Of all the risks facing companies in today’s business world, reputational risk is one of the most serious. Reputational risk can not only damage a company’s brand, but can even lead to the demise of the company. It is of primary importance to executives, in-house counsel and risk managers in many multinational companies and is seen as one of the top risks a company may face. In fact, in Aon’s 2019 t Global Risk Management Survey, it is one of the top risks that are of concern to companies. Deloitte surveyed companies as well and found out that the majority of companies it surveyed rated reputational risk as more important than strategic risk. Many of those surveyed acknowledged they had suffered a brand risk or reputational risk event that resulted in a loss of brand value or a loss of earnings.
Damages caused by reputational or brand risk events are not tied to just domestic related issues. Approximately half of the executives that Kroll polled for its recent Global Fraud Report opined that their companies are at risk of vendor, supplier, or procurement fraud tied to overseas expansion. Many of those surveyed felt their companies were highly or moderately vulnerable to corruption and bribery risks which can of course lead to reputational risk or loss of brand as well as FCPA investigations and fines. According to the respondents in the Kroll Global Fraud Report, ethics and integrity (or lack thereof) was the major cause of reputational risk.
The reputational risk caused by supply chain issues can escalate out of control unless properly managed. Loss of brand value can happen quickly if a fraudulent event becomes public or if a bribery scandal is publicized in the media. Just look at the some of the crisis that happened over the last decade. Many people have been affected (some have died) because of the crises or mega-crises that have happened. Many of them also included reputational risks as well. Examples include:
The financial and housing collapse and major recession of 2008
Toyota implicated in recalls because of brake issues
Major Banks having their credit card customers’ names stolen by computer hackers
Volkswagen was implicated in a pollution emissions scandal
Target’s customers had personal data stolen due to lax security systems. Over 40 million
Credit and debit card customers effected
Sony Pictures- Sony as well as its employees had confidential information stolen
As you can see from the examples above, there are numerous kinds of crises that a company should be prepared to handle, especially in an international context. Among them are financial crises, natural disasters including pandemics, product failures, workplace violence, cyber-attack, or hacking, and, of course, terrorism. However, most if not all have resulted in serious reputational crisis which also led to legal risk.
It is undisputable that a major crisis can pose serious threats to a company, and, therefore, the crisis must be managed. Crises can result in (a) government fines, (b) loss of retailer confidence, (c) loss of investor confidence, (d) loss of employee confidence, and (e) massive litigation, including class actions. In other words, the end of the company! Crises also result in reputational risks or damage to the company’s brand which may have a greater effect on the company’s bottom line than the damage caused by the original crisis itself.
The problem facing any risk manager or in-house counsel is that the media in today’s society has become very anti-business. As this anti-business culture of attack has gotten worse over the last twenty years, a crisis can no longer be handled by a simple PR or marketing statement. A full-fledged crisis management operation must be put in place. Damage control is now a very serious matter for any potential crisis, no matter how small. Today, more and more companies have to consider issues that negatively affect the company’s brand and how best to counteract them.
Key considerations when considering potential brand or reputational risk caused by ethical or fraudulent behavior within the company or within the company’s supply chain:
-Compliance- does the Company have a compliance program and is it up to date?
-Compliance- does the Compliance program and code of conduct promote an ethical culture within the company?
-Supply Chain- has the Company’s vendors involved in the supply chain been vetted? Do they follow the Company’s code of conduct? Do they have compliance programs?
-Are there sound corporate governance and control processes in place?
Major considerations for handling brand risk once a crisis has started includes:
-Is there a Crisis Management Plan in place to handle brand risk once a crisis starts?
-Does the Company have an effective internal investigation process in place that may shorten the time taken to discover internal risks and mitigate reputational harm?
-Have the appropriate decision makers been trained to handle PR and media issues once a crisis has occurred?
-Does the Company have appropriate 3rd party consultants, including risk management companies and media crisis companies in place to help mitigate reputational/brand risk once a crisis event takes place?
-Does the Company have an appropriate international Crisis Management Plan in place in case the crisis is international in scope?
Companies must realize that there are many risks associated with doing business internationally as well as domestically. Brand or reputational risk is very serious and can lead to the loss of money or even the destruction of a company unless the right steps to mitigate or prevent brand risk are in place. So when considering what risks should be addressed on a regular basis, remember reputational risk should be of primary importance.
Today, many in house lawyers and corporate executives still think of risk management or legal risk management as the department that manages insurance policies. Many in house lawyers as well as some corporate managers don’t believe risk management is part of their job description. However, given the globalization of business, the increased volatility of today’s business climate and the changes in social media that has increased communication tenfold, the management of risk is now part of every manager’s job description, including the in house lawyer. Risk management should be viewed as an essential part of everyday management, including Legal Risk Management or LRM. Managing a company’s risks is not only important but vital. Until recently, lawyers have been trained to think reactively- i.e. to react to a threat or risks. But given the recent changes in the global business environment, in house counsel must now learn to manage risks. Such proactive management encompasses a large area of not only pure legal risks but also business risks that could lead to legal threats and issues. In essence, an in house counsel must now learn to proactively manage risks by minimizing risk, mitigating risks, transferring risks and eliminating risks. All are in a sense a proactive response to a risk rather than a purely reactive response.
The main role of in-house counsel in corporations or legal entities is now, of course, to mitigate legal risk in connection with the sale of products or services provided by the company. In essence how the company protects its success will be based in part on its ability to manage, control, and minimize legal risk, especially in a litigious society such as the US marketplace. Legal counsel must take an active effort in developing strategies, systems, and processes that will minimize the legal risks faced by the company on a daily basis. The area of risk management for in house counsel has become so large it can now be labeled “Legal Risk Management” or LRM. What is LRM? First you must define legal risk. A good definition is:
"The probable occurrence of a future event or non-event that will have a negative impact on the company that could result in law suits, fines, investigations, crisis, reputational harm, financial harm and of course the destruction of the company’s brand or even the company."
Using this term, legal risks are in fact many. Legal risks can be operational, strategic, financial, regulatory, contractual or corporate in nature. Virtually any risk that can result in litigation, fines, investigations or pose harm to the company or organization (reputational, etc.) can be included. A number of legal risks a company may face can be associated with the following:
Corporate Responsibility Risks
Brand / Reputation Issues
R&D Development Strategy
Corporate Governance standards
Loss of Intellectual Property
Foreign exchange risks
Pension Liabilities and related laws
Fraud / Money Laundering-FCPA risks
Receivables / Credit-Insolvency risks
Inside a company risks may be placed in many categories:
• Legal and Regulatory
• Contractual breaches and damages
Legal risks and business risks intertwine to such an extent that business risk have legal impact. Therefore, in house counsel must become involved in the day to day management of business risk itself. This leads to the question of a company’s appetite for risk. For a company, as well as its in house lawyer, to properly manage risk- management has to understand what risk it is willing to take in the market place and what risk it is not willing to take. Is it willing to buy inferior parts for its product and risk the probability of a product liability lawsuit in order to make a greater profit or not? What does the Board of Directors think about risk? Has the BOD ordered a risk audit of the whole company? Is the company willing to accept more risk than it currently accepts, and if so, what is the rate of return it needs to justify the additional risk? A company may have competing objectives that result in increased risk or a decision to accept additional risk. Does the company have a business model that compares the benefits over the potential increased risk?
Not only must the in house counsel identify legal risks but he must assess the inherent likelihood and impact of the legal risk. Will the impact of the risk be very minor or could it be a major event. Once the in house counsel analyses the risks and assesses the potential impact of the risk, he can then determine how to handle the risk- such as risk mitigation, risk transference, risk avoidance and risk acceptance. The law department of a corporation can serve it well by playing a substantial role in the corporate wide management of risk by proactively managing potential legal risk instead of just reacting to it. By working with cross corporate teams to manage legal risks through corporate governance, compliance, loss control, review of HR processes or product safety concerns, a corporation’s law department increases its value to the company.
By controlling and managing legal risk, an organization is able to control its future. Without adequate Legal Risk Management (LRM) processes, a company is exposed to claims, lawsuits, fines, and investigations. It is imperative that an organization and its in house legal team understand that by controlling and managing legal risk, an organization is able to control its future. It is imperative that an organization understands the role that LRM plays in an organization and that adequate systems, processes, and procedures be implemented to minimize, control, and transfer such legal risk.
As the Corona Virus continues to spread and cause some issues in the world’s supply chain as well as the major equity markets, corporate governance issues are now being thrust into the spotlight. After all, how does the Board of Directors react to a pandemic? What are the rights of shareholders? What corporate governance practices are necessary to help companies address major crisis? To address these issues, it helps to first consider what corporate governance really entails. Hence a little summary on Corporate Governance and what In-House Counsel should consider.
1. When in-house counsel is briefing the Board of Directors, the briefing should at least cover the following:
• The structure of the corporation
• Basic Organizational Documents
• The role of the shareholders
• The annual meeting of the shareholders
• Liability of shareholders, if any
• The role of the Board of Directors
• Board Meetings
• Board Committees
2. What are the basic organizational documents
• In the US, the organizational structure and roles and duties of the shareholders, directors and officers are determined by the laws of the state in which the corporation is formed and by the basic organizational documents for a corporation. In the US, many corporations are incorporated in the state of Delaware, known for its advanced laws relating to the establishment of corporations.
• One of the documents is the Articles of Incorporation (Charter). The charter sets out the fundamental characteristics of the corporation such as its name, nature of business and classes of stock.
• Another document is called the Bylaws. The bylaws determine the specific procedures for governing the corporation, including:
- Procedures for shareholder and board meetings
- The size of the board
- The officers that the corporation may elect or appoint
3. The Role of the Shareholders
• The shareholders elect the directors
• The shareholders approve certain matters including:
- Authorization of additional shares of stock
- Mergers and acquisitions involving the corporation
- Sale of the corporation’s businesses or substantially all of its assets.
- Dissolution of the corporation
- Change of the corporation’s name
- Amendment of the Bylaws
- Management and operation of the corporation’s business are not included within the legal scope of the shareholder activity
- An annual meeting of the shareholders is required at which the shareholders elect or re-elect the directors
4. Liabilities of Shareholders
• Under US laws, a corporation is a distinct entity, a separate form and independent of its shareholders. A parent company (as a shareholder) as a rule is not liable for the debts, judgements and other liabilities of its subsidiary.
• Shareholders in SU are not usually liable for the debts and liabilities of the company.
• However, the shareholder, may become liable for liabilities for the company if corporate formalities are not followed.
• It is therefore essential that formalities of the corporate existence separate from shareholders be adhered to.
• Processes need to be developed to prevent the -“Piercing of the Corporate Veil”.
• The theory of “piercing the corporate veil” is not a test but a judgment as to which circumstances warrant a departure from the general rule of limited liability.
• Sound corporate practices requires consideration of the various factors that are used in determining whether to pierce the corporate veil.
• Elements of “Piercing the Corporate Veil” include:
-control by the shareholder (often a parent company) to such a degree that the subsidiary has become its mere instrumentality
-fraud or wrong by the parent or shareholder through its subsidiary
-unjust loss or injury to a third party claimant (such as insolvency of the subsidiary)
5. The Role of the Board of Directors
• The board of directors is accountable to the shareholders
• The board must ensure that effective systems of control are in place for safeguarding the corporation’s assets
• The board of directors may legally act only as a body and function in accordance with the Bylaws
• Directors are not responsible for running the business on a day-to day basis
• If a director is an officer, he or she executes documents in the capacity of the office held
• States confer broad powers upon board members and imposes corresponding duties and obligations
• To protect the board’s managerial power, Courts employ the business judgment rule
• The business judgement rule protects directors from liability as long as the directors acted :
- On an informed basis
- In good faith
- In the honest belief that the action taken was in the best interests of the corporation
• The specific responsibilities of the Board includes:
• Duties owed by the Board of Directors to the shareholders and corporation include:
- The duties of care, loyalty and disclosure
- The duty of care focuses on the processes and methods by which the Board reaches decisions
- Standard for a breach of the duty is gross negligence
• Informed judgement requires a director to be :
-Fully informed on matters before the board
-Fully informed of all material information available to the board
-Fully informed of the terms, conditions and consequences of the transaction
- Discussion by the board should be frank, deliberate and open
• The board must represent the interests of the company and shareholders and proceed with a critical eye
• The board must independently assess matters before the board
• Each board member must act in a deliberate and knowledgeable manner
• The duty of due care means each board member must act in good faith
• Decisions must be rational
• As a general matter, each board member owes undivided allegiance to the corporation
6. Board Meetings
• The board of directors should meet as often as necessary
• The bylaws set the minimum number of directors
• A director cannot delegate his or her vote by proxy to another director
• Board meetings are governed by formalities
• Decisions are reflected in resolutions
• Minutes of board meetings:
- Should not recite details of the discussions during the meetings
- The minutes should be limited to recording the normal decisions of the board and key information essential to decisions.
- The board is permitted to adapt actions in writing without a meetings and without the requirement of notice using a “Unanimous Written Consent”