Crisis Management 101: 6 Keys to Solidifying Your Crisis Response Plan
A panel of in-house and law firm leaders ran through their crisis response development, from planning to resolution and repair, at SuperConference 2019.
May 22, 2019 at 02:30 PM
7 minute read
Cyberattacks are bad, but know what's worse? A cyberattack that is then punctuated by an incomplete crisis management strategy and an ever-changing message.
Melissa Ventrone, a partner at Clark Hill PLC focusing on data privacy and cybersecurity, pointed to Target, Equifax and Facebook as examples of crisis management strategies that exacerbated preexisting problems. As she explained, “Once we say something, we have to expect, whether it's internal or external, that it's going to be public.”
Ventrone moderated the “Crisis Management 101: Reputational Risk & How to Develop an Action Plan for Immediate Response” panel at SuperConference 2019, where she and the assembled in-house counsel ran through six keys to developing a proper crisis management strategy. The in-house panel included Linda Dubnow, senior director and assistant general counsel at TransUnion; Stephanie Seay Kelly, general counsel and chief compliance officer at Chicago State University; and Kristopher Keys, deputy general counsel and chief compliance and ethics officer at Exelon.
|Key 1: Preparedness
It may seem simple to say that counsel should be prepared for a crisis, but it's a step that cannot be taken lightly. As Dubnow noted, “Taking the time and making the investment in developing a well thought out and issue response program … can help you develop structure and consistent responses, and to deliver them with expedient efficiency.”
Kelly broke down preparedness into two buckets: preparing for the foreseen crises, then developing a skeleton to apply to the unexpected. She noted that as Chicago State is a public campus, active shooters and public health concerns are obvious risks. But if there is a situation that happens such as, say, the deadly Unite the Right rally near University of Virginia, the school needs to prepare not only for the event itself but offshoot rallies and events as well.
How should organizations identify who should be involved in preparation? Keys said it's “testing, testing, testing. Literally.” Exelon's GridX program pulls in stakeholders like government officials and utilities to go over a national disaster program. Then, regional utilities all need to test their own plans on a local level. Finally, there are also functional area contingency plans, with legal, IT and other areas engaging in their own prep and training.
|Key 2: First Response
Once an event occurs, it's time to respond. Dubnow noted that for “every issue you identify, you should craft, at least in draft, your plan.” This means different plans for different crises—a weather incident, for example, has different engagement, notifications, and more from a cybersecurity incident.
“You're not going to have a lot of facts, but at the very beginning of an investigation you can develop a plan based on the severity of the incident, the supporting facts,” and mitigate issues, she explained.
Kelly added that there's often the tendency when a crisis emerges to run out and say something. “But it's really important that the first thing you say, it's going to be hung around your neck like an albatross, especially if it's incomplete or wrong.” She explained that the first reach out doesn't have to be much but should be factual, concise and quotable. “It should show that you are taking action, that it is being addressed and handled, and we are going to let you know.”
|Key 3: Keep Communicating
The first reach out isn't the only communication in a crisis; far from it. Dubnow explained that identifying stakeholders should have been part of the preparation, but often “inevitably something new will come into the mix.” She gave the example of a cyber incident that originates in a country outside the organization's normal purview, meaning that communications with a foreign, unfamiliar government are now necessary.
Kelly added to prioritize the intended audience based on the crisis. A weather emergency for her means contacting students, for instance, while a crisis in the middle of appropriations hearings means a call to government relations. “Undoubtedly, when there's a vacuum of information, people start to panic and they start to speculate,” she explained. “You need to flood the zone.”
Social media is also an important part of Kelly's world, as she said she needs to very carefully craft social media policies, especially considering First Amendment issues as a public institution. “We're not just doing old fogey emails the way that probably most of us in this room communicate,” she added. “You have to get on Twitter and other platforms as well.”
|Key 4: Resolution Strategy
How do you know when you're done? Kelly noted the importance of establishing milestones or goalposts during a crisis. “Each time you get to that milestone, you evaluate where you are and what you're communicating to folks.” She added that of course the legal department would love to finish quickly, “but the truth of the matter is, you're always going to have concerned constituents who want to know what's going on. … I think you're done when folks stop asking.”
Keys added that in a public company, part of any resolution strategy should be after-action review and reporting to the board. As the board has a fiduciary duty to shareholders to report on the goings on inside the company, keeping them updated of critical events and how they are resolved is simply good business. “I can't imagine a scenario where we notify the board of a crisis… and we don't circle back with that analysis,” he explained.
|Key 5: Legal Considerations
As noted before, a quick and accurate first response helps. But what a company doesn't want to do is admit liability. As Ventrone noted, “Once you push it out outside that control group, once public, always public.”
She explained that nuance is crucial when trying to defend a client down the road, while still showing sincerity in responding to an incident. “There's a balancing act,” Ventrone said. “You want to help the client and company protect their brand, but you don't want to open them up to liability down the line.”
So where is that line? According to the panel, it's a case-by-case basis, and sometimes can come down to a gut check. Especially when searching for a quick response, Kelly said, “You have to be guided by doing the right thing and communicating in a way that mitigates the larger risk to the organization, and hope you can carry that through in private litigation.”
|Key 6: Fixing What Goes Wrong
Finally, it's important to fix mistakes after event response is completed. One of the more common mistakes Keys sees is siloed plans, with legal not taking input from others. “When they are created by a single discipline in an organization, there's not the cross-functional collaboration. That's necessary to make it effective,” he explained.
Dubnow added that a major issue she sees is not continuing to enhance and improve a crisis plan based on one's own experiences or experiences in the industry or others. While some roll out training once and never again, “your employee base turns over time, and you need to continually emphasize [to] your employee base how to report an issue, how to communicate a concern.”
Keys agreed, adding that learning from other's mistakes has real value. “I hate to say it,” he said, “but take advantage of others' pain and develop scenarios based on what happened to them.”
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1The American Lawyer Names Industry Award Winners
- 2Regulatory Upheaval Is Coming. How Businesses Prepare and Respond Will Separate Winners and Losers
- 3Cravath Elevates 7 to Partnership, Up From Last Year
- 4Kline & Specter Hit With Lawsuit From Another Former Associate
- 5USPTO Director Kathi Vidal Announces Resignation Ahead of Administration Change
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250