.svg)
This article was originally published on Law360.
A crisis can come from any direction, and nobody is immune. Having a plan in place and ensuring key individuals and third-party advisors are on the same page puts senior executives in a better position to navigate the crisis and weather the storm.
The tide can turn at any time. Business as usual can suddenly become a high-profile, high-stakes moment, throwing an organization into crisis — often when they least expect it.
The recent CrowdStrike IT issue showed us that something as routine as a content update could stop business operations worldwide, with immediate and significant rippling impact on its customers — and their customers too.
Not only was this a crisis for CrowdStrike, whose share price fell by 40% over the month of July, but for thousands of organizations that suffered the outage after an estimated 8.5 million PCs and servers were disabled.
While it can be difficult to predict when a crisis might hit — and how that will look — there are steps that senior executives can take to be in a better position to prepare for such an eventuality and to navigate the crisis more effectively.
Understanding what can be done proactively to mitigate the risks, as well as how to best manage any crisis that a business is thrown into, means you are much more likely to weather the storm in the moment — and are better positioned to build increased resilience for the future.
The impact of a crisis
There is no universal definition of what constitutes a “crisis”. What may be considered a crisis event for one organization may have very little impact on another. It is crucial for senior executives to think proactively about what a crisis means to them and to examine what the risks or potential vulnerabilities are, prioritizing the different types of risks based on their likely impact.
Aside from the financial and business implications, the ripple effect of these tide-turning events can cause long-lasting — and sometimes irreparable — reputational damage. The importance of an organization’s reputation is not to be understated; it is one of a business’s most valuable assets, and the impact of a crisis itself on that reputation can be severe.
But it is important to recognize that public opinion — and an organization’s reputation as it emerges from a crisis — is also based on how the senior executives deal with that crisis. They are placed under a microscope and everything they say or do, including what they may previously have said and done, is driven into the spotlight.
Many crises unfortunately come with no warning. Ferrari narrowly missed a potential crisis last month after its CEO was impersonated on a call using AI software; indeed, the increasing sophistication of deepfakes is creating an ever-growing threat for organizations.
The heightened risk of data breaches and hacks, paired with the speed of social media, the sophistication of smear campaigns and the power of cancel culture, mean that often, one seemingly manageable crisis can proliferate into several.
Many of these catalytic factors, enabled by technological developments, are largely outside an organization’s control. However, that does not mean preparation is futile. Senior executives should accept that nobody is immune: They should consider these issues in advance, and expect them, before their organization is thrown into the eye of a storm.
Horizon scanning and preparing for a crisis
Some events — or potential fallout from these events — are, however, more predictable. This could be anything from an incoming CEO, a new ESG initiative, a merger or a public decision after a regulatory investigation.
Senior executives should look ahead to such notable points on the horizon and assess their risk. Conducting reputational due diligence and thinking proactively and strategically about what issues could arise will help place senior executives on the front foot.
In these circumstances, and as a proactive step generally, it helps to be aware of what a journalist — or an armchair detective — can find out about the senior executives or those employed by or due to join the organization, and assess the accuracy of the public record.
For example, is there any adverse reporting or historical issues that may come to the fore in the event of increased public scrutiny? Have any key individuals been involved in a crisis situation in the past that may be dredged up when a new crisis hits?
It is also wise to look critically at earlier messaging, and whether any previous statements or social media posts could contradict an organization’s likely position mid-crisis, which could undermine the legitimacy of what is being said.
Having this knowledge better informs and prepares the senior executives to avoid any surprises, and allows them to, where inaccurate, ensure this publicly available information is removed.
Navigating a crisis
In an ideal situation, a crisis team is established, and a crisis management plan put in place, before any crisis hits.
In addition to senior members of the organization, the crisis team should include external third parties — such as communications experts and external lawyers — who are aware of the other members of the core crisis team, the key stakeholders, and the agreed method of communication. This will allow the team to immediately convene and agree a strategy when required.
When a crisis does hit, whether anticipated or not, time is of the essence. The quicker and more effectively actions are taken, the more opportunity there is to mitigate any potentially adverse consequences.
Effective communication, where everyone is encouraged to speak candidly and challenge group thinking, mutual trust among advisors, and a robust, agreed strategy are crucial. Without these, communication is likely to break down which can lead to an inconsistent and ineffective approach to navigating the crisis.
During the crisis, it is advisable to maintain a chronology of key events leading up to and during it, in addition to a factual matrix. This ensures that everyone is aware of the true position, what happened and when, and there is consistency in communication and understanding. Further, if any advisor or stakeholder needs to be apprised of the situation urgently, the relevant information is quickly and easily to hand.
Key individuals should agree from the outset what reporting will be accepted concerning the situation and what crosses the line to the extent that PR or legal engagement is necessary.
An article reporting on the organization’s share price mid-crisis would generally be acceptable, but intrusive drone photographs of a senior executive’s private residence or details of his or her family are likely to cross the line and infringe individuals’ rights.
If everyone is on the same page from the beginning and external advisors are already aware of what will be accepted, advice on any unreasonable reporting can be obtained and any remedial action taken without unnecessary delay.
Communicating within the organization is also key. Employees should be reminded to be vigilant and not to speak to the media or to disclose any confidential information.
In the event that employees are approached, ensure that they are prepared with an approved protocol for dealing with media enquiries and/or approved wording so they are clear on what they should and should not say.
With this in mind, it is also advisable to conduct online monitoring so that the organization is aware of what is being said about it, the senior executives and the crisis itself throughout the process. The organization will be alerted to reporting at the earliest opportunity, enabling it to decide quickly whether it requires any engagement, such as a legal complaint or provision of an on-the-record rebuttal statement.
There is a societal shift towards transparency in organizations, irrespective of the subject matter. Senior executives, in collaboration with their external advisors, should ensure that they are sufficiently transparent and responsive to stakeholders throughout any crisis.
The degree of detail necessary depends on the circumstances of each case, but they should not overlook the value in openness and honesty, and taking responsibility where it is appropriate to do so.
Handling the legal fallout
From a purely legal perspective, there are several requirements which are triggered when a crisis hits – and which lawyers should keep front of mind.
For example, in the event of a data breach or hack, there are specific obligations for notifying to the data protection regulator set out in the GDPR / UK GDPR – as well as other US state-based data privacy laws - and the timeframes for doing so are often very short. As a proactive step, legal teams should ensure they put training in place to be able to properly comply with regulatory requirements. It may also be prudent to take advice from specialist external lawyers, if necessary.
Similarly, if an insurer needs to be notified within a specified period of time, the relevant documentation and contacts should be easily accessible. In the midst of a crisis, wasting time searching for crucial documents and policies is at best inefficient and at worst, could result in severe delays and potentially fines.
Legal counsel will also need to identify any contractual breaches and address any financial or other losses -either that their organization has suffered and/or that may be claimed against them as a result of the crisis. While it is difficult to carve out the time mid-crisis to review contracts and establish liability, this will better prepare counsel for any claims coming down the line and enable the organization to assess the impact of the crisis more fully and form a strategy.
Amidst all of this, it is crucial for legal counsel to ensure that privileged communications remain privileged. When caught in a crisis it is all too easy to overlook this central principle, and for individuals to forward email chains to others in the business - or externally - in attempt to keep people in the loop or bring them quickly up to speed. Lawyers should remain vigilant and take steps to ensure that privilege is not inadvertently lost.
Building Resilience in the Aftermath
Once the crisis is over, there is an opportunity to reflect and learn from the situation. This will ultimately make the organization more resilient, and better prepared for any future storms going forward.
It is important to understand what worked well, what did not, and what lessons can be learned. Any individuals who were placed under extreme stress or pressure should continue to be supported, and any processes or procedures should be updated or implemented as is necessary.
Proactivity and Prevention
Ultimately, a crisis becomes more manageable, and possibly less damaging, when senior executives exert vigilance across the whole crisis spectrum.
Navigating any potentially reputationally damaging moments is often only successful when these four key steps are followed:
• Find out what data exists about the business and its senior executives;
• Scan horizons and assess risks;
• Develop a crisis response plan with a dedicated crisis management team; and
• Reflect and rebuild.
Prevention is always better than cure. To that end, we advise being proactive, pre-emptive and investing in reputation during “peacetime”. Strengthening a profile, shaping the narrative — and sharing with key stakeholders — plus working with legal, digital and communications advisors to ensure a reputation is in a position of strength, means the firm will be much better placed to weather any future crises that may come about.
