Shareholder Communications in Crisis and Non- Crisis Situations
Every organization has shareholders or stakeholders involved with, or having a stake in, its operations, procedures and ultimate financial or citizen-
results. As information technology is used in almost every business environment, shareholders are aware of the benefits and risks, and want to be kept current about good news and bad news. When operations are going well with few and normal problems, routine
and e-mail updates every week or two is a reasonable frequency. However, should an information security breach occur
organizational financial or legal exposure, shareholders require a very high level of communications with and between executives and senior management. The IT organization needs to establish four dimensions of communications:
Identifying shareholder and customer expectations
Establishing direct communication channels
Developing the message
Managing the message
IT executives and senior managers have the same problem as elected
: cutting through the noise to answer questions and provide information. In today s 24-
news cycle environment, almost anything occurring in the world can
good news cold, and bad news hot. It is a fact of life that shareholders and customers collect and review information on a 24x7 basis and compare the media provided information against management reports to understand the differences, if any. During times of crisis such as a major security breach, accidental release of customer files or information, loss of data during a
, or the inability to handle high
of sales data, the volume of information impedes understanding exactly what is happening or
. Complex problems must have simple
to gain political and shareholder support (which is often very difficult).
Here is a multi-prong approach to use to communicate shareholder information with both positive and negative information.
Dimension 1: Identify shareholder and customer expectations upfront
Learn the Why (Why are they interested in this situation?)
Define the When (What triggered their interest?)
Identify the Who (Exactly who is interested?)
Provide the How (How are they
(Why are some people upset and not others?)
Bridge the client-shareholder gap (Put yourself in both of their shoes.)
Ask questions to extract answers if information is not volunteered or easily available. Listen to who is speaking, and understand why others are listening. Determine who enjoys the largest benefits or advantages and who has the smallest gains. Confirm your assumptions with all parties, as details may not be obvious.
Dimension 2: Establishing direct communications channels
Why is this important? To avoid filtering or
of your message by others who may not have all of the information you may have. Communicating directly creates a single project voice that
the amount of confusion created by multiple perspectives for both good and bad news.
How can this be established?
Publish a monthly IT security newsletter
Build an organization IT security Web site having daily updates
Become the voice all the time, everywhere
Respond to questions on good news fast, and bad news faster
Dimension 3: Develop the message
Know your audience ” know what gets them interested and invested. Create a message that has a What s in it for them perspective from both the good news and bad news perspectives. If shareholders or customers will benefit from security improvements, let them know. It they will be negatively impacted
or legally let them know.
Good messages reach through to the
issues faced by shareholders (image, financial impact and future growth) and customers (information privacy exposure, total loss, or access constraints). Learn what they get asked about from their customers or investors so that you can use their terminology. Keep the message brief and focused, and exclude specific dates, dollars or short-
issues that you are unclear about.
With good news, tell everyone why everything is going well, and the benefits or advantages to be recognized. With bad news, identify who is affected and who is not, possible causes, and possible solutions.
Dimension 4: Manage the message
Determining the frequency,
to use and opportunities to present updates to your message are key management decisions. With good news, announcements can usually be established to accommodate everyone s schedule. With bad news, there is never a good time to update shareholders and customers. Whenever there is enough accurate information to explain what happened, why it happened and what corrective action plans are being started is probably the earliest a message can be presented. Having accurate information is better than providing speculation based on fast changing assumptions.
If updates will be needed, tell the audience when they will be provided and in what format (presentation, e-mail, voicemail, Web site posting, etc.)
External factors may have an impact on the IT security scope and resources, which should be mentioned to shareholders and customers during presentations. There are situations that are completely outside any plausible planning events or scenarios, such as the September 11, 2001 attacks on the New York World Trade Center and the Pentagon.