When boards should act, not react, in a crisis
Asking the right questions
Written by Natalia Smalyuk and first published on February 26, 2019 on the Proof blog
There should be a close relationship between Management and Boards of Directors, and that is particularly true during a crisis. Many organizations do not include, or even mention, their Board in their crisis plans. However, some are learning – often the hard way – that guidance and oversight matter the most when stakes are high.
At the same time, competent Boards are creating Risk Management Frameworks that assess the likelihood of negative events and how to prevent or mitigate them. These Frameworks should be developed collaboratively with the Board and Management.
In some cases, the Audit Committee provides oversight to the Risk Management process. The Risk Management Framework is intended to be constantly evolving, as risks and operations change. Management should be required to report regularly to the Board of Directors on those areas or activities with the highest risk.
There should also be a definition of risk, such as an action or event which may lead to a loss of revenue, an increase in costs, or a negative impact on credibility or public image.
When it’s “business as usual,” the Board carries out its Governance work behind the scenes, steering the strategy of the organization and overseeing the CEO. But when something goes seriously wrong, stakeholders, including investors, want to see Boards act, not just react.
A U.S. court recently approved a $90 million settlement in an investor lawsuit filed against 21st Century Fox directors for lost share value allegedly caused by failing to address sexual misconduct involving the company’s executives. In another case, G.M. shareholders sued current and former Board members for “failing to exercise their fiduciary duty to oversee management” following the ignition switch recall.
Media point to some common perceptions of why, in the public eye, corporate stewards don’t step up to the plate:
1. BOARDS DON’T KNOW THERE’S A PROBLEM.
A plaintiff lawyer in a lawsuit filed by G.M. shareholders against Board members was quoted in the New York Times saying: “they set up a system that is calculated not to inform them about safety issues.” Intentional or not, the environment where flags don’t get to the top makes organizations crisis-prone.
2. BOARDS ARE TOO SLOW TO REACT.
“G.M.’s board is seen as slow in reacting to safety crisis,” says the New York Times headline. The assumption here: when things go wrong, somewhere along the line responsibility shifts to the Board. When Management isn’t addressing a problem, we, the public, expect Boards to spot and fix issues before they become even bigger problems, triggering bad press, lawsuits or tumbling shares – all of which will require a crisis communications response.
3. BOARDS ARE TOO HANDS-OFF.
In the fallout from Target’s 2013 breach that involved data theft from up to 110 million credit and debit cards of shoppers, the CEO stepped down, following “extensive discussions” with directors. Boards are often seen engaging when, for any number of reasons, backing up Management decisions is no longer an option.
The public holds Boards accountable. The #MeToo revelations involving senior executives are a cautionary tale. When public scrutiny is intense, Boards need to get in front of the questions they may be asked: How come you didn’t know? Why didn’t you disclose? Is there an ethics policy and methods for enforcement?
So, is there a formula for Board engagement when there is a lot at stake? While there’s no one-size fits all, here are five ways directors can help make organizations more resilient.
1. ACT AS A MORAL COMPASS
In a crisis, we might hear from a corporate spokesperson: “We have zero tolerance for misconduct.” What does this mean? Merely a statement on paper or a policy lived and breathed – in other words, an environment where everyone knows there are consequences for breaking the rules? The Board can help cross the chasm between these two points by asking better questions:
Are organizational values clear?
Is there a code of conduct?
Are there effective policies, including whistleblower protections?
Is there a culture where there’s no fear for reporting misbehaviour?
2. WELCOME BAD NEWS
Asking questions is not enough. They must lead to better outcomes. Using the Risk Management Framework, Boards can review a dashboard of risks ranging from strategic and operational to legal and reputational. Uncovering predictable surprises and dealing with them as quickly as possible should be embedded in the system. It is also important to review any past incidents and how they were handled. A corporate communications partner or public relations agency can assist greatly in this process by providing third-party outside counsel with a fresh perspective.
3. ADD PREPAREDNESS TO THE BOARD AGENDA
Boards need to know when to engage in situations involving major risks, and understanding the organization’s lines of authority will help navigate the turf. Questions to ask:
Does the organization have a crisis plan?
Does the plan include the rules for Board engagement?
Has the Board been trained on these rules through crisis simulations and tabletop exercises?
4. HAVE A BOARD-LEVEL CRISIS PLAN
After Equifax CEO stepped down following the disclosure of a massive data breach, the Board said in a statement that it “remains deeply concerned about and totally focused on the cybersecurity incident.” In a range of situations, the Board may step in to manage the crisis directly. To do this, it needs its own crisis plan, asking in advance:
What roles will individual directors play in a crisis?
Who will be the spokesperson in a crisis communications situation?
Who will the Board call for independent counsel – for example, a law firm or public relations agency?
5. DON’T REPEAT THE SAME MISTAKES
Not taking the time to stop and reflect after each crisis means organizations miss a precious opportunity to learn. The result: repeating the same mistakes over and over again. The Board should insist on a full debrief after each crisis. Questions to ask: What went wrong? What should change? While learning from one’s own mistakes is costly, learning from others is free. Case studies built into crisis simulations and desk-top exercises will help prepare for the evolving patterns of risk. Again, it would be wise to engage a corporate communications agency in this assessment for third-party validation.
Managing risks, and being aware of them, is essential to good governance. If prevention is not enough, managing a crisis should include Board leaders and senior Management.