A Changing Information Environment

Over the past year, the USA has seen the results of longer-term shifts in the information environment, which has become highly disaggregated. Americans across the political spectrum are increasingly turning to alternative, personality-driven and independent media sources, heavily relying on podcasts, newsletters and social media as primary news outlets. This shift has provided Americans with a diverse range of narratives about current events from a variety of sources – while pitting online talk shows and podcasts primarily designed to entertain with a point of view against mainstream media outlets bound by editorial standards and journalistic rigour. Growing distrust in institutions, including the press, has exacerbated the rising influence of these channels, while, at the same time, their proliferation has increased the potential for misinformation. For crisis mitigation and management, this new information landscape presents both a significant challenge and, if understood and harnessed correctly, an opportunity to engage and persuade key stakeholders during periods of intense scrutiny.

Many Voices, One Message

There have never been more ways to own and tell a story – meaning crises can no longer be easily managed in isolation, let alone privately and quietly. Additionally, in today’s environment, anyone and everyone has a microphone via social media. Crises can emerge and escalate on any platform, at any time, so organisations must prepare for how to address the many voices and pressures these channels may amplify. A key aspect of modern crisis management is determining where and how to engage stakeholders effectively and ensuring that defences are ready to be deployed swiftly across all relevant channels.

Regulated Industries Under Fire

Highly regulated and/or government-funded industries are typically the most vulnerable to crises in the USA. For example, industries involving consumer health and safety, such as airlines, health insurers and others, have faced a host of controversies and crises over the past year. This has also been a trend within higher education, where political debates and protests have played out on campuses, and an unprecedented number of university presidents have been summoned to testify before Congress. With the changing US Administration and new federal directives related to diversity, equity and inclusion (DEI), coupled with newly empowered activist pressures, companies face a reigniting of complex, highly visible, and socially and politically fraught discussions from both internal and external audiences. In contending with these issues, the education sector in particular has to consider a unique set of stakeholders and expectations around freedom of speech and academic freedom, both of which complicate their crisis response.

Crisis Prevention is Crisis Preparation

To protect against future crises, it is crucial for organisations and institutions to learn from each crisis experience, being careful to incorporate lessons into future preparations. Further, they should be careful to think ahead about issues and scenarios playing out in other sectors that could impact them down the line, whether DEI, continued geopolitical unrest, immigration and visa issues, tariff and antitrust policy, and more. Planning ahead about what positions they want to take on complicated or sensitive topics and how they will want to communicate with their various stakeholders can help mitigate future crises.

M&A activity tends to fluctuate during corporate crises, with some companies leveraging the moment to acquire assets at lower valuations. There are numerous examples of this in recent US history, including during the dot-com bubble burst, the 2009 global financial crisis and the COVID-19 pandemic. 

Integrating Legal Counsel Into Crisis Management

Every issue is different and will have its own set of legal and regulatory considerations in the USA. For example, in a cybersecurity incident, there are multiple sets of obligations at the state, federal, and even contractual level that dictate how an organisation must respond or disclose information. Understanding such laws, and how they apply to the situation at hand, is critical and necessitates deep collaboration with legal teams. Furthermore, a crisis incident in and of itself will often lead to litigation, regulatory scrutiny, or an enforcement action. This is why any organisation facing a crisis must have in-house and outside legal counsel as part of their core crisis team, not only to address compliance with the law itself, but also to consider and mitigate potential future liability risks.

There is no applicable information in this jurisdiction.

Integrating Government Affairs Into Crisis Management

Whether regulatory officials or elected representatives, the government at the federal, state and local level can often plays a significant role in crisis management and preparation, particularly for regulated industries that are inherently closely connected with governmental entities. The specific agencies involved will depend on the nature of the crisis, but every crisis response framework should include government affairs and these specific audiences as key stakeholders. Bringing in an experienced government relations team helps ensure all communications or other response protocols are filtered through the lens of this important constituency, protecting a company’s reputation among – and relationship with – these authorities.

Oversight by Public and Private Bodies

Some of the government agencies and regulatory bodies that oversee crisis management preparedness for companies and public bodies include the Federal Emergency Management Agency (FEMA), the Securities and Exchange Commission (SEC), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Reserve & Office of the Comptroller of the Currency, which ensures that financial institutions maintain contingency and disaster recovery plans. 

Some industry and private sector organisations that serve in the same capacity across various industries include the Business Continuity Institute (US Chapter), the American National Standards Institute’s National Emergency Management Standards and the Financial Stability Oversight Council.

Publicly traded companies in the USA are required by the SEC to disclose material risk factors in their public filings, including in annual reports or through a Form 10-K, meaning they must identify and explain to investors the most significant events, risks or financial factors that could potentially affect their business, operations and financial condition. As it relates to cybersecurity, for example, the SEC mandates that publicly traded companies must disclose “material” cybersecurity incidents on Form 8-K within four business days of discovering them, providing details on the nature, scope and potential impact of the incident.

Requirements vary industry-to-industry and crisis-to-crisis. Any organisation, particularly publicly traded companies or those in highly regulated industries, should work with legal experts and disclosure counsel to understand and prepare for the required disclosures or evaluations to which they may be subject.

There is no applicable information in this jurisdiction.

There is no applicable information in this jurisdiction.

There is no applicable information in this jurisdiction.

The Crisis Playbook

Effective crisis management plans typically consist of two essential elements. The first is an overall crisis response protocol, which outlines a set of core principles, team member roles and responsibilities, and a clear structure for evaluating, escalating and responding to potential crises the organisation may face. The second is a set of sample scenarios – often the top five or six most likely to occur or most problematic/impactful issues – and specific guidelines for how to address them.

This type of framework is the foundation for effective crisis management efforts and is the central document around which the crisis team organises and, if necessary, executes in real time.

Key Components of a Crisis Strategy

The crisis management plan should also take into consideration how stakeholders are managed during a crisis, including:

• a stringent but flexible decision-making and approval process;
• a holistic stakeholder strategy that can be adapted according to real-time insights into the most crucial internal and external audiences;
• a solid understanding of the facts and a strong narrative, communicated by well-prepared spokespeople;
• a shared commitment to rapid action during a crisis;
• an effective system for consistently disseminating information to key stakeholders as a crisis plays out and evolves; and
• strategic use of data and feedback to assess, target, and fine-tune the crisis response during and after the event.

Crisis Response Infrastructure

It is common and considered best practice to establish designated crisis committees or working groups, along with protocols and the necessary operational mechanisms to enable the committee to be notified, convene and implement those protocols in the event of a crisis.

From a communications perspective, this typically includes a rapid response system that identifies who needs to sign off on any internal or external communications, and an expedited process for obtaining said approvals that eliminates unnecessary delay. It is important to include representatives across relevant business functions and stakeholder groups in the working group. The right group of representatives will depend on the type of crisis but typically includes legal, PR and investor relations and may also include human resources, government relations, IT/data-security and others. Similarly, it is important to determine the core spokespeople and channels that will support each stakeholder group in delivering consistent messages, but tailored to specific audiences. Maintaining up-to-date contact lists of clients, shareholders, media and regulators also streamlines both communications efforts and crisis assessment, which could inform how the crisis response takes shape in real time. Lastly, many organisations will designate an Operations Room for severe crises that allows the core crisis team to work together in a focused and protected centralised location.

Considering an Outside View

Most companies will have some form of a crisis committee at the management level. At the board level, the responsibility for risk assessment and response typically lies with the audit committee, although some boards are establishing dedicated reputational risk committees. 

At the management level, the crisis working group should contain both internal representatives of the organisation and independent perspectives from, for example, external legal and communications counsel – and it is recommended that leaders engage external resources early in the committee building process to ensure the group is well-rounded. 

Representing Diversity of Thought

Because every crisis is different, an ideal crisis group will also have members from various parts of the organisation who have the expertise to handle the many different forms a crisis may take. Still, depending on the crisis, the group may need to add additional skills, voices or subject-matter experts to better navigate specific situations, and processes should be built that allow them to do so. Additional representatives from operations, compliance, security, human resources, government relations, finance, facilities management, information technology or investor relations should be identified in the event they are needed. Lastly, a physical location or alternative channels for electronic communications should be considered ahead of time.

Bringing a Team Together

Ultimately, the most important feature of a crisis committee is a willingness to work together; a group that is willing and able to take advantage of the many perspectives and skills at the table will be best equipped to adapt to whatever unpredictable challenges a crisis may bring. Additionally, ensuring the group can work smoothly together requires training. Crisis teams should build muscle memory by acting out crisis scenarios and/or conducting regular lessons and exercises.

Define Flexible Roles for a Unified Crisis Response Team

A strong crisis response team should consist of a diverse group of management members, senior leaders from the legal and communications teams and external legal and communications advisors. The roles of each member of the committee should be made clear so as to eliminate any confusion over responsibilities when a crisis strikes. However, that does not mean any member should operate independently. It is imperative that the group takes a holistic mindset and that every function, especially legal and communications, is completely integrated. Further, there should be no siloes between those who define the strategy and those who execute the plans, even if the team members responsible for execution are not part of the core crisis committee. Regular communication, simulation training and a cohesive overall approach ensure that all aspects of the crisis are addressed efficiently and effectively.

Effective Communication: The Cornerstone of Crisis Management

During a crisis, the team should meet regularly to identify new developments, correct inaccuracies, tailor messaging and plan for potential developments or new scenarios. Creating feedback loops is paramount, as continuous interaction and collaboration help maintain a unified and informed response, enabling the team to adapt swiftly to evolving circumstances and maintain a consistent and accurate narrative. To that point, communication among the crisis team and management should not be limited to moments of crisis. Tabletop exercises, red teaming or internal and external qualitative analyses should be done at least quarterly to help the group stay vigilant and prepared.

Maximising Success Through External Expertise

There are many external experts that can be invaluable to crisis prevention and management. For example, cybersecurity firms like Mandiant and Kroll are often brought in to help investigate and mitigate data breaches and cyber-attacks. Of course, there are also the more traditional experts like legal counsel and communications firms whose insights are required to effectively handle a crisis from a legal, regulatory and stakeholder perspective. Any advisors should be able to bring on specialists in specific issue areas such as digital reputation management, dark web monitoring or personnel security, which can prove critical in the event of these specific situations.

No One-Size-Fits-All Approach to Success

“Success” in the face of a crisis is not easily measured and looks different for every company. Still, some factors we might look at to evaluate a crisis response – and improve future planning – include the following.

• Response time – the time required to acknowledge and respond to the crisis, and whether the preparation done in advance was as complete as possible.
• Fundamental business impact – whether or not the company can return to regular business operations, or how long it takes stock price to recover.
• Public sentiment – leveraging field research to determine how key stakeholders like investors, consumers and potential employees now perceive the organisation.
• Internal sentiment – ability to retain current employees and employee morale.
• Legal and regulatory compliance – whether the company was knowledgeable on and equipped to address all relevant legal and regulatory requirements.

Taking the time to assess these measures and identify missteps or oversights helps bolster crisis strategies for the future and safeguard any successes in the long term.

The Importance of a Strong Response Framework

How quickly a company can identify a crisis and its implications depends on how prepared they are. An organisation that has taken the time to build a strong foundation for monitoring, assessing and escalating emerging or crises issues will be able to respond to and mitigate them more rapidly than one that first has to define roles, identify resource gaps and create a strategy.

Many companies will develop an internal framework by which to identify and assess a crisis. Typically, this contains a group of questions or a checklist that aim to uncover:

• how broad is the potential reach;
• what kind of risk will it introduce to stakeholders;
• what or who is driving the situation;
• what impacts might this have on operations;
• how quickly can this be addressed;
• are there legal or regulatory implications;
• are extra resources required; and
• is the safety of an organisation’s core constituents threatened.

The first step in any crisis situation would be to use these questions to understand the reach and impact of the situation. Once that has been decided, there should be yet another standard framework that dictates the escalation process and immediate next steps in terms of whom to involve, how to convene these resources and what to prioritise.

Building and Training on Crisis Plans

The most well-prepared companies have pre-set business continuity, cyber-incident and crisis communications response plans in place. These plans will outline guiding principles, clear step-by-step action plans and proposed messaging/materials that can then easily be implemented when a crisis strikes. So long as these plans are properly developed and trained on, they give crisis groups a head start and help guide them through the key decision-making processes required during a crisis.

Common elements of a crisis plan include:

• an overview of what constitutes a crisis, along with key principles, best practices, and typical errors;
• procedures for spotting and escalating potential issues early, including tracking social and digital media;
• clear definitions of the crisis team’s roles and responsibilities, including how and where crisis communications fit in;
• guidelines for reporting, evaluating, and responding to crises, including steps for escalation, crafting responses, and securing approvals;
• pre-prepared messages for the most probable and high-risk situations; and
• additional resources to ensure a smooth and effective response (eg, key stakeholder contact details).

Understanding Risk

Assessing risk starts with a vulnerability analysis, or an internal and external look at the issues that could impact an organisation’s constituents, reputation and/or normal course of business. Relevant risk factors include common crises such as natural disasters, cyber-issues or product outages or recalls, as well as any potential threats a management team has identified as part of its regular diligence. Regulatory changes or industry trends can also signal possible risk, as can perception studies that might reveal vulnerabilities to be aware of among an organisation’s stakeholders. Lastly, more organisations are realising that any number of reputational risks can impact their bottom line, licence to operate, ability to attract or retain talent or their competitive position.

Expect the Unexpected

At the same time, things that may seem outside the realm of possibility, but that would have highly problematic consequences, should also be considered. Monitoring crises impacting other organisations or playing out in other parts of the world should be part of this effort, even if they are not directly tied to the industry or business. Scenario planning should be conducted for events that are one, two or even three standard deviations from a “common” crisis to pressure test a company’s existing protocols and procedures.

Still, it is equally important for companies to remember that not everything is a crisis. Understanding what is not a crisis is as crucial as knowing what is, and is key to mitigating risk appropriately.

Simulations Create Smooth Real-Time Response

Companies should and often do use simulations, conducted across business levels and functions, to prepare for crises. These can take different forms, but should always be informed by risk analysis, tailored to specific areas of interest or need and designed to facilitate collaboration. Likewise, example scenarios will be case-by-case, but might include cyber and customer data issues, M&A leaks, public shareholder issues and shareholder activism issues, union and labour-related issues, DEI issues or any crisis that has come up within the business sector in the past.

Corporations: Integral Threads in the Fabric of Society

Additionally, today’s businesses are not isolated from broader social issues; they are expected to actively engage with and influence them. Therefore, it is crucial that they consider social and political scenarios in any simulation, such as how the business might respond if it were revealed that they are engaging with a divisive public figure and how they would handle hot-button social and political issues like DEI, climate change or political donations.

Employees are an Extension of the Crisis Team

Many organisations have started to leverage e-learning tools to extend crisis training or risk assessment protocols to the whole of the organisation. Typically, HR or compliance departments will mandate that these trainings be taken during onboarding or at a yearly cadence. This aligns with best practice, which is to ensure that all employees at all levels are aware of how to identify risk, how to assess it, the potential ramifications of their actions as they relate to potential crises, common policies that govern behaviour at work and interaction on public channels, and how to escalate situations that may arise in their course of work.

Empowering Employees Through Policy

Codes of conduct and policies on press, social media, cultural sensitivity, cybersecurity and more are all directly tied to how well equipped employees are to prevent and prepare for crises. Like with other traditional training courses, these policies and procedures can be mandated at an organisational level to ensure all employees are acting in a way that is commensurate with the overall crisis preparedness plan.

Sample Legal Challenges or Crisis Situations to Watch

The definition of a crisis will change from one organisation to the next, as will the relevant legal challenges. Some common issues that could stem from or result in litigation could include:

• allegations of executive or employee misconduct, malfeasance or corruption;
• significant workplace accidents;
• labour disputes;
• IP theft;
• unexpected regulatory developments;
• shareholder litigation or other actions; and
• congressional investigations or oversight.

There are a number of different enforcement authorities and regulatory bodies at the federal and state level that represent potential legal liability to companies and management.

Considering State-Level Enforcement

In a legal and mass claims context, one trend in this market is an increased use of delegated authority by state attorneys general to private plaintiffs’ attorneys. As a result, there are more opportunities for state-level enforcement actions against companies.

Companies co-operate with authorities frequently, and as needed based on jurisdictional and industry requirements. Heavily regulated industries, for example, frequently work in close consultation and co-operation with the appropriate regulatory bodies before, during and following a crisis.

Legal Counsel’s Role in Reputation and Crisis

Whether internal or external, an experienced attorney can help evaluate liability, limit exposure and mitigate damage by crafting a robust legal strategy from the outset. Sometimes, this action alone can be sufficient to prevent a situation from escalating. In other cases, a full-blown crisis may not be avoidable. In that event, the legal team and communications advisors must be aligned. A legal strategy that takes into account how its actions will be perceived by key stakeholders and the public will provide the company with the best opportunity to identify and navigate the legal and reputational challenges a crisis might present.

Lawyers as Communicators: Why This Consideration Matters

Legal representatives should be part of the central crisis management team and work with senior leaders and communications advisors to help steer the company through every stage of the crisis. Lawyers are skilled communicators, and by partnering with communications teams, lawyers can help inform more balanced and educated reporting while also ensuring any public statements are compliant and do not generate additional legal risk. This should be one of the key criteria a legal team or outside counsel is evaluated on, in addition to their ability to respond rapidly to ever-changing crisis situations and their experience working in close partnership with the many other members of the crisis team on high-pressure situations.

There is no applicable information in this jurisdiction.

There is no applicable information in this jurisdiction.

Some insurance companies do offer policies for various types of crises. One of the most common is cybersecurity insurance.

Essential Steps for Reputation Recovery

Measuring the impact of a crisis on reputation is an important first step to rebuilding and protecting that image moving forward. A few ways to understand a crisis’s impact include undertaking field surveys or focus groups with key audiences, monitoring and analysing social media conversations or holding post-crisis interviews with stakeholders and media. The learnings from these exercises can then inform the development and execution of a targeted recovery plan.

See 2.5 Transparency Requirements and 2.6 Sectoral Requirements.

Co-Ordination is Non-Negotiable

Communication strategies are not one-size-fits-all; they must be tailored to the company, its usual methods of stakeholder engagement and the specific situation at hand, particularly its severity. However, co-ordination is non-negotiable, as it is essential for ensuring consistency. Legal and communications teams should own this co-ordination, working together to ensure that all messaging is appropriate for sharing and consistent across channels.

Take a Holistic Approach, Even Across Multiple Channels

In some cases, a single co-ordinated channel, such as a dedicated webpage for information about a product recall, may be the most effective means of disseminating a company's messages. In other situations, such as a settlement with a government enforcement agency, more targeted communications efforts may be required.

Each scenario will vary, but if a company has a clear understanding of who its stakeholders are, how it typically communicates with them and what their individual needs are in real-time, this will better enable it to execute a co-ordinated game plan effectively. Companies that fare poorly in crises are often those that adopt a siloed approach to communications, fail to put on a united front across different teams and/or say different things to various stakeholder groups.

While no two situations are the same, in crisis situations companies should plan to engage employees early and as often as possible, not only so that they are hearing from the organisation first, rather than reading about the company’s issues in the news, but also to make them ambassadors for the brand by helping them understand and articulate the organisation’s position. And if the right communications channels do not exist, the organisation should invent them. 

Overall, the lines between internal and external communications continue to blur. Today, the external is internal and the internal is external – meaning none of the communications happening within either sphere should be considered in a vacuum.

The Hub and Spoke Model: How and Why to Use It

The hub and spoke model is one approach to engage multiple stakeholders in a consistent manner. This means establishing one central, decision-making group – the hub – to define communications plans and messaging, and then using smaller groups or individuals – the spokes – to execute the plan across relevant stakeholder groups. The spokes will have a deep understanding of the unique channels each stakeholder uses and how to adapt the approach to the audience’s needs, while the hub helps ensure messaging is consistent and accurate across every platform.

Direct Communication Minimises Negative Impacts

Investors and shareholders are a key stakeholder group to engage regularly during a crisis. Keeping investors informed of the situation at hand and the company’s plans to address it may be legally required (if material), and can also bolster investor confidence and minimise the negative business impacts of a crisis, particularly to the extent investors need guidance on the potential financial and regulatory impact of the crisis. To that end, companies should consider disclosure options, bespoke investor newsletters or posting statements to their investor relations webpage – or a microsite if one does not exist – to ensure shareholders are receiving consistent and accurate information directly from the company.

Trust is a Two-Way Street

To maintain customer trust during a crisis, companies should establish and utilise feedback loops. Without real-time feedback on how messages are being received or how the situation is evolving, it becomes challenging to address emerging concerns directly and worse, it may give the impression that the company is being evasive. From this perspective, leveraging social media platforms during a crisis is important both to take the temperature on consumer sentiment as well as to distribute messages to large consumer audiences. However, thinking beyond pre-established protocols and platforms in a crisis and allowing for flexibility in engaging customers is key, such as by publishing open letters from the CEO directly to customers, or deploying a specific consumer spokesperson on broadcast channels to address customer concerns.

Do Not Let a Company’s Response Become Its Own Crisis

Employees are an increasingly vocal source of support and criticism who tend to base their judgement more on the company’s response to a crisis than the nature of the crisis itself. With that in mind, it is wise for companies to prioritise communications to this group, ie, act quickly and be sure to reference the company’s mission, vision and values in employee communications. Assuring employees that the organisation is living the values its culture is built upon helps to maintain their confidence and morale.

The Unique Role Employees Play in a Crisis

It is also important for companies to remember that employees play a unique role in crisis communications themselves. When telling employees about the resolution, companies should make sure they understand the company’s decision-making as well as any limits on what they can or cannot say publicly. This is especially important for employees who deal with outside parties, and who may have the matter brought up in the course of their work. Companies should be careful to explain any constraints on what they can say about the matter, while still fostering a sense of teamwork and authenticity.

Do Not Make Unnecessary Changes

The most effective channels are the ones that are typically used. If a company breaks protocol in the course of trying to reach its stakeholders, this can often confuse or worsen the problem. Still, some circumstances like data breaches may require new or specific channels of communication that are outside the traditional scope. The key for companies is to be aware of any legal, regulatory or other requirements like this ahead of time and to build those into the response framework, so all communications are consistent, compliant and compelling.

The Aftermath: Learning From Crises

There are several ways to extract lessons from crises both in the immediate aftermath and on a continued basis. A post-mortem internally, where leaders provide a qualitative review of the situation, and externally, where an expert reviews and assess protocols and plans, should reveal successes and missteps. Then ongoing tabletops where leaders simulate crisis situations can help uncover operational inefficiencies or gaps that may not have been relevant during the most recent crisis but that could come up in the future. The lessons from these types of exercises will become the foundation for a new and improved crisis management plan and should all be actioned into clear improvements to processes and protocols. Crisis management is a cycle: companies should prepare, respond, recover, assess, and then prepare again. Only by learning and iterating is it possible for companies to stay ahead.

Policies Demonstrate a Commitment to Change

As the company begins to move forward, it is crucial for board members, management and external advisors to engage in blame-free discussions about what worked well and what could be improved or changed or newly implemented for future crises. Additionally, they should review feedback from employees and the public, as well as their existing policies, marketing content, partnerships and other regular business engagements through the lens of the crisis to get a fuller picture. These insights should be used not only to update procedures and playbooks for future crises, but also to create new or revised policies that demonstrate a commitment to learning and change. Doing so can achieve two significant outcomes: positioning the company better for future challenges and strengthening relationships in the aftermath of the crisis.

Turn to the Experts

While adhering to industry standards and best practices, such as ISO certification, is important, it is also crucial for companies to work with experts who are up to date on evolving policies and practices. Collaborating with dedicated crisis management consultants who have a keen understanding of the latest trends and industry standards will give a company the best chance of being effective in crisis prevention and preparedness. Additionally, companies should consider ongoing training for their crisis team or entire employee base to ensure they remain current with best practices as they evolve. This proactive approach not only helps in preventing future crises but also ensures that the organisation is always prepared to respond effectively.