When a crisis erupts, the first 24 to 48 hours are critical for a company. The steps taken in those first hours may set the tone for how the crisis unfolds and is eventually resolved. Crises may arise in many possible ways: an arrest of a C-suite executive, law enforcement raids, allegations of serious misconduct at company events, viral media stories or social media posts, cyberattacks, or natural disasters. While each type of crisis requires and warrants special considerations, there are a series of questions to address at the beginning that are universal to all crises.
Olivia Radin and Kimberly Zelnick, partners at the global law firm Freshfields, explain the do’s and don’ts of crisis management. They discuss how to approach a crisis from day one and the key issues to consider, including identifying the stakeholders, setting a plan for leadership, preserving documents, preparing mitigation measures, and making statements to the public and regulatory authorities.
Olivia Radin is a partner in and a founding member of Freshfields’ US white-collar and global investigations group. She is a member of the firm’s global Board.
Kimberly Zelnick is the head of Freshfields’ global financial institutions disputes group and is a partner in the global investigations and complex litigation practice group.
Interview with Risk Management, Investigations, and Disputes experts – Olivia Radin and Kimberly Zelnick
Joel Cohen (Host): The first 24 to 48 hours after a crisis can be critical for a business. It can allow the company to set the tone of the response, to manage relationships with authorities or stakeholders, and to prepare for investigations or potential litigation that may follow. Today, we'll be discussing crisis management, and we'll get a strategic roadmap that companies can use as they find themselves in the eye of the storm. Hello, and welcome to TalksOnLaw. I'm Joel Cohen. Today, we're joined remotely by two experts on crisis management. We have Olivia Radin and Kim Zelnick of the global law firm Freshfields.
Olivia Radin (OR): Thanks, Joel. Great to be here.
Kim Zelnick (KZ): Thanks, Joel.
Framework for Crisis Management
Host: What are some of the basic strategies or the framework that you like to give as companies are addressing crisis management?
KZ: One of the things we like to say is at first do no harm. There can be an impulse to sort of get right out there and say, oh you know, there's no problem here, we've got it under control; or to tell regulators, oh, that it's absolutely untrue, we just flatly deny the allegations. And that's really not what you want to be doing because you're speaking before you have the facts. You know, there can also be a desire to go in and to interview senior people to find out what they have to say about what if there are allegations that involve them, and to do that without giving them the benefit of their documents, without having done the work, without knowing what else is out there, you can actually make a situation far worse than it needed, than it actually is.
OR: On that point, you know, there can be tremendous pressure from a commercial perspective and a brand management perspective to get out into the marketplace and say we are shocked and horrified at these terrible allegations, I can assure you this never happened, we'll get to the bottom of this, and we'll fire those responsible. The reason that what we do is called investigations work and advising on the legal implications of the conduct that we discover in the course of that is because it requires investigation to really understand what happened, and so, to make a categorical statement at the beginning of a crisis is really fraught with danger. That's why it's really important to get PR involved but also to coordinate with your legal counsel on these because there can be diametrically opposed incentives in terms of what you say at the beginning.
Do’s in Crisis Management
Host: Let's transition now into the do's and don'ts. How about some best practices to kick off first?
KZ: So you want to identify who your key stakeholders are: which regulators are going to be interested in this, are your banks going to be asking questions, your customers, your shareholders, maybe your boards of directors? But who are the people who are going to be asking and what are you going to be telling them? Second, you want to know who's in charge: who's going to be leading this investigation? That's important to determine on day one.
OR: You also want to identify your regulatory notifications, and this will vary based on jurisdiction. If you're operating in more than one country that's relevant to the conduct at issue, you want to think about, in each country and for each regulator because multiple regulators can be involved in each country, what your notification obligations and expectations might be. And following on from that, you also want to ensure you have consistent messaging. You certainly can't say inconsistent things to different regulators or different stakeholders, but you also may decide to approach a regulator or another stakeholder who you wouldn't otherwise approach because your hands are tied elsewhere. So for example, if you're operating in multiple jurisdictions and you're obligated to make a report in one jurisdiction, that usually means that you should make a report in all jurisdictions.
KZ: You want to prepare mitigation measures: do you need to be setting up some controls, do you need to be monitoring someone's emails, how are we going to mitigate this, what needs to be done? The second is prepare yourself. There's a flood of complaints that might be coming your way. You want to be, do you need to set up some call centers, how are you going to deal with that, what's your script, what are you going to say? Do you have a standing press statement? What are you going to do when people call to find out what's going on, how are you responding?
OR: So also right at the beginning, you do want to take steps to make sure that you're preserving relevant documents based upon a reasonable assessment of what those documents might be. That means talking to IT, talking to others to preserve documents and ensure that nothing's getting destroyed. And then last and very importantly, based on what you know on day one, you should make an initial assessment of your legal obligations and your potential legal exposure. This is, of course, going to change as the investigation proceeds and as you learn more, but you should always be keeping your eye on the ball and assessing what your legal obligations might be.
Don’ts in Crisis Management
Host: And one more before we let you go, some mistakes to avoid, how about some don'ts?
KZ: Well first, do not investigate without knowing the local rules. So don't just start conducting witness interviews in jurisdictions where you don't know whether that's allowed. Don't just start grabbing people's data if you don't know what the data protection rules are. You need to know what the rules are in wherever it is that you're investigating before you just go in and start conducting an investigation. The second is when you're talking to a regulator, do not, do not overpromise and then underdeliver. So we see this all the time. There's a desire to say we're gonna do this right away, we're gonna get back to you next week, we're gonna get back to you tomorrow. You don't need to do that a lot of times. You just take your time, take a breath and just, we'll get back to you when we can, we'll keep you updated, and just take it as it comes because it's a marathon, it's not a sprint.
OR: So a couple of other don'ts. Don't give in to the pressure in the first few days or even months and make knee-jerk public statements about what did or didn't happen. The truth of the matter is that the company won't have a good factual basis to evaluate that for some time. That's a really hard truth to live with, but it's the reality, and you really don't want to put the company on the record in what we call, you know, the public square saying this did or didn't happen when you just haven't done the work yet to know. Another really important don't in the world of investigations is, you know, don't create documents that add to the problem. When you're investigating, you know, think very carefully about what you put down on paper. These are complicated, nuanced situations, and so be careful about the shorthand you use. For example, when you're taking notes or when you're drafting a memoranda, make sure that you're including enough nuance to reflect the nuance that exists in the factual record and that you're not creating admissions that don't otherwise exist.
Host: Kim Zelnick, Olivia Radin, thank you for your time today.
KZ: Joel, thank you. It's been a pleasure.
OR: Joel, thanks for having us. It's been great talking to you.