The Board’s Role in Confronting Crisis

Steve W. Klemash is Americas Leader, Jamie Smith is Associate Director, and Jennifer Lee is Senior Manager at the EY Center for Board Matters. This post is based on their EY publication.

A corporate crisis in today’s world accelerates more quickly with a larger impact than ever before. The 24-hour news cycle and prevalence of social media contribute to the risk of destabilization.

A crisis can be the result of a number of different types of incidents and developments and take on many forms. For example:

  • Reports or even hints of executive misconduct or a toxic
    work culture can ignite a media firestorm.
  • Negative, and misleading, videos and comments can go viral and damage reputations.
  • The polarization of people, governmental policies and politicians can catch companies unaware and put them in highly public debates.
  • Executing business-model initiatives and certain compensation incentive strategies can result in unintended consequences and enterprise-wide risk.
  • Natural and man-made disasters throw tightly linked supply chains into imbalance, amplifying how a regional event can have significantly greater and more far-reaching impacts.
  • A single cyber breach can have devastating consequences.

These incidents may call into question the effectiveness of a company’s board of directors and its ability to provide effective oversight and governance.

While prevention must always remain a priority, advance crisis preparation is now imperative as avoiding crises entirely is nearly impossible. For example, the current cyber threat environment is such that it is likely only a matter of time before all businesses will suffer a cyber breach. Whether the cause of the crisis is corporate malfeasance, a terrorist attack or a natural disaster, a company’s ability to manage a timely, well-coordinated crisis response and communicating with stakeholders is critical.

To help companies prepare for the challenge, boards should determine that management has a practical and relevant crisis response program and actively oversee and challenge all aspects of that program, including key considerations before, during and after an event. This includes determining that management has the right framework in place and that it has sustainable capabilities to allow the company to react to and quickly recover from crisis events. In preparing for and especially when confronting a crisis, boards should also understand the roles and potential implications to key stakeholders. Boards should also participate in various simulations and tabletop exercises with management teams to enhance their effectiveness in responding to crises.

Overseeing management’s crisis response program

A corporate crisis can impact organizational culture, business operations and reputation — all of which can have significant financial, legal and regulatory ramifications. Therefore, a crisis management program should bring together a variety of stakeholders who can understand the potential implications and help plan for and recover from a crisis. The program should be managed by someone with in-depth legal and compliance experience who is able to manage day-to-day operational and tactical responses. It should also closely align the internal and external communications leaders to make sure the decisions and messaging are clearly and directly articulated to the key audiences.

The crisis management program should be a process within the company’s broader resiliency toolkit and integrated into its enterprise risk management (ERM) program. This integration helps safeguard that crisis response planning is aligned with and informed by the company’s strategic plan and risk tolerances, and that it is dynamic and evolves along with changes to risk assessments and prioritization. Most importantly, a robust ERM program is foundational for risk management, litigation prevention and loss mitigation.

Stakeholders involved in crisis response

As the linchpin of the company’s response, the crisis response program must involve key constituencies and integrate their knowledge and expertise in managing and recovering from the crisis. The crisis response team should work closely with impacted business-unit leaders in executing upon disaster recovery and/or business continuity plans. The key roles in the company’s response may include:

  • Chief executive officer (CEO)—The CEO should be involved with leading the crisis management efforts (unless determined otherwise), including activating the management team and appropriate resources to gather information and work swiftly to determine the appropriate steps to mitigate the effects of the crisis.
  • Business operations and impacted business units—The chief operating officer (or equivalent executive of the impacted business unit) should focus on obtaining an understanding of the enterprise-wide impact the crisis had on operations (including customers, suppliers and any other impacted parties), as well as executing upon disaster recovery and business continuity plans. The business operations team should make sure operations are adequately supported during the crisis and strive to revert back to “business as usual” as quickly and efficiently as possible.
  • In-house and external counsel—In-house counsel is integral to nearly all response activities and needs to be equipped with as much information as possible in order to determine potential compliance and legal impacts and interface effectively with various parties, including external counsel, which also plays a critical role throughout the entire response. In advance of a crisis, in-house counsel should verify that initial briefings and any statements made to the press via talking points and scripts are developed for crisis events (including considerations regarding potential liabilities, material omissions or misstatements). In addition to the message, companies also need to make sure the lines of approval are clear and determine who the messenger will be. The internal counsel should also verify that agreements and/or retainers are in place for critical external parties (including direct and easy access to mobile numbers of third parties). In particular, in-house counsel should make certain they are knowledgeable about the specific insurance requirements and related criteria and protocols that must be followed in order to be eligible for insurance recoveries.
  • Chief communications officer (CCO) or equivalent—The CCO is integral toward establishing trust through sharing credible and transparent messaging that defines what has occurred,
    the impact and how the organization is seeking to stabilize, learn and improve from the crisis. The CCO will also oversee the monitoring of any feedback or new developments on social media or elsewhere. He or she acts as the conduit for taking the decisions made and turning them into reactive or proactive messaging and actions. Depending on the severity of the issue, an external crisis communications team may also be engaged.
  • Chief risk officer (CRO)—The CRO should work closely with in-house counsel to proactively identify and manage any risks that may arise as a result of the crisis or the crisis response plan (e.g., compliance, safety).
  • Chief financial officer (CFO)—Depending on the financial impact, the CFO will work closely with in-house counsel to file any required public disclosures (e.g., Form 8-K) relating to
    the event and will also play a key role in coordinating with in- house counsel in filing insurance claims and following related required protocols. The CFO is also integral in working with business units to assess the impact of the crisis (e.g., financial and liquidity considerations, operational and functional impacts, implications to the investor community), and quickly working with other members of the executive team on possible responses.
  • The external auditor—The auditor needs to understand and evaluate any potential adverse financial impacts of the crisis (including regulatory, legal and internal control implications) and make sure that the related financial effects and appropriate disclosures are accurately reflected in financial statements.
  • Technology, information systems and security teams—Depending on the nature of the crisis event, key systems, supporting technologies and data may not be accessible and/or compromised. In the event that the crisis has a cyber dimension, the chief information officer, chief security officer and/or chief technology officer are at the heart of the operational response. These individuals may need to work with other business functions to determine alternatives to key processes to support affected stakeholders (customers, employees, etc.) and possibly implement backup processes (such as manual workarounds) during the crisis.
  • Investor relations, corporate governance and public relations—These functions will play a pivotal role in assessing the implications of the crisis to the investor community and developing an appropriate communications strategy.
  • External investigators, public relations, marketing and human resources—These functions may have key roles to play in evidence gathering, identification and discovery, as well as internal and external communications.

Key goals of an effective crisis response program

Before an event

Support desired risk-aware culture. A risk-aware culture with robust ethics and compliance programs can help prevent certain types of crises and improve responses to others. The company’s ERM process should encourage escalation of concerns, clearly communicate responsibilities for management of risk across the organization, and align core values and behaviors with pay incentives.

Enhance early-warning systems. Ahead of an actual crisis, companies should decide which key issues must be elevated to business-unit leaders, senior management and the board. Where possible, companies can adopt explicit escalation triggers so as to limit the degree to which upward communications are inadvertently delayed. In particular, the company’s disclosure controls and ERM processes should allow for risk evaluation and mitigation before a crisis erupts, including risks that may be embedded in the company’s strategy or culture. This requires the company to encourage escalation of concerns (including elevation of information to the board as appropriate) and spend more time analyzing the external business context for risks on the horizon. It also requires that companies identify and understand the connectivity and interdependence among different business lines, geographies and across the supply chain. In particular, boards should have a robust understanding as to management’s process and elevation criteria used when reporting to the board.

Define roles, responsibilities and decision-making, and communication protocol in a crisis situation. Management and the board should clearly understand their respective roles and responsibilities before, during and after a disruptive event. Companies need to define the appropriate activities of the board and senior leadership during a crisis, such as who will be making decisions, how those decisions will be informed and made, and who will be brought in to assist. Processes and channels of communication (potentially including alternative platforms of communication) should be agreed to in advance. This includes identifying and training a company spokesperson, which may vary based on the nature of the crisis. When a crisis event occurs, companies should not be wrestling with questions around who should be informed, who will speak to the regulators, how to deal with the media, what kind of message needs to be communicated, and so on. Having defined protocols and responsibilities in place will allow for a continuous, coordinated response. Business operations may be disrupted during a crisis so it is important to determine which members of the management team (including substitutes) will be focused on operations and those who will be focused on remediating the effects of a crisis.

Identify and engage key allies and external advisors. The company should identify points of contact, open lines of communication, and, in some cases, have agreements in place with external advisors that they may need to secure and activate quickly during a crisis (e.g., legal advisors, public relations firm).

Develop reference materials for communications in advance. Companies can prepare for the 15–20 most common disruptions they may face, with messages suitable for different constituents, circumstances and media channels. Draft press release templates and scripts that can be delivered through print and television news at the local and national level, and through key social media channels, should be crafted in advance. Additionally, companies can develop a library of customer communications that covers likely experiences and alternatives, and craft specific messages for high-value customers for each major product or service. Draft crisis communications should also cover counterparties, vendors and employees.

Rehearse a response. Companies need to exercise the muscle that is responsible for responding to a crisis. Leading companies test their crisis readiness plans through tabletop exercises that challenge key senior leaders and those involved in the crisis response (e.g., lawyers, public relations) using realistic scenarios. These simulation exercises build efficiency and confidence, and allow companies to act with more precision when an actual crisis occurs. Crisis preparation and rehearsal of such responses will help organizations identify any possible gaps and enable them to navigate the crisis better. Boards should oversee these readiness exercises and take part in them when appropriate.

During an event

Develop and enforce a communication and briefing plan among all internal stakeholders. A centralized response program should provide guidance to all lines of business involved in the response and set a level of understanding about what information is critical for senior leaders to know—as well as when and how to express it. Companies should work to carefully investigate and swiftly gather as much information on the crisis as possible (including proactively monitoring social media and other blogs to gain an understanding of stakeholder and media perceptions). During the information-gathering process, companies should verify accuracy of facts to prevent acting on any misinformed assumptions or bad information. While the visibility of the CEO should depend on the nature of the crisis, it is critical that she or he be prepared to go public as needed to protect the company and trust in the brand, demonstrate strong leadership and communicate credibility to key stakeholders.

Deploy a communication and briefing plan among all internal stakeholders. A centralized response program should provide guidance to all lines of business involved in the response and set a level of understanding about what information is critical for senior leaders to know—as well as when and how to express it. Companies should work to carefully investigate and swiftly gather as much information on the crisis as possible (including proactively monitoring social media and other blogs to gain an understanding of stakeholder and media perceptions). During the information-gathering process, companies should verify accuracy of facts to prevent acting on any misinformed assumptions or bad information. While the visibility of the CEO should depend on the nature of the crisis, it is critical that she or he be prepared to go public as needed to protect the company and trust in the brand, demonstrate strong leadership and communicate credibility to key stakeholders.

Centrally manage all inquiries received from external and internal groups. Communications to both internal and external audiences should be carefully and thoughtfully planned, performed by management and executed with oversight by the board. Such communications should link to the company’s ethics and values and be timely, accurate and consistent, as lack of clear messaging can pose or introduce litigation risk. There is less room for conflicting or inaccurate messaging when all crisis-related communications are centrally managed by the response team.

Navigate the complexities of working with external groups. Crisis management will involve a variety of external parties, such as outside counsel, regulators, third-party advisors and/or investigators (particularly if management is implicated in the crisis), and law enforcement agencies. A centralized response program helps to safeguard a timely and coordinated flow of information to these groups that integrates the knowledge of key internal stakeholders.

Collaborate with business units to support ongoing operations and execute upon disaster recovery and business continuity plans. It is imperative that the company have management that can focus on running the business (while managing and maintaining customer experience) during a crisis as others focus on managing the crisis and restoring operations.

During a crisis, companies may need access to additional financial resources and working capital, and those resources may have to last during a prolonged crisis. Accordingly, it is critical that companies have shored up, in advance, robust, tested financial contingency plans that are linked directly to their crisis management processes; this way, when crises hit, the crisis and operational teams can work effectively with treasury resources to manage liquidity and working capital needs. Companies should also recognize that those financial contingency plans may have to withstand industry-wide market failures, during which time liquidity and capital may not be readily available. Additionally, establishing contingency arrangements with major business partners (especially critical vendors) in advance of a crisis event may also be helpful in transitioning back to business as usual.

After an event

Define recovery effort by critical business needs. Disconnected initiatives by different business units could have conflicting priorities and hinder timely recovery. A central point of authority is required to oversee the prioritization of critical business processes across the organization to align with the company’s strategic objectives and to base that prioritization on the greatest risks to the company.

Prioritize communications with key stakeholders. The recovery effort should prioritize fact-based, timely and open communications with employees, customers, shareholders, joint ventures, business alliances and other key stakeholders to help create transparency, foster a culture of integrity and restore confidence.

Identify and remedy any underlying or systemic causes of the crisis. Companies should have procedures in place to continually learn from incident response and improve, including an analysis to identify causes that may be rooted in the company’s culture and practices. Management teams should perform postmortems on any near misses and post-crisis to assess the effectiveness of response plans and discern lessons learned. A crisis may be inevitable; however, an effective crisis management plan and ERM program, coupled with strong tone at the top and risk mitigation, can help to detect and prevent a crisis before it hits. While companies cannot predict when a crisis or a black swan event may occur, boards should prepare their organization to have the ability to react to and recover from a crisis with resiliency and strength. Organizations, and in particular leaders, are defined by a crisis. How a company and/or its executives weather through a crisis can have enormous brand and economic impact for a company: it can either propel a CEO through stakeholder confidence to take on bigger change, or may result in negative repercussions because a company or its CEO mismanaged a situation. The criticality of being ready and knowing that this will indeed happen, with a great management team that’s driven to get this right, is one of the most important things CEOs and boards need to prepare for.

Questions for the board to consider

  • Has the company developed a crisis management “playbook” with decision process flows and escalation protocols? Do all the participants know their roles and the critical approval processes that are in place to be certain of quick and straightforward approvals?
  • Has the company considered and challenged itself as to the types of crises it may face, where and how likely such events might be?
  • Has the company identified the individuals who will lead communications during a crisis?
  • Has the company identified the external advisors in the various scenarios that the company plans on seeking counsel from? If so, are agreements in place with the external advisors such that they are able to be mobilized quickly? Does the company have a place or virtual room secured to gather in the event of a crisis?
  • How often do senior leaders take part in tabletop exercises using realistic crisis scenarios?
    And what is the board’s role in these?
  • Does the company’s response planning prioritize communications with key stakeholders, including employees, customers, shareholders and business partners?
  • If a crisis were to unfold today, how prepared is the company to react with precision, speed and confidence?

Both comments and trackbacks are currently closed.