Imagine you’re a top executive at a company hit by a major crisis within the last 72 hours. First, and most importantly, there may have been serious damage to the community in which you operate. Your customers may have suffered, people’s livelihoods destroyed. The environment may be irretrievably damaged.

What do you do?

The threat is growing

Many incidents inside companies never hit the headlines, but recent evidence suggests that more are turning into full-blown corporate crises.

Why is this a bigger problem now than it has been in the past? First is the growing complexity of products and organizations. A new pickup truck today includes computer controls programmed with more than 150 million lines of computer code, while the average deepwater well is the height of seven Eiffel Towers. Goods travel thousands of miles and move through supply chains that comprise multiple intermediaries and multiple jurisdictions. A second reason for the significance of the problem is a higher level of stakeholder expectations. Customers, often in response to messages on social media, are more willing to sue or shun a company they believe is unethical. Governments are more willing to seek redress from companies they believe are breaking the law, and shareholder activism is on the rise. Third, the changing social contract is driving anxieties and mistrust in institutions, making irreversible knee-jerk reactions more likely. Finally, the raw speed of business operations—from rapid communications to shorter product-development timelines—makes crises more likely.

Understandably, companies spend more time trying to prevent crises than preparing for them. However, crisis readiness has become at least as important as risk management, takeover readiness, and vigilance over safety.

Five parallel paths to resolution

It helps to think of a crisis in terms of “primary threats” (the interrelated legal, technical, operational, and financial challenges that form the core of the crisis) and “secondary threats” (reactions by key stakeholders to primary threats). Ultimately, the organization will not begin its recovery until the primary threats are addressed, but addressing the secondary threats early on will help the organization buy time.

When a crisis hits (or is about to hit), one of the first actions should be to create a cross-functional team to construct a detailed scenario of the main primary and secondary threats, allowing the company to form early judgments about which path the crisis may travel. This helps the organization set out major decisions it needs to make quickly and is the first step toward wresting back control—improving the headlines of tomorrow, rather than merely reacting to the headlines of today.

1) Control the organization

An effective crisis team is central to mounting a satisfactory response. The best crisis organizations are relatively small, with light approval processes, a full-time senior leader, and very high levels of funding and decision-making authority. The team should be able to make and implement decisions within hours rather than days, draw a wall of confidentiality around the people who are responding, and protect those not involved from distraction in their day-to-day activities.

A common error is to choose an external expert as leader of the company’s crisis response. External hires typically struggle to motivate and organize the company in a crisis situation. The right leader usually will be internal, well known, and well regarded by the C-suite; will have served in an operational capacity within the industry; and will enjoy strong informal networks at multiple levels in the company. He or she should possess a strong set of values, have a resilient temperament, and demonstrate independence of thought to gain credibility and trust both internally and externally.

2) Stabilize stakeholders

In the first phase of a crisis, it’s rare for technical, legal, or operational issues to be resolved. At this stage, the most pressing concern will likely be to reduce the anger and extreme reactions of some stakeholders while buying time for the legal and technical resolution teams to complete their work.

For instance, an emergency financial package may be necessary to ease pressure from suppliers, business partners, or customers. Goodwill payments to consumers may be the only way to stop them from defecting to other brands. Business partners might require a financial injection or operational support to remain motivated or even viable. It may be necessary to respond urgently to the concerns of regulators.

3) Resolve the central technical and operational challenges

Many crises have a technical or operational challenge at their core. But the magnitude, scope, and facts behind these issues are rarely clear when a crisis erupts. At a time of intense pressure, therefore, the organization will enter a period of discovery that urgently needs to be completed. Frequently, however, companies underestimate how long the discovery process and its resolution will take.

It’s best, if possible, to avoid overpromising on timelines and instead to allow the technical or operational team to “slow down in order to speed up.” This means giving the team enough time and space to assess the magnitude of the problem, define potential solutions, and test them systematically.

4) Repair the root causes

The root causes of major corporate crises are seldom technical; more often, they involve people issues (culture, decision rights, and capabilities, for example), processes (risk governance, performance management, and standards setting), and systems and tools (maintenance procedures). They may span the organization, affecting hundreds or even thousands of frontline leaders, workers, and decision makers. Tackling these is not made any easier by the likely circumstances at the time: retrenchment, cost cutting, attrition of top talent, and strategy reformulation.

For all these reasons and more, repairing the root cause of any crisis is usually a multiyear exercise, sometimes requiring large changes to the fabric of an organization. It’s important to signal seriousness of intent early on, while setting up the large-scale transformation program that may be necessary to restore the company to full health.

5) Restore the organization

Some companies spend years of top-management time on a crisis, only to discover that when they emerge, they have lost their competitiveness. A large part of why this happens is that they wait until the dust has settled before turning their attention to the next strategic foothold and refreshing their value proposition. By this stage, it is usually too late. The seeds for a full recovery need to be sown as early as possible, even immediately after initial stabilization. This allows the organization to consider and evaluate possible big moves that will enable future recovery, and to ensure it has the resources and talent to capitalize on them.

In conclusion

Risk prevention remains a critical part of a company’s defense against corporate disaster, but it is no longer enough. The realities of doing business today have become more complex, and the odds of having to confront a crisis are greater than ever. Armed with the lessons of the past, companies can prepare in advance and stand ready to mount a robust response if the worst happens