At some point, your organization is likely to encounter a crisis situation. As CEO of a cybersecurity company, I work with many organizations responding to security crises, such as breaches or disclosure of security issues in their products. How companies respond to these situations can make or break their reputation and customers’ trust in the organization, and impact the cost of the incident. This is also true for non-security-related incidents.
As board members, you can support—or even mandate—a response that will see your business weather the storm as well as could be hoped. Nobody likes to think about worst-case scenarios, but as board members you must hold the organization accountable for doing just that to ensure it is prepared in case disaster strikes.
My seven steps to minimizing fallout through crisis response are as follows:
1. Determine your guiding principle. Before you begin planning for, or responding to, a crisis, determine the overarching goal or guiding principle that drives decision-making throughout the organization’s response. This should be a principle that has been articulated in advance and is well understood by all stakeholders.
Guiding principles can vary greatly, and could include: protecting users, investors, or employees; minimizing disruption or cost to the business; or demonstrating leadership in your community. Spend time with the executive team and other key leaders in your organization to determine what makes the most sense for your business. Be sure to discuss the risks, benefits, requirements, and payoffs of various approaches.
2. Preparation is key. Next, identify a handful of crisis scenarios that could affect your business, and determine which key players will drive the response. This will likely change from scenario to scenario. Once you know your scenarios and stakeholders, assign an owner to build response plans. These plans should include basic workflows for every scenario and a detailed matrix of roles and responsibilities for all stakeholders. The owner should work through the processes and expectations to ensure that everyone understands their role, and what their teammates will need throughout the process.
As a board member, you can support this by asking:
Do we have an up-to-date incident or crisis response plan for the organization? What scenarios are covered? Are there applicable scenarios that have not been included?
Who was involved in creating, reviewing, and approving the plan? Do all stakeholders understand what is expected of them?
What assets most need protecting to ensure effective business continuity?
3. Practice makes perfect. There is no such thing as perfect when it comes to crisis management, but ensuring that your organization’s response plan has been practiced will help you identify potential kinks in the process before they become significant issues. It will also help your cross-functional team build trust and better understand each other’s processes and needs.
As a board member, you can support this by asking:
When was the last time we ran a drill for our crisis response process?
What points were identified as improvement areas in our last crisis drill?
How frequently does our response team run drills or tabletop exercises?
How many different scenarios have been walked through?
4. Build trust among core stakeholders now. If you have followed steps 1 through 3, then you know who your core team is for a variety of scenarios. Depending on the size and complexity of your organization, the key stakeholders may not know each other well and may have minimal experience working together. A crisis is an incredibly challenging time to begin building relationships and trust.
Encourage your crisis response leaders to get to know each other sooner rather than later, possibly through presenting the crisis response plan to the board. When presenting, ask them to demonstrate familiarity with each other and their alignment. For example:
Ask them to explain each other’s role and goals through a given crisis response scenario.
Ask how they collectively judge the success of a crisis response.
Ask them to explain what they need from each other and the board or leadership team, and what they will provide themselves.
5. Set clear expectations. As much as the crisis response leaders need to build a plan and determine workflows for crisis scenarios, the board should also establish clear expectations and share them in advance. Bear in mind that your role is to help, not hinder, the organization’s ability to respond to a crisis, so whatever expectations you set with the crisis leaders or executive team should be as minimal or efficient as possible.
Consider the following:
When do you want to be informed of a potential crisis situation? For example, when it’s first discovered? Once it’s been verified? Once it’s resolved? Are there any industry-specific regulatory requirements for the timing of reporting on a crisis?
How do you want to be informed? Do you want communication to be over email, or should everyone get together for a call?
Are there categories of incident severity that trigger different responses? For example, will there be situations that you don’t need to know about, some that can just be included in the regular board reporting, and others that warrant dedicated communication?
6. Glide like a swan. As board members, you are no doubt adept at maintaining a professional demeanor in the face of stressful situations. Never is this more vital than during a crisis response. You need to set a tone for the executive team and crisis response team. If you get heated or upset, that will likely perpetuate the same behavior, and a lack of calm generally encourages mistakes to be made and people to become less effective.
Similarly, a lack of calm among responders and executives will likely reveal itself to others, whether inside or outside the organization. This may result in speculation that does more harm to employee or customer morale, or to stock price, than the incident itself. Avoid being the cause of additional stress for those managing the response, and keep in mind point 5 above. It’s fine to want to be kept informed, but take care not to distract or further stress out the core team.
7. Capture learnings and avoid blame. When responding to a crisis, it’s important to enable people to be honest about what happened, what could have or should have been done differently, and what lessons and next steps can be taken away. If everyone is worried they will be fired or publicly blamed, they will be less likely to be honest about what happened. As such, it’s essential during the crisis response that you avoid recriminations and blame.
After the incident has been resolved, ask the crisis response leaders to present key learnings to the board, including what action will be taken to ensure the scenario is unlikely to occur again. At this time, it may be appropriate to discuss accountability; this should be handled privately and with sensitivity.
As board members, you typically will not be on the front line of a crisis response. However, you can still influence its outcomes by encouraging preparation, ensuring alignment, and supporting an open, calm, and blame-free approach. This will enable your organization to put its best foot forward, and hopefully weather crises in the best possible way.
Corey E. Thomas is CEO of Rapid7.
Every company will face a crisis at some point. It could be a government investigation, data breach, product recall, or other significant event. An effective communications strategy can minimize the impact of the crisis and demonstrate leadership’s ability to effectively steer the company. In contrast, an ineffective strategy may worsen a crisis or raise doubts about company leadership.
Directors should confirm that management has an effective communications strategy before a crisis occurs. Although no two crises are the same, thorough preparation can prevent the pressures of a crisis from interfering with the company’s message. When developing a strategy, directors should consider the following guidelines.
1. Establish Clear Lines of Authority and Communication
A crisis will generate media and government interest. To maximize control of the narrative and to ensure that accurate information is conveyed to the public, the company should have a concrete decision-making structure to quickly resolve key questions and prepare meaningful, clear, and truthful responses to media and investor inquiries. Once those questions are resolved with the input of company counsel, a media-savvy spokesperson (which could be an officer) should be designated to deliver the company’s narrative. An individual director, unless designated as the official spokesperson, should respect the company’s established communication channels and resist the urge to respond to inquiries, including those of investors, analysts, friends, professional acquaintances, and reporters.
2. Seek the Advice of Counsel
A crisis can cloud normal decision-making processes. Experienced legal and communications counsel will keep the company focused and help to minimize legal exposure. In consultation with counsel, the company should identify its objectives, create a specific strategy, and ensure that the company is disciplined in working toward its objectives.
3. Set the Narrative But Avoid Premature Disclosures
When a crisis leads to an internal investigation, the company has the advantage of knowing the facts before anyone else. This allows the company to set the narrative. Outside legal and communications counsel are critical resources for advising the company on what information to include in the company’s narrative, as well as when and how to convey it. Once the company decides to disclose information, the company and counsel should carefully script talking points (including answers to possible questions) to avoid miscommunications. The company should deliver all relevant information as soon as possible, thereby avoiding subsequent disclosures that unnecessarily prolong the crisis. Conversely, the company should avoid prematurely disclosing incomplete information or setting unachievable timelines, which may cause investors to lose confidence in company leadership and expose the company to legal liability. Care should be taken to avoid selective disclosure in violation of Regulation FD.
4. Guard Against Leaks
During an internal investigation, there is a risk that information will leak before the investigation is complete. Sensitive information should be shared on a strict need-to-know basis to prevent leaks, and the results of an investigation should not be shared with the public until the investigation is completed. If there are information leaks, the company should resist the temptation to disclose investigative results or information prematurely, which can make the situation worse.
5. Be Accessible
The nature of the crisis may require the company to speak publicly on multiple occasions. In such circumstances, the company should adhere to consistent and truthful talking points aimed at achieving the company’s strategic objectives. Where possible, a willingness to address press reports and allegations–even if merely acknowledging they are being investigated–demonstrates confidence, transparency, and a commitment to effectively resolving the crisis. There are potential pitfalls to addressing the public, however, and the company should consult with experienced legal and communications counsel before each public statement.
6. Be Mindful of Multiple Audiences
Publicly-traded companies have multiple audiences, including regulators, shareholders, and possibly plaintiffs’ lawyers. To achieve its objectives and comply with the law, the company should work with its counsel to develop a coordinated approach that considers how each audience will interpret the company’s statements. If there are parallel government investigations, counsel should make courtesy calls to the government agencies prior to any public disclosures. Additionally, the company should guard against possible Regulation FD violations by avoiding selective disclosures to certain parties such as institutional investors and investment professionals.
7. Be Prepared To Communicate Change
Often a crisis will result in changes to corporate priorities, enhancements of procedures and controls, or removal of key management personnel. Directors may be called upon to communicate significant decisions that could attract the attention of regulators, activist investors, and private plaintiffs. In these situations, outside legal and communications counsel can be effective in crafting communications for the public and for outgoing management that minimize legal exposure and government threats.
Bradley J. Bondi and Bart Friedman are partners with Cahill Gordon & Reindel LLP. They advise financial institutions and global corporations, boards of directors, audit committees, and officers and directors of publicly-held companies in significant corporate and securities matters, with particular emphasis on crisis management, internal investigations, and enforcement challenges. Michael D. Wheatley, a litigation associate at Cahill, assisted with this article.
Directors attending the recent NACD Directorship 2020® event in Denver, Colorado engaged in group discussions about how boards can anticipate and effectively respond to environmental and competitive disruptors in the marketplace.
The half-day symposium at the Ritz-Carlton on July 15 was the second of three NACD Directorship 2020 events this year addressing seven disruptive forces and their implications for the boardroom.
Following each speaker, directors developed key takeaways for boards. Those takeaways fell within the parameters of the five elements of effective board leadership defined at last year’s NACD Directorship 2020 forums: strategic board leadership and processes, boardroom dynamics and culture, information and awareness, board composition, and goals and metrics.
Environmental Disruptor Takeaways
Strategic Board Leadership and Processes
Crisis response plan. Ensure that the company has a contingency plan in place that takes into account a potential environmental crisis. The plan should include how the company will respond to disruptions in the supply chain and production cycle, as well as to employees, customers, and investors.
Boardroom Dynamics and Culture
Culture. Boardroom culture should reflect that directors are ready and willing to be held accountable for environmental or climatological issues that arise for the company.
Information and Awareness
Engagement. The company should have an established communications plan to use in response to requests from shareholders and stakeholders regarding environmental matters.
Goals and Metrics
Green metrics. Becoming a sustainability-focused company requires adopting a long-term commitment to the cause. The board can communicate that commitment by establishing environment-related performance metrics that align with the corporate strategy.
Competitive Disruptor Takeaways
Strategic Board Leadership and Processes
Board agenda. Set aside time on the board agenda to discuss forward-looking strategy, so that the board’s focus is not limited to reviewing the company’s past performance.
Boardroom Dynamics and Culture
Culture. Fostering innovation requires risk. The culture throughout the organization should support failure and risk taking within the company’s tolerances. Also invite outside experts—or “white space” teams—to help trigger new, innovative thoughts.
Composition. Board composition should reflect a diversity of thought and experience. Regardless of background, directors should be willing to ask probing questions and stay aware of marketplace trends.
Goals and Metrics
Understanding the marketplace. Management should be able to answer who future competitors might be and what trends might gain traction.