THOMSON REUTERS
Westlaw Today
Enter to open, tab to navigate, enter to select
Best practices for crisis management preparation
2023 PRINDBRF 0301
• Practitioner Insights Commentaries
• June 13, 2023
(June 13, 2023) - Jennifer Kennedy Park, Rahul Mukhi and Abbey Doyno of Cleary Gottlieb Steen & Hamilton LLP discuss the importance of a carefully crafted response plan, built on a foundation of a robust compliance program, to help companies prepare for a crisis.
Companies in all industries are increasingly forced to wrestle with unexpected events on a global scale. This phenomenon will only continue to increase as companies expand their reach, technology facilitates cross-border dealing, and as law enforcement and regulatory agencies view their purview as more globalized. However, such crises stemming from political upheaval, unexpected business developments, legal enforcement actions, cybersecurity attacks, and a variety of other causes, while difficult to predict, can be prepared for.
Preparation for a crisis is essential. A carefully crafted crisis response plan, built on a foundation of a robust compliance program, can help a company effectively address a global disruption. With strategic preparation and response procedures in place, a company can be nimble as the crisis unfolds and even emerge strengthened by the experience.
Reflecting on our experience, we identify five steps a company can take to prepare for managing unexpected events in a globalized, regulated, and litigious environment.
1. Build a robust compliance program
An up-to-date, robust compliance program can not only help minimize the risk of a self-inflicted corporate crisis but can also serve to reduce the reputational damage or enforcement penalties faced by a company once a crisis is underway.
An effective corporate compliance program is comprised of well-documented policies that address identified sources of non-trivial compliance risk.
Typically, a well-functioning compliance program will address:
•Risks that apply across industries and geographies, such as dealings with public officials, fraud and private conflicts of interest, antitrust, harassment, and data protection;
•Risks applicable to a particular industry, such as workplace safety, money laundering, and sanctions compliance;
•Risks associated with a company's physical locations, such as regional instability, or political and legal changes.
Companies with thorough compliance and prevention programs in place will often be better positioned to receive cooperation credit from enforcement agencies if an issue arises. Compliance programs can demonstrate to regulatory and law enforcement authorities that a company takes violations of the law seriously and will make a best effort to prevent the concerns from arising again.
To maximize the likelihood of receiving cooperation credit, preventative measures should follow the most recently published best practices, including as articulated by the relevant authorities.
2. Develop a culture of compliance
Once a crisis occurs, a demonstrable culture of compliance can help shift public and enforcement agency perceptions.
• While it is necessary to have documentary evidence that compliance policies exist, it is more crucial to be able to show compliance efforts working in practice.
• Regulators are increasingly interested in seeing evidence of how a company's culture of compliance is implemented and works in reality, as opposed to only on paper.
• Demonstrating that the culture of compliance has been communicated from the top level of the organization is essential. For example, management can insist on compliance standards being incorporated into promotion and compensation decisions.
• Additionally, companies should consider how messages about their culture of compliance are communicated to third parties, such as contractors, vendors, or other partners. These relationships reflect on the company, and a third-party agent's actions can even be imputed to the principal. It is therefore important that the company's culture of compliance is shared across all partnerships, both in terms of preventing a crisis but also for displaying consistent policies to the public and regulators.
• Materials demonstrating a culture of compliance, including data-based conclusions, should be at the ready so that when a crisis occurs they can be deployed to garner credibility.
3. Identify key individuals to lead the response
In conjunction with designing a compliance program, allocating risks and crisis response responsibilities to specific "risk owners" can help to create accountability before and during a crisis.
• In advance of a crisis, identified key individuals can help to assess potential areas of compliance and reputational risk and act as a go-to resource for addressing risks as they arise.
• Linking compliance and crisis response measures to the daily operations of those who oversee them makes the measures more practical, concrete, and easier to follow by those implementing them.
• Clear processes should be articulated for escalating potential wrongdoing to a designated officer or team responsible for investigating any misconduct. Specifically, employees should be told who to inform if they observe any misconduct or if they suspect illegal activity.
4. Draft a crisis response plan
Building on a culture of compliance and compliance policies, a company can prepare for unexpected events with a crisis response plan. A written crisis response plan can help position the company to respond quickly and effectively at the outset of a crisis.
By carefully outlining the initial steps that a company should take, and appointing specific individuals to guide the response, such plans establish appropriate measures in advance of potentially destabilizing events.
A crisis response plan should be used as a flexible reference guide for senior leadership, that can be adjusted depending on the specific circumstances of the crisis. A response plan should include:
•The processes for reporting a crisis, both internally and to external stakeholders and regulators;
•Identified individuals, as explained above, and their responsibilities in the event of a crisis;
•Alternate individuals in the event that the identified crisis response team members are substantively involved in the crisis;
•A step-by-step process explaining how the plan should be implemented in the event of a crisis; and
•Resources such as model talking points, draft messages to stakeholders, holding statements, and example FAQs.
The legal department should review and approve any messages before they are made public.
Companies should consider engaging in tabletop exercises to provide the identified crisis response individuals with opportunities to practice utilizing the response plan and improve upon their coordination in the event that an actual crisis occurs. In a frequently changing environment, it is critical that the response plans are regularly tested and updated to remain relevant and effective. Having legal counsel involved in tabletop exercises is important in order to identify legal issues and to preserve privilege.
5. Incorporate lessons from post-crisis reviews
Companies should begin preparing for the next unexpected event as the prior crisis resolves. Establishing a post-crisis review process, which evaluates the company's handling of the crisis and its lessons learned, will assist a company with appropriately updating their response plan and identifying root causes of the crisis.
• A post-crisis review plan should lay out the processes that the company should take to evaluate the crisis response after the events have stabilized. The post-crisis plan should describe how the team involved will be evaluated, how investigations will be assessed, and how lessons learned will be incorporated. The post-crisis review should also focus on updating the crisis response plan.
• As a part of the post-crisis review, and subject to privilege and litigation considerations, the response team involved in the crisis should create a written record of what happened, the causes of the crisis, the impact, how the concerns were resolved, and any preventative measures that can be taken.
• A root cause analysis will allow the company to decide whether an independent investigation of the issues is warranted. Following a crisis, companies should also consider including internal and external auditors, legal counsel and consultants in post-crisis review processes to discuss whether further risk assessments should be conducted.
Conclusion
Preparing for a crisis can help a company act efficiently and effectively when an actual event unfolds. Taking preparatory steps, such as crafting a compliance program, developing a culture of compliance, identifying a response team, drafting a crisis response plan, and reviewing lessons learned from past crises, will be worthy investments for the increasingly likely eventuality of a global crisis.
For additional practical guidance, see the authors' firm's Global Crisis Management Handbook (https://bit.ly/3J2AhmQ).
Jennifer Kennedy Park is a partner at Cleary Gottlieb Steen & Hamilton LLP, in the Bay Area, who focuses on white-collar defense, enforcement actions, crisis management, and complex disputes. She can be reached at [email protected]. Rahul Mukhi is a partner at the firm, in the Bay Area, who focuses on criminal, securities, and other enforcement and regulatory matters as well as on complex commercial litigation. He can be reached at [email protected]. Abbey Doyno is an associate who joined the firm's Bay Area office in 2022. She can be reached at [email protected].
)
Jennifer Kennedy Park)
Rahul Mukhi)
Abbey Doyno| End of Document | © 2024 Thomson Reuters. No claim to original U.S. Government Works. |