DUTIES OF D&OS IN ANTICIPATING AND REACTING TO CORPORATE CRISES
REPRINTED FROM: RISK & COMPLIANCE MAGAZINE, JUL-SEP 2017 ISSUE
www.riskandcompliancemagazine.com
Visit the website to request a free copy of the full e-magazine
Published by Financier Worldwide [email protected]
© 2017 Financier Worldwide Ltd. All rights reserved.
MINI-ROUNDTABLE
PANEL EXPERTS

Rhoda H. Woo
Managing Director, US Crisis Management Leader
Deloitte & Touche LLP
T: +1 (212) 436 3388

Rhoda H. Woo leads a practice that helps clients with the lifecycle of crisis activities: preparing, responding and recovering. Services include crisis planning, business continuity, war gaming, real-time crisis response, natural disaster recovery and post-event reviews. Ms Woo brings 30-plus years of experience in advising F500 clients on financial and technology risk management. She was most recently the national leader of Cyber Risk Services, and co-authored ‘In the Heat of Corporate Crisis, Mind Over Matter’, Deloitte Review, July 2015.

Charlie Hanbury
Director
Hiscox Special Risks
T: +44 (0)20 7448 6079

Charlie Hanbury is a director for Hiscox Special Risks, providing insurance to organisations around the world for risks associated with complex security and political issues. Their products include Security Incident Response – a policy designed to give companies a simple and robust mechanism to respond to a growing range of business integrity, terror, criminal and political violence threats via the expert services of their partners, Control Risks, the global risk consultancy. Hiscox is the global leading insurer for the provision of services and financial protection around these kinds of events. Mr Hanbury has 13 years’ experience in this field.

Harlan A. Loeb
Global Practice Chair, Crisis & Reputation Risk
Edelman
T: +1 (312) 240 2624

With more than 25 years of experience, Harlan A. Loeb is a recognised expert in crisis and reputational risk management. With extensive experience in global crisis preparedness, he has developed a reputational risk decisional model for corporate officers. Mr Loeb has worked across all industry sectors representing clients including: Wells Fargo, Samsung, United Airlines, Enron, Chevron, Gilead Sciences, Harley-Davidson, Juniper, Waste Management, CME Group, Mitsubishi Corporation, Dow Chemical Company, HSBC, Kraft, Grosvenor, GE Healthcare and SC Johnson. Before joining Edelman, Mr Loeb was a founding principal of Financial Dynamics’ Chicago office and a member of its US board of directors.

Marco Remy Mille
Vice President for Security
Siemens AG
T: +49 89 6363 1717

Marco Remy Mille is Vice President for Security at Siemens AG.
RC: In general, do you believe directors & officers (D&Os) pay enough attention to anticipating and reacting to corporate crises? To what extent are such events constantly evolving?
Woo: In conjunction with Forbes Insights, we surveyed more than 300 board members and more than three-quarters of respondents – 76 percent – believe their companies would respond effectively if a crisis struck tomorrow. Yet fewer than half say they have engaged with management to understand what has been done to support crisis preparedness. And only 49 percent have playbooks for likely scenarios. Even fewer, 32 percent, say their companies engage in crisis simulations or training. We believe the reason companies are not more actively preparing is driven by overconfidence in being able to handle anything, an overly optimistic viewpoint that a minor brushfire will not become a wildfire and a belief that the company’s systems are more resilient than they really are.
Loeb: D&Os are not sufficiently engaged in crisis risk governance. But given the dramatic escalation in corporate crises – roughly 1000 percent over the last decade – D&Os are now fully accountable for crisis risk governance, including reputational risk. Though a growing number of boards oversee threats to their company’s reputation, a considerable business deficit exists in grasping the value of reputation, both as a strategic asset and risk. Furthermore, few organisations possess adequate capabilities and management strategies to mitigate, prepare for and build the resilience to manage crises and recovery effectively. Since reputation risk is not hedgeable, companies are challenged that much more by the strategic imperative of holistic risk management design. As the complexity of this century’s business and global risk expands, boards are recognising that new crisis risks can destroy organisations in ways that were not possible even five years ago.
Hanbury: Directors and officers are understandably more focused on growing their business along the financial metrics that their stakeholders are focused on. When it comes to the issues that might generate crises, the expectation, quite naturally, that directors and officers have is that those issues are picked up through the normal risk management processes. As long as health and safety arrangements are appropriate, there is some form of business continuity management in place and their enterprise risk management people are looking at them to say yes, there are some red risks but we have process, governance and procedures in place, then that is probably good enough for most directors and officers. Events are evolving because factors like technology change and the nature of terrorism changes but the frequency in which they happen appears to be altering. In our experience, most directors and officers will experience some form of crisis every few years.
Mille: One needs to differentiate between attention paid to crisis anticipation versus attention paid to crisis reaction, whereby crisis anticipation would include crisis prevention and crisis preparedness. D&Os do not really have a choice when it comes to reacting to an emerging crisis – when a crisis occurs, they have to react. However, if more time and resources were dedicated to crisis prevention, there would be less need for crisis reaction as fewer crises would actually occur. And if more time and resources were spent on crisis preparedness, crisis reaction would become more effective. I do not necessarily support the view that crisis scenarios are constantly evolving. A crisis occurs if a high impact incident occurs that you are not prepared to deal with adequately. And that can always happen. Therefore, I put so much emphasis on prevention and preparation. What becomes increasingly important, though, is the impact of social media on crisis management. Issues which in the past might only have raised local interest now can become viral and global in a heartbeat, thus increasing the impact and reducing reaction time.
RC: What policies and procedures should companies have in place that will allow them to promptly identify and mitigate risks that can evolve into a crisis, and if necessary, effectively respond to such a crisis?
Hanbury: It is important to have some form of approach to enterprise risk management – a process for horizon scanning and making sure that mitigation measures are appropriate to the risks facing the company. The second thing is to have an effective business continuity management plan which most medium to large organisations will have because customers and regulators demand that they do. But an area where we see gaps is that the plans often focus on the more routine risks such as fire, flood and power outage, and the recovery of IT systems. There is not the same level of rigour applied to responding to non-interruption crises, which often fall outside the business continuity plan. These crises could include cyber extortion – the systems are still running but there has been a breach – or related to a duty of care issue, or something like a suggestion of financial impropriety which could have huge brand implications. We have identified that as a major shortcoming.
Mille: Companies need a global enterprise risk management process, reliable incident management processes, a clear understanding of what differentiates an incident from a crisis, and robust crisis management policies and processes at all company levels.
Loeb: In today’s environment, D&Os must ‘lean’ into risk with a concerted bias for action. Reactive crisis management is not only ineffective, it mortgages credibility and destroys value. Boards and C-suite executives must view crisis risk dynamically and build soft risk management into their broader corporate strategy to protect their company’s reputational value. For boards with a risk committee, their risk governance mandate should include strategic crisis and reputational risk management. This requires a shift in mindset, moving beyond ‘crisis risk avoidance’ to an operational framework that embeds new and agile thinking and systems to develop a ‘pre-emptive mindset’. An organisation’s business strategy, processes and culture must integrate with principled leadership and robust processes and capabilities to dismantle the highly siloed nature of traditional risk management. Such an old-style approach disconnects directors, the CEO, risk officer, communications director and other leaders from the frontlines. A pre-emptive mindset requires strong intelligence, measurement and decisional rights to succeed.
Woo: Policies and procedures are critical, but culture is also important in mitigating crises. Procedures are frameworks which enable people to act, but they need to be supplemented by experience and expertise. One thing companies can do is empower frontline employees to provide early warnings, escalate issues and act to prevent a crisis from ever happening. Employees should be encouraged to use their ‘gut’ where they have a concern even when they may not know the exact problem. The ‘gut’ is not merely a seat-of-the-pants judgment; it incorporates the sum total of an individual’s experience. Fostering this culture of vigilance and maintaining a bias toward action leverages the talent on hand.
RC: What do you consider to be the essential requirements of an effective crisis management strategy? How important is it for D&Os to have recourse to an enterprise risk management (ERM) programme?
Loeb: Reputational crises inherently possess an ‘activating agent’ that frequently triggers multiple enterprise risks. Our experience demonstrates that four core capabilities must be integrated to mitigate crisis risk and decrease probability. First, strategic and cultural business integration serves as the strategic imperative in creating a risk intelligent organisation. Second, risk-sensing readiness capabilities, data mining technologies, real-time analytics, scenario planning and rapid activation capacity must prevail across the enterprise and corresponding geographies. Third, fluid decision making with clear decisional rights, multichannel communication capacity, readiness stress testing and scenario planning generate effective crisis risk management. Fourth, a properly calibrated public engagement strategy defines crisis resolution and recovery and frequently enhances and rebuilds trust and operational credibility. Companies must test their enterprise-wide crisis management plan and develop specific plans for the top 20 risks that link most closely to their core market competency. To be sure, crises prove to be testing grounds for the leadership and character of D&Os. They also determine if and how strongly a company recovers. As such, ‘preventable crisis risks’ do the most enduring damage to franchise value, trust and leadership longevity.
Woo: There are things you cannot write into a crisis plan, for example, how to rally the troops and how to make decisions, among others. D&Os should operate at a strategic level in a crisis, yet many leaders often overlook practical tactics that can enhance decision making. First and foremost, know your team. Consider the make-up of your crisis team. Who is more vocal or reserved? How will formal and informal relationships impact team interactions? You need to understand individual strengths and weaknesses, and how they foster creativity and the important ability to generate options. Second, avoid common decision-making pitfalls. Groupthink is when a group’s need for consensus trumps the judgment of individual members. It often happens when senior leaders are vocal, thereby stifling alternative views. Confirmation bias is only taking in information that confirms our preconceptions.
Mille: Ensure a common understanding of the crisis management policy and related processes, make certain crisis management teams are nominated and trained at all company levels, and enlist the backing and tone from the board. Create executive awareness and acceptance that crises will occur in spite of all preventive measures, and promote preparedness. An ERM programme is essential to identify potential risks and to develop mitigation plans in order to reduce risk exposure. Risks that have been identified and mitigated down to an acceptable residual risk level are less likely to develop into a crisis. An effective ERM programme defines and quantifies the ‘known unknown’ – accepted residual risk – thus reducing the ‘unknown unknown’.
Hanbury: The critical piece of an effective crisis management strategy is there must be clarity on who owns it and where it sits, and that there is also effective integration between the crisis communications plan and the crisis management plan. The crisis management plan should be short and understood by the stakeholders, and well rehearsed. Having an ERM approach is critical, as is the close integration between ERM, business continuity management and crisis management, particularly as these three areas tend to sit in different parts of the organisation.
RC: What are some of the potential liabilities that may face D&Os? How would you characterise their awareness of fiduciary duties and responsibilities in the event of a corporate crisis?
Mille: There are many potential sources for liabilities for D&Os during crises, like ‘duty of care’ requirements, other legal obligations, insurance limitations and compliance related issues. Profound legal expertise is required in order to ensure compliance with all those obligations, which often differ from one country to the other. Therefore, it is essential for each crisis management team to include in their core functions a legal expert who will ensure that D&Os are made aware of their liabilities and act accordingly.
Hanbury: The most important area is the duty of care liability. Depending on whichever legal jurisdiction a company is operating under, it is likely that in responding to a crisis a company will have its actions scrutinised in US or EU courts, both of which are quite clear on duty of care obligations. The awareness of duty of care is much better than it was five years ago but there is still no standardised approach to delivering duty of care obligations across an enterprise.
Woo: Time and time again, we see that D&Os can unwittingly become their own biggest liability. For those executives who have not taken the time to participate in crisis planning and exercises, there is a propensity to swoop in to play ‘saviour’ and actually disrupt the response to a crisis. They may need to stand down until the time comes to receive their briefing. Another common mistake is to get into the weeds of technical resolution of an issue. The question is, ‘what do we do about this?’ not ‘why did this happen?’ Companies need executives to exhibit leadership, but to stay strategic. And to trust the process that the team has trained on and practiced. A crisis is ultimately a test of leadership where D&Os are judged by their response – by markets, investors and customers.
RC: To what extent do companies struggle to understand the respective roles of management and D&Os in preparing for and responding to a crisis? In your experience, what roles have D&Os played effectively during a crisis, and what trends have you seen in their involvement?
Woo: The board is less clear than management on their roles and responsibilities in a crisis. For malfeasance and CEO issues, the role is more obvious and the board tends to be highly involved. For other crises, such as product recalls or weather events, maybe less so, but involvement could still be critical. We encourage boards to break down their responsibilities during a crisis in three ways. With management, the board should counsel management to keep people ‘in the today’, encourage them to be proactive, and serve as a sounding board and endorser of key decisions. With shareholders, the board has a fiduciary responsibility to act ethically and decisively even when shareholder interests diverge from those of management. With key stakeholders, the board is the steward of the company’s reputation and should consider the impact and attitudes of key constituents and the best ways to address their concerns and reactions.
Hanbury: A problem often occurs when senior executives, who may not have had the close involvement that perhaps they ought to have done in developing the crisis management plan, realise that there is a crisis and step in. Leaders of large organisations are more inclined to trust their judgement and want to get on and lead the response – which is entirely understandable but can often be counterproductive. In terms of roles, senior leadership often, in the absence of a well rehearsed plan, focus far too much on resolving the operational parts of the problem, rather than the strategic issues. There can also be ‘paralysis through analysis’, meaning it is important to have an agreed process for decision making so senior leaders can make decisions based on possibly incomplete or even incorrect information.
Loeb: Crisis risk governance is highly variable. Few organisations are equipped adequately with direct board access to those executives accountable for a rapidly growing universe of crisis risks. In many management structures, even risk experts are not well aligned, integrated or even equipped to confront multi-variable crisis risks as one coordinated operating unit. This explains why it is urgent that CEOs oversee and direct the integration of internal and external risk experts, not only to ensure seamless and instant response to a crisis but to work collaboratively in building and constantly improving the design structure of proactive and durable crisis risk mitigation and prevention capabilities. As partners, the CEO and the board should develop their own ‘balanced scorecard’ approach to ensuring that preventable, strategic and existential risks are mapped thoroughly and plotted clearly on a radar tool. Also, the board and the CEO must have constant access to risk experts and to real-time intelligence on the organisation’s ‘state of crisis readiness’.
Mille: By definition, a crisis is an incident with a major impact that cannot successfully be handled by the regular line management in the available time. Therefore, crises cannot be successfully resolved by the line management, but a dedicated crisis management team composed of essential experts is required. The challenge for companies often is to define what essential core competencies are, and when to switch from line management to crisis management, or in other words, when an incident becomes a crisis.
RC: What final piece of advice would you give to companies, and their D&Os, in terms of implementing a robust crisis management culture and a structure that will allow them to anticipate and react to a corporate crisis scenario?
Hanbury: Keep it simple and have a single plan that covers all perils – do not have separate plans for a travel safety incident, for example, or a business continuity incident. Also, it is important to ensure that the senior people who are likely to want to lead in the event of a major crisis are involved in the development and the rehearsal of the plan. It is also important to stress test the plan. This takes someone to throw some nasty problems at the team to stress test what the likely issues will be. When a crisis hits, a leadership team is faced with three priorities: maintain business as usual, manage the crisis and innovate their way out of the problem. No leader can do it all, which means having pre-arranged arrangements with the third parties who can swiftly provide the appropriate resources and expertise is critical.
Mille: Have a well established crisis management team, talk to each other, go through scenarios, identify risks early, accept that things can go wrong, think about possible stakeholders and partners and ‘make friends’ before a crisis arises and communicate what you are doing. And finally: crises will happen, period. They hit you where or when you did not expect it, or else you would be prepared for them. So while you train for specific scenarios, be aware that a crisis will never follow your plan. Crisis management is not about plans, it is about planning.
Woo: While less than half of all companies have crisis management procedures, far fewer companies train on those procedures, and even fewer actually exercise them. Where many companies ultimately fail is to establish a regular cadence of exercising activities as part of their crisis management programme. By practicing realistic crisis simulations, you mature from simply having a plan to possessing a capability to manage a crisis effectively. You are only as strong as your weakest link, so all response teams from the executive team to sites should participate in regular crisis simulations. Simulations bring to life specific weaknesses and challenges in a way nothing else can. They provide a sense of shared experience, an understanding of what all team members are supposed to be doing, and build confidence. As with most disciplines, you are only as good as your last performance, so is it not better to learn in practice rather than in a real event?
Loeb: The tone at the top is critical. It sets the course for the seriousness and urgency with which organisations approach dynamic and durable crisis management design. Effective crisis management involves building capacity, heuristics and muscle memory – a purely functional approach is futile.
RC: Going forward, what types of corporate crisis scenarios do you foresee D&Os having to deal with?
Loeb: The probabilities that organisations will experience an enterprise-wide crisis continue to climb well above 60 percent. Reflecting cyber attacks, whistleblowers, shareholder activism, product quality issues, viral online videos and business sabotage, among other catalysts, the age of constant crises continues to expand both in complexity and speed. Fifty-three percent of companies struck by a crisis do not regain their previous share price after one year, and that percentage will only rise if enterprise crisis management capability does not evolve substantially. With increasing scrutiny on executive compensation, particularly surrounding stock awards, key constituents will provide little to no sanctuary to CEOs when preventable crises erupt. And because facts and truth have been hacked and now rumours and ‘breaking news’ trade instantly as ‘true’ for at least the crisis moment, organisations must become both media companies and intelligence agents on constant alert.
Woo: We now live in a world where retail and healthcare companies are redefining themselves as tech companies. While we do not pretend to have a crystal ball, our hunch is that more crises will be triggered by technology events. Cyber threats are top of mind, from cyber extortion and massive data breaches to losses of intellectual property. But D&Os should not only concern themselves with the nefarious threats. Rising complexity in businesses introduced through the ever-increasing reliance on technology makes companies more vulnerable to technology breakdowns. The linking of various technologies and applications creates more tightly coupled systems and greater potential for failures to cascade from one system to another. And as companies grow more sophisticated in developing risk management controls, they actually create more dependencies that could fail. We believe this may lead to more breakdowns, more catastrophic in nature, driven largely by a company’s own design.
Mille: As long as companies have vulnerabilities, they are liable to become subject to a crisis. The crisis scenarios can be as diverse as the different types of vulnerabilities a company has. And while I am convinced that yes, each company will definitely face a major crisis of one kind or another at some point, the question is: given the often complex and volatile nature of today’s corporate world, can any company afford not to be prepared for a major crisis?
Hanbury: Businesses should expect to see the use of stolen information – obtained via a cyber breach, for example – driving the frequency of extortion events. Sadly, another likely scenario will be further terrorist attacks in parts of the world previously considered relatively benign, such as western Europe. This form of transnational terrorism is impacting countries in the western world in an inconsistent manner, which means that having appropriate measures in place so a business meets its duty of care obligations to its employees will be key. Addressing their safety and managing the changing expectations of employees will be important. In many of these circumstances, these are incidents that are not just systemic issues – where lots of different organisations are impacted, such as with the recent WannaCry incident – it is where the focus will absolutely be on one organisation. Another scenario likely to emerge is around regional instability where an area has a significant political meltdown. This means that organisations must have a plan for markets and geographies which suddenly turn out to be not so stable.