Crisis Management 2025

UK Law and Practice Contributed by: Ben Morgan, Ali Sallaway, Matthew Bruce and Emily Knight, Freshfields

Guidance emphasises the need to ensure training is monitored for effectiveness and kept updated, and that training includes references to the company’s whistle-blowing policies and procedures.

• Monitoring and review: effective review comprises detection, investigation and ongoing review/monitoring. An important part of this process is learning from experiences of previous incidents. For cyber incidents, the NCSC has designed a Cyber Assessment Framework, by which companies can manage cyber risks voluntarily and which provides a useful way to prepare for cybersecurity breaches.

3.2 Internal Governance

Prior to a crisis, it is helpful for organisations to identify specific personnel with adequate technical knowledge of operations, who can form a crisis committee. The committee should include members of business departments such as legal, public relations, IT and compliance. Each member of the team should be assigned a specific area to oversee as part of the crisis response, and there should be a protocol for agreeing measures designed to allow the team to work effectively.

It can also be useful to have specific teams for particular crisis situations and to include external experts where necessary. The crisis management team(s)/committee(s) will have a pivotal role in risk assessment exercises and in adapting prevention procedures to prepare for crisis situations. They should meet regularly, with the frequency of meetings depending on several factors, with quarterly engagement generally required as a minimum.

When a crisis does occur, organisations should ensure that the crisis management team is brought together quickly. Whilst organisations can identify the individuals who should form part of the crisis team, it is important to remain flexible and tailor crisis management team members to the relevant risks faced.

3.3 Crisis Committees: Composition and Attributes

Crisis committees should be formed from an early stage of crisis preparation and include relevant internal and external personnel who will analyse the situation and determine the company’s strategic response. Best practice dictates that the committee should meet regularly and engage prior to a crisis developing to check and fine-tune crisis management plans and procedures. Test run exercises to check on the performance of a plan before it is required in earnest are also worthwhile. The policies of the committee should be communicated regularly to internal and external stakeholders.

It is important for senior management to ensure adequate measures are in place to respond to a crisis, particularly within the regulated sector. As a result, some members of senior management should be part of the crisis management committees, although the extent of involvement will depend on the situation. Generally, all members of senior management should support the work of the crisis committees/teams and give the members the independence to make recommendations that are embedded into the business with adequate resource support. Nonetheless, they should also understand and scrutinise the work of crisis committees/teams and, where necessary, intervene to facilitate suggestions for improvements to act as a check on the feasibility of plans and procedures.
