Crisis Management 2025

NORWAY Law and Practice Contributed by: Elisabeth Roscher, Tine Vigmostad, Geir Sviggum and Kristin Nordland Brattli, Wikborg Rein Advokatfirma AS

crisis management practices. For example, the Directorate for Civil Protection (DSB) published guidelines for crisis management following the COVID-19 pandemic, as well as a more general guideline for crisis communication. Additionally, some authorities have established guidelines or benchmarks for certain specific crises – for instance, the Data Protection Authority regarding data privacy breaches. Many companies also engage external expertise (eg, legal counsel) to stay updated on best practices within the relevant industry, from those with experience in managing cross-border investigations and crisis management teams.

4.3 Risk Assessment and Mitigation

Companies typically identify and assess potential risks that could lead to a crisis through analysis of risks related to the sector and jurisdiction(s) in which the company operates, as well as other factors relevant to the company’s risk profile (for more on the type of risk assessment often conducted, see 3.1 Crisis Management Plans). Such analysis could include data analysis of past crises, identifying relevant regulatory exposure as well as key risks and vulnerabilities. In some instances, this may also involve engaging with industry organisations, public authorities and other stakeholders.

Relevant risk factors for the preparation for a crisis may consist of (inter alia):

• legal and regulatory risks;
• operational risks; and
• financial and reputational risks.

All of these must be taken into account in the risk identification and assessment process.

Preventative measures commonly implemented to mitigate risks may include:

• robust compliance programmes tailored to the relevant risks and exposure; and
• incident response plans to ensure preparedness for various types of crisis situations.

4.4 Crisis Simulation

Simulation exercises are used in employee training, and may include (for instance) practical scenarios where there is a risk of corruption that may lead to a crisis for the company, or simulated phishing emails in order to prevent cybersecurity attacks. There may also be sector-specific simulation exercises within certain sectors – for instance, exercises in the oil and gas sector or pandemic response exercises in the health sector.

4.5 Training

Most companies (typically larger companies) promote and organise crisis prevention and response training for employees. Such training may consist of information sharing about crisis prevention, as well as response plans and protocols, discussions and simulation exercises (see 4.4 Crisis Simulation). Training sessions should be tailored such that high-risk functions receive more bespoke training than that given to all employees. Training is usually held by the chief compliance and risk management officers (or similar), and in some cases by external advisers.

4.6 Policies and Procedures

Companies usually adopt crisis management plans and procedures (see 3.1 Crisis Management Plans). Some companies also have risk management policies outlining the company’s approach to risk identification, assessment and mitigation, and such policies are sometimes made publicly available. Such policies and procedures are effectively implemented by (inter alia) communication, training and raising
