Optus outage: Why having a crisis plan is not enough

There’s an old saying in the crisis management business that the most effective form of crisis management is to take steps to prevent a crisis from happening in the first place.

But the latest debacle to engulf Optus is a reminder for businesses everywhere of what happens when you don’t prepare.

The story still has a long way to go – with experts trying to understand the technical problem that disconnected ten million people, and commentators deploring the inadequate communication and messaging from the telecom giant. 

Yet it’s already clear that Optus had no valid system in place to respond when a crisis struck in the early hours of the morning.

Most importantly, it’s not as if Optus has not had plenty of opportunity to learn from past crises. 

There has been an inevitable comparison with the Optus hacking crisis in late 2022, but let’s not forget the fiasco in mid-2018 after Optus purchased exclusive rights to stream most Soccer World Cup matches and share the balance with free-to-air broadcaster SBS. Right from the start thousands of paying customers were shut out by buffering and other technical issues. 

The company blamed “an extremely high number of viewers logging into our platforms just before kick-off, causing some systems to overload.” This raises the obvious question, why would it be a surprise that viewers would log in just before kick-off?

After intervention by then prime minister Malcolm Turnbull, Optus agreed to share some matches, and later all remaining matches, with the primary rights holder and offered refunds to customers. 

Then came the hacking crisis in late 2022, where Optus was once again blamed not just for technical shortcomings, but for inadequate and badly misjudged communication. 

The company initially said “up to 9.8 million customers might be affected” but later advised that 7.7 million did not need to take further action, though of course the damage to reputation had already been done. The company then offered free credit monitoring, but only after four days when the Cybersecurity Minister demanded it.

And it was a full week before Optus revealed almost 37,000 current and expired Medicare card numbers had been compromised.

Spring forward to November 2023 and the question has to be asked: what did Optus learn in terms of being prepared for a crisis, and how much has their communication improved?

Judging from the events of the last week, and the level of public and political outrage, the answer seems to be that very little was learned.

As Luke Holland of Think HQ told Mumbrella, “it’s always easy to be wise after the fact – hindsight can make crisis comms experts of us all”, but even this gracious stance cannot smooth over Optus’s actions. 

“It’s near impossible,” he said, “to find much to recommend in the public response from Optus to their nationwide service outage”.

While these three incidents which devastated Optus’ reputation are each different in nature, there are some key learnings for other companies.

Make plans like a boy scout and be prepared

Every organisation, no matter how large or small, should have a crisis response plan. It doesn’t need to be a massively sophisticated document, but it must meet the needs of the organisation and prepare it for when things go wrong. And it needs to be up to date and practised regularly. 

Optus will almost certainly have paid expensive consultants to help them develop a crisis plan, along with rehearsals and simulations and media training. But it clearly wasn’t effective.

Be ready to deal with the media

Crisis communication is only part of the wider crisis response plan, but it is essential to get it right. When communication fails, no amount of effective response can compensate. Not every manager can handle the media well, but it’s a skill that needs to be learned and practised.

Where there’s a crisis, there’s a politician

Politicians are a key stakeholder group. In all three Optus crises there was rapid political intervention. In the World Cup streaming fiasco, the prime minister at the time forced change to the broadcasting plan. Following the hacking attack, a newly-minted government immediately promised new legislation to combat the issue. And after the latest outage, government ministers instantly promised a political review and the Greens announced a senate inquiry. Not every company is equally exposed to political intervention, but it is a very real risk that has to be considered.

Every crisis provides an opportunity . . .  for other companies

With cybersecurity in the headlines following last year’s Optus hack, Australia Post, CBA, Binance and other organisations were quick to assure customers their online data is secure. However, it can be a dangerous tactic. There was a clear lesson in 2016 following a series of massive outages at Telstra. At a later function, then CEO Andy Penn boasted that a review of Telstra’s network showed its “incredible strength and resilience”. Just one day later their system crashed again.

Following the latest Optus outage, rival telecommunications companies immediately reported a spike in new customers. But only time will tell how real and how sustained that effect will be.

Regardless of the details of the Optus outage, and what new revelations and actions might emerge, the fundamental lesson here is about having an effective crisis management plan in place. 

Not just an off-the-shelf consultant cookie-cutter model, but a dynamic and flexible plan which provides for every specific scenario, for everything which might go wrong for your organisation, and which has been fully tested by probing for possible weaknesses.

However, as Optus has shown, it’s not enough just to have a plan. It has to work when disaster strikes.

Dr Tony Jaques is an expert on issue and crisis management and risk communication. He is CEO of Melbourne-based consultancy Issue Outcomes and his latest book is Crisis Counsel: Navigating Legal and Communication Conflict (Rothstein, New York, 2020).