At some point, your organization is likely to encounter a crisis situation. As CEO of a cybersecurity company, I work with many organizations responding to security crises, such as breaches or disclosure of security issues in their products. How companies respond to these situations can make or break their reputation and customers’ trust in the organization, and impact the cost of the incident. This is also true for non-security-related incidents.
As board members, you can support—or even mandate—a response that will see your business weather the storm as well as could be hoped. Nobody likes to think about worst-case scenarios, but as board members you must hold the organization accountable for doing just that to ensure it is prepared in case disaster strikes.
My seven steps to minimizing fallout through crisis response are as follows:
1. Determine your guiding principle. Before you begin planning for, or responding to, a crisis, determine the overarching goal or guiding principle that drives decision-making throughout the organization’s response. This should be a principle that has been articulated in advance and is well understood by all stakeholders.
Guiding principles can vary greatly, and could include: protecting users, investors, or employees; minimizing disruption or cost to the business; or demonstrating leadership in your community. Spend time with the executive team and other key leaders in your organization to determine what makes the most sense for your business. Be sure to discuss the risks, benefits, requirements, and payoffs of various approaches.
2. Preparation is key. Next, identify a handful of crisis scenarios that could affect your business, and determine which key players will drive the response. This will likely change from scenario to scenario. Once you know your scenarios and stakeholders, assign an owner to build response plans. These plans should include basic workflows for every scenario and a detailed matrix of roles and responsibilities for all stakeholders. The owner should work through the processes and expectations to ensure that everyone understands their role, and what their teammates will need throughout the process.
As a board member, you can support this by asking:
Do we have an up-to-date incident or crisis response plan for the organization? What scenarios are covered? Are there applicable scenarios that have not been included?
Who was involved in creating, reviewing, and approving the plan? Do all stakeholders understand what is expected of them?
What assets most need protecting to ensure effective business continuity?
3. Practice makes perfect. There is no such thing as perfect when it comes to crisis management, but ensuring that your organization’s response plan has been practiced will help you identify potential kinks in the process before they become significant issues. It will also help your cross-functional team build trust and better understand each other’s processes and needs.
As a board member, you can support this by asking:
When was the last time we ran a drill for our crisis response process?
What points were identified as improvement areas in our last crisis drill?
How frequently does our response team run drills or tabletop exercises?
How many different scenarios have been walked through?
4. Build trust among core stakeholders now. If you have followed steps 1 through 3, then you know who your core team is for a variety of scenarios. Depending on the size and complexity of your organization, the key stakeholders may not know each other well and may have minimal experience working together. A crisis is an incredibly challenging time to begin building relationships and trust.
Encourage your crisis response leaders to get to know each other sooner rather than later, possibly by presenting the crisis response plan to the board. When presenting, ask them to demonstrate familiarity with each other and their alignment. For example:
Ask them to explain each other’s role and goals through a given crisis response scenario.
Ask how they collectively judge the success of a crisis response.
Ask them to explain what they need from each other and the board or leadership team, and what they will provide themselves.
5. Set clear expectations. As much as the crisis response leaders need to build a plan and determine workflows for crisis scenarios, the board should also establish clear expectations and share them in advance. Bear in mind that your role is to help, not hinder, the organization’s ability to respond to a crisis, so whatever expectations you set with the crisis leaders or executive team should be as minimal or efficient as possible.
Consider the following:
When do you want to be informed of a potential crisis situation? For example, when it’s first discovered? Once it’s been verified? Once it’s resolved? Are there any industry-specific regulatory requirements for the timing of reporting on a crisis?
How do you want to be informed? Do you want communication to be over email, or should everyone get together for a call?
Are there categories of incident severity that trigger different responses? For example, will there be situations that you don’t need to know about, some that can just be included in the regular board reporting, and others that warrant dedicated communication?
6. Glide like a swan. As board members, you are no doubt adept at maintaining a professional demeanor in the face of stressful situations. Never is this more vital than during a crisis response. You need to set a tone for the executive team and crisis response team. If you get heated or upset, that will likely perpetuate the same behavior, and a lack of calm generally encourages mistakes to be made and people to become less effective.
Similarly, a lack of calm among responders and executives will likely reveal itself to others, whether inside or outside the organization. This may result in speculation that does more harm to employee or customer morale, or to stock price, than the incident itself. Avoid being the cause of additional stress for those managing the response, and keep in mind point 5 above. It’s fine to want to be kept informed, but take care not to distract or further stress out the core team.
7. Capture learnings and avoid blame. When responding to a crisis, it’s important to enable people to be honest about what happened, what could have or should have been done differently, and what lessons and next steps can be taken away. If everyone is worried they will be fired or publicly blamed, they will be less likely to be honest about what happened. As such, it’s essential during the crisis response that you avoid recriminations and blame.
After the incident has been resolved, ask the crisis response leaders to present key learnings to the board, including what action will be taken to ensure the scenario is unlikely to occur again. At this time, it may be appropriate to discuss accountability; this should be handled privately and with sensitivity.
As board members, you typically will not be on the front line of a crisis response. However, you can still influence its outcomes by encouraging preparation, ensuring alignment, and supporting an open, calm, and blame-free approach. This will enable your organization to put its best foot forward, and hopefully weather crises in the best possible way.
Corey E. Thomas is CEO of Rapid7.
It’s way too early to make any judgments on board conduct in the Equifax controversy. That’ll be for the courts to decide, and they’ll take a long time getting there. But it’s not too early to draw some useful governance lessons from the situation, if media reports are to be believed. And these are lessons that apply regardless of whether the board serves a publicly held, privately owned or nonprofit corporation.
Some of these lessons relate to the board’s crisis management responsibilities. Others relate to the oversight of the board-CEO relationship. Still others invoke expectations of board cybersecurity oversight.
All of the possible lessons are premised on the increasing recognition of the inevitability of crisis, be it black swan or foreseeable, cybersecurity-related or “from out of left field.” For most complex enterprises, crises are just going to happen. The only questions are when, how big the crisis will be, and from what direction it will come. The most prescient of boards will embrace this inevitability and prepare for a corporate governance version of Defcon 3.
The other lessons are more practical in nature.
1. Emergency Succession
The swiftness of Mr. Smith’s removal speaks to the “nuts and bolts” value of having an emergency executive succession plan. The sudden Smith transition is a shocking example of how emergency succession applies to circumstances beyond customary triggers such as death, health care and family considerations. In today’s crisis-oriented environment, the need to separate from, and replace, even the youngest, most seasoned and most successful executives can arise at a moment’s notice.
Succession is a part of the board’s basic responsibilities that often gets lost amid the confluence of best practices and consultant messaging. Such planning can be complicated. According to the New York Times, the Equifax board regarded many of its original replacement candidates as “tainted” by ties to the cyber breach—including some executives who are believed to have sold company stock after the breach was discovered but before it was disclosed to the public.
2. Structuring the Separation
There’s also the need to anticipate both the classification and the financial terms of executive separation in the context of a crisis environment. According to media reports, Mr. Smith’s separation was described as a retirement. Yet, the board announced that it was reserving the right to retroactively classify the separation as for-cause termination, based upon the ultimate findings of a board special committee charged with the responsibility for reviewing the data breach. Such a reclassification would have obvious and material implications for Mr. Smith’s compensation arrangements, including valuable stock awards.
This action by the Equifax board reflects several key realities of the crisis environment.
It will often be difficult to fairly ascertain the presence of cause for termination purposes in the direct aftermath of a crisis. The consideration of the results of an internal investigation may be a necessary and equitable precondition.
While not yet considered best practice, the use of clawbacks and other forms of executive compensation disgorgement arrangements is increasingly viewed as an effective response to executive fraud, malfeasance, or other misconduct. Clawback application has most recently been demonstrated by the actions of a financial services company board in response to a significant corporate controversy.
Boards must face the harsh reality of the need to impose separation in advance of intense scrutiny by the media, regulators, and possibly even legislators. The sometimes brutal corporate practice of “throwing executives under the bus” may be perceived as both part of an effective board response (i.e., to demonstrate board accountability) and necessary to preserve the reputation of the company and the interests of its stakeholders. According to the Wall Street Journal, the departures of the Equifax information officer and chief security officer were not considered by the board to be actions significant enough in stature. Thus, the concept of “strict accountability” for executives in the context of major corporate controversies may increasingly be considered an indirect part of the compact between the board and management.
3. The Standard of Conduct
Another lesson is for the board to reconsider the effectiveness of its own cybersecurity oversight efforts. The leading judicial decisions have to date established a high Caremark-style barrier for demonstrating breach of cybersecurity oversight responsibilities. Notable in this regard was the decision of the court in the Home Depot case to extend the protection of the business judgment rule to the board’s conduct, despite its clearly expressed concerns about the speed with which the board implemented protective measures.
However, boards should not place unreasonable reliance on Caremark protection. As instances of cyber breaches become more egregious, it is reasonable to project a stricter approach to director liability in future cases.
4. The Self-Critique
Perhaps the most basic governance lesson from Equifax is the need for board self-evaluation. Any board-driven internal investigation of a corporate controversy will benefit from consideration of the adequacy of the full board’s related oversight efforts. For example, the Wall Street Journal reported that weaknesses in Equifax’s cybersecurity measures were “apparent to outside observers in the months before the hack.” Was the board made aware of these weaknesses? If not, why not? Such a self-critique has been an accepted component of truly comprehensive internal investigations since the “Powers Report” from the Enron board. The willingness to consider how possible governance inadequacies may have contributed to crises can serve as a powerful demonstration of the board’s good faith and assumption of ultimate responsibility.
Equifax is not, as some have characterized it, the second coming of Enron. That’s unnecessary hyperbole at this point. As exaggerated as commentary may be, what is known about the crisis offers a valuable teaching moment to boards about expectations of fiduciary conduct in crisis situations, cybersecurity or otherwise.
Michael W. Peregrine, a partner in McDermott Will & Emery, advises corporations, officers and directors on matters relating to corporate governance, fiduciary duties and officer/director liability issues. His views are his own and do not necessarily reflect the views of McDermott Will & Emery, its clients, or NACD.
If power and cellular phone service to your plant were inoperable because of a devastating hurricane, how would you reach employees to confirm their safety first, and then address the status of the facility? If your company handled classified projects and a building’s power grid failed in a natural disaster, how long would backup generators work before being refueled by trucks that might not have an easy route to the building? What if the building’s doors were unlocked after the back-up locks failed—could the classified work within the facility be compromised?
These real-life stories, shared at the April program of the NACD Carolinas Chapter, illustrate the unpredictable nature of crises. How can companies prepare for the unknown, and what role does the board play in oversight and direct response in the event of a crisis?
James H. Hance, director for The Carlyle Group, Cousins Properties, Acuity Brands, and Ford Motor Co. (and a former director of Sprint Nextel Corp., Bank of America, and Morgan Stanley), and Linda P. Hudson, chair and CEO of The Cardea Group, and director of Bank of America, Southern Company, and Ingersoll Rand, shared their experiences and advice on crisis management. They were joined by Deloitte’s Henry Phillips and Theresa Drew, who moderated the conversation.
Lessons learned from real-world crises and how the boards of their companies responded follow.
1. Establish and understand what amounts to a crisis.
“As a director, you know the company will have a crisis,” said Hance. “But what will that crisis be and how do you prepare?” He defined a crisis as an immediate problem that “requires the CEO of the company to be involved.”
Further, the initial measure of a company’s successful response tends to be tied to how early the crisis is identified. Social media may lead to the whole world knowing about the crisis very quickly, so the company must be agile enough to respond very quickly in kind.
2. Prepare for the known, but expect the unknown.
According to Hudson, if your company hasn’t thought through the possible risks involved in crisis scenarios, then the company likely will fail in its response. However, even if risks have been evaluated, there “isn’t a high probability the crisis that happens will be what was originally identified.” Hance added that those companies with a robust enterprise risk management function will likely be more prepared for a crisis, whatever it might be.
During her time as CEO at BAE Systems, Hudson deployed playbooks that addressed key crisis management questions. Some of the most critical items included in those playbooks follow.
Who will identify the situation as a crisis?
Who is on the team that is pulled together to respond to a crisis?
What is the escalation protocol?
Who calls whom (e.g., customers, regulators, and other stakeholders)?
Who will be the public face of the company?
3. Board oversight is critical.
“The board must be in the escalation cycle in a crisis management plan,” said Hudson. Hance agreed. He also added that the board should exercise policy oversight. Hance pointed to a recent story in the news. A board would not, for example, look at how passengers are removed from planes. However, it would review the airline’s policy for bumping passengers, as well as the company’s culture, and make suggestions to management based on those considerations.
Phillips also emphasized the role of the lead independent director given that a crisis can be very emotional for board members closer to the company. The lead independent director can act as a source of calm leadership through a crisis. In addition, Hance emphasized, “The CEO needs to have a sounding board, and this group of people should be identified and set up ahead of time.”
4. Learn from each crisis and study your competitors’ crises to help prepare for your own.
Each crisis—whether one of your own or one happening at a competitor’s company—is an opportunity to learn. For example, panelists pointed out how well the CEO of General Motors Co. handled the ignition switch crisis, and called out the genuine connection the company made with affected people. Hance concurred and noted that other car companies were watching and learning. He also shared how Ford changed some of its processes after Toyota Motor Corp.’s crisis over sticking accelerators.
Unexpected events like 9/11 and Hurricane Katrina taught companies valuable lessons. For example, many New York banks routed electronic traffic through networks at the World Trade Center. When those networks went down, so did the banks’ ability to do business, according to Hance. Similarly, Hudson shared that after Hurricane Katrina made landfall on the Gulf Coast in 2005, landlines and cell phones alike stopped functioning. Now the company has satellite phones in each of its locations, enabling seamless communications in the event of a communications-disrupting crisis.
5. Use outside help judiciously.
Phillips noted the importance, depending on the industry, of ensuring that the company has the right connections to important officials in the event of a crisis. For example, does the company have an established contact at the Federal Bureau of Investigation in case of a cyber-attack?
The panel agreed that, while legal help can be critical, it is also important to be open and honest, resisting any advice to keep silent during the crisis. Liability will follow, regardless. When asked about involving public relations firms, Hudson shared that each company “should tell its own story.” Doing so can be more authentic.
6. Always do the right thing.
The panelists agreed that the best defense in a crisis is to be sure the company directly addresses the personal needs of those impacted—whether they’re employees or members of the community. After Katrina, Hudson’s company assisted employees in Mississippi who had no access to banks by meeting their need for cash through the recovery period. The company never asked for that cash back.
Hance noted that the board is likely to be criticized in a crisis regardless of whether the proper oversight was exercised. So, as a company, the best approach is to identify what feels like the correct response for each event, and simply to “do the right thing.”
NACD Carolinas would like to thank the panelists for sharing their experiences with attendees and Deloitte for its support of the program.
Kimberly Simpson is an NACD regional director, providing strategic support to NACD chapters in the Capital Area, Atlanta, Florida, the Carolinas, North Texas and the Research Triangle. Simpson, a former general counsel, was a U.S. Marshall Memorial Fellow to Europe in 2005.