When the process becomes the problem
Culture • 15 July 2026 17:57:52 BST • Written by: Matt Rowntree
Marks & Spencer’s cyber-attack is back in the headlines this week, and not because of a new hack. It’s because the fuller picture of what actually happened is still emerging, more than a year on.
Go back to April 2025 and the opening act was well handled: M&S confirmed the incident within days, was upfront that stores stayed open while systems were affected, and got outside experts and the authorities involved fast. That’s the swift, human, first-72-hours playbook working exactly as it should.
Then came the harder part. Weeks became months. Online shopping stayed offline for the best part of seven weeks. And the true scale of it, the profit hit, the tens of millions in recovery costs, the slow drip of detail to Parliament and shareholders, only became clear long after that first statement had faded from memory. None of which means M&S handled it badly, if anything, they handled the opening exchanges better than most organisations manage. But it’s a near-perfect illustration of where crisis comms breakdown. Not in the first hours, when a small team can make decisions fast. It’s in the weeks after, when the process takes over..
That’s the version of crisis communications that works. It's lean, fast, focused and human-centric. The right people in the room, a clear chain of accountability, a statement that sounds like it was written by a person rather than a committee, and a decision made before the story gets away from you.
I've worked in that environment. When the crisis comms team was small by design: a communications lead, a relevant subject matter expert – legal, compliance, operational, depending on the nature of the issue – and a single C-suite signatory. The rest of leadership was kept informed. Nobody interfered and nobody held things up. It worked because everyone trusted everyone else to do their job, and because ownership was unambiguous.
Then I worked in a very different kind of organisation and I discovered what happens to a process like that when it meets scale, hierarchy and fear.
The issue that never materialised
A potential reputational issue was flagged. The kind that needed monitoring and a prepared reactive statement but not panic. In a smaller, more agile business, this would have been handled in a morning. Small team, statement drafted, escalation criteria agreed, plan signed off. Done.
Instead, I shared it with a peer at a more senior level for awareness and then the group started to grow.
Over the following weeks (still without confirmation the issue would even become public), the number of people who had seen the statement in some form crept toward fifty. It had been through so many iterations that the language had shifted from human and considered to something robotic and defensive. The tone (the thing that matters most when a crisis lands), had been committee'd out of existence.
The issue, in the end, never materialised. All of that work, and the involvement of some extraordinarily senior people, was for nothing.
Fear dressed up as governance
I want to be clear: I'm not describing stupidity. I'm describing a rational response to a broken structure.
In a large organisation, particularly one that's publicly listed, heavily regulated, or where people have spent decades building careers and protecting what comes with them, being wrong carries consequences that being indecisive does not. So people share. They escalate, they make sure someone more senior has also seen it, also agreed and also carries some of the exposure. It's not cowardice. It's self-preservation in a system that has quietly taught people that ownership is risk.
I've seen the same pattern in a large energy company, where the sign-off process for any external communication was so laborious, not because the content was complex, but because nobody wanted to be the person who approved it, that by the time a statement was cleared, the moment had passed. People with long-tenure, significant seniority and plenty of institutional knowledge were consistently deferring upwards on things that didn't warrant it. The process existed, ostensibly, to protect the business. In practice, it protected individuals.
The result, in both cases, was a communications function that, at the exact moment it most needed to be fast and clear, became slow and blurred. A statement that belonged to no one and a process that had quietly inverted its own purpose.
What this means for you
If you lead communications or run a business with any kind of public profile, you probably already know the version of this that works. You've built it, or you're in the process of building it. A tight team with clear accountability and the authority to act without waiting for twelve calendars to align.
Fight for it. Document it. Make it a named, agreed process before you ever need to use it, because the moment a crisis lands is not the moment to be negotiating the sign-off chain.
And if your business is growing, merging, or heading into a structure where that process is about to meet a much larger governance framework: push back early. Not on the principle of oversight (oversight matters) but on the principle of ownership. Someone has to be accountable. A room of fifty people with eyes on a document is not accountability, it's the absence of it.
The process exists to protect the business. The moment it starts protecting individuals instead, it has already failed.
