Today organizations can quickly and unexpectedly find themselves blindsided and in damage control mode as a result of an ever-growing likelihood of some form of crisis: labor disputes, cyberattacks, executive misconduct, and product safety issues just to name a few. Yet all crises carry a common risk of a sustained impact on shareholder value, management distraction, and reputational damage.
“By understanding the structural commonalities in managing responses to these events, organizations can navigate regulatory crises and mitigate associated risks,” notes Don Fancher, a principal with Deloitte Financial Advisory Services LLP, and global leader for Deloitte Forensic. In addition, organizations can take steps to prepare for crisis events in advance, such as by avoiding common mistakes, sensing for emerging risks with advanced data analytics, designating a core team beforehand, and organizing their tools and methodologies to conduct more effective internal investigations.
Common Mistakes
“Despite the growing number of risks, many companies still tend to think that a regulatory crisis won’t strike or if one does, that they’re more prepared than they really are, or that being pretty good might be sufficient,” says Rob Biskup, a managing director with Deloitte Forensic at Deloitte Financial Advisory Services LLP. When facing a crisis, some organizations understand at a high level the importance of independence, speed, and accuracy in getting to the bottom of the facts. However, by not taking a broader view, these same organizations can find themselves making some common and fundamental mistakes, including:
-
Lack of a defined, structured approach for overall crisis management
-
Underestimating early warning signs of crisis and speed of onset
-
Failure to be proactive and accurate in marshalling the facts
-
Underestimating data management challenges
-
Failure to anticipate capacity challenges
-
Lack of a defined pool of go-to external advisors and resources
-
Absence of defined structures and protocols for effective internal investigation deployment and management
There appears to be a growing convergence of thought among regulators both in the U.S. and globally on how crisis events need to be triaged and managed, especially if organizations want to be credited for cooperating with regulators. The operational aspects of managing a global regulatory crisis should begin with the team that will lead the response. The core team is typically led by senior counsel within the organization and should include executives from various groups and functions, some of which may not be top of mind, such as HR and eDiscovery consultants (see chart below).
Organizations likely will struggle during a global regulatory crisis if they do not assemble a comprehensive, cross-functional team that routinely communicates and is consulted for buy-in on decisions.
“It cannot be stressed enough how important it is to assemble this core team and set a regular cadence for meetings before a crisis hits,” says Andy Ruckman, a principal with Deloitte Forensic and Discovery for Deloitte Transactions and Business Analytics LLP. “Once the crisis hits, there will be overwhelming pressure from regulators, shareholders, the board, etc., to respond. There is no time to be thoughtful about key stakeholders, response strategies, or tactics resulting in key viewpoints and thoughtful risk mitigation approaches not being considered.”
The Internal Investigation
From the standpoint of meeting regulatory expectations, capping financial exposures, reducing penalties, and improving the company’s business processes and controls,an effective internal investigationis central. The question is, where does the organization look for the early warning signs of an emerging crisis?
“It’s probably not enough to navigate solely on intuition; it’s becoming essential these days for organizations to actively monitor a host of internal and external data sources for faint signals of a potential emerging regulatory concern or crisis,” says Biskup.
Once the early warning system identifies one or more of those faint signals, the organization should consider a number of important threshold considerations. These considerations are multifaceted and complex, and no one size fits all. However, it is possible for companies to develop a presumptive taxonomy for the management and handling of issues and data based on the specific case type and the DNA of the organization’s own experience with unusual events. This strategy can be a significant accelerator — and ultimately a cost efficiency play, as well. Specific issues to consider at the outset include:
-
Who should lead the investigation
-
Role of external counsel and advisors
-
Development of a structured and collaborative process
-
Role of management and/or board of directors
-
Impact of an investigation on attorney-client privilege and work-product privileges
-
Scope and plan of the investigation
-
How the investigation should be conducted (document collection, internal interviews, and external interviews)
-
Defined strategies for addressing vast data management challenges
-
Who should receive the end-product, and in what form
All About the Data
One of the first orders of business in a crisis concerns the preservation and legal hold of data. It’s important for organizations to achieve that fine line between meeting compliance and regulatory obligations and being overly broad. Preserving excessive data can create tremendous downstream problems and significantly strain IT systems. Because data is critical in a crisis, the organization will require an e-discovery team, whether in-house or an outside provider. It is vital that the organization centrally track all of the information it is collecting as part of its response, all the way through the discovery process — from preservation to collection to processing to review.
“Typically, it’s recommended that organizations collect information, log it, and bring it into a centralized repository where all the data is cross-linked to allow for easy reporting,” says Satish Lalchand, a principal and U.S. Forensic Analytics leader for Deloitte Transaction and Business Analytics LLP. “If the data is centralized, the organization can more easily report on a timely basis to questions posed by a regulator or outside counsel, and when organizations don’t follow some level of discipline and regulators request information, challenges can arise,” he adds.
The Role of Analytics
New analytics tools and technologies are equipping organizations to better manage the data requirements when investigating a crisis across the spectrum of activities, from identifying issues and conducting risk sensing to issue resolution. Gone are the days where people cast a very wide net, catch a lot of interesting transactions, and then have to peel through them,” says Lalchand. These technologies allow organizations to look at both structured and unstructured data — financial, accounting, email, chat, and social media — in a combined manner to connect the dots. As a result, executives can ask smarter questions: For instance, if there are known issues, are there similar instances elsewhere in the organization that can be identified through the data?
Further, using analytics and technologies during a crisis can help deliver more actionable information to the organization faster, allowing it to act more quickly. Several tools and techniques have come on to the market — particularly for discovery and litigation — that can help identify faint signals across a variety of data sources, for example, text analytics and natural language processing and rare event modeling, where the organization seeks to identify whether anything unusual exists within the data.
“Of course, the output of analytics depends on good data, which derives from managing information in a precise and consistent manner,” notes Fancher. A good start is to establish a process to manage the data with detailed roadmaps of how — and where — information exists, so that executives can be better prepared to reduce crises in the first place and manage those that do occur more quickly and effectively.”
While organizations cannot control their fate in terms of when and how a regulatory crisis may happen, “they can control their ability to better manage those situations when they occur, by applying a measure of prudent forward planning to their crisis risk management efforts,” says Rhoda Woo, a managing director with Strategic and Reputation Risk for Deloitte & Touche LLP.
Article originally published by The Wall Street Journal