Lessons from Mismanaged Crises at Yahoo, Cuisinart and Wells Fargo
Managing a
business crisis has become increasingly challenging in the world of 24-hour
news and Twitter. Today a crisis can make a company appear to be in the middle
of a three-ring circus, argues Mark P. Zimmett in this opinion piece. He says
there are some concrete steps firms can take – in advance — to avoid a lot of
the negative fallout that can accompany a crisis. Zimmett is a commercial
litigator in New York City with over 40 years’ experience handling domestic and
international business crises. He was a member of the New York City Bar Task
Force on governance, and has taught at the New York University School of Law.
The mismanagement of bet-the-company business crises has become
pandemic. Consider just the most recent examples. In December 2016, Yahoo
disclosed that three years earlier hackers had stolen confidential information
from more than one billion accounts, including users’ names, birthdates, phone
numbers, encrypted passwords and backup security data. The company’s
disclosure of the theft followed its disclosure in September of the same year
another breach of 500 million accounts in 2014. Senior executives had been
aware of the 2014 hacking, but failed to properly understand or investigate
it. Following the second disclosure, Yahoo’s market value plunged 6%, it
was forced to discount the sale of its internet business to Verizon by $350
million, CEO Marissa Mayer lost her 2016 bonus and the general counsel
resigned.
Cuisinart launched a product safety recall in December 2016 of
about eight million food processors whose blades can apparently crack over
time and cause injuries, a problem that was flagged five years earlier by consumers. But
although the company announced the recall at a time of its choosing, it was
unprepared to follow through with the fix: Phone lines set up to receive calls
reportedly were deluged early on and the company’s website was unable to
process claims for replacement parts.
Wells Fargo appears to have botched the management of its recent
crisis through lack of preparation. When CEO John Stumpf testified about
the sham-account sales scandal before the U.S. Senate Committee on Banking,
Housing and Urban Affairs, one frustrated senator later said, according
to The Wall Street Journal: “It’s
been going on for five years … and he doesn’t have any answers for this problem?
By the time the questioning got to me, I was pretty well pissed off.”
These are only the latest high-profile mismanaged crises. There
are many other examples, such as the crises arising from major bank violations
of anti-money laundering regulations and related laws and from automotive
industry failures with ignitions, brakes, airbags and emission controls.
Contrast the above-companies’ performance with Johnson &
Johnson’s handling of its tampered-Tylenol crisis in 1982, long considered a
paradigm of successful crisis management. However, today even its response
probably would be regarded as a failure. The company took three days to
decide how to respond. In our internet age with its 24/7 news cycle, a company
does not have three days to react; it may not have even three hours. Advance
planning is critical.
But how does one plan ahead? Crises arise in many forms: a
cyber-attack, a plant explosion (gas leak or terrorism?); the sudden death or
incapacity of the CEO, a whistle-blower alleging fraud, bribery or regulatory
evasion; the list is endless. But most board members and senior managers
are generalists, and none has the special expertise to respond to every crisis.
Plans Are Useless, but Necessary
Dwight Eisenhower, who made his reputation as a war planner,
said, “plans are useless – but planning is indispensable.” He knew that
developing his arsenal of weapons would give him the resilience to respond to
the unexpected in battle. Mike Tyson made the same point, but with more punch,
“Everyone has a plan until he gets hit in the face.” Yet, no matter how
often Tyson got hit in the face, he continued to train for the same reason that
Eisenhower continued to plan.
So, how should a company’s board and senior managers prepare for
crises? First, identify those potential crises for which the company needs a
response, assessing the likelihood of the crisis occurring and its impact on
the business. In the jargon of crisis management, this is called BIA,
business impact analysis. One cannot foresee and catalog every possible
contingency, but that should not stop one from trying to anticipate the most
critical threats and to build from there.
Build a team: Second,
identify and interview the professionals likely to be needed in any crisis,
such as media communications specialists, auditors and forensic accountants, IT
professionals, and lawyers with appropriate practice backgrounds (including
crisis management). Others will be appropriate for only particular problems,
such as oil well firefighters and product or system specialists (e.g., engine
emission control technicians or SWIFT payment systems experts). Regulators
may prefer some outside professionals, particularly those such as auditors and
lawyers who will be assessing the conduct of the company’s personnel, to be
independent of the company, i.e., have done no previous, and expect no future,
work from the company. But how then does one assure that they still will
be available and conflict-free when a crisis hits?
Build a notebook: Third,
build a notebook for each board member (or board crisis management committee
member) and each senior manager with the contact information and brief
professional background of all personnel to be contacted in a crisis; both
company employees and outside consultants and professionals. You cannot master
the three-ring circus until you have mastered the three-ring binder.
Keep it up to date: Building
the notebook is not enough. Keep it up to date. When its rig exploded in the
Gulf, British Petroleum reportedly had in place an emergency oil spill plan
based on boilerplate plans cribbed from several other petro companies – right
down to a telephone number for an expert who had died years earlier. And
how are people to be contacted when computer and phone systems are down?
Run fire drills: Finally,
run occasional “fire drills.” The New York Stock Exchange had a plan to
stay open with a pared down staff in the event of a disaster, and to shift
execution of trades to its all-electronic sister exchange, Arca. However, when
Hurricane Sandy hit more than a year later, NYSE-member banks and brokerage
houses decided to close the NYSE for several days because, among other reasons,
they had never tested their ability to trade using the contingency plan and
were not sure it would work.
Internal Investigations and Regulatory Review
Preparing to manage the eventual crisis should extend to
planning for its aftermath: the potential internal investigation and regulatory
review. Not all crises call for an internal investigation, but many do,
particularly when malfeasance or culpable nonfeasance is suspected. Who
controls the investigation, a lawyer who insists on following wherever the
evidence may lead, or the company’s elected board that is ultimately
responsible for the company’s conduct?
Ten years ago, a New York City Bar Task Force on the Lawyer’s
Role in Corporate Governance concluded that “the client [the company] must
define the scope of the investigation.” However, there are practical
limits. The lawyer has the right, and possibly a duty, to resign if he or
she believes that the scope is unduly narrow and, of course, if the matter
under investigation is of interest to the company’s regulator(s), a less than
full investigation would probably be unacceptable. As the pre-eminent lawyer
Rodgin Cohen has observed, “The most serious penalties are often reserved for
situations where the institution has flunked the investigation of the
underlying conduct, rather than the conduct itself.”
Not all internal investigations involve regulatory
scrutiny. Those that do raise an issue of the degree to which the company
should cooperate with its regulators. The New York bar task force noted
that “Great lawyers may counsel non-cooperation just as they may counsel
cooperation.” Just as? Really? However true that may have been 10
years ago, today the issue is less cooperation versus non-cooperation than how
best to negotiate the scope of the investigation.
A business crisis can be a three-ring circus involving the
company, outside professionals and the government. Planning and drills are
critical to managing it. Practice will not make us perfect, but it can
make us proficient, and appropriate planning can prevent making the crisis
worse and instill confidence that the company is properly prepared to deal with
http://knowledge.wharton.upenn.edu/article/lessons-from-mismanaged-crises-at-yahoo-cuisinart-and-wells-fargo/?utm_source=kw_newsletter&utm_medium=email&utm_campaign=2017-03-09
No comments:
Post a Comment