USA: An Introduction to Crisis Management
What Keeps You Up at Night?:
Preparing for the Unknowable and Planning to Win
Every organisation will face a crisis. Most organisations will face many. And as soon as a crisis hits, it is an all-encompassing event which can determine the future of both the institutions and individuals involved. We often ask our clients, “What keeps you up at night?” And the answers are endless and constantly evolving. Indeed, the crises our clients face reflect the ever-changing world in which we live.
Geopolitical risks and tensions are higher and more complex today than they have been in decades. Russia’s invasion of Ukraine is the largest and most significant military conflict in Europe since World War II. This war has had and will continue to have global ramifications and an immeasurable humanitarian toll. In the United States, the Department of Justice, Treasury, and many other federal agencies are issuing broad new sanctions and ramping up enforcement, as are allied governments with often overlapping authority over our clients.
As a result, our clients must consider their potential exposure to sanctioned parties and sanctioned activities, and review their current compliance measures to prevent sanctions violations. And the war in Russia is only one among the myriad regional and international conflicts, tensions, and rivalries that institutions must be prepared to address.
Cyberattacks – carried out by dangerous state actors and unrelenting ransomware groups – continue to increase in frequency, scale, and sophistication. Ransom attacks have increased at an alarming rate over the past two years, with cyber extortion demands heading into unprecedented levels, with some at tens of millions of dollars. The networks of every major institution in the world, including governmental entities, corporations, universities, and medical institutions, are more at risk from cyber threats than ever before, as are companies of all sizes. The disruption to the work force from the pandemic and the resultant prevalence of remote work across industries has resulted in an exponential increase in cyberattacks, and the potential consequences of the resulting breaches continue to escalate in parallel.
The global pandemic also has had a profound impact on daily life, leading not only to over six million deaths worldwide at the time of this writing, but also to significant global disruption in our financial system and supply chains, contributing to severe economic uncertainty. Inflation has hit levels like never before, and many predict an impending recession. ESG and the attendant regulatory requirements related thereto have taken a front and centre role in many corporations. Additionally, social justice protests and the #MeToo movement have demanded change and seen results. It is clear that all organisations will spend more money, effort, and time navigating a host of political, cultural, environmental, and social issues for many years to come.
Any of the above could affect our clients at any moment and have a severe and lasting impact on the success of an organisation. No client (or lawyer) can control the economy, malicious foreign actors, criminal syndicates, or war. But you can control your response to a crisis and manage these risks as they arise. We help our clients face all of these issues, and many more. Dechert’s deep bench of lawyers around the world guides our clients through extremely sensitive and volatile matters. Companies and government agencies alike trust us to assess and mitigate risk before an event occurs, and to coordinate strategic responses to crises in real-time.
After all, every second counts when a crisis hits. The first hours and days are critical. Whether that involves responding to a dawn raid, navigating a new sanctions regime, responding to a cyberattack or unwelcome takeover bid, product recall, or personnel crisis in the 24-7 news cycle, we formulate and execute strategies to minimise the impact of emerging threats to the organisation and the people involved.
We understand that this means not only mitigating risks to the financial, operational, and personal interests of our clients, but also managing reputational risks and the narrative before adverse messaging takes hold in the media (traditional, social, or otherwise). This will not stop activist shareholders, journalists, cyber criminals, or critics from attacking an organisation’s actions and response. But our expertise will soften the blow, help you navigate any crisis response, and work towards the future.
We also work closely with our clients to embrace crisis readiness and prepare for the unknown. As the saying goes, if you fail to plan, then plan to fail. We help our clients plan to win.
At Dechert, we will always work with our clients during any stage of a crisis. But our clients serve their stakeholders best when they work with us before the crisis hits. To aid boards of directors, C-suite executives, and global legal teams, we work with our clients to develop and implement risk clarity assessments, conduct tabletop exercises, review policies and procedures to maximise readiness and decrease risk. These assessments happen weeks, months, or years before a crisis happens. Our team works individually with each client to assess where the organisation may be most vulnerable and identify potential threats, both inside and outside of their workplace.
First, our team meets with the client’s principals to determine what they think risks and issues may be within their organisation; in short, we find out what keeps them up at night. Next, we work with each client to identify employees and stakeholders who may be more directly exposed to potential financial, operational, cultural, or political risks to understand whether there are additional issues that may not have reached executive leadership. And we review key policies, procedures, and internal controls and systems based on these discussions. Through tabletop exercises, mock regulatory exams, or other tools, we maximise readiness and minimise risk.
These assessments, performed by our multi-disciplinary team, allow us to help clients prepare for a wide range of potential issues in a single assessment. We have the legal expertise, communications skills, and public policy experience to understand how possible crises may impact an organisation. Our agile and diverse lawyers leverage their experience, expertise, and relationships to provide strategic action plans that address both anticipated risks and provide frameworks for organisations to respond to unanticipated crises. And our assessments combine these risk evaluations with practical guidance on how to implement both a crisis operations plan and crisis communications plan that can be scaled to address both identifiable risks and unanticipated emergencies.
It does not end there. We are focused on the design, implementation, and enforcement of sound risk management measures, including not only emergency response plans, but pre-emptive policies, procedures, and education. At our clients’ request, we conduct in-house training, including mock regulatory inspections and interactive exercises, including tabletops. Our advice is centred around minimising risk, encouraging early detection of potential problems, and identifying subtle issues. Socialising senior leadership to the issues likely to arise saves valuable time and decreases pressure in a crisis. We also work with clients to ensure they have appropriate insurance coverage in place to help mitigate the financial impact of a crisis.
These recommendations make a tangible difference to a client’s risk profile. And the best part is that risk clarity assessments and crisis readiness protocols are put in place before the world’s eyes are on your organisation. When the crisis comes, our clients do not have to reinvent the wheel. They have a plan and are prepared to solve problems under the pressure of tight media deadlines and shareholders’ phone calls.
So what can organisations do today to better prepare for the unknowable? Here are some practical tips that you can make sure your organisation is following:
• Get Advice Early and Often. Do not wait for problems to find you. Staying informed about the latest risks and recent regulatory changes, anticipating problems, and asking questions now will help you avoid issues down the road. Think about today’s decisions and tomorrow’s consequences. Whatever you do and say today is going to affect everything that comes after, including potential litigation, government disclosures, and other strategic decisions.
• Remember Attorney-Client Privilege. When appropriate, looking at potential issues with attorneys will minimise exposure and reduce risk in the event that outsiders turn their sights on your organisation. Does the team know what is meant by this term, how to protect privileged communications through appropriate labelling or how the attorney-client privilege can be waived? A crisis is not the time to educate employees on these issues.
• Have a Plan. And Use It. Rely on your crisis management or incident response plan. If you have one, use it. If you have one and do not know what it says, read it now. If you do not have one, make one now. In a crisis, each key employee needs to know their role and what is expected of them. Complacency is not an option.
• Create a Culture of Integrity. It starts with the tone at the top. In our experience, many times it is not the original issue or the crime, but the cover-up or the less than truthful statement that leads to negative consequences. Create a culture of candour – one that encourages employees to bring issues to management and maintains zero tolerance for deceit. Often, a company is judged for how issues are handled or communicated once they are brought to the attention of management.
• Truthful Communications to the Outside World. Some organisations decide to make multiple statements, very aggressively, right from the beginning and throughout a crisis. Other organisations decide to stay relatively silent, being selective about what is shared. No matter what strategy is used – tell the truth. Looking at any potential statements or communications to third parties (whether regulators, shareholders, or the general public) to determine if they might be viewed as misleading, either in hindsight or once all the facts are determined, will go a long way to minimising risk.
• Internal Communications Best Practices. These practices and protocols can be frequently misconstrued or even monitored by a threat actor in a cyberattack. Do you have a plan for communication if the systems are down? Do your employees know the pitfalls of unthoughtful or loose communications in email or texts or messaging platforms like Slack, especially before all the facts are known? The time for training on best practices on these issues is before a crisis hits.
• Use a Crisis to Your Advantage When Possible. As Winston Churchill famously said, “never let a good crisis go to waste.” In a crisis, true leadership can emerge and bring out the best in people and in an organisation. An organisation may lose money or see some bad press on Day One, but if the organisation responds in the right way, its reputation may benefit in the long run. Customers and shareholders may become more loyal and proud of how the company acted addressing the crisis, and may more easily forgive the underlying transgressions, if there are any.