Recent events have given the term “corporate crisis” a whole new meaning. From cyberattacks and pandemic disruptions to political divisions and tweets that go viral, companies are being challenged in ways they never have before. How should they respond in a fast-moving crisis? How can they identify risks and mitigate them? And who should execute their strategy? Our latest episode of The Sidley Podcast grapples with those questions and many others. Join host and Sidley partner, Sam Gandhi, as he speaks with two of the firm’s thought leaders on crisis management and corporate risk — Yvette Ostolaza and Raymond Bonner.
Yvette is chair-elect of Sidley’s Management Committee. She is also a member of the firm’s Executive Committee and global co-leader of its Litigation practice. Ray founded the firm’s Food, Drug, and Medical Compliance and Enforcement practice. He is lead counsel for the firm’s Risk Management and Critical Matters team and a member of the firm’s Executive Committee.
Executive Producer: John Metaxas, WallStreetNorth Communications, Inc.
Recent events have given the term corporate crisis a whole new meaning. From cyber attacks and pandemic disruptions to social media posts that go viral, companies are being challenged in ways they never have before.
How should they respond to a fast-moving crisis? How can they identify risks and mitigate them? And who should execute that strategy? We’ll find out in today’s podcast.
Those first 24 to 48 hours are critical.
I’d like to say to boards and companies when they face a crisis to really stop, look and listen. Don’t immediately react and don’t go into autopilot.
Your main goal is to get accurate information out there. If you’re not accurate it just has a continuing impact with regard to how the public perceives the company.
It’s a folly to attempt to solely use internal people to mitigate a crisis because they already have a fulltime job.
From the international law firm Sidley Austin, this is the Sidley Podcast, where we tackle cutting-edge issues in the law and put them in perspective for business people today. I’m Sam Gandhi.
Hello and welcome to this edition of the Sidley Podcast, episode number
21. Today we speak with two thought leaders in crisis management and corporate risk, Yvette Ostolaza and Raymond Bonner, about how companies can take actions to avert or mitigate crises. Yvette is the chair- elect of Sidley’s Management Committee. She’s also a member of the firm’s Executive Committee, the managing partner of its Dallas office and global co-leader of its Litigation practice. She has extensive experience advising clients at each stage of complex, multijurisdictional commercial disputes and corporate investigations.
Ray founded the firm’s Food, Drug, and Medical Device Compliance and Enforcement practice. He is lead counsel for the firm’s Risk Management and Critical Matters practice and is a member of the firm’s Executive Committee. He is a partner at the firm’s Washington, D.C., office and represents life sciences clients on government investigations, enforcement proceedings and litigation. Yvette and Ray, thanks for joining us on the podcast.
Thank you, Sam.
Thank you, Sam.
Yvette let me start with you. Given all your work with corporations in crisis situations, provide us with context on crisis management. How does the company initiate the process on the ground once they become aware of an issue?
Well, it certainly depends on the crisis, but crisis management sits at the intersection between legal, board governance and PR. Consistency of collaboration between all those teams and having them work together is important. I’d like to say to boards and companies when they face a crisis to really stop, look and listen. Don’t immediately react, don’t go into autopilot, but give yourself some time, and some time that is a very short period of time, to come up with a plan and the next steps. It’s a folly to attempt to solely use internal people to mitigate a crisis because they already have a fulltime job before the crisis developed and this may be their first crisis. So, they may not have the right skill set or the time to address all of the issues that a company needs on a real time basis.
A company and a board are best protected, in my opinion, having the best professionals on retainers before a crisis develops and to have a plan in advance for those types of crises that a particular industry faces. For example, if you are concerned about a proxy fight or activist activity you should have that proxy professional retained well in advance or an action plan in place with decision points. Legal professionals that specialize in that area, retaining PR professionals through counsel, for example, to attempt to have a privilege on PR. By contrast, if you’re concerned with cybersecurity risk, as so many companies are now, having the correct legal and forensic professionals in advance who know your management, legal regulatory experts, a board, and IT can be a game-changer.
And Ray will address that a little bit more in detail in his expertise in that area, and PR is the key. Don’t attempt to fight everything in the media. Too many times, early PR is used against management, and statements have been made. It’s important to gather all the facts, to pause and to work with professionals that understand all the risks that your company can face depending on what statements it makes.
Thinking about recent catastrophic events obviously every company has been dealing with COVID-19, but there are a number of other breaking crises in the news. Last week we saw in the news that one of the largest independent physician groups based out of Chicago began notifying over a half million of its patients that their personal information may have been compromised during a July cyberattack. Ray, from your experience, what are clients asking you about the most when it comes to a crisis that they’re facing?
So, Sam, glad to address that. Let me talk about four different areas we’re getting a lot of questions about, and they cover a range of issues. So, let me pickup on your example that you referenced. First is cybersecurity or some type of computer attack. Given recent events, companies are now dedicating even more resources to developing stronger preventative controls. I’ll give you one example from the world that I typically am engaged in. The FDA has provided information to medical device and pharmaceutical manufacturers on steps companies should take to mitigate against cybersecurity issues and actions companies should take if they believe a cybersecurity incident or attack has occurred. This is critical in the medical device space because oftentimes those devices are connected to the internet, hospital networks and even other medical devices.
So, as a result of cyber attacks, they have the potential to impact the safety and effectiveness of critical patient devices. One of the things we’re starting to see companies focus on more and more getting into greater planning would be to establish a cybersecurity incident planning team. What I mean by that is a company needs to get its subject-matter experts pulled together both from a preventative standpoint, and if there is an event, a reactive standpoint. You need a playbook that provides the team with clear guidance for responding to an incident, and that includes, for example, a playbook that sets forth a plan to engage with national and international law enforcement authorities, as well as any regulatory agencies that are responsible for your industry. Also, companies need to focus resources on the manufacturing and supply chain systems from a cybersecurity threat.
Let me be specific. You need to map your full supply chain, including the development of supply redundancies. Those are just a few examples, picking up on Sam’s point, of questions we’re getting from industry.
Second, the ESG area has become more and more important to a lot of stakeholders. That would be the private sector, the government and shareholders. Many companies, from our perspective, are now asking more and more questions about how do we develop an infrastructure and systems to manage these types of issues in a holistic manner? So, the focus here needs to be on an assessment of both risks and opportunities.
Let me give you an example. If a multinational company has a large global supplier network, you need to assess not only the quality and supply chain issues, but you also need to carefully review your supplier’s ESG practices, such as labor and environmental compliance. In some parts of the world, there are unfortunately situations where labor conditions are very problematic, and if your suppliers are in a situation where they’re having circumstances such as forced labor, the company that relies on those suppliers need to take action, need to be addressing those issues in a proactive way. Also, of course, from an environmental standpoint, clean air and water-related matters or more specific issues and risks in countries beyond the United States.
Let me talk to you about a third issue that we are now getting a lot of questions about and that is data integrity. Companies on a regular basis use and rely upon data, both the accuracy and the validity of that data, to make business decisions, to make compliance decisions, to make product release decisions. So, in a world in which we’re going more and more electronic and digital everyday relying on accurate critical data is important. Let me give you an example, once again, from the life sciences sector. So, for years the FDA has been focusing on what they call good documentation practices. But they have also found numerous instances in which companies have falsified data. If a regulator or internal audit discovers data integrity problems of a systemic nature, the company needs to take a deep- dive into the situation, including determining the scope of the problem and assessing related issues.
The industry regulatory example that I just talked about from a life sciences perspective also could apply to a number of other industries. Think about the data that the automotive industry relies upon. Think about the agribusiness sector. The chemical industry, which does a lot of testing with regard to its chemicals it releases for a variety of purposes to industries across a number of sectors. Energy and technology as well. Finally, we are getting a lot of requests from clients about how do you develop a governance process and audit program and a corrective and preventative action program? Let me give you a few situations for companies to focus on. First, given the situations I’ve just described, cybersecurity, ESG and data integrity, does the company have the experience and expertise to assess these new developing areas or do you need to go beyond your internal resources to get a fresh perspective on the state of those programs?
Second, when was the last time the company conducted an independent baseline audit or diagnostic regarding risks in these areas? Third, were the corrective and preventative actions you took in connection with earlier audits effective? Are they sustainable? In other words, are they working?
Fourth, are those issues getting escalated in your governance system so that management is aware of those issues and then driving solutions? The bottom line is you can’t address what you don’t know, and so we’re getting a lot of questions in the compliance enforcement space about how a company can improve its audit program.
Thanks, Ray. Yvette, let me ask you, when you get a call in the middle of the night from a client lately and the number of crises that you deal with, what do clients typically need the most?
Clients are looking now, in particular, in the area of cybersecurity because, as Ray says, there’s so much regulatory infrastructure that’s being developed in that area and also because of ransomware attacks that have made the front headlines of many papers, and so they’re concerned about that. But during COVID-19, what we also saw is the development of black swan plans, in particular as they dealt with succession planning, because there were unfortunately executives, board members and others that succumbed to COVID or were sick for a period of time. And so, I saw an uptick in succession planning and making sure that there was an identification in advance of how that process would go should an emergency happen. Another area that we saw was in the area of manufacturing accidents. For example, in energy if there is a spill, most of the companies have some type of crisis management plan of who you involve, when you involve them, how do you notify the insurers, how do you notify the governmental entities, what you do for the families. If you’re in an area of manufacturing, that is something that you should consider to update on a constant basis.
The other area that I’ve seen a development on are whistleblowers, in particular in the Me Too area when they involve the C-suite, and more and more plans developed and how that should be handled. Making sure that there is a spokesperson that’s been identified at the company that is trusted. And depending on whether the C-suite is involved in that, who will be the primary person at the board that will be coordinating that. Those are the kinds of things that I’m seeing clients do, and in reaction to COVID-19 in particular, this crisis area of succession planning and also shutting down, closing down, restructuring entities on a quicker basis and what’s the reaction to that with bankers, lenders and different constituencies.
Well, let’s just follow up on those different constituencies. Who are the stakeholders in these crisis situations, and generally what do you see as their needs? And how do you prioritize that when you counsel a board.
So, the different types of constituencies that at least you should have on your checklist include management, your employees, your shareholders, and regulatory agencies, in particular if you’re a regulated entity or if the nature of the crisis will cause regulators to be interested. And of course your accountants, depending on what they’re doing, as they’re conducting their audit and the timing, they have to be very involved. Insurers, again, depending on your industry, have to be involved at an early stage. Lenders. All of those are constituencies that you can consider and depending on the nature of the crisis, some of them will be more involved than others in you having to make sure that you communicate in a manner that is meaningful to not create further harm to the company.
And Ray we’ve talked a lot about how companies have been thoughtful in advance about anticipating these crises and how they can manage it. But when a crisis occurs, from your perspective, in the pivotal early moments of a critical matter, what needs to happen?
So, Sam, I think the first thing that needs to happen is essentially a group needs to be formed very quickly of senior people, decision-makers, who can coordinate the efforts in a careful and strategic way. Of course, things are going to move fast. You have to be nimble. You have to be agile in order to respond, because you’re going to have a lot of accurate and sometimes inaccurate information headed your way from a number of sources. So, those first 24 to 48 hours are critical. They’re going to require early dives on some of the major issues and allegations to the extent they exist. And that team needs to be the recipient, the senior team I described earlier, needs to be the recipient of that information flow so they can assess it and start making decisions sooner rather than later, because time is of the essence in terms of getting a response.
Someone during that process, and oftentimes it will be outside legal counsel, needs to pump the breaks to make sure that the issues that are being developed from a fact standpoint are accurate. That’s important.
You’re moving fast, but you want to get things accurate from the start. Your history record is being made. There also needs to be an early focus that goes beyond immediate legal issues to understand and address how the customer issues, financial concerns and public communication components are going to interact. In my experience, when issues become aware to the general public or are receiving significant media scrutiny, customers are going to be calling a range of people at the company. The people that are talking with customers need to also provide accurate information and regular updates, as more and more information becomes known.
The other issue that you have to keep in mind if you’re a global company is if you’re talking to a regulatory authority in the U.S., you’re also going to get questions or in many cases you need to be updating international regulatory authorities so that they have the same regular information flow that U.S. authorities may have. And the last point I want to drive home is that you’ve got to get your response right from the start; you’re not going to have all the answers, because a flawed response can worsen the problem both immediately and long-term.
When you talk about a flawed response, do you mean an inaccurate response? Do you mean a nonresponse? Do you mean too much of a response? What do you mean by a flawed response?
Sam from my perspective a flawed response could be, in the first instance, you just get information wrong. You’re moving so quickly that you don’t have enough information to provide at least a real snapshot, an accurate snapshot, of what the company’s situation currently is. Second, if for some reason you learn additional information or information that might change the original response, you then have to bring that information forward to all the constituents that Yvette was describing, but equally important to customers and regulatory authorities to make sure they have the most recent update. Because at times, you’re not going to have all the information. At times, the information is going to change; for example, if you’re doing a recall of a product, the scope of that recall may broaden further and you may need to increase that information flow both internally and externally.
You’re listening to the Sidley Podcast, and we’ve been speaking with two thought leaders on crisis management and corporate risk, Yvette Ostolaza and Ray Bonner, about how companies can best avert or mitigate crises. News of a crisis or an impending crisis is now delivered at lightning speed because of the use of social media. Yvette, how does a company handle that landscape where blistering, often inaccurate, tweets or postings about a business can go completely viral?
This is where having a specialist that you have retained well in advance of the crisis that understands your industry and your business is so key. There are PR and investor relations companies that deal with social media. And what’s important is to consider the pace of the information, how quickly it goes out, what you want to respond to and what you don’t want to respond to. Sometimes your response becomes the story and feeds into tweets or to social media that nobody really cares about. One of the things that I suggest to clients is to have in advance proxies to assist you in handling inaccurate statements.
Some of the experts that Ray mentioned, for example, would be a proxy that is not directly attributable to the company, but is somebody that’s an expert in the field that can say this is just wrong. Some of the social media experts, for example, will help you in working together to make sure that, for example, favorable former employees, if it’s an employee issue, come and speak forward in social media to address the concerns. Rapid deployment to make sure that an accurate story with a favorable media outlet that later can be tweeted or attached in terms of social media is important too. Because that is still more credible than a random person sending out a tweet.
So, Ray, let me come back to you on building that public and PR response, whether it’s through social media or traditional PR. How does a company build a communications plan and execute that right response so it isn’t flawed?
So, from my perspective, Sam, I’ll go back to the fundamental point I mentioned earlier, you have to have that core team established. Because in large part a company, I think, can anticipate where some of these events may occur. So, obviously, senior management needs to be engaged, they need to be engaged substantively, they need to be engaged with regulatory authorities, they need to be engaged with the press. Second, in-house and outside counsel can provide a valuable role in terms of being a checkpoint for information that’s flowing at a rapid pace and then being delivered to the public or other authorities. That checkpoint is important so, of course, ultimately try to get the information accurate.
Third, picking up on Yvette’s excellent point, it’s a theme I want to sound again internally at the company. Companies will have subject-matter experts, and some of these are technical experts, some are product experts, some are industry experts. They’re going to be able to provide more sophisticated expertise and advice on sometimes technical issues or the scope of the problem. They can contribute early and throughout the process to make sure you have a scientifically sound or a business sound explanation for what happened and what the company’s doing to address the issue. In other words, what’s realistic and what’s the timeline.
And then last, as Yvette has noted in her earlier comments, you have to have your internal communications team and you have to have an outside communications team to essentially develop your company’s perspective on the developing events and to assure both the public and others that you’re going to be providing regular updates. As I said before, your main goal is to get accurate information out there. If you’re not accurate, it just has a continuing impact with regard to how the public perceives the company from a trust factor and then second even a going-forward operational level.
And the accurate information, because when you’re going real time and sometimes depending on the nature of the incident, for example, if you’ve had a shooter incident or you’ve had a manufacturing accident, people are going to want to know answers real time, but you may not have that information. And making sure that you pause until you have not perfect, but close to perfect, information is going to be important. Because the story changing is: you’re going to get hurt more than by giving information and reacting because people asked you. And I think that’s one of the most important things that your legal professional advisers should do is to make sure that everybody understands that there’s a reason to respond. There is a reason to push back and say we don’t have all the facts right now and building that credibility even if all the newspapers are calling and saying you should know or management is being criticized by not knowing the answer.
Waiting a week, sometimes, is the difference between having better information and the story changing, but having the commentary and saying these are the things that we’re doing and the process that we’re undergoing to make sure we have the right information is important. I think it’s also important to note that you don’t always have to speak to the media for attribution. Going on deep background or going on background can be as effective as having a quote from the company. And working with the media to give you more time; often what the media wants is the information that’s accurate too. They’re on the same boat. And so, making sure that you’re talking, but you don’t have to do it or always be quoted on behalf of the company is an option that you have and that PR professionals are great at working with the media.
Yvette, when you say that a company doesn’t have the information and don’t speak to the media — you don’t really mean being silent, you’re really talking about talking to the media or talking externally, whether upfront or on background, to basically say that you don’t know or you don’t have all the information. Is there a time where a company should be silent and a time where a company should just go out there and say we don’t know?
I think if you’re undergoing an internal investigation and you want to make sure that, that internal investigation or review is the type of review that people will want to speak to you about and is viewed as independent, it’s important to say we’re going to go through our process. We see that a lot in the whistleblowing context. You don’t want to have been viewed as making a decision go one way or the other until you have gone through the process. There’s a reason internal reviews are confidential where people come and speak to you, you look at documents, you look at emails, and you’re able to put together the facts.
I think when you have that kind of internal review, it is especially important to let the process work and talk about the process that you’re going through and the professionals that you’ve retained. Often at the end of that process, because of privilege, you will not be disclosing your results, but there will be remedial steps that are taken. And making sure that you’re acting in the best interest of the company and preserving that privilege is also as important. The other area that I would say is when you’re dealing with an accident of some sort, where all the facts are not known and you still want people to come and you have forensic testing that’s happening, that’s also an important time to say we’re not ready to comment, but we’re going through a process too.
Let me go back to something you just said in terms of legal privilege. When a company first gets into trouble or realizes there is a crisis, there is a moment around the table where everyone discusses what happens and how to respond. How does a company protect those communications under legal privilege, and what should a business know about how to protect those communications?
So, that’s a complicated answer depending on the jurisdiction that you are in. But assuming that you’re in the United States, if you have retained outside counsel to provide legal advice in connection with a matter and you have an engagement letter that reflects that, you usually will have the benefit of the privilege. So, what things do you have to be afraid of? Well, one of the things that you have to be afraid of are people that are communicating with each other and not engaging the lawyers on seeking legal advice. So, for example, when I first involve a board in that first call, I’ll say this is not the time for all of you to be texting each other or sending emails about this. Because if you’re not seeking legal advice and you’re commenting during that time period it may be difficult depending on the jurisdiction to find that there was privilege even if there was litigation.
So, what’s important instead is to make sure that you use the phone. The phone is your friend. If you have a question call your general counsel, call your outside legal professionals, let’s have that information all at the same time. If you want to have deliberations or discussions let’s hold a special meeting, so that you can have that, and make sure you’re seeking legal advice. The other area that you have to be careful with is the area of investor relations and PR. Often some of the early PR statements or drafts that are made by an outside professional that denies something or take a strong position, for example with respect to an activist, can be used later to say you never kept an open mind. Look, you know, this management never wanted to really consider our proposal even though management may have not been involved in drafting that.
So, when there is a kind of issue that is crisis management or a crisis that the company is dealing with outside counsel, often what we do is we retain the PR professionals to assist us as legal counsel in advising the company and making sure that as we’re defending the company, we’re using the right information from a PR standpoint too. Because sometimes they may tweak words or they may be in a better situation to advise as to what they see in different constituencies in the country, if it’s a national crisis. There may be different opinions in Texas than there are in New York on a particular issue. So, retaining those outside professionals through legal counsel in a cybersecurity attack, for example, the legal counsel often does retain the forensic professionals that are going to go in there and see.
The goal that we want is a company to be able to look at both the good facts and the bad facts and get good legal advice to protect the company going forward. And the best way to do that is under privilege, the same with respect to when you’re dealing with regulators. You want people to be open to the concerns that they have and get that legal advice from their lawyers. And so, I say please, if you have this issue if you’re management or if you’re the board and you’re dealing with this, make sure that you’re involving an attorney that is providing you with legal advice so that you have a chance of privilege attaching to that. The other concern that sometimes is raised is if you’re doing a compliance audit. That sometimes in some jurisdictions those are not viewed as privilege. And so, the intersection between compliance and privilege is something that’s very dependent on the jurisdiction that you’re in. And getting early advice as to what law applies will be important in ultimately protecting the company and the privilege.
Ray, let me come back to you. How does a company then mitigate risks and hopefully prevent future crisis events?
So, Sam, one of the things that we’ve been doing in particular industries is conducting what we call a diagnostic risk assessment. What you’re doing there is identifying the more significant risks the company faces or could confront. We take a look at the historical risks that the company’s had and that the industry’s had. One of the reasons we do that is, just like we learned in high school, history repeats itself. History can repeat itself with regard to risk resurfacing again and again and those risks not being fully addressed. So, that diagnostic risk assessment can look at historical risks, current risks and then third what we call coming around the corner risks. It gives the company and management an overall perspective and a prioritized risk map going forward to address issues of significance in the hope that you can address those issues and then hopefully not have a crisis. No guarantees as part of that process, but it is a healthy process and one that companies find to be very productive in terms of learning information from the various levels of the company.
Because in our experience one of the common threads for crisis situations or critical situations are circumstances where some place in the company someone knew about the risk, either tried to escalate it or didn’t escalate it and as a result that was percolating well below management’s level and as a result no action or little action was taken. Of course, the postmortem then develops a scenario in which the company was aware at some level of the problem. So, those risk assessments can be very healthy for an organization and very productive in terms of managing your risks. Second, once that risk assessment is done and there’s report outs to senior management by the law firm, those are privileged report outs. Once management becomes aware of a situation, then you want to develop the term of art is corrective and preventative actions, otherwise known as CAPAs. CAPAs are designed to address the problem both in a thorough and comprehensive way, but also to assess what was the root cause of the problem? Because the root cause can manifest itself elsewhere in the organization. So, it could be a cultural issue from a corporate escalation standpoint. Or it could be a substantive issue that was never fixed earlier from a technical or manufacturing standpoint.
The next step would be after you develop and start implementing those CAPAs, you pick a time out in the future to do effectiveness checks. Did we actually select the right corrective and preventative action? Has the issue repeated itself? Do we have full resolution of the issue? Is this particular CAPA sustainable? It’s a way, once again, not only to mitigate risk at the front-end from your evaluation process, but operationally at the company in terms of going forward.
You’ve described a little bit about diagnostic risk assessment. What’s the difference between that and a company that just conducts an internal investigation?
Very good question. Most of the times, companies will call in law firms to do the internal investigation. That’s typically a look back at the historical facts, who is doing what, who was responsible, who made the right decisions, who made the problematic decisions and usually at that stage there is a significant amount of spotlight on the company either internally or externally. In other words, fingers start to get pointed, and rightfully so in some situations. You’re going to have to respond to the government in terms of inquiries or other third parties.
The diagnostic is different. It is very business-oriented. It is not finger- pointing. It’s there to identify the significant risks, come up with a collaborative approach to address the most significant risks, and then take business action that can put the company in a better competitive situation going forward with third parties or to avert a potential crisis. In other words, if you see others in the industry moving in a certain direction and then all of a sudden there is some government scrutiny in that space, well, that diagnostic may help you assess your situation in a non-finger-pointing way to get in a better position. In other words, to assess the health of your systems and do it in a more productive way.
And Sam on your question on the internal review, and I agree with everything that Ray has said, when I’m conducting an internal investigation or a review on behalf of a board, one of the things that I say is you paid a lot of money for somebody to delve into your organization and give you some background. Every internal review should have an aspect of a proposed remediation or recommendations. Some of those recommendations may be that the company’s doing a great job and you just need to update on a particular area. The key thing is that after you’ve conducted that internal review that resulted from some event, that the company is left better off than when it started. I’d like to think that one of the reasons our crisis management team has been ranked as number one in the country is because of that. It is because we’ve spent a lot of time saying what have we all learned? Not being judgmental. We all learn from these new experiences, whether it’s COVID-19 or an accident, or a Me Too investigation and how can the company self-remediate in the future to do better?
That’s important to come up with those, with management being involved and the board, and that comes out of 99.9 percent of the investigations I’m involved in, is sort of a reflection. But then the second part is not just having those recommendations in a piece of paper that’s stuck in a drawer. It is how are you going to monitor those so those are implemented and the company gets better? So, one of the things that I think is important, if you’re dealing with legal counsel, is to make sure that you think of who is going to be in charge of making sure these remedial steps or these recommendations are implemented? If the nature of the crisis was, for example, an accounting issue, then the audit committee would be somebody that could report to the board or management and the financial team will report to the audit committee on a regular basis.
If it dealt with a Me Too or an employment issue that required training, that would be something that the HR professionals could report to the board on some period of time, so that the board is aware that the risk is being mitigated. If you have a cybersecurity incident and then you’ve learned from that cybersecurity incident that, for example, you need to have tabletop exercises or you need to have a new system in place. Making sure the right committee is reporting to the board in how they implement it and provided with a firm timetable. Because in many companies there are changes in employees, and so sometimes those transitions result in the ball being dropped in an important area.
So, let me give you another concrete example. Let’s say, for example, you’re a manufacturer of an important product. And let’s say, for example, you are located in an area that is susceptible to hurricanes or take it to another part of the world earthquakes. Let’s say that’s the only plant that you have to produce that product and let’s say unfortunately one of those disasters hit, hurricanes or earthquakes, and you don’t have a backup manufacturing network or another supplier of that product that can fill the gap until you recover. You’re in a situation where if you had identified that issue ahead of time, you could’ve had a plan in place to continue production until you restored your facilities to an appropriate manufacturing quality level.
And as a result of that, you stay in business, maybe you’re relying on another supplier for a short period of time, but it shows your commitment to the public, to your customers and you then have an opportunity to be resilient and get back in production. You would be surprised how often that kind of situation plays out, where companies don’t have one type of redundancy or another. So, the risk assessment, the diagnostic assessment, uncovers, identifies and provides solutions for those situations before they develop rather than reacting afterwards.
So, Yvette, to follow up on that, are companies doing enough to proactively mitigate risks?
I think most of the top companies nowadays are focused on mitigating risks in certain areas in particular now that they’ve learned from the pandemic on succession planning, like I said earlier, on the cybersecurity risks that their company has, on insurance risks. Many companies are doing that and of course there’s a lot to be learned from a crisis averted. As a general matter, companies are well advised to devote more resources to proactive risk mitigation, including by enlisting the help of third parties, engaging in tabletop exercises, constant training of employees because of the changes that are happening in real time, for example, during COVID-19. With so many people working remote, that exaggerated sort of the need to make sure that there was more cybersecurity testing and training done by the company to make sure that employees did not respond and cause risk to their company. That’s a perfect example of that, and I saw many companies do that and do a lot of training.
In the world that we live in, not only from Me Too, but all of the different social issues that are being raised is having more and more training in those areas, management training, on how to deal with different types of employees, the importance of diversity. I’ve seen more diversity and inclusion training happening across America from companies. So, I do see companies engaging proactively to mitigate risks. It’s when there’s a financial crisis and the company doesn’t have enough money that sometimes those issues are set aside and projects are procrastinated on that you have to be careful, in particular if it’s something that is important to your company. If you’re in retail and consumer information is sacred and you end up with a leak, that can be a very expensive situation for you and the company. So, it’s important to think of your industry and what are the kinds of crises that could bankrupt the company and make sure you’re always spending money on those.
Ray, let me end the podcast with you. When you talk about the historical crisis that a company has gone through, what has historical crisis taught us about risk management and crisis prevention?
My focus here Sam, as I said before, is on history. Because a lot of the situations that we see when we do diagnostic assessments is that this issue of significance or this pattern of a problem has been percolating for a period of time. And it does get some attention, but it doesn’t get the attention it deserves, and then the issue builds and then you have a pattern and then you have a systemic problem. So, as a result of the diagnostic process you can get in and find those issues, escalate those issues, so that history can get addressed and problems can get solved. One example that we sometimes use is the Challenger shuttle example that occurred a number of years ago. I won’t get overly technical here, but briefly in that situation with NASA there had been a longstanding design flaw that allowed some of the pressurized hot gases and flames to “blow by” the O- ring and make contact with an external tank. This resulted in a structural failure of the shuttle.
That design flaw was susceptible to a number of environmental factors including the unusually cold weather on the day of the launch of the shuttle. And then a commission was formed after that tragic accident in which the Rogers Commission, as it was called, found that the disaster was “an accident rooted in history.” That O-ring design flaw was known for almost a decade but was never properly addressed. Engineer concerns about launching Challenger in that unusually cold weather, which could exacerbate the O-ring issues, were not escalated to senior decision- makers. So, what the diagnostic process does for a company is it allows you to get people from throughout the organization to contribute their view of risk and then for management to prioritize those risks and take actions.
In other words, history is addressed.
We’ve been speaking with two thought leaders on crisis management and corporate risk, Yvette Ostolaza and Ray Bonner. Yvette and Ray, this has been a great look at the landscape on crisis management and what corporations face today. Thanks for sharing your insights on the podcast.
Thank you, Sam.
Thank you, Sam, for the good questions and the guidance.
You’ve been listening to the Sidley Podcast. I’m Sam Gandhi. Our executive producer is John Metaxas and our managing editor is Karen Tucker. Listen to more episodes at sidley.com/sidleypodcast and subscribe on applepodcast or wherever you get your podcasts.