Crisis Management 2025

UK Law and Practice Contributed by: Ben Morgan, Ali Sallaway, Matthew Bruce and Emily Knight, Freshfields

crisis management plan. Training should cover any new or updated crisis risks identified and the procedures put in place to manage these risks. As crisis risks develop over time, training should be reviewed and updated accordingly. Tailored training can be overseen by in-house legal teams and/or external legal advisers or specialists. Organisations may also wish to assess the training protocols of external suppliers that provide critical services to the organisation to ensure fitness for purpose and to integrate with the business’ own plans.

4.6 Policies and Procedures

There are useful existing frameworks for developing risk prevention procedures (see 3.1 Crisis Management Plans).

There is a wide spectrum of legal risks arising from a crisis, and the relevant challenges will be dictated by the particular incident. Fundamentally, businesses need to be able to continue to operate as normally as possible, while identifying and controlling the threats that a crisis spins off. Typically, incidents involve the assessment of risks related to confidentiality and privilege, related litigation, reporting requirements and internal and external investigations and potential enforcement action. A crisis can often extend across borders, thereby requiring engagement with colleagues, enforcement agencies and/or advisers from other jurisdictions on legal issues.

These legal risks cannot be assessed in a vacuum, and commercial and reputational risks that may arise must also be taken into account.

5. Legal Strategy

5.1 Legal Challenges

Senior managers and directors may face potential personal liability for actions or omissions in response to incidents. As such, generally, top-level (and, increasingly importantly, middle) management should be committed to improving crisis management plans, with a view to preventing and reducing the risks related to a crisis. The level and nature of the involvement of senior management will vary depending on the size and structure of an organisation, but their role is likely to include:

• communication and endorsement of the organisation’s stance on crisis management;
• ensuring there is a clear governance hierarchy;
• involvement in the development and review of prevention procedures;
• discussion and understanding of relevant policies and their implementation at board or senior executive level;
• the endorsement of codes of practice and policies to address crisis management;
• integrating plans and any incidents critically to address any gaps in existing safeguards; and
• fostering a “speak up” culture.

5.2 Dealing With Enforcement Authorities

The relevant enforcement agency that may intervene will depend on the particular sector, the nature of the incident and the jurisdictions engaged as part of a crisis. For example, where criminal misconduct arises, the SFO and Crown Prosecution Office (CPS) may be involved; data breaches typically see the intervention of the ICO; and incidents in the financial services sector will likely involve investigation by the FCA or the PRA. The SFO has continued its practice of entering into DPAs where serious misconduct has taken place and pursuing successful prosecutions over the last five years, securing a total of GBP1.7 billion in fines, penalties and awarded costs from DPAs alone. Since the first DPA in
