Managing a business crisis has become increasingly challenging in the world of 24-hour news and Twitter. Today a crisis can make a company appear to be in the middle of a three-ring circus, argues Mark P. Zimmett in this opinion piece. He says there are some concrete steps firms can take – in advance — to avoid a lot of the negative fallout that can accompany a crisis. Zimmett is a commercial litigator in New York City with over 40 years’ experience handling domestic and international business crises. He was a member of the New York City Bar Task Force on governance, and has taught at the New York University School of Law.

The mismanagement of bet-the-company business crises has become pandemic. Consider just the most recent examples. In December 2016, Yahoo disclosed that three years earlier hackers had stolen confidential information from more than one billion accounts, including users’ names, birthdates, phone numbers, encrypted passwords and backup security data.  The company’s disclosure of the theft followed its disclosure in September of the same year another breach of 500 million accounts in 2014. Senior executives had been aware of the 2014 hacking, but failed to properly understand or investigate it.  Following the second disclosure, Yahoo’s market value plunged 6%, it was forced to discount the sale of its internet business to Verizon by $350 million, CEO Marissa Mayer lost her 2016 bonus and the general counsel resigned.

Cuisinart launched a product safety recall in December 2016 of about eight million food processors whose blades can apparently crack over time and cause injuries, a problem that was flagged five years earlier by consumers. But although the company announced the recall at a time of its choosing, it was unprepared to follow through with the fix: Phone lines set up to receive calls reportedly were deluged early on and the company’s website was unable to process claims for replacement parts.

Wells Fargo appears to have botched the management of its recent crisis through lack of preparation. When CEO John Stumpf testified about the sham-account sales scandal before the U.S. Senate Committee on Banking, Housing and Urban Affairs, one frustrated senator later said, according to The Wall Street Journal: “It’s been going on for five years … and he doesn’t have any answers for this problem? By the time the questioning got to me, I was pretty well pissed off.”

These are only the latest high-profile mismanaged crises. There are many other examples, such as the crises arising from major bank violations of anti-money laundering regulations and related laws and from automotive industry failures with ignitions, brakes, airbags and emission controls.

Contrast the above-companies’ performance with Johnson & Johnson’s handling of its tampered-Tylenol crisis in 1982, long considered a paradigm of successful crisis management. However, today even its response probably would be regarded as a failure. The company took three days to decide how to respond. In our internet age with its 24/7 news cycle, a company does not have three days to react; it may not have even three hours. Advance planning is critical.

But how does one plan ahead? Crises arise in many forms: a cyber-attack, a plant explosion (gas leak or terrorism?); the sudden death or incapacity of the CEO, a whistle-blower alleging fraud, bribery or regulatory evasion; the list is endless. But most board members and senior managers are generalists, and none has the special expertise to respond to every crisis.

Plans Are Useless, but Necessary 

Dwight Eisenhower, who made his reputation as a war planner, said, “plans are useless – but planning is indispensable.” He knew that developing his arsenal of weapons would give him the resilience to respond to the unexpected in battle. Mike Tyson made the same point, but with more punch, “Everyone has a plan until he gets hit in the face.” Yet, no matter how often Tyson got hit in the face, he continued to train for the same reason that Eisenhower continued to plan.

“You cannot master the three-ring circus until you have mastered the three-ring binder.”

So, how should a company’s board and senior managers prepare for crises? First, identify those potential crises for which the company needs a response, assessing the likelihood of the crisis occurring and its impact on the business. In the jargon of crisis management, this is called BIA, business impact analysis. One cannot foresee and catalog every possible contingency, but that should not stop one from trying to anticipate the most critical threats and to build from there.

Build a team: Second, identify and interview the professionals likely to be needed in any crisis, such as media communications specialists, auditors and forensic accountants, IT professionals, and lawyers with appropriate practice backgrounds (including crisis management). Others will be appropriate for only particular problems, such as oil well firefighters and product or system specialists (e.g., engine emission control technicians or SWIFT payment systems experts). Regulators may prefer some outside professionals, particularly those such as auditors and lawyers who will be assessing the conduct of the company’s personnel, to be independent of the company, i.e., have done no previous, and expect no future, work from the company. But how then does one assure that they still will be available and conflict-free when a crisis hits?

Build a notebook: Third, build a notebook for each board member (or board crisis management committee member) and each senior manager with the contact information and brief professional background of all personnel to be contacted in a crisis; both company employees and outside consultants and professionals. You cannot master the three-ring circus until you have mastered the three-ring binder.

Keep it up to date: Building the notebook is not enough. Keep it up to date. When its rig exploded in the Gulf, British Petroleum reportedly had in place an emergency oil spill plan based on boilerplate plans cribbed from several other petro companies – right down to a telephone number for an expert who had died years earlier. And how are people to be contacted when computer and phone systems are down?

Run fire drills: Finally, run occasional “fire drills.”  The New York Stock Exchange had a plan to stay open with a pared down staff in the event of a disaster, and to shift execution of trades to its all-electronic sister exchange, Arca. However, when Hurricane Sandy hit more than a year later, NYSE-member banks and brokerage houses decided to close the NYSE for several days because, among other reasons, they had never tested their ability to trade using the contingency plan and were not sure it would work.

Internal Investigations and Regulatory Review

Preparing to manage the eventual crisis should extend to planning for its aftermath: the potential internal investigation and regulatory review. Not all crises call for an internal investigation, but many do, particularly when malfeasance or culpable nonfeasance is suspected. Who controls the investigation, a lawyer who insists on following wherever the evidence may lead, or the company’s elected board that is ultimately responsible for the company’s conduct?

“Preparing to manage the eventual crisis should extend to planning for its aftermath: the potential internal investigation and regulatory review.”

Ten years ago, a New York City Bar Task Force on the Lawyer’s Role in Corporate Governance concluded that “the client [the company] must define the scope of the investigation.” However, there are practical limits. The lawyer has the right, and possibly a duty, to resign if he or she believes that the scope is unduly narrow and, of course, if the matter under investigation is of interest to the company’s regulator(s), a less than full investigation would probably be unacceptable. As the pre-eminent lawyer Rodgin Cohen has observed, “The most serious penalties are often reserved for situations where the institution has flunked the investigation of the underlying conduct, rather than the conduct itself.”

Not all internal investigations involve regulatory scrutiny. Those that do raise an issue of the degree to which the company should cooperate with its regulators. The New York bar task force noted that “Great lawyers may counsel non-cooperation just as they may counsel cooperation.” Just as?  Really?  However true that may have been 10 years ago, today the issue is less cooperation versus non-cooperation than how best to negotiate the scope of the investigation.

A business crisis can be a three-ring circus involving the company, outside professionals and the government. Planning and drills are critical to managing it. Practice will not make us perfect, but it can make us proficient, and appropriate planning can prevent making the crisis worse and instill confidence that the company is properly prepared to deal with it.