Good risk management matters as much as brand building
March 2018 | SPECIAL REPORT: MANAGING RISK
Financier Worldwide Magazine
March 2018 Issue
Businesses rightly focus very heavily on building their brands. However, many businesses are less focused on planning ahead to deal with a crisis or major issue that can fundamentally weaken, or even destroy, their reputation by damaging the trust placed in them by customers, staff and other stakeholders. In contrast, a company that manages a crisis well can enhance its brand and strengthen its relationship with stakeholders. This article outlines best practice in planning for and handling a crisis, as well as the pitfalls to avoid.
The last 12 months have produced some noticeable examples of corporate failures. From film companies to law firms to PR agencies, a poorly handled crisis can quickly turn a well-established brand into an infamous story of what not to do. Those running such organisations appear to have variously overlooked certain fundamentals: good governance, proper risk management and business leaders who understood what was being done on their watch, to name but three.
Without these fundamentals in place, it can be extremely difficult to salvage your reputation. What is crucial for corporates to take away from this is that a poor reputation goes straight to the bottom line. It hits their share price, their credit lines and the willingness of others to work for or with them. Companies should therefore view crisis planning and risk management as a crucial component of their long-term success.
Crises come in all shapes and sizes, and obviously companies cannot plan for every eventuality. However, by establishing a solid risk management practice and maintaining a thorough and up-to-date crisis plan, the chances of recovery are far higher.
Prevention
Even before something goes wrong, there are practical steps companies can take to reduce risk and make them more resilient in a crisis. Good risk management involves implementing some fundamental practices that help to prevent risks arising.
A strong culture and set of values is without question the single most important step that can be taken. The revelations involving Harvey Weinstein and the impact on the Weinstein Co are a spectacular example of how badly a toxic culture can affect an organisation. Any business with good, strong values that all of its staff buy into will be significantly better prepared to avoid a crisis, and to respond much more effectively to a crisis or issue when it arises.
Leadership in a crisis can also make a considerable difference to its outcome. A recent example is the leadership shown by Nick Varney, chief executive of Merlin Attractions, in response to an accident on a ride at Alton Towers which resulted in four people being seriously injured. Despite severe criticism of a failure to take technical steps to reduce the chances of an accident, from the outset Mr Varney accepted responsibility, put the interests of those injured first and responded empathetically. In contrast, the failure of Uber's former chief executive, Travis Kalanick, to deal with a number of crises that hit the company in 2017 has resulted in long-term reputational damage from which it may be difficult for the business to recover.
Regular risk review and adequate planning are also essential to crisis prevention. The mere exercise of identifying threats will help a business to establish its weak points and implement improvements. Some of these threats will be common to all businesses, while others will require consideration of the unique vulnerabilities affecting a particular sector. A crisis management plan requires assessing the level of risk and preparing a response to it. This will improve a company's response to a crisis, even one it had not identified, because the framework for crisis management is already in place.
The information threat
One risk common to all businesses is the information leak. The law firms Appleby and Mossack Fonseca recently found themselves separately at the centre of a global campaign against offshore tax schemes after confidential details of many of their clients’ business affairs and tax schemes were leaked by hackers. In both cases, apparently inadequate technical controls made it much easier for the hackers to steal their clients’ confidential information. In addition to opening themselves up to lawsuits from their clients, the damage done to each firm’s reputation is likely to be permanent. Failure to identify weaknesses or to put in place adequate cyber security protections can have serious consequences for a company's reputation and its balance sheet.
For companies operating in Europe, there is the added risk of falling foul of European data protection law. In October 2016, TalkTalk was hit with a record fine of £400,000 from the Information Commissioner’s Office (ICO) after a cyber attacker accessed customer data including names, addresses and bank details. In a damning report published on its website, the ICO denounced TalkTalk’s “failure to implement the most basic cyber security measures”. The crisis resulted in a drop in TalkTalk’s pre-tax profits of over 50 percent, producing a bill of as much as £60m.
TalkTalk may have received the biggest fine in the UK to date, but this is set to change with the implementation of the General Data Protection Regulation (GDPR) in May 2018. From 25 May, fines will rise up to 4 percent of an organisation’s global turnover or €20m, whichever is greater. The GDPR also imposes much more stringent requirements on data controllers and makes it easier for victims to bring compensation claims. All businesses process personal data and should therefore ensure that they are fully compliant with the GDPR’s requirements before it comes into force, or expect to be penalised accordingly. The increased risk posed by a data breach also means that cyber and information security will be the key risk all businesses must manage.
The insider threat
Although the threat of an unknown hacker is not to be dismissed, what many businesses fail to see is that the biggest threats come from within. In 2016, the National Crime Agency (NCA) reported that approximately 85 percent of all data breaches resulted from mistakes or misconduct from within an organisation or a third party contracted to provide services to it. Good risk management therefore requires paying due attention to internal vulnerabilities and prioritising good governance, education and proactive management.
Failure to identify an insider threat had particularly disastrous consequences for Morrisons. In December 2017, the company became the first employer to be held vicariously liable for a data breach committed by a disgruntled employee who posted confidential information online. Although the court accepted that Morrisons had no primary liability for the breach, the actions of its employee were sufficiently connected to his employment to make Morrisons vicariously liable.
Although the judgment is subject to appeal, all businesses should consider its implications. With the GDPR making it easier to bring class actions for data breaches, organisations need to work expeditiously to build a robust response to a data breach, including one arising from within.
Responding to a threat: crisis management plans in action
Not every problem can be prevented in advance, but preparing a crisis management plan will help to improve a business’s resilience, reducing the chance of catastrophe. All crisis management plans should include certain steps to take if disaster strikes. These are listed below.
First, speed and efficiency are vital. A crisis management plan should be put into action immediately and appropriate external advisers should be brought on board as quickly as possible.
Second, a crisis management plan will include establishing the extent and factual context of the crisis as quickly as possible. This will involve carrying out expeditious investigations and establishing what measures need to be put in place to prevent further damage.
Third, where appropriate, certain individuals and/or organisations will need to be notified of the incident. This may include those affected, law enforcement, the ICO and employees. Any evidence that a business has been withholding critical information is likely to lead to additional reputational damage and financial risk.
Finally, a clear communication strategy is a key part of a crisis management plan. Such a plan should recognise that there is likely to be a range of stakeholders in the business with whom it will be necessary to communicate at the appropriate time. It is vital that the relevant information is ascertained before any statements are made. TalkTalk’s chief executive Dido Harding was criticised after an interview in which it became clear that she had a limited grasp of the extent of the data breach.
It is also essential that any crisis management plan is kept up to date. It is no use preparing a thorough response to a crisis, only to discover that key individuals or advisers are no longer in place when the worst happens. Just as risks need to be regularly assessed, a crisis management plan should be frequently reviewed. Today, an increasing number of insurance policies are available. A business should look at which policy most suits its needs and, indeed, its pocket.
Evaluation
It may be unfortunate to face a crisis, but it would be disastrous to find your company in a similar situation again. The final stage in a crisis management plan should therefore be evaluation. Learning from your mistakes, as well as those of other businesses, can help you to better prepare for the future.
Businesses are sometimes reluctant to incur the cost of preparing for a situation that has not yet happened. However, when it comes to risk management, the costs of poor preparation are often much, much greater and can take a long time to recover from. Crisis planning should be viewed as an essential insurance plan in its own right. A business will, without hesitation, take out public liability insurance. It should treat crisis planning in exactly the same way.
Julian Pike is a partner at Farrer & Co. He can be contacted on +44 (0)20 3375 7217 or by email: julian.pike@farrer.co.uk.
© Financier Worldwide