Crisis management: Preparing your response today
Picture this: you arrive on vacation, eager to spend a few relaxing days out of the office. You’re settled deep into a beach chair, basking in the sunshine and the sound of the gentle waves, when your phone rings. It’s your assistant, who says there has been a data breach of your company.
As Chief Compliance Officer, you take a deep breath, call your team, and start implementing an action plan.
But who is your team? And what informs the plan? Given the myriad types of crises that may come to light at a moment’s notice, and the looming possibility of imminent oversight by the regulators, lawsuits, and negative press (among other concerns), is your plan robust enough to meet this crisis? And will you and your team be able to execute it thoughtfully and with flexibility?
In this article, we provide practical guidance on how to anticipate, mitigate, and effectively respond to the array of crises that businesses face in our rapidly shifting world.
A range of challenges
In just the past few years, companies have been forced to navigate numerous crises: a global pandemic, labor shortages, and a host of data and cybersecurity threats are just a few examples. These are each very different types of challenges; given their broad natures, each may spin off a wide range of potential further problems.
Given this, companies – and especially their compliance officers – must understand that preparing for such broad, shape-shifting threats is essential, and they must ensure that their Compliance and Crisis Management programs are robust enough to guide them through any crisis that arises.
This is especially crucial considering policy guidance from the Department of Justice (DOJ), updated most recently in March of this year. Since 2016, DOJ has emphasized the importance of an effective corporate compliance program to avoid or minimize criminal prosecution. The DOJ’s revised guidance incorporates this emphasis into the Justice Manual, by providing details on how an “effective compliance program” may be assessed by the DOJ.
The considerations include 1) whether a corporation’s compliance program is well designed; 2) whether a corporation’s compliance program is adequately resourced and empowered to function effectively; and 3) whether a corporation’s compliance program works in practice. Within those broader categories, DOJ has outlined the importance of a culture of compliance, experienced risk management personnel, the effectiveness of the company’s risk assessment, the compensation and promotion of compliance personnel, the auditing of the compliance program to ensure effectiveness, and the reporting structure of compliance personnel.
Additionally, government agencies in the US and abroad have adopted whistleblower programs, meaning that companies must not only respond appropriately to crises, but should also foster an environment in which issues raised by employees are heard, acknowledged, remediated, and treated appropriately.
Given all of these considerations, now is the time for compliance officers to ensure their companies are prepared for any number of crises which they might face. To do so, companies must 1) establish and clearly define roles for leaders within the organization to respond to and remediate crises that arise and 2) ensure their organizations take concrete steps to prepare themselves as much as possible when responding to and remediating crises.
Identifying potential crises
In order to be prepared, companies first need to understand the various types of crises they may need to confront. Compliance officers, in conjunction with other key corporate stakeholders, should critically assess the legal, regulatory, reputational, operational, and other risks their company might face to determine where a crisis could arise.
There may be common risk areas across industries, but each company’s risk profile will likely look a little different. While the below categories are certainly not exhaustive, they demonstrate the range of challenges that compliance officers must anticipate:
- Legal, regulatory investigations, and enforcement crises. These encompass investigations by various regulatory authorities, including (among others) DOJ, the Securities and Exchange Commission (SEC), and state attorneys general; internal investigations related to conduct that may necessitate a disclosure to regulatory or enforcement authorities; and lawsuits, particularly those that are large or well-publicized.
- Labor and employment crises. These may include labor shortages, strikes, discrimination claims, and other issues relating to workers.
- Environmental, health, and safety crises. These may relate to workplace accidents, occupational exposures and hazards, inspection issues, and concerns related to working conditions.
- Data and cybersecurity crises. These crises, which are becoming ever-present in today’s world, may range from cyberattacks and data breaches to data privacy law violations. In addition to the compliance aspects of data and cybersecurity risks, companies need to be aware of the information technology and operational implications associated with these types of crises.
- Financial crises. These might include economic downturns and recessions, inflation and interest rate increases, trading issues, and market manipulation.
- Natural or force majeure crises. These can include certain weather or environmental events as well as health crises such as the COVID pandemic.
Considering areas of impact
A savvy compliance officer, with the aid of the crisis management team, should consider the potential impact of crises on their business in crafting their plan – including the variable, shifting nature of crises.
Areas of impact considered will of course include business concerns, such as systems failures, continuity of operations, damage to share price, and customer exposure, among other things. But crises often raise concerns in such areas as public relations, regulatory/government intervention, and employee relations, and they may trigger a need for an internal investigation. Understanding the potential impact that different types of crises may have on the company enables the compliance officer to assemble a core, cross-functional leadership team to manage crises and make critical decisions. In the process, you will also identify team members who have particular skill sets and expertise that the core team can call on based on the type of crisis at hand.
Creating a core team and developing bench strength
A major component of a comprehensive crisis management plan is establishing who is responsible for managing the crisis and making key decisions to respond quickly. The crisis response team, together with other stakeholders, will also oversee the recovery of your business after the crisis has been mitigated.
Next, a crisis management team that is multi-disciplinary – based on the identified potential crises and areas of impact most applicable to your business – will be best positioned to assess the situation and react decisively under pressure. Such a team typically features a core group that is empowered to make key decisions, establish priorities, and control communications, surrounded by a larger, more ad hoc team drawn from various areas of the business to provide support and expertise, depending on the nature of the particular crisis.
Responsibilities, roles, and levels of authority during a crisis should be clearly delineated among these groups in order to implement action plans appropriately and efficiently. In publicly traded companies, compliance officers must also work with executive management and the board – or a special committee thereof – to establish specific policies and procedures and/or action plans. This process would include identifying the board members who must be contacted in the event of a crisis or developing crisis; the role of each director, committee, and sub-committee; a clear set of decision points that will need to be addressed when a particular type of crisis hits; and the best way to contact each board member. Compliance officers also should work with Legal to identify skilled and trusted outside counsel and, if necessary, an outside public relations or crisis communications team who (ideally) are familiar with the company and its policies and procedures.
Furthermore, at each stage the crisis management team must coordinate closely with Legal to carefully evaluate and balance the need to share information with the appropriate constituents and/or groups with the potential that such sharing, including with an outside crisis management team, may void any applicable legal privileges. This may be a particular challenge where regulators and outside parties such as banks, investors, and/or counterparties require timely updates.
Prepare before a crisis hits
Once the potential crisis landscape has been assessed and the crisis team is in place, compliance officers should take the following steps to ensure the crisis management team is prepared to respond effectively to mitigate the impact of a crisis and manage the company’s recovery:
- Have an action plan for how to respond to a crisis. The plan should (a) indicate how to assess and when to declare a crisis; (b) identify levels of crises and response times (and set out appropriate immediate, short-term, and long-term actions); (c) make clear the level of response appropriate for each; and (d) discuss how to close out and recover from a crisis.
- Develop a crisis communication plan that clearly delineates who is authorized to speak on behalf of the company, to whom, and on what topics, including who will handle questions from the press as well as announced or unannounced visits from law enforcement or regulatory officials.
- Train the crisis leadership team and test the efficacy of the company’s crisis plans by conducting tabletop exercises with real-world scenarios. The core crisis leadership team, as well as other key players – among them, external consultants – should be included in the simulations. Conducting the exercises in real time will condition the team to collaborate under pressure before the stakes are real.
- Stay up to date on laws and regulations, as well as current events and market conditions, that could impact your company’s crisis landscape to identify emerging risks and changes in the company’s risk profile.
- Review, update, and practice. Once the crisis plans have been developed, and the team trained, it’s important that the plans are not just put on the shelf to await a crisis. Continually reviewing and revising the crisis plans, and routinely conducting tabletop practice exercises based on those updates, will ensure that as the company’s crisis landscape and risk profile changes, your readiness and your response plans also adapt.
In addition, ensuring the company has developed robust controls, policies, and procedures that anticipate many potential issues, such as a code of conduct, anti-discrimination policies, anti-corruption policies, data privacy and cybersecurity policies, and health and safety policies, will help companies prevent many crises in the first place. Ensuring employees receive comprehensive training on company controls, policies, and procedures makes them attuned to warning signs. And fostering a culture of compliance throughout the company – from senior management to the most junior employees – will encourage employees to report potential issues before they develop into crises.
While it is impossible to anticipate all of the potential crises that a company might face today, it is important that compliance officers work to ensure that their companies are prepared to address a multitude of issues. Different crises require different preparations. In order to anticipate and address potential crises, compliance officers should assemble sound, representative crisis teams; stay connected with those teams and clearly define their roles and responsibilities; and ensure that team members remain aware of how to respond in the event of a crisis.
It is also essential for compliance officers to stay current on changes to relevant laws and regulations to better understand their evolving responsibilities in the face of a crisis.
Last, compliance officers need to have a plan to deal with various crises, but they should also stay flexible enough to ensure that, in the event of an emergency, the company will respond to the reality on the ground. Treating the plan as a living document and adapting it to evolving business risks will ensure the crisis management team stays nimble and responds efficiently and effectively to almost any crisis that may arise.
To learn more about developing your own crisis management plan, please contact any of the authors.