Cyber attacks, corporate scandals, environmental disaster… just some of the threats businesses face as they go global. Legal Business asks leading GCs how to handle – and avoid – a crisis.
‘I’ve dealt with many crises… government investigations, data privacy breaches, pollution… they’re all nauseating. Your gut churns when you get that call and know the next few weeks or even years are going to be tough.’
Bjarne Tellmann, general counsel, Pearson
‘What happened to Lehman Brothers? And to Bear Stearns? I’m not sure even the people at Lehman or Bear Stearns could tell you. The only certainty is the fourth and fifth largest investment banks in the US are no longer. And that it happened with breathtaking speed.’
Peter Beshar, general counsel, Marsh & McLennan
In his recent book, The Inside Counsel Revolution, Harvard Law professor and former General Electric legal chief Ben Heineman argues that the core mission of global corporations should be the fusion of high performance with robust integrity and sound risk management.
Heineman notes that when you consider the impact of major events – whether it is Deepwater Horizon, Enron, Lehman Brothers, or the Siemens bribery scandal – on international businesses, knowing when to expend time and resource responding to emerging risks or potential crises is one of the hardest but most important questions for chief legal officers.
And the risks businesses and general counsel (GCs) face in a globalising, networked and more heavily-regulated world are clearly increasing. A 2013 study of 320 GCs by KPMG, ‘Beyond the law – how General Counsel are turning risk to advantage’, found more than 90% of respondents citing the volume and complexity of regulation as their greatest organisational risk (the report already noted the mounting and ultimately justified concerns that cyber security would be the next major front to open on business risk).
With this in mind, and last month’s UK vote on EU membership sending shockwaves through markets, Legal Business canvassed experienced in-house counsel and advisers to find some lessons learned at the sharp end of a crisis.
Ground control
If crisis response has long been a feature of the GC role, recent years have seen expanding in-house teams called to manage and neutralise risks in a more proactive fashion, focusing earlier in the process.
Articulating the need for the right level of resources to assume that preventative role is pivotal. As such, time should be set aside to consider the impact of catastrophic error and criminal acts that significantly affect confidence in the business, as well as more standard framework risks, if GCs are to make a reasoned cost-benefit case on the resource required. It is impossible to anticipate everything, so building the right infrastructure and culture will minimise the damage of a crisis.
When in-house veteran Philip Bramwell joined defence company BAE Systems as legal chief in 2007 from O2, the company was facing a plethora of regulatory challenges and investigations over allegations of corruption in dealings across a number of foreign countries.
Bramwell says that the legal team shares responsibility for maintaining an effective internal framework. ‘If you have a modern system right across your business from the ground up everyone will be a sensor for analysing risks faced by our products and the territories we operate in. That is the basic legal structure, which produces awareness on the part of the executive leadership of the risks to implementing your business plan and the risks of, frankly, existing as a large public company.’
‘This industry has had problems with standards of business conduct,’ says Bramwell. ‘Every generation of management has scars on its back from the crises suffered over the years. So we tend to be attuned to those.’
Deutsche Bank’s outgoing head of strategy for legal, Emma Slatter, who served as a figurehead charged with handling many of the bank’s post-crisis regulatory and compliance problems, agrees that creating a defined governance team is key to managing risk. Slatter stresses the importance of the group being centralised and wholly independent of other functions to provide coherence to the risk and ethical policies across borders. ‘The concept originated in Asia. [Deutsche Bank’s] geographical spread means individual jurisdictions need central co-ordination. The purpose is to establish governance around an issue and have a steering group of senior-level participants. You need to know who is making decisions. It imposes governance internally and you know who to report to.’
A major element in assessing ‘framework risks’ that legal heads at plcs increasingly wrestle with, warns Heineman, is building sophisticated industry knowledge to help them understand flashpoints far outside their legal training. Heineman, a persistent critic of legal education for failing to address business and commercial issues, cites as an example the failure of banking GCs and lawyers to understand the finance models their companies were using ahead of the credit crunch.
A crisis case study – Marsh & McLennan
Marsh & McLennan, the US insurance and consultancy group, in late 2004 faced a complaint from the New York attorney general Eliot Spitzer. The morning the complaint was announced, two Marsh staff had pleaded guilty to illegal bid rigging. Announcing the charge against the pair, Spitzer refused to negotiate with Marsh and said it would ‘very possibly’ indict the company.
Marsh’s share price plunged, its corporate credit rating was immediately cut, and a series of regulatory and legal actions followed within days, recalls Marsh general counsel (GC) Peter Beshar in a case study on the episode. Clients were ‘outraged’. A $12bn-revenue company with 60,000 employees was under the threat of collapse. Enron’s auditor, Arthur Andersen, had collapsed three years previously amid an indictment.
Beshar was at the time a US disputes partner at Gibson, Dunn & Crutcher and was drafted in as GC. He had 48 hours to accept the offer and seven days to start.
An initial complication was dealing with multiple competing agencies and regulators, which had different agendas, a dynamic that was to become a feature of global enforcement across many areas, including white collar, competition and more recently data security.
After tough negotiations with Spitzer, Marsh secured a deal, despite resisting a lot of what the attorney general had pushed for. This triggered a new stage of wider fallout. Says Beshar: ‘Within minutes of announcing the settlement on Monday morning [with the attorney general], we reached out to regulators. Some hung up on us.’
Marsh was repeatedly told internally and externally not to engage their clients in the immediate period after Spitzer’s announcement. Marsh’s legal team under Beshar ignored that advice and ‘tried to humanise a company that had been demonised’. Notes Beshar: ‘We rejected this advice for fear that, if we waited, there might not be any clients left.’
Marsh sent a letter to all clients and conducted five ‘open microphone’ calls with clients. On the first call, 9,000 lines were used and they had claimant lawyers on the line.
One client asked if Marsh could come to their offices and inspect their files. Beshar signalled no; the chief executive instead responded: ‘Of course.’ Hundreds of clients took up that offer. In May 2005 Marsh sent notices to 100,000 clients describing their remedial steps (largely involving restitution of client funds).
Marsh did not try to advocate for the settlement to be signed – they left the choice to the client. Over 90% signed. The releases became a critical element of subsequent defence to civil claims.
Says Beshar of the tone of their response: ‘We tried to communicate continuously even though uncomfortable questions kept being asked. We didn’t have hard answers to all these questions, but we kept the dialogue open.’ During the most intense period, Marsh conducted seven all-staff conference calls during three months.
Beshar’s recommendations for crisis management:
1. Stay in touch with your stakeholders.
2. Conduct a serious risk assessment early.
3. After the risk assessment, put it to one side because it will still fail to anticipate the unpredictable. Appreciate planning but also the limits of planning.
4. Remember that the response is not just about senior management – senior management can be part of the problem. You need the board fully engaged – if there is a vacuum, they are the best chance to fill it.
5. Be decisive. This is the biggest challenge for lawyers as they always want more information for a better decision. In a crisis you don’t have that option. Make your best stab on the information available and move on.
6. Be positive. In a crisis people are shell-shocked. You need to tell staff: ‘We are going to get through this.’
7. Keep going. Beshar concludes by quoting Churchill for a crisis: ‘When you are going through hell, by all means keep going.’
This case study is based on Peter Beshar’s article ‘Living through a Corporate Crisis’, published in the 2009 book Bright Ideas: Insights from Legal Luminaries Worldwide.
In assessing the low-probability, high-impact risks – the category most likely to trigger a true crisis – Heineman suggests corporates consider the military technique of having separate red team/blue teams to independently critique the other team’s prevention and crisis response plans to provide the most rigorous assessment.
Also relevant to mobilising staff to monitor and help address risks is driving what Bramwell dubs an ‘awareness culture’, which can be managed in training with simulation exercises. Bramwell’s team ‘lock themselves in the boardroom’ and are presented with mock TV interviews, press articles and work with a specialist crisis management provider – all to predict the potential aftermath of a crisis.
‘The only way to get through it is practice, practice and practice,’ he says. The exercise also encourages the team to consider macro-economics and geopolitical factors that affect the industry. ‘Consider the incoming risk three to five years ahead that’s relative to the existence and prosperity of this company. You do this and you’re likely to be able to alight upon some scenarios which are foreseeable.’
Bjarne Tellmann, GC at publishing giant Pearson, is another advocate of simulation exercises. Preparing for turbulent times has been a feature for Tellmann of late, after the company announced in January it was to shed 4,000 jobs – 10% of its global workforce. ‘You have your outside experts, your internal PR, your legal team come up with a scenario and break into groups. I play the chief operating officer, give them a scenario and tell them to formulate a response. After ten minutes, I come back and watch how they deal with the pressure. There’s no better way to start than that.’
It is after a potential crisis emerges that the planning begins to pay dividends. Dan Fitz, GC of BT, wrote a piece in 2013 on effective response for legal chiefs. He cited a basic three-stage protocol that BT used for crisis response:
- Identify the individual to project manage crisis response and clarify reporting lines.
- Identify the wider ‘crisis’ team to handle the matter until resolved.
- Delegate and get the rest of your team to focus on the day job.
Fitz – another advocate of risk exercises – stresses the need for likely response teams to have met and built links before an actual problem to improve communication, as speed is crucial. He also warns that the team needs to be constantly reminded that the company, not the C-suite or senior officers, is the client and so early separate legal representation of staff with divergent interests is important. Bramwell echoes this theme: ‘Your client is the company, not the management. Maintaining such fierce independence can sometimes be very uncomfortable for some people.’
Amol Prabhu, director and head of EMEA emerging markets for legal at Barclays Bank, says: ‘You can never start too early learning about crisis. If you build a foundation for the legal team then you’ll be in a position to assist. It’s the lawyers at the table who are able to ask forensic, detailed questions and push assumptions made. We must [also] have collaborative and meaningful relationships with regulators, and it’s critically important we can define our business strategy – that sets the risk parameters of the business you’re doing.’
Prabhu’s point that GCs need to understand a company’s strategy and business model to help shape a considered and effective framework to manage risk is echoed by his peers, not only to avoid crisis, but in some cases challenge the business over risks it is taking.
The message
Once a crisis hits, you need to know how to handle communications, internally and externally. Having a good working relationship with your PR team – a feat many GCs struggle with – is increasingly valuable. Says Tellmann: ‘There are two courts you will deal with: the court of law and the court of public opinion. Both are equally important for the company’s survival. You can win in court, but if you do that without recognising the importance of your communications, you will win the battle and lose the war. As the crisis unfolds, it’s well advised to ensure there are certain subjects the media might cover that get immediately communicated to the chief executive. Has someone been killed? Be clear who is doing regular updates [to avoid] five separate versions on what happens in a day. The legal department needs to make sure the business only communicates when it’s needed – preserve legal privilege wherever you can.’
It is important not to bow to media pressure. The desire for an immediate response from journalists seeking facts can hinder your ability to manage a crisis. ‘It’s assumed as a large company you have all the facts at your disposal,’ says Bramwell. ‘In any crisis you will come under extreme pressure to perform. Don’t start informing the public unless you know something to be true.’
Bramwell adds: ‘It brings in competing pressures where the media tell you they want the facts. But operations might say: “We just don’t know yet.” It’s a heads you win, tails I lose – choose the least worst option. People will judge you not on their own standards but the standard they project onto major multinationals who are presumed highly competent in every field.’
Many GCs advise being relatively candid about areas in which you do not know the answer, rather than appearing evasive. However, communication should be stripped down to core messages: coherent, consistent and tailored to the medium, with social media, for example, requiring a different tone and delivery, even though the underlying substance is the same.
A recurring theme stressed by battle-hardened GCs is to be as open as you realistically can be, and communicate a lot both internally and externally to clients, which will involve repetition of simple messages. Crisis veterans emphasise the importance of communicating verbally through conference calls and face-to-face meetings rather than relying on emails or written statements. A reassuring tone, and signalling that the situation is being dealt with, helps to steady staff and boost confidence.
An increasingly important question for GCs in many contexts will be dealing with regulators and asking if there should be early disclosure to relevant watchdogs. While the answer will depend on the situation, increasing liabilities for failing to report early mean GCs will usually have to have a clear strategic and legal rationale if they choose not to report.
With regulators under pressure to crack down, and increasingly competing and co-operating nationally and across borders, Bramwell warns that in-house teams must strive to maintain constructive relationships with watchdogs. ‘It’s not easy being a regulator. The public have expectations that they can cure any ill. It’s a tough job. If things have not gone well and you’ve got a broken or difficult relationship, you’ve got to try and recover that.’
Learning lessons
There are many examples of in-house legal departments demonstrating effective crisis management, and providing a playbook of dos and don’ts for peers.
‘I am most impressed with Rupert Bondy [GC] at BP,’ says Tellmann. ‘His team have been remarkable with the energy, effort and years of life that went into management of that crisis. They made sure they were responding to what was an absolute catastrophe.’
Tellmann also cites the effective handling by GC Christopher Reynolds of Toyota’s sudden acceleration scandal of 2009-10, which led to a $1.2bn civil settlement, noting: ‘What he did was remarkable and it made his career.’
Interestingly, Heineman is more critical of BP at a corporate level, focusing on Deepwater Horizon in some depth in his book. In particular, he highlights the failure of BP to implement its own recommendations on improved safety following the Texas City refinery explosion in March 2005, which killed 15 workers, as contributing to the Deepwater spill.
Heineman also cites poor handling in the aftermath of the spill, which ultimately cost the company more than $50bn, calling the episode ‘Exhibit A for every general counsel who has to convince business leaders about the importance of a safety culture and expending resources on low-probability but high-impact events’.
His book notes: ‘BP’s reputation was severely impaired by its mishandling of the immediate response to the disaster… clearly the whole BP upper echelon in corporate headquarters was broadly responsible. Six weeks after the explosion, a Harvard Business School professor said BP had flunked any test of leadership: failing to state or face facts, minimising the problem, promising action that couldn’t be delivered, and blaming others.’
Concludes Heineman: ‘They made a mistake – no safety culture, but the mistake was made in two hours. The rig blew up five years later – $50bn in change.’
Other episodes are cited as case studies to learn from, with Siemens’ high-profile bribery scandals in the 2000s being one of the most noted. The case led to a $1.6bn legal settlement by Siemens with American and European authorities.
Its then GC Peter Solmssen was lauded as a key figure charged by Siemens chief executive Peter Loescher to help clean up the company’s culture. Heineman notes that Solmssen was a ‘protégé of mine’ and says: ‘[Solmssen] changed the chief executive and handled it well. He did a good job in the response, but not the prevention.’
Peter Beshar, GC at US insurance group Marsh & McLennan, was on the front line of the successful response to a threatened corporate indictment in the US after several staff pleaded guilty to bid rigging in 2004 – a genuine bet-the-company matter (see case study above).
Last year, supermarket giant Tesco was exposed for a £250m overstatement of profits thanks to an internal whistleblower reporting to group GC Adrian Morris. It is currently under investigation by the Serious Fraud Office and faces a £100m damages claim from its investors.
Heineman notes that the risk agenda for in-house counsel in the future will increasingly relate to cyber security. ‘This is the number one threat to public and private security – there is so much turmoil. The terrorists have been aiming at soft commercial targets – power plants, chemical plants, planes… the idea being: destroy it and create havoc in the community.’
RPC’s director of GC services, Julia Chain, who previously worked as legal chief at T-Mobile, warns that while GCs have made strides in fostering a culture of integrity, there is considerable room to improve. ‘Today it’s clear we have some alignment to risk management. This is often followed by not being able to get the company to invest in it significantly and not involving in-house lawyers in all business decisions. I’m not seeing this whole area being taken as seriously as it should.’
Heineman agrees: ‘There’s a repetitiveness of corporate crisis where major companies have not learned to create a culture of integrity. We see enough in the day-to-day of corporate failures to see it is not universally learned.’
Adapting to newly-implemented legislation on human slavery will also see corporates under pressure to ensure the right checks and balances are in place for the emerging market jurisdictions they are operating in. In truth, tougher regulation is advancing globally across all sectors, while the prevalence of the internet and social media has increased the chances of damaging information leaking and then spreading uncontrollably.
And of course, the fallout from last month’s Brexit vote will test GCs’ crisis response to the limit.
Ultimately, while the progressively embedded commercial role required of GCs collides with a wider risk brief, there is plenty of opportunity for an increasingly mature legal profession to assert itself.
Tellmann concludes: ‘You should never let a good crisis go to waste. It is your best opportunity to shine. A live crisis is one moment where the entire executive leadership, board and legal advisers are aligned. You are in a unique position to take leadership of that crisis. If you try to absolve yourself from being accountable this can make or break your career. Don’t ever underestimate the value of a good crisis.’
As Bramwell notes of the satisfaction for GCs in coming out the other side: ‘You’ve added enormous value, you’ve preserved jobs, people’s investments, pensions… It doesn’t get any better than that.’
sarah.downey@legalease.co.uk