Lessons from Optus: Beware of ‘natural’ crises, and never describe the obvious as unexpected

Every organisation, of whatever size, faces the risk of ‘natural’ crises.

These are not crises caused by natural disasters but arise from the identified crisis risks particular to your specific industry. 

If, for example, you are in the food business – whether you are a major manufacturer or a family-run restaurant – one of your natural crises might be an incident or allegation of widespread food poisoning.

If your company handles dangerous or flammable chemicals, your natural crises would include spills, leaks, fires and explosions.

If you are processing confidential customer information one of your natural crises would be cyberattack or exposure of sensitive data.

If you are a retailer handling high-value goods you would be very conscious of the risk of after-hours breaks-ins. 

If you are in the transport business – perhaps as an airline or a trucking company or a bus operator – one of your natural crises would be an aircraft crash or a vehicle caught up in a major road disaster.

For an aged-care facility or hospital, it might be the risk of a serious outbreak of infection.

All of these ‘natural’ crises have been in the headlines in recent times, yet too often the organisation concerned was very clearly unprepared for the obvious, or argued it was ‘unexpected’.

There is no better example than the recent network outage at Optus.

“We didn’t have a plan in place”: Optus

For a major telecommunications company, one of the most obvious ‘natural’ crises would have to be a catastrophic system failure. But that seems not to have been considered.

Appearing before a Senate Committee, the company’s managing director of networks, Lambo Kanagaratnam, conceded Optus had never held a crisis planning simulation for an outage of that scale.

He told the lawmakers that Optus believed the level of redundancy built into the system meant such a crisis was unlikely.

“We did do a network outage exercise in October, but it wasn’t for a full outage on the network,” Kanagaratnam said.

“We didn’t have a plan in place for that specific scale of outage. I think it was unexpected.

“We have high levels of redundancy, and it’s not something that we expect to happen.”

It’s not uncommon for engineers and other experts to have unwarranted confidence in technology. But there is a clear difference between confidence and denial.

Such denial is well illustrated by two high-profile American cases. 

In early 2019 the US Government staged a series of crisis exercises in Washington DC and 12 states based on a fictional scenario – codenamed ‘Crimson Contagion’ – based on a respiratory virus that began and rapidly became a global pandemic. 

A draft report on the simulation, obtained by the New York Times, revealed just how underfunded, underprepared and uncoordinated the government would be. It showed clashes between federal agencies; states going their own way on social isolation policy and school closures; and a shocking lack of medical equipment, respirators and ventilators. Sound familiar?

When the real COVID-19 struck just a few months later, then president Trump claimed: “Nobody knew there would be a pandemic or epidemic of this proportion . . . Nobody ever thought of numbers like this”. Yet, as the New York Times pointed out, Crimson Contagion had in fact simulated such numbers and was startlingly similar to the real crisis. 

This failure to learn from a simulation mirrored almost exactly what happened more than a decade earlier when the US Emergency Management Agency (FEMA) staged a massive five-day exercise based on a fictional Hurricane Pam striking New Orleans and creating a storm surge that topped the levees and flooded much of the city. Some critics argued at the time that the simulated event was far too expensive and unrealistic. But just over a year later – in August 2005 – Hurricane Katrina devastated New Orleans in almost identical fashion and became the most costly natural disaster in American history.

After the real hurricane  – and despite the eerie similarities with the crisis exercise – Homeland Security Secretary Michael Chertoff seemed to set the model for president Trump’s later response,  arguing that it was “particularly unpredictable” and “exceeded the foresight of planners and maybe anybody’s foresight”. The official report into the disaster concluded there was no failure to predict the inevitability and consequences of the monster hurricane, but a “failure of initiative” to improve protection.

Beyond denial, there is just basic mismanagement and a lack of preparedness for obvious risk.

When suspected botulism contamination of milk products caused an international recall crisis for New Zealand dairy giant Fonterra (which eventually proved to be a false alarm), the official investigation concluded the organisation failed to see the reputational risk. They said the company did not “join the dots” between botulinum contamination, infant food products, consumer sensitivities, and the company’s global reputation.

And in the wake of the notoriously mishandled Deepwater Horizon disaster in the Gulf of Mexico, BP CEO Tony Hayward later admitted the company’s contingency plans for such an oil spill were inadequate. He told a reporter: “We were making it up day to day”. 

An oil spill for an oil company and a poisoning scare for a food company must surely be classified as predictable, natural crises.

Small businesses are not immune

However, another important lesson from such international cases – and the recent Optus debacle – is the false impression that this mainly happens to big, high-profile organisations. Certainly, such cases get much more media attention, and affect significantly more people, but paradoxically size can in fact provide a level of protection. 

For example, a report of food poisoning at a small suburban takeaway shop could completely destroy the business. By contrast, a similar report involving an outlet of a major fast-food chain would more likely trigger a well-rehearsed response plan, supported by an army of crisis managers and lawyers to protect the brand. 

So, what can smaller businesses do to protect themselves?  The obvious answer is to develop and rehearse an effective crisis plan. That’s no surprise. But once the plan is developed, make sure you have identified and prepared for the natural crises that are inherent in your business. And that includes worst-case scenarios, which is where Optus planning apparently fell down.

Clearly, not every crisis arises from my definition of ‘natural’ risks. But it’s a pretty good place to start. The American management expert Kurt Stocker once wrote: “When you look at the majority of crises, what happened should have been on or near the top of the list of possible events. Why wasn’t anyone prepared?” 

It’s a good question, and one every company should ask. 

Dr Tony Jaques is an expert on issue and crisis management and risk communication. He is CEO of Melbourne-based consultancy Issue Outcomes and his latest book is Crisis Counsel: Navigating Legal and Communication Conflict (Rothstein, New York, 2020).