The COVID-19 pandemic has called into action contingencies most companies never expected to execute. Your leaders likely handled the initial wave using crisis management, business continuity or incident response plans, or some combination. These processes share a common goal: Deal effectively, and quickly, with an extraordinary event that disrupts business as usual. Execution falls to the operational teams: the front-line employees who interface with customers, and the IT team.
What’s missing from this picture? Or more precisely, who?
The current crisis is, of course, all hands on deck. But in many of the more-contained disruptions and tabletop exercises I have been part of, with a variety of companies, the CFO is rarely involved. That’s a huge missed opportunity.
When a crisis hits, it reduces organizational risk tolerance quickly and sometimes deeply. That’s just human nature. But even when people are cognizant of this phenomenon, most teams deemphasize risk in their decisions. I see it all the time, and this is where CFOs come in. Finance leaders have scenario planning and modeling skills, they understand which variables most impact the business and they’re used to basing risk decisions on data rather than knee-jerk reactions and then documenting the outcome.
What’s that? You ARE at the table?
Before COVID-19, when was the last time you reviewed your company’s business continuity, crisis or incident response plan or attended a walkthrough or table-top exercise modeling a worst-case scenario? In my experience, unless you also happen to have operational control, the answer is likely “it’s been years” or “what incident response plan?”
“What makes a decision great is not that it has a great outcome. A great decision is the result of a good process, and that process must include an attempt to accurately represent our own state of knowledge. That state of knowledge, in turn, is some variation of ‘I’m not sure.’”
That quote is from professional poker player turned author Annie Duke’s book, Thinking in Bets: Making Smarter Decisions When You Don’t Have All the Facts.
Anyone who has gone all in with a 2 and 7 to keep a bluff going knows what making a high-risk decision while under pressure feels like mentally. That’s why Thinking in Bets is one of my favorite books for incident response management team members — it illustrates the reality that, when under pressure, people want to move fast, but only if they can be right in every decision. See my previous point on humans and risk tolerance.
Since that’s impossible, I’ve seen the classic “no decision decision” play out time and again. But inertia is pretty rarely a winning hand.
In a crisis, those who are at the table, often the CIO and COO, really, really don’t want to bet wrong because the cost is almost always financial, whether loss of revenue, a fine or some other bottom-line hit. What they need to understand is that the goal during a crisis is not pinpoint precision, but accuracy. You don’t need to hit the center of the bullseye. Heck, in some cases, just having the dart land on the board is a win.
When the CFO steps up and says, “I’m not sure, but here’s what I think,” that makes it OK for others to say the same and move past fear-induced paralysis.
This is much easier said than done, naturally, as most CFOs pride themselves on data-driven precision. But remember, in a crisis, time works against you, and you never have as much information as you want.
What generally does not change is the company’s mission, ethics and strategy. Help others during the crisis by asking the simple question: “What happens if we are 10% above or below this?” Reassure colleagues that if the risk remains within that +/- gap, things will be OK. Then they can move forward.
Here are three more critical abilities CFOs bring to the table.
Knowing where that dart needs to land can come either from the gut or through modeling. And in fact, financial modeling can be invaluable in the heat of a crisis, if the right infrastructure, tools and data reporting capabilities are in place. When they aren’t, a CFO’s innate understanding of the business’ fundamentals is the next best thing.
I said “the right infrastructure” because your standard modeling approach may not be effective during a crisis. Modeling is a proxy and simplification of reality. Models contain assumptions, and within a crisis, assumptions are what are usually impacted — not the formulas and ratios that leverage those assumptions.
Before working up different scenarios, spend time discussing with colleagues which assumptions are likely to or have changed. Sharing how you view the impact of a crisis on assumptions can completely upend what the team views as important, and may lead to new insights.
For example, while working with a client on an ecommerce outage, the models all assumed that certain financial processes that ran weekly and monthly, leveraging data from partners, would run as usual. However, the issue causing the outage prevented those processes from running, even though the data was available. The team did not realize this until the topic came up during the assumptions meeting, because IT had not properly documented these processes. Without the CFO at that table, no one would have realized.
CFOs understand how to keep accurate records with the right level of information. Any crisis management expert will tell you that keeping a decision log is essential during an emergency. Many people have their hands in the process, and they’re not always aligned.
I recommend that whenever a crisis decision is made, it’s entered in the log, and the CFO runs point on providing a concise evaluation of possible outcomes, likelihoods and impacts. Just the facts, at this point. Taking opinion out of it allows others to form an objective view of the options on the table. Skip the flourishes. There will be time to add context later should that be warranted.
I recommended this process to a client during an incident response plan review and got an interesting answer: “I don’t want to do that, so it does not become evidence used against us.”
Sorry to say, if you end up in court post-crisis, you will have to talk about your decision process. The question is, will you communicate accurately and with documentation to back you up?
A log is an invaluable asset to convey the thought process, potential outcomes and decision logic, and the CFO is the right person to ensure that decisions within the log reflect the actual likely impacts. For example: “We estimated that not running the order-processing ETL job, due to the attacker potentially having access to the server containing financial data, would result in approximately 8% of customers canceling orders. We opted to contact customers and tell them orders would be delayed.”
A big, fast-moving crisis isn’t being solved with one decision; this is chess, not checkers. Companies can’t sit and wait for the full impact of each move to be felt before deciding if it was a good one or not.
CFOs have the reports, formulas, insights and data, including historical data for comparison, to make a fast call on whether you’re moving in the right direction, even if assumptions change.
If the item to be measured is not a financial metric or something you as CFO have tracked before, this may be a good time to help the team identify important metrics and how they should be reported. This is vital in smaller companies, where sales and marketing metrics are usually tracked alongside financial numbers, but operational, customer and logistics metrics may not be as mature.
Keep it simple, and after the crisis, these measurement best practices may just stay around.
So, I started this column talking about risk. In giving the above recommendations, I purposely didn’t frame the concept of a crisis in risk management terms, but that’s all it really is. When a risk is identified, it needs to be evaluated and modeled, its impact and likelihood documented and disclosed, and compensating controls (alternatives) discussed. Once those controls are implemented, they need to be measured and tracked to ensure they meet the goal and that the risk remains under the level the board or leadership has deemed acceptable.
Communicating accuracy over precision is just a simpler way of communicating risk tolerance.
I have seen firsthand a CFO saying, “We need a list of compensating controls …” and being stared down by the incident response team, with an undertone of, “Please, none of that compliance and risk tolerance crap right now — we have a problem to deal with!”
Well, guess what? A crisis is a risk that has become reality. Risk management processes are exactly what you need.
The COVID-19 pandemic caught some businesses off guard. You can find guides to scenario modeling and crisis management right here on Brainyard, and there are countless resources to help you effectively build and run these processes. Do not attempt to boil the ocean and outline every possibility. Focus on identifying, reviewing and updating who does what, when they need to do it and to whom actions are communicated.
Having the CFO at the table means a too-risky bet won’t end up costing the business.
Michael A. Davis is an independent security consultant. He was previously CTO of GoSecure and Senior Manager, Global Threats for McAfee. Aside from his work advancing cybersecurity, Mike has been a partner in diverse entrepreneurial startups; held a leadership position at 3Com; managed two Internet service providers; and recently served as president/CEO of the InClaro Group, a firm providing information security advisory and consulting services based on a unique risk assessment methodology.
As an educator on IT security, Mike’s portfolio of clients includes international corporations such as AT&T, Sears and Exelon as well as the U.S. Department of Defense. His early embrace of entrepreneurship earned him a spot on BusinessWeek’s “Top 25 under 25” list, recognizing his 2005 launch of IT security consulting firm Savid Technologies, which was recognized as one of the fastest growing security companies of its decade. He has a passion for educating others, as a contributing author for the “Hacking Exposed” books, through industry publications including InformationWeek and Dark Reading, and as a speaker at industry conferences including Black Hat, Interop, SuperStrategies, and InfoSecWorld.