Before a crisis breaks out, it’s always a good idea for the company’s risk manager, or the risk management department (RMD) if one exists, to review his or her role or, in the case of the RMD, its role within the organization. In today’s environment, including COVID-19 virus issues, it is very important. A risk management department may have multiple reporting lines within an organization or may report to one department head. Are those reporting lines clear? If not, it is time to clarify them.

In order to understand the risk management department’s area of responsibility within an organization, I think it best for the head of risk management to work with his supervisor in drafting corporate guidelines covering the risk management department’s area of responsibility, which can then be disseminated throughout the organization. Not only should the RM or RMD’s area of responsibility be covered, but each individual within the RMD should have his or her position and area of responsibility described in detail as well. It’s best to have everything outlined before the RMD has to contend with a crisis, especially a pandemic.

Areas of responsibility should include the purpose and policy of the RMD in the organization, the functions and execution points of the RMD (who does what, when, how, reporting lines, etc.) as well as a detailed outline of the procedures and processes of the RMD. Procedures and processes can include:

- conducting risk assessments of the organization’s divisions and departments
- developing solutions for the various risk management issues
- coordinating with various departments to assist with compliance issues
- overseeing loss control concerns
- developing training for the organization’s employees covering various risk related areas of concern such as product safety, etc.

Besides managing risk, risk managers must also have a knack for good stakeholder management. In fact, in order to provide effective leadership in today’s corporate world, risk managers and those who have a risk management function must understand the significance of good stakeholder management. Considering the high employee and investor turnover rates, it is no wonder that risk managers must take the lead in providing risk management information to various stakeholders, not only from a compliance perspective but from a profit/loss perspective as well.

Who are the various stakeholders that a risk manager must concern himself or herself with? Of course, the more sophisticated a company, the more stakeholders there might be. Nonetheless, the main stakeholders of any company or organization usually include:

1. Employees
2. Upper Management including the Board
3. Customers
4. Suppliers
5. Regulators
6. Investors
7. Business partners; and
8. Credit Analysts

The first step in leadership for any risk manager when looking at stakeholders is to ask the hard questions such as: (i) Are you prepared to handle risk events relating to your stakeholders or not? (ii) In a crisis management event, such as a pandemic, are you ready to address your customers? (iii) In case of litigation, do you have the right information to communicate to your regulators? and (iv) What are the risk management processes to use in case you have major employment related issues?

Providing effective risk management leadership requires the risk manager to understand what his or her role within the organization is as well as who the major stakeholders really are and what risk management reporting processes actually exist or should exist.

Once a risk manager can answer the questions, the manager as well as the RMD itself is ready to provide effective risk management leadership.

In the past I have commented on crisis management and the tools needed to handle crises in today’s business environment. It is clear, however, that an international crisis, such as the COVID-19 virus, is harder to deal with than a domestic crisis. A pandemic, or potential pandemic as the COVID-19 virus is, is by its very nature an international crisis. Therefore, in essence, the COVID-19 virus presents international crisis problems, issues and concerns to many companies, organizations and even governments. Like other international crises, the COVID-19 virus crisis is of course harder to handle than a domestic crisis. Why? Because of international considerations, an international crisis is harder to manage than a domestic crisis. As it is more complex, companies caught up in an international crisis have to pay more attention to international, cultural, and communication issues than they would in a purely domestic scenario. Cross-border crisis management has become very important. Therefore, an international crisis requires a number of steps, including:

• Planning for an international crisis
• Appointing a crisis manager
• Establishment of a crisis management team
• Knowledge of foreign situation and its impact
• Communications
• Cross-border management of the crisis

The principal focus of any crisis management strategy, especially in an international context, is communications. All crisis management plans call for effective crisis communications, which many times are not executed. Inadequate or failed communications lead to bad publicity, unhappy stakeholders, and potential disaster. An effective crisis communication strategy is necessary for any international crisis. A number of companies and even governments have failed to defuse international crises because of poor communications.

An effective crisis communication strategy is necessary when dealing with an international crisis. A number of processes are needed to implement an effective crisis communication strategy to manage an international crisis, including:

• Creation of the crisis communication team.

• Identify key spokespersons who will speak for the organization. Who are they? What are their roles?

• Training on cultural issues, if the crisis involves other cultures.

• Establishment of communication procedures and protocols. Who communicates to whom and why?

• Identify key messages to communicate to key stakeholders and groups.

• Has a budget been approved for the crisis?

• Have the facts surrounding the crisis been established?

• How will the company use social media?

• Identify third party consultants that can add value to the communication and PR process, whether it is a PR communications firm or a third party company.

• Has a communications war room been set up to handle communications?

Though companies try to resolve the crisis at hand and spend significant sums of money to do so, if they fail to properly communicate to the media and the public, they in effect have lost and can expect outrage and consumer dissatisfaction to such an extent that the very existence of the company can be threatened. This is particularly so for cross-border crises, as the failure to manage international communications can lead to cultural issues which play out in the press or on social media.

So remember, a company doing business internationally has to plan for eventual crisis which may pose a potential threat to the company. If it fails to handle communications properly, it faces not only a potential loss of business but a negative impact on its brand.

As the Corona Virus continues to spread and cause some issues in the world’s supply chain as well as the major equity markets, corporate governance issues are now being thrust into the spotlight. After all, how does the Board of Directors react to a pandemic? What are the rights of shareholders? What corporate governance practices are necessary to help companies address major crises? To address these issues, it helps to first consider what corporate governance really entails. Hence a little summary on Corporate Governance and what In-House Counsel should consider.

1. When in-house counsel is briefing the Board of Directors, the briefing should at least cover the following:

• The structure of the corporation
• Basic Organizational Documents
• The role of the shareholders
• The annual meeting of the shareholders
• Liability of shareholders, if any
• The role of the Board of Directors
• Board Meetings
• Board Committees

2. What are the basic organizational documents?

• In the US, the organizational structure and roles and duties of the shareholders, directors and officers are determined by the laws of the state in which the corporation is formed and by the basic organizational documents for a corporation. In the US, many corporations are incorporated in the state of Delaware, known for its advanced laws relating to the establishment of corporations.
• One of the documents is the Articles of Incorporation (Charter). The charter sets out the fundamental characteristics of the corporation such as its name, nature of business and classes of stock.
• Another document is called the Bylaws. The bylaws determine the specific procedures for governing the corporation, including:
- Procedures for shareholder and board meetings
- The size of the board
- The officers that the corporation may elect or appoint

3. The Role of the Shareholders

• The shareholders elect the directors
• The shareholders approve certain matters including:
- Authorization of additional shares of stock
- Mergers and acquisitions involving the corporation
- Sale of the corporation’s businesses or substantially all of its assets.
- Dissolution of the corporation
- Change of the corporation’s name
- Amendment of the Bylaws
• Management and operation of the corporation’s business are not included within the legal scope of the shareholder activity
• An annual meeting of the shareholders is required at which the shareholders elect or re-elect the directors

4. Liabilities of Shareholders

• Under US laws, a corporation is a distinct entity, separate from and independent of its shareholders. A parent company (as a shareholder) as a rule is not liable for the debts, judgements and other liabilities of its subsidiary.
• Shareholders in the US are not usually liable for the debts and liabilities of the company.
• However, the shareholder may become liable for the liabilities of the company if corporate formalities are not followed.
• It is therefore essential that formalities of the corporate existence separate from shareholders be adhered to.
• Processes need to be developed to prevent the “Piercing of the Corporate Veil”.
• The theory of “piercing the corporate veil” is not a test but a judgment as to which circumstances warrant a departure from the general rule of limited liability.
• Sound corporate practice requires consideration of the various factors that are used in determining whether to pierce the corporate veil.
• Elements of “Piercing the Corporate Veil” include:
- control by the shareholder (often a parent company) to such a degree that the subsidiary has become its mere instrumentality
- fraud or wrong by the parent or shareholder through its subsidiary
- unjust loss or injury to a third party claimant (such as insolvency of the subsidiary)

5. The Role of the Board of Directors

• The board of directors is accountable to the shareholders
• The board must ensure that effective systems of control are in place for safeguarding the corporation’s assets
• The board of directors may legally act only as a body and function in accordance with the Bylaws
• Directors are not responsible for running the business on a day-to-day basis
• If a director is an officer, he or she executes documents in the capacity of the office held
• States confer broad powers upon board members and impose corresponding duties and obligations
• To protect the board’s managerial power, Courts employ the business judgment rule
• The business judgement rule protects directors from liability as long as the directors acted:
- On an informed basis
- In good faith
- In the honest belief that the action taken was in the best interests of the corporation

• The specific responsibilities of the Board include:
- Strategy
- Planning
- Control
• Duties owed by the Board of Directors to the shareholders and corporation include:
- The duties of care, loyalty and disclosure
- The duty of care focuses on the processes and methods by which the Board reaches decisions
- Standard for a breach of the duty is gross negligence

• Informed judgement requires a director to be:
- Fully informed on matters before the board
- Fully informed of all material information available to the board
- Fully informed of the terms, conditions and consequences of the transaction
- Discussion by the board should be frank, deliberate and open

• The board must represent the interests of the company and shareholders and proceed with a critical eye
• The board must independently assess matters before the board
• Each board member must act in a deliberate and knowledgeable manner
• The duty of due care means each board member must act in good faith
• Decisions must be rational
• As a general matter, each board member owes undivided allegiance to the corporation

6. Board Meetings

• The board of directors should meet as often as necessary
• The bylaws set the minimum number of directors

• A director cannot delegate his or her vote by proxy to another director
• Board meetings are governed by formalities
• Decisions are reflected in resolutions
• Minutes of board meetings:
- Should not recite details of the discussions during the meetings
- The minutes should be limited to recording the normal decisions of the board and key information essential to decisions.
- The board is permitted to adopt actions in writing without a meeting and without the requirement of notice using a “Unanimous Written Consent”

Recently, a number of airlines have announced plans to cancel flights to South Korea due to the corona virus outbreak. Korean companies such as Samsung and LG have had to shut down production lines in some of their Korean based plants as well, causing a cascading number of economic issues to impact Korea’s economy as well as the world’s supply chain. Much of the world’s high tech based supply chain is based in Northeast Asia (China, South Korea, Japan, etc.) and the negative effects of the corona virus can be seen everywhere. As Korea is a major supplier of memory chips, cell phones, computers, consumer electronics and home appliances, any disruption in Korea’s economy spells trouble for the rest of the world.

Until recently, for companies doing business in South Korea, the most pressing geo-political risk was the threat of war. Seoul is not far from the DMZ and any altercation between North and South Korea would have an immediate impact upon Seoul and its surrounding cities. However, the impact of the current virus drives home the fact that companies doing business in South Korea have to think of geo-political risk not only in terms of war, but in terms of health emergencies and pandemics as well. Therefore, a company contemplating potential business projects in Korea must, at least on a tactical level, consider the implications of geopolitical risks as well as everyday market risks such as financial, legal and operational risks.

Considering recent geo-political events, many companies should review old risk management policies and procedures, in case updates are needed. Companies are only now beginning to realize they are not prepared to handle the escalating risks caused by the corona virus. Of course, what happens if there really is a true global pandemic? Many companies are not prepared for that. Some risk management processes that should be reviewed are not being considered as they are viewed as too expensive or impractical. Such is the case with political risk insurance.

Companies face many kinds of risks when engaged in offshore projects; of course geo-political risk is one of them. This comes about when a government changes its policy, ideology or even itself, which creates instability, disorder, war, strikes, riots, etc. Or, of course, health risks that affect the region. What must be done to manage such risks? Political risk insurance comes to mind, but some forms of political risk insurance that are offered by capital-exporting nations (such as OPIC, etc.) are subject to politically motivated conditions or motivations that may not take the needs of the investor into account. Case in point: OPIC can only operate in countries which have a bilateral investment treaty with the US. If you are a US investor trying to invest in a country which lacks a bilateral investment treaty with the US, you are out of luck when trying to obtain political risk insurance from OPIC. This is true of other countries which supply similar political risk insurance through export development programs.

For more on political risk see my previous blog: “Managing Political Risk” at Seoullegalriskmgmt.com.

Of all the risks facing companies in today’s business world, reputational risk is one of the most serious. Reputational risk can not only damage a company’s brand, but can even lead to the demise of the company. It is of primary importance to executives, in-house counsel and risk managers in many multinational companies and is seen as one of the top risks a company may face. In fact, in Aon’s recent Global Risk Management Survey, it is one of the top ten risks that are of concern to companies. Deloitte surveyed companies as well and found out that the majority of companies it surveyed rated reputational risk as more important than strategic risk. Many of those surveyed acknowledged they had suffered a brand risk or reputational risk event that resulted in a loss of brand value or a loss of earnings.

Damages caused by reputational or brand risk events are not tied to just domestic related issues. Approximately half of the executives that Kroll polled for its recent Global Fraud Report opined that their companies are at risk of vendor, supplier, or procurement fraud tied to overseas expansion. Many of those surveyed felt their companies were highly or moderately vulnerable to corruption and bribery risks which can of course lead to reputational risk or loss of brand as well as FCPA investigations and fines. According to the respondents in the Kroll Global Fraud Report, ethics and integrity (or lack thereof) was the major cause of reputational risk.

The reputational risk caused by supply chain issues can escalate out of control unless properly managed. Loss of brand value can happen quickly if a fraudulent event becomes public or if a bribery scandal is publicized in the media. Just look at some of the crises that happened over the last decade. Many people have been affected (some have died) because of the crises or mega-crises that have happened. Many of them also included reputational risks as well. Examples include:

• The financial and housing collapse and major recession of 2008
• Toyota implicated in recalls because of brake issues
• Major banks having their credit card customers’ names stolen by computer hackers
• Volkswagen implicated in a pollution emissions scandal
• Target’s customers had personal data stolen due to lax security systems. Over 40 million credit and debit card customers affected
• Sony Pictures: Sony as well as its employees had confidential information stolen

It is undisputable that a major crisis can pose serious threats to a company, and, therefore, the crisis must be managed. Crises can result in (a) government fines, (b) loss of retailer confidence, (c) loss of investor confidence, (d) loss of employee confidence, and (e) massive litigation, including class actions. In other words, the end of the company! Crises also result in reputational risks or damage to the company’s brand which may have a greater effect on the company’s bottom line than the damage caused by the original crisis itself.

When considering brand risk issues during a crisis ask the following questions:
• Is there a Crisis Management Plan in place to handle brand risk once a crisis starts?
• Does the Company have an effective internal investigation process in place that may shorten the time taken to discover internal risks and mitigate reputational harm?
• Have the appropriate decision makers been trained to handle PR and media issues once a crisis has occurred?
• Does the Company have appropriate 3rd party consultants, including risk management companies and media crisis companies in place to help mitigate reputational/brand risk once a crisis event takes place?
• Does the Company have an appropriate international Crisis Management Plan in place in case the crisis is international in scope?

Companies must realize that there are many risks associated with doing business internationally as well as domestically. Brand or reputational risk is very serious and can lead to the loss of money or even the destruction of a company unless the right steps to mitigate or prevent brand risk are in place. So when considering what risks should be addressed on a regular basis, remember reputational risk should be of primary importance.

The recent outbreak of the Corona Virus is a perfect example of how risk, whether biological in nature, man-made, environmental or regulatory, can rapidly change a company’s business plan or affect the current global business outlook. As the virus continues to spread, business plans are being impacted, especially the business plans of companies in the travel, tourism and convention industries. This should give everyone pause and perhaps encourage everyone to reflect on the current risk management processes they have in place, including employee safety related processes. Perhaps it is time to change the processes. Or at least re-examine them.

When talking to your staff or to other departments, how often have you heard the phrase “That’s the way we have always done things”? Just because corporate processes have been done one way doesn’t mean that is the best way or even, in today’s fast-changing world, the right way. Even after the financial meltdown of 2008 many companies continued to use the failed metrics that got them into trouble in the first place. Even the credit markets haven’t changed as much as you would think after 2008. Why?

I truly believe that once processes are created in a corporate or bureaucratic environment, it is as if the processes have been set in stone. They are very hard to change. Even if the world around the company has changed. It is human nature to accept what has been done in the past. Few people want to “rock the boat” even if the proverbial boat is actually sinking. Companies get into real trouble because of this. What happens if the company’s business model actually is out of date or its business plan is no longer viable? Just because it worked in the past doesn’t mean it will work in the future. Do the processes really mitigate risk or not?

I therefore caution everyone not to blindly accept the current risk management processes in place. Risk managers as well as in house counsel and other managers should be challenging risk management metrics on a regular basis. Counsel should be auditing departments on a regular basis. Does that compliance program really work? Does the safety program really work? Maybe the plans worked properly 5 years ago. But what about today?

Remember, if local or national laws have changed maybe the current processes are out of date. If the products that your company manufactures or the services it provides have changed maybe the internal processes surrounding the review of those products and services are out of date. What about the current social environment? What about the regulatory environment? When reviewing your current product liability review processes have you factored in the new risks created by the Internet of all Things? These risks are real. Are you ready for them?

It is a fundamental truth that all things change. Some change faster than others. Regardless, don’t rely on your old or standard risk management processes to continue to provide the same level of comfort they did in the past. Continue to review and to modify them if necessary.
