Handling a Corporate Crisis

Matteo Tonello is managing director of corporate leadership at the Conference Board. This post is based on an issue of the Conference Board’s Director Notes series by John F. Savarese, partner in the Litigation Department at Wachtell, Lipton, Rosen & Katz. This Director Note was based on an article written by Mr. Savarese; the full version, including footnotes, is available here.

The ongoing fallout from the 2008 financial crisis has generated a host of unprecedented challenges for broker-dealer, investment banking, investment advisory, and other financial services firms. Last year alone, the industry was hit with wave upon wave of criminal prosecutions, regulatory enforcement proceedings, and parallel private civil actions. In fiscal year 2011, U.S. Attorneys’ offices nationwide collected $6.5 billion in criminal and civil actions, and the U.S. Securities and Exchange Commission commenced 735 enforcement actions and obtained over $2.8 billion in penalties and disgorgement. Many of the more high-profile matters also triggered congressional hearings as well as massive adverse press attention and publicity.

The securities and financial services industry has been a key focus of government attention. As announced by President Obama in his January 2012 State of the Union address, the U.S. Department of Justice has formed a new unit within the Financial Fraud Enforcement Task Force—the Residential Mortgage-Backed Securities Working Group. The group will consist of at least 55 DOJ lawyers, analysts, agents, and investigators from across the country and will be chaired by the heads of the DOJ’s civil and criminal divisions, the U.S. Attorney from Colorado, SEC enforcement head Robert Khuzami, and New York Attorney General Eric Schneiderman. It will focus on investigating those responsible for misconduct contributing to the financial crisis through the pooling and sale of residential mortgage-backed securities. The unit has already sent subpoenas to 11 financial institutions.

Officials have also said that this new unit would most likely focus on Wall Street firms, big banks, and other entities that the public believes have avoided scrutiny for their role in the housing crisis.

Private equity firms are also an enforcement priority. The SEC’s asset management unit is focusing on both “market facing conduct,” such as insider trading as well as issues such as calculation of fees and expenses. The ways in which private equity firms value their investments are also attracting the regulators’ attention.

The Consumer Financial Protection Bureau, established by Dodd-Frank, is also empowered to regulate financial institutions. Newly installed director Richard Cordray has said that while the agency intends to work cooperatively with financial companies whenever possible, he “will not hesitate to use enforcement actions to right a wrong.”

Anytime a firm finds itself under any of these sorts of regulatory inquiries, it faces a potential corporate crisis, and, for those inclined to look for silver linings within storm clouds, an opportunity. If handled effectively, a firm can emerge from a crisis in one piece, with any flawed procedures and systems corrected, a reputation on the mend, and operations still intact. However, handled poorly, a crisis can leave a firm teetering on the brink of failure, suffering the loss of important customers and personnel, enormous financial costs, and reputational harm. The following are 10 commandments of crisis management that, if implemented effectively, can help a financial services firm wind up at the better end of this range of outcomes.

1 Heed the Boys Scouts’ motto: be prepared.

Two levels of preparation are necessary to successfully weather a crisis. The first might best be described as crisis prevention. This involves, among other things, a general review of the adequacy of the firm’s compliance and information and control systems. When they function effectively, these systems should reduce the occurrence of unplanned disasters and facilitate the mitigation of the effects of those that can’t be prevented.

Every firm should have established standards of conduct in place, and control and information reporting processes that allow management to reasonably conclude that the firm is operating within the law and under management control. Under the landmark Caremark decision, directors have an obligation to satisfy themselves that the company’s risk management processes as designed and implemented by management are consistent with the company’s corporate strategy and functioning as directed, and that necessary steps are taken to foster a culture of risk-aware and risk-adjusted decision making throughout the organization. Setting the appropriate “tone at the top” and instilling a culture of compliance and “no surprises” are the keys to fostering ethical behavior and minimizing crises brought about by improper or poorly controlled conduct. In a speech last year, the U.S. Attorney for the Southern District of New York emphasized that “the best-conceived compliance programs and practices and policies in the world will be too weak to stave off scandal if the core principles are not internalized, if there is not from the top a daily drumbeat for integrity.”

Communicating a true commitment to compliance with policies, procedures, and training, and establishing ways for employees to report issues and concerns (e.g., through an employee hot line) can also help prevent a crisis. Often, crises are not really surprises, but are a product of longstanding unethical behavior that had been thus far tolerated by the business leadership and accompanied by rationalizations, such as “everyone does it this way.” Proper supervision and the establishment of a mechanism for employees (or even members of the public) to raise concerns about wrongful or questionable conduct can help potential issues surface early and avoid serious problems. In these rapidly changing economic and enforcement environments, all firms should consider whether any enhancements to their policies, procedures, and controls are appropriate.

As discussed more fully later in this report, the second level of preparation involves being ready to effectively deal with a crisis when it arises. In today’s business environment, a crisis—particularly for securities and financial firms—may seem almost inevitable. As noted earlier, some can pose a serious threat to a firm’s reputation or survival. Investing the time and resources in detailed, advance planning can have a significant impact on how a company weathers a crisis. The considerations set forth in this report should be helpful, but, of course, any advice must be applied thoughtfully, in light of the specific issues raised by the particular matter.

2 While every crisis is unique, advance planning can make a huge difference.

All crises are unique and inevitably raise complex and often unforeseen issues. Thus, there is no single template for a crisis response that will assure that injury will be avoided or minimized. Custom tailoring, not off-the-rack efficiency, is the best prescription. However, there are certain similarities and predictable patterns in the way most crises unfold. Advance planning may give a firm more time to maneuver when a crisis erupts, and more time to focus on the wholly unexpected details.

Preplanning and the exercise of sound judgment are critical. Many crises can be anticipated, at least generally. Rules and strategies should be thought through ahead of time, to the extent possible, for each kind of anticipatable crisis, including, for example: financial fraud or serious accounting problems; criminal or regulatory investigations; significant lawsuits or judgments—e.g., punitive damage awards; discrimination judgments; and failures to comply with legal regulations and/or fiduciary duties.

The first critical step is to establish core crisis teams for each foreseeable type of crisis. The teams should include corporate leadership and high-level representatives from operations and technology, the finance department, media relations, investor relations, the risk and compliance function, and the legal department. Project-specific specialists, such as accountants, should also be included. The company should also have outside counsel who have experience and credibility with regulators and/or prosecutors to handle any internal investigations.

Crisis teams should stay prepared and alert. Once teams are identified, they should meet periodically to assess their readiness to react. The goal is to have a plan that assigns specific roles to each team member in case a crisis occurs. Advisors must be senior enough and experienced enough to deal with the CEO and board effectively. An up-to-date “war list” should be created, with contact information for all key participants.

Firms should take the opportunity to consult with outside counsel and other advisors during “peacetime.” It is important to keep an eye on relevant legal and business trends in an effort to anticipate areas of likely crisis. While it may be impossible to predict the actual nature or timing of a crisis, a firm may be better prepared by keeping tabs on applicable legal developments affecting competitors. For example, from time to time, both the SEC and DOJ initiate industry-wide investigations. Recently, the DOJ confirmed that it is investigating pricing in the electronic book industry, while the SEC is reportedly gathering information about business practices in the private equity industry. The SEC is also reportedly investigating accounting firms concerning their audits of Chinese companies whose shares trade in the United States. In the past, industry-wide investigations have also targeted potential Foreign Corrupt Practices Act violations by financial firms in connection with their dealings with the Libyan Investment Authority, alleged manipulation in the London Interbank Offered Rate (LIBOR) market, auction rate securities, mortgage foreclosure “robo signing,” and mortgage-backed securitization and marketing practices.

The SEC has made clear that more such “sweeps” are on the horizon. For example, when the Commission announced FCPA settlements with Panalpina, Inc. and six other oil services companies alleged to have been engaged in a widespread bribery scheme involving customs officials, the chief of the SEC’s FCPA unit noted, “the FCPA Unit will continue to focus on industry-wide sweeps, and no industry is immune from investigation.”

As part of their readiness preparation, corporate crisis teams should monitor press reports of actual crises that have affected relevant industries to determine whether and to what extent the same issues may apply to their own firm, and to evaluate how the firm would have responded to a similar problem. For example, recent insider trading prosecutions implicating the use of expert networks by hedge funds should trigger a review by comparable firms of their reliance, if any, on such networks.

3 Beginnings are as important as endings.

The outset of a crisis is when proper preparation pays off. Once a crisis actually occurs, the pertinent crisis team can be assembled immediately without losing valuable time. It is critical to quickly get at the facts and find out as much as possible about the situation. Most often, lawyers will oversee the factual investigation. Senior management’s grasp of the relevant facts should be quickly assessed by the investigative team. There is often a belief early on that management’s knowledge of the facts is clear when it is not. Thus, it is almost always necessary for the lawyers to interview employees at all levels of the company to understand the facts leading up to the crisis.

The firm should focus immediately on document retention and retrieval programs. In any crisis involving regulators and prosecutors, the universe of relevant documents must be quickly identified and preserved. Failure to properly preserve and timely produce documents can result in severe sanctions that may seriously undermine a company’s ability to defend itself in court. It will be important for the firm to retrieve documents quickly and efficiently, both to understand the facts and to satisfy external requests for information. It will similarly be important to be able to fully document what steps have been taken. Information technology specialists should be consulted concerning servers, archives, back-up tapes, hard drives, etc. Missteps in document retention and gathering can make a crisis substantially more serious and occasionally can cause more problems than whatever event precipitated the initial crisis.

It is also important to communicate effectively with the board of directors, and, in particular, the audit committee, which may be given principal responsibility for overseeing the handling of such crises. The board should be assured that a team is in place, informed about next steps, and then provided with interim updates as the crisis unfolds. Beware of over-engagement by the board, however. Unless the CEO and senior management team are critically compromised by the nature of the crisis, the board (or whatever committee is delegated oversight responsibility by the board) should be kept advised in a timely way, but should allow management to design and direct a response. While under certain circumstances a committee of the board should be appointed to oversee an investigation and/or “independent counsel” should be brought in, boards should take care not to lose control of the situation to outside lawyers, accountants, and other experts. The proliferation of independent investigations by special committees, each with its own set of advisors, can be distracting and time consuming and, in extreme cases, may result in lawyers for the special committee monopolizing the attention of directors and senior management.

4 Speak with one voice.

Planning ahead for how communications will be handled in the event of a crisis is critical. While numerous constituencies will want to be kept informed during a crisis (e.g., employees, shareholders, trading counterparties, customers, government prosecutors and regulators, and the public), every effort should be made to speak with one voice and to avoid communicating mixed or inconsistent messages. Firms should assess what issues will be of interest to each constituency and craft responses that will reasonably satisfy them that the crisis is being managed properly and that their interests are being protected.

The firm should speak with a single, trained voice via a pre-designated spokesperson or control group authorized to deliver the public message. The firm may want to consider involving public relations professionals early on to set the right tone. Firms should assess the likely effect of a public statement on all stakeholders, especially the government prosecutors and regulators involved, since in a criminal or regulatory investigation they will often be the firm’s most important audience.

Firms should expect government attorneys to closely scrutinize all public statements made on behalf of the company during an investigation, and to be critical of any statements viewed as unduly optimistic or minimizing the significance of the investigation. For example, when Lucent Technologies settled an accounting fraud action with the SEC, the agency imposed an additional $25 million penalty for the company’s “lack of cooperation,” citing public statements made by Lucent’s counsel denying the wrongdoing as one of the factors giving rise to the additional penalties:

“After reaching an agreement in principle with the staff to settle the case, Lucent’s former chairman/CEO and outside counsel agreed to an interview with Fortune magazine. During the interview, Lucent’s counsel characterized Lucent’s fraudulent booking of the $125 million software pool agreement between Lucent and Winstar as a “failure of communication,” thus denying that an accounting fraud had occurred. Lucent’s statements were made after Lucent had agreed in principle to settle this case without admitting or denying the allegations concerning, among other things, the Winstar transaction. Lucent’s public statements undermined both the spirit and letter of its agreement in principle with the staff.”

While the firm and/or senior management may wish to appear quickly or immediately knowledgeable and in control, an understanding of the facts will likely evolve over time and may even change dramatically as an internal review progresses. Any initial early statements issued about an investigation should state that senior management is being fully informed and is staying closely involved with the investigation and its resolution. Publicly committing the firm to a definitive position at the outset of an investigation can be treacherous. It is especially risky to deny wrongdoing at an early stage before the firm can be highly confident of the facts supporting that position. Such a denial may not only jeopardize relations with prosecutors and regulators, but can easily undermine the credibility of the firm’s internal review and may be viewed by the government as an attempt to mislead the public. The SEC has taken boards of directors to task for public statements found in hindsight to be inadequate. The instinctive “apology” can be equally dangerous. Any premature institutional admission of wrongdoing may be immediately accepted as valid by the government, making it difficult for the firm to backtrack, even if exculpatory facts later emerge. As a result, any ill-considered public statements from the firm about the merits of the matter can seriously threaten the firm’s ability to negotiate a favorable disposition with prosecutors and/or regulators.

5 Stop any bad practices as soon as possible.

Any illegal activities should be stopped as soon as the firm learns about them. It is important to promptly address whatever problem seems to be precipitating the crisis. The following is what may be one of the most extreme examples of the consequences that can follow a company’s failure to eliminate the wrongful conduct: Stolt-Nielsen was indicted on antitrust and conspiracy charges two years after entering into an amnesty agreement with the DOJ in connection with its role in an international parcel tanker shipping cartel. The DOJ revoked the agreement and indicted the company after it learned from other sources that top Stolt- Nielson executives had continued to participate in the conspiracy for months after the scheme’s discovery. The DOJ’s initial leniency toward the company was predicated on a number of representations, including that it “took prompt and effective action to terminate its part in the anticompetitive activity.”

6 Be careful of the “first date.”

Maintaining credibility with regulators and prosecutors is critical. The firm’s relationship with regulators does not begin with the onset of a crisis. Long-term investment in a reputation for integrity and compliance can provide a reservoir of good will that may help at a critical time. The goal in preliminary dealings with the government should be a demonstration that the firm and regulator are on the same side: both want to stop any wrongdoing, take corrective steps, and engage in appropriate remediation on a reasonable timetable and within a reasonable budget.

Under the current enforcement regime, in which demonstrations of extraordinary cooperation may be rewarded, consideration must be given to contacting regulators at an early stage. This is essential if the matter will become public, but it is a sound step in many circumstances in any event. The government generally rewards firms for self-reporting and cooperation and may penalize firms for failure to do so. Assistant Attorney General Lanny Breuer has noted that the DOJ wants “companies that uncover illegal conduct to come forward voluntarily… if you come forward and fully cooperate with our investigation, you will receive meaningful credit.”

For example, the SEC recently recognized the cooperative efforts of two companies under investigation by agreeing to enter into the SEC’s first non-prosecution agreement and its first deferred prosecution agreement. In explaining the decision to accept a non-prosecution agreement from Carter’s Inc., rather than bring an enforcement action against the company, the SEC identified the following factors: the “relatively isolated nature” of the unlawful conduct; the company’s “prompt and complete” self-reporting of the misconduct to the SEC; and the company’s “exemplary and extensive” cooperation in the inquiry, including undertaking a “thorough and comprehensive” internal investigation.

In its first deferred prosecution agreement with Tenaris, the SEC explained that the company was an “appropriate candidate” because of its “immediate self-reporting, thorough internal investigation, full cooperation with SEC staff, enhanced anti-corruption procedures, and enhanced training.” The SEC noted that the “company’s response demonstrated high levels of corporate accountability and cooperation.”

More recently, the SEC announced a settlement with Diamondback Capital Management LLC on insider trading charges, which included disgorgement of more than $6 million, a $3 million civil penalty, and an injunction against future violations. The company also entered into a non-prosecution agreement with DOJ prosecutors. The SEC’s release noted that in assessing the appropriate remedy, the SEC considered the “substantial cooperation that Diamondback provided, including conducting extensive interviews of its staff, reviewing voluminous communications, analyzing complex trading patterns to determine suspicious trading activity, and presenting the results of its internal investigation to federal investigators.”

In determining whether to enter into a non-prosecution agreement, a deferred prosecution agreement, or a conventional settled enforcement action, the factors and considerations that the SEC staff will rely upon are not clear cut. However, based upon the commission’s actions to date, it appears that beyond those specifically highlighted in the Carter’s and Tenaris cases, the breadth of any misconduct, the involvement of more senior corporate officers, and a willingness to disgorge all profits from the alleged misconduct will likely be relevant factors.

The SEC also recently adopted new rules that create financial incentives for whistleblower employees to report suspected securities law violations directly to the commission, which could result in the issuance of subpoenas and thus prompt a potential corporate crisis. Because these rules may encourage employees to circumvent company compliance programs, they may change the dynamics of handling such crises, and companies may feel some pressure to move faster to report possible instances of wrongdoing to the SEC. In addition, the rules create heightened penalties for any retaliation against whistleblowers and possible problems for a company’s internal compliance function.

7 You may be able to protect the attorney-client privilege, but you still have to share the key facts.

Under the DOJ’s current Principles of Federal Prosecution of Business Organizations, credit for cooperation will not depend on whether a corporation has waived attorney-client privilege or work-product protection, or produced materials covered by attorney-client or work-product protections. The DOJ revised the principles in August 2008 to make significant changes concerning the issuance of cooperation credit. Section 9-28.300 of the U.S. Attorney’s Manual continues to provide that prosecutors “should” consider nine factors “in reaching a decision as to the proper treatment of a corporate target,” including the corporation’s “timely and voluntary disclosure of wrongdoing and its willingness to cooperate in the investigation of its agents.” However, the prerequisites for cooperation credit were changed.

The principles now state that credit for cooperation will not depend on whether a corporation has waived attorney-client privilege or work-product protection, or produced materials covered by attorney-client or work-product protections, but rather, will depend on the disclosure of pertinent facts. Corporations that timely disclose relevant facts to the government may receive credit for cooperation regardless of whether they waive privilege in the process. The current policy forbids prosecutors from even asking for non-factual privileged information. Under the prior version of the principles, known as the McNulty memo, prosecutors were permitted to request, under certain circumstances, that a corporation produce non-factual attorney-client privilege communications and work product.

The principles also now specify that federal prosecutors are not to consider whether a corporation has advanced attorneys’ fees to its employees, officers, or directors when evaluating cooperation. Under the earlier guidance in the McNulty memo, the DOJ reserved the right to consider such payments negatively in deciding whether to assign cooperation credit to a corporation. Federal prosecutors can also no longer consider whether the corporation entered into a joint defense agreement in evaluating whether to give the corporation credit for cooperating. However, the government has the right to ask that a company refrain from sharing information the government has provided to the company with third parties.

Federal prosecutors should not consider whether a corporation has disciplined or terminated employees for the purpose of evaluating cooperation; they may only consider whether a corporation has disciplined employees it has identified as culpable, and then only for the purpose of evaluating the corporation’s remedial measures or compliance program.

Similarly, the SEC’s Enforcement Manual provides that the SEC “staff should not ask a party to waive the attorney-client or work product protection without prior approval of the Director or Deputy Director.” The manual makes clear that a party’s decision to assert a legitimate claim of privilege should not negatively affect a claim of cooperation credit.

Although the DOJ’s and SEC’s policies may take waiver of privilege or work-product protection off the table in negotiations, firms facing criminal and regulatory investigations have significant incentives to cooperate fully with government investigators. It is generally in a firm’s best interest to seek cooperation credit by providing relevant business records, identifying relevant personnel and evidence, and conveying other pertinent information to government investigators.

8 Not every stone needs to be turned over.

Internal investigations should be designed to uncover the facts relevant to the crisis. Management must know the cause and effects in order to implement appropriate preventative steps. Despite the need to know the relevant facts, not every stone must necessarily be overturned. The nature of the investigation and decisions about who should conduct and oversee it are highly fact-specific. Good management practices suggest that the limits of the investigation should be carefully set and reset, if necessary. The need to move quickly may initially require limiting the scope of the investigation. Due to extensive regulatory overlay in the securities industry, most medium and large firms have built sophisticated in-house legal, compliance, risk management, and audit capabilities, often composed of personnel with substantial law enforcement backgrounds—resources they may be able to rely upon to conduct internal reviews. It is important to stay focused and solve the immediate problem causing the crisis without creating additional problems. Then, consideration can be given to a broader scale compliance audit.

9 Resist the urge to discipline too early.

Firms should tread carefully when determining whether and when to take action against employees involved in a crisis. While they may feel pressure from the press, the public, Congress, and/or the board to move quickly to punish those viewed as responsible, companies should resist the impulse to discipline reflexively. Fairness to employees and officers requires caution here, and frequently coincides with the firm’s best interest.

Discipline is often more wisely one of the last steps in an investigation rather than the first in order to ensure that firms do not act prematurely, without full information. Strong discipline may alienate other employees who possess important information and might otherwise be helpful in the investigation. Employee cooperation will be much more difficult to obtain after disciplinary action is taken. Thus, efforts to obtain information should generally be made before any action is taken. The loyalty of a firm to its employees, and vice versa, is a valuable asset that the firm should not squander. Thoughtful judgment is necessary; it is often wise to measure twice or thrice before cutting. The exception is deliberate wrongdoing where the individual personally benefited. If the company’s thought process is explained, the government will understand and is not likely to pressure the company into severing all ties with an employee early on. The exception may be when the wrongdoing relates to integrity or misleading the public.

Options for dealing with employees who may be involved in the conduct at issue include: full support for the individual, suspension until the facts are fully developed and informed judgments can be made but with continued financial support in the interim, termination of the individual with fair payment if the misjudgment did not involve a knowing attempt to violate firm policy or the law, or termination without any financial support. Severance and indemnification policies must be considered in making this assessment. Generally, under Delaware law, corporations have the authority to indemnify directors, officers, and others against the costs of threatened or pending legal action, including providing advancement of legal fees. This obligation continues until there is a “final disposition— a final non-appealable conclusion of a proceeding.” Securities firms may also have an obligation to disclose any incidents involving employee misconduct under applicable FINRA rules.

The company’s expenses in advancing fees may be covered by a directors and officers liability insurance policy. The company should notify its insurance carrier promptly of potential liability to ensure coverage. Counsel for individual directors or for committees of the board might also be well advised to raise the insurance question lest a “notice” issue be created.

10 When the smoke clears, learn from the experience.

Once the crisis has abated, the firm will often need to take steps to repair its reputation with regulators and others, and to restore employee morale. It is also the time to learn from the crisis. The firm’s information reporting and control and compliance structures will have been tested and perhaps shown to be wanting. Therefore, it is prudent for management to review these systems to prevent future problems and to assure the board that such a review is being undertaken.

It is important to ensure that the company’s compliance infrastructure is adequate to deal with the current regulatory regime. Altered circumstances require reassessment of legal and compliance issues, relevant practices, applicable policies and procedures, and training programs. As discussed above, a crucial aspect of any compliance program is making clear to employees that management believes compliance is of the highest priority. United States Attorney Preet Bharara stated publicly that executives should never assume that all employees understand the importance of integrity, a basic message he emphasized must be reinforced again and again. He stressed that: “Profound personal integrity, repeatedly demonstrated and openly valued, is absolutely critical.”

Periodic risk assessment and reassessment are also critical. The firm must have a strong, well-informed grasp of the financial, reputational, and legal risks in its various lines of regulated businesses and should ensure that a workable early warning system is established. As the business changes, these risk assessments must be refreshed. Employees must understand that the practices of competitors do not justify problematic business activities.


The SEC’s Enforcement Manual specifies that one of the relevant factors in assessing whether to open an investigation is whether the case involves a “recidivist.” Similarly, the Federal Prosecution Principles provide that “Prosecutors may consider a corporation’s history of similar conduct, including prior criminal civil and regulatory enforcement actions against it, in determining whether to bring charges and how best to resolve cases.” The firm must be able to assure government prosecutors and regulators that it has learned from past mistakes and has made every effort to build an effective compliance infrastructure, set the right tone at the top, given employees and supervisors adequate tools to understand and comply with applicable rules and regulations, and is committed to following up promptly and vigorously whenever issues surface.

Both comments and trackbacks are currently closed.

One Trackback

  1. […] full article via Handling a Corporate Crisis — The Harvard Law School Forum on Corporate Governance and Financial R…. Share OptionsPrintEmailMoreFacebookLinkedInStumbleUponTwitterPinterestRedditDiggTumblrLike […]