GERMANY Law and Practice Contributed by: Rainer Wilke, Ingo Theusinger and Ralph Schilha, Noerr
In order to continuously improve crisis manage- ment strategies, companies conduct follow- up meetings after a crisis (see 7.1 Post-Crisis Review: Learning Lessons ). 4. Managing and Preventing Crises 4.1 Identifying a Crisis A company can identify a crisis and its poten- tial legal implications through several channels. These include a direct approach from authorities (such as a warrant or dawn raid), internal whistle- blower reports, subpoenas, or external sources (such as media articles). The way a crisis is iden- tified will often determine the immediate steps taken in response. Once a potential crisis is identified, companies typically undertake the following immediate steps to assess the situation. • Crisis identification – it is vital to gather as much information as possible to provide the appropriate response to the crisis. To ensure no data is lost, the document preservation protocols are activated. • Initial communication – companies reach out to the crisis management and leadership team to provide preliminary information. The crisis management team co-ordinates and aligns the response efforts. • External engagement – depending on the nature and severity of the crisis, companies might engage external legal counsel, forensic experts, auditors or other specialists. To assist with the crisis identification and com- munication, companies may use tools such as risk management software, alert systems and communication platforms. These tools stream- line information flow, enable swift internal com-
munication and ensure that accurate information is shared with stakeholders in a timely manner. 4.2 Planning Companies use various frameworks or models for crisis management, often inspired by interna- tional standards such as ISO 22301 providing a framework for business continuity management. In critical infrastructure sectors in particular, there are strict legal requirements, such as the KRITIS programme (see 2.6 Sectorial Requirements ) or the BSI IT baseline protection for cybersecurity (see 3.1 Crisis Management Plans ). Another essential standard is IDW standard No 6. It requires a comprehensive restructuring concept that assesses a company’s viability in crises, and is prepared by an independent third party. Additionally, a draft for a new IDW stand- ard (IDW ES 16), regarding the design of crisis early detection and crisis management accord- ing to Section 1 of the StaRUG, has been pub- lished. Typically, a company’s crisis response plan con- tains several key elements: • crisis identification and assessment; • response strategies; • communication plans for internal and external stakeholders; • roles and responsibilities; • resource management; • recovery strategy; and • business continuity measures to quickly resolve business interruptions. 4.3 Risk Assessment and Mitigation Companies usually identify and assess potential risks that could lead to a crisis as part of a sys- tematic risk management process. This process often includes the following steps.
89
CHAMBERS.COM
Powered by FlippingBook