UK Law and Practice Contributed by: Ben Morgan, Ali Sallaway, Matthew Bruce and Emily Knight, Freshfields
7. Learning From Past Crises 7.1 Post-Crisis Review: Learning Lessons Following an incident, companies should com- plete an internal investigation to understand the causes of the crisis and assess how it was handled. The extent of the internal review will depend on the severity of the incident, but it will typically necessitate: • gathering essential information on the inci- dent; • identifying causes, areas of weaknesses and improvement; and • suggesting steps to improve future crisis response measures. It may be necessary to engage external advisers and legal counsel to support an internal review or conduct an independent external review. On occasion, regulatory agencies will insist that an independent review of an incident is completed. Such an exercise can assist in illustrating co- operation with regulators and the willingness of an organisation to improve, and may potentially result in a reduction in penalties. Depending on the lessons learned from the inci- dent, the company should assess the recom- mendations and then implement any accepted findings within a reasonable timeframe. The rec- ommendations should be monitored and reviewed periodically, and steps taken to recognise the consequences of any new measures should be clearly documented in order to provide a clear evidential trail. Documentation will be important to provide a clear evidential trail, particularly if it may be necessary to produce evidence to pros- ecutors and/or enforcement agencies.
A further immediate step is to update the relevant people and entities. As policies and procedures are amended, these should also be communi- cated, embedded and understood through inter- nal and external communications. This will likely require training (proportionate to the risk to which the organisation assesses that it is exposed) and carefully considered communications. Lessons can also be learned from recent enforcement activities, litigation and similar incidents. 7.2 Policy Update Recommendations on improvements follow- ing an incident typically include suggestions for improving existing policies and procedures, as well as identifying new measures, ideally to prevent a recurrence of a problem, but also to demonstrate the effort that has been taken to avoid an incident if it nevertheless does happen. Where a business identifies serious failings, it will likely be insufficient merely to refine existing policies; instead, systems, teams and proce- dures may need to be overhauled. 7.3 Effectiveness Measurement and Benchmarking To test the effectiveness of policies, it can be helpful to benchmark internal policies against guidance from trade and industry bodies and public agencies, which can provide an outline for best practice to adopt. It can also be use- ful to assess learnings from incidences arising in similar sectors to the business and look for opportunities to exchange helpful information via trade bodies or committees. Consulting with specialist experts and/or legal counsel can also assist to improve policies. It is important to note that maintaining operational resilience and cri- sis preparedness is not a tick box exercise, and should be embedded fully within an organisa- tion’s policies, procedures and culture.
147 CHAMBERS.COM
Powered by FlippingBook