Insights for Leaders Logo
September 2021

On All Fronts: Preparing for the Unexpected

Best Practices in Crisis and Risk Management

The events of the past year have vividly illustrated the need for corporate leaders to anticipate and prepare for a crisis. Cross-border cybersecurity breaches, expanding expectations of businesses and their leaders related to social and environmental concerns, and an increasingly polarized political environment all create the risk of incidents that could lead to media firestorms, government investigations, or high-profile litigation.

Or more likely, all three. That’s how Ellyce Cooper, one of the lead lawyers on Sidley’s Crisis Management and Strategic Response team, defines a crisis in today’s environment.

“A crisis, in our definition, involves the potential for multiple break-the-company problems coming at a client at the same time,” she says. “It isn’t only a breach, or a government investigation, or a class action suit, or a high-profile piece of legislation. It’s more than that, sometimes all of that.”

The threat of compounding calamities looms even larger today, given our 24/7 media climate, an interwoven global business landscape, and a new presidential administration’s shifting enforcement priorities — not to mention a mounting expectation that leaders weigh in on sensitive social and political questions. 

A crisis response is triggered by a sudden and unexpected threat to a company’s core business or brand. However, crisis management starts long before a crisis hits a company. Yvette Ostolaza, co-leader of Sidley’s global Litigation practice, and a board member of a public company, notes that “Because of its fiduciary duty to protect the interests of the company and its shareholders, boards should consider oversight of risk management and crisis preparedness among its priorities.”

“Corporate behaviors that just a couple of years ago may not have been called out may now cause full-on reputational crises,” says Holly Gregory, co-chair of Sidley’s global Corporate Governance and Executive Compensation practice. “Expectations are changing in fundamental ways, and the failure of corporations to respond sensitively in any number of different areas can give rise to employee or consumer activism — activism that often plays out publicly on social media.”

Karen Popp, a Sidley partner and lead lawyer in high-stakes matters — often with complex legal, political, and public relations components — has had a front seat to some of the past year’s most pressing crises. 

Popp says trends such as #MeToo and racial, gender, and equality claims are only going to pick up steam. “In fact, we expect it to broaden and really surge. New laws and aggressive enforcement of existing protections from the Biden administration are likely to continue. Many states have expanded whistleblower protections over the past year, and while the U.S. has traditionally had some of the strongest laws and regulations in the world, an EU directive has been issued to integrate whistleblower protections — many of which exceed protections available under U.S. law — into their national laws by December 17. This is likely to mean rapid developments in whistleblower law across the EU before the end of 2021.”

In other words, the crises at the corporate level — and the need to effectively manage them — will only broaden.

Here, we provide insights on crisis management for business leaders. After outlining different types of crises facing organizations today, we provide thoughts on managing through a crisis; a discussion of the board’s role in a crisis; and, finally, some observations on how to mitigate a crisis before it starts. Throughout, we focus on the critical leadership qualities for effectively navigating an organization through a crisis.

What Constitutes a Corporate Crisis?

A real crisis — one that rises to the level of needing crisis management — involves significant reputational damage and a variety of threats from enforcement agencies, civil lawsuits, class action litigation, negative press, or board turmoil — often at the same time. Crises often touch multiple jurisdictions, and legal and business matters, simultaneously.

Understanding what defines a true crisis and the various types of corporate crises is critical in helping executives identify, early on, what they need to do to prepare, who they need to bring in to help, and which new issues or complications might arise as they move forward. 

To mitigate multifaceted crises, Sidley has developed an industry-focused approach to crisis management, with dedicated teams focused on banks and financial institutions, education and other non-profits, healthcare providers, the media and entertainment industry, crises involving toxic torts, and the automotive industry. 

“Our deep industry experience can be a game-changer,” says Cooper. “We’ve seen it make all the difference to help clients quickly assess the situation at hand, and make sound, critical decisions in order to stabilize the immediate situation, mitigate further damage, and chart a clear path forward.”

“We often work with insurers who are involved in board cases. There is a playbook to follow,” says Ostolaza. “It is important to follow best practices depending on the crisis.”

How to Manage Through a Crisis

A crisis occurs. What’s the first move? 

Cooper says centralized coordination and clear communication are key. “A crisis is like spokes on a wheel, with public relations, legal, and internal challenges all occurring at once, and the company in the center,” she notes. “That means you’ve really got to know who’s in the middle, assigning roles and ensuring that everyone’s moving in the same direction, delivering the same messages.”

It sounds simple, but given the number of players involved, and the reality that tensions run high in a crisis, it’s “very easy to lose track of what’s going on, which can be dangerous.”

In today’s social media age, where everyone has a platform and information spreads instantaneously, corporations in crisis have to make these coordinated communications decisions fast. While it might be tempting to act first and speak later, reactions without clear communication strategies can have dire reputational (and business) consequences. 

Case in point: When a manufacturer of computer games realized their intellectual property was being compromised by users adapting the characters of their most popular games, they instructed their law firm to write aggressive cease and desist letters to hundreds of individuals. Unfortunately, these individuals turned out to be, on average, 11 years old. The company’s rash action led to an outcry in the gaming community. Rival firms seized on the opportunity, offering the recipients of the letters internships so they could create games of their own.

Consistency across the board is another crucial element at play — especially when it comes to government investigations. 

“It’s easy to say, ‘This isn’t going to work with the jury, but it will work with the government,’” Cooper says. “But ultimately the government is going to know you did or said something different, and that’s going to take away your credibility. If you’re inconsistent, it will come back to bite you.”

Accuracy is also critical. In a government investigation, for instance, the company should be able to present information to back up its story. Ostolaza says there’s no reason companies shouldn’t be prepared to communicate with regulators — and be confident in what they deliver.

“It’s an open-book exam. Pull the emails, look at the texts, interview witnesses. There’s no reason for you to be guessing in these scenarios,” she says. “You don’t need to be reactive.”

Lead With Compassion

A good crisis management strategy doesn’t just enable the organization to move quickly. It also helps support its reputation. To that end, it must be built on compassion.

“I find myself advising, ‘If this happened to your child, what would you expect someone to say to you?’” says Sara George, a former prosecutor for the UK’s Financial Services Authority and a Sidley partner with extensive experience helping global corporations navigate crises. “Be absolutely straight, and if you don’t know the answer, don’t fudge it — someone will ultimately go sell the information they have to the media.”

This can run contrary to traditional legal advice, which dictates that leaders should not accept responsibility or express regret. In today’s cultural and media landscape, however, this approach will do little to protect organizations from liability, and may cause significant damage in the court of public opinion. Instead, management has to be clear that they understand what happened, and the part they played in it. 

For instance, when an industrial accident resulted in chemicals contaminating a nearby river, the company’s senior management should have owned up to it. Instead, they decided on a policy of denial and instructed its in-house counsel to threaten proceedings against local community members who were alleging the company was harming wildlife. The media coverage was overwhelmingly hostile and led to international calls to boycott the company’s products, and inevitably forced the resignation of senior management. 

“This is when we were brought in,” recalls George. ”We immediately counseled incoming management to take ownership of the accident, focus on helping with remediation, and publicly acknowledge their responsibility for the incident.” 

The new management team made substantial and immediate donations to support the clean-up efforts and wrote to thank the good Samaritans who had worked to save as many animals as possible. They also issued a public apology and conducted a transparent investigation into what had gone wrong, and committed to adopt the investigation’s recommendations to prevent a similar incident from occurring again.

“In a crisis, what you tend to not have control over are actions that occurred in the past by people in your company,” says David Hoffman, former Deputy Chief in the U.S. Attorney’s office and partner on Sidley’s Crisis Management and Strategic Response team. “What you do have control over is how the company speaks and acts moving forward — in a way that maximizes authenticity and integrity, and accounts for how these words will be judged in the present environment.”

Internal Communications: Stay Visible and Build the Right Team

Internal communications are sometimes just as important, particularly amid an internal investigation. This requires assessing how the crisis will play out with employees, and managing and identifying the key stakeholders inside the company. Throughout the crisis, it’s crucial that senior management remain visible. As George says, “There’s nothing worse than that photograph of the executive on holiday while their company is in flames.”

To help make these decisions, it’s important that legal and communications teams work hand in hand. But they’re not the only team members who need to get involved; depending on the situation, the team might include a number of different types of lawyers (for instance, those with deep experience working with relevant government agencies), a PR team, HR professionals, insurance counsel, and IT experts, among others. The key is to identify the essential players. 

“Too many people looped in slows down decision-making,” says Yuet Ming Tham, one of Sidley’s lead crisis management lawyers in Asia. “You need the right team members who can move fast and be nimble. If they can do 75 percent of the job, you can supplement from there.”

Take, for example, an organization that was dealing with the aftermath of a cybersecurity incident with legal ramifications in multiple jurisdictions. By limiting information about the incident during the initial assessment phase to a specific response team (including the CEO, general counsel, and heads of IT security and public affairs), the organization quickly formulated and coordinated strategy across different continents and channels — all before the news broke and inquiries from concerned business partners started pouring in. 

“Early on in a crisis, a tight-knit response team with the power to make things happen can help companies get out ahead of what tend to be incredibly fast-moving events,” adds Tham. “In this case, the team’s agility and strategic coordination went a long way towards restoring stakeholder confidence and limiting fallout.”

Efficiency, agility, and levelheadedness are often more important on the crisis team than being the best at a specific function. 

“Sometimes an employee may think that because they do something well in their everyday job, they’ll be able to handle it in a particular crisis — but not everyone can rise to the occasion or know what the best practices are across an industry with respect to a particular crisis,” says Ostolaza. “That’s why it is important to consult with third-party professionals who may have a bigger picture.”

Looking Forward

When the crisis is finally in the rearview mirror, be sure to assess its lessons — not only to prevent future crises, but also to demonstrate to the government (if it’s involved) and other stakeholders that your company has used the opportunity to improve its compliance and ethics program. 

“In response to a crisis, leaders should consider what lessons were learned by the company. They should decide what remediation, if any, should take place and determine how the company can perform better in the future,” Ostolaza says. “This might entail a task force — composed of senior management and/or the board — that identifies, for example, whether the company should add personnel and how to implement, monitor, and report on that remediation.”

No matter the case, navigating a crisis and mitigating new ones on the horizon is an ongoing process, one that requires constant review and analysis.

“One of the things company leaders excelled at last year was continually reassessing the situation, and understanding that there were different stages of the pandemic,” Gregory says. “COVID-19 really brought home that as leaders anticipate the unexpected, they must be prepared to make decisions at times based on the best information available — even though they know that the information is not complete or only provides a partial view. And then they need to continue to adjust the response as the situation evolves or the situation becomes clearer.”

The Board’s Role: A Balancing Act Requiring “Constructive Tension"

The board’s role in a crisis depends on a number of factors. In most instances, the CEO and senior management team lead the crisis response, keeping the board informed as appropriate to the situation, with the board providing oversight as well as coaching and input on key decisions. In some situations, however, the board plays a more active role — for example, if the crisis implicates senior management. 

Earlier and active board participation likely would have helped during a crisis last year, when the CEO of a bank instructed an external law firm to conduct an internal investigation designed to exonerate his misconduct. After his subordinates — knowing the investigation would not be independent or objective — leaked evidence to the business press, the CEO threatened the journalists involved, which ultimately led to his resignation and the initiation of police and regulatory investigations into his behavior. 

Providing oversight while also coaching management, however, is a balancing act that requires what Gregory calls “a constructive tension” with management. “Boards need to be supportive, while maintaining a healthy skepticism that can help them spot and address red and yellow flags.”

It’s important that this “constructive tension” extend to the board’s own culture. After all, the board is a deliberative body that functions at its best when diverse viewpoints are welcomed and discussed. That said, there’s a point at which too much tension hinders the board’s effectiveness. 

“In a well-functioning board, the directors usually reach consensus, and when they don’t, the directors respect and support the decision of the majority even though they may have preferred an alternate course of action,” says Gregory, who is frequently called on to advise boards regarding sensitive crisis matters involving significant reputational exposure. “However, if there is always a split majority/minority vote — with the same directors divided into the same camps — that is a warning sign of potential trouble. Further cracks may well develop when the board comes under the increased tension presented by a crisis, which is precisely when a well-functioning board matters most. Thoughtful attention to board culture in the regular course of business — as in the yearly board evaluation, for instance — pays dividends in a crisis, as does attention to internal controls, ethics, and compliance.” 

A crisis also requires effective planning to support deliberate, coordinated actions in the heat of the moment. Directors, like management, need to understand roles and responsibilities in a crisis. They need to be clear and aligned in their delegation of authority to management and in their expectations regarding the level of board or committee — or special committee — involvement and the flow of information. They need to be positioned to make rapid decisions on these issues and, if called for, in determining the board’s own external advisors. 

Once a crisis hits, the nature of the incident and the potential for related risks needs to be determined quickly (with the caveat that the situation will likely continue to develop) and decisions need to be made about who will run crisis management for the company and how involved the board will be. 

“Board involvement is dependent on the scope of the problem and the circumstances at hand,” Gregory says. “If the senior management team is implicated, directors will have to be far more engaged. But in most cases, the CEO and key members of her team will be the best positioned, with the board there to advise and provide guidance as appropriate to the circumstance.”

“A misstep we often see is that when a crisis involving potential concerns about management malfeasance arises, someone on the board comes out and says — prior to any investigation — ‘We have full confidence in management,’” Gregory observes. “That is usually a big mistake. The board and board spokesperson should understand communication guardrails that apply in a crisis, and this is work that should be done in advance.”

In some situations — including those that involve allegations or concerns of malfeasance by a senior officer — the board will delegate to a committee of independent directors oversight of the crisis response, including the internal investigation into the alleged wrongdoing. 

Throughout, the board should be prepared for the situation to worsen while keeping the big picture in mind — how much is known and unknown, the impacts the crisis could have on customers, employees, suppliers, investors, and liquidity, and the risk of related litigation, regulatory enforcement activity, and other follow-on problems. 

“By nature, management teams are optimistic,” says Gregory. “They believe they can manage the crisis. Often they’re right, but they may be wrong, or miss an important follow-on risk. That’s where healthy skepticism from the board can be extremely important.”

Risk Management: Preventing a Crisis Before It Happens

“The best crisis is the crisis averted,” says Raymond Bonner, lead lawyer for Sidley’s Risk Management and Critical Matters team. “And the best way to avert a crisis is to get out ahead of significant potential risks.”

For instance, consider a manufacturer that produces pharmaceutical products using glass vials. If the manufacturer relies on a single vial supplier, it is exposed to increased risk. An adverse event at the vial supplier — for example, a quality issue that results in a recall — will have a direct effect on the manufacturer. Such events can result in significant supply chain disruptions, reputational damage, litigation, regulatory action, and an impact to the company’s financial condition.

With proper risk controls in place — be it supplier diversification, continuous monitoring of key performance indicators, or frequent risk auditing — those issues can be mitigated or avoided. But in a world where known and unknown risks abound, it can be challenging to know where to start. A good place to begin is by conducting a diagnostic review of historical, current, and “coming around the corner” risks. 

“History repeats itself,” Bonner says. “And while companies will likely have implemented corrective/preventative actions, oftentimes no one has gone in and actually assessed whether these actions were effective or not, and so they require further assessment.”

“Current risks can arise when a company wants to take strategic steps to stay competitive and advance their business goals,” notes Bonner. “That’s when it becomes extremely important to make sure the right measures and controls are in place from a legal, enforcement, and business standpoint. For instance, if you’re entering a new market you’ve got to ask yourself: is our strategic plan strong enough to fully appreciate the new risks that come with entering this new business sector or geographic region?”

Finally, there are the “coming around the corner” risks. “Nowadays you really need to have some regular cadence of review concerning what’s coming around the corner,” says Bonner. “That means thinking through significant factors like evolving government priorities and enforcement areas, what your competition is doing and how you might respond to it, and where you want to take the business next.”

Undertaking a diagnostic review can guide an organization’s strategic risk management plan and advance its business goals. But for the diagnostic review to be effective, it has to be a collaborative effort. “This isn’t a reactive internal investigation,” says Bonner. “It’s a proactive assessment driven by an awareness of any number of different risks and business threats. It works best when employees at multiple levels are encouraged to collaborate and provide substantive input — input that will ultimately enhance the company’s systems and mitigate identified risk issues.” By defining the company’s risk profile and escalating critical matters to senior management, diagnostic reviews can help position companies to take a sound, strategic approach to risk management. 

This article has been prepared for informational purposes only and does not constitute legal advice. This information is not intended to create, and the receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking advice from professional advisers. The content therein does not reflect the views of the firm.
We want to hear what you think about our content. Please email us at to share any feedback you have.
Insights for Leaders Logo