Anyone in an organization can take the lead on risk management, simply by posing the right questions to department heads and top executives before a crisis arrives. You don’t have to be the CEO to make sure that your company is ready for one of the inevitable bumps and bruises that every company will eventually go through. The first step in leadership for any team is to look at the long list of stakeholders and ask the hard questions.

What are these hard questions? To start with, take a long, hard look at all of your stakeholders and consider both what perils they could face and what perils they can bring! From there, come up with some concrete questions about issues that may arise regarding PR risk, credit risk and HR risk. Here are some examples of good questions to ask to prevent a crisis:

Question 1: How will you communicate with your customers quickly and through various channels in the event of a publicity crisis?

What are your communication protocols? Who comes up with the initial messaging? What communication channels do you have? Who is responsible for each of them?

When things go pear-shaped, time will be of the essence, so you need to have the plan ready before the crisis hits. Don’t be left flat-footed when it does.

Question 2: Where are your compliance records stored? Will they show you took all steps necessary to show you were in compliance with federal and local laws in the event of a lawsuit?

Where do you keep your compliance records, including evidence of training? Does your compliance program include relevant training for employees? Who determines the training you give to employees?

Your legal team should be actively supplying you with the relevant laws and regulations for your industry, and you need to keep meticulous records to show that you are in compliance with them. If not, when the regulators come calling you’ll make it easy for them to potentially levy fines. And if you don’t have the proper records, if your company is charged with crimes, such as antitrust violations, your company may not get credit for being in compliance.

Question 3: What risk management processes have you set up in case of major employment-related complaints?

Have you conducted an audit of the HR department to determine what risk issues exist? If you offer employee benefit plans, have you audited the employee benefit plans to determine if you are in compliance? What risk management processes are in place to prevent harassment claims?

Disgruntled employees - and former employees - are a fact of life. If you have properly trained your entire team by giving them guidance on acceptable and unacceptable behavior, and recorded your compliance and training records, then you can defend your organization against unfair allegations. If you didn’t, then you’ll find yourself paying out in the end.

Question 4: What personal information do you have regarding clients and who has access to it? How are they trained to ensure that no hackers can get past them?

What processes are in place to protect your clients’ data? Are you in compliance with all privacy policies of the countries you do business in? Do you train your employees on protocols to properly protect your data? What IT systems do you have in place to protect your data from hacking?

Target, SK Telecom, Uber, Equifax, even America’s NSA have been hacked. The fact that it has happened to so many organizations means that it can happen to anyone. You need to be actively testing your own systems, protocols and employees to make sure that it doesn’t happen to you.

In an effort to follow through on his populist promises, President Moon Jae-in and his administration have pledged to achieve “economic democratization” by rolling out changes to competition regulations and by strengthening the fair trade regulatory framework. These changes are likely to have a significant impact on compliance requirements and should be monitored closely by corporate leadership and risk management professionals.

The Moon Jae-in Administration’s Potential Regulatory Changes

The suggested changes include:

1. Strengthened investigatory and enforcement powers granted to the Korea Fair Trade Commission (KFTC), including a stepped-up criminal enforcement capacity, and a stricter regulation of conglomerates (chaebols) to ensure transparency in their corporate governance structures.

2. Prevention of abuse of superior economic power. They include:

a. Criminal sanctions for obstructing KFTC Investigations. Amendments to the Monopoly Regulation and Fair Trade Act (MRFTA) took effect on July 19 of this year that substantially increased the penalties for spoliation of evidence (i.e. tampering or destruction of evidence) or refusal to submit information/materials in a KFTC investigation.

b. Expansion of punitive damages to competition laws. Punitive treble damages have been newly introduced in amendments to various regulations, such as the recently amended Fair Retail Agency Transactions Act (FRATA), under which retail agents may recover up to three times the damages incurred due to forced purchase or provision of economic benefit in violation of the FRATA. The amended Product Liability Act (PLA), which becomes effective in April of 2018, also introduces punitive treble damages and lowers the burden of proof for product liability claims.

c. New regulations to address abuse of superior economic power (“Leveling the playing field”). Various new laws and amendments have been introduced in order to prevent abuse of superior power for transactions such as franchising, subcontracting, agency transactions, and online transactions, among others. They will take effect over the course of the next year.

Korea’s Regulatory Changes Expected Going Forward

1. Abolishment of the KFTC’s exclusive criminal referral authority.

Currently, the KFTC has the exclusive authority to refer any alleged competition law violations to the Prosecutor’s Office for criminal prosecution. The KFTC has generally reserved referrals for severe violations. The Moon Administration has pledged to abolish this exclusive authority, which would enable the Prosecutor’s Office to initiate its own investigations into competition law violations and allow others to file complaints directly with the Prosecutor’s Office.

2. Class action suits for competition law violations.

The Moon Administration will likely seek to introduce a class action system to redress consumer harm caused by competition law violations. The Moon Administration has also stated that it will establish a fund to support consumers that suffer from anticompetitive conduct.

3. Increased regulation of conglomerates (chaebols).

In addition to its measures to prevent abuse of superior economic power (which will focus largely on the conglomerates), it is likely the Moon Administration will also regulate questionable practices prevalent among chaebols.

Potential KFTC Changes

After considering whether to eliminate the KFTC’s exclusive right to refer antitrust cases to the Prosecutor’s Office, the Chairman of the KFTC created a task force to consider potential reforms to the overall enforcement of antitrust laws in Korea. The task force, led by the Deputy Chairman of the KFTC, consists of government officers, professors and private sector professionals, including the leadership of NGOs.

The task force held its first meeting on August 29 and will finish its review by January of 2018. The task force will publish a white paper covering the overall review as well as an interim report that will contain a discussion of issues and recommendations that the National Assembly may consider. The task force will consider issues involving civil enforcement, administrative enforcement and criminal enforcement as well.

Equifax, Credit Agencies and Risk (mis-) Management

Recently, one of the largest credit reporting agencies in the US, Equifax, joined the long list of companies that have been the victim of a major data breach. Equifax is now trying to explain how over 143 million Americans — effectively most of the U.S. adult population — had their personal data compromised.

The company tracks the detailed financial affairs of all Americans in order to gauge their creditworthiness. Along with TransUnion and Experian, it maintains personal data on millions of US citizens, but once breached, that information can expose nearly every American adult to identity theft.

Why Tight Data Management is Crucial

Under the threat of massive litigation, which may cause its downfall, Equifax is finding out how important it is to protect the personal information of its users and why data privacy has become a growing area of concern around the world. There are five main reasons why data privacy has become a major area of extreme risk requiring the attention of a company’s management. They are:

Assessing Your Data Breach Risk

Managing the risks inherent in data privacy related issues can be quite a task. However, failure to adequately protect customers’ personal data will lead to great reputational harm and risk to a company’s brand.

In determining the risks a company faces, an organization must answer a series of painful questions, including but not limited to the following:

Only once these questions have been answered and the risks associated with personal data have been considered is a company in a position to create and implement a risk management process to handle its personal data. But remember - the tough questions must be answered first.

What is D & O Insurance? Liability protection for your directors and chief executive.

Korea is unique in the world with regard to the extent to which directors on a company board and chief executive officers can be held personally liable for a wide range of corporate liabilities. Considering this situation, if you don’t already have Directors & Officers (D & O) Insurance, then you need to spend some time considering how you could be liable in the event of a catastrophe - man-made or otherwise - and may want to assess the risk with a professional.

Obviously, to protect the BOD as well as officers from frivolous lawsuits, including shareholder actions, a company should purchase directors and officers insurance (D&O insurance). Whether to use D&O insurance is a question that must be decided in the context of legal risk management.

Good corporate governance requires the board to be fully informed as to the major risk issues facing the company. D&O insurance may be necessary to protect the BOD as well as executive management from lawsuits stemming from fiduciary responsibilities or lack thereof.

For American companies operating in Korea this is particularly relevant. Corporate governance scandals brought about the Sarbanes-Oxley Act (SOX) in the United States in 2002. SOX requires, among other things, that proper internal financial controls be established in publicly traded companies as well as whistleblower provisions and compliance policies.

In fact, U.S. laws and regulations regarding compliance require that the board of directors (BOD) not only be trained in compliance but also have compliance oversight.

Similar measures have been passed in other jurisdictions as well. The result of SOX and other laws in other jurisdictions was to force upon the BOD the obligation of ensuring not only that proper financial controls are in place and properly maintained but also that the Board be apprised of all relevant risk management processes.

Your Fiduciary Responsibility to Your Board & Chief Execs

Hence, risk management processes in general must be considered by the board of directors in light of the board’s fiduciary and legal responsibilities. As directors have a duty of care to the company, they have a duty to protect corporate assets and IP, review risk management plans, including crisis management plans, and take all actions that a prudent businessman or businesswoman would take to protect the company.

The fiduciary obligation directors have to their respective corporations includes the duty to be fully informed and knowledgeable on major issues of risk. Whether it is compliance issues, currency risk, antitrust, geopolitical risk, etc., the BOD must be fully informed to make the appropriate decisions involving the management of the company.

Due to its very nature, the BOD cannot escape its fiduciary obligations with regard to understanding and approving risk management processes.

Have you properly examined Directors & Officers (D & O) Insurance for your Korean company?

Considering the potential litigation directors might face in light of geopolitical events, such as the current situation concerning North Korea, it is prudent to consider D&O insurance. What is the status of D&O insurance in your company? Have you examined the legal risks facing your directors and CEO recently?

What happens if things fall apart or the situation dramatically deteriorates? If you haven’t addressed the situation, the wise thing to do would be to sit down with your insurance broker, if you have one, and discuss the pros and cons of such insurance policies.

Korean media has recently reported that the Prosecutor's Office in Korea is investigating a claim that McDonald's Korea may have violated food safety rules, based on the allegation by a family that their daughter contracted hemolytic-uremic syndrome ("hamburger disease") after consuming a hamburger at a McDonald's outlet in Pyeongtaek, Korea. Though McDonald's has denied responsibility, the investigation into McDonald's Korea brings back memories of the Jack in the Box E. coli crisis that resulted in the near destruction of the Jack in the Box brand. It also highlights the issues facing companies caught up in an international or cross-border crisis.

Managing an international crisis or a crisis with cross-border implications can be a daunting task, especially if it requires internal investigations to be conducted at a foreign venue or an overseas subsidiary. Conducting an investigation can be an emotion-charged, time-consuming process that requires expertise and effective planning. Are you ready to handle one? Managers and other staff who investigate sexual harassment claims in an organization, or even claims involving corruption or bribes, harassment, or theft as well as other allegations, should be prepared to conduct interviews and document the investigation in a proper and thorough manner.

Among the issues that add to the complexity of an international investigation are, of course, issues dealing with foreign laws, culture, communication, personnel security as well as data security and even differences in time. All of these issues combine to make international investigations very complex and rather daunting. For instance, who will handle the investigation? What privacy rights do employees have, and what data privacy rights do they have? What laws will govern the investigation? And do the rules of attorney-client privilege and work product apply? These questions will have to be answered in order to set the stage for the investigation and to provide the framework needed for setting the ground rules of the investigation itself.

In most cases, courts will very closely scrutinize the employer’s internal investigation processes when deciding whether to find in favor of the employer or the employee. The employer will be held to a very high standard, and mistakes, slowness, inadequate documentation and other problems could make the difference between winning and losing the case. It may also decide whether a company faces criminal liability or criminal penalties.

The ultimate goal of an investigation is to enable the company’s decision-makers to resolve matters fairly and effectively. The immediate goal of an investigation is to obtain the facts. Therefore, to be effective, an investigation must be:

  1. Thorough and accurate.
  2. Fair and impartial.
  3. In compliance with the requirements of law and the company’s ethics program.
  4. Commenced and completed in a timely manner.

The investigators must establish a good rapport with those individuals involved in the investigation (whether it be the individual making the report, an interviewee or other individual). If possible, the investigators should also:

The investigative team, if from the home office, may face visa, medical and personnel safety issues that others don't face. The team may also be denied access to sensitive data that they are normally given access to back at home, or they may have a hard time accessing databases that would allow them to track property ownership and court filings. These issues must also be taken into consideration when handling an international internal investigation.

Successfully handling or managing an international internal investigation, as well as the international crisis itself, requires a great deal of planning. The more planning that is done, the easier the investigation will be.

The KFTC recently released its figures on its compensation to whistleblowers. Unlike leniency, which is used by most of the world’s antitrust regulators to encourage the reporting of cartels, awarding compensation to whistleblowers for reporting antitrust violations is not common.
