A new survey of senior-level executives working in legal, ethics, compliance and related fields found that nearly two-thirds of them have misgivings about their company's crisis response plan.

The first-ever global Crisis Management Benchmarking Report was issued Thursday by law firm Morrison & Foerster in partnership with the Ethisphere Institute, an organization based in Scottsdale, Arizona, that advances ethical business practices. The law firm said the report is designed to give corporate legal departments insights into trends in crisis management and to highlight best practices for crisis planning.

Nearly two out of three senior executives surveyed reported being only somewhat (56 percent) or minimally confident (10 percent) in their crisis plans.

David Newman, of counsel in Morrison & Foerster's global risk and crisis management group as well as its national security practice, said in an interview: “While a crisis plan is a good start, over two-thirds of respondents expressed misgivings about their organization's plan. The most prepared companies don't just have a plan on paper—they practice it with the actual executives who would be in the room and seek their input before an actual event hits.”

Newman, who previously served as associate White House counsel to President Barack Obama and works in both D.C. and New York, said a key takeaway for general counsel from the report is that “companies across industries are investing significant resources and executive attention in developing a response plan for different crisis scenarios—including cyber events and incidents of workplace harassment that have dominated the news cycle over the past year.”

Of the executives who said they were very confident in their crisis-management plans, the report said such confidence came when their companies benchmarked against best practices on a regular basis, conducted drills on key risk areas at least once a year, and had designated a formal crisis management team.

Conducted in the spring of 2018, the survey collected about 250 responses from senior executives in ethics, compliance, legal, communications and risk functions from both public and private companies, as well as nonprofits, across the globe.

So what do these executives consider a corporate crisis that needs to be addressed in a crisis plan? The most common response was cyber breach, with 67 percent of respondents saying they have plans that address such an event.

Next, cited by 56.5 percent of respondents, was workplace violence or harassment, followed by environmental damage (44.8 percent), a government investigation (44.2 percent), anti-corruption violation (40.9 percent), intellectual property theft event (also 40.9 percent), terrorism (36.4 percent), high-stakes litigation (31.8 percent) and product recall (26 percent).

Nearly half of respondents (47.5 percent) said their chief information security officer plays an active role in crisis response. The report noted this makes sense in cyber breaches, but may not in other types of crises.

The report said that with over half the respondents saying their plans include scenarios involving sexual harassment allegations, that number appears set to rise in response to the #MeToo movement.

“Given the increased prominence of such issues, every company should plan for how they would effectively respond to allegations raising such issues, including allegations involving employees, especially senior executives,” the report recommended.

The report quoted Todd Cioni, vice president and chief compliance and ethics officer at CareFirst,
 as saying, “Your plan needs to be able to take into consideration everything from a water main break making your building inaccessible, to a data breach. The elements and stakeholders will be different, but the fundamental components will be the same: Know who is doing what, who needs to know what when, and who is responsible for getting information to those parties.”

Newman recommended testing a plan through tabletop exercises with the actual participants who would be using it in a crisis.

“Don't prepare in silos. Consider not just preparation within workstreams but true cross-functional planning,” Newman suggested in the report. “Part of the purpose of a good tabletop exercise is to give people the experience of working through challenging scenarios and elements of the response.”

Christine Wong, who formerly was head of international compliance at a multinational company, said in the report that she used the drills in which she participated while in-house as an opportunity to build relationships with crisis team members.

Wong, now a partner in Morrison & Foerster's investigations and white-collar defense practice, recommended, “Design them so people across the business have a chance to talk and get to know each other. That makes it more likely that in the thick of a crisis, information will flow the way it is designed.”