An unlimited number of things could cause a corporate crisis even when a company works hard to prevent it. Business decisions can have unintended consequence; natural and man-made disasters can create a domino effect in supply chains; and there’s always the risk of a data breach. According to PwC, about 65% of CEOs stated that their companies had experienced a crisis within the past three years. About 73% of CEOs expect to face at least one crisis in the coming three years. No board wants to wake up to find that they’re the next bad media story. Boards should evaluate their crisis management best practices annually to ensure that they’re ready for whatever comes.
If a crisis occurs, it can be difficult to contain it. The 24-hour news cycle combined with the viral nature of social media means that bad news travels faster than ever. A corporate crisis can have significant financial, legal and regulatory consequences. No matter how well they prepare, boards can’t prevent a single crisis from happening, but how the board handles it is a reflection of effective governance. In the best-case scenario, boards will manage a timely, well-coordinated crisis response and communicate responsibly with stakeholders.
Board Oversight of the Crisis Management Program
Crisis prevention is a board priority. A 2016 PwC director survey indicates that only 31% of boards believe that their management reviews their crisis plan well, although the 2019 PwC Directors’ Survey indicates that 96% of boards have discussed their management’s plan for how to respond to a crisis. Advanced crisis preparation should be a close second on the priority list for boards.
The board has many responsibilities in overseeing and challenging all aspects of its crisis management program before, during and after a crisis. Overall, they need to ensure that the right framework is in place and that the company has sustainable capabilities to respond and recover appropriately. The board needs to ensure that the crisis plan will be managed by someone who has the proper legal and compliance experience and can manage the daily operational and tactical responses.
The board should also look for assurance that the internal and external communications leaders are prepared to articulate decisions and messages clearly and directly. In addition, the board should be aware of the roles and implications of all stakeholders.
A crisis management plan should be integrated with their ERM program to ensure that it is aligned with and informed by the company’s strategic plan and falls within the company’s risk tolerance. A rigorous enterprise risk management (ERM) program is important to the foundation of risk management to mitigate losses and prevent litigation. The plan should be flexible so as to account for changes to risk assessments and priorities.
Finally, boards should be participating in various simulations and tabletop exercises with management to enhance their knowledge and effectiveness during an actual crisis. According to the 2019 PwC Directors’ Survey, 56% of boards are engaging in tabletop exercises, compared with only 28% the prior year.
Involve Stakeholders in Crisis Response
Perhaps the most difficult part of overseeing a crisis management plan is knowing all the stakeholders that need to be involved in crisis response and gaining assurance that each of them knows and understands what their responses should be if a crisis occurs. The entire C-suite should be involved in some fashion.
The CEO takes the main lead in crisis management. This individual will need to work swiftly in coordinating efforts. The chief operations officer (COO) or business operations manager should work quickly to assess the wide impact of the crisis and get an understanding of the impact on customers and suppliers. The COO’s main goal is how to get the company back to business as usual as quickly as possible. Legal counsel should be involved at all points. Their responsibility includes reviewing all media talking points and scripts and being familiar with insurance requirements. The CCO should be prepared to use communication to establish trust and to share credible and transparent messaging that describes what happened and what the company is doing to stabilize, and keep investors and others updated.
The chief revenue officer (CRO) works with counsel to manage risks proactively and create the proper messaging. The chief financial officer (CFO) has many important duties during a crisis, including filing the necessary disclosures and filing insurance claims. In addition, the CFO needs to assess the impact on the investors and work with the executive team on creating the proper responses. The external auditor is the one who evaluates the potential adverse financial impacts of the crisis and monitors regulatory, legal and internal controls.
In the event of a crisis due to a cyber event, IT teams take the main lead and work with others to restore the system and put backup systems or workaround systems into place. External investigators are responsible for identifying, gathering and discovering and coordinating internal and external communications.
Oversight of Key Goals Before, During and After a Crisis
Before a crisis occurs, boards need to evaluate their early warning systems and decide if there is any way to enhance them by prioritizing key issues. Boards should understand the definition of all roles during a crisis, including who is responsible for all areas, who makes decisions and how they should be made. Strong oversight also means that the board should be familiar with all external allies and advisors and that they have agreements or drafts of agreements in place so they can move quickly. For example, those parties who are responsible for communications should have drafts of press releases ready in advance. Boards should collaborate with management to participate in crisis response rehearsals and note any gaps in the crisis management plan. All parties that are involved should have a copy of the centralized response program.
During a crisis, the board should put additional financial resources and working capital in place until the company can transition normal operations. Boards should also insist on getting regular briefings from management and third parties and be on the lookout for new risks created by the crisis.
After the crisis, the board needs to ensure that the company is producing timely and open communications with employees, customers, shareholders, joint ventures and other key stakeholders to help create transparency, enhance a culture of integrity, and restore their reputation and confidence.
It’s also important for the board to work with management to identify any underlying causes of the crisis and remedy them. Finally, the board should also assess management’s response, as well as their own. Best practice for crisis management is for the board to utilize a board management software system like Diligent Boards as a secure means for secure communications and coordination during a crisis, to prevent further complications.
In conclusion, the board should support a risk-aware culture and set the tone at the top. This is an important step to help elevate the need for crisis preparedness and readiness.