How Legal Should Prepare for Crises in the Digital Era

The axiom that “by failing to prepare, you’re preparing to fail,” holds especially true for corporate crisis management practices as digital disruption creates new risks and social media increases the likelihood that bad news will be shared — quickly and broadly.

“ As organizations adapt to the shifting business environment, they are intentionally changing organizational structures and modes of working, and unintentionally adding layers of complexity”

Public scrutiny and criticism of issues related to corporate data use and culture is growing, and tolerance of missteps is low. General counsel (GC) must prepare for these risks, and understand how a failure to manage them can create direct costs, reputational harm and financial costs.

Operational complexity hinders response

Digital disruption has increased the urgency around crisis response, while simultaneously complicating the task. Shifting business models generate new risk exposures. Complex digital products make it difficult to quickly identify and understand the root cause of an issue.

“As organizations adapt to the shifting business environment, they are intentionally changing organizational structures and modes of working, and unintentionally adding layers of complexity that prevents any one person or team from understanding an entire project,” says Stephanie Quaranta, Director, Gartner. Today, a typical digital project has six team members, 10 stakeholders and a wide network of partners contributing to and relying on the output.

At the same time, many teams are increasingly relying on third-party contractors. These relationships add to the complexity. In the gig economy, for instance, employees who are technically contractors can still significantly damage a brand by their actions. Target, a U.S. retailer, experienced the largest data breach in history in 2013 when credentials stolen from a third-party vendor were used to infiltrate Target’s system. Target paid a heavy price for the breach — in both direct costs and reputation.

Bad news travels fast

Digital and social media have also quickened the pace at which external stakeholders respond to crises. More than ever, customers can propagate messages about the crisis (with varying accuracy) to other customers in costly ways. Within hours, news of a crisis spreads to social media, expanding the scope and increasing the potential impact. Eighty-five percent of lawyers believe social media increases the potential of a minor issue becoming a major crisis.

“ Organizations mitigate risks by releasing responsible, factual messages immediately following a crisis”

The social messages that propagate in the absence of company responses may be harmful or misleading. However, if the harmful or misleading message takes hold, it can be difficult to dislodge entrenched beliefs. A late response can therefore be deadly to a firm’s crisis management efforts, since entrenched believers can slow or stop the propagation of more accurate messages.

Although it’s nearly impossible to anticipate and plan for every possible crisis, GC can focus on proactively identifying crises, monitor for signs of impending issues and explore ways to mitigate potential damage.

Learn more: Board and C-Suite Support for General Counsel

4 important changes to enact now

Follow these steps to prepare the organization, define an organizational crisis management plan — including communication plan — and improve on current practices.

1. Prepare the business to report. Most crises require fast action, so build a culture and infrastructure that encourages early reporting. Use due diligence, contracting and supplier codes to manage third-party risk. Leverage a code of conduct, multiple reporting channels and employee education initiatives to complement the strong culture that supports employees’ ability to confidently speak up.
2. Have the information ready. Once a crisis has occurred, it’s too late to collect the crucial information needed to respond. Understand what information — both internal and external — is needed and maintained. Create a process for obtaining data not maintained day to day during a crisis. Simulation exercises are a way for leaders to pressure-test their ability to access the resources needed to successfully manage a crisis.
3. Create a plan for statements. While gathering full information isn’t always possible before a public response, you can simplify in-the-moment decisions by having a written policy for how much time will be dedicated to information gathering and when public statements will be made. Organizations mitigate risks by releasing responsible, factual messages immediately following a crisis. Legal and compliance functions contribute to responsiveness by helping executives assess the facts from the situation, separating the signal from the noise, and advising business decision makers on how to best demonstrate responsibility.
4. Don’t underinvest in prevention.Invest resources proportionally in crisis planning and prevention. Risks with low probability but high impact are especially difficult to manage. They are also the risks — when they do manifest — most likely to lead to a crisis. Decisions about how much to invest in a particular risk can depend on its likelihood, impact on the business and the required speed with which legal should manage it.

Learn more: Reduce Risk During Business Change and Uncertainty