Leading Through Crisis

In the early 2000s, The LEGO Group was on the verge of collapse.

It sounds hard to believe today, since the company is one of the largest and most successful toy sellers in the world. But in 2003, the Denmark-based company was on the brink of insolvency, with massive debt and a negative cash flow of DKK 1 billion.

LEGO needed new leadership. It promoted Jørgen Vig Knudstorp, a former consultant, to CEO. Along with Chief Financial Officer Jesper Ovesen — a former banker — Knudstorp gradually righted the ship by instilling organizational discipline and forming a strong financial foundation for the company.

The new executives were brutally honest with LEGO’s board and employees about the challenges the company faced. To survive, everyone needed to focus on turning things around, correcting the company’s problems so they could plan its future.

That required clear thinking and a dose of reality.

“Before LEGO could even begin to reignite a sense of what was possible for LEGO, they first had to persuade people that decades of unfettered growth offered no assurance that the company would ever get its groove back,” writes David Robertson in “Brick by Brick: How LEGO Rewrote the Rules of Innovation and Conquered the Global Toy Industry.”

Crises come in all shapes and sizes. They can be small and isolated in a single company, like LEGO’s need to refocus itself after years of mismanagement. Or they can be caused by broader, external factors that affect industries and economies.  

No matter the source, crises call for strong leadership. The coronavirus pandemic is just the latest example.

Carla Harris, vice chairman of wealth management and a senior client advisor at Morgan Stanley, shares what leaders today must do to weather the current crisis in a discussion that kicks off Microsoft’s Envision Virtual Forum for Financial Services.

First, great leaders are visible, says Harris. “There’s something powerful in being able to see the person that you’re following.”

They’re also transparent and empathetic. Employees and other stakeholders “want to see empathy, but they also want to see confidence and positivity,” she says. It’s an uncertain environment, and we’re all feeling a wide range of emotions due to the health and economic consequences of this crisis.

“One of the biggest learning moments for me as a leader was watching financial services leadership during the financial crisis. There were some leaders who didn’t really say anything to their people, and there were some leaders who were out front every day,” she says. Harris has spent over three decades on Wall Street, joining Morgan Stanley in 1987. “There was a regular cadence that people came to rely on, and that was frankly empowering.”

While the unfolding crisis is unique even among crises, with an especially broad range of potential outcomes, leaders have arguably never been better equipped from a technology standpoint to take action. Companies may be locked down for the most part, with employees largely working remotely, but leaders can still communicate directly with staff. For example, Boston-based State Street Corp. uses video conferencing technology to host virtual forums where employees can interact with senior executives to get answers to their questions.

Harris also recommends that leaders be flexible in today’s environment and open themselves up to input from diverse viewpoints. Strategic goals may shift in response to the Covid-19 environment, or leaders may need to consider new ways to achieve their objectives. “Don’t have rigid views of what you think things are going to look like on the other side” of this crisis, she says. “This is the time now to be an inclusive leader, and the hallmark of being an inclusive leader is to solicit other people’s voices.”

I’d suggest one addition to the actions Harris outlines, based on my conversations with business leaders like Horst Schulze, the co-founder and former president of the Ritz-Carlton Hotel Co.

Lead with purpose.

There is no one-size-fits-all personality for leaders, and leadership skills are developed over time. But all great leaders share one trait: They have a vision and inspire employees to achieve it.

“We need leadership,” says Schulze. “Leadership implies, ‘I have a destination in mind.’ It means, ‘I show my people the destination, and I show them how it’s beautiful for them, how it’s great for them, how it’s exciting for them, how they should join me in reaching that destination.’”

Great leaders are rare. But in times like these, they can be the difference between surviving a crisis or thriving despite it.

How Banks Can Improve Crisis Planning


We discovered last month that cyber risk was the thing most directors worried about when we informally polled members of our bank services program. This month, we decided to poll experts on what banks could do to improve crisis planning. Not surprisingly, cyber risk planning came up often as an area that could use some improvement. Several of the people polled think banks could benefit from role playing exercises that would walk employees and the board through possible scenarios. The Federal Deposit Insurance Corp. has a few videos that help banks imagine some scenarios. Although planning documents are widely recommended, one consultant says they are pretty useless in a real emergency. Below are their responses.

How Could Banks Improve Crisis Planning?

Crisis planning is getting more attention these days because we are constantly reminded of events that could not only impact our business, but have significant impact on our reputations. One data breach and we stand to lose faith in our ability to safeguard our clients’ money. While planning is expected, bankers could really get value from practice in two areas: 1) tabletop exercises and 2) media training. Tabletop exercises are role playing crisis scenarios whereby bank management gets on a conference call and develops responses, assigns roles, identifies tasks and develops timelines. Banks would benefit from doing this on a quarterly basis. Media training allows bank executives to learn how to look and respond appropriately to a tense situation only after they learn how to answer questions and the ground rules for working with the media. Turn on a video camera and see how well your team does. Crisis planning is better if treated as an ongoing discipline.

—Scott Mills is president of the William Mills Agency, a public relations and marketing firm specializing in financial services

Testing, testing and more testing! Banks typically have multiple plans that can be triggered in the event of a significant cyber-related “crisis,” including, for example, a business continuity plan, incident response plan and crisis communication plan. Multiple groups within a bank likely have responsibility for these plans. And, the plans may not be aligned from a response standpoint with respect to significant cyber events. In the event of such a crisis, it is critical for a bank to be able to respond in a uniform and effective way at the enterprise level. Bringing a bank’s various teams together to test or tabletop a significant cyber event can shed light on how the bank’s various plans (and teams) will work together. This will also provide a valuable opportunity for refinement and alignment of the bank’s related response plans.

—Nathan Taylor is an attorney and cybersecurity expert at Morrison Foerster LLP

Business continuity and disaster recovery considerations are an important component of a bank’s business model. In addition to preparing for natural disasters and other physical threats, continuity also means preserving access to customer data and the integrity and security of that data in the face of cyberattacks. For this reason, the FDIC encourages banks to practice responses to cyber risk as part of their regular disaster planning and business-continuity exercises. They can use the FDIC’s cyber challenge program, which is available on the FDIC website. Cyber challenge was designed to encourage community bank directors to discuss operational risk issues and the potential impact of information technology disruptions.

—Rae-Ann Miller is associate director of the FDIC’s Division of Risk Management Supervision

Banks can improve planning by developing a crisis plan ahead of a data breach or cybersecurity issue. These action plans should include:

  1. Determining data to be protected along with the protection level required.
  2. Classifying incidents or scenarios into categories.
  3. Understanding threats the bank may face, starting with known threats, then creating on-going monitoring for emerging threats.
  4. Determining the stakeholders and defining the incident response team.
  5. Setting up a command center and appointing a command center leader.
  6. Developing an incident plan, including a containment and investigation strategy.
  7. Executing a communication plan to customers, media and agencies.
  8. Testing and training end users in the application of the incident response plan.
  9. Conducting a “lessons learned” session and updating [Incident Response Plan] procedures.

—Jeff Sacks is a principal in Risk Consulting for Crowe Horwath LLP, specializing in technology risk

Though banks understand the risk of cyberattacks, many are unprepared to act quickly and effectively to mitigate damage when faced with a serious cyber breach. To improve crisis planning, banks should consider conducting simulated cybersecurity exercises involving key personnel. Moving quickly following a cyber breach is critical to limiting unauthorized access to sensitive data and the resulting harm. Such exercises demonstrate why an effective cybersecurity program is more than a “tech issue,” and requires coordinated institutional mobilization across business segments, with oversight from senior management. Most banks will eventually find themselves in a hacker’s crosshairs no matter how advanced their defenses, and a coordinated, rapid response will not only limit short-term data loss and legal exposure, but will also help preserve a bank’s reputation and customer relationships.

—Neil MacBride is a partner at Davis Polk & Wardwell

Planning activities generate lots of documents, which are fascinating to auditors but useless in an emergency. You don’t have to give planning reports to your response team. Your phone is a perfect emergency communications console. Social media, including Twitter, YouTube and even Facebook, are indispensable as communications tools. You can monitor events as they unfold or push messages out to staff and public. Cyber is the new disaster. Compare today’s threat assessment with one from 2010. Notice that blizzards and hurricanes have dropped out of the top ten, replaced by data breaches and identity theft.

—Steve Carroll is a director with Cornerstone Advisors, a consulting firm specializing in bank management, strategy and technology advisory services

Planning Helps Institutions Survive a Cyberattack


The list of notable organizations that have suffered a cyberattack is all too familiar. The likelihood of joining that list—whether by malware, ransomware or data breach—increases almost daily.

While the hazards are higher, so too is the cost of an attack. According to the Ponemon Institute, the price tag for each lost or stolen record containing sensitive or personal information rose to $201 in 2014, up from $188 in 2013.

And that’s just the beginning. When a cyberattack occurs, how an organization responds will determine whether there is long-term fallout and irreparable damage to the brand.

Ultimately, there is one audience who makes that determination: your customers.

Ponemon research found that customers are more likely to terminate their relationship with an organization that has experienced a security breach. Financial institutions top the list of industries most affected.

The key to maintaining customer loyalty during a time of increased anxiety is thoughtful preparation. Organizations that survive data breaches often have these three principles in mind during the preparation process.

Put Plans in Place
There are numerous steps to mitigate risk factors. Being prepared allows you to reap the benefits of a quick response, including relieving customer concerns. After a breach, customers want to know what happened and how your organization will assist to relieve any harm that may occur.

To be truly effective, an incident response plan must operate across all functions and involve key stakeholders. Hacking is not just an Information Technology issue; in the event of a breach, response efforts extend well beyond the IT department. A well-crafted plan will begin with the customer in mind and will be carried out by virtually every department in an organization.

A stagnant plan will be of little use. Hackers are constantly evolving their methods—and plans should be updated regularly and flexible enough to deal with new types of threats. Additionally, plans must undergo end-to-end testing using data breach simulation exercises. A critical component of a successful response involves simulation testing with internal stakeholders and external partners that have a role in a live breach response.

Realize that Success Depends on Openness
Making public statements without a clear understanding of the facts can create confusion and mistrust while opening up further risk. However, remaining silent is not the answer either.

In 2010, the town of Poughkeepsie, New York, lost $378,000 when its accounts were hacked. The Town Supervisor blasted the bank on two counts. The first was obvious: failing to detect the breach. Nine attempts were made, four were successful. But equally galling to town leadership: No one from the bank explained the hack in person.

More recently, retail giant Target saw customer satisfaction with service drop more than 3 percentage points in the six months after its data breach. Among its high-end customers—who are more likely to use the company’s credit cards—that drop was 9 percentage points. Target was dinged for its slow response and its failure to point out how it would prevent such an attack in the future.

Companies in the midst of a data breach must be honest, open, and accurate in sharing available information. Having to go back and correct information that was previously released often escalates the situation further.

Put Customers First
Customers rely on the organization affected to make things right. Although frustrations associated with the attack are high, individuals frequently do not take steps to protect themselves. A survey found that only 27 percent of consumers had taken steps to protect their information in the wake of the Target attack.

Customers will judge harshly if they feel the organization has failed to protect them. This judgment can have a lasting impact on customer loyalty and the bottom line. That’s an important realization—one which should drive all of an institution’s cybersecurity efforts.

Free credit monitoring often is offered immediately to customers when a firm’s data has been breached. Yet customers continue to show that they resent being forced to register with an outside organization to receive the credit monitoring service. Explore all solutions and select the one that makes accessing protection as simple as possible for your customers.

Companies that put their customers first will make the right decisions every time. A cyberbreach response must be built with the customer in mind first.

Where Did GM Go Wrong?


Did General Motors make a series of bad mistakes in its handling of ignition switch problems on certain vehicles, as well as its handling of recalls? The Detroit automaker has now recalled more than 20 million vehicles worldwide this year, a continuous stream of recalls that has kept the bad news in the headlines. Also, investigations have focused on internal problems that caused the company to keep making vehicles without fixing known problems, according to news reports.

What can we learn from the way General Motors has handled the ignition switch issue?

As described in the investigative report, GM executives adopted a decision process forever identified as the “GM nod,” where everyone would nod in agreement with a proposal and then leave the room without having established responsibility and accountability for the decision made. The lesson for any company is to insist, from the top-down, on responsibility and accountability. By comparison, Alan Mulally famously reformed Ford’s culture to reward those who accurately reported risks and mistakes and took responsibility. The results have shown up in the quality of the products of each company and the perception of these companies in the market. These lessons can certainly inform management at banks, particularly with regard to the bank’s risk culture. The first line of defense in any bank to managing risks is in the line of business itself, which should be held accountable by senior management and the board of directors for appropriately identifying and mitigating risks. This should not be left to the auditors, examiners, and risk managers to instill risk management discipline.

—Cliff Stanford, Alston & Bird LLP

A slow reaction to a problem can result in more than just a bad day in the office. The biggest headline was not the recall. The media focused on the fact that General Motors knew about the problem long before the recall and failed to react, resulting in lawsuits, congressional hearings and calls for boycotts, all of which have negatively impacted the automaker’s reputation and bottom line. Bankers should take notice of such missteps in responding to potential cyber-attacks launched at their institutions. It is not enough to simply have security measures in place. Directors also need to ensure that their institutions have proper response policies to react quickly to minimize potential damage to customers and to take corrective measures to address the cyber-attacks head on. Failing to respond in a timely manner can result in more than just a few angry customers and can expose the banks to regulatory and legal penalties.

—Christian Gonzalez, Dinsmore & Shohl LLP

It appears there was little enterprise risk management stressed and in place at General Motors. The General Motors situation has taught us the need to encourage/require employees at any level of a bank hierarchy immediately to report problems so that material issues can be handled and solved by executive management with reports, if necessary going to the full board. Bank employees must not hide material issues. When discovered, the issues may lead to very embarrassing situations for the bank and its parent.

—Bob Monroe, Stinson Leonard Street LLP

GM probably learned a few lessons from the experience of the banking industry and was more prepared to navigate the horror of becoming a public whipping boy. When something has gone terribly wrong inside a large organization, it’s terribly important to get on top of the facts as soon as possible. And that’s not easy. To avoid embarrassment and compounding the problem, you have to resist the temptation to speak before you have assembled the facts. Measure your statements carefully, and support them with facts identified by an investigation by an outside firm and reported to the board or committee of the board charged with overseeing the investigation. [CEO] Mary Barra deserves serious praise for her authentic brand of leadership in the midst of a corporate crisis.

—Mark Nuccio, Ropes & Gray LLP

The GM ignition switch debacle is nothing new and merely underscores a series of well-known precepts that directors should internalize as official bank policy. Playing ostrich never works. Problems must be faced, not ignored in the hope they will disappear. Cover-ups never work either. The underlying problem always comes to light, and the consequences in terms of reputation risk, regulatory risk, and legal risk end up being exacerbated, and any judgments and penalties enhanced. When an issue is identified by any employee, including even the lowest level employee, steps must be taken by management promptly to investigate the issue and, if it is significant, bring it to the board’s attention and implement a strategy to address it. The board should have a crisis management policy in place for handling really serious issues; this will entail assembling a team of specialists to handle the public relations, compliance, security, IT, and legal components of the problem, including where necessary, an internal investigation.

—Keith Fisher, Ballard Spahr LLP

Are You Prepared to Manage a Crisis?


More than most companies, banks rely on the trust and confidence of the public. The 81-year-old deposit insurance program has made Depression-era bank runs, where frightened depositors once lined the street waiting to withdraw their money, a relic of the past. But there’s a new risk that the deposit insurance system can’t protect against—the theft of sensitive customer information by cyber crooks—and banks of all sizes need to have a crisis management plan at the ready in case they get hacked.

Recently, I participated in Bank Director’s 2014 Bank Audit & Risk Committees Conference in Chicago, where there were several presentations on cyber security, and one message came through loud and clear: All banks are at risk, including even small and medium-sized ones. In fact, smaller institutions might be in even greater danger than much larger ones because the bad guys—and I’m talking about hackers in Eastern Europe and Russia—figure that they’re an easier mark.

Any community bank CEO or director who thinks their institution is too small to worry about cyber crime is living in an altered reality.

There were also a couple of presentations on crisis management, which goes together with cyber crime like ham and eggs. Not only is your bank at risk of getting hacked, but you need to have a crisis management plan that can be put into effect quickly in case it does. This is important! If your data systems are broken into and sensitive customer information gets into the wrong hands, your customers will feel differently about the bank unless something is done quickly and done well.

The issue here is public trust and confidence.

It’s important to know in advance what to do—and what not to do when a crisis explodes (and often that’s how crises announce themselves to the world, with a big boom) because you probably won’t have a lot of time to react.

In her presentation on crisis management, Rhonda Barnat, a managing director at the New York-based communications firm The Abernathy MacGregor Group, cautioned against the urge to over-disclose information such as how many customers were impacted by the breach, or how the breach occurred, because this factual information will end up becoming the story. Barnat also said banks should be careful how they use social media during a crisis—for example, they shouldn’t necessarily respond to a negative video on YouTube with a rebuttal video. Instead, the bank’s primary focus should be on taking care of the affected customers. In other words, the best way to rebuild trust and confidence is to fix the problem and make customers whole, not wage a public relations campaign. Do the right thing and word will get around soon enough.

Barnat says there are 10 common mistakes that companies make when managing a crisis, including getting out in front of the story, which often just leads to confusion because facts have a way of changing.

Maureen Morrissey Brown, who is the senior vice president and public relations director at Huntington Bancshares, also gave a presentation on crisis management. Brown said it’s important to have a plan in place so that if a data breach does occur the bank can hit the ground running. This plan should do the following:

  • Create a crisis management team that can quickly go to work if the bank is hacked and customer information is stolen. This team would normally include the CEO, legal counsel, the bank’s compliance officer, senior public relations officer and an outside public relations firm.
  • Take some time to identify possible scenarios – a data breach is one such scenario obviously, but others might be an acquisition gone bad, an earnings restatement if it’s a public company or old-fashioned fraud by an insider.
  • Create what Brown refers to as “holding statements,” which are statements that you will release to the public if any of those scenarios occur. These might have to be modified depending on the circumstances, but at least you’ll have something to work with.
  • Appoint a spokesman to deal with the media and give that person training on how to respond publicly in crisis situations.
  • Assign roles and responsibilities to team members so that everyone knows who does what.

Brown had this last bit of advice: Design the plan to be comprehensive but allow for unforeseen situations, update the plan frequently, always be on the lookout for developing challenges, and monitor the reactions of competitors, peers, customers and suppliers.

Brown ended her presentation with a recent comment that Warren Buffett made to CNBC about General Motors’ poor handling of the controversy involving faulty ignition switches, which have been blamed for 13 deaths.

“Get it right. Get it fast. Get it out. And get it over.”

The Corporate First Responder: 15 Questions to Consider When a Corporate Crisis Strikes


When a business enterprise is confronted with a situation that suggests that there has been a violation of law, the judgments made at the outset may well be critical to the ultimate outcome.  Indeed, poor choices concerning how the matter should be handled— perhaps made in a rush and almost certainly without full facts—may prove even more prejudicial and damaging to the enterprise than the underlying conduct.  As has often been said, corporations get into real trouble more often due to “flunking the investigation” than due to the conduct being investigated.

The objective of this article is to identify issues that should be considered when a potential violation of law surfaces, and to venture some thoughts on the considerations relevant to addressing them. The article presents 15 questions to consider at the outset of any crisis investigation. Not all of our questions will be relevant to every situation, and there will undoubtedly be others that will need to be answered in whatever situation you may face. That said, we chose these 15 questions because, based on our experience, they provide the decision-maker with sufficient insight to develop a picture of the challenge facing the enterprise—and, of equal importance, of what the decision-maker does not know.

We intentionally have not prioritized the questions because they are so interrelated.  It is not possible to answer many of them until some consideration has been given to all of them.  

We offer one caution in approaching a newly discovered problem.  Sometimes you may find that there is no real issue but merely a misunderstanding.  But once a real problem is identified, as one probes it, it seldom gets better.  As Admiral Nimitz exhorted the fleet in the context of storms of a different sort, “[n]othing is more dangerous than for a seaman to be grudging in taking precautions lest they turn out to have been unnecessary.”

Question 1:  Has the conduct stopped?

It is an obvious principle that illegal conduct must be stopped as soon as it is uncovered.  When faced with illegal or improper conduct, the enterprise must demonstrate its total intolerance of, and swift response to, such conduct to its employees, its shareholders, its regulators and the public.  If misconduct is allowed to continue once known by the enterprise’s governance and control structure (such as the legal department), the enterprise’s exposure is exponentially increased.  At a minimum, if later investigation reveals that an illegal scheme was uncovered and ignored or disregarded, or that the company proceeded at too leisurely a pace, the firm’s ability to argue for leniency will be compromised.  

Only the first question is reproduced here; the remaining 14 questions are in the full white paper.

When the Sky is Falling, Don’t be Chicken Little


For bank executives and directors, crisis situations can take many forms. In the post-financial-meltdown environment, there is an ever-growing number of crises that can arrive at your door. Your bank does not have to be on the verge of failure to face a crisis. A bad examination, an inquiry from the SEC, a data security breach, a money laundering or lending discrimination allegation or a major compliance issue could make you feel like the sky is falling. Advance preparation can go a long way in helping you effectively sort through and address these issues. When your institution is faced with one — or increasingly a combination — of these issues, the key is not to lose your head. Instead, pause and then implement these five basic steps:

1. Assemble your Crisis Management Team

You should have a crisis management plan available in preparation for the day when the sky falls. Plans provide a blueprint for responding to crises and are favored by regulators because they mitigate the negative impact of crises. The plan should designate a crisis management team to handle the crisis. This team typically includes a member of executive management, the bank’s chief legal officer, a senior officer from the affected line of business, and outside counsel experienced in these kinds of major regulatory breakdowns. This core team may be supplemented by others, such as human resources, public relations, information technology, finance, compliance, and/or internal audit. 

The plan also should outline the timing for informing the board of directors and the board’s level of involvement in responding to the crisis. Plans should require the audit committee chairperson to be informed immediately, with a clear understanding about how the rest of the board will be notified. This is especially important, not only because directors are the ultimate stewards of the institution, but also because board members are keenly aware of the reputational and legal impact a crisis can have on the institution and perhaps even on the board members themselves.

2. Take Immediate Action

If the crisis involves an ongoing activity, consult with legal counsel and the relevant business executives to discuss permanently or temporarily shutting down the activity in an efficient, orderly manner to avoid further harm. Consistent with the crisis management plan, the board’s audit committee chairperson (and other board members as appropriate) should be apprised promptly of the actions taken or to be taken. 

3. Develop a Short-Term Plan

The institution’s short-term plan for addressing the crisis should include an evaluation of the need for an internal investigation by internal or outside counsel. The short-term plan also should consider whether the institution’s regulator(s) or law enforcement should be notified and the extent to which key constituencies, including employees, customers, shareholders, and the public need to be informed. It is essential to act in an expedited yet careful fashion to assess key evidence and the applicable legal framework in formulating a short-term plan.

4. Follow a Coordinated Approach

A crisis often creates multiple areas of exposure in the form of government enforcement actions, private litigation, reputational harm and customer relations issues. The institution’s approach to responding to the crisis must take into account all of these risks. For example, an institution will need to decide whether there are mandatory disclosures (e.g., under the securities laws or various customer notification laws for data security breaches) or other disclosures (e.g., to regulators) that must be made. These disclosures, in turn, may affect other areas of exposure.

5. Develop and Execute a Long-Term Plan

To weather a crisis effectively, an institution must stay focused on its key objectives, while remaining flexible to adjust.  An institution’s long-term plan, depending on the crisis, may include: remediation of the harm, implementation of enhanced internal controls, improved management reporting to ensure appropriate monitoring, and increased internal audit standards to test the institution’s compliance responses.

Conclusion

Too often, an institution returns to business as usual after a crisis. However, one of the best ways to avoid future crises is to incorporate lessons learned from the current crisis. Effective crisis management requires considered and concerted action. Incorporating these five steps will better position your institution to respond to crises when they occur. Advance preparation will serve as shelter, shielding your institution on that fateful day when the sky actually does fall.