Business crime and crisis simulation: Practice makes preparedness

There has been a succession of corporate scandals in recent years that have given rise to thousands of column inches on how best to prepare for and react to a crisis. Whether it be large scale data breaches, accounting scandals, employee wrongdoing, health and safety issues or alleged corruption, allegations of criminality are never very far away.

These types of crises share a number of common facets: from a legal and communications perspective, they tend to give rise to internal investigations, intense media and political scrutiny and a complex overlap between civil, regulatory and criminal proceedings; and from a practical perspective, they tend to suck up large numbers of people across numerous disciplines, flood the email inboxes of those people, and paralyse business decision-making. Heads tend to roll, corporate and individual reputations are savaged, and balance sheets are depleted until, at least for the deep-pocketed companies, the long road to recovery can begin.

The central premise of this article is that, whilst drafting crisis management plans and checklists is a very useful exercise in preparing for a corporate crisis, there is no substitute for simulating crisis response with tailored scenarios. It is these practical exercises that will help executives to exercise sound judgment under pressure, not devising complex flow diagrams. The second key theme is the importance of effective project management. In the writers’ experience, bad decision-making and mistakes in a crisis are often the result of poor communication and delay caused by ineffective project management. We set out some practical tips below as to how this can be improved.

The crisis simulation

There are now many professional advisory firms, including PR and law firms, offering crisis simulations or “war games”, as distinct crisis management products. These sessions can range from hour-long discursive workshops to day-long intensive simulations with live Twitter feeds, news broadcasts and actors posing as FBI agents and journalists, where the objective is to make executives sweat and see if they can demonstrate sound decision-making under pressure.

For those that like to work under pressure, these simulations can be a lot of fun. Furthermore they serve a number of other useful functions, including forcing a company to:

• think about the crisis it fears the most (for many companies this is currently a large scale data breach or regulatory dawn raid);
• consider who its key lieutenants and external advisers are;
• identify its crisis management plans and relevant company policies;
• understand both the scope of and the gaps in its insurance; and
• establish how it would communicate and manage documents in a crisis.

For those companies wanting to draft crisis management plans from scratch, crisis simulations are an excellent starting point to ascertain what is required. For those with existing plans, they are a great way of stress-testing those plans and determining what changes and updates are required.

A common outcome of crisis simulation is for companies substantially to amend their crisis management plans to simplify them and build in practical and technological tools to assist project management. Documents now need to be mobile friendly and inch- thick crisis manuals tend to be largely ignored in a real crisis. Other practical outcomes from these sessions are discussed below.

A crisis simulation can take many forms, but here are a few pointers to get started:

• Consider the crisis most likely to hit the company – draft the worst case scenario in stages, starting with an innocuous-looking incident and building up to a full scale corporate crisis that threatens the existence of the company. Drop in new information every half hour.
• Pull together a list of key people (preferably no more than 15) from around the business (preferably those that would actually handle the crisis in practice).
• Consider how long is required (at least half a day is normally required to flush out enough issues) and block out time weeks in advance. Ban use of mobile phones and email during the session.
• Consider what external support you require to help organise, facilitate, observe and feed-back on the session (legal, PR, cybersecurity, former regulators).
• Pull together relevant crisis management plans, checklists, policies and contact sheets.
• Consider whether you want to simulate a crisis as realistically as possible (for example, with live simulated press and social media) or allow time for relaxed discussion and deviation from the crisis scenario.
• Consider what practical exercises would be useful to carry out during the simulation (e.g. dealing with a hostile TV interview, drafting a list of external stakeholders, drafting a 5 minute summary presentation for the CEO, responding to Twitter complaints).

Bespoke solutions

In drafting a scenario, it is important to flush out problems and issues that might arise for particular types of crisis. For example:

• In relation to dawn raids, who determines access to premises? Where are documents (hard copy and electronic) kept? Which business crime lawyer would you call? What are the legal requirements for a search warrant? How do these requirements vary in each jurisdiction in which the company faces a dawn raid threat? What are they consequences of failure to co-operate?
• In relation data security incidents, where the company’s data and confidential information store? How do the company’s IT systems inter-connect? Who has access to the systems? What data is encrypted? What IT services are outsourced? Who are the data controllers? Which cybersecurity experts would you call? What are the notification requirements? Which section of the police could help and how can it be contacted?
• In relation to financial matters, what documents and information are in the possession of the company’s accountants? Where is the latest copy of the Terms of Engagement with the accountants? Where is financial data stored? How can an investigation be conducted discreetly? Which financial regulatory lawyer would you call?

In carrying out bespoke simulations, a common outcome is that companies realise that the crisis management plan is not a one-size-fits-all solution but only an outline structure. It needs to be supported by subject matter specific checklists of key issues to think about.

Different types of crisis also require the involvement of different experts both within and outside the organisation. A useful exercise within a simulation can be to ask participants to make a list of internal and external stakeholders and consider the messaging to each of those stakeholders and what their involvement might entail.

Companies ought to have accessible contact lists not just for their core crisis team but also a list of experts internally and externally for different types of situation.

Communication and project management

Whilst some of the crisis simulation software products available today do simulate email, this is one area which is very difficult to simulate.

Imagine if the crisis hits just as the company is involved in a major acquisition or the announcement of a new project in which the CEO and General Counsel are heavily involved? Business must go on as usual where possible and this means that email inboxes can suddenly be deluged with hundreds of emails on top of already busy workloads. This presents a real challenge to crisis project managers to ensure their action lists and key messages are communicated in an efficient and secure way.

Many companies are now looking at email alternatives for crisis communication. Since WhatsApp started offering end-to-end encryption, a number of companies have set up private WhatsApp groups. While this depends on having an internet connection, WiFi is rarely far away these days and so this can be an effective tool, particularly as messages are grouped in an efficient manner (although sharing attachments is less easy). This can be especially useful if the company email system is compromised in a data breach or a more restricted form of communication is required.

However, it is not sufficient simply for the crisis team to be able to send and receive messages. It is usually important in a crisis to be able to access key documents at a moment’s notice (for example, the most recent press statement, the factual chronology, the contact list, the action plan etc).

Key executives need to be able to access these documents from anywhere in the world, at any time, from any device. And so internet and cloud based solutions are being developed to create extranets or project working rooms which can act as document repositories and communication tools. The benefit of these solutions over intranet solutions is the ability easily to provide authenticated access to external members of the crisis team, such as lawyers and PR advisers.

For all of those communications solutions, thought must be given not just to security (which will be paramount) but also how confidentiality and legal privilege will be retained where possible. Practical tips to assist in this respect include:

• Assign a project name to the crisis and use it in the subject heading of email and text communications (this is particularly helpful in electronic disclosure exercises later down the line as part of investigations or litigation).
• Mark documents as “Privileged & Confidential” (and also “Prepared for the purposes of litigation” where appropriate to assist in attracting wider litigation privilege).
• Create carefully defined subgroups for meetings and communications (e.g. Gold teams, Silver team) with clearly defined access rights.
• Communicate to the crisis team a simple communication protocol, including practical guidance as to when legal privilege applies to communications.
• Encrypt the most sensitive documents (for example, sensitive legal advice).
• Consider carefully document retention obligations and whether certain discussions should be committed to paper at all.

In many large scale corporate crises, the communications team will circulate a Q&A document, intended as a blueprint for how to respond to tricky questions. Whilst useful for those who have to face the media, this can be a dangerous document as it will often be a combination of fact and spin.

Not many people in a crisis can remember scripted answers to 20 difficult questions and so it is important for the Q&As to be supplemented by the 3-4 key messages which every member of the crisis team should know (for example, in a data breach key messages may be “We have been attacked” (rather than “We have suffered a data breach”), “We are investigating” and “We are taking steps to protect our employees/ customers”.

If crime has been alleged, a key message will often be that “We are co-operating with the authorities” and “It would be inappropriate to comment further at this stage”. Such simple messages can often be lost in the detail of a media storm.

The truth, the whole truth and nothing but the truth

It is inevitable in a crisis that the facts are often twisted or lost in a deluge of advice and opinion. However, this can be extremely damaging, not least when a CEO goes in front of the television cameras armed only with yesterday’s outdated facts.

There will inevitably be many documents circulating that contain a mix of facts, speculation, advice and opinion but it is important to separate the facts and keep them in a document that is clear, up to date, and accessible to the crisis team.

Again, a web-based document repository can work well here as team members will be less likely to search their emails for the most recent version, which is likely to be out of
date.

It can also be helpful to assign an individual to be “master of the facts”, making it his/her role to stay up to date with the factual position as the investigation unfolds and to update
the chronology and fact sheet accordingly. A mid-level in-house lawyer is often well suited to this role.

Crisis simulations are a great environment to practice some of these techniques and see what works well for the company in question having regard to the resources available to it.

Managing conference calls and meetings

The crisis management team should be alerted as soon as it becomes clear that there is a potential crisis. The manner in which the team can be alerted has changed over the years. The traditional ‘phone-tree’ involving the cascading of calls down a chain to inform the team is now rarely used (although may still be maintained as a back-up system).

Today’s mass notification systems make it possible for automated messages, calls, emails, texts, voicemails and social media messages to be sent simultaneously to a number of individuals across various devices, thus mitigating the chance of delay in convening the team.

Effective management of the calls and meetings themselves is vital. We have all been in meetings where we can’t get a word in edgeways because a dominant character is holding forth. Whilst strong personalities can be valuable in a crisis, listening to others will also be a key skill. There is a tendency in a crisis for everyone to consider the issues from the perspective of their own expertise, which can mean that a dominant lawyer may want to spend too much time talking about the legal risk or a communications professional may labour on the Q&A or what is happening on Twitter. A crisis simulation can demonstrate this conflict nicely.

The project managers play a crucial role here in ensuring that appropriate airtime is given to the issues that most matter. It is therefore important that conference calls and meetings
are planned and that the participants adhere to the plan. In this respect, practical tips include:

• Circulate an agenda prior to meetings and calls and list issues in order of priority.
• Consider carefully the timing and regularity of calls and meetings and keep them short and punchy. Too much time spent on calls and in meetings can distract from getting on with important tasks. Early morning calls tend to work best before the day’s events unfold but of course this will not work for everyone if the crisis is international.
• Divide all issues into three broad buckets: (1) Legal and Risk; (2) Communications (internal and external); (3) Investigation. There will be considerable overlap between these buckets but this will help the crisis team to think straight, compartmentalise issues, allocate tasks and approach the issues methodically.
• Ensure that someone notes and circulates action points.
• Devise a one page template that is easy on the eye and records key facts, messages and action points across the above three categories. This should be updated and circulated regularly to keep the team focussed on the important issues and to maintain consistency of messaging.

Conclusion

There is a temptation for legal and compliance teams to think that a thick crisis manual with colourful flow charts demonstrates that the company takes crisis management seriously and is ready to react. The reality is that there often isn’t time to consult a detailed manual. In the social media age, crises tent to break and unfold at break-neck speed and test the mettle of all involved.

If the key people involved have practiced a crisis unfolding and considered the key issues and practicalities in advance, they are far more likely to react quicker and be able to spend more time analysing the factual nuances of this situation at hand than considering procedural issues.

Every crisis is different and so there is only so much planning that can be done and equipping the right people with the right skills is a great place to start.

This article was published in Compliance & Risk Journal, Vol 6 Issue 1, and is reproduced with the consent of the publisher.