The mismanagement of bet-the-company business crises has become pandemic. Consider just the most recent examples.
ADVERTISEMENT |
In December 2016, Yahoo disclosed that three years earlier hackers had stolen confidential information from more than 1 billion accounts, including users’ names, birthdates, phone numbers, encrypted passwords, and backup security data. The company’s announcement of the theft followed its disclosure in September 2016 of another breach of 500 million accounts in 2014. Senior executives had been aware of the 2014 hacking but failed to properly understand or investigate it. Following the December 2016 disclosure, Yahoo’s market value plunged 6 percent, and the sale of its internet business to Verizon was discounted by $350 million. Yahoo’s general counsel resigned as well, and CEO Marissa Mayer lost her 2016 bonus.
Cuisinart launched a product safety recall in December 2016 regarding 8 million food processors with blades that can crack over time and cause injuries, a problem that was flagged five years earlier by consumers. Cuisinart announced the recall at a time of its choosing, unprepared to follow through with the fix. Phone lines set up to receive calls reportedly were deluged early on, and the company’s website was unable to process claims for replacement parts.
Wells Fargo appears to have botched the management of its recent crisis through lack of preparation. When CEO John Stumpf testified about the sham-account sales scandal before the U.S. Senate Committee on Banking, Housing and Urban Affairs, one frustrated senator later said, according to The Wall Street Journal: “It’s been going on for five years... and he doesn’t have any answers for this problem? By the time the questioning got to me, I was pretty well pissed off.”
These are only the latest high-profile mismanaged crises. There are many other examples, such as the crises arising from major bank violations of anti-money laundering regulations and related laws, and from automotive industry failures with ignitions, brakes, airbags, and emissions controls.
Contrast the above-companies’ performance with Johnson & Johnson’s handling of its tampered-Tylenol crisis in 1982, long considered a paradigm of successful crisis management. However, today its response probably would be regarded as a failure. The company took three days to decide how to respond. With the internet’s 24/7 news cycle, a company doesn’t have three days to take action; it may not have even three hours. Advance planning is critical.
But how does one plan ahead? Crises arise in many forms: a cyber-attack, a plant explosion (gas leak or terrorism?); the sudden death or incapacity of the CEO, a whistleblower alleging fraud, bribery, or regulatory evasion; the list is endless. But most board members and senior managers are generalists, and none has the special expertise to respond to every crisis.
Plans are useless, but necessary
Dwight Eisenhower, who made his reputation as a war planner, said, “Plans are useless—but planning is indispensable.” He knew that developing his arsenal of weapons would give him the resilience to respond to the unexpected in battle. Mike Tyson made the same point, but with more punch: “Everyone has a plan until he gets hit in the face.” Yet, no matter how often Tyson got hit in the face, he continued to train for the same reason that Eisenhower continued to plan.
So, how should a company’s board and senior managers prepare for crises?
Assess possible crises. First, identify those potential crises for which the company needs a response, assessing the likelihood of the crisis occurring and its impact on the business. In the jargon of crisis management, this is called “business impact analysis.” One can’t foresee and catalog every possible contingency, but that shouldn’t stop one from trying to anticipate the most critical threats and to build from there.
Build a team. Second, identify and interview the professionals likely to be needed in any crisis, such as media communications specialists, auditors and forensic accountants, IT professionals, and lawyers with appropriate practice backgrounds (including crisis management). Others will be appropriate for only particular problems, such as oil-well firefighters and product or system specialists (e.g., engine-emissions control technicians or SWIFT payment systems experts). Regulators may prefer some outside professionals, particularly those such as auditors and lawyers who will be assessing the conduct of the company’s personnel, to be independent of the company, i.e., they have done no previous, and expect no future, work from the company. But how then does one ensure that they still will be available and conflict-free when a crisis hits?
Build a notebook. Third, build a notebook for each board member (or board crisis-management committee member) and each senior manager with the contact information and brief professional background of all personnel to be contacted in a crisis, both company employees and outside consultants and professionals. You cannot master the three-ring circus until you have mastered the three-ring binder.
Keep it up to date. Building the notebook is not enough. Keep it up to date. When its rig exploded in the Gulf of Mexico, British Petroleum reportedly had in place an emergency oil-spill plan based on boilerplate plans cribbed from several other petro companies—right down to a telephone number for an expert who had died years earlier. And how are people to be contacted when computer and phone systems are down?
Run fire drills. Finally, run occasional “fire drills.” The New York Stock Exchange had a plan to stay open with a pared-down staff in the event of a disaster, and to shift execution of trades to its all-electronic sister exchange, Arca. However, when Hurricane Sandy hit more than a year later, NYSE-member banks and brokerage houses decided to close the NYSE for several days because, among other reasons, they had never tested their ability to trade using the contingency plan and were not sure it would work.
Internal investigations and regulatory review
Preparing to manage the eventual crisis should extend to planning for its aftermath: the potential internal investigation and regulatory review. Not all crises call for an internal investigation, but many do, particularly when malfeasance or culpable nonfeasance is suspected. Who controls the investigation, a lawyer who insists on following wherever the evidence may lead, or the company’s elected board that is ultimately responsible for the company’s conduct?
Ten years ago, the New York State Bar Association’s task force on the lawyer’s role in corporate governance concluded that “the client [the company] must define the scope of the investigation.” However, there are practical limits. The lawyer has the right, and possibly a duty, to resign if she believes that the scope is unduly narrow. Of course, if the matter under investigation is of interest to the company’s regulator(s), a less-than-full investigation would probably be unacceptable. As the corporate lawyer, Rodgin Cohen, has observed, “The most serious penalties are often reserved for situations where the institution has flunked the investigation of the underlying conduct, rather than the conduct itself.”
Not all internal investigations involve regulatory scrutiny. Those that do raise an issue of the degree to which the company should cooperate with its regulators. The New York State Bar Association’s task force noted that, “Great lawyers may counsel noncooperation just as they may counsel cooperation.” Really? However true that may have been 10 years ago, today the issue is less cooperation vs. noncooperation than how best to negotiate the scope of the investigation.
A business crisis can be a three-ring circus involving the company, outside professionals, and the government. Planning and drills are critical to managing it. Practice will not make us perfect, but it can make us proficient, and appropriate planning can prevent making the crisis worse, and instill confidence that the company is properly prepared to deal with it.
First published March 9, 2017, on the Knowledge@Wharton website.
Add new comment