part of the solution. Fifty-nine percent of survey respondents perform exercises that include critical service providers, joint venture partners, resellers, distributors, etc. By involving third parties, you can pinpoint problem areas and address them before a crisis.

Preparedness

When managing a crisis, winging it won’t work. According to Deloitte, only 31 percent of organizations with a crisis management plan separate from business continuity and other preparedness plans experienced financial fallout, as opposed to 47 percent of organizations without a plan.

It’s also important to exercise the plan to make sure it works (and, as we mention above, be sure to involve third parties). It’s noteworthy that Deloitte found that 92 percent of respondents believe IT departments are prepared for a crisis. Only 77 percent think supply chain functions are prepared. The reason? Most IT functions (nearly 70 percent) have participated in a crisis simulation or exercise during the past two years. Deloitte’s study offers guidance for building a crisis simulation, and we’ve compiled a few tips for integrating disaster recovery and crisis communications.

In addition to having a plan and practicing it, Ponemon reports that you can reduce a data breach’s cost per record by having certain measures in place (this list isn’t exhaustive, of course):

  • Incident response team — saves $14 per record
  • Extensive use of encryption — saves $13 per record
  • Business continuity involvement — saves $9.30 per record
  • Employee training — saves $9.30 per record
  • Insurance protection — saves $4.80 per record

By following each element of CLIP, you’ll avoid abnormal customer churn, place the right leaders in the public eye, transform third-party problems into solutions, and cut the overall cost of a crisis.