Legal team's role in crisis and post crisis management

Almost every business crisis has a legal, regulatory or compliance-related dimension.

This means you’ll be heavily involved if a crisis hits your organisation. Colleagues as diverse as PR managers, brand managers, accountants, HR managers as well as the board and, possibly, investors, will look to you for leadership in a crisis, so it pays to have a plan in place.

Crisis – what crisis?

A crisis can take a wide range of forms and hit your organisation in many ways. A good crisis management plan should:

• Follow a five-stage process;
• Support all the organisation’s major stakeholders; and
• Minimise the impact of the crisis on the wider business.

The five-stage crisis management plan

Pre-crisis

1: Assess risk and make a plan. Consider every possible risk to the organisation. The list could include:

• Cyber-attacks;
• Employee data theft;
• Bankruptcy of critical supplier or client;
• Power outages;
• Fires; and
• Terrorism on your supply chain.

Next, assess what the effects of a full-blown crisis your organisation would be. For example, they could be:

• Physical – involving personal injury, or worse;
• Financial – affecting your revenues;
• Reputational – causing your brand to suffer;
• Operational – leading to difficulties in making your products or delivering your services; and
• Legal – your organisation could face legal action.

Having identified the threats and their potential effects, create your crisis management plan.

2: Review, test and update. Review your crisis management policy every six months to ensure the roles, the contact details and the reporting lines of everyone involved in it stay current.

Just as practicing emergency stops when learning to drive encodes instinctive behaviours, reviewing your response procedures regularly will help your staff click into action if a crisis strikes at your organisation.

Post-crisis

3: Implement and evaluate. Once a crisis hits, be ready to:

• Activate your plan; and
• Notify identified management, the crisis management group and other stakeholders.

Next, identify:

• What actions and communications you need to put in place;
• Which teams to assemble; and
• What information you need to move to the next stage.

4: Verify, scope and plan. Now, take control and scope your response by:

• Using data to verify your understanding of exactly what happened;
• Identifying the resources you need to contain and close the crisis; and
• Activating a command and control structure to own the crisis and learn from it for the future.

5: Normalise the crisis. Once you’ve achieved step 4, you can move on to a more controlled handling of both the crisis and its impact on the wider business.

Stakeholders to support in your crisis management plan

Who the main stakeholders are in your plan will vary depending on the nature of your organisation. However, they’re likely to include most, if not all, of these groups:

• Senior management. Agree who in senior management will be part of the crisis management team and what their roles will be. Keep the numbers limited - they still have a business to run. That said, have a plan B in case people are absent;

• The wider team. If people from outside senior management are in your crisis management team, consider if they need additional support or temporary increases in their authority;

• Your legal team. Legal and compliance are usually the departments most heavily involved in a crisis. However, lawyers are not always the best people to make decisions at this time. Our desire to eliminate risk can make us slow. Choose legal contributors to the crisis team carefully;

• Your outsource providers. From IT, through company cars to the provision of security guards and cleaners, some of your organisation’s biggest risks of a crisis lie in outsourcing. Do you have a resilience plan if the IT fails, your car lease company has its vehicles repossessed or a rogue cleaner steals your employee data? If things get messy with outsource providers, your ability to function can deteriorate fast;

• The supply chain. If suppliers, including outsource providers, are worried about your business, they may trigger Force Majeure clauses and may unexpectedly notify their regulators or their stockmarket when you are not ready. On the other hand, they could be the cause of the crisis, for example the subject of a modern slavery discovery. Ensure resilience of supply;

• The customer base. If you have to let clients down, should you let everyone down slightly or a few people down totally? Remember too, that clients, just like outsource partners and suppliers, may wish to terminate or suspend their relationships with you during a crisis (think FIFA sponsorship) - that might leave you with a lot or work or good in progress /transit that you need to do something with urgently. Can you argue against this or manage the consequences? and

• Shareholders, joint venture partners and the board. Who do you need to tell, when and how much? Does your board need to approve activation of a crisis plan and does the chair need to step in if executive management are implicated in the cause of the crisis or vice-versa (remember Paul Flowers at the Co-op)?

Minimising the impact on the wider business

A crisis can affect the wider business in many ways. You can help minimise the impact across your organisation by getting involved in:

Managing the media, public relations and the Twittersphere. Good PR and legal teams understand each others concerns, issues and language. When one writes something for the other, minimal or no adjustment is needed.

As an in-house lawyer in a time of crisis, you’ll need to prepare or edit communications that are legally robust yet friendly in tone. They’ll also need to fit strict media timescales. This can be tricky as you’ll want to assess if other people’s authorship could give rise to negative effects. Control, rather than eliminate, risk by adjusting your colleagues’ drafting in words that they would use.

It’s also critical to understand the different communication channels your organisation uses. From a call centre staff member dealing with an angry customer (or journalist pretending to be one) to the over-emotive or too-smart-by-half corporate Twitter response, the potential sources of weakness could be numerous.

Plan for effective communication across your organisation, monitor social media and learn to spot when people are trying to find or create cracks in your approach.

Updating the business plans and forecasts. A major crisis is going to leave lasting effects on your revenues, your cost base, your staff levels, your sales prospects, your ability to procure favourable supply costs and more. You’ll probably need to deal with:

• Companies Act forward-looking management statement obligations;
• Employment law issues, including those associated with dismissing culpable people;
• Damaged corporate pride; and
• Missed bonuses.

In the worst case scenario, you may even have “going concern” issues.

The sooner you recalibrate the organisation’s plans and objectives, the easier these issues will be to deal with.

Dealing with auditors. “You’ll have to waive privilege and tell us, otherwise there will be no sign off.” You may well hear or read these words from your organisation’s auditors in the weeks or months following a crisis.

And, if you’re on half-yearly or quarterly reporting, you’ll probably have had no time to quantify the issues before you have to discuss them with the auditors.

Accept that issues will arise. Meet with your crisis management team and work out your best approach in advance so you have as much control as possible if the issues arise during audit.

Asking questions about wider corporate reporting, such as:

• When should you notify the markets of a material change in your trading conditions and issue a profits warning?
• When and how will you act on regulatory demands?
• If you are multi-jurisdictional company, in what order across jurisdictions should you act? and
• When and how do you notify your insurers to avoid being declined cover?

Collateral effects

Collateral effects are risks that arise indirectly during, or after a crisis. They can include:

• Stockholders, joint venture partners and other investors being in a position to profit from your low stock value;
• Insider trading;
• Whistleblowing, internally and externally;
• Reduced creditworthiness resulting in restrictions on supply;
• Difficulty in recruiting;
• Stressed internal atmosphere; and
• Ambiguous future potential.

It’s hard to mitigate these risks, yet being aware of them will put you in a good position to spot the early signs and tackle them head on.

There’s no substitute for having a deep understanding of all parts of the business and its plans, staying current on changes and being proactive.

But then, as a great General Counsel, you already know that. And you’re already doing it.

Conclusion

The effects of a crisis in an organisation can be far-reaching and long lasting. They have many causes and can strike at any time. While you may not be able to avert a crisis, you can minimise its impact and get your organisation back on track as quickly as possible through risk assessment and good planning. You’ll achieve this by recognising the life cycle of a crisis, determining the main stakeholders affected and looking at the implications for the wider business in the weeks and months afterwards.