The C-Suite has become more like a trauma center in a major city hospital than a card room in a suburban country club. The heightened risk of facing a crisis is being driven by the increasingly complex nature of operating a global business, the speed of change and the need to quickly react to huge volumes of information traveling 24/7 at the speed of the Internet. In many cases, companies are operating with less corporate staffing in multiple jurisdictions and time zones. Crisis management needs to be a mainstream business practice.
The types of potential crises continue to expand:
- cyber attacks and data security breaches;
- governmental investigations or regulatory compliance issues;
- sudden executive departures or misdeeds;
- negative business events such as loss of a customer, a supply chain issue, or factory or other business catastrophe, an extreme weather or environmental event;
- terrorist events;
- a company-specific stock market event;
- negative comments from a rating agency, a proxy advisory firm or a prominent securities analyst;
- an approach or other actions by an activist shareholder;
- a bid for the company by a potential suitor;
- an FDA recall or failure to receive FDA approval of a key product;
- accounting irregularities.
The list of potential events goes on and on. Not to be ignored are the ever-present class action lawyers waiting in the wings to attack a company and its board for failure to recognize and address potential risks associated with a company's operations. No company is immune. It is not a question of whether, but when and how a company addresses the inevitable crisis.
Those companies that have implemented risk management review exercises should consider updating them. Those that have not established a separate crisis management planning process should consider doing so. Incredible value can be protected or destroyed depending upon how a crisis situation is handled. Such recent examples as the Target massive data breach, General Motors ignition switch issues and Takata airbag recalls are an indication of how quickly events can spin out of control. As a result, companies with robust corporate governance practices are devoting significant time to crisis management both at the board and senior management levels. Crisis management planning is like insurance with a bulk of the premiums being paid with board and management time. The payoff is not only a well-handled crisis but also a greater ability to maintain focus on running the business during the pendency of a crisis.
Like most corporate processes, one size cannot fit all. There are generally five key elements to effective crisis management planning:
- a ''core'' crisis management team;
- identification of potential crisis situations;
- a thorough understanding of each potential crisis situation, including the potential downstream consequences of each potential crisis;
- an action plan/framework for the most significant potential crises, including as a top priority an effective communications strategy; and
- periodic review of the crisis management plan.
Formation of a ''Core'' Crisis Management Team
Crises can occur in a wide variety of areas, so a well constructed crisis management team will have representation from the C-Suite and each of the major functional disciplines in the company. While the composition of the core crisis management team will vary from company to company, it will generally include the CEO, CFO, COO, GC, and the heads of human resources, information technology, public relations and investor relations. It may also include the heads of principal business units, the chief risk officer, the chief compliance officer, the chief privacy officer, the chief security officer, the chief accounting officer and the heads of other functional areas.
Like any team, the core crisis management team will have levels of member involvement that will vary depending upon the task being performed. For example, in the brainstorming process of identifying crisis situations and assessing their potential impacts, it is most likely that those team members who are focused on identifying the risks the company faces will be more involved. On the other hand, when an active crisis is underway, those team members who interface directly with internal and external constituencies will be more involved. It is important for all members of the crisis management team to understand each other's perspectives to enhance the effectiveness of both the planning process and the handling of crisis situations.
From a governance perspective, two questions should be considered. First, to what extent should the crisis management team formation and the planning process be formalized, and second, what role should the board play? In assessing the benefits of a more formalized process, a company should consider:
- the extent to which the company will benefit in an actual crisis situation,
- the extent to which existing processes can be leveraged,
- the need to prioritize crisis management within the company,
- the demands on senior executive time and
- the culture of the company.
It is important to make sure that any process that is put in place is worth the effort. A less formal process may be adequate for a smaller company with nimble senior management.
A board should be regularly briefed on crisis management planning. The frequency and extent of the briefing will depend on the level of the board's involvement in the company's risk management process, as well as the specific risks facing the company's business and operations. In an actual crisis, the board's level of involvement typically increases. While it may be acceptable to delegate oversight of a particular crisis situation to a committee of the board, the board as a whole should continue to be regularly briefed.
Leadership of the crisis management team is a key issue. The leader must have the requisite leadership skills and be given the authority within the company to marshal the appropriate internal and external resources as they are needed. In addition, it must be someone whose direction will be followed in the time of crisis. For major crises, this means having the CEO herself or himself handle the matter. For lesser matters, it can be someone with the clear support of the CEO and the rest of the senior management team. In most situations, it is not advisable for someone outside of the crisis management team to play the leadership role.
Another important matter to consider is the retention of external advisors. These external advisors may include legal counsel; crisis management, public relations, investor relations or proxy solicitation firms; and forensic accountants or other experts, including possibly investment bankers. Consideration should be given to identifying these advisors in advance, potentially putting some of them on retainer, and making it clear within the company who has authority to involve them in the event of an actual crisis. It may also be desirable to have replacements identified in case of conflicts.
Identifying Potential Crisis Situations
The most time and energy should be spent on those matters that are most likely to have the biggest impact on the company. In prioritizing management's and the board's focus on particular crisis situations, both the likelihood of the event occurring and the potential magnitude of the event should be considered.
A common starting place for identifying potential crisis situations is the company's existing risk management process. Increasingly, companies are undertaking detailed enterprise risk management exercises. An obvious but often overlooked benefit of such a process is the creation of a detailed list of potential risks, usually prioritized by probability and potential severity. This not only enables a company to take measures to reduce such risks but should also be used as a guide to structure an effective crisis management plan. As company practices vary considerably, consideration should be given to whether other existing processes or analyses from other contexts can be utilized for this purpose. It is likely, however, that certain potential crisis events, such as an approach by an activist, are not within the scope of existing processes.
Understanding Potential ''Downstream'' Consequences
One of the most important aspects of crisis management planning is the determination of the potential downstream consequences from each crisis situation. This will inform who at the company should have responsibility for managing a particular crisis situation. For example, what potential reputational harm could result from a particular crisis? Will the company's brand be tarnished? Will customers stop buying the company's products or services? Will the company's access to the capital markets be impaired? Will the company's stock price be negatively affected, and if so, what are the further consequences of that? Will the company's relationship with its employees (or unions) be impacted? Will there be any supply chain reaction? What will be the reaction of the company's regulators? Will there be any impact on the communities in which the company operates? In assessing the potential downstream consequences, it is important to distinguish the short-term consequences from the long-term consequences in order to maximize the effectiveness of any crisis management plan.
The same predictive analysis used in the area of risk management can and should be applied in the crisis management planning process. A goal of this exercise is to develop warning indicators that can be monitored. These indicators can show the likelihood that a particular risk may come to pass, thereby giving the crisis management team valuable additional time to prepare for an actual crisis. Warning indicators can be developed by mining the company's data to look for anomalies and abnormalities, analyzing past crises, and looking at issues faced by competitors. It is also helpful to analyze how other companies have addressed a particular potential crisis on the company's list to see if there are any lessons that can be learned.
Developing an Action Plan/Framework For the Most Significant Potential Crises
After the company identifies the potential crisis situations to which it is subject, it must develop an action plan to deal with each type of potential crisis. While there will be many common elements among all such plans, senior management should develop adapted plans for different types of crises. For example, the response to a major cyber incident will differ from responding to an approach by an activist shareholder.
A common element is development of a communications strategy, which is always one of the most crucial components of an effective crisis management plan. The importance of communicating the company's messages effectively during a crisis cannot be overstated. The company should be aware that its messages will be received by a number of different constituencies, all of which are relevant to a particular crisis management plan. Potential constituencies include customers; suppliers; employees; strategic partners; the Securities and Exchange Commission; the NYSE or NASDAQ; federal, state or local regulators of the company's business; significant shareholders; holders of indebtedness; proxy advisory firms; rating agencies; the company's external auditor; and the company's board of directors. Notwithstanding this complexity, the guiding principle should be for a company to always deliver its messages accurately, promptly and consistently. It is crucial for a company to ''speak with one voice'' during a crisis. This should be achieved by designating a single spokesperson, usually the CEO, as it conveys confidence and control, especially if the facts and plan of action are clear. While the company might prefer retaining an outside firm to deliver messages if there are facts that have yet to be determined or if there is not yet a clear plan of action in place, it should do this only in extraordinary circumstances as this can give the impression that the company is unprepared to deal with the situation.
Periodic Review of the Crisis Management Planning Process
An indispensable element of a robust crisis management planning process is to review periodically and to assess the process itself. A company's situation evolves over time as does the external industry and economic environment. In addition, key personnel take on new responsibilities or change jobs giving rise to the need to regularly assess the membership of the crisis management team. As part of a company's annual risk management review process, it is desirable to reassess the crisis management plans that have been prepared. Do the plans continue to address the key risks? Are the right people involved? If a competitor in the same industry has had to face a major crisis, what lessons can be learned from how they handled the situation? After a crisis, the board and senior management should assess the company's risk management and crisis prevention and response systems to determine areas where they functioned properly and the areas in which they failed. Learning from past mistakes both from one's own and from those of others is crucial.
Preparation is key to mitigating the negative and potentially lingering consequences of crisis situations that all companies inevitably face. By establishing a separate crisis management planning process, a company will be better positioned to react promptly and confidently in the face of a crisis. Focusing on an effective communication strategy is necessarily a key component. The crisis management planning process should be an ongoing and dynamic part of a company's operational review.
Previously published by Bloomberg BNA's Corporate Law & Accountability Report on July 17.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.