As companies begin to dig out of the current pandemic and consider or re-evaluate business continuity plans, it is time for in-house counsel, risk managers and CLOs to consider ways in which to mitigate risks, including legal, operational and corporate. Here are a few considerations when contemplating risk assessments:
1. Conduct an Insurance Risk Assessment
i. Conduct a risk assessment of insurance policies. Such an assessment must be conducted to create a business risk profile to identify factors that have the greatest financial impact on the company as well as to identify appropriate risk transfer strategies to:
a) Stabilize insurance costs;
b) Mitigate extraordinary financial impact;
c) Ensure cost effective protection against catastrophic losses;
d) Optimize tax and accounting issues.
ii. Conduct an analysis of current coverage, amounts, deductibles, excess.
iii. Evaluate all insurance policies and insurance companies- coverage, costs, etc.
iv. Investigate establishment of captive insurance company.
v. Review insurance brokers to determine if the right programs are being put out to bid
vi. A review of all claims should be performed
2. Review Litigation Considerations of the Company and /or its Foreign Business Operations or Subsidiaries:
i. Affiliated companies or subsidiaries can be named as defendants. These companies will need coordination of defense and discovery matters. How do the companies handle this?
ii. Consider jurisdiction over foreign entities, including the parent entity.
a) Jurisdiction Issues
b) Maintaining Corporate Compliance
iii. Litigation Respecting Same Products in Multiple Jurisdictions-issue for electronics companies and home appliance manufacturers
iv. Insurance coverage-is it adequate? Has it been reviewed?
v. Litigation issues must be reviewed such as:
a) Coordinating billing from local counsel.
b) Insurance coverage notices and claims and updating carriers.
c) Budgeting for cases.
vi. Currently, many large US companies and subsidiaries of non-US based companies have numerous insurance related lawsuits involving class actions, product liability claims, bankruptcies, employment cases and antitrust and regulatory issues. These should be reviewed.
a) Product Liability Actions
b) Patent Actions
c) Regulatory Proceedings and Investigation
d) Commercial Disputes
e) Product Liability Costs
3. Consider Typical Legal Theories on which a Plaintiff May Base a Products Liability Claim and Class Actions In US and Elsewhere:
i. Breach of Express Warranty.
ii. Breach of Implied Warranty.
iii. Negligence.
iv. Strict Liability.
v. Deceptive and Unfair Trade Practices ("DUTP").
vi. Consumer Class Actions
4. TO ADEQUATELY PROTECT AND DEFEND AND MITIGATE THE RISK OF A COMPANY AND ITS U.S. AND FOREIGN SUBSIDIARIES, NUMEROUS PROCESSES AND PROCEDURES SHOULD BE IMPLEMENTED AND REVIEWED BY LEGAL COUNSEL AND/OR RISK MANAGERS. SUCH PROCESS GOALS ARE:
i. Product Risk Management Goals.
a). Encourage correct product use, increase customer satisfaction and minimize possible injury from use.
b). Improve ability to defend the company in the event of litigation by developing and substantiating defenses to liability, reducing exposure to liability, for example, by removing grounds to impose punitive damages.
ii. Adopt Product Loss Control Policy and Procedures which include:
1. Requiring product group or divisional officers to develop programs consistent with corporate guidelines.
2. Establishment of a group Claims Defense Committee.
3. As a part of the Research – Design – Development process, conduct formal hazard/failure evaluations on all new products.
4. Publish Quality Control Standards and Procedures for all components, materials, and processes critical to product, service, safety, and reliability.
iii. Product Management Consideration Respecting Limiting Potential Liability Exposure – Develop Checklist to include in Product Readiness Approval Objectives Including Product Design Considerations:
a) Written procedures for the design program, including:
b) Design choices – consideration of alternatives.
c) Specifications – definition of acceptable ranges of variation for each characteristic to assure that all designs are reviewed before they are released to manufacturer.
d) Establish a design review committee.
iv. Marketing
a) Review all published statements about the products including advertising, product listings and catalogues to assure that they do not: mislead users, encourage users to disregard directions and warnings contained in the labeling, or promote unapproved or inappropriate uses.
b) Include provisions in distribution and purchasing agreements so that distributor and/or purchaser will:
(i) complete and return surveys and questionnaires
(ii) notify the company of any product failures or malfunctions
The events over the last few days and even months have had a major impact on many companies worldwide, especially those in the US. From the Covid-19 lockdowns, unemployment, stock market collapse to the ongoing riots, companies are realizing that those proactively equipped to handle crisis are in a much better situation than those that are just reacting to the recent catastrophic events.
Companies that successfully manage crises have used risk management processes that contain four or five basic crisis management steps in order to prepare for a crisis. They include the following steps:
1. Identify the major areas of vulnerability the company faces.
2. Develop a plan for dealing with potential threats.
3. Form a crisis management team to deal with or handle threats.
4. Simulate crisis scenarios of potential threats to prepare the company.
5. Learn from the experience of managing the crisis.
Other companies have used a variety of processes or steps to handle crises, including:
Avoiding the crisis through proactive steps
Preparing for the crisis through preparation and planning
Properly reacting as soon as the crisis exists, and
Resolving the crisis
To help put everything into context, a company should realize that many crises, including international crises, occur in stages. The crisis management strategy should be prepared to deal with the stages as they unfold. Each stage requires certain responses from the company, and each stage has a certain impact upon a company. Typically, however, a company does not have a crisis management strategy in place, especially one that can handle the various stages of a crisis. Many times, a company is caught sleeping without a strategy and fails to adequately manage or resolve the crisis, which may severely impact the company. Usually, a poorly managed crisis follows a similar pattern:
-Early indications of a crisis starting—perhaps reports from the Service Department indicating product failure or serious defects.
-Warnings of the upcoming crisis are ignored by company management. Maybe the Service Department’s warnings go unheeded by management.
-The crisis explodes, overwhelming management as deaths or serious injuries are reported due to product failure or product defects.
-Management tries to resolve the crisis quickly but without success as it failed to consider the ramifications of the crisis and how to handle it.
-The company fails to take adequate measures to handle the crisis as the crisis continues to unfold as reported by the media.
-The company suffers the consequences of an outraged media, public, and even some or all stakeholders.
-The company’s existence and brand is severely threatened or put into jeopardy as its stock plummets and lawsuits are filed causing its reputation to be severely tarnished.
Though not all crisis unfold in the stages I describe above, all crisis require a strategy to deal with them. It’s best to work on crisis management strategies now instead of dealing with them during a crisis. Dealing with a crisis as it unfolds without a proactive strategy in place can be very costly and time consuming. And of course, a well thought out proactive strategy increases the chances of success.
Currently, antitrust laws in Korea provides that the Prosecutor’s Office may only bring criminal charges for antitrust violations when the Korea Fair Trade Commission (the “KFTC”) issues a criminal complaint to the Prosecutor’s Office. However, the Prosecutor’s Office has been actively enforcing the antitrust laws, especially in hard-core cartel cases since the creation of a specialized antitrust division within the Prosecutor’s Office in 2015. Since then, the Prosecutor’s Office has been investigating major antitrust violations independently from the investigations conducted by the KFTC. Therefore, Korea’s National Assembly is considering an amendment to the MRFTA that would abolish the KFTC’s exclusive right to criminal referral with respect to certain violations of the MRFTA, including the hard-core cartel cases.
Keeping up with such a trend, the Prosecutor’s office devised antitrust-investigation guidelines (the “Guideline”) for criminal prosecution in cartel cases, which came into effect this year. The Guideline includes a criminal leniency program, which clarifies the discretion exercisable by the Prosecutor’s Office to grant exemption from or mitigate sentences for leniency applicants who cooperate with cartel investigations in good faith. It also lays down the rules for the leniency program, which would enable applicants to avoid compulsory search and seizure, among other things. Although the leniency program is similar to that of the KFTC, it also differs in certain aspects that the leniency program of the Prosecutor’s Office also applies to individual leniency applicants
The Prosecutor’s Office has further clarified its intent to more actively investigate violations of Korea’s antitrust laws and publicized the existence of its own criminal leniency program. Furthermore, it is understood that the Prosecutor’s Office is hoping to finalize a memorandum of understanding (“MOU”) with the Antitrust Division of the US Department of Justice (“US DOJ”) before the end of this year. While the exact details of the MOU between the US DOJ and the Prosecutor’s Office are unknown, it is likely to contain provisions on how two agencies would cooperate in certain cartel cases. Entering into such MOU suggests that the Prosecutor’s Office intends to more actively investigate the international cartel cases in the future.
It is therefore recommended, that companies doing business in Korea review their antitrust compliance policies as they pertain to Korea as well as seek advice from local Korean counsel on how the latest trends could impact their business.
The mounting layoffs, furloughs and job losses currently creating havoc in the US do not bode well for the US economy. But such job losses also force companies to face another stark reality – the potential loss of all of its ESI. Many companies in today’s economy require employees to use laptops, cell phones, tablets and other digital devices in the scope of their duties. What happens when massive layoffs take place? Companies lose control of the digital devices that contain the company’s ESI as former employees are now at home or looking for work elsewhere. Why is ESI so important to a company?
Electronically stored information (ESI) exposes a company to a myriad of risks. The multi-dimensional universe of data privacy of course comes to mind. Cybersecurity is also very important today as many companies and governments continue to get hacked. However, companies not only have to worry about getting hacked or running afoul of the latest data privacy laws and regulations, but also what data to even store, where to store it and how long to store it. Failure to take the where, when and how into consideration can expose the company to unforeseen ESI issues- such as violating US based ESI discovery laws as well as the associated document retention risks.
Electronically Stored Information- Document Retention Risks and Concerns
If a company is involved with litigation in the United States, it has a duty to locate all relevant information, data, and documents—including ESI that are relevant to the case. This can be quite onerous, as it requires:
Familiarity with document retention policies
Involvement with IT personnel
Communication to “key players” of the litigation hold
Location and retrieval of all relevant information wherever that information might be
The legal risks facing a company that fails to handle the above requirements in an economical/efficient manner can be tremendous. Companies have been sanctioned millions of dollars for failing to abide by ESI requirements or, even worse, have lost the respective lawsuits, costing even more. What can a company do to mitigate the legal risks surrounding document management to comply with US legal requirements?
1. Plan of Action
A company must take steps to develop an adequate data and document management plan. It is not too surprising that even the IT Department itself may not have an adequate understanding of where all of the electronically stored documents are considering the plethora of handheld devices that may store documents and other electronic information. Therefore, a company’s management and IT folks need to sit down and map out where all of the documents are located if possible. A document management plan should take the following steps into consideration:
Assess the company’s current use of technology documents.
Locate all in the company’s possession and as well as its employee’s possession.
Use technology to leverage legal requirements.
Retain experts or outside consultants to above or to help implement systems/processes.
Implement policies and procedures addressing all legal risks posed by ESI.
2. Risk Assessment of ESI
To implement an appropriate plan of action, a company must conduct a risk assessment of its processes and capabilities by:
Seeking proposals of vendors (outside experts)
A top-to-bottom analysis
• ESI and paper documents
• Hardware and software
• Management of data
• Retention of data
• Litigation holds
• Disaster preparedness
3. Current ESI Issues
The legal risks facing companies in today’s legal and regulatory climate, especially in the United States, are enormous. Failure to implement a data and document management program that not only addresses a company’s business concerns but legal obligations as well can be disastrous. Therefore, companies must be extremely proactive in this regard before laying off thousands of employees. Not only must companies implement processes to gain control of all digital devices or ESI related devices that it has given to employees, but companies must also take steps to prevent loss of ESI and IP as a result of losing control over such devices.
The main concern a company should have during the Covid -19 related shut-down is whether or not it controls all of the company owned cell phones and laptops prior to laying off its employees. The implementation of a LRM program addressing these concerns is not a luxury but a necessity. It is highly recommended that a company implement a data and documentation management program that addresses ESI and all of its issues.
Before a crisis breaks out, it’s always a good idea for the company’s risk manager or the risk management department (RMD) if one exists to review his or her role, or in case of the RMD, its role within an organization. In today’s environment, including COVID 19 virus issues, it is very important. In order to understand the risk management department’s area of responsibility within an organization, I think it best to for the head of risk management to work with his supervisor in drafting corporate guidelines covering the risk management’s area or responsibility which can then be disseminated throughout the organization. No only should the RM or RMD’s are of responsibility be covered but each individual within the RMD should have his or her position and are of responsibility described in detail as well. It’s best to have everything outlined before the RMD has to contend with a crisis, especially a pandemic.
Areas of responsibility should include the purpose and policy of the RMD in the organization, the functions and execution points of the RMD (who does what, when, how, reporting lines, etc.) as well as a detailed outline of the procedures and processes of the RMD. Procedures and processes can include:
-conducting risk assessments of the organizations’ divisions and departments
-developing solutions for the various risk management issues
-developing business continuity plans
-coordination with various departments to assist with compliance issues
-oversee loss control concerns
-develop training for the organization’s employees covering various risk related areas of concern such as product safety, etc.
Besides managing risk, risk managers must also have a knack for good stakeholder management. In fact, in order to provide effective leadership in today’s corporate world, risk managers and those who have a risk management function, must understand the significance of good stakeholder management. The first step in leadership for any risk manager when looking at stakeholders is to ask the hard questions such as:
(I) Are you prepared to handle risk events relating to your stakeholders or not?
(II) In a crisis management event, such as a pandemic, are you ready to address your customers?
(III) Do you have the right information to communicate to your regulators?
(IV) What are the risk management process to use in case you have major employment related issues?
(V) Do you have a business continuity plan in place?
(VI) Have you coordinated your plans with Legal?
Providing effective risk management leadership requires the risk manager to understand what his or her role within the organization is as well as who the major stakeholders really are and what risk management reporting processes actually exist or should exist. Once a risk manager can answer the questions, the manager as well as the RMD itself is ready to provide effective risk management leadership.
Let’s face it- COVID -19 is creating havoc for many businesses. It is upending markets, impacting the travel and tourism industries, hitting the transportation industry and of course negatively impacting the world’s supply chain. It is a crisis. Which means, that companies must treat it as such. Instead of waiting for an official government proclamation that COVID -19 is now a pandemic, it is time to treat this as a serious crisis.
From a risk point of view, what should companies be doing? Well, it’s time to apply risk management processes. Such processes should seek to mitigate and minimize the impact of the COVID -19 crisis. Such processes can include:
- Mitigation of the spread of COVID-19. Does your company have processes in place to minimize the spread of the virus? How are you protecting your employees? Have you considered the HR issues you might face because of the rate of infection? These questions need to be considered.
- Business Continuity Plan. Have you considered a business continuity plan (BCP) to save the company or minimize the impact of the crisis? A BCP would cover the following steps:
1. Analysis- What aspects of the crisis could hurt the company and why?
2. Design- How do you design a response to the crisis? What measures should be created to address the threats?
3. Implementation- How do you implement the measures?
4. Testing- How do you test the Plan to make certain it addresses the threats?
In order to create and implement the BCP, consider the following risk management processes:
1. Assess the situation- assess the threats by setting goals and priorities
2. Identify all of the major risks
3. Do a risk analysis of the major risks identified by conducting a critical risk analysis
4. Implement a Plan that provides countermeasures to mitigate the major risks – i.e. an Action Plan
5. Review the Action plan to confirm whether it adequately addresses the risks and helps mitigate or minimize the risks facing the company.
It is uncertain how long COVID-19 will have an impact on the world's commerce. However, if you take the appropriate countermeasures now and mitigate your risks the less likely your company will later face threats that could seriously impact it.
