Today, all institutions face a range of potential crises, including significant accounting and financial fraud issues, allegations over a range of matters, such as sexual abuse and misconduct by senior executives, discrimination claims, hacking of sensitive customer information, global Foreign Corrupt Practices Act problems, and mistreatment or defrauding of customers and clients, to name just a few. For banking organizations, these issues can be even more serious than for other institutions because of regulatory expectations, the political focus on the banking sector, and the special role that banks play in our day-to-day lives.
The skills needed to successfully manage particular crises will vary, and decisions made at the outset, including choosing the right legal and public relations advisers, may dictate in large part whether the crisis is contained or spirals out of control. If a crisis is not handled properly and quickly, regulatory and reputational risks can cascade, potentially leading to damage to reputation, stock price, and financial well-being, and may even endanger the existence of the organization.
This article reviews key considerations for crisis response, in particular: regulatory expectations relevant to crisis management, the heightened role of trust and reputation for a banking organization facing a crisis, considerations for whether to form a special committee of the board to respond to a crisis, and practical principles to help manage a crisis effectively.
Regulatory Expectations and Crisis Management
While crisis management is an important issue for all companies, the boards of banking organizations face increased pressure that raises the stakes when a crisis hits. The increased pressure primarily emanates from the overlay of regulatory expectations that apply to boards of banking organizations and the fact that reputation and customer trust are at the core of the banking industry. Put a different way, although the board of any company needs to thoughtfully work to fulfill the standard fiduciary duties of care and loyalty, the boards of banking organizations face additional expectations from regulators and their clients, customers, and counterparties.
For example, the Office of the Comptroller of the Currency (OCC) has adopted “heightened standards” for the boards of large institutions that the agency regulates. Under the OCC’s expectations, a board is expected to actively oversee risk-taking activities and hold management accountable for adhering to the firm’s risk governance framework. In addition, the Federal Reserve Board (FRB) in August 2017 proposed guidance setting out expectations for “effective” boards of large institutions that it regulates. The FRB’s proposed guidance outlines five key attributes that boards will be expected to possess.
Each of the attributes touches on issues that arise in responding to a crisis. For example, the FRB’s proposed guidance expects boards to provide clear, aligned, and consistent direction on strategy and risk tolerance, both issues that can contribute to a crisis and may be necessary to examine when the underlying causes of a crisis are evaluated. A board also is expected to make sure that it stays informed and holds senior management accountable. These, too, can be key points when responding to a crisis. Further, the proposed guidance provides that boards should support the independence and stature of independent risk management (including compliance) and internal audit and work to maintain a board composition and governance structure that supports the needs of the firm. Again, each of these issues can require careful examination when evaluating what caused a crisis and how to respond.
In summary, beyond the normal corporate law fiduciary duties that all companies face, banking regulators expect the boards of institutions they regulate to be highly focused on issues that are directly relevant when a crisis arises, in terms of evaluating the causes of the crisis, how to respond in the near term, and whether any changes to the organization should be made in the longer term.
Heightened Role of Trust and Reputation
In addition to regulatory expectations, nearly all crises can cause a company to lose the trust of its important customers, clients, and counterparties. This risk is even more pronounced for banking organizations, whose business model and marketing are built in large part on public trust and important customer and other relationships. At one level, a banking organization’s most important task when responding to a crisis is to avoid a cascading loss of trust and relationships, with not only its regulators but also its clients, customers, and counterparties. Erosion of trust and relationships can be precipitous and quickly turn an otherwise isolated incident into an existential crisis for the organization.
Consider a Special Committee
One decision that may be especially important when a potential crisis arises is whether a special committee of the board is necessary to investigate and determine the appropriate response. These types of committees are established on an if-and-as-needed basis through board resolutions that provide for their membership, resources, responsibilities, and authority.
At the outset, it is important to note that not all crises require the use of a special committee. They typically are needed only when there is suspected internal wrongdoing at a company’s management level. Even in these cases, some internal investigations may be handled by the company’s internal counsel. However, when there are indications of serious corporate wrongdoing, it is vital that the board thoughtfully consider appointing a special independent committee to handle the investigation. This is especially true when any corporate executives or directors are alleged to have participated in any misconduct, the suspected misconduct relates to financial statements or false or misleading statements in public disclosures, the misconduct otherwise could have material effects on the company, the misconduct involves bribery of foreign officials, or there is a possibility for regulatory sanctions. If the board determines a special committee is necessary, several key attributes should be carefully considered.
First, the special committee must be credible. Credibility will be built in a number of ways, including by adhering to the attributes noted below. In the end, however, credibility is the most important attribute, as it will dictate whether the committee’s work is viewed as trustworthy by regulators, law enforcement, and other interested constituents.
Second, the special committee should have a mandate to be comprehensive; it should be given the authority and resources to fully pursue the investigation and thoroughly carry out its charge. It is important that there not be any limitations placed on the committee that could lead regulators, law enforcement, or others to question the committee’s thoroughness and, as noted, its credibility in pursuing unbiased answers.
Third, to be comprehensive, the special committee must be independent and bring objectivity to its task. To meet this standard, the committee’s members should not have conflicts of interest with respect to the bank or the matter being addressed. Otherwise, the committee’s process and conclusions could be questioned (i.e., seen as not credible), which would obviate the goal of forming the committee.
Fourth, the special committee’s process should be well documented and explained. Credibility requires that interested parties be able to understand what the committee considered and how it conducted its process. This type of transparency adds to credibility and supports the committee’s role in providing an objective, independent view of a sensitive matter.
Fifth, the special committee should work as quickly as possible. As discussed below, an institution that faces a crisis generally should respond as promptly as practical. The committee should have the resources and authority to move swiftly to conduct its work.
Practical Principles for Responding to a Crisis
Crises that threaten a company’s brand, reputation, and even its existence are not new phenomena, but they have certainly proliferated and unquestionably move much more quickly as communication technology has developed. Today’s crisis managers face incidents captured by smartphone cameras that go viral on YouTube and other forums, 24/7 media coverage, and the politicization of many issues that in the past could be managed without the added attention and publicity of congressional hearings, stump speech tirades, and presidential tweets. Hence, there is a heightened need today to be well prepared for a potential crisis and to move quickly, decisively, and thoughtfully when a significant crisis does occur. The following practical principles may be useful as basic guidelines to follow in the event a crisis occurs.
First and foremost, it is imperative to make sure the company has assembled the right crisis response team, including the outside advisers that it needs. In a crisis, this group typically will include in-house and outside counsel and representatives from the bank’s investor and public relations, business operations, government affairs, treasury, finance, and compliance divisions. Institutions should take into account the particular experience and expertise that is needed to successfully manage the kind of crisis it is facing. The choice of advisers must not be driven by familiarity, convenience, or (apparent) cost. Failure to put in place the right team with appropriate resources at the outset will have a ripple effect on the decisions and events that follow, and may dramatically increase the ultimate costs and burdens on the company.
Keep in mind all of the various constituents you need to address during a crisis (the public, regulators, auditors, the board, shareholders, employees, analysts, the press, Congress, state authorities, lenders, customers, counterparties, vendors, etc.). Formulate a plan for each, including with regard to the requisite communications. Consider that communications with respect to one constituent will have implications for others (e.g., damaging congressional testimony may undercut the company’s position in court and with enforcement agencies, and it could harm the company’s reputation with customers, clients, counterparties, and shareholders).
Have your regulators in mind and communicate with them. Let them know what has happened, and make it clear to them and the public that you are actively addressing the issue. Try to coordinate your response to regulatory investigations and align their resolutions if you can. Be careful not to make statements claiming that no wrongdoing occurred or that disparage the government’s investigation. This rule applies even if you think that the company or individuals currently in the crosshairs ultimately will be exonerated.
Be, and appear to be, promptly responsive to the crisis. In some cases, this will require the chief executive to be on-site where the crisis is centered or at least to speak personally about it. All board members of a company facing significant crises should be present and prepared at contentious annual shareholder meetings. Listen to your lawyers, but don’t let them impede what you need to do and say at the outset of a crisis. That said, it is also important not to overreact or make a statement about every over-the-top comment or online post. It is important that neither the CEO nor other company spokespeople speak publicly about the potential crisis until the institution has determined what its message will be. Do your best to control leaks and careless disclosures by well-meaning employees. Listen to the advice of your public relations consultants to avoid giving legs to a story that would die quickly on its own.
Commit to the public and regulators to get to the bottom of the issue to determine its root cause and to engage in the appropriate remediation to prevent a recurrence (see the earlier discussion about forming a special committee of the board). However, be careful to avoid overpromising by pledging to give full, factual updates by a certain date. The company will need flexibility with respect to the content and timing of disclosures. Also, avoid promising something you cannot deliver (e.g., “after the enhancements we have made, there will never be another data breach”).
If continuing customer harm is involved, make addressing that paramount. Make sure that you immediately stop or correct the problematic practice that continues to cause or risk harm. In these situations, it is a grave mistake to perform cost-benefit analyses. Such analyses will likely be Exhibit A in any future proceedings and congressional hearings.
Speak with one voice on the crisis, take responsibility, and apologize early, often, sincerely, and from the top. Remember, “the buck stops here,” irrespective of personal involvement or the lack thereof. It is essential not to minimize the issue or blame customers or other parties. Emphasize that you are proactively figuring out the scope of the problem and will take appropriate action in response. The principle that “the customer is always right” must govern. At the same time, don’t concede legal liability immediately. There is a crucial distinction between acknowledging responsibility and conceding liability.
Focus on what can be promptly remediated and quickly develop a plan for longer-term remediation (again, in this regard, a special committee may be helpful). The remediation plan should be discussed with relevant regulators, keeping in mind their supervisory expectations. Also, be sure to think beyond what is quantitatively material. A relatively small number of clients who experienced harm could nevertheless present a compelling story that other clients and the public may view as important. Keep in mind that the actual customer harm is not always an indicator of the impact or significance of the misconduct.
Take decisive actions with respect to those allegedly responsible and make it clear publicly and internally that you have done so. Think beyond those directly responsible to consider those who had oversight responsibilities. If senior executives or other key employees are implicated in wrongdoing, do not spare them when meting out deserved discipline. Banks may consider suspending bonuses or other incentives until it is clear who is directly and indirectly responsible.
Attend to running your business and to helping your employees focus on their jobs. One pillar of good crisis management is to ensure that you continue to address all of the demands and challenges of your enterprise that are necessary for its present and future well-being. Banking organizations’ greatest resources are often their people, and maintaining company morale during a crisis should always be a focus and priority. Those people and their morale are key for maintaining trust with clients, customers, and counterparties. Even a significant crisis must not be allowed to overshadow your day-to-day responsibility to run the company. You may need to insulate part of your management team in order to effectively manage both. Don’t let the lawyers who are (rightly) focused on government investigations and shareholder suits, for example, impede you from being in front of customers, getting your financials done promptly, talking to analysts, and doing all of the other things that are necessary for the long-term success of the business.
These are the cardinal principles of optimal response in most crisis situations. Although many of them may seem obvious, it is stunning how often they are not followed, sometimes as a result of knee-jerk reactions, the absence of a crisis management team equipped with a comprehensive plan with clear lines of execution, or naiveté about what is required to successfully navigate a crisis today and what regulators expect. There is also no substitute for preparation to meet and anticipate challenges and crises.
Market glitches, data service interruptions, and other unanticipated events inevitably will occur, and having an identified group ready to spring into action, as well as templates of appropriate public communications, will make the initial response quicker and more effective. Having open lines of communication with key regulators also is important; calling on key regulators for the first time when a crisis hits is not ideal. Planning and forethought also will help ensure that the expectations that regulators put on the boards of banking organizations are satisfied. Crisis management, before the crisis hits, should be basic training for all executives, boards, and key employees.