Corporate crises are on the upswing. A faster-paced R&D cycle, improved but riskier technology, 24-hour news… the list of triggers goes on. But our understanding of such events has not always evolved at the same pace. We speak of a crisis as a single incident but, in reality, a chain reaction will likely ensue – and no sooner than one element appears under control, another pops up.
A tumble into crisis
Let us imagine a company that is consumer-facing and has a large, warehouse-based workforce. Imagine it makes toys, sells them online and is called ‘Tumble Toys’. Speed and efficiency in dispatching little Billy or Betty’s heart’s desire is one of its market differentiators – its marketing campaign features a gorilla called Tumble, who makes his way through various perils to ‘tumble’ into the child’s house in various amusing ways. As with many companies, Tumble Toys has outsourced warehouse staffing to a third party.
Imagine you are the general counsel of Tumble Toys. You have a varied workload and a decent team of five lawyers. Your work is primarily a mix of supplier agreements, employee- and IP-related issues. You are in the middle of an engaging new project looking at whether Tumble the gorilla can become the mascot for a kid-friendly football event – a perfect brand tie-up.
Your phone rings and it is the chief executive, who has just received a call from a national newspaper, The Busy Rag, known for its crusading stance on labour-related issues. They have received a tip-off from a former worker that the Chinese manufacturer of the popular Tiny Tumble – a smaller version of the best-selling Tumble the Gorilla soft toy – contains a phthalate in its fabric dye, which does not confirm to EU safety regulations: REACH (Registration, Evaluation, Authorisation and Restriction of Chemicals). The phthalate could be hazardous to children by potentially damaging their reproductive systems.
The former employee has told The Busy Rag they feel this is indicative of a shoddy attitude to the supply chain, exacerbated by Tumble Toys’ focus on speed of delivery. The newspaper will publish the day after tomorrow but wanted to give the company right to reply.
‘What are we going to do?’ demands the chief executive. There is a meeting in her office in ten minutes. Tumble the Gorilla stares at you from the football flyer. What should your plan of action be? Where can you best add value?
Create a crisis response group – quickly
The most crucial initial step is making sure you have a crisis response group in place. Ideally, you would have established this beforehand, in anticipation of future situations. If not, it needs to be pulled together ASAP.
‘Getting that core team in place as soon as we can will be critical to determining the outcome – positive or negative. Equally, having a defined process or set of protocols in place for how to respond is invaluable,’ notes Jeremy Drew, head of RPC’s commercial group.
‘In our workshops, most agreed the GC should be the person pulling those strings – the de facto crisis chief of staff. Depending on the nature of the crisis, the likes of HR and corporate communications should be involved too, but the GC should be conducting the choir. And it’s a choir that needs to sing in harmony – break down those internal silos and work as a team.’
Be careful how you deal with the press
It might be tempting to reach out to the newspaper involved and intervene in the story breaking, but this may not be a good idea.
‘Clients need to tread carefully when interacting with the media. It’s rarely a good idea, for example, to establish contact between the legal team and a journalist. They talk fundamentally different languages, and the danger of things being lost in translation is high. It’s much better for that bridge to be built through the PR or comms team,’ cautions Drew.
But isn’t this what injunctions were invented for? Not necessarily, he argues. ‘The law in the UK is heavily weighted in favour of the press. The journalist’s evidence may have been gathered through “unconventional” means – and the court may frown on the investigative methods – but a judge will still more than likely take the side of freedom of the press.’
Collaboration within the crisis response team is key, and each function must play to its strengths. Although the legal team can be an important touchpoint, a situation like this can be where PR and comms (internal or external) come to the fore, because they speak the same language as the journalists and may also have valuable connections they can call upon – although Drew cautions against any notion that the press can be controlled in any material way. They can also help create a counter-PR strategy.
‘Deciding when and how to speak to the press is a difficult judgement call, which in most cases is best left to the comms or corporate affairs team – but it’s important not to let a vacuum arise that others will fill. That way you lose any opportunity you might have to influence how the story unfolds,’ says Keith Hubber, former GC of The John Lewis Partnership.
‘The old adage of “tell it all, tell it fast and tell it truthfully” applies, but that requires a different approach from the legal team; there simply isn’t time to wordsmith every sentence or vet every press release or social media statement. While the GC will inevitably be focused on potential future litigation, the chief executive and the comms team will rightly focus on dealing with the more immediate risk of trial by media; especially social media. The legal and comms teams need to understand and accommodate each other’s perspective, and I would always advocate establishing some clear protocols as part of your crisis response planning.’
The regulatory angle
It has been a difficult few weeks for you, the GC of Tumble Toys. The Busy Rag published its article, which was picked up by most national newspapers and TV stations. Your feel-good kids’ football brand tie-up has fallen through.
You have now been tasked with a thorough investigation of your supply-chain partner in China, plus an evaluation of your whistleblower policies to ascertain why this issue went straight to the press and was not raised internally. You are summoned to frequent meetings to update the chief executive and the board. On top of the day-to-day workload, you and your team are feeling stretched.
But, finally, you feel you are beginning to come up for air… and then the next blow falls. Ten weeks after The Busy Rag published its article, Tumble Toys receives a letter from a government select committee, tasked with investigating how this apparent failure has put children in danger. The letter calls upon the chief executive to give evidence at a select committee hearing in 12 weeks’ time. A copy of the letter has been published on the select committee website and provided to the press.
With a sinking feeling, you realise your phone is about to ring with a worried chief executive on the other end. On the one hand, as a lawyer, regulatory issues are your field, but on the other, you have never been involved in a select committee hearing. What is the best course of action?
Beware the select committee
Few companies relish the prospect of being hauled over the coals by MPs under the glare of the media. Luckily, even fewer ever go through the experience. But, for those who do, there are some key elements to bear in mind, says Drew.
While the c-suite may want to bury their head in the sand, avoidance is generally the worst tactic. ‘Even if the CEO or chairman is not legally compelled to attend, refusing to go rarely plays out well in the long run,’ he advises.
Though preparation is key, there can be too much of a good thing. ‘Avoid turning up with an army of lawyers. Having the main players is important, but too many starts to look defensive.’
Says Drew: ‘Be prepared to take a bit of medicine. The nature of the beast of the select committee is that we aren’t going to win, but we want to make sure we lose as little as possible.’
Rob Booth, GC at The Crown Estate, has first-hand experience: ‘Having appeared at select committees and supported prep for them, the key thing for me is that approach will be as powerful as content. From the outset of the invite, through to appearing and follow-up clarifications, being respectful, genuinely engaging and – most importantly – not trying to point score, are all key to being given the space to make your points and defend your position. There is also a lot of value from getting expert insight on preparation, and there are some good providers out there who can give you the benefit of analysing the best and worst historic performances.’
Drew adds: ‘While it is important to prepare for the lion’s den, authenticity is critical. You have to try and win, or at least appease, the hearts and minds.’
Data (in)security
Through all of this experience, you reflect, there has been one silver lining. Tumble Toys has been spared that most modern (and complex) form of crisis: a data breach. But then, your complacency gets a wake-up call – in the form of a notification from the IT team, which has made a new discovery.
Three weeks ago, a hacker exploited vulnerabilities in the content management software of one of Tumble Toys’ newly-acquired subsidiaries, Gorilla Gamz Ltd. The hackers sought to compromise the company’s e-commerce software but were unsuccessful. However, they were able to extract personal information relating to many Gorilla Gamz employees. No customer personal information was taken, but the sniff of a data breach around Gorilla Gamz’s key demographic of 13-17-year-olds (and their parents’ credit cards), is another huge issue.
A crucial decision as GC is how transparent you will be about the breach to the Information Commissioner’s Office (ICO), to the public, and to your own employees. Given this breach has not become public knowledge, is there an opportunity to be seen doing the right thing – and for a PR win?
‘The priority when faced with a data breach is to secure the breach to prevent any continued data loss and then implement your data breach response plan,’ says Drew.
‘This should include preserving evidence of the breach in case it’s required for any investigation, notifying insurers so you can rely on their support, investigating the extent of the breach, identifying those affected and mitigating against the risk of harm coming to those individuals. In the new GDPR world, in this scenario you must notify the ICO within 72 hours; and you should decide on and document the approach as to whether to notify employees.’
Conclusion
RPC ran the workshop over the two days of the conference, mimicking the way a crisis can evolve into a series of interrelated events, and providing legal chiefs with a practical and focused opportunity to test ideas.
‘The nature of a crisis is that it’s unpredictable. So the more that we can have well-rehearsed systems, teams and processes in place, the more likely we are to achieve a positive – or, at least, less negative – outcome when the circus moves on. If we can do that, the more value GCs demonstrate,’ concludes Drew.
Nilema Bhakta-Jones, former GC at Ascential and now chief executive at Alacrity Law, sums up the experience: ‘Setting up a crisis management team was vital. Everyone had a role to play, but not everyone needs to be involved in every decision. Knowing when and who to escalate to was part of the overall plan. We used simple methodology, and people were grouped into bronze, silver and gold. Ensuring everyone understood the importance of privileged communication was an essential part of the guidance and role-play.’
‘Appointing one spokesperson and establishing the sign-off procedure for press and social media strategy was included. We created multiple communication channels, including a WhatsApp group, in case getting to email was an issue. Then we tested it with mock scenarios. The crisis management plan was put to the test for real (but in relation to minor events) and it worked – but we had a few lessons to learn.’