Let’s face it- COVID -19 is creating havoc for many businesses. It is upending markets, impacting the travel and tourism industries, hitting the transportation industry and of course negatively impacting the world’s supply chain. It is a crisis. Which means, that companies must treat it as such. Instead of waiting for an official government proclamation that COVID -19 is now a pandemic, it is time to treat this as a serious crisis.
From a risk point of view, what should companies be doing? Well, it’s time to apply risk management processes. Such processes should seek to mitigate and minimize the impact of the COVID -19 crisis. Such processes can include:
- Mitigation of the spread of COVID-19. Does your company have processes in place to minimize the spread of the virus? How are you protecting your employees? Have you considered the HR issues you might face because of the rate of infection? These questions need to be considered.
- Business Continuity Plan. Have you considered a business continuity plan (BCP) to save the company or minimize the impact of the crisis? A BCP would cover the following steps:
1. Analysis- What aspects of the crisis could hurt the company and why?
2. Design- How do you design a response to the crisis? What measures should be created to address the threats?
3. Implementation- How do you implement the measures?
4. Testing- How do you test the Plan to make certain it addresses the threats?
In order to create and implement the BCP, consider the following risk management processes:
1. Assess the situation- assess the threats by setting goals and priorities
2. Identify all of the major risks
3. Do a risk analysis of the major risks identified by conducting a critical risk analysis
4. Implement a Plan that provides countermeasures to mitigate the major risks – i.e. an Action Plan
5. Review the Action plan to confirm whether it adequately addresses the risks and helps mitigate or minimize the risks facing the company.
It is uncertain how long COVID-19 will have an impact on the world's commerce. However, if you take the appropriate countermeasures now and mitigate your risks the less likely your company will later face threats that could seriously impact it.
In the past I have commented on crisis management and the tools needed to handle such crisis in today’s business environment. Of course what companies are finding out is that international crisis are harder to handle than domestic ones. Why? In today’s world, many companies do business internationally. Because of international considerations, an international crisis is harder to manage than a domestic crisis. As it is more complex, companies caught up in an international crisis have to pay more attention to international, cultural, and communication issues than they would in a purely domestic scenario. Cross-border crisis management has become very important. Therefore, an international crisis requires a number of steps, including:
• Planning for an international crisis
• Appointing an international crisis manager
• Establishment of an international crisis management team
• Knowledge of foreign situation and its impact
• Cross-border management of the crisis
The principle focus of any crisis management strategy, especially in an international context, is communications. All crisis management plans call for effective crisis communications, which many times are not always executed. Inadequate or failed communications lead to bad publicity, unhappy stakeholders, and potential disaster. An effective crisis communication strategy is necessary for any international crisis. A number of companies failed to defuse an international crisis because of poor communications. A number of processes are need to implement an effective crisis communication strategy to manage an international crisis, including:
1. Creation of the crisis communication team.
2. Identify key spokespersons who will speak for the organization. Who are they? What are their roles?
3. Training on cultural issues, if the crisis involves other cultures.
4. Establishment of communication procedures and protocols.
5. Identify key messages to communicate to key stakeholders and groups.
6. Has a budget been approved for the crisis?
Though companies try and resolve the crisis at hand and spend significant sums of money to do so, if they fail to properly communicate to stakeholders such as the media and the public, they in effect have lost control of the situation and can expect outrage and consumer dissatisfaction to such an extent that the very existence of the company may be threatened. So remember, a company doing business internationally has to plan for an eventual crisis which may pose a threat to the company. If it fails to handle communications properly, it faces not only a potential loss of business but a negative impact on its brand and reputation.
One of the main drivers of my success over the years has been the ability to “change”. If you look around you, change is everywhere. In fact, it is the only constant in life. Everything changes whether we like it or not. I’ve been fortunate enough over my 40 year career to change-whether by changing my law practice or by changing my location or even both. In several instances, I even changed countries of residence. All of the change I have gone through has contributed to what success I have achieved.
Change in careers happens if one is willing to grow and experience new avenues of life. I started out as a public defender in Florida and ended up as a general counsel of one of the largest consumer electronics companies in the world. I never expected I would end up as a GC, but I did grasp the willingness to change.
Change not only happens in everyday life but in the workplace as well. Risk managers must always be on the lookout for change. As business changes so do risks. As regulations change so do legal threats. As employees change or as a company’s appetite for risk changes, so does the internal management of risk. In essence, risk is not static- it is always evolving and always changing. So the management of risk must change as well.
The concept of risk itself has changed over the years. Twenty five years ago, risk management was not perceived as a vital function in many organizations. Sometimes companies lumped risk management in with Insurance, Service or QA. But as the perception of risk has evolved along with compliance and SOX related laws, rules and regulations, risk is now deemed a major part of a company’s management structure.
Those organizations that perceive the need for an up to date robust risk management function are most likely to weather the storm of litigation, fines, audits and investigations facing most companies today. Crisis management (part of risk management) is now front and center in many large organizations as well. Companies are realizing that the perception by the public is far more important than in many cases the facts. How do you manage a crisis? When does a serious event become a crisis? How has crisis management changed over the last few years and why? How has compliance changed? All concepts of risk are subject to change as are standard processes for identifying and eliminating risk. Metrics used 20 years ago are no longer valid in many cases. Look what happened in 2008.
To handle risk and all of the consequences that it entails in an effective manner requires the willingness to accept change and in many cases to seek change out. Companies must be willing to change their concept of risk. They must be willing to change processes that may have been set in stone years ago. They must be willing to change not only how they perceive risk but how they address risk.
Yes, change is everywhere.
Korea is unique in the world with regards to the extent to which directors on a company board and chief executive officers can be held personally liable for a wide range of corporate liabilities. Considering this situation, if you don’t already have Directors & Officers (D & O) Insurance, then you need to spend some time considering how you could be liable in the event of a catastrophe - man-made or otherwise - and may want to access the risk with a professional.
Obviously, to protect the BOD as well as officers from frivolous lawsuits, including shareholder actions, a company should purchase directors and officers insurance (D&O insurance). Whether to use D&O insurance is a question that must be decided in the context of legal risk management.
Good corporate governance requires the board to be fully informed as to the major risk issues facing the company. D&O insurance may be necessary to protect the BOD as well as executive management from lawsuits stemming from fiduciary responsibilities or lack thereof.
For American companies operating in Korea this is particularly relevant. Corporate governance scandals brought about Sarbanes-Oxley Act (SOX) in the United States in 2002. SOX requires, among other things, that proper internal financial controls be established in publicly traded companies as well as whistleblower provisions and compliance policies.
In fact the U.S. laws and regulations regarding compliance requires that the board of directors (BOD) are not only trained in compliance but also has compliance oversight.
Similar measures have been passed in other jurisdictions as well. The result of SOX and other laws in other jurisdictions was to force upon the BOD the obligation of ensuring that not only proper financial controls are in place and properly maintained but that the Board be apprised of all relevant risk management process as well.
Hence, risk management processes in general must be considered by the board of directors in light of the board’s fiduciary and legal responsibilities. As director’s have a duty of care to the company, they have a duty to protect corporate assets and IP, review risk management plans, including crisis management plans and take all actions that a prudent businessman or businesswoman would take to protect the company.
The fiduciary obligation directors’ have to their respective corporations includes the duty to be fully informed and knowledgeable on major issues of risk. Whether it is compliance issues, currency risk, antitrust, or, geopolitical risk, etc., the BOD must be fully informed to make the appropriate decisions involving the management of the company.
Due to its very nature, the BOD cannot escape its fiduciary obligations with regard to understanding and approving risk management processes.
Considering the potential litigation directors might face in light of geopolitical events, such as the current situation concerning North Korea, it is prudent to consider D&O insurance. What is the status of D&O insurance in your company? Have you examined the legal risks facing your directors and CEO recently?
What happens if things fall apart or the situation dramatically deteriorates? If you haven’t addressed the situation, the wise thing to do would be to sit down with your insurance broker, if you have one, and discuss the pros and cons of such insurance policies.
Recently, Korean media reported that the Prosecutor’s Office in Korea is investigating a claim that McDonald’s Korea may have violated food safety rules based on the allegation by a family that their daughter contracted hemolytic-uremic syndrome (“hamburger disease") after consuming a hamburger at a McDonald's outlet in Pyeongtaek, Korea. This was the second claim during the same day that a McDonalds store in Korea served an uncooked meat patty.
Though McDonald's has denied responsibility, the investigation into McDonalds Korea, brings back memories of the Jack In the Box e-coli crisis that resulted in the near destruction of the Jack in the Box brand. It also highlights the issues facing food franchises caught up in an international or cross border crisis. See the following link for more info.
One of the reasons that Jack in the Box failed to handle the e-coli crisis was its failure to communicate with the press, stakeholders and yes, the public, properly. The principle focus of any crisis management strategy, especially in an international contest, is communications. All crisis management plans call for effective crisis communications, which many times are not always executed. Inadequate or failed communications lead to bad publicity, unhappy stakeholders, and potential disaster. An effective crisis communication strategy is necessary for any international crisis. It should be noted that a number of companies failed to defuse an international crisis because of poor communications. McDonalds Korea should take heed.
An ineffective crisis response caused by a failed communications strategy can significantly harm a company’s reputation, operations, and even its position in the marketplace. Whether a company survives a crisis or not is determined less by the severity of the impact than the response to the crisis. A company that responds effectively with a clear communications strategy will not only survive but find that its reputation has been enhanced. A company that does not respond with a clear communication strategy may not survive.
Look at some of the crisis in the past which were not defused properly because of a lack of attention to communication- Toyota, perhaps being one of the more recent. Though Toyota spent time and money to find out the issue surrounding the brake issue, its failure to communicate in a timely fashion lost the goodwill of many customers and hurt the brand.
An effective crisis communication strategy is necessary when dealing with an international crisis. In order to implement an effective crisis communication strategy, a number of processes must be implemented such as:
In order for McDonalds Korea to come out of the crisis in Korea unscathed, it must implement a crisis communication strategy. The “patty controversy” has not yet been properly addressed by McDonalds from a communication/PR standpoint which can lead to further reputational harm and negative financial impact. As claims of uncooked meat or even e-coli have haunted restaurants (especially hamburger or food related franchises) in the past, it is advised that regardless of the outcome, McDonalds and other franchises should have a crisis communication plan or strategy already set up and ready to implement.
You may already be in a crisis and not know it----One of the main problems with managing a crisis is that the crisis event may have occurred long before a company realizes it is actually in the middle of a crisis. Companies tend to disregard the warning signs of a crisis up until the very end, leaving very little room to maneuver and limiting a company’s options. If you scratch the surface of a corporate crisis you will find the signs were there months in advance. Yes, there was indeed trouble but departments don’t like to raise red flags. People don’t want to lose out on bonuses-it human nature. Who wants to rock the boat and get blamed ? That is precisely why you should think of your company as already being in a crisis or in a pre-crisis stage. Because, it probably is.
When talking to your staff or to other departments, how often have you heard the phrase “That the way we have always done things.” Just because corporate processes have been done one way doesn’t mean that the best way or even in todays’ fast changing world- the right way. Even after 2008 many companies continued to use the failed metrics that got them into trouble in the first place. Even the credit markets haven’t changed as much as you would think after 2008. Why?
I truly believe that once processes are created in a corporate or bureaucratic environment, it is as if the processes have been set in stone. They are very hard to change. Even if the world around the company has changed. It is human nature to accept what has been done in the past. Few people want to “rock the boat” even if the proverbial boat is actually sinking. Companies get into real trouble because of this. What happens if the company’s business model actually is out of date and is no longer viable? Just because it worked in the past doesn’t mean it will work in the future. What about your company’s products and services? If your company relies too heavily on a particular product and that product is found defective or non-conforming that could spell catastrophe. Has your QC department verified all production protocols have been met? What about sub-components? Does your company rely on third parties to provide key components? Have you outsourced your service department to a third party service provider? Are you monitoring your third party suppliers?
I therefore caution everyone not to blindly accept the status quo even when it appears things are humming along. What about your company’s risk management processes? Are those up to date? Risk managers as well as in house counsel and other managers should be challenging risk management metrics on a regular basis. Counsel should be auditing departments on a regular basis. Does your compliance program really work? Maybe it did 5 years ago. But what about today
If local or national laws have changed maybe the current manufacturing processes are out of date. If the products that your company manufactures or the services it provides have changed maybe the internal processes surrounding the review of those products and services are out of date. What about the current social environment? When reviewing your current product liability review processes have you factored in the new risks created by the Internet of all Things? These risks are real. Are you ready for them?
It is a fundamental truth that all things change. Some change faster than others. Regardless, don’t rely on your old or standard risk management processes to continue to provide the same level of comfort they did in the past. Continue to review and to modify them if necessary. Dont rely on your manufacturing processes- they could also be out of date.
Remember; whether you know it or not, your company might already be in a crisis. Maybe it is time for a crisis management review.