CFOs and other board members need to prepare for continued uncertainty through resilience planning, an approach that goes beyond immediate crisis remediation and involves equipping an organization to weather constant and often unwelcome shocks including climate, IT security and other threats.

“Over the years, we’ve focused on putting in place the right frameworks, the right plans, [and] playbooks,” Bobbie Ramsden-Knowles, crisis and resilience partner at PricewaterhouseCoopers U.K., said in an interview. “What I have seen is a shift to also focus on equipping our leaders with the right skills and the right competencies to lead effectively under pressure.”

Executives have traditionally focused on addressing the immediate aftermath of a disaster but in an era of ongoing uncertainty, they need to strategize for longer-term threats based on detailed analyses of scenarios they’ve mapped out, she said during this week’s Take on Tomorrow podcast episode from PwC. 

CFOs have an important role to play as crisis leaders, bridging different perspectives across the board and the C-Suite, she noted.

“They might need to be involved in, for example, providing some very specific financial data associated with that crisis to help inform a very specific decision,” she said. 

The Waffle House Index

Through a flexible and iterative approach to crisis response, organizations can develop their own contextually relevant frameworks to help them undertake crisis planning and mitigation efforts.

For example, Craig Fugate, former administrator of the U.S. Federal Emergency Management Agency, said he used a concept he called “The Waffle House Index” as an informal way to measure the severity of a storm’s impact and the likely level of assistance that the area needs. 

“If you get there and the Waffle House is open and has a limited menu, it's probably got more to do with mass care issues, taking care of folks, no power, maybe no water, but not really where the search and rescue teams need to go,” he said during the podcast this week. “But if you get there where the Waffle House is closed because of the storm, start going to work because you're in the heavy hit area.”

In crisis situations, acting quickly is more important than taking action based on a precise needs assessment and formal requests for help, Fugate said. “There's two [post-crisis] hearings you're going to walk into: One where you didn't send enough stuff fast enough, and you're gonna get fired, or the hearing where you sent too much stuff and spent too much money and nobody suffered,” he said. 

Ransomware threat emerges

Though there may be differences of opinion within boards on mitigating climate change risks, companies increasingly find themselves under pressure to act.

“It’s absolutely part of the ESG strategy that most organizations are working on right now,” said Ramsden-Knowles. “Investors see that … and coupled with that there is that change in societal expectation and a change in consumer behavior.”

Other emerging threats C-Suite leaders could prepare for through scenario development include climate change and IT security risks, particularly ransomware, said Ramsden-Knowles. Ransomware typically refers to a type of software that blocks access to computer systems until a sum of money is paid.

The effects of ransomware on an organization can be catastrophic, and an approach to combating attacks involves detailed planning that could address how a business would recover if access to systems were blocked indefinitely and protocols to follow when an attack happens, said journalist Lizzie O'Leary, one of the podcast’s moderators.

“It goes beyond the type of planning I think we've done previously,” said Ramsden-Knowles. “You can map out a lot of those considerations as part of your playbook, and I think ransomware needs a playbook for your executives,” which would include how to communicate with stakeholders and how to handle reputation risks, she noted.