Lessons from Mismanaged Crises
at Yahoo, Cuisinart and Wells Fargo
Managing a business crisis
has become increasingly challenging in the world of 24-hour news and Twitter.
Today a crisis can make a company appear to be in the middle of a three-ring
circus, argues Mark P. Zimmett in this opinion piece. He says there are some
concrete steps firms can take – in advance — to avoid a lot of the negative
fallout that can accompany a crisis. Zimmett is a commercial litigator in New
York City with over 40 years’ experience handling domestic and international
business crises. He was a member of the New York City Bar Task Force on
governance, and has taught at the New York University School of Law.
The mismanagement of bet-the-company business
crises has become pandemic. Consider just the most recent examples. In December
2016, Yahoo disclosed that three years earlier hackers had stolen confidential
information from more than one billion accounts, including users’ names,
birthdates, phone numbers, encrypted passwords and backup security data.
The company’s disclosure of the theft followed its disclosure in September of
the same year another breach of 500 million accounts in 2014. Senior executives
had been aware of the 2014 hacking, but failed to properly understand or
investigate it. Following the second disclosure, Yahoo’s market value
plunged 6%, it was forced to discount the sale of its internet business to
Verizon by $350 million, CEO Marissa Mayer lost her 2016 bonus and the general
counsel resigned.
Cuisinart launched a product safety recall in
December 2016 of about eight million food processors whose blades can
apparently crack over time and cause injuries, a problem that was flagged five years earlier by consumers. But although the
company announced the recall at a time of its choosing, it was unprepared to
follow through with the fix: Phone lines set up to receive calls reportedly
were deluged early on and the company’s website was unable to process
claims for replacement parts.
Wells Fargo appears to have botched the
management of its recent crisis through lack of preparation. When CEO John
Stumpf testified about the sham-account sales scandal before the U.S. Senate
Committee on Banking, Housing and Urban Affairs, one frustrated senator later
said, according to The
Wall Street Journal: “It’s been going on for
five years … and he doesn’t have any answers for this problem? By the time the
questioning got to me, I was pretty well pissed off.”
These are only the latest high-profile
mismanaged crises. There are many other examples, such as the crises arising
from major bank violations of anti-money laundering regulations and related
laws and from automotive industry failures with ignitions, brakes, airbags and
emission controls.
Contrast the above-companies’ performance
with Johnson & Johnson’s handling of its tampered-Tylenol crisis in 1982,
long considered a paradigm of successful crisis management. However, today even
its response probably would be regarded as a failure. The company took
three days to decide how to respond. In our internet age with its 24/7 news
cycle, a company does not have three days to react; it may not have even three
hours. Advance planning is critical.
But how does one plan ahead? Crises arise in
many forms: a cyber-attack, a plant explosion (gas leak or terrorism?);
the sudden death or incapacity of the CEO, a whistle-blower alleging fraud,
bribery or regulatory evasion; the list is endless. But most board members
and senior managers are generalists, and none has the special expertise to
respond to every crisis.
Plans Are Useless, but
Necessary
Dwight Eisenhower, who made his reputation as
a war planner, said, “plans are useless – but planning is indispensable.” He
knew that developing his arsenal of weapons would give him the resilience to
respond to the unexpected in battle. Mike Tyson made the same point, but with
more punch, “Everyone has a plan until he gets hit in the face.” Yet, no
matter how often Tyson got hit in the face, he continued to train for the same
reason that Eisenhower continued to plan.
So, how should a company’s board and senior
managers prepare for crises? First, identify those potential crises for which
the company needs a response, assessing the likelihood of the crisis occurring
and its impact on the business. In the jargon of crisis management, this
is called BIA, business impact analysis. One cannot foresee and catalog
every possible contingency, but that should not stop one from trying to
anticipate the most critical threats and to build from there.
Build a team: Second, identify and interview the professionals
likely to be needed in any crisis, such as media communications specialists,
auditors and forensic accountants, IT professionals, and lawyers with
appropriate practice backgrounds (including crisis management). Others will be
appropriate for only particular problems, such as oil well firefighters and
product or system specialists (e.g., engine emission control technicians or
SWIFT payment systems experts). Regulators may prefer some outside
professionals, particularly those such as auditors and lawyers who will be
assessing the conduct of the company’s personnel, to be independent of the
company, i.e., have done no previous, and expect no future, work from the
company. But how then does one assure that they still will be available
and conflict-free when a crisis hits?
Build a notebook: Third, build a notebook for each board member (or
board crisis management committee member) and each senior manager with the
contact information and brief professional background of all personnel to be
contacted in a crisis; both company employees and outside consultants and
professionals. You cannot master the three-ring circus until you have mastered
the three-ring binder.
Keep it up to date: Building the notebook is not enough. Keep it up to
date. When its rig exploded in the Gulf, British Petroleum reportedly had in
place an emergency oil spill plan based on boilerplate plans cribbed from
several other petro companies – right down to a telephone number for an expert
who had died years earlier. And how are people to be contacted when
computer and phone systems are down?
Run fire drills: Finally, run occasional “fire drills.” The New York
Stock Exchange had a plan to stay open with a pared down staff in the event of
a disaster, and to shift execution of trades to its all-electronic sister
exchange, Arca. However, when Hurricane Sandy hit more than a year later,
NYSE-member banks and brokerage houses decided to close the NYSE for several
days because, among other reasons, they had never tested their ability to trade
using the contingency plan and were not sure it would work.
Internal Investigations and
Regulatory Review
Preparing to manage the eventual crisis
should extend to planning for its aftermath: the potential internal
investigation and regulatory review. Not all crises call for an internal
investigation, but many do, particularly when malfeasance or culpable
nonfeasance is suspected. Who controls the investigation, a lawyer who insists
on following wherever the evidence may lead, or the company’s elected board
that is ultimately responsible for the company’s conduct?
Ten years ago, a New York City Bar Task Force
on the Lawyer’s Role in Corporate Governance concluded that “the client [the
company] must define the scope of the investigation.” However, there are
practical limits. The lawyer has the right, and possibly a duty, to resign
if he or she believes that the scope is unduly narrow and, of course, if the
matter under investigation is of interest to the company’s regulator(s), a less
than full investigation would probably be unacceptable. As the pre-eminent
lawyer Rodgin Cohen has observed, “The most serious penalties are often
reserved for situations where the institution has flunked the investigation of
the underlying conduct, rather than the conduct itself.”
Not all internal investigations involve
regulatory scrutiny. Those that do raise an issue of the degree to which
the company should cooperate with its regulators. The New York bar task
force noted that “Great lawyers may counsel non-cooperation just as they may
counsel cooperation.” Just as? Really? However true that may have
been 10 years ago, today the issue is less cooperation versus non-cooperation
than how best to negotiate the scope of the investigation.
A business crisis can be a three-ring circus
involving the company, outside professionals and the government. Planning and
drills are critical to managing it. Practice will not make us perfect, but
it can make us proficient, and appropriate planning can prevent making the
crisis worse and instill confidence that the company is properly prepared to
deal with it.
http://knowledge.wharton.upenn.edu/article/lessons-from-mismanaged-crises-at-yahoo-cuisinart-and-wells-fargo/?utm_source=kw_newsletter&utm_medium=email&utm_campaign=2017-03-09
No comments:
Post a Comment