DUTIES OF D&OS IN ANTICIPATING AND REACTING TO CORPORATE CRISES

REPRINTED FROM: RISK & COMPLIANCE MAGAZINE, JUL-SEP 2017 ISSUE

www.riskandcompliancemagazine.com
Visit the website to request a free copy of the full e-magazine

Published by Financier Worldwide Ltd
riskandcompliance@financierworldwide.com

© 2017 Financier Worldwide Ltd. All rights reserved.


MINI-ROUNDTABLE

PANEL EXPERTS

Rhoda H. Woo leads a practice that helps clients with the lifecycle of crisis activities: preparing, responding and recovering. Services include crisis planning, business continuity, war gaming, real-time crisis response, natural disaster recovery and post-event reviews. Ms Woo brings 30-plus years of experience in advising F500 clients on financial and technology risk management. She was most recently the national leader of Cyber Risk Services, and co-authored, ‘In the Heat of Corporate Crisis, Mind Over Matter’, Deloitte Review, July 2015.

Rhoda H. Woo

Managing Director, US Crisis Management Leader

Deloitte & Touche LLP

T: +1 (212) 436 3388

E: [email protected]

Charlie Hanbury is a director for Hiscox Special Risks, providing insurance to organisations around the world for risks associated with complex security and political issues. Their products include Security Incident Response – a policy designed to give companies a simple and robust mechanism to respond to a growing range of business integrity, terror, criminal and political violence threats via the expert services of their partners, Control Risks, the global risk consultancy. Hiscox is the global leading insurer for the provision of services and financial protection around these kinds of events. Mr Hanbury has 13 years’ experience in this field.

Charlie Hanbury

Director

Hiscox Special Risks

T: +44 (0)20 7448 6079

E: [email protected]

With more than 25 years of experience, Harlan A. Loeb is a recognised expert in crisis and reputational risk management. With extensive experience in global crisis preparedness, he has developed a reputational risk decisional model for corporate officers. Mr Loeb has worked across all industry sectors representing clients including: Wells Fargo, Samsung, United Airlines, Enron, Chevron, Gilead Sciences, Harley-Davidson, Juniper, Waste Management, CME Group, Mitsubishi Corporation, Dow Chemical Company, HSBC, Kraft, Grosvenor, GE Healthcare and SC Johnson. Before joining Edelman, Mr Loeb was a founding principal of Financial Dynamics’ Chicago office and a member of its US board of directors.

Harlan A. Loeb

Global Practice Chair, Crisis & Reputation Risk

Edelman

T: +1 (312) 240 2624

E: [email protected]

Marco Remy Mille is Vice President for Security at Siemens AG.

Marco Remy Mille

Vice President for Security

Siemens AG

T: +49 89 6363 1717

E: [email protected]


RC: In general, do you believe directors & officers (D&Os) pay enough attention to anticipating and reacting to corporate crises? To what extent are such events constantly evolving?

Woo: In conjunction with Forbes Insights, we surveyed more than 300 board members and more than three-quarters of respondents – 76 percent – believe their companies would respond effectively if a crisis struck tomorrow. Yet fewer than half say they have engaged with management to understand what has been done to support crisis preparedness. And only 49 percent have playbooks for likely scenarios. Even fewer, 32 percent, say their companies engage in crisis simulations or training. We believe the reason companies are not more actively preparing is driven by overconfidence in being able to handle anything, an overly optimistic viewpoint that a minor brushfire will not become a wildfire and a belief that the company’s systems are more resilient than they really are.

Loeb: D&Os are not sufficiently engaged in crisis risk governance. But given the dramatic escalation in corporate crises – roughly 1000 percent over the last decade – D&Os are now fully accountable for crisis risk governance, including reputational risk. Though a growing number of boards oversee threats to their company’s reputation, a considerable business deficit exists in grasping the value of reputation, both as a strategic asset and risk. Furthermore, few organisations possess adequate capabilities and management strategies to mitigate, prepare for and build the resilience to manage crises and recovery effectively. Since reputation risk is not hedgeable, companies are challenged that much more by the strategic imperative of holistic risk management design. As the complexity of this century’s business and global risk expands, boards are recognising that new crisis risks can destroy organisations in ways that were not possible even five years ago.

Hanbury: Directors and officers are understandably more focused on growing their business along the financial metrics that their stakeholders are focused on. When it comes to the issues that might generate crises, the expectation, quite naturally, that directors and officers have is that those issues are picked up through the normal risk management processes. As long as health and safety arrangements are appropriate, there is some form of business continuity management in place and their enterprise risk management people are looking at them to say yes, there are some red risks but we have process, governance and procedures in place, then that is probably good enough for most directors and officers. Events are evolving because factors like technology change and the nature of terrorism changes but the frequency in which they happen appears to be altering. In our experience, most directors and officers will experience some form of crisis every few years.

Mille: One needs to differentiate between attention paid to crisis anticipation versus attention paid to crisis reaction, whereby crisis anticipation would include crisis prevention and crisis preparedness. D&Os do not really have a choice when it comes to reacting to an emerging crisis – when a crisis occurs, they have to react. However, if more time and resources were dedicated to crisis prevention, there would be less need for crisis reaction as fewer crises would actually occur. And if more time and resources were spent on crisis preparedness, crisis reaction would become more effective. I do not necessarily support the view that crisis scenarios are constantly evolving. A crisis occurs if a high impact incident occurs that you are not prepared to deal with adequately. And that can always happen. Therefore, I put so much emphasis on prevention and preparation. What becomes increasingly important, though, is the impact of social media on crisis management. Issues which in the past might only have raised local interest now can become viral and global in a heartbeat, thus increasing the impact and reducing reaction time.

RC: What policies and procedures should companies have in place that will allow them to promptly identify and mitigate risks that can evolve into a crisis, and if necessary, effectively respond to such a crisis?

Hanbury: It is important to have some form of approach to enterprise risk management – a process for horizon scanning and making sure that mitigation measures are appropriate to the risks facing the company. The second thing is to have an effective business continuity management plan which most medium to large organisations will have because customers and regulators demand that they do. But an area where we see gaps is that the plans often focus on the more routine risks such as fire, flood and power outage, and the recovery of IT systems. There is not the same level of rigour applied to responding to non-interruption crises, which often fall outside the business continuity plan. These crises could include cyber extortion – the systems are still running but there has been a breach – or related to a duty of care issue, or something like a suggestion of financial impropriety which could have huge brand implications. We have identified that as a major shortcoming.

Mille: Companies need a global enterprise risk management process, reliable incident management processes, a clear understanding of what differentiates an incident from a crisis, and robust crisis management policies and processes at all company levels.

Loeb: In today’s environment, D&Os must ‘lean’ into risk with a concerted bias for action. Reactive crisis management is not only ineffective, it mortgages credibility and destroys value. Boards and C-suite executives must view crisis risk dynamically and build soft risk management into their broader corporate strategy to protect their company’s reputational value. For boards with a risk committee, their risk governance mandate should include strategic crisis and reputational risk management. This requires a shift in mindset, moving beyond ‘crisis risk avoidance’ to an operational framework that embeds new and agile thinking and systems to develop a ‘pre-emptive mindset’. An organisation’s business strategy, processes and culture must integrate with principled leadership and robust processes and capabilities to dismantle the highly siloed nature of traditional risk management. Such an old-style approach disconnects directors, the CEO, risk officer, communications director and other leaders from the frontlines. A pre-emptive mindset requires strong intelligence, measurement and decisional rights to succeed.

Woo: Policies and procedures are critical, but culture is also important in mitigating crises. Procedures are frameworks which enable people to act, but they need to be supplemented by experience and expertise. One thing companies can do is empower frontline employees to provide early warnings, escalate issues and act to prevent a crisis from ever happening. Employees should be encouraged to use their ‘gut’ where they have a concern even when they may not know the exact problem. The ‘gut’ is not merely a seat-of-the-pants judgment; it incorporates the sum total of an individual’s experience. Fostering this culture of vigilance and maintaining a bias toward action leverages the talent on hand.

RC: What do you consider to be the essential requirements of an effective crisis management strategy? How important is it for D&Os to have recourse to an enterprise risk management (ERM) programme?

Loeb: Reputational crises inherently possess an ‘activating agent’ that frequently triggers multiple enterprise risks. Our experience demonstrates that four core capabilities must be integrated to mitigate crisis risk and decrease probability. First, strategic and cultural business integration serves as the strategic imperative in creating a risk intelligent organisation. Second, risk-sensing readiness capabilities, data mining technologies, real-time analytics, scenario planning and rapid activation capacity must prevail across the enterprise and corresponding geographies. Third, fluid decision making with clear decisional rights, multichannel communication capacity, readiness stress testing and scenario planning generate effective crisis risk management. Fourth, a properly calibrated public engagement strategy defines crisis resolution and recovery and frequently enhances and rebuilds trust and operational credibility. Companies must test their enterprise-wide crisis management plan and develop specific plans for the top 20 risks that link most closely to their core market competency. To be sure, crises prove to be testing grounds for the leadership and character of D&Os. They also determine if and how strongly a company recovers. As such, ‘preventable crisis risks’ do the most enduring damage to franchise value, trust and leadership longevity.

Woo: There are things you cannot write into a crisis plan, for example, how to rally the troops and how to make decisions, among others. D&Os should operate at a strategic level in a crisis, yet many leaders often overlook practical tactics that can enhance decision making. First and foremost, know your team. Consider the make-up of your crisis team. Who is more vocal or reserved? How will formal and informal relationships impact team interactions? You need to understand individual strengths and weaknesses, and how they foster creativity and the important ability to generate options. Second, avoid common decision-making pitfalls. Groupthink is when a group’s need for consensus trumps the judgment of individual members. It often happens when senior leaders are vocal, thereby stifling alternative views. Confirmation bias is only taking in information that confirms our preconceptions.

Mille: Ensure a common understanding of the crisis management policy and related processes, make certain crisis management teams are nominated and trained at all company levels, and enlist the backing and tone from the board. Create executive awareness and acceptance that crises will occur in spite of all preventive measures, and promote preparedness. An ERM programme is essential to identify potential risks and to develop mitigation plans in order to reduce risk exposure. Risks that have been identified and mitigated down to an acceptable residual risk level are less likely to develop into a crisis. An effective ERM programme defines and quantifies the ‘known unknown’ – accepted residual risk – thus reducing the ‘unknown unknown’.

Hanbury: The critical piece of an effective crisis management strategy is there must be clarity on who owns it and where it sits, and that there is also effective integration between the crisis communications plan and the crisis management plan. The crisis management plan should be short and understood by the stakeholders, and well rehearsed. Having an ERM approach is critical, as is the close integration between ERM, business continuity management and crisis management, particularly as these three areas tend to sit in different parts of the organisation.

RC: What are some of the potential liabilities that may face D&Os? How would you characterise their awareness of fiduciary duties and responsibilities in the event of a corporate crisis?

Mille: There are many potential sources for liabilities for D&Os during crises, like ‘duty of care’ requirements, other legal obligations, insurance limitations and compliance related issues. Profound legal expertise is required in order to ensure compliance with all those obligations, which often differ from one country to the other. Therefore, it is essential for each crisis management team to include in their core functions a legal expert who will ensure that D&Os are made aware of their liabilities and act accordingly.

Hanbury: The most important area is the duty of care liability. Depending on whichever legal jurisdiction a company is operating under, it is likely that in responding to a crisis a company will have its actions scrutinised in US or EU courts, both of which are quite clear on duty of care obligations. The awareness of duty of care is much better than it was five years ago but there is still no standardised approach to delivering duty of care obligations across an enterprise.

Woo: Time and time again, we see that D&Os can unwittingly become their own biggest liability. For those executives who have not taken the time to participate in crisis planning and exercises, there is a propensity to swoop in to play ‘saviour’ and actually disrupt the response to a crisis. They may need to stand down until the time comes to receive their briefing. Another common mistake is to get into the weeds of technical resolution of an issue. The question is, ‘what do we do about this?’ not ‘why did this happen?’ Companies need executives to exhibit leadership, but to stay strategic. And to trust the process that the team has trained on and practiced. A crisis is ultimately a test of leadership where D&Os are judged by their response – by markets, investors and customers.

RC: To what extent do companies struggle to understand the respective roles of management and D&Os in preparing for and responding to a crisis? In your experience, what roles have D&Os played effectively during a crisis, and what trends have you seen in their involvement?

Woo: The board is less clear than management on their roles and responsibilities in a crisis. For malfeasance and CEO issues, the role is more obvious and the board tends to be highly involved. For other crises, such as product recalls or weather events, maybe less so, but involvement could still be critical. We encourage boards to break down their responsibilities during a crisis in three ways. With management, the board should counsel management to keep people ‘in the today’, encourage them to be proactive, and serve as a sounding board and endorser of key decisions. With shareholders, the board has a fiduciary responsibility to act ethically and decisively even when shareholder interests diverge from those of management. With key stakeholders, the board is the steward of the company’s reputation and should consider the impact and attitudes of key constituents and the best ways to address their concerns and reactions.

Hanbury: A problem often occurs when senior executives, who may not have had the close involvement that perhaps they ought to have done in developing the crisis management plan, realise that there is a crisis and step in. Leaders of large organisations are more inclined to trust their judgement and want to get on and lead the response – which is entirely understandable but can often be counterproductive. In terms of roles, senior leadership often, in the absence of a well rehearsed plan, focus far too much on resolving the operational parts of the problem, rather than the strategic issues. There can also be ‘paralysis through analysis’ meaning it is important to have an agreed process for decision making so senior leaders can make decisions based on possibly incomplete or even incorrect information.

Loeb: Crisis risk governance is highly variable. Few organisations are equipped adequately with direct board access to those executives accountable for a rapidly growing universe of crisis risks. In many management structures, even risk experts are not well aligned, integrated or even equipped to confront multi-variable crisis risks as one coordinated operating unit. This explains why it is urgent that CEOs oversee and direct the integration of internal and external risk experts, not only to ensure seamless and instant response to a crisis but to work collaboratively in building and constantly improving the design structure of proactive and durable crisis risk mitigation and prevention capabilities. As partners, the CEO and the board should develop their own ‘balanced scorecard’ approach to ensuring that preventable, strategic and existential risks are mapped thoroughly and plotted clearly on a radar tool. Also, the board and the CEO must have constant access to risk experts and to real-time intelligence on the organisation’s ‘state of crisis readiness’.

Mille: By definition, a crisis is an incident with a major impact that cannot successfully be handled by the regular line management in the available time. Therefore, crises cannot be successfully resolved by the line management, but a dedicated crisis management team composed of essential experts is required. The challenge for companies often is to define what essential core competencies are, and when to switch from line management to crisis management, or in other words, when an incident becomes a crisis.

RC: What final piece of advice would you give to companies, and their D&Os, in terms of implementing a robust crisis management culture and a structure that will allow them to anticipate and react to a corporate crisis scenario?

Hanbury: Keep it simple and have a single plan that covers all perils – do not have separate plans for a travel safety incident, for example, or a business continuity incident. Also, it is important to ensure that the senior people who are likely to want to lead in the event of a major crisis are involved in the development and the rehearsal of the plan. It is also important to stress test the plan. This takes someone to throw some nasty problems at the team to stress test what the likely issues will be. When a crisis hits, a leadership team is faced with three priorities: maintain business as usual, manage the crisis and innovate their way out of the problem. No leader can do it all, which means having pre-arranged arrangements with the third parties who can swiftly provide the appropriate resources and expertise is critical.

Mille: Have a well established crisis management team, talk to each other, go through scenarios, identify risks early, accept that things can go wrong, think about possible stakeholders and partners and ‘make friends’ before a crisis arises and communicate what you are doing. And finally: crises will happen, period. They hit you where or when you did not expect it, or else you would be prepared for them. So while you train for specific scenarios, be aware that a crisis will never follow your plan. Crisis management is not about plans, it is about planning.

Woo: While less than half of all companies have crisis management procedures, far fewer companies train on those procedures, and even fewer actually exercise them. Where many companies ultimately fail is to establish a regular cadence of exercising activities as part of their crisis management programme. By practicing realistic crisis simulations, you mature from simply having a plan to possessing a capability to manage a crisis effectively. You are only as strong as your weakest link, so all response teams from the executive team to sites should participate in regular crisis simulations. Simulations bring to life specific weaknesses and challenges in a way nothing else can. They provide a sense of shared experience, an understanding of what all team members are supposed to be doing, and build confidence. As with most disciplines, you are only as good as your last performance, so is it not better to learn in practice rather than in a real event?

Loeb: The tone at the top is critical. It sets the course for the seriousness and urgency with which organisations approach dynamic and durable crisis management design. Effective crisis management involves building capacity, heuristics and muscle memory – a purely functional approach is futile.

RC: Going forward, what types of corporate crisis scenarios do you foresee D&Os having to deal with?

Loeb: The probabilities that organisations will experience an enterprise-wide crisis continue to climb well above 60 percent. Reflecting cyber attacks, whistleblowers, shareholder activism, product quality issues, viral online videos and business sabotage, among other catalysts, the age of constant crises continues to expand both in complexity and speed. Fifty-three percent of companies struck by a crisis do not regain their previous share price after one year, and that percentage will only rise if enterprise crisis management capability does not evolve substantially. With increasing scrutiny on executive compensation, particularly surrounding stock awards, key constituents will provide little to no sanctuary to CEOs when preventable crises erupt. And because facts and truth have been hacked and now rumours and ‘breaking news’ trade instantly as ‘true’ for at least the crisis moment, organisations must become both media companies and intelligence agents on constant alert.

Woo: We now live in a world where retail and healthcare companies are redefining themselves as tech companies. While we do not pretend to have a crystal ball, our hunch is that more crises will be triggered by technology events. Cyber threats are top of mind, from cyber extortion and massive data breaches to losses of intellectual property. But D&Os should not only concern themselves with the nefarious threats. Rising complexity in businesses introduced through the ever-increasing reliance on technology makes companies more vulnerable to technology breakdowns. The linking of various technologies and applications creates more tightly coupled systems and greater potential for failures to cascade from one system to another. And as companies grow more sophisticated in developing risk management controls, they actually create more dependencies that could fail. We believe this may lead to more breakdowns, more catastrophic in nature, driven largely by a company’s own design.

Mille: As long as companies have vulnerabilities, they are liable to become subject to a crisis. The crisis scenarios can be as diverse as the different types of vulnerabilities a company has. And while I am convinced that yes, each company will definitely face a major crisis of one kind or another at some point, the question is: given the often complex and volatile nature of today’s corporate world, can any company afford not to be prepared for a major crisis?

Hanbury: Businesses should expect to see the use of stolen information – obtained via a cyber breach, for example – driving the frequency of extortion events. Sadly, another likely scenario will be further terrorist attacks in parts of the world previously considered relatively benign, such as western Europe. This form of transnational terrorism is impacting countries in the western world in an inconsistent manner, which means that having appropriate measures in place so a business meets its duty of care obligations to its employees will be key. Addressing their safety and managing the changing expectations of employees will be important. In many of these circumstances, these are incidents that are not just systemic issues – where lots of different organisations are impacted, such as with the recent WannaCry incident – it is where the focus will absolutely be on one organisation. Another scenario likely to emerge is around regional instability where an area has a significant political meltdown. This means that organisations must have a plan for markets and geographies which suddenly turn out to be not so stable.