If power and cellular phone service to your plant were inoperable because of a devastating hurricane, how would you reach employees to confirm their safety first, and then address the status of the facility? If your company handled classified projects and a building’s power grid failed in a natural disaster, how long would backup generators work before being refueled by trucks that might not have an easy route to the building? What if the building’s doors were unlocked after the back-up locks failed—could the classified work within the facility be compromised?
These real-life stories, shared at the April program of the NACD Carolinas Chapter, illustrate the unpredictable nature of crises. How can companies prepare for the unknown, and what role does the board play in oversight and direct response in the event of a crisis?
James H. Hance, director for The Carlyle Group, Cousins Properties, Acuity Brands, and Ford Motor Co. (and a former director of Sprint Nextel Corp., Bank of America, and Morgan Stanley), and Linda P. Hudson, chair and CEO of The Cardea Group, and director of Bank of America, Southern Company, and Ingersoll Rand, shared their experiences and advice on crisis management. They were joined by Deloitte’s Henry Phillips and Theresa Drew, who moderated the conversation.
Lessons learned from real-world crises, and how the boards of the panelists’ companies responded, follow.
1. Establish and understand what amounts to a crisis.
“As a director, you know the company will have a crisis,” said Hance. “But what will that crisis be and how do you prepare?” He defined a crisis as an immediate problem that “requires the CEO of the company to be involved.”
Further, the initial measure of a company’s successful response tends to be tied to how early the crisis is identified. Social media may lead to the whole world knowing about the crisis very quickly, so the company must be agile enough to respond very quickly in kind.
2. Prepare for the known, but expect the unknown.
According to Hudson, if your company hasn’t thought through the possible risks involved in crisis scenarios, then the company likely will fail in its response. However, even if risks have been evaluated, there “isn’t a high probability the crisis that happens will be what was originally identified.” Hance added that those companies with a robust enterprise risk management function will likely be more prepared for a crisis, whatever it might be.
During her time as CEO at BAE Systems, Hudson deployed playbooks that addressed key crisis management questions. Some of the most critical items included in those playbooks follow.
Who will identify the situation as a crisis?
Who is on the team that is pulled together to respond to a crisis?
What is the escalation protocol?
Who calls whom (e.g., customers, regulators, and other stakeholders)?
Who will be the public face of the company?
3. Board oversight is critical.
“The board must be in the escalation cycle in a crisis management plan,” said Hudson. Hance agreed. He also added that the board should exercise policy oversight. Hance pointed to a recent story in the news. A board would not, for example, look at how passengers are removed from planes. However, it would review the airline’s policy for bumping passengers, as well as the company’s culture, and make suggestions to management based on those considerations.
Phillips also emphasized the role of the lead independent director given that a crisis can be very emotional for board members closer to the company. The lead independent director can act as a source of calm leadership through a crisis. In addition, Hance emphasized, “The CEO needs to have a sounding board, and this group of people should be identified and set up ahead of time.”
4. Learn from each crisis and study your competitor’s crises to help prepare for your own.
Each crisis—whether one of your own or one happening at a competitor’s company—is an opportunity to learn. For example, panelists pointed out how well the CEO of General Motors Co. handled the ignition switch crisis, and called out the genuine connection the company made with affected people. Hance concurred and noted that other car companies were watching and learning. He also shared how Ford changed some of its processes after Toyota Motor Corp.’s crisis over sticking accelerators.
Unexpected events like 9/11 and Hurricane Katrina taught companies valuable lessons. For example, many New York banks routed electronic traffic through networks at the World Trade Center. When those networks went down, so did the banks’ ability to do business, according to Hance. Similarly, Hudson shared that after Hurricane Katrina made landfall on the Gulf Coast in 2005, landlines and cell phones alike stopped functioning. Now the company has satellite phones in each of its locations, enabling seamless communications in the event of a communications-disrupting crisis.
5. Use outside help judiciously.
Depending on the industry, Phillips noted the importance of ensuring that the company has the right connections to important officials in the event of a crisis. For example, does the company have an established contact at the Federal Bureau of Investigation in case of a cyber-attack?
The panel agreed that, while legal help can be critical, it is also important to be open and honest, resisting any advice to keep silent during the crisis. Liability will follow, regardless. When asked about involving public relations firms, Hudson shared that each company “should tell its own story.” Doing so can be more authentic.
6. Always do the right thing.
The panelists agreed that the best defense in a crisis is to be sure the company directly addresses the personal needs of those impacted—whether they’re employees or members of the community. After Katrina, Hudson’s company assisted employees in Mississippi who had no access to banks by meeting their need for cash through the recovery period. The company never asked for that cash back.
Hance noted that the board is likely to be criticized in a crisis regardless of whether the proper oversight was exercised. So, as a company, the best approach is to identify what feels like the correct response for each event, and simply to “do the right thing.”
NACD Carolinas would like to thank the panelists for sharing their experiences with attendees and Deloitte for its support of the program.
Kimberly Simpson is an NACD regional director, providing strategic support to NACD chapters in the Capital Area, Atlanta, Florida, the Carolinas, North Texas and the Research Triangle. Simpson, a former general counsel, was a U.S. Marshall Memorial Fellow to Europe in 2005.
While technical defenses might help stave off some attempted hacks, sooner or later a company will become a victim of cybercrime, and a contingency plan for communicating about the aftermath of an attack is critical for any organization. RANE recently reached out to several experts for their advice to companies for managing the flow of information and maintaining control of an organization’s reputation in the event of a breach.
The Initial Response
“There’s a lot to gain or lose when you approach the equity you’ve built in your brand—and trustworthiness is part of the value of your brand,” says Ann Walker Marchant, CEO of The Walker Marchant Group. After a breach, an organization’s leadership must keep in mind all of the people who have placed trust in the brand. The impacted enterprise must convey that it is “willing to do whatever it takes to ensure you minimize risk to them,” she adds.
“You have to understand that it’s most important you’re communicating with your own people internally,” Christopher Winans, executive vice president and general manager at Hill+Knowlton Strategies, argues. Organizations should not allow internal stakeholders to learn about a crisis from external sources. “When your own people are finding out through press reports, it harms confidence within your [entire organization].”
“With a cybersecurity breach, you often don’t know what’s been compromised, at least at the very beginning,” Walker Marchant explains. Often, the best bet is to expect the worst. “You’ve got to assume they’ve got everything and act accordingly without appearing to create fear and panic with your internal and external audiences,” while simultaneously dealing with pressure from various audiences and stakeholders, Walker Marchant said.
Reaching Out to Regulators
A client update published by Debevoise & Plimpton LLP, titled “How to Disclose a Cybersecurity Event: Recent Fortune 100 Experience,” states that Fortune 100 companies disclosed 20 “incidents of major data breaches or cybersecurity events between January 2013 through the third quarter of 2015.” Most of the affected organizations made initial public announcements via news reports instead of a current report on Form 8-K. Debevoise & Plimpton notes that companies that did go the Form 8-K route “most often did so where the breach involved customer financial information.” Organizations, the report’s authors add, “should also be mindful of selective disclosure issues and their obligations under Regulation FD.”
Debevoise & Plimpton also warns against the risk of disclosing incomplete information regarding a breach, noting that “the ‘known’ facts may represent a small piece of the cybersecurity risk mosaic, which can require significant forensic research to assemble.” Potential inaccuracies in any disclosure represent yet another risk for organizations.
Subsequent reporting of updated cyber risk factors was largely contingent upon how breaches were initially disclosed in periodic corporate reports. In annual reports that come after a material breach, the Debevoise & Plimpton report notes, many corporations “view their annual report as an opportunity to update and tailor risk factors more generally, and the occurrence of an intervening cybersecurity event provides fodder for such fine tuning.”
Differing Perspectives Within an Organization
Caution is important, although any delay in responding also presents a risk for targeted enterprises. At the outset of planning the response, Winans adds, “It is better to tell your constituencies what you don’t know than it is not to tell them anything.”
However, there are often conflicting viewpoints of how to act in the immediate aftermath. “The tech guys will weigh in and say the best thing the company can do is get a hold of the FBI and find all the things in the network that are screwed up so they can take action to fix it,” says Steven Bucci, a visiting fellow for special operations and disaster management at The Heritage Foundation. “But you’d be hard pressed to find any lawyers to give their leaders that advice; instead, they’ll say it will hurt the company’s bottom line, it’ll hurt the company’s stock, and it could open up the organization to claims by competitors. While all of that, frankly, is true, that leaves the organization as vulnerable as they were before the breach—and probably also in violation with the Securities and Exchange Commission, as well as open to potential lawsuits from customers or clients.”
Still, it’s understandable that a cautious approach may appeal to many who don’t want to create panic, or those who are simply conflicted over the best course of action, Walker Marchant says. On the other hand, any delay in crafting a measured public response can result in harm to an organization’s brand equity. “Stakeholders will want to know who knew what, when, and why didn’t you tell us?”
Winans says that a clear organizational response plan that involves upper management is crucial before a crisis. “The very first thing you need to do is create a team, a coordinating committee, that is made up of all the functional parts of the company—the C-suite, the CEO or COO. Ideally, it’s got to be the leader of the company that takes charge of the situation, and you have to have people from HR, legal, operations, IT and investor relations.” For a company that answers to a variety of regulators, it’s even more important to get people in different roles together.
“That’s a team that needs to meet every day,” Winans adds. And before an actual breach takes place, that same team should be practicing how they will respond to a worst-case scenario. Winans proposes a “flight school.” “We set up people to actually play out an actual scenario,” he says. “The whole thing is designed to feel like an actual crisis.”
Lessons of a Real World Response
The Sony Pictures hack is an instance where the company was a little more forthcoming, at least with law enforcement, because they had no idea who could be penetrating their systems so extensively. Nevertheless, they suffered serious criticism and ridicule for how poorly they guarded their network.
“Exactly what the breach entailed wasn’t clear at the very beginning,” Walker Marchant says. “It was death by a thousand knife wounds because it was that trickle-down approach, because every day was something different.” Lists of salaries, copies of unreleased films, and sensitive e-mail from senior leadership were also part of the data theft. Still, Bucci argues that “while they did get beat up pretty badly,” in the end “they got through it faster and with far more sympathy from the public by saying, ‘We got hammered.’”
As recent examples of flawed responses by organizations following cyber breaches highlight the risks of incomplete or inaccurate information, boards have one clear warning: Doing nothing is not an option. The age of instant communications and 24/7 media coverage ensures that very little in the cybersecurity universe can reliably remain under wraps for long—lessons that others have already learned the hard way.
“I think the biggest mistake is deluding yourself that you can contain this and no one will find out,” Winans says. “The fact is that very often the worst thing that can happen to a company isn’t a crisis situation. It’s how they respond to it.”
About the Experts
Steven Bucci is a Visiting Fellow for Special Operations and Disaster Management, as well as primary instructor in leadership, at The Heritage Foundation.
Debevoise & Plimpton LLP is a premier law firm with market-leading practices, a global perspective and strong New York roots.
Ann Walker Marchant is recognized as a preeminent strategist and counselor with more than 20 years of experience developing and leading wide-ranging initiatives for the White House and Fortune 100 brands.
Christopher Winans, executive vice president and general manager at Hill+Knowlton Strategies in New York, has 22 years of experience in journalism, 10 of those at The Wall Street Journal.
RANE is an information services and advisory company serving the market for global enterprise risk management. Learn more at www.ranenetwork.com.
What would you recommend if you were on the board of Ford Motor Co., Boeing Co., or Lockheed Martin Corp., all of which have had tête-à-têtes with the incoming leader of the free world? Welcome to the age of the suddenly very bully pulpit. The most powerful thumbs in the world belong to Donald J. Trump, who will soon become the 45th President of the United States.
In mid-December, when Trump despaired that Lockheed Martin’s cost overruns on the F-35 joint strike fighter “were tremendous,” the company’s stock lost $4 billion in market capitalization in a matter of hours. Even though the company quickly recovered those losses when its stock price stabilized, Trump’s tweet triggered some discomfiting moments.
No one understands how to wield the powers of Twitter, the 24/7 news cycle, and a cult of personality quite like Donald J. Trump himself. To one extent or another, Lockheed Martin Corp., Toyota Motor Corp., Carrier, Mondelez International (parent of Nabisco), Ford Motor Co., and Boeing Co. have all been caught in Trump’s Twitter maelstrom. Fiat Chrysler Automobiles, in a proactive move to get the target off its back before the opening salvo, wisely announced that it would invest $1 billion and create 2,000 U.S. jobs. A smart play, but as all newlyweds ask, “Will it last?”
We’re in uncharted waters here—and by “we,” I include C-suite executives, corporate directors, and communications counselors like me who advise corporations on how to enhance their brand equity, engage with decision makers, and weather inevitable storms that come with doing business. Social media, fake news, and a new president have changed the rules of engagement.
So what is the new rubric? For most publicly traded companies over the near term, the right response is the easy one: for your shareholders’ sake, meet Trump more than halfway if his demand isn’t too outrageous, and give him the early victory lap. But at some point, after Trump’s modus operandi on these matters inevitably hits some turbulence, that dynamic is likely to change. Watch this space closely, particularly the business-to-consumer tech companies who have millions of customers conditioned to social engagement.
In the meantime, how can a company prepare for presidential squalls or getting caught in the crosswinds of a Twitter-induced tsunami?
There are scores of precautions a publicly traded company should consider, but they can be boiled down to four imperatives.
Engage employees. Trump’s “Make America Great Again” mantra proved enormously popular in America’s industrial heartland. His administration’s public positioning will be devoted to job preservation, reinvigorating the manufacturing base, and sticking up for the little guy. In such a climate, relations with national and local union leaders and heads of employee groups will be doubly important. If a company is suddenly the subject of public scrutiny, its labor and management will want to present a united front. Politics, it is said, makes strange bedfellows. So does business in tough situations.
Enlist allies. Empowering third-party champions has always been an important part of any corporation’s public affairs and communications arsenal, but now it’s absolutely vital. The press and public in today’s environment are inherently suspicious of big corporations and paid spokespeople. In the clutch, customers, vendors, suppliers, community leaders, local environmental advocates, philanthropic heads, Chambers of Commerce, et al., will have far more credibility. The more social media-savvy—and more genuinely connected to grassroots movements—these champions are, the better allies they are for your company.
Prepare now. Companies should use “peacetime” wisely by distilling facts and messages into 140 characters; creating photos and videos for other social channels (e.g., Facebook, Snapchat, YouTube) that make emotionally appealing messages; tracking media socially in a sophisticated way that predicts trends; and building a social army now to articulate track records in U.S. job creation and economic growth.
Emphasize speed. Virtually every crisis communications plan in corporate America can be rendered obsolete by the proliferation of Donald J. Trump’s use of social media. If a company is being attacked via social media, it cannot rely on conventional communications to respond. Corporations need to put in place ultra-quick turnaround systems that tap leading-edge media. Build your arsenal of information and your army of activists, and strengthen your reflexes now. Have the leader of the company’s digital media team report directly to the board. Integrate your silos so that legal, investor relations, government relations, public relations, digital, and brand practices all know and trust each other. Board members and senior teams need to be put through their paces via scenario drills and full-scale rehearsals.
The most effective way for a company to combat thumb power is through thumb power of its own.
Richard Levick, Esq., @richardlevick, is chair and CEO of Levick, a global communications and public affairs agency specializing in risk, crisis, and reputation management.