Corporate crisis events are on the upswing. A faster-paced R&D cycle, improved (but potentially riskier) technology, 24-hour news… the list of potential triggers goes on. But our understanding of such events has not always evolved at the same pace. We speak of ‘a crisis’ as though it’s a single incident but, in reality, a chain reaction will likely ensue – and no sooner than one element appears under control, another will pop up.
A tumble into crisis
Let’s imagine a company that is consumer-facing and has a large, warehouse-based workforce. Let’s imagine it makes toys, sells them online and is called ‘Tumble Toys’. Speed and efficiency in dispatching little Billy or Betty’s current heart’s desire is one of its key market differentiators – its marketing campaign features a gorilla called Tumble, who makes his way through various perils to eventually ‘tumble’ into the child’s house in various amusing ways. As with many companies, Tumble Toys has outsourced warehouse staffing to a third party.
Let’s imagine you’re the GC of Tumble Toys. You have a varied workload and a decent team of five lawyers. Your work (amongst other things!) is primarily a mix of supplier agreements, employee- and IP-related issues. You’re in the middle of an engaging new project looking at whether Tumble the gorilla can become the mascot for a kid-friendly football event – a perfect brand tie-up.
Your phone rings and it’s the CEO, who has just received a call from a national newspaper, The Busy Rag, known for its crusading stance on labour-related issues. They have received a tip-off from a former UK warehouse worker that the Chinese manufacturer of the popular Tiny Tumble – a smaller version of the best-selling Tumble the Gorilla soft toy – contains a phthalate in its fabric dye, which does not confirm to the relevant set of EU safety regulations: REACH (Registration, Evaluation, Authorisation and Restriction of Chemicals). The phthalate could be hazardous to children by potentially damaging their reproductive systems.
The former employee has told The Busy Rag that they feel this is indicative of a shoddy attitude to the supply chain, exacerbated by Tumble Toys’ focus on speed of delivery. The newspaper will publish the day after tomorrow but wanted to give the company right to reply.
‘What are we going to do?’ demands the CEO. There’s a meeting in her office in ten minutes. Tumble the Gorilla stares back at you from the football flyer. What should your plan of action be, and where can you best add value?
Create a crisis response group – quickly
The most crucial initial step is making sure you have a crisis response group in place. Ideally, you would have established this beforehand, in anticipation of future crisis situations. If not, it needs to be pulled together ASAP.
‘Getting that core team in place as soon as we can will be critical to determining the outcome – positive or negative. Equally, having a defined and pre-agreed process or set of protocols in place for how to respond is invaluable,’ explains Jeremy Drew, head of RPC’s commercial group.
‘In our workshops, most agreed that the GC should be the person pulling those strings – the de facto crisis chief of staff. Depending on the nature of the crisis, the likes of HR and corporate communications should be involved too, but the GC should be conducting the choir. And it’s a choir that needs to sing in harmony – break down those internal silos and work as a team.’
Be careful how you deal with the press
It might be tempting to reach out to the newspaper involved and to intervene in the story breaking, but this may not be a good idea.
‘Clients need to tread carefully when it comes to interacting with the media. It’s rarely a good idea, for example, to establish contact between the legal team and a journalist. They talk fundamentally different languages, and the danger of things being lost in translation is consequently high. It’s much better for that bridge to be built through the PR or comms team,’ cautions Drew.
But isn’t this what injunctions were invented for? Not necessarily, he explains.
‘The law in the UK is heavily weighted in favour of the press. The journalist’s evidence may have been gathered through “unconventional” means – and the court may frown on the investigative methods – but a judge will still more than likely take the side of freedom of the press.’
Collaboration within the crisis response team is key, and each function must play to its strengths. Although the GC and legal team can be an important touchpoint, a situation like this can be where PR and comms (internal or external) come to the fore, because they speak the same language as the journalists and may also have valuable connections they can call upon – although he cautions against any notion that the press can be controlled or influenced in any material way. They can also help create a counter-PR strategy.
‘Deciding when and how to speak to the press is a difficult judgement call, which in most cases is best left to the comms or corporate affairs team – but it’s important not to let a vacuum arise that others will fill. That way you lose any opportunity you might have to influence how the story unfolds,’ says Keith Hubber, former general counsel of The John Lewis Partnership.
‘The old adage of “tell it all, tell it fast and tell it truthfully” applies, but that requires a different approach from the legal team; there simply isn’t time to wordsmith every sentence or vet every press release or social media statement. While the GC will inevitably be focused on potential future litigation, the chief executive and the comms team will rightly focus on dealing with the more immediate risk of trial by media; especially social media. The legal and comms teams need to understand and accommodate each other’s perspective, and I would always advocate establishing some clear protocols as part of your crisis response planning.’
The regulatory angle
It’s been a difficult few weeks for you, the GC of Tumble Toys. The Busy Rag published its article, which was picked up by most other national newspapers and TV stations. Your feel-good kids’ football brand tie-up has fallen through.
You have now been tasked with a thorough investigation of your supply-chain partner in China and the minutiae of your agreements with them, plus an evaluation of your whistleblower policies to ascertain why this issue went straight to the press and was not raised internally. You are summoned to frequent meetings to update the CEO and the board. On top of the day-to-day workload, you and your team are feeling pretty stretched.
But, finally, you feel like you’re beginning to come up for air… and then the next blow falls. 10 weeks after The Busy Rag published its article, Tumble Toys receives a letter from a government select committee, tasked with investigating Tumble Toys’ supply chain practices and how this apparent failure has put children in danger. The letter calls upon the CEO to give evidence at a select committee hearing in 12 weeks’ time. A copy of the letter has been published on the select committee website and provided to the press.
With a sinking feeling in the pit of your stomach, you realise that your phone is about to ring with an irate and worried CEO on the other end. On the one hand, as a lawyer, regulatory issues are your field, but on the other, you’ve never been involved in a select committee hearing. What’s the best course of action?
Beware the select committee
Few companies will relish the prospect of being hauled over the coals by MPs under the full glare of the media. Luckily, even fewer ever go through the experience. But, for those who do, there are some key elements to bear in mind, says Drew.
While the CEO may want to bury her head in the sand, avoidance is generally the worst tactic. ‘Even if the CEO or chairman is not legally compelled to attend, refusing to go rarely plays out well in the long run,’ he advises.
Though preparation is key, there can be too much of a good thing, he advises. ‘Avoid turning up with an army of lawyers. Having the main players is important, but too many starts to look defensive.’
In fact, says Drew: ‘Be prepared take a bit of medicine. The nature of the beast of the select committee is that we aren’t going to win, but we want to make sure we lose as little as possible.’
Rob Booth, general counsel at The Crown Estate, has first-hand experience:
‘Having both appeared at select committees and supported prep for them, the key thing for me is that approach will be as powerful as content. From the outset of the invite, through to appearing and follow-up clarifications, being respectful, genuinely engaging with the committee and – most importantly – not trying to point score, are all key to being given the air-space to actually make your points and defend your position. There is also a lot of value to be gained from getting expert insight on preparation, and there are some really good providers out there who can give you the benefit of analysing the best and worst of historic performances.’
Drew adds: ‘Whilst it is important to prepare for the lion’s den, authenticity is critical. To some extent you have to try and win, or at least appease, the hearts and minds.’
Through all of this experience, you reflect, there has been one silver lining. Tumble Toys has been spared that most modern (and complex) form of crisis: a data breach. But then, your complacency gets a wake-up call – in the form of a notification from the IT team, which has made a new discovery.
Around three weeks ago, a hacker exploited vulnerabilities in the content management software of one of Tumble Toys’ newly acquired subsidiaries, Gorilla Gamz Limited. The hackers sought to compromise the company’s e-commerce software but were unsuccessful. However, they were able to extract personal information relating to many Gorilla Gamz employees. No customer personal information was taken, but the sniff of a data breach around Gorilla Gamz’s key demographic of 13-17-year-olds (and their parents’ credit cards), is suddenly another huge issue.
A crucial decision as general counsel is how transparent you will be about the data breach to the Information Commissioner’s Office (ICO), to the public, and to your own employees. Given this breach hasn’t become public knowledge yet, is there an opportunity here to be seen doing the right thing – and for a PR win?
‘The priority when faced with a data breach is to secure the breach to prevent any continued data loss and then implement your data breach response plan,’ says Drew.
‘This should include (amongst other things) preserving evidence of the breach in case it’s required for any investigation, notifying your insurers so you can rely on their support/expertise, investigating the extent of the breach, identifying those affected and mitigating against the risk of harm coming to those individuals. In the new GDPR world, in this scenario you must notify the ICO within 72 hours; and you should decide on and document the approach as to whether to notify employees.’
RPC ran the workshop over the two days of the conference, mimicking the way that a crisis event can evolve into a series of interrelated events, and providing general counsel with a practical and focused opportunity to test ideas.
‘The nature of a crisis – any crisis – is that it’s unpredictable. So the more that we can have well-rehearsed systems, teams and processes in place, the more likely we are to achieve a positive – or, at least, less negative – outcome when the circus moves on. And if we can do that, the more value GCs can demonstrate to the business,’ says Drew.
Nilema Bhakta-Jones, former general counsel at Ascential and now CEO at Alacrity Law, sums up the experience:
‘Setting up a multi-functional crisis management team was vital. Everyone had a role to play, depending on the nature of the crisis, but not everyone needs to be involved in every decision. Knowing when and who to escalate to was part of the overall plan. We used simple methodology, and people were grouped into bronze, silver and gold. Ensuring everyone understood the importance of privileged communication was an essential part of the guidance and role-play,’ she says.
‘Appointing one spokesperson and establishing the sign-off procedure for press and social media strategy was included. We created multiple communication channels, including a WhatsApp group, in case getting to email was an issue. Then we tested it with mock scenarios. The crisis management plan was put to the test for real (but in relation to minor events) and it worked – but we had a few lessons to learn.’