UK Law and Practice Contributed by: Ben Morgan, Ali Sallaway, Matthew Bruce and Emily Knight, Freshfields
4. Managing and Preventing Crises 4.1 Identifying a Crisis Companies should immediately assess the risks arising from a crisis, including any poten- tial liability that may arise, as well as identify - ing any steps that can be taken to mitigate the consequences of the incident. Whilst time is of the essence, companies should take care to ensure that actions follow a consistent and well-considered approach, which will be ena- bled by advance crisis scenario planning. The first 24–48 hours following a crisis can be critical for a business: this is when the business sets the tone of its response, manages relationships with authorities and stakeholders, and prepares for the investigations and potential litigation that may follow. The step that must be taken at the critical after- math time will be unique to the relevant crisis but the main considerations will include: • bringing together the crisis management team to assess the immediate steps to follow; • identifying the extent of the crisis using any mapped information obtained as part of crisis preparation plans and using the support of specialist forensic experts where necessary; • making considered and consistent communi- cations to the main stakeholders via agreed channels; • notifying and co-ordinating with the relevant regulatory agencies; • implementing agreed amelioration measures, including security controls; and • engaging specialist advisers to assess diffi- cult issues, including legal and public rela- tions matters. During the course of the crisis, the company should continue to review and address risks that
are arising. Engaging forensic experts can allow the use of specialist tools to identify and respond to a crisis – for example, cybersecurity experts can help respond to ransomware attacks. Public relations firms can also be employed to provide independent oversight of communications, albe- it ideally with legal input to ensure relevant legal risks are also ameliorated. Lawyers can assess the follow-on regulatory and litigation exposure, and determine ways to manage privilege and ensure the correct operation of the contractual environment governing the business’s ongoing operations, despite the extreme circumstances it is encountering. 4.2 Planning See 3.1 Crisis Management Plan . 4.3 Risk Assessment and Mitigation Businesses should assess the nature and extent of exposure to the crisis risk both internally and externally. This will be an important initial step in the process of preparing for a crisis, and organi- sations ought to ensure their risk assessment is dynamic, documented and reviewed, and that it covers a wide range of emergency situations. It may be helpful to classify each risk into two components of likelihood and impact, and to provide a description of why a classification has been chosen under each of these headings. Areas of potential exposure to crisis should face close scrutiny, including: • fraudulent activity, including in public state- ments (especially those that might influence investors or customers), representations to counterparties (eg, in a trading context), and where an organisation has obligations to dis- close (eg, to auditors or a regulated market); • cybersecurity; • data breaches;
139 CHAMBERS.COM
Powered by FlippingBook