The Penn State sex-abuse scandal. Wal-Mart exposed for possible Foreign Corrupt Practices Act (FCPA) violations. The Cinemark movie theater shooting in Colorado. Sandy Hook Elementary School.

Last year, companies and organizations faced an array of crises that forced them to confront some of their worst nightmares. And general counsel likely were at the front lines.

“Often, when there is a crisis, it's either because of a legal matter—an investigation, some type of bet-the-company litigation—or it's something that likely will result in a lawsuit,” says John Wilson, a partner at Foley & Lardner. “Therefore, the general counsel needs to be a key player in forming and carrying out a company's crisis-management plan.”

Some lawyers who've been involved in corporate crises compare the experience to trying to tame a wild beast. “The situation is what one fellow described to me as riding a tiger,” says Tom Campbell, a partner at Pillsbury Winthrop Shaw Pittman and leader of the firm's crisis-management team. “Over the months, he became so exhausted and overwhelmed that he felt like he couldn't hold on. But he knew that if he let go, he'd be consumed alive.”

Unfortunately, when it comes to crisis management, experience is the best teacher, according to Patricia Poole, a partner at Baker Hostetler and head of the firm's emergency-response and crisis-management team. “Once a company goes through a crisis, no matter how small, it generally knows what its strengths and limitations are,” she says.

Because all crises are fact-specific and unique, it's impossible to plan out highly detailed response and management strategies. But there are common threads that companies can anticipate, which will help them prepare for forthcoming bumps and prevent problems from evolving into explosions.

On the following pages, experts share crisis-management tips that aim to help GCs guide their companies when they find themselves in dire situations.

Imagining the Worst

Shortly after Sandra Leung became the corporate secretary at Bristol-Myers Squibb in 1999, the biopharmaceutical company experienced a series of regulatory crises that she worked hard to navigate. Leung, who now is the company's general counsel and corporate secretary, says she's immensely proud of helping Bristol-Myers Squibb work through those crises and contributing to a commendable turnaround that has helped the company thrive over the past decade. Part of what helped her to succeed was keeping a level head and following the company's crisis-management plan.

“It's important to have a crisis plan because if you don't navigate through the crisis well, you could have disastrous results within the company—not only from a shareholder and stock price perspective, but also from a public opinion perspective,” she says. “The company's reputation could be damaged if a crisis is not handled appropriately. Companies must be proactive in crisis management and actually have a plan in place.”

To formulate effective crisis-management plans, GCs should complete broad risk assessments to ascertain their companies' weaknesses as well as the possible natural disasters they could face. GCs and their boards should conceptualize all-encompassing crisis-response plans for their companies, as well as individual plans for each of the company's business units.

“Companies should have a written crisis-management plan that includes as many scenarios as possible,” says Poole. “It depends on the nature of the business. For some businesses, a chemical spill or explosion is possible. And depending on location, companies need to plan for tornadoes and snow storms. All companies are subject to fire crises and workplace fatalities, too.”

Randy Mastro, a partner at Gibson Dunn and co-chair of the firm's crisis management practice group, says having procedures and protocols in place for reporting, decision-making, investigative steps, public relations, disclosure obligations and crisis-response actions helps mitigate crises when they actually hit. “There's a tendency to react spontaneously or emotionally to crisis situations,” he says. “Having protocols in place helps eliminate problems down the road and reduces panic.”

Once plans are in place, companies should drill employees on them and update them annually, according to Poole.

Cyber Concerns

There's one potential crisis that threatens nearly every company in the world: cyber-attacks. The Ponemon Institute recently found that the mean annual cost of cybercrime was $8.9 million per company, and companies experience an average of 1.8 successful cyber-attacks per week.