Board oversight considerations before an event
- The board should set the tone at the top for the importance of crisis management. A robust crisis response program may be considered a low priority, and time and money may not be appropriately allocated to crisis planning, response rehearsal and remediation efforts. The board can help address this challenge and elevate the importance of preparedness and crisis readiness.
- Depending on the nature of the crisis, boards may need to have a spokesperson to speak on behalf of the board and/or the company. The board should identify a spokesperson for the board (ideally an independent board leader) who will be prepared to represent the company and the board, as needed, and will serve as the key point of contact for management during the event.
- The board should feel comfortable with the crisis response plan, including how the board will be getting information throughout the crisis, and should actively oversee its development and testing.
- The board should have a deep understanding of the company’s strategy, culture, disclosure protocols, ERM process and external business developments. This knowledge enables the board to challenge management’s biases, help identify warning signs that could portend a crisis and provide that the company’s strategic objectives and values drive crisis planning and response. Leading boards may also consider engaging a third party or having an external assessment performed on the effectiveness of the crisis response plan and highlight any significant gaps.
- The board should have a good understanding of the insurance policies held by the company, including criteria for reimbursement of claims, criteria that would trigger insurance coverage to be void, what would be covered and to what extent.
- The board should verify there is a robust feedback and monitoring system in place to assess how events are unfolding in real time to make sure the decisions are in sync with the events on the ground.
During an event
Deploy a communication and briefing plan among all internal stakeholders. A centralized response program should provide guidance to all lines of business involved in the response and set a level of understanding about what information is critical for senior leaders to know – as well as when and how to express it. Companies should work to carefully investigate and swiftly gather as much information on the crisis as possible (including proactively monitoring social media and other blogs to gain an understanding of stakeholder and media perceptions). During the information-gathering process, companies should verify accuracy of facts to prevent acting on any misinformed assumptions or bad information. While the visibility of the CEO should depend on the nature of the crisis, it is critical that she or he be prepared to go public as needed to protect the company and trust in the brand, demonstrate strong leadership and communicate credibility to key stakeholders.
Centrally manage all inquiries received from external and internal groups. Communications to both internal and external audiences should be carefully and thoughtfully planned, performed by management and executed with oversight by the board. Such communications should link to the company’s ethics and values and be timely, accurate and consistent, as lack of clear messaging can pose or introduce litigation risk. There is less room for conflicting or inaccurate messaging when all crisis-related communications are centrally managed by the response team.
Navigate the complexities of working with external groups. Crisis management will involve a variety of external parties, such as outside counsel, regulators, third-party advisors and/or investigators (particularly if management is implicated in the crisis), and law enforcement agencies. A centralized response program helps to safeguard a timely and coordinated flow of information to these groups that integrates the knowledge of key internal stakeholders.
Collaborate with business units to support ongoing operations and execute upon disaster recovery and business continuity plans. It is imperative that the company have management that can focus on running the business (while managing and maintaining customer experience) during a crisis as others focus on managing the crisis and restoring operations.
During a crisis, companies may need access to additional financial resources and working capital, and those resources may have to last during a prolonged crisis. Accordingly, it is critical that companies have shored up, in advance, robust, tested financial contingency plans that are linked directly to their crisis management processes; this way, when crises hit, the crisis and operational teams can work effectively with treasury resources to manage liquidity and working capital needs. Companies should also recognize that those financial contingency plans may have to withstand industry-wide market failures, during which time liquidity and capital may not be readily available. Additionally, establishing contingency arrangements with major business partners (especially critical vendors) in advance of a crisis event may also be helpful in transitioning back to business as usual.
Board oversight considerations during an event
- The board must understand the scope of the crisis and its existing and potential impact to determine the scope of the board’s involvement (including whether a special ad hoc committee or a designated counsel for the board is warranted) and to oversee and help guide the response strategy. This strategy should include communicating with various stakeholders, including employees, customers, the public, shareholders, external third parties and, potentially, regulators and law enforcement.
- The board should receive regular briefings from management with the latest findings, regulator and law enforcement inquiries, vendor and supplier impacts, customer sentiment, employee reactions, litigation filings, insurance considerations, media coverage (traditional and social media) and reactions of major shareholders. In the case that management is implicated and an external provider and/or investigator is retained to conduct an investigation, the board (or appropriate committee) should closely oversee that process. The board should also receive any related briefings directly from the third party.
- The board (and/or appropriate committee) should be supportive while providing effective independent oversight as they interact with the executive management team and other key stakeholders.
- The board can help provide that the company’s crisis response is consistent with its core values and purpose. New risks and unintended consequences may arise from the crisis and boards should work with management to proactively oversee the dynamic situation. The way an organization responds to a crisis can speak to, and is a test of, the organization’s culture and processes. Once a response team is activated, an effective crisis management plan is one that leads with values and communicates openly, with humility, and swiftly with the key stakeholders involved (consumers, investors, media, regulators, etc.)
After an event
Define recovery effort by critical business needs. Disconnected initiatives by different business units could have conflicting priorities and hinder timely recovery. A central point of authority is required to oversee the prioritization of critical business processes across the organization to align with the company’s strategic objectives and to base that prioritization on the greatest risks to the company.
Prioritize communications with key stakeholders. The recovery effort should prioritize fact-based, timely and open communications with employees, customers, shareholders, joint ventures, business alliances and other key stakeholders to help create transparency, foster a culture of integrity and restore confidence.
Identify and remedy any underlying or systemic causes of the crisis. Companies should have procedures in place to continually learn from incident response and improve, including an analysis to identify causes that may be rooted in the company’s culture and practices. Management teams should perform postmortems on any near misses and post-crisis to assess the effectiveness of response plans and discern lessons learned.
Board oversight considerations after an event
- The board should assess the adequacy of management’s response to the crisis and its post-crisis evaluation, recovery and corrective actions. The most effective crisis response systems are those that institute a continuous feedback loop that allows the organization to better identify risks before crisis arises to lower the probability of a crisis occurring and improve its response should one arise.
- The board should evaluate its own role in responding to the crisis, including whether the board had the adequate skills, structure and information needed to enable quick, decisive and informed action. A crisis is likely to draw investor scrutiny of the company’s compliance and governance, including board and committee leadership and director qualifications. Among other things, this scrutiny could lead to requests for engagement, shareholder proposal submissions, public campaigns opposing specific directors and interest from activist hedge funds. Proactive self-assessment by the board, direct engagement with key shareholders and transparent communications around remediation efforts and board-level changes may help address investor concerns.
A crisis may be inevitable; however, an effective crisis management plan and ERM program, coupled with strong tone at the top and risk mitigation, can help to detect and prevent a crisis before it hits.
While companies cannot predict when a crisis or a black swan event may occur, boards should prepare their organization to have the ability to react to and recover from a crisis with resiliency and strength. Organizations, and in particular leaders, are defined by a crisis. How a company and/or its executives weather through a crisis can have enormous brand and economic impact for a company: it can either propel a CEO through stakeholder confidence to take on bigger change, or may result in negative repercussions because a company or its CEO mismanaged a situation. The criticality of being ready and knowing that this will indeed happen, with a great management team that’s driven to get this right, is one of the most important things CEOs and boards need to prepare for.
Questions for the board to consider
- Has the company developed a crisis management “playbook” with decision process flows and escalation protocols? Do all the participants know their roles and the critical approval processes that are in place to be certain of quick and straightforward approvals?
- Has the company considered and challenged itself as to the types of crises it may face, where and how likely such events might be?
- Has the company identified the individuals who will lead communications during a crisis?
- Has the company identified the external advisors in the various scenarios that the company plans on seeking counsel from? If so, are agreements in place with the external advisors such that they are able to be mobilized quickly? Does the company have a place or virtual room secured to gather in the event of a crisis?
- How often do senior leaders take part in tabletop exercises using realistic crisis scenarios? And what is the board’s role in these?
- Does the company’s response planning prioritize communications with key stakeholders, including employees, customers, shareholders and business partners?
- If a crisis were to unfold today, how prepared is the company to react with precision, speed and confidence?