Texas Capital Bank Client Support will be closed for Veterans Day on Monday, November 11, 2024. We will be back to our normal 8:00 AM to 6:00 PM support hours on Tuesday, November 12, 2024. 

We will be making updates to our website from 8:00pm - 11:00 pm CST on 11/20. During this time, the website may experience some interruptions of functionality or be unavailable.

Crisis Planning: Protecting the Business You've Built.

Take these steps to protect your business.

From natural disasters to technological crises to workplace violence, this guide can help you evaluate the risks for your business, protect and prepare your business with proactive security measures, and develop and enhance your business’s response plans.

The world is an uncertain and complicated place. But one certainty is that every business — regardless of size and industry — risks facing a crisis, which may arise unexpectedly, and turn your business’s smooth sailing into rough seas.

You can take steps to protect your business from some crises, such as a breach of your electronic security, through proactive measures. Others, like a natural disaster, cannot be prevented. But one thing likely to add to the strain of any crisis is trying to deal with it unprepared.

Having a solid, well-structured plan in hand before a crisis gives your business its best chance to survive and recover.

If your business doesn’t have a formal crisis plan, step 1 below outlines actions to help you get started. To help your company prepare, we also recommend implementing proactive security measures and creating the business continuity and communication plans outlined in step 2.

Step 1: Developing a Crisis Plan

Planning for a crisis can seem overwhelming, but you can get started in five manageable steps.

Assemble A Team

  • Crisis planning is a group activity. Identify the players inside and outside your organization who should make up your crisis team. Consider including colleagues from your executive office, legal, communications, information technology, facilities, human resources and security.
  • There should also be a chain of command and a set of alternate locations for the crisis team to convene in the event a primary location becomes inaccessible, as well as backups identified for each crisis team member.

Start Small

  • Crisis can be defined as anything from a hurricane to an active shooter to a pandemic to your business falling victim to fraud. The list of possibilities can be intimidatingly long. One way to approach the development of a crisis plan is to start small by identifying your crisis team’s top five concerns for potential crises.
  • Not all businesses share the same vulnerabilities, but the vulnerabilities unique to your locations, industry and business must inform your planning.
  • When you’re planning, keep the focus on what’s most likely. If you craft a plan for each of the top five potential events, you’ll likely have a plan that can be adjusted to fit the specifics of the situation when a crisis arises.

Identify Critical Processes & Recovery Strategies

  • Make a list of the processes that are most critical to your business, and the technology, services and vendors required to support them. Once you have your list, conduct a gap analysis to determine where you have the proper recovery systems in place, and where you need to implement new systems. Take the proper steps to identify and implement the proper systems where you have gaps.

Know Your Communication Channels & Audiences

  • A crisis often involves communicating with multiple audiences, and each may require unique channels through which you communicate with them. As you think about potential crises, craft communications for each scenario, identifying the audiences you’d need to communicate with and the channels you’d leverage for doing so.
  • See Crisis Communications Planning & Policy below for more tips on communicating during a crisis.

Test, Test, Test

  • After you have your plans in place, the job isn’t done. They should be tested and refined. Run your organization through a mock crisis to see how well your plans hold up. Revisit your plans on an annual basis to see if any improvements need to be made.
Call In The Experts

Your business may not have specialized employees with experience crafting a crisis plan. However, there
are a number of outside agencies available, from security consultants to crisis communications experts, that help businesses prepare for various incidents.

Potential Audiences:
  • Clients or customers
  • Employees and their families
  • Executive team and/or board of directors
  • Government officials and regulatory agencies
  • Investors, shareholders and suppliers
  • Local community
  • News media
Potential Communication Channels:
  • Client- or customer-facing portals (where clients go on the web to log in and transact with your business)
  • Company intranet
  • Company website
  • Email
  • Emergency communication system (system that automatically sends outbound calls/texts)
  • Employee call tree
  • Location signage
  • Media placements
  • Press release
  • Social media: LinkedIn, Twitter, Facebook, etc

To help your company prepare,

we also recommend implementing proactive security measures and creating the comprehensive business continuity and communication plans outlined in step 2.

Step 2: Protection & Preparedness

Proactive Security Measures

Fraud, theft and information compromise can put a strain on your capital, expose confidential customer information and erode trust.

First Line Of Defense: Security, Policies & Controls

Your first line of defense is to make sure you have the proper security, policies and controls in place. Your security and IT departments should collaborate to ensure your electronic systems are an uninviting target through regular IT vulnerability assessments.

  • Make sure your systems are secure and restrict access to portions of the internet, such as unsecured websites and streaming services, which have been known to provide fraudsters access to your system.
  • Employees, particularly those in a position to move funds, should be thoroughly vetted.
  • Consider what potential weaknesses and gaps a fraudster may exploit and how you can remediate the area before a breach occurs. One way you may do this is by running a few “false frauds” in your organization to see how employees react and systems respond, then adjust accordingly.
Second Line Of Defense: Employee Education

Many organizations educate only the money movers about fraud and data compromise schemes. But every employee from the C-suite to the mailroom should be taught how to spot, mitigate and report fraud attempts. So, what should you educate employees about?

Emotional Tactics:

  • Employees should be familiar with the emotional tactics that fraudsters often use. They employ these techniques in an attempt to scare employees and make them panic, so they’ll stop thinking. Employees should stop and ask themselves if what they’re hearing or seeing makes sense. Is there anything unusual in the request? Any strange circumstances? It’s OK to be skeptical. It’s always a good idea to double-check. It’s not paranoia, because chances are we’ve all been the target of at least one fraudulent attempt.

Business Email Compromise (BEC):

  • Educate your employees on BEC. It’s an increasingly common fraud scheme, which, according to the FBI, has cost U.S. businesses $1.6 billion since 20131. BEC can occur when an attacker poses as a trusted colleague and sends a bogus message to another employee requesting the wiring of funds. In some cases, BEC attempts can be foiled with a simple phone call or a walk down the hall to double-check a wire request, so start by implementing a policy that requires voice or in-person verification of every request received. 

Phishing:

  • Employees should not click links or open files in emails they’re not absolutely sure they can trust. Doing so can introduce malware or ransomware on their device. Fraudsters often pretend to be organizations such as the IRS or the Better Business Bureau. Employees should know that these organizations don’t officially communicate by email.
  • Employees should be educated on these topics when they join your company, and then at least annually thereafter. 

Fraudsters are just as serious about their business as you are about yours; as such, their strategies, technology and expertise often advance quickly. 

No organization is immune to fraud, so protective measures are imperative. Reviewing our fraud protection checklist on a regular basis can help you make appropriate policy and procedure changes. 

Fraud Vs. Information Compromise

Fraud: 

Fraud and theft can come from inside or outside your organization. In 2010, electronic theft surpassed physical theft for the first time, and the divide has only grown since.2

  • Employee theft is a problem for all businesses, occurring almost 15 times as often as theft from an external source, according to the U.S. Chamber of Commerce.3 However, it is usually in much smaller sums than external fraud schemes, rarely rising to the level of a crisis.
  • If your company is impacted by external theft, it can mean huge amounts of capital can vanish with a few taps on a keyboard.
Information Compromise:

Information is one of a company’s most valuable assets. Whether it’s a trade secret or a list of customers’ Social Security numbers, it’s priceless. It’s also a prime target for anyone who can breach your system.

  • Data breaches are an ever-increasing problem for companies. In 2016, there were more than 4,000 data breaches exposing more than 4.2 billion records.4
  • Denial-of-Service attacks on companies have grown exponentially, experiencing a 91 percent increase in 2017.5

Beyond Business Email Compromise

Some common methods of defrauding a company beyond BEC include:

Fraudsters are just as serious about their business as you are about yours; as such, their strategies, technology and expertise often advance quickly. 

No organization is immune to fraud, so protective measures are imperative. Reviewing our fraud protection checklist on a regular basis can help you make appropriate policy and procedure changes. 

Fraud Vs. Information Compromise
Fraud: 

Fraud and theft can come from inside or outside your organization. In 2010, electronic theft surpassed physical theft for the first time, and the divide has only grown since.2

Information Compromise:

Information is one of a company’s most valuable assets. Whether it’s a trade secret or a list of customers’ Social Security numbers, it’s priceless. It’s also a prime target for anyone who can breach your system.

Beyond Business Email Compromise

Some common methods of defrauding a company beyond BEC include:

  • ACH Fraud: Unfortunately, ACH fraud can be easy to execute, requiring just two pieces of information.
    • Employee theft is a problem for all businesses, occurring almost 15 times as often as theft from an external source, according to the U.S. Chamber of Commerce.3 However, it is usually in much smaller sums than external fraud schemes, rarely rising to the level of a crisis.
    • If your company is impacted by external theft, it can mean huge amounts of capital can vanish with a few taps on a keyboard.
    • Data breaches are an ever-increasing problem for companies. In 2016, there were more than 4,000 data breaches exposing more than 4.2 billion records.4
    • Denial-of-Service attacks on companies have grown exponentially, experiencing a 91 percent increase in 2017.5
    • Automated Clearing House (ACH) Fraud: Unfortunately, ACH fraud can be easy to execute, requiring just two pieces of information.
    • Check Fraud: Between forgery, counterfeiting, check washing and new techniques enabled by advancing technology, check fraud is an all-too-common criminal act that can be carried out by employees and outsiders alike.
    • Ransomware: Several large-scale schemes have involved the use of this type of malicious software that blocks access to your data until a ransom is paid.
    • Wire Fraud: Confidential information is often exposed through phishing or social engineering, and is then used to gain access to electronically transfer money from your accounts. Corporate account takeovers can also occur when log-in information is captured through malware that allows fraudsters to log key strokes.
  • Check Fraud: Between forgery, counterfeiting, check washing and new techniques enabled by advancing technology, check fraud is an all-too-common criminal act that can be carried out by employees and outsiders alike.
  • Ransomware: Several large-scale schemes have involved the use of this type of malicious software that blocks access to your data until a ransom is paid.
  • Wire Fraud: Confidential information is often exposed through phishing or social engineering, and is then used to gain access to electronically transfer money from your accounts. Corporate account takeovers can also occur when log-in information is captured through malware that allows fraudsters to log key strokes.

 

Business Continuity Planning

Your crisis plan should address some components of a comprehensive business continuity plan. However, implementing a business continuity program is a good next step to help ensure that business processes can continue during an emergency or disaster. 

There are four components of a solid business continuity program:

1. Conduct a Complete Business Impact Analysis

Complete a review of all the business processes within the organization, and the technology, services and vendors required to support them. Next, analyze the list to identify which are most critical for the business’s survival.

Depending on the size and complexity of your business, identifying all of these might be challenging, but administering a questionnaire that all business leaders are required to complete is one way to help you identify any gaps in the list.

Once all business processes have been identified, prioritizing them is the next step. In the event of a disaster, you’ll want to have already identified what processes are most critical to keep your business running. Of course you want to save everything, but if you can’t you must have the systems in place to save what you absolutely need.

2. Conduct A Risk Assessment

Create as comprehensive a list as possible of the specific types of risks that could impact each business site or location. For example, a business site on the Florida coast may be at risk of hurricanes, while a business site in Wisconsin needs to prepare for a crippling blizzard. Both may be at equal risk from a non-weather crisis, however. Each risk should be considered in terms of likelihood and possible impact on the business.

3. Business Continuity Plan

In creating the plan itself, the two previous items are considered in concert with each other to create a step-by-step strategy for the business to recover from whatever the crisis may be.

As part of your gap analysis, determine the gaps between recovery requirements and current capabilities. Then explore recovery options, and take the proper steps to implement them. Also consider what equipment or other supplies are needed that may be required by various processes.

From the first realization a crisis is occurring to resuming operations as normal afterward, a business continuity plan should identify the following for each of the events your business is most to prone:

  • Relocation/alternate site plans
  • Recovery teams and decision-makers, and directives for what they do when a crisis begins, designating a clear chain of command
  • The critical processes that are most impacted, and disaster recovery procedures for IT and business continuity teams
  • Applicable work-arounds for systems that can’t be recovered immediately
  • Communication plans (see to Communications Planning for more)
  • Long-term implications and plans should the disaster have an ongoing or longer-than-expected impact
  • Post-crisis plans for returning processes to normal, reconstructing systems if needed, filing reports with insurance carriers and the appropriate regulatory agencies

4. Testing

The plan isn’t complete until it’s been tested. This means role-playing through the crisis and including both physical tests and technical — or IT — tests. In a technical test, you’ll want to consider: Can the information be relocated to a safe site? In a physical test, you’ll want to consider: Can a building be evacuated and a remote office set up in another site? Don’t neglect user acceptance testing after systems are moved; if your recovery system is implemented, the people who use the systems every day need to be able to resume their work with a minimum of adjustment.

Your crisis team, including executive management, should review and approve the initial plan, and revisit it annually after testing.

 

Crisis Communications Planning & Policy

No matter what kind of crisis your business faces, it doesn’t come alone — whether it’s a natural disaster, pending litigation or security compromise — it often comes with a communications crisis attached at the hip. Poor handling of communications during a crisis can shake confidence, erode employee morale or impact your public reputation, compounding issues and worsening the crisis.

For each type of risk you identify, your crisis communications plan should:

1. Identify Relevant Audiences

Revisit and expand your audience list for each type of crisis. Consider whether each audience has different segments that need to be communicated to uniquely for each scenario. For example, do you need to communicate something additional to your customer-facing employees than other employees?

2. Identify Communication Channels

Identify which communication channels are available and effective for each audience segment in various crisis scenarios.

3. Document Procedures for Approval and Deployment

Intended communication may require approval from different individuals or groups within the  organization. Make sure those processes are outlined in your final plan, and detail the proper steps and key players before issuing any communication.

4. Develop Communication Templates

Though you can’t predict the future, by creating communication templates and ensuring they are preapproved by the proper parties in advance, you’ll be much more nimble when every minute counts. Another advantage to creating communication templates is you can weigh messages when you’re in a clear frame of mind versus being in a reactionary mode during a crisis.

5. Identify & Train Spokespeople

Carefully select individuals who can represent your organization in the event of a crisis, then provide media training for those spokespeople. It’s essential that each of them understands the basics of how to effectively interface with the media in critical times.

You should also make sure that your crisis and recovery teams know who the identified spokespeople are, so that unauthorized individuals do not speak on behalf of your company.

Your crisis team and executive management should review and approve the final plan, and revisit it annually after testing.

 

After A Crisis

No doubt about it, handling a crisis is exhausting. But when it’s over your work isn’t done. It’s important to conduct a review session with every response team participant. Then revisit your plan, evaluate your actual response and adjust your plan accordingly. Don’t let the experience you just had in crisis management go unused. 

Implement A Media Policy

Make sure employees know that they should not respond to inquiries from the media. Arm them with procedures so they can effectively direct incoming media inquiries to the appropriate spokesperson, and remind them of the policies and procedures annually so the expectations are top of mind.

How Can Texas Capital Bank Help You?

Every business is different and every crisis plan is different. Your circumstances are unique, and your plan should be tailored to match them. Our highly experienced bankers are well-versed in the trends and topics that affect your business. Plus, our network is your network; we’re always happy to connect our clients with experts from our company or contacts within our network. Contact a Texas Capital Bank relationship manager to discuss the future of your business.

Connect with an expert banker.

Experience more with experienced bankers who are committed to helping you grow.

Contact Our Experts

  1. “Business E-Mail Compromise E-Mail Account Compromise The 5 Billion Dollar Scam.” Public Service Announcement, Federal Bureau of Investigation Internet Crime Complaint Center, Federal Bureau of Investigation, 4 May 2017, https://www.ic3.gov/media/2017/170504.aspx. Accessed 13 June 2018.

  2. “Information Theft at Companies Surpasses All Other Forms of Fraud for First Time.” SecurityWeek, 18 October 2010, https://www.securityweek.com/informationtheft-companies-surpasses-all-other-forms-fraud-first-time. Accessed 13 June 2018.

  3. Simon, Matt. “30% of businesses will fail because of employee theft.” Hill & Hamilton, 3 March 2016, https://www.hillandhamilton.com/ohio-insurance-blog/30-percent-of-businesses-will-fail-because-of-employee-theft. Accessed 13 June 2018.

  4. “Data Breach QuickView Report.” Risk Based Security, January 2017, https://cdn2.hubspot.net/hubfs/614666/Reports/2016/2016%20Year%20End%20Data%20Breach%20QuickView%20Report.pdf. Accessed 12 June 2018.

  5. DeNisco Rayome, Alison. “DDoS attacks increased 91% in 2017 thanks to IoT.” TechRepublic, 20 November 2017, https://www.techrepublic.com/article/ddosattacks-increased-91-in-2017-thanks-to-iot/. Accessed 12 June 2018.

    Texas Capital Bank is a wholly owned subsidiary of Texas Capital Bancshares, Inc. We are headquartered in Dallas, Texas, and work with clients across the country. All services are subject to applicable laws, regulations and service terms.