Crisis readiness has taken on increased importance and urgency for boards and management teams.
Product recalls, data breaches, government investigations, health scares, natural disasters, terrorist events, ailing business leaders, and more. The potential crises that can befall companies at any moment seem nearly endless. And thanks to social media, the news of a crisis (accurate or inaccurate) can go viral in a matter of minutes, with potential adverse impacts on share price and reputation, making the company's preparation and readiness to respond quickly and effectively to a crisis increasingly critical. As postmortem media reviews of numerous crises have demonstrated, when a company's response is deemed to have fallen short, a question that is always asked is, “Where was the board?” This is particularly true in cases where a crisis was preventable, early warning signs were ignored, or the crisis was attributable to the company's culture or tone at the top. The message for boards: Prevention is integral to crisis readiness and response.
While management has primary responsibility for crisis readiness and prevention, the board plays a crucial role in understanding and overseeing the company's efforts — in particular: management's crisis prevention activities; tone at the top, culture, and incentives; and the company's crisis readiness, particularly whether it has a robust crisis response plan.
Crisis prevention. Crisis prevention goes hand-in-hand with risk management, as risk management involves identifying and anticipating events that could occur, and putting in place a system of controls to prevent such crises and mitigate their impact should they occur. Boards, particularly audit committees, are increasingly focusing on key operational risks across the extended global organization, e.g., supply chain and outsourcing risks, information technology and data security risks, etc. Some questions for audit committees to address with management include:
• Does the company understand its critical operational risks?
• Has anything changed in the operating environment?
• Has the company experienced any control failures?
• Is management sensitive to early warning signs regarding safety, product quality, and compliance?
• How sound are the company's disaster recovery plans, and how often are they tested and refreshed?
• Is internal audit focused on the adequacy of the company's controls around key operational risks?
Audit committees play an important role in probing to determine whether management has a sound system of controls in place to mitigate critical risks and avoid crises.
Tone at the top, culture, and incentives. While a robust risk management process is essential to avoid and mitigate risk events, alone, it is insufficient. Many of the crises that have done the most financial and reputational damage to companies have been caused by a breakdown in the organization's tone at the top, culture, and incentives. As a result, boards should pay particular attention to these “capital R” risks, which may pose the greatest risk to the company. In today's business environment, it is more important than ever that the board be acutely sensitive to the tone from, and example set by, leadership; reinforce organizational culture (i.e., what the company does, how it does it, including a commitment to compliance and the management of risk); and understand the behaviors that the company's incentive structure may encourage.
Crisis readiness and response. A key role for the board is to work with management to develop and approve a robust crisis response plan tailored to the company's specific risk profile, periodically engage in disaster rehearsal exercises, and test and refresh the crisis response plan as appropriate. A critical component of any crisis response plan is the communications protocol. The protocol should address, among other things, processes, authority, and methods of communication. Questions to consider include:
• Who gets notified — the board, regulators, employees, customers, shareholders, and other stakeholders — and when?
• What channels will be used to communicate internally and externally?
• How will the company monitor and manage reputational issues — particularly via social media?
Even the best-prepared companies will experience a crisis. The ability to avoid disaster — and mismanagement of the situation — will largely be determined by the effectiveness of the company's crisis prevention efforts and response plan. While there is rarely a perfect response, companies that prepare by identifying key risk areas, implementing and battle-testing a robust response plan, and updating it as needed can better position themselves to manage a crisis effectively.
The author can be contacted at auditcommittee@kpmg.com.