David A. Brown is leader, Claudia H. Allen and Patrick A. Lee are senior advisors at KPMG LLP. This post is based on their KPMG memorandum.
Crisis prevention and readiness
Crisis prevention and readiness have taken on greater urgency for management and boards as corporate crises—frequently self-inflicted—continue to make headlines. One question that quickly takes center stage, particularly if warning signs went unheeded, corporate culture was the culprit, or the company’s response was seen as inadequate: Where was the board? Could the board have done more to help prevent the crisis, mitigate the impact, or improve the response?
To be sure, the increasing likelihood of externally triggered crises occurring—cyberattack, natural disaster, terrorist act, supply chain failure—should be prompting a hard look at crisis readiness and response plans: Where is the company vulnerable? What is the crisis response plan—and has it been practiced? How well-prepared is the company? Does management have the resources, skills, and plan to handle a major crisis? What is our plan if the CEO is unavailable or otherwise disqualified?
But perhaps more concerning is the deep and long-lasting reputational impact of self-inflicted crises—product quality, worker safety, sexual harassment, unethical sales practices, legal/regulatory compliance—that have also put a brighter spotlight on crisis prevention. How effective are the company’s crisis-prevention efforts, particularly given the speed that news (accurate or inaccurate) travels globally, as well as high stakeholder expectations for companies to “do the right thing”?
As highlighted by the directors and business leaders we interviewed, the starting point is to make sure the fundamentals are in place, visible, and working—culture, tone at the top, ethics and compliance program, whistleblower hotline, employee training, and a robust risk management process. Indeed, recent corporate crises offer important lessons to consider in mitigating risk and being prepared for a crisis (see sidebars). Our interviews add important color and insights to those lessons—particularly on the role of culture in crisis prevention and tabletop exercises in crisis readiness, including:
- Making it safe for people to do the right thing
- Monitoring culture and incentives enterprise-wide, with healthy skepticism
- Calibrating board/committee processes and communications for a better line of sight
- Not simply having a crisis plan in place—but practicing it.
And when a crisis does occur, transparency and accountability, being clear about who is calling the shots, keeping the board informed, and maintaining the board’s independence are all cited as keys to an effective response and timely recovery.
In connection with crisis prevention and readiness, of course, the board and management have related duties but separate roles. Boards should not usurp management’s role (assuming no extreme circumstances); yet, the recent corporate crises create an imperative that boards reassess their level of engagement in this critical area.
Make it safe for people to do the right thing.
Beyond setting the tone and walking the talk, “the CEO and senior management should create a culture that makes it safe for people to do the right thing.” A company’s leadership, particularly the CEO, needs to be visible and approachable. “The goal is to create an open and comfortable atmosphere that encourages people to come forward and speak up—not just vertically but laterally—360 degrees, really. You have to make it okay for people to ask questions, disagree, and bring up difficult subjects. They need to feel empowered to speak up when they see problems, even if the problem isn’t fully formed yet.”
The starting point: Make sure the fundamentals are in place and visible—tone at the top, ethics and compliance programs, employee training, whistle-blower hotline, a robust risk management process. “But then focus on the culture and incentives surrounding those mechanisms.”
Be clear about the behaviors for which the company has zero tolerance. Companies typically have zero-tolerance policies for certain behaviors—such as violence, fraud, racial discrimination, and sexual harassment—but there cannot be a zero-tolerance policy for everything, and it is essential that companies get this right. How should a board and management team go about developing a zero-tolerance policy? What makes a zero-tolerance policy effective? The #MeToo movement provided some important lessons for boards as to how to establish absolute clarity regarding a zero-tolerance policy for harassment and abuse. See sidebar, Zero tolerance: Lessons from #MeToo.
Create a culture of accountability. “People pay attention to who gets hired, fired, and promoted. There is no substitute for being objective about leadership and holding them accountable and paying for performance. It gives all employees a sense of what is expected and what is rewarded.”
These issues are often more nuanced than simply reporting wrongdoing. One lead director’s company created a dedicated “advice hotline” in human resources (HR), separate from the whistle-blower line. “We found that employees are more inclined to call a line that’s staffed with professionals who can help them think through an ethical question.” “‘If you see something, say something’ is a useful mantra, but it doesn’t work if the power dynamic is wrong, or if there’s an implicit downside for speaking out.”
Emphasize values and purpose in the decision-making framework. Be clear that the company will stand behind employee decisions that are grounded in the company’s values—whether it’s safety, customer service, or kindness to others. Also, recognize that corporate loyalty is less of a motivator than it once was. Millennial and other younger generations may care more about the larger purpose behind their work, which is values based not company based. “Values and purpose are becoming north stars.”
Understand how employees are onboarded, core values are communicated, and expectations are set. What is the messaging that new hires hear first? How are values articulated and reinforced? Make sure new employees understand expectations and enable them to live up to those expectations with training and regular reminders. At a leadership level, “any senior-level hire should meet with the lead director—when they’re hired or departing from the company—to talk about the culture.”
Recognize the power of performance targets. “Most people want to do the right thing, but generally speaking, they will aim for the targets they’re given.” Leadership may have all the right intentions and ideas for putting balanced targets in place, but cascading that down through a large, extended, and diverse organization is not easy to do. “You can end up with unintended consequences and behaviors that can lead to a crisis.”
Monitor culture and incentives enterprise-wide, with healthy skepticism.
Red flags are usually too late. Spotting yellow flags early enough to respond requires a combination of probing dialogue in the boardroom and exposure to the everyday culture of the company. What gets rewarded? What is driving behaviors and results?
Focus on outliers—negative and positive. How did an individual or a business unit get such phenomenal results this quarter? How did we beat our peers’ performance by a factor of three? “It’s easy to hold back on skeptical questions when things are going well, but ‘don’t mess with a good thing’ is not a good answer. If it sounds too positive, ask more questions. Insist that the board be informed about anomalies—good ones and bad. Ask for the outliers and have a constructive conversation about them. Be skeptical. That’s the board’s job.”
Zero tolerance: Lessons from #MeToo
- Send a clear message: Preventing workforce harassment and abuse at all levels is a top priority for the board and senior management.
- Clarify the duty of officers to share workforce misconduct information with full board.
- Assess the soundness of sexual harassment policies, training, and enforcement.
- Identify the types of complaints that must be brought to the board’s attention.
- Monitor red flags and actively inquire about culture, particularly instances of alleged sexual misconduct or inappropriate behavior, via executive session, through a committee, or the full board.
- Assess the effectiveness of employee hotline mechanisms, including processing and escalation as well as investigation policies and processes.
Do we understand our cultural risks—particularly those associated with tone at the top and incentives/pressures—and how we are addressing them?
- What are the tools or common ways that senior management and boards can use to gauge culture—particularly the culture in the middle and at the bottom?
- What are our metrics—and do the metrics reflect our values?
- What pressures are we creating? Are performance metrics/goals realistic?
- What is our zero-tolerance policy?
Do we use a “reputation lens” to assess, manage, and oversee risk?
- Do we consider the reputational implications of what may seem like “financially immaterial” risks?
- Does this yield better outcomes?
Do we have a robust risk and control culture?
- Do we understand our key operational risks and have the right controls in place?
- Are we sensitive to early warning signs regarding workplace conduct, safety, product quality, and compliance?
- Is internal audit properly focused and resourced?
How much information, and what kind of information, does the board require to provide effective oversight?
- Who decides?
- How involved are board members in determining their information needs and when additional information is warranted?
Conduct a formal risk assessment of incentive programs. Is pay driving too much risk taking or the wrong behaviors? “If all the focus is on the dollars, people may start cutting corners on maintenance, treating others poorly, etc.” A formal risk assessment by internal audit or a compensation consultant can help determine whether incentives are working as intended. “Our board’s independent compensation consultant conducts a risk assessment of compensation incentives going all the way down to the sales associate level. The consultant reviews the formulas and documentation to see if there are checks and balances to account for risk factors—unusual activity, a disconnect from returns, etc. If the leadership team knows that the compensation committee and board are getting this type of report, it sends a message to management about the board’s expectations.”
Assess the effectiveness of sexual harassment policies, including reporting channels and investigative processes. Is there a robust process for management to review and update the company’s policies on sexual harassment to ensure that they remain appropriate and relevant? How well are the avenues for raising sexual misconduct concerns communicated throughout the organization? Do employees feel comfortable raising concerns? What is the escalation process? Does the board know about a complaint concerning an executive as soon as it is reported? What about complaints deeper in the organization? Is there a protocol for reporting sexual misconduct complaint trends to the board?
Ask the auditors—and others—what they are seeing. Auditors are naturally attuned to the pressures facing employees and business units—for example, lack of resources, tight deadlines, or tough growth targets. Yet, “internal auditors are too often underutilized. My interactions with internal audit are always helpful—and not just whether technical procedures are being followed. They understand the general attitude in the organization, when things are getting lax or are running well.” Most organizations are doing more with less, and that is not sustainable over time.
Private discussions with others who have a line of sight into the business—i.e., the external auditor, head of HR, general counsel, chief compliance officer, and compensation consultant—can provide important insights and context for crisis prevention efforts. “It’s also another opportunity to reinforce expectations and strengthen relationships.”
Spend time outside the boardroom and corporate headquarters. There’s nothing better than spending unstructured time, without a C-suite presence, visiting company businesses, plants, and facilities. A few hours with the local management team and interfacing with employees can give you a firsthand feel for what’s happening on the ground. Does it line up with what you’re hearing in the boardroom? “We send out teams of two directors to visit different parts of the company and meet with local management.” It’s not one and done. Relationships are developed over time—and trust is built based on these relationships.
Calibrate board and committee processes and communications for a better line of sight—particularly into culture, ethics, and compensation risks.
Consider the role of the committee chairs in the context of crisis prevention, particularly as the business environment becomes more complex and uncertain. Standing committees often have different lines of sight into culture, ethics, and incentive risks, and, therefore, different views as to potential vulnerabilities and risks, for example:
- The compensation committee, typically working with a compensation consultant, signs off on the Compensation Discussion and Analysis, required in the company’s 10-K filing and often incorporated by reference from the proxy. The compensation committee has a good understanding of how incentives are intended to drive behavior as well as associated risks posed by the incentives. That said, “What is going on further down in the organization in terms of incentives and pay driving behaviors? Does the compensation committee need to take a step back and a fresh look at the balance of targets? Other committee chairs may have related concerns.”
- The audit committee, working with auditors and overseeing enterprise risk management, ethics and compliance, and the whistle-blower hotline, has a different line of sight into cultural issues and risks. Audit committees are well positioned to help focus internal audit on risks posed by incentives—and to spot-check and question results that seem too good to be true.
- The nominating and governance committee, with responsibility for CEO/leadership succession, may also have a unique perspective on talent and incentives.
Periodically bring the committee chairs together to coordinate and calibrate. Have the committee chairs discuss each committee’s role—in conjunction with the full board—in overseeing tone at the top, culture, and incentive risks. Are there special roles for each committee? Is it time to reexamine board committee roles/charters? “As lead director, I attend all committee meetings to help ensure coordination and that we’re connecting dots.”
Have a crisis response plan in place—and practice it.
Companies that are prepared tend to weather a crisis better. “It might be time-consuming and expensive, but identifying likely crisis scenarios and practicing responses is well worth the investment.”
Use tabletop exercises. “Every company should conduct tabletop exercises—starting with a cyber breach scenario. What do we do in the event of a major cyber breach? What are the critical elements of successfully managing a cyber breach, and how can we apply those elements to other crises?”
Some companies take a risk management approach. What are the categories of crises that could occur? Ask management and the board: What are the five worst things that could happen to our business? What alert systems are in place for quickly escalating issues internally? What is the impact on our company when something happens to another company? “Bring in buy-side investors and bankers, and ask them what they think is the worst thing that could happen to the company. Learn from other companies’ mistakes.”
For each category of crisis, develop a response plan:
- Who will act as an internal lead—and who are the backups—for each category of crisis?
- What is the role of each member of the crisis team—CEO, general counsel, outside counsel, public/investor relations, internal communications, or other relevant specialists?
- What outside advisers should be on the team—for example, legal advisers, accountants, investor and public relations experts, or crisis management firm?
- Who is responsible for communications to each constituency—for example, regulators, investors, employees, customers, media, the public? Is there a clear communications plan for each constituency—including a social media strategy?
- What is the role of the board versus management? Should the lead director/independent chair (and perhaps another director) be on the crisis response team to keep the board informed from the outset, facilitate communications to the board, and determine the appropriate level of board involvement—particularly if senior management is unavailable or conflicted?
Management should have a blueprint and communication protocol to follow. Key questions for the board: How well prepared are we? Do we have a comprehensive, executable crisis response plan? What don’t we have a game plan for? Does management have the experience, skills, and resources to manage a crisis? Keep in mind that many companies don’t have people with firsthand experience managing an existential crisis. There needs to be a blueprint to respond quickly. Know who needs to be at the table for any given crisis and connect with them early on, before a storm hits.
When a crisis does occur, be transparent, accountable, and clear about who is calling the shots.
“The company needs to step up and take ownership and responsibility in a crisis situation. Accountability and credibility are everything.” An effective response and quick recovery—particularly in the eyes of customers, employees, and the public—will hinge on transparency and speaking with a single, clear voice whether the news is positive or negative. “Run all the traps and avoid reaching a convenient but premature conclusion.”
Understand the scope of the crisis and how management is responding. Three key questions every board should ask: Have we determined the full scope of the crisis? Are the board and management all together/of the same mind as to what’s being done? Do we have benchmarks and checks on progress as the crisis management and mitigation efforts go forward?
The board’s role is to stay informed and oversee management’s response, “without getting in the way. Let management do its job and expect them to keep the board informed. But stay on top of the crisis until you reach the landing point.”
Make sure everyone knows what the company’s values and priorities are when a crisis happens. “Be clear in your own mind—and to the public—about what the company stands for, what its values are, and where its loyalties lie” (i.e., product quality and customer/worker safety versus financial performance). How does management communicate this to employees down the line? “Don’t short-change the response. Management should have all the resources it needs to do the right, best thing.” “Media and reputation is important, but do what really matters first. Doing the right thing will increase the likelihood of success.”
“Be as transparent as possible. Gather the relevant facts and, without jumping to conclusions, share as much as you can. ‘Going dark’ or having a bunker mentality will leave questions lingering and invite rumors and inaccurate information to build up.” “Use social media to help understand what marketplace perceptions are and stay ahead of the story.”
Be clear who is “calling the shots.” Assuming the CEO is not disqualified or unavailable, the CEO is in charge and the board’s role is oversight. The CEO is the face of accountability, and external communications should flow through the CEO. Individual directors should generally not speak for the company—unless a board response is determined to be necessary. What is the plan—including the role of the lead director—if the CEO is disqualified or unavailable? Remember that confidentiality is rule number one.
Support management, but maintain independence. The lead director needs to maintain the board’s independence during a crisis, working with the CEO and others to ensure the board has independent legal and financial advice if necessary.
Focus on the root cause and recovery. If the crisis was caused by an underlying problem, understand how management is getting to the root cause and fixing it. “If culture was the culprit, be prepared for a long-term effort.”
Three near-term steps for a better line of sight on culture and crisis readiness
1. Meet with committee chairs to determine whether the right focus and attention are being brought to culture and incentive risks. Is anything falling between the cracks?
2. Ask for risk assessment of culture and incentives. What is our culture? What behaviors are incentivized by compensation practices? Are the behaviors motivating people to do the right thing?
3. Have management run a tabletop crisis response with the board, starting with a cyber breach scenario. Where are the gaps—and what lessons can be applied to other crisis scenarios the company might face?