AFP 2019 speaker Fran Townsend, Executive Vice President for Worldwide Government, Legal and Business Affairs at MacAndrews and Forbes Inc., knows a thing or two about strategic risk and crisis management.
From 2004 to 2008, she served as assistant to President George W. Bush for Homeland Security and Counterterrorism, and she chaired the Homeland Security Council. Townsend also spent 13 years at the U.S. Department of Justice under the administrations of President George H. W. Bush, President Bill Clinton, and President George W. Bush. Today, she is a director on the boards of three public companies and a senior national security analyst for CBS News.
Townsend is the featured speaker at the Certification Luncheon at AFP 2019. She will discuss how crises can be mitigated with the right combination of leadership, courage and discipline. Townsend recently joined the AFP Conversations podcast, and previewed her session. The following are five important insights on what treasury and finance professionals can do to turn a bad situation into a positive one.
There is a lesson in every crisis. “When you're in the midst of a crisis, you are just focused on managing your way through it and mitigating any downside—any losses or liabilities. But once you've steered your way through the crisis, I’d say there's an opportunity to learn. Were there aspects of this that you could have or should have anticipated? If you had seen them, what could you have done on the front end to mitigate the impact if it happened? So when I say that crisis is an opportunity, it's an opportunity to learn how you can be better the next time.”
Tabletop exercises are great ways to test your preparedness. “You have to take what your plans are and do a tabletop exercise against them to test them, to both test the individuals who are going to have to manage the response to the crisis, and to test the crisis response plan itself. It’s always hard to convince executives who are too busy already to take time to do a game, or what they perceive as a game. But I will tell you, time and again, we identified gaps in our capabilities, in our legal authorities, and just in our general preparedness by taking the opportunity to do these tabletop exercises, which have become much more prevalent now in the cyber realm. In any risk mitigation plan, you need to test it and make sure people understand what their roles and responsibilities are, and then to make sure that you plug any gaps.”
Tabletop exercises may receive pushback, and you need find ways to get people on board. “At a mid, mid to lower-level in an organization, I think the concern there is, ‘Is this a blame game? Is somebody testing me because they're going to assess me and my capability, and I'm going to get blamed for a mistake? Or am I being tested so if I don't do well, I'm going to get fired?’ And part of this is to reassure the workforce, that's not what this is about. This is actually to improve everybody's performance. There's no downside to this if you're at the mid or lower levels.
“At more senior levels, the problem is the timeline. I mean, I can remember the first time President Bush signed an executive order requiring cabinet members on a quarterly basis to come in on a Saturday morning with me and participate in a tabletop exercise. You can well imagine, these cabinet secretaries who are working 18-hour days, seven days a week, do not want to take time on a Saturday morning, much less to do something that's not real to them.”
In the current cyberthreat environment, any sudden change to the norm should be questioned. “Too often we're focused on the vector of attacks-- how are people trying to hit your system and enter your system, and what is their purpose? Is it malicious, to destroy information? Is it to steal money? And sometimes it's not a pure cyber play. Sometimes it's a phishing attack that allows them to learn. It's a malicious email that comes into your system. Someone sits on your system and watches how information goes back and forth. They'll wait; they're very patient. And on the finance side, what we find is that an individual will then insert themselves into a conversation, get someone in the financial chain to transfer money out.
“Most people on the finance side will say, 'Well, that's ridiculous, I would never do that based on an email.' But if it looked like it was an email from the CEO, and it was a very well -done malicious email, you might. So what we've learned is you have to have sort of the belt and suspenders-- a double check. If it's a regular vendor, and for some reason they've changed their account number, pick up the phone and talk to that person before you transfer it. Even if it's an amount that you're expecting, and it's an email of a conversation that's been ongoing, if there's anything, any change to the normal business process, that ought to raise suspicions, and that's why sometimes you do what we call red team exercises, where a cyber attempt is made against the finance team, just to test them so they understand what a malicious attack using the cyber vector will look like.”
To turn a crisis into an opportunity, leaders must be prepared to confidently address the situation. “We have to understand that you're not going to be able to anticipate every crisis. Something's going to come at you that you didn't anticipate, and how big an impact it has, particularly for a public company, really depends on how the leader handles it, and whether or not markets, shareholders and the board have confidence in the leader. And I like to think that it really comes in three steps. The first is, when you recognize you've got the crisis, you've got to understand it and understand it quickly as the leader, in order to know what your options are. And that means bringing in outside help, spending the money you need to spend. This is not the time to cut corners or costs. If you need outside help from technical people, lawyers, communications folks, you got to bring everybody in. Get the facts, and get them quickly.
“The second piece to really instill confidence in folks is the leader's ability to describe in real detail. Because it's detail that conveys what the problem is and how they've identified it. You'll remember in the 2008 financial crisis, what happened was banks' leaders tried to articulate what the problem was, and every time they did, the bottom fell out, and markets lost confidence in the leaders' ability to really understand the problem. And so describing it in detail, using facts to demonstrate your own detailed knowledge of the problem, gives other people confidence that you'll know how to solve it.
“The third piece is to describe the solution--what the steps are that you're about to take to resolve the crisis. And in describing the solution, again, specifics matter, because what you want to do is describe it in measurable ways. You're giving them the ruler by which to measure your success, and so they don't have to wait for you to tell them, 'The crisis is over, I've solved it.' You've described the solution in such a way that an outsider can measure your performance, and therefore have confidence again that you understood it, and that you're dealing with it. And they'll be able to assess for themselves when the crisis is passed and what the damage is.”