The COVID-19 pandemic has thrown in-house counsel around the world into crisis management mode. The scale and speed of change of this crisis on how people are living and working has tested the capabilities of in-house departments in an unprecedented way and has made clear which companies were prepared and which were not. At Priori, we’ve received numerous questions from companies on how they should best manage this situation and how they can be better prepared next time a crisis hits. To provide answers, we asked three experienced crisis management attorneys, Hal Denton, Bill Waller and Gaye Montgomery.
Hal Denton is a New York-based practitioner who serves a wide range of clients through his law firm, Denton Tavares Paes, and for thirty years has been the General Counsel and Chief Risk Management Officer of one of the world’s largest youth exchange organizations. Hal is a graduate of UC Hastings Law School and his most recent book on risk management, No Complaints, No Lawsuits, can be found here.
Bill Waller is a Seattle-based former VP Chief Compliance Officer, and senior federal healthcare official who has also served as the Chief Regulatory Counsel for Chiron/Novartis Vaccines and Diagnostics. During the current pandemic, he has provided advice about COVID-19 issues to medical and technology companies. Bill is an alum of Covington & Burling LLP and a graduate of Harvard Law School.
Gaye Montgomery is a Virginia-based corporate risk and compliance attorney with previous experience as Vice President (Head, Law Department Global Compliance Practice Group) at Altria, where she was responsible for anti-bribery compliance, and as an Associate at Simpson Thacher & Bartlett LLP. Gaye is a graduate of Yale Law School.
What are the key components of a crisis management plan all GCs should have in their toolkit?
The velocity, magnitude and information overload of the ongoing COVID-19 pandemic has surprised even the most seasoned crisis managers. It truly has been like a slow-moving tsunami that suddenly arrived with overwhelming fury. In times like these, crisis plans, and even crisis team composition can change daily, but having a plan in place with trained team members is critical; it enables rapid deployment and re-deployment of personnel to meet changing needs. Having in advance clear definitions of the types of crises your organization might face and team member duty checklists allows the crisis manager to rapidly bring additional people in with minimal training. Typically, every team member has a backup, especially when the crisis may last, or some team members might become sick or unavailable. The team might include any or all of the following: team leader, internal communications contact, external information coordinator, media contact, legal contact, documenter, HR/office management, and information technology contact. Communication of accurate information is essential and must flow in all directions at all times. This ensures that the right people are doing the right things, attending the right meetings to share what they know and contributing to effective decision making. If the GC is also the CRMO, his/her goal should be to manage the crisis and protect the brand so that the CEO/CFO and board can focus on saving the organization and making the best possible decisions for the future of the organization.
How do you suggest an in-house legal team tests their crisis management plans?
Based on my experiences, the best tests are “tabletop drills” that simulate a crisis. These are discussion-based sessions where team members meet to talk through their roles during a crisis. Where a drill is not feasible, we have instead retained outside experts to complete a review of internal procedures followed by company-wide coaching for relevant departments. Unfortunately, I have found that senior leadership participation is often difficult to obtain due to scheduling conflicts, but it is imperative that they understand the importance of workable crisis management plans, and provide insights into the process. It is also important to have individuals on the team who are experienced in formulating and testing such plans (which can be an outside expert).
What immediate steps should my legal team take during a crisis?
The first step is always to define the type of crisis: (1) internal impact, (2) external impact, (3) full impact on a major part of the organization, or (4) emergency level, global impact. Consider ALL stakeholders of your organization: how will each be affected, who needs to be involved, consulted, or informed, what actions can be taken to support each group? Keep the well-being of your stakeholders front and center in your planning and decision making. Second, bring together the appropriate team members and back up members for the type of crisis involved, review team member responsibilities (checklists), and evaluate the crisis. Third, develop an initial response and bring in outside resources as needed, such as PR firms or IT specialists. Ensure communication channels are up to the task and add more team members where needed. Fourth, determine who should meet when, and what communication channels are most effective and efficient. Time is often the most precious resource, so getting the right team together, and ensuring proper, accurate, and timely communications become critical. All of those are required for effective, clear-headed decision making, which is what will ultimately make the most difference in the outcome.
How should a legal team determine how quickly normal business operations can resume following a crisis?
The response is dependent on the nature, length and extent of the crisis. In the current COVID-19 situation, for example, businesses such as restaurants and non-essential stores may be ready to open, but customers may remain wary. Similarly, businesses may be ready for employees to return to work, but personal concerns, day care needs and other issues may limit employee willingness. Myriad issues impact a return to normalcy, including government orders and decrees, risks and liability, HR concerns, insurance, corporate policies, regulatory issues, contract requirements and enterprise risk management. Governmental requirements, trade association guidelines and customer requests may guide this determination as well. Product and employee liability are special concerns among many current clients, which are in regulated and essential areas, but must consider legal risk exposure now and when resuming more normal operations.
How can the legal team ensure the company’s most valuable assets are protected during a crisis?
The most critical work must be done before the crisis begins. Insurance can protect against a wide range of financial losses, so careful evaluation of the insurable business risks is an important step in preparation. Often, however, brand or reputation risk becomes the most pressing concern in a crisis, particularly if your organization is at the center of the storm. Since this risk can’t be insured, it must be managed by effective crisis response at all levels. Effective crisis response requires (1) having a thorough grasp of all available facts, (2) prompt, data-driven (where possible) decision making, (3) clear, consistent communications with all stakeholders, and (4) agreed timelines for expected updates, even when no new information is shared.
The legal team should be involved in all aspects of the crisis response to ensure that information is clear and accurate, that decisions are grounded in the organization’s values and mission (which can diverge from immediate financial interests), and to support all other crisis team members with appropriate legal advice and review of communications and decisions. It’s far too easy in a crisis for imprecise communications to lead to wildly unrealistic expectations from stakeholders (including staff) about when decisions will be made or how the matter is going to resolve, or how soon. Even worse, inaccurate communications can lead to brand damage, complaints or litigation. So, careful legal review of materials being developed, decisions being considered and communications being prepared is central to any effective crisis response.
How do you suggest clients use this crisis as an opportunity?
“Never let a good crisis go to waste.” Attributed to Winston Churchill, this sage piece of wisdom both comforts and challenges us. It reminds us that crises eventually come to an end, but it also cautions that when we get to the other side of them, we will have shirked our responsibilities as leaders if we have failed to mine the crisis for potential opportunity. For decades, companies have been urged to create and, more importantly, keep the current standard suite of crisis management plans: disaster recovery, business continuity, crisis management, crisis communications, and emergency response. The plague of cybersecurity incidents over the past decade or so only heightened the need for crisis management plans, not the least because cyber incidents can compromise a company’s ability to fulfill two of its primary obligations during a crisis: to investigate and communicate.
COVID-19 revealed that many companies still hadn’t gotten the message. And for those that had, they dusted off their plans only to find that the plans lacked the specificity necessary to provide real guidance or had aged beyond the point of being useful. So, I’m not going to tell you that you need crisis management plans and that you need to keep them current; you know that already. And by now, a month into the national lockdown, you’ve either hastily created such plans or decided that managing the current crisis is more important than worrying about the next one. Instead, I’m going to focus your attention on a stakeholder typically overlooked by the crisis management commentariat: the company’s legal and compliance infrastructure.
Crises bring rare opportunities to secure investments in legal and compliance infrastructure that the organization sorely needs for which the perceived business case has hitherto been lacking. A crisis primes the organization to make legal and compliance investments precisely because, in the hindsight provided by the crisis, it becomes obvious that such investments would have placed the company on a more secure and potentially more competitive footing. During my twenty years’ in-house, I characterized this type of opportunity as “catching a moving train,” a key competency of successful and productive in-house legal and compliance departments. COVID-19 is one of those moving trains, and catching it presents legal and compliance departments opportunities they may never see again.
A survey conducted by Morrison & Foerster of 110 in-house general counsels on their biggest pandemic-related business challenges over the next 12 to 24 months revealed that contracts and supply chain issues were among the top three risks and were second only to HR and employment risks. Herein lies tremendous opportunity.
There is no better time to secure investments in e-signature technologies, centralizing contracts in the cloud, standardizing key contract provisions (such as exclusivity clauses), and systematic contract review than when the organization is insisting that your department scour contracts for contract defenses, such as force majeure, the doctrine of impossibility, the doctrine of impracticability, material adverse change, and material adverse effect. There is no better time to secure commitments to systematic business partner due diligence, third party payment controls, and a centralized (or, at least, more coordinated) procurement function. There is no better time to assess the organization’s adherence to existing contracting protocols and controls.
Now is the time to think strategically about leveling up your legal and compliance infrastructure for the future to ensure that your company emerges from the crisis stronger and that your department emerges better equipped to help the organization succeed.
If you would like to speak to Hal, Bill or Gaye or any other crisis management lawyers in the Priori network, please put in an RFP here. If you have other COVID-related inquiries you’d like us to pose to our network of attorneys, please email them to firstname.lastname@example.org