2 THE BENEFIT OF A CRISIS MANAGEMENT PLAN BEFORE THE CRISIS HITS Carmen J. Lawrence Jonathan A. Forman Brenna C. Terry Fried, Frank, Harris, Shriver & Jacobson LLP If you find this article helpful, you can learn more about the subject by going to www.pli.edu to view the on demand program or segment for which it was written. 101
102
An ounce of prevention is worth a pound of cure. Benjamin Franklin A crisis is an unanticipated event that requires companies to make critical decisions to address complex, high-stakes, and time-sensitive issues. As part of good corporate governance, companies should implement (and, in many instances under the federal securities laws, are required to implement) compliance programs (including a written code of conduct and appropriate policies and procedures), which are specifically tailored to address the company s business activities. Compliance programs are particularly important because they may help prevent a crisis from developing and, in the event of a crisis, may limit any legal or regulatory action taken against or sanctions imposed on the company. For example, one of the four factors that the SEC Enforcement Manual considers in determining whether an enforcement action is necessary is a company s [s]elf-policing prior to the discovery of the misconduct, including establishing effective compliance procedures and an appropriate tone at the top. Also, recent SEC and DOJ public statements have underscored the importance of companies emphasizing a culture of compliance where open communication, integrity, and compliance are fostered by the company s management. 1 Although compliance programs significantly help prevent crises from developing, they may still occur despite a company s best efforts. Therefore, having a crisis management plan in place, as outlined below, will help a company more effectively and efficiently manage a crisis and avoid potential missteps along the way that could prove costly. Depending on the type of crisis, the management plan can vary in structure and level 1. See, e.g., Preet Bharara, U.S. Attorney for the S. Dist. of N.Y., Prepared Remarks at the CUNY School of Journalism (June 6, 2011) ( [I]f you are single-mindedly focused on walking the line, you are bound to end up afoul of regulators, and God forbid, criminal prosecutors. Even more dangerous perhaps, you are sending a message to every other person at the firm that line-walking is a good idea. ); Robert S. Khuzami, SEC Dir. of Enforcement, Remarks at Open Meeting Whistleblower Program (May 25, 2011) ( [C]ompanies with effective compliance programs and cultures of compliance are actually more likely to attract whistleblower information as a result of the incentives in today s rules. ); Preet Bharara, U.S. Attorney for the S. Dist. of N.Y., Prepared Remarks at SIFMA s Compliance and Legal Society Annual Seminar (Mar. 21, 2011) ( The best-conceived compliance policies and practices in the world will be too weak to stave off scandal if the core principles are not internalized.... It does not suffice to require training sessions in the minutiae of the regulatory structure. It does not suffice to have strong compliance programs that are fly-specked by a hundred lawyers. People need to know and feel it in their bones that the bosses will not tolerate lapses in integrity.... ). 3 103
of detail. The plan is not meant to be a step-by-step blueprint of what should be done in the event of a crisis, but rather to serve as a flexible resource and organizational tool. 1. IDENTIFY POTENTIAL CRISES The first step in any plan is identifying the types of potential crises that may arise. Because most crises are unanticipated events, this step requires the company to think analytically and creatively about likely crises and black swan events. In conducting this important exercise, a company should understand that crises do not occur in a vacuum and that, in many instances, a crisis of one type may quickly transform into a larger crisis including multiple types. For example, a financial crisis may quickly lead to a legal crisis involving civil lawsuits, government investigations, and other crises, such as loss of key personnel and reputational injury. A. Types of Crises. Companies are vulnerable to many different types of crises and from many different sources, including among others: i. Financial Crises bankruptcy, liquidity or credit crunch, excess leverage, counterparty credit risk; ii. Legal Crises investor or derivative lawsuits, whistleblower complaints, regulatory or governmental investigations; and iii. Other loss of key person, natural disaster, acts of terrorism, market disruption, operational disasters, reputational or political controversies. 2. FORM A CRISIS MANAGEMENT TEAM The team should consist of key officers, advisors, and representatives of the company s various functional areas (including the CEO, COO, CFO, and representatives from the legal, public relations, security, human resources, and information technology departments) to which information about the crisis will be directed and which will formulate the company s response. A. Determine a chain of command for the team and particular responsibilities for each of its members. 4 104
B. Designate a company officer as a contact person for employees. i. This officer may be the company s CCO or another employee in its compliance department. ii. Provide employees with this person s contact information and encourage them to contact them in the event of a crisis. C. Designate at least one of the team members as the company s spokesperson to the public. Such spokesperson(s) should be credible and experienced with speaking to the media. D. Identify or retain outside advisors, including among others: i. Outside counsel experienced in crisis management, including representation in connection with white collar criminal and securities regulation and enforcement defense; ii. Outside counsel experienced in the laws of the foreign countries in which the company operates; iii. Public relations firms that have expertise in crisis communications, are familiar with the industry and the company, and are able to act quickly during a crisis; iv. Outside experts in governmental relations or investor relations; and v. Linguists for the foreign countries in which the company operates. 3. KEEP THE CRISIS MANAGEMENT TEAM PREPARED AND ALERT After designating the team, the company should prepare and educate it to ensure an effective and efficient response to any crisis that may arise. A. Maintain a readily accessible list of contact information for team members and keep it updated. B. Provide the team with relevant information to be prepared to make informed decisions quickly. i. Maintain updated organizational flow charts. ii. Prepare a searchable database that contains all public disclosures and statements by the company. C. Assess the company s document management and retention system to ensure that all relevant documents (including e-mail and ESI) are 5 105
preserved and retained in an easily accessible manner such that they may be collected and reviewed to respond quickly to a crisis. i. Map out the physical/electronic locations of all relevant information. ii. Maintain a readily accessible list of contact information for custodians of databases and on-site/off-site facilities (including vendors) that the company would need to contact to implement a litigation hold. iii. Understand the company s document deletion cycles and how to halt them when necessary. D. Educate the team in relevant legal trends, other company crises, and the culture and customs of the foreign countries in which the company operates to anticipate the company s likely crises. E. Train the team through mock exercises/simulations and devise protocols or response scenarios for handling certain situations, including, among others, the following enforcement or investigatory scenarios: i. Search warrants. a. Determine the identity and location of items that are indispensable to the ongoing day-to-day operation of the business to enable the attorney to negotiate with the agents to retain working copies of those materials. b. Identify outside counsel that can immediately be present at each search site to: a. Liaise with the government agents and communicate that the company will cooperate with the search; b. Request a copy of the search warrant to validate the search and identify the areas and things authorized to be searched; c. Obtain names and contact information of the agent supervising the search and the prosecutor in charge of the investigation; d. Document any disputes relating to whether responsive materials may be found in a particular location on the premises or whether a particular type of document is responsive to the warrant; and 6 106
ii. iii. e. Instruct employees to limit conversations with agents they should only speak with agents to the extent it is required to help the agents conduct their search. Arrests of Employees. a. Identify which employees are integral to the day-to-day business of the company and which of their responsibilities and functions would need to be continued in the event of their arrest. b. Create an accession plan that identifies which employees would take over those responsibilities and functions. c. Train those employees so they are prepared to take over those responsibilities and functions. Receipt of Government Request Letters, Subpoenas, or Legal Complaints. a. Educate custodians of databases and on-site/off-site facilities (including vendors) on what they need to do when they receive a document retention notice from the company. b. Ensure that those custodians have the appropriate resources to comply with a document retention notice in a prompt and efficient manner. c. Develop a protocol for the orderly collection, review, and production of responsive documents, whether handled internally or with the assistance of outside counsel. 4. DEVELOP AND PREPARE A COMMUNICATION PROTOCOL AND PLAN FOR COMMUNICATING WITH EMPLOYEES, GOVERNMENTAL ENTITIES, THE MEDIA, AND THE PUBLIC Develop a consistent and thoughtful communication protocol and plan that can be implemented to facilitate communication both inside and outside the company once a crisis happens. In particular, this communication protocol and plan should be mindful of the following relevant third-parties: (i) regulatory agencies; (ii) local, state, and federal prosecutorial agencies; (iii) competitors; (iv) shareholders; (v) investors (for broker-dealers and investment advisers); (vi) creditors; (vii) lenders; 7 107
(viii) Congress; (ix) media; (x) auditors; (xi) counterparties; (xii) insurers; and (xiii) securities or options exchanges. A. Prepare the following measures to ensure that the company can communicate quickly and effectively with employees and relevant third-parties. i. Maintain contact information for employees of the company and individuals at various news sources, industry publications, and government agencies. ii. Draft templates for certain documents and get them approved by the company s management and counsel so that they may be filled out and deployed quickly in the event of a crisis, including among other things: a. Document retention notices to employees and vendors; b. Letters to investors, clients, and/or employees; c. Press releases; and d. Inactive website pages that may be activated to disseminate press releases or other company communications to the public. B. Adhere to the following guidelines when communicating with employees and third-parties. i. Emphasize that full disclosure and total candor should be followed do not speculate. ii. Ensure that all communications with the public and employees should be consistent in message, channeled through the spokesperson(s) and vetted by company counsel. a. Devise rules on the release of information to the public and employees. b. Instruct employees that, in the event of a crisis, they should not speak with the media or other third parties. If an employee is contacted, he/she should refer the inquiry to the company s spokesperson(s). c. Expect that all internal notices will become public and will be scrutinized by investigators after the fact. iii. The following SEC settlements illustrate that a company may face heightened or additional sanctions if it makes false or 8 108
misleading statements about an SEC investigation during or after the investigation. a. Without admitting or denying the allegations, Endocare, Inc. in July 2006 settled SEC charges that it engaged in a widespread accounting fraud and made false and misleading public statements about the results of an internal investigation. In particular, the complaint alleged that, after Endocare s auditors informed the audit committee that it could no longer rely on the representations of Endocare s management and that it was withdrawing its report on Endocare s financial statements for the last fiscal year, Endocare issued a press release announcing that the audit committee and its advisors, after an independent review and investigation, had concluded there was no indication of fraud or wrongdoing by management. This press release was allegedly false and misleading because Endocare had not conducted an independent investigation and its internal review had in fact revealed substantial evidence of fraud or intentional wrongdoing. Ultimately, Endocare agreed to pay a $750,000 civil penalty and be permanently enjoined from future violations of the antifraud, reporting, recordkeeping, and internal controls provisions of the federal securities laws. SEC v. Endocare, Inc. et al., Litig. Release No. 19772 (C.D. Cal. July 25, 2006). b. Without admitting or denying the allegations, Lucent Technologies, Inc. in May 2004 settled SEC charges that it improperly granted and/or failed to disclose extracontractual commitments that violated GAAP. After reaching an agreement in principle with the SEC staff to settle the case, Lucent s former Chairman/CEO and its outside attorney characterized a transaction that was subject to the SEC investigation as a failure of communication during an interview with a reporter. The SEC found that this public statement undermined both the spirit and letter of Lucent s agreement in principle with the staff to not deny the SEC s allegations and cited it as one of the examples of Lucent s failure to cooperate. Ultimately, Lucent agreed to pay a $25 million civil penalty and $1 million in disgorgement and to be 9 109
permanently enjoined against future violations of the anti-fraud, reporting, books and records, and internal controls provisions of the federal securities laws. SEC v. Lucent Technologies, Inc., Litig. Release No. 18715 (May 17, 2004); SEC Press Release 2004-67, Lucent Settles SEC Enforcement Action Charging the Company with $1.1 Billion Accounting Fraud (May 14, 2004). c. Without admitting or denying the allegations, Dynegy Inc. in September 2002 settled a cease-and-desist order and SEC fraud charges that it improperly accounted for and made misleading disclosures relating to a $300 million financing transaction, known as Project Alpha, involving special purpose entities and overstated its energy-trading activity resulting from round-trip or wash trades. Only after the SEC staff expressed concerns to Dynegy about Alpha did Dynegy disclose Alpha s impact on its financial performance in a Form 8-K that the company filed with the SEC on April 25, 2002. After those concerns were raised by the SEC, but before Dynegy filed the Form 8-K, Dynegy s former CFO falsely stated to the public that Alpha s primary purpose was to secure a long-term natural gas supply, and Dynegy continued to assert that obtaining a long-term gas supply was a principal purpose of Alpha. Prior to Dynegy s filing of the Form 8-K Dynegy officials did not acknowledge that Alpha s principal purposes were, in fact, to minimize the gap between Dynegy s reported net income and reported operating cash flow and to realize an associated tax benefit. Ultimately, Dynegy agreed to cease and desist from further securities laws violations, restate its financial statements, and pay a $3 million civil penalty, which reflect[ed] the Commission s dissatisfaction with Dynegy s lack of full cooperation in the early stages of the Commission s investigation, as discussed in the Commission s Order. In the Matter of Dynegy, Inc., Admin. Proc. File No. 3-10897 (Sept. 24, 2002); SEC v. Dynegy Inc., Litig. Release No. 17744 (S.D. Tex. Sept. 25, 2002). 10 110
NOTES 111
112 NOTES