BDO’s senior manager Francisco Basdekis highlights the steps to be taken in disaster management.
RECENT CORPORATE failures to properly manage crisis situations have stressed the need for Boards to increase more efforts towards planning for and responding to crises.
Granted, in any business, there are some risks that are impossible to eliminate no matter how much care is taken. However once realised, these risks can be devastating if a company is unprepared.
A crisis is a situation where a risk materialises, resulting in significant operational, financial and reputational consequences. Crisis management is the process by which companies prepare for crises before they occur and manage them when they do occur.
Disaster management plan
As with risk management, boards are responsible for ensuring that the companies they oversee have established a disaster management plan for each risk, based on its industry and operations.
While a board needs not ensure that a company’s crisis plan addresses issues described below, asking management about whether it has addressed such elements (or why it has chosen not to implement such elements) can help directors satisfy their fiduciary duties.
Business experience and practicing of enterprise risk management (ERM) as well as the establishment of its framework has shown that the following outline of five steps, along with an effective board culture, can help ensure management is well positioned to respond when a crisis occurs. These steps are:
i) Step 1: Evaluate internal controls, risk management and corporate governance – The first step involves a periodic examination of internal controls, risk management processes and corporate governance practices. Together, these three components create a strong foundation for crisis management. One way of evaluating this foundation is through reviewing corporate policies and controls to ensure that they address the types of behaviours that could lead to significant risks.
ii) Step 2: Identify common causes of corporate crisis – The nature of a crisis involves uncertainty and the likelihood of a particular crisis occurring varies by company-specific factors. With these factors taken into account, it is necessary for the Board and Management to be familiar with the most common causes of corporate crisis for their organisation.
Some of these causes may include: product failures/ recall, a data or security breach that handles significant amounts of sensitive data, loss or the compromise of sensitive intellectual property, systemic ethical issues, the loss of a key executive, and allegations of fraud.
iii) Step 3: Appoint an internal and external crisis response team – Both an internal and external crisis response team should be formed that include individuals with a range of expertise to quickly determine a plan of action in real time.
Internal response teams should be comprised of: senior executive officers, representatives from the appropriate key operational departments, and heads of compliance, internal audit, human resources, corporate communications and public relations (PR), and sales and marketing. This composition should be adjusted based on the team’s needs and the full Board may need to become involved.
For an external team, it is advantageous to have established relationships with outside providers of legal, forensic, PR and communications advice. Having these experts get to know the company and its key members in advance will help when a quick response is needed.
iv) Step 4: Implement a communications plan – A communications plan includes Management recognising the Board wants to be warned early about a possible crisis. This means that a workable and well-understood crisis communications plan should be developed. The primary focus should be making sure the appropriate people can be called together promptly and ensure the company maintains confidentiality until it has decided to speak on the matter.
Other specifics related to the communications plan include:
▪ Call for early communications to the Board and crisis response team.
▪ Identify a spokesperson for internal and external communications.
▪ Include monitoring of social media and develop strategies to use this media effectively.
▪ Consider whether it would be beneficial to have an attorney involved in coordinating the efforts of other advisors.
▪ Companies with operations and markets in non-US jurisdictions should make sure that their efforts are sensitive to how different cultures may react so they can be appropriately managed.
v) Step 5: Develop a crisis response – This step includes procedures to assess, investigate and mitigate the crisis. Once the crisis response team has made an initial assessment of the situation, they will determine who should lead in the company’s response. The CEO and key members of senior management are usually best positioned to lead. However, if the issue relates to senior management’s integrity the independent directors may need to oversee the crisis response or a special Board Committee may be needed to investigate allegations of wrongful conduct. In addition, the level of Board involvement depends on the nature and scope of the problem.
Effective Board culture
The ideal Board culture is usually able to achieve consensus, respects independent viewpoints and protects confidentiality. Some notable ‘strategies’ for encouraging an effective Board culture are:
▪ Agree on the role of the Board and management, including expectations on information the Board needs and the Board’s involvement in decision-making.
▪ Emphasise the value and the limits of ‘constructive tension’ in the Board/ Management relationship.
▪ Agree on valued behaviours.
▪ Remind directors of confidentiality obligations.
▪ Periodically evaluate board culture.
Role of Social Media
The crisis management plan must be attuned to the role of social media — (that is, blogs, Facebook, Twitter, Google+, YouTube among others). A far-flung incident can easily spark a global media conflagration.
Social media communications are instant. They are simultaneously global and grassroots. They can range from spontaneous reactions from customers almost on a point of sale basis to mass distribution of prepositioned messaging from advocacy groups.
A company should be prepared to deal with social media fallout in crisis. For example, a crisis management plan may include having a predesigned website and prewritten blog posts, press releases, and FAQs to deal with the aftermath of a crisis.
Companies with adequate resources may also consider having people in place to monitor the talk about the company on social media websites so that they can engage right away and send the best message the first time.
Taking steps to consider the risks a company is facing, addressing such risks through a combination of corporate structures, policies and procedures, and developing crisis management plans for the most significant and the most predictable of these risks, is critical to preparing a company for these risks when they are realised.