To view the recording of the on demand webinar, please register here.

Q1: Can you please give an example of acknowledging but not admitting to the event?

A1: We have become aware that [insert crisis] has occurred/occurred on [date]. We extend our sympathy to those impacted/Our thoughts are with those affected. We have put in place a team to investigate the circumstances which led to this and assure you we are taking it very seriously. Once we know more, we will provide an update.

Depending on the nature of the crisis, it may be appropriate to advise that you are bringing in experts/outside assistance.

Q2: Just for fun, if there is time, how do each of the speakers think Balenciaga have handled their recent crisis so far - including the urgent filing of a lawsuit?

A2: The response was appropriate but it was slow. It took Balenciaga a significant amount of time to take ownership of any of the issue. The acknowledgement of the error of featuring the bags with children and an apology for offence caused, and pulling the campaign was appropriate, as was the statement condemning child abuse, However publicly pointing the finger at a third party and advising of an action against them was a backward step from this, in our view. That legal action might happen in the background but to publicly blame someone else at the same time as apologising seems to detract from the apology. They finally issued a statement from the Creative Director and the CEO and have dropped the lawsuits against the production company - likely the right move but it does seem to confirm that they were trying to pass the buck.

Q3: In the presenting team's experience, which role is generally best positioned as the public "face" during a crisis? CEO or the senior-most officeholder (i.e. Chair)?

A3: Unless the crisis relates to actions of the CEO him/herself, or an issue at Board level, we think the CEO is the best positioned to be the public face. If the CEO's actions are impugned, or the matter relates to the Board, we would suggest the Chair take on that role. If the Chair is affected, the deputy chair or lead independent director would be the appropriate person. We recommend that these senior people have media training to assist in their ability to respond.

Q4: Section 5AH of the Civil Liability Act in WA provides that an apology does not constitute an admission and can't be used in evidence. I don't know about other states. Can an apology be used strategically in a crisis with the comfort of this protection?

A4: Care needs to be taken with any apology, as even if not considered an admission, it may cause issues with reputation, both internally and externally, and with insurers. That said, it may be appropriate to apologise for something happening (eg. We are sorry that you have been impacted by X) but without accepting liability/responsibility for its cause.

Q5: Where is the boundary between reputation risk generally and reputational risk that might arise out of a potential government inquiry? One seems to be a non-legal issue, but the other one a legal matter

A5: We see the issues as being very similar, in terms of the recommended response, although a government inquiry may involve mandatory elements that are absent from other crises and imposed timeframes for activities, such as the production of material.

Q6: What is the panel's view about ideal length of a crisis playbook/framework? Couple of pages?

A6: The length of the crisis framework very much depends on what it is intended to cover and what your business is, your place in the market and who your stakeholders are. For certain circumstances, such as a raid by a regulator, a checklist comprising about a page is probably the most useful. However, if your playbook includes some draft holding statements for various potential crisis events, plus a list of contacts, steps to take and instructions for staff, it could be many pages long. If it is a longer document, we recommend an accompanying "pocket guide" or flow chart to help people find the right guidance quickly.

Q7: Could you please touch on ASX reporting obligations and the interplay with crisis management?

A7: ASX Listing Rule 3.1 requires that entities immediately disclose market sensitive information that a reasonable person would expect to have a material effect on the price or value of the entity's securities. It is likely that an event that merits the label "crisis" will need to be disclosed to the market. "Immediately" means "without delay". While there is some allowance for gathering information and preparing an accurate announcement, you may need to request a trading halt if you know that the issue is material but you need time to properly investigate and assess its impact. If you are a listed company, your Continuous Disclosure policy should include an overview of the Listing Rule and its exceptions, and state who is authorised to approve announcements to the market.

Q8: Are there any key learnings that you have from how Medibank and Optus have responded to their recent cyber security crisis/ incidents?

A8: Optus' response was problematic because of an apparent knee-jerk response about what happened, which turned out not to be accurate. The lesson from that is not to make any early comment about a technical/subject-matter expert area without input from those who are in the know. Otherwise you face not only the reputational risk involved in the crisis but you face a credibility issue. Early statements and interviews did them no favours - they appeared ill-prepared, emotional and wanting to paint Optus as a 'victim' of the attack - strictly speaking, this was not untrue but not what customers needed or wanted to hear at that time. Medibank's response was better in terms of communication of the issue.

Q9: What are the bare minimums that all companies' crisis management framework/playbook should cover?

A9: We think essential inclusions are an up to date list of contacts, both internal and external (include authorised spokespersons, lawyers, public relations and regulators), a checklist of actions to take in certain circumstances and some example holding statements.

Q10 Simulations are very time consuming and can involve several very busy people - what are your thoughts on shorter, more frequent desktop exercises, where you are really testing knowledge and robustness of response plans, versus 'full blown' scenarios?

A10: Any type of practice run is worthwhile, in our view. The desktop exercises won't induce the same type of pressure and give the feeling of a "real world" experience as a full simulation but given the time and cost involved in a full blown simulation, we would encourage any preparatory exercises.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.