Incidences of corporate fraud are not new and most companies get exposed to such crises at one time or another. From sexual harassment lawsuits, misconduct complaints, to misleading financial statements or money laundering, frauds have become a reality for corporations today and often result in organizational crisis while putting the employees and other key stakeholders under scrutiny. However, whether known or unknown, all types of crises end up sapping the precious time and energy of management as they inherently possess the risk of destroying brand and shareholder value. I am reminded of the famous saying by a former US Deputy Attorney General, “If you think compliance is expensive, try non-compliance”.
Today, organizations have to be well prepared to prevent such instances and if they can’t be prevented, then organization should be prepared to do damage control when the crisis erupts. Active risk management is the need of the hour.
Prevention of crisis
Whether mandated by law or not, organizations have no choice but to anticipate risks, and not only look at the risks emanating from health and performance of the company but also keep a close watch on risks associated with strategy, operations, politics, reputation, corporate culture, data protection, security, changes in regulations etc. Most of the corporate governance codes mandate companies to have risk management framework to identify and lay down mitigation methods. SEBI, in the case of certain listed companies, mandates the formation of a risk management committee for monitoring and reviewing risk management plans. Such risk management systems and internal controls are further required to be evaluated by an audit committee.
But are these risk management frameworks able to identify real risks such as the recent fraud encountered by public sector bank in India? The public sector bank that was in news recently for fraudulent transactions also had a documented risk management policy, which recognized the management of risk as an integral component of the effective and efficient management of the organization. Despite this, the internal controls failed to detect ongoing fraudulent practices.
Undetected risks of such huge scale raise many questions. Had the board being more engaged with risk management processes, looked at risks more closely and more often, such a crisis could have been avoided.
Turning questions into answers
Having an effective risk management framework should be seen as a competitive advantage and not merely a compliance requirement.
Apart from identifying risks and understanding the implications, the board and management should be prepared with contingency plans ahead of time to deal with a range of crises. These plans should specify important ground rules or codes of conduct in crisis. For example, who would be involved in the core group to respond to the crisis? A core group may consist of the CEO, CFO, general counsel or communication officer, and depending on the nature of crisis, functional experts or external advisors may be called on. For instance, in case of a whistle-blower complaint on sexual harassment, the HR head, and an external investigation team should be involved. For such situations, it is crucial to have a list of advisors or experts who can help in swift action. Another significant question would be to ask, who will be the point person for the board? Or how will information be processed and effectively communicated to various stakeholders? As the crisis unfolds, the ability to receive and communicate information to the right people on real-time basis becomes crucial. The designated team assigned to confront crisis should have the skills to obtain and examine information from a variety of sources. They should be able to discern critical information and generate multiple options. Here, the board must bring their experience and support the management to fill in the blind spots.
Decision-making and managing stakeholders
A crisis is a time of intense difficulty or danger – a time when difficult or important decisions need to be made. Crisis management is an essential factor in leadership that requires swift decision-making and the ability to navigate the organization through chaos. To take decisions at this stage, organizations need to identify the most affected stakeholders and the most influential ones. Accordingly, an organization will have to categorize different stakeholders and devise a strategy to engage with each one of them.
Depending on the type of crisis, the following stakeholders should be considered and paid attention to:
- Employees: In all crises, employees should be the foremost priority for the leadership and it cannot be ignored. For instance, if the CEO of the company has been imprisoned on allegations related to corruption or gender inequality, keeping the employees updated will help in restoring the morale in the organization. Employees, being representatives or touch points along with other stakeholders, if kept well informed, can play a major role in handling crisis.
- Customers: An airplane crash may be commonly anticipated risk in case of an airline company. Unfortunately, irrespective of whether they were anticipated or not, if not handled properly, such a crisis can be damaging to the organization. Having a strong and clear communication with the customers and commitment to take corrective action helps in mitigating such risks.
- Shareholders: Shareholders are the real owners of the company. Communication is key while resolving any shareholder concern. A recent instance of a boardroom coup of largest Indian conglomerate resulted in eroding a decade’s worth of shareholder value. In such situations, keeping things transparent and real with the shareholders can restore shareholder confidence.
- Board: As often said, the board can make or break a company. From anticipating risks to addressing crisis, the board plays a crucial role in risk/crisis management. For instance, when activist shareholders call, the board needs to welcome them with an open mind to understand their concerns. In certain situations, where there may be a conflict of interest between certain stakeholders (founders’ interest vis-à-vis major shareholders), the Board must act independently and provide a balanced perspective while keeping in mind the interest of the company.
- Regulators: Depending on the crisis, engagement with regulators may vary. Especially in scenarios such as a fraud, corruption allegations or data breach where no one knows how long and deep problem is, maintaining good relations with the regulators is a must before such situations are fully blown into crisis.
- Society: Every business has a certain impact on the society and in turn assumes certain social responsibilities. In cases of product ban or emission scandal, the negative consequences on the society can be huge, but hard to measure. Especially for brands which have been household names for decades, managing expectations of the society including media and different interest groups can be challenging at the time of crisis. However, businesses can’t afford to ignore the society in which they operate and therefore must communicate clearly and address their concerns. Corporations with an overarching culture towards social responsibility go a long way in maintaining stakeholder confidence in the event of a crisis.
Just as fire drills in large buildings are a routine, every organization needs to have a contingency plan to respond to a crisis. Such a plan must be periodically rehearsed to test how well the processes are working. Once an organization has sailed through a crisis, the company should look back and strengthen its systems to establish zero tolerance for reoccurrence. By consistently doing this, organizations can tide over such incidents and sustain themselves.