Coffee with Dr. Ian Mitroff: thinking the unthinkable
Dr. Ian Mitroff and I first met after I read his book “Why some companies emerge stronger and better from a crisis: 7 essential lessons for surviving disaster.” Every time we had virtual coffee since then, I’ve taken copious notes.
Credited as the founder of the modern discipline of proactive crisis management, Dr. Mitroff has written over 40 books. They include Managing Crises Before They Happen, The Essential Guide to Managing Corporate Crises, and A Spiritual Audit of Corporate America: A Hard Look at Spirituality, Religion, and Values in the Workplace.
Dr. Mitroff’s vision for strategic, proactive, systemic crisis management is deeper than anything I’ve encountered in my consulting career, and I thought others might benefit from hearing his thoughts, too. So came the idea of a coffee break with Q&A’s.
Natalia Smalyuk
Ian, thank you for taking the time to share your thoughts on crisis management. First, can you say a few words about what it is, in your opinion?
Dr. Mitroff
In short, crisis management is thinking the unthinkable – and preparing for it. We know there are different general types of crises. We also know that no single crisis ever happens by itself. It’s always part of a system of interrelated crises, and it has the potential to set off a new set of interrelated crises. If you are not thinking proactively, strategically, and thereby systemically, you are not prepared. When a crisis happens, being reactive makes it worse because that adds to the original crisis. We need to be always looking for the early warning signals of what might happen and trying to head it off. I know it’s different from what people are rewarded for.
There’s one thing I want to make clear. Crisis management is a response to the fact that the world is creating more and more crises each day. Crises management helps organizations deal with them. It’s not forcing them to be prepared. It’s encouraging them to be prepared for themselves, their stakeholders, and their communities.
Natalia Smalyuk
It can be overwhelming to come up with all the unthinkables. Where do we start and where do we finish? If I were to play a sceptic – or devil’s advocate – I might ask, should we prepare for an alien invasion? That’s an unthinkable. But should we – for example, if we are a school or a hospital – prepare for an alien invasion? Where I’m going with this is the mechanics of thinking the unthinkable. How do we rate or prioritize the unthinkables that we need to prepare for and invest the resources in?
Dr. Mitroff
The point of the alien invasion question is to make the whole idea absurd. We don’t need to do this. Here’s how you can decide which crises to focus on.
Look at different families of crises – for example, technology, natural hazards and psycho-criminal – and pick at least one type in each family to which your organization could possibly be susceptible. Thus, in the psycho-criminal category, it could be a shooting. Then, go through all of the various types of crises in different families and prioritize them. Start with one and work forwards. Hopefully, over time you can link different families of crises and their types better. This is how you think proactively and systemically. The thinking is: “If this happens, then this can happen as well”.
In other words, you start with the types of crises that make the most sense to you. Then over time, you expand your crisis portfolio. It’s definitively a portfolio. Indeed, that’s the best metaphor for it. Focus on the big-ticket items, the most likely types of crises. Then, over time, look at the least possible ones. Often, they are the ones that will do the most damage. They have an uncanny way of becoming highly possible. The things you discount are the things that come back to haunt you.
What I’ve just described is a very simple, intuitive way of introducing crisis management to an organization. The initial understanding of the unthinkables could be aided by factual evidence – for example, a crisis or risk audit based on the insights from a leadership team, employee focus groups, information interviews or online surveys.
Of course, doing this takes time. It would be the rare organization that could do all of this all at once. In the meantime, while building proactive crisis management in an organization, hopefully, we are engaged in learning more about it. Ideally, before the big one hits, we’re further along in the process.
Natalia Smalyuk
I have colleagues in the risk management community, and we cannot always find an easy way to describe how crisis and risk management relate to each other, even when we want to collaborate. Can you talk about how crisis management is different from risk management?
Dr. Mitroff
I get asked this question a lot. I get that people are more focused on specific risks, which is not the same as crisis management, which typically looks at a broader spectrum of risks and potential crises.
Risk management has taken off because people see it as a systematic way of picking up important risks. Ideally, risks are based on statistics. Thus, formally, risk is defined as the probability of an event times its consequences. So you have very specific, quantifiable data to support decisions, which is appealing to management.
Crisis management is broader because it identifies a broader set of potential risks. They are not necessarily quantifiable. For example, such risks could be in the realm of culture or psychology. When it comes to crises, I don’t like describing them or the criteria for assessing them as “hard” or “soft” (like engineering versus psychology). What matters is whether something is important. Not whether it’s hard or soft. We often use the word “soft” as a term of derision. We shouldn’t.
To illustrate this, an organization whose culture is such that suspicions of technical problems are ignored and whistleblowers are silenced can create safety risks. When we talk about crisis management, we are often talking about whether the culture of an organization is receptive and ready for it. I confront this all the time.
Of course, people would like things to be more orderly. They want to be in a comfort zone. Risk management puts you in a comfort zone because you have clear quantifiable risks. Crisis management is exactly the opposite. It takes you out of a comfort zone and puts you in the discomfort zone. At least immediately. But it’s better to be taken out of the comfort zone before a crisis happens than during it. Again, if you are not prepared beforehand, it only makes an actual crisis worse.
Natalia Smalyuk
Your vision of the continuum of proactive crisis management includes before, during and after the occurrence of crises. Would it be fair to say that risk management should be viewed as the “before” part of this proactive crisis management continuum?
Dr. Mitroff
Risk management is a partial “before.” I am saying partial because risk management is not broad and comprehensive enough in its consideration of potential crises. Most risk managers identify a smaller set of risks than crisis managers identify. In short, risk management prepares for the tip of the iceberg – the things that are easily identifiable. And crisis management keeps pushing beyond one’s comfort zone. I understand that we don’t always want to think in terms of crisis management. Who wants to be uncomfortable? Well, welcome to the world! The world is under no obligation to live up to our desires.
Look at the risks created by generative AI systems. Labs are training and developing these technologies way faster than we are able to understand them and put some safeguards around them. This is an example of risks that are not necessarily captured by traditional risk management systems. Traditional risk systems rely on the readily available data based on the experience of the past. That’s hindsight thinking. To understand and mitigate the risks of the fast-emerging machine learning and language models, we need a different kind of thinking. Future thinking. Creative thinking. Critical thinking. We need to imagine what does not yet exist, fathom its potential harmful uses and start building safeguards. At societal, international and organizational levels. This is the domain of proactive crisis management.
Risk management doesn’t provide instruments for the “during” phase, either. What are you going to do when something has already happened? Now we’re talking about business continuity or recovery – repairing what you can. And then there’s the “after” phase – learning for the next set of crises. What did we do right? What did we do wrong? What do we need to repair? What do we need to accept? This is typically not part of risk management.
Put simply, I view risk management as something that is not as broad as crisis management. Should you use it? Of course. But use it systemically. Use it in combination with crisis management, which typically identifies a broader set of potential risks.
Natalia Smalyuk
Here’s my experience with the language clients use to talk about crises. With people like me, they talk about crisis communications. That’s straightforward. Some organizations – for example, banks or insurance companies – also have risk management; more and more are introducing enterprise-wide risk management (ERM) systems. And then there’s also business continuity planning (BCP), something that’s also seen as completely different. There’s a separate BCP-certified expert leading this function. When the subject of crisis management per se comes up, it’s usually in the context of the proverbial S&** hitting the fan. In fact, one of my colleagues described crisis management as “icing on a cake”, where BCP is a cake, and crisis management is the icing (“the what if this happens” part of business continuity planning.). Does this metaphor capture how you think about crisis management versus business continuity planning?
Dr. Mitroff
Business continuity planning ought to be considered as an integral part of crisis management. It’s the during and after phases of crisis management. How are we going to maintain our business? How are we going to recover? But you need to focus on proactive pre-planning for business continuity, ideally, before crises happen.
O.k., you can call it hitting the fan. The point is, what are all the things that can hit the fan, if you want to really make your organization prepared? Yes, you can say that you can’t prepare for everything. And you shouldn’t necessarily. You don’t want to waste your resources on an alien invasion. But you can be prepared as much as anyone can be by getting out of your comfort zone – preparing for different types of crises, not just fires and floods.
Again, crisis management is thinking the unthinkable, which is really uncomfortable for people. For example, thinking about things like terrorism or fraud. Clients may say: oh well, what’s the point of that? We already have enough on our plate. I’ve heard all the excuses, and all I can say is: lets start somewhere, and work to think more comprehensively and systemically.
Natalia Smalyuk
You mentioned in our earlier conversations that people are not educated to think systematically and are not rewarded for this in organizations. Why would they then practice systemic thinking in the context of crisis management?
Dr. Mitroff
We did a study years ago showing that those organizations that do crisis management proactively are significantly more profitable. It was part of a PhD dissertation by one of my students. So, crisis management is not only the right, ethical thing to do, but it’s also good for profits because, when you head off crises before they happen, you also head off the enormous expenses you throw at coping with a crisis when you deal with it reactively.
Natalia Smalyuk
Let’s talk more about what thinking systemically may look like. You mentioned earlier that most risk managers identify a smaller set of risks than crisis managers. In our other conversations, you also suggested that most organizations prepare for a limited set of risks that are familiar or a direct threat to their core business, such as contamination in the food industry, product tampering in the pharmaceutical, or supply-chain issues in the automotive. How can these companies prepare for a wider range of adverse events than what they’ve experienced before?
Dr. Mitroff
I’ll come back to what I said earlier. We know about the different types of crises or crisis families. For example, privacy breaches, financial crises, product tampering. I counsel clients not to discount any of the families. Instead, ask yourself, what’s the form of a particular crisis in this particular family such that it could happen to us? That’s the heart of crisis planning. It’s difficult because we don’t typically ask ourselves this.
We are in the game of trying to get people to think outside of the box so they can say, o.k., we haven’t typically thought of this. But here’s the form this crisis could take if it were to affect our organization, and this is how it could potentially damage us. This is what would keep me awake at night if, say, product tampering or domestic terrorism happened.
No one can do crisis management by themselves. We need to work with a small group of people, often including people at the bottom of an organization because they see issues more intimately than those at the top. Ideally, this means jointly constructing a worst-case scenario. What then would be the signals that it’s getting too close for comfort?
Natalia Smalyuk
I recall that we had a conversation about crises related to “things” – physical things, like buildings or technology infrastructure – as opposed to “people.” Even the technology family of crises – say, cyber security – involves the technology and the people sides of cyber security. Breaches often happen as the result of employee errors or misbehaviours. But organizations are not necessarily comfortable putting crises on the table that originate from people, especially if it’s from someone inside the organization. Another example is sexual harassment. That would be very uncomfortable to talk about. Are there safe ways to try to extend crises portfolios into these uncomfortable people-focused crises?
Dr. Mitroff
We are not only trying to get people to think about the unthinkable, but we are also trying to get them to speak about the unspeakable. Like sexual harassment. Of course, people don’t want to talk about it. Whether we want to talk about it or not, it’s a fact that it happens and needs to be dealt with.
Recently, the popular cartoon, Gilbert, contained racist statements. As a result, newspapers have stopped carrying it. Elon Musk was thoughtless when he said: “oh, you are trying to censor white people.” Talk about making a crisis for yourself.
It’s hard enough to get people to think about the unthinkable. It’s even harder to get them to speak about the unspeakable, about the very personal, about the things that can really ruin their reputations.
But my point is, the unthinkable is happening more and more. And the more you don’t deal with it, the bigger the impact it will have. Of course, even preparing for something can itself be viewed as a crisis or can cause a crisis. It may become controversial. It may become political. It may start generating bad press. It’s a case of “you’re damned if you do and damned if you don’t.”
I would argue that when something is particularly complex or sensitive you have to deal with it in the best way possible so that you can not only defend yourself, but demonstrate that you are a socially responsible organization. That you are thinking about as many stakeholders as you can and the impacts on them.
Natalia Smalyuk
The concept of speaking the unspeakable, in addition to thinking the unthinkable, is very interesting. I can see how this can be very difficult, and we certainly don’t want to create a crisis when we are trying to prepare for it.
Something that just came to mind is a situation in Ontario we had a few years ago. There was a nuclear emergency alert sent in error about an incident at the Pickering Nuclear Generating Station. I was taking a quick morning walk when I got a text message on my iPhone. Our family comes from an area contaminated by the Chernobyl disaster in Belarus, and I immediately called my daughter wondering if we need to get radiation-blocking iodine pills. That false alarm caused quite a bit of confusion, which became a crisis in itself.
Dr. Mitroff
Well, it could have been a crisis.
The broader point I want to make though is that if anything is at the heart of proactive crisis planning, it’s worst-case scenarios. And this goes beyond risk management and business continuity planning. What are the worst-case scenarios that can do the most damage to you, your stakeholders, and your community? Your products, your reputation, your standing, your financials, your very survival? Once you’ve identified such scenarios, you are able to consider the “before, during and after” phases of crisis management. What can you do in the “before” stage to help prepare for the worst-cases, mitigate risks and catch early warning signals? What are you going to do during a crisis? If you haven’t prepared “before”, you are not going to do well “during” a crisis because your lack of preparation is going to add to the complexity and expense of managing it. And in the “after” phase, what’s your honest no-holds-barred assessment of what you did right and what you did wrong so that you’re better prepared for future crises?
Natalia Smalyuk
Lets get to the operational side of things. Lets say, I am the CEO of a mid-sized business and I want to do everything right. I come to Ian and say, look, I need to do crisis management for my organization. How do I resource it? What should my budget be and who should I hire to do the work? I might also be wondering whether I can find the management time and resources for this.
Dr. Mitroff
Well, if you don’t have the time and money now, just wait until you have an actual crisis. It’ll be much more costly and time-consuming. And that’s one of the excuses that people have. I heard it again and again.
Typically, proactive crisis management is approximately one half to one per cent of your total operating budget. So we’re not talking about straining your budget. There has to be at least one person who is thinking about the big picture. A Chief Crisis Officer, or somebody else in your current set of top executives who will take on the role.
A crucial point is where crisis management should be located. What function in the organization will take it seriously? Should it be part of security, legal affairs, IT, quality control? Ideally, you’d have a crisis management team that includes the CEO, COO, legal affairs, CFO and all key organizational functions because crises involve all of them.
If I had to pick one function, it would be quality control because crisis management can make or break the products or services of an organization. So quality control is a natural home, especially in the manufacturing or engineering context.
We could have a separate conversation about centralized or decentralized organizations with many offices, which are sometimes geographically dispersed.
But, no matter how centralized or decentralized the organization is, crises happen at the national and sub-unit level. If they happen to the units, they often pertain to the organization as a whole, with the same corporate functions involved.
Ideally, the crisis team would meet at least every couple of months to review the status of its unthinkables. What’s heated up? What’s happened to other members of your industry? What crises are we not prepared for? What things look probable?
Now, that’s also part of strategic management, and not just risk management or business continuity planning. It would be part of strategic thinking. Strategy is a key here. Proactive crisis management should be integrated with strategic planning. But, again, however we can get an organization to think more broadly about crises, and whoever can take on the role most naturally, I am fine with that. Does this make sense?
Natalia Smalyuk
I am sensitive to the optics and I can see how organizations might be uncomfortable introducing the position of a Chief Crisis Officer. We don’t want to create the impression that we have a lot of crises. I recall that I recently saw the Canada Deposit Insurance Corp. (CDIC), a Canadian body that insures bank deposits, was looking to hire a Crisis Communications Officer. But, generally speaking, it’s not common for organizations to have the word “crisis” in the name of the position.
A Chief Risk Officer may sound more plausible, but then, again, we are back in the risk management paradigm as opposed to proactive crisis management.
You also made an interesting point about strategic planning. I’d like to get back to it, may be in our next coffee chat.
Dr. Mitroff
If you don’t like the term Chief Crisis Officer, I understand. We have to be sensitive to what terms are acceptable in an organization. A Chief Risk Officer may be more palatable. Not as scary. As long as you do the actual function, I don’t care what you call it.
Crises are very inconvenient. Who indeed likes them? But, again, welcome to the real world. It’s manufacturing crises at a greater rate than we can defend ourselves. For example, the culture wars in the U.S. are so bad that, in effect, we have our own version of a Cold War. That’s a new form of a crisis, in addition to various other things we have to deal with, like the derailment of trains, the proliferation of guns and the anti-abortion movement. These new societal crisis forms are also affecting organizations.
I know that a lot of this is too jarring for them to hear. So however we can present a proactive crisis management message, whichever way we can get decision-makers to pay attention, I am all for it. That’s precisely why you and I are talking.
We know that to present an organization with all that we are talking about now might not be helpful. They can just shut down. It’s too much.
But hopefully we can help them start preparing before a crisis hits, based on what’s within their tolerance level. We can talk about what we can do – rather than what we can’t control. Are they open to doing a simulation? If any kind of crisis happens, would they be prepared financially? Emotionally? Strategically? I know that’s asking for a lot. I wouldn’t be saying all this if the world itself weren’t manufacturing more and more crises. I am often called Dr. Gloom and Doom. And I understand it. I got involved in this field more than 40 years ago because it’s important, and I am glad that we are having this conversation, and that you are playing the devil’s advocate because you are only raising what you hear.
Natalia Smalyuk
I am glad to hear you acknowledge the importance of messaging and communication in crisis management because nothing is going to happen unless people buy into the importance of it. Also, I don’t know if I’d agree with calling you Dr. Gloom and Doom😊. You definitely have a calming effect, and we definitely need that when we talk about crises.
Dr. Mitroff
Well, that’s good to hear. Messaging – or whatever you want to call it – is important because it helps get the attention of people. You have to avoid scaring them and you have to give them the confidence that this stuff is doable. That’s the right attitude for crisis management. If you don’t make it doable, and if you don’t show people how to do it, then you are just headed for a crisis. And what’s the point of that? I wouldn’t be doing this if I didn’t believe that there’s a way of getting it done. Yes, it’s difficult, but you have to build up to it.
Natalia Smalyuk
Ian, you said in our earlier conversations that every serious crisis is a “wicked mess”– a tightly interconnected system of highly interactive problems. Are organizations more prepared to deal with “wicked messes” today than they were before the pandemic? Is crisis management more “doable” now?
Dr. Mitroff
No, unfortunately, they are not. And I wouldn’t start with “wicked messes.” I would start with crisis management.
Here’s what I would do. Pick two crises. Lets start with just two. Pick one type of crisis that you know is highly probable. Maybe it’s similar to something that has already occurred. Reflect on how your organization handled it. Then pick one type of crisis that you view as improbable and that would have very significant negative consequences if it came to pass. The third step would be to explore how both of them could happen simultaneously. If they both happen at once, what would happen then? How could one crisis provoke the other?
That’s how you begin to extend your crisis portfolio. Just start with two. And that’s how you start to think systemically. You think about what happens if these two crises collide.
Here’s an example.
Years ago, I was working with an oil company. I said, lets look at a potential crisis of consumer product tampering. The client didn’t want to do it because “no one tampers with our petroleum products.” I said, wait a second. You have convenience stores at each of your gas stations. You sell candy and pain killers. The proverbial light went on, and the client said: Oh yes. My God. Yes, we could have product tampering occur in our stations, which would damage our customers.
The point is: you’ve got to make it plausible. You have to make it realistic. Our job is to get clients to think the unthinkable and then put some boundaries around it so that they can begin to deal with it.
Natalia Smalyuk
In my experience, clients actually love hearing about wicked messes. This is intellectually very stimulating. Decision-makers enjoy talking about case studies and war stories, the “how-to” and “how-not-to” fables. Usually, it’s about somebody else in Canada or the U.S. or elsewhere across the globe. These stories create a lot of lively discussion. When we try to take these case studies and apply them to the reality of specific organizations though in simulations and desk-top exercises, that’s where things may get more challenging or uncomfortable.
Dr. Mitroff
I am surprised that people you work with can tolerate the notion of a wicked mess because it’s pretty abstract. But if that engages them, well, then they’re ready for it.
War stories are important, as you know. War stories are, first of all, just that – stories. They help put crises in the language of an organization so they can make sense of them. A war story is how they visualize crises, how they categorize them, how they relate to them. That’s how they make sense of them.
Unfortunately, as you say, the process often ends with the war stories based on the experience of other players. Organizations just don’t connect them to their own reality. Sometimes, they think: that won’t happen to us.
But if they had a catalogue of their own war stories, different stories about different wars in their own organizational experience, that’s one way of approaching crisis planning. We can start with the past. Lets say, we look at this particular war story that is about this particular crisis that happened to our organization five years ago. We look at how we dealt with it or how we didn’t deal with it.
Then, we can envision a future war story about how a crisis in a similar crisis family could play out in the future in a changed environment. That’s how we start thinking systemically and planning proactively.
I am open to whatever language we need to use to get inside an organization and make sense to its team to start planning proactively.
At the end of the day, all I am talking about is extending a crisis portfolio – for example, from the wars you’ve already fought to the ones you haven’t yet encountered. And those war stories are themselves part of a wicked mess.
Natalia Smalyuk
I don’t know if this expression I suggested – war stories – is the right term these days, but I do know that case studies – or situational analyses of what happened to organizations in other contexts, in other industries or at other times – are extremely informative. You and I know this from our cybersecurity presentation for the Centre for Catastrophic Risk Management. We also spoke about case studies with Canadian students. Often, the best entry point into a conversation about proactive crisis management is to present people with a specific example.
Dr. Mitroff
I agree with that because that’s what most people can easily focus on. It’s something to put their hands on, to put their minds around. Crisis management gets very abstract. I know that. And I really appreciate what you do. I am as aware as anybody else of how abstract and theoretical this all can get unless you bring it down to earth.
I got a lot of push back at the beginning of my consulting career when people didn’t want to hear about the results of a crisis audit that I had done for their organization. In fact, I got fired a couple of times so I learned that you can only present such information very carefully. You only present what people are ready to hear.
Again, the biggest part of crisis management is psychological and cultural.
Part of the business, as you know, is packaging crisis management. I’m extremely sensitive to it. I come out of engineering. I’ve studied the philosophy of science and the social sciences. As a result, I’ve learned how limited engineering is. Engineering and tech turn people off. In fact, a lot of what academics do is a turn-off, too. That’s what you and I are trying to avoid. That means being sensitive, being hyper-sensitive to the culture and language of an organization and its hierarchy, whatever it is.
You have to get the confidence, the trust of people. You have to learn the language of the organization. You have to learn who is the right person to present your findings to, and do it in the right way. Because if you don’t, people zone out. Especially when it’s the stuff people don’t want to hear.
I learned very quickly that I need to ask clients: what language should we use to get things across? Who should I be saying this to? What are going to be the objections? Where’s the resistance? I learned very quickly that we need to pay attention to how we are going to deliver this stuff. That’s something we have to say to students, too, so they are prepared. You either learn and adjust or you are out of business.
Natalia Smalyuk
From a communication standpoint, I like to say that I am in the business of helping people understand each other and deal safely with our differences. In crisis management, this is particularly important recognizing all the emotions, sensitivities and stressors that are inevitably involved in high-stakes situations.
Dr. Mitroff
It really is. Unfortunately, we are going to be in business for a long time, Natalia.
Natalia Smalyuk
Thank you very much for this conversation, Ian. I deeply enjoyed it and learned a lot. I hope in our next coffee we can dive deeper into the integration of strategic and crisis planning, as well as the psychodynamics of crisis management.