UK Law and Practice Contributed by: Ben Morgan, Ali Sallaway, Matthew Bruce and Emily Knight, Freshfields
• misconduct by employees or agents that could create criminal or regulatory liability for the company, such as bribery and corruption;
• negative environmental impacts or human rights-related concerns in the supply chain;
• exposure to major incidents; and
• potential consumer or product-related crises.

Once the mapping and metrics of risk are identified, the next step is to assess prevention procedures. It is likely that a wide spectrum of risks will be identified during the course of an organisation’s risk assessment, and each should be targeted in a reasonable and proportionate manner, with the highest-risk areas requiring the most rigorous levels of oversight and immediate attention, followed by areas of lesser concern. All risks should merit some consideration, even if only to conclude that it is not appropriate to have prevention measures in place for a particular reason.

Organisations might wish to focus initially on a limited selection of test scenarios to assess how they can tackle critical incidents, which can then be systematically applied across the business and/or to other types of emergency situations. There will also need to be clear training and communication to equip colleagues and third parties with the knowledge to respond to a crisis.

4.4 Crisis Simulation

Ideally, organisations should ensure that simulation exercises are embedded within crisis management plans. By way of example, the National Protective Security Authority has published two crisis simulation scenarios for a fictional private sector tech company relating to sabotage and unauthorised disclosure. In the financial services sector, there have been centrally organised crisis simulation exercises conducted by the FCA, the PRA and other agencies as part of the Cross Market Operational Resilience Group, established in 2015. In October 2024, the Bank of England undertook a market-wide simulation exercise, known as SIMEX24, in collaboration with UK Finance, HM Treasury, the FCA and the wider financial sector. The exercise assessed the financial sector’s response to a major infrastructure failure that would require a total shutdown and restart of the sector.

Such steps can be useful illustrations of attempts by an organisation to ensure effective risk prevention and response procedures in the aftermath of a crisis, particularly if there are subsequent regulatory investigations and/or enforcement action.

Recent years have seen an uptick in dawn raids as part of regulatory investigations, which can add to or trigger a crisis. To prepare, in-house counsel and external dawn raid advisers need to know the rights of the company and individuals, need to be aware of the precise data/document collection powers of each authority, and must appreciate what the limits are, especially when it comes to accessing personal data. Now is the time for companies to ensure that their dawn raid training and guidelines are fit for purpose as part of crisis management.

4.5 Training

A further part of crisis management is the regular updating of relevant personnel and related parties. As policies and procedures are amended, these should also be communicated, embedded and understood through internal and external communications. This will likely require training (proportionate to the risk to which the organisation assesses that it is exposed) and carefully considered communications.

Companies should promote and organise tailored training for employees that is proportionate to the crisis risks faced and aligned with any