Unfortunately, the world we live in can go from good to shockingly awful in a matters of hours. There is no starker reminder of this than the horrific events in Paris on November 13, followed by the terrorist assault on a hotel in Mali just days later. Besides terrorism, disasters arising from natural events (hurricane, pandemic, earthquake, tsunami) and man-made events (plane crash, fire, cyber-attack, workplace violence) lurk in the shadows as well. This is true for both individuals and businesses: tragedy does not discriminate.
One of the most important tasks you have as in-house counsel is to help ensure that your company is prepared for when disaster — man-made or natural — strikes. Protection of your fellow employees and corporate assets/shareholder value should always be top of mind. In some companies, planning for disaster falls within the Risk Management Department, in others it’s a mixture of different departments, including the Legal Department. Some companies simply have not gotten around to planning for disaster. Regardless of where your company sits on this continuum, Legal has a role to play in assisting the company plan for dealing with a crisis. If not already the case, you should ensure Legal has a seat at the table for such planning. This edition of Ten Things discusses things you can do as in-house counsel to help the business plan for when bad things happen:
- Business Continuity Plan. Every business should have a Business Continuity Plan (“BCP”). It is the gold standard in disaster planning. However, it is a big endeavor and not something that can be thrown together over the course of a week or two. A properly prepared BCP describes – in great detail – how a company will continue to carry on business in the event of a disaster. Ideally, the BCP will be structured with check lists and step-by-step instructions that allow management to quickly focus on the specific things they need to do to get the business back up and running. Given that the depth and breadth of a properly prepared BCP could easily be a separate “Ten Things” post (several in fact), I will not go into detail here about how to prepare a BCP. There are some resources noted near the end of this post that can help you get started preparing or updating one. Instead, I will touch on a few BCP basics and then discuss key parts of the plan (or related issues) so as to give you the ability to get some things into place now vs. waiting on creating an entire plan. Basically, a business continuity plan requires the company to think through risks and vulnerabilities to the critical parts of its business, and then set out in detail how it will manage any such risk should it come to pass. The key take-aways are: 1) have a plan, 2) disseminate it to management and employees, 3) train on and practice it, and 4) review it annually and update as needed.
- Identify the Crisis Team. Your planning will start with identifying which executives/employees will make up the Crisis Team, i.e., the people who will gather immediately once a crisis is declared and who will put the BCP into effect. They will also help create and update the plan. The team will largely be made up of senior executives from key lines of business and staff functions, with the goal to cover the entire business. Everyone’s role and responsibilities should be clearly set out (e.g., Crisis Team Chair, Communications, Security, IT, Legal, etc.). You must establish succession planning with clear instructions about who takes over for whom in the event that someone is not available to act. Contact phone numbers and email addresses should already be listed and made available to everyone on the team. Remember to get alternative phone numbers and alternative email addresses in case the primary numbers/email are not available. It is critical that everyone know how – and be able to – contact other team members. Additionally, identify contacts at key third party vendors (name, phone, email, description of service/products provided, etc.), as it is likely that some of your company’s vendors will need to be involved in dealing with your crisis. The list of third party vendors should include local utility companies.
- Travel. Your plan will need to cover executive and employee travel, i.e., what happens if there is a serious problem and how to avoid problems. First, it is best practice to ensure that not all of your senior management will be on the same flight. That way if there is an incident with the plane, other executives will be available to deal with the problem. Second, your company should know where its traveling employees are at all times. Your travel agent can help with this and likely has tools to automate the process. All traveling employees should have phone numbers and other ways to contact their travel planner in the event an emergency arises and travel plans need to change. Third, if your employees are traveling to foreign countries they should take steps to notify their government. In the U.S., you notify the State Department via the Smart Traveler Program which is a free service that allows U.S. citizens/nationals traveling abroad to enroll their trip with the nearest U.S. Embassy or Consulate. By doing so, travelers will receive important information from the Embassy about safety conditions in their destination country; help the Embassy contact them in an emergency of any nature; and help the traveler’s family and friends get in touch with them in an emergency. Fourth, your company should have plans regarding medical emergencies and provide employees with information about what do to if they become ill or are in need of medical attention while on the road. Lastly, you should have detailed plans around what to do if there is a kidnapping involving one of the company’s employees.
- Temporary Headquarters. In a crisis you should, if possible, have a dedicated room for managing the situation. This room can be on-site or off-site. The key is to plan for the room before it is needed. You will want phones, Wi-Fi, printers, and other key services available (all of which are especially important if the crisis room is off-site). Moreover, it may not be possible to continue to operate your business from its existing location (fire, bio-hazard, earthquake, bomb, etc.). Your plan should discuss where and how management and employees will work and communicate if this is the case. Many employees may be able to work from home or will simply be idle for some portion of the crisis. Others will need to be present at a temporary work location. Identifying a location (or a process to secure a location) in advance of a problem is an important step.
- Identify/Know First Responders. For each company location local executives should know who to call for which type of emergency. In the U.S., the most likely first responders will be police and fire (typically, call 911). But don’t forget about poison control, public health officials, FEMA, the FBI, Centers for Disease Control, Homeland Security (federal and state), and other public safety officials. Most countries will have similar agencies. Your security manager should reach out to each and touch base. First, just knowing who to call in an emergency is critical. Second, having a conversation with these officials now, before there is a problem, can provide access to other resources, information and guidance on how best to prepare for the worst. Once you identify the correct officials, their names, offices, and contact information should go into your business continuity plan (and be sure to refresh the first responder information regularly).
- Workplace Readiness/Security. In this day and age it is very important to make sure the work environment is as secure and safe as possible. There are no guarantees, but preventing a crisis will be easier if your building is properly readied and secure before there is a problem. The most common ways to do this are registration desks, security guards, entry check points, cameras, properly maintained secured access (e.g., card reader), well-lit facilities and parking areas, clean grounds, unobstructed exits, proper fire suppression system, fire extinguishers, etc. The list of what makes a building safe and secure is long. Additionally, there should be well-marked and properly stocked first aid kits throughout the facility. Defibrillators are becoming more and more common as well – in fact some U.S. states require them. Paramount on your list should be plans for and practice of building evacuations in case of fire, violence, weather, etc. (including having alternative locations for employees to gather in the event one selected location is not safe).
- Develop a Culture of Security. In addition to securing your building and premises, you need your employees to be on the ball as well. Developing a culture of security awareness can saves lives and property. For example, all employees should be on the lookout for people who do not belong on your premises. The easiest way to do this is to train employees to, politely, challenge (or report) people not wearing badges. Employees should also be on the lookout for anything out of place, including strange vehicles, packages/back-packs left unattended, or anything else that just does not “feel right.” There should be training as to what to do under such circumstances and posters or signage with reminders and phone numbers of who to call should be utilized. Think about the old World War II poster “Lose Lips Sink Ships.” A simple reminder to civilians about an important issue at the time. The Department of Homeland Security has a similar saying: “If You See Something, Say Something.” This can easily be incorporated into your own program. Additionally, providing first aid training, CPR training and defibrillator training can be an excellent way to help develop the right culture – and provide valuable skills in the event of a crisis. Support and participation by senior management cannot be over emphasized. While it can be annoying to stop what you’re doing to wander outside for a “fake” fire drill, it is very important that management get behind the importance of such drills and participate when the testing begins (i.e., no one should think they are too important or busy to participate in the drill). If the senior management does not take the drill seriously, then neither will the employees. As with many things, the tone at the top will help determine if security and crisis planning becomes second nature or is just another one of those “programs” that fails to catch hold because it only received lip-service from the executive team. Lastly, all employees should be aware of the general parameters of your crisis plan and where to go for information if they suspect a problem or there is a problem (e.g., website, designated persons, etc.). The overall goal here is to combat complacency among your employees when it comes to security and safety. You don’t want to over drill and rehearse but you also want to keep the training and messaging current so that people know what to do in an emergency and understand the need to be watchful and on guard.
- Insurance. Get some. Any planning for business continuity needs to contemplate insurance coverage for some part of the risk, especially catastrophic risk. Many companies have “business interruption” insurance to cover interruptions. Likewise, many companies also carry kidnapping insurance and other types of specialized insurance. See my prior post on Insurance Law Basics. A call to your insurance company may be among the first you make in the event of a crisis. Know who to call. Additionally, keep in mind that many insurers are generally happy to work with you on spotting issues, training, and planning around the risks they are insuring. Kind of like free consulting services. And everybody likes free. Your insurance broker can be very helpful here as well. You should be regularly reviewing the company’s insurance coverage and making sure it matches up against potential risks.
- Communications. One of the most important parts of your crisis planning is the communications process – both internal and external. Several key points here (and also see my earlier post on Crisis Preparation 101). First, you want to speak with one voice in the event of a crisis. Determine who that will be in advance and ensure that everyone knows who is authorized to speak for the company with respect to which issues. Typically this will be the head of corporate communications. You can prepare templates (email, press releases, etc.) in advance as well so that your communications have a uniform tone and look. With respect to internal communications you have two audiences. The first is the Crisis Team itself and ensuring that the communication flows back and forth without problems. Crisis Team members should identify an alternate, i.e., someone who will sit in for them if they are otherwise unable to perform with the team, and their contact information added to the plan. These people should be notified that they are the alternate and should be part of any training, meetings, etc. involving the Crisis Team so they are current and up-to-speed. The second internal audience will be the general employee base. They will be anxious for news about what is going on, what the company is doing in response, where they can go for more information or regular updates, and what they should be doing during this time of trouble. There is certainly a place for “all employee” communication blasts but also think about a cascade method of communication where different levels of the organization receive a message and are then responsible for getting the message down to their teams (along with any group-specific information they need or wish to add). For external messaging, be prepared to deal with questions from the press, shareholders, government officials, family members of your employees, etc. Having a website page dedicated to making the most recent/current information available 24/7 is a good idea and the shell can be prepared in advance of a crisis. Similarly a 24/7 recorded message on a toll-free line is also a good way to mass communicate. If you have a call center and/or central reception area, you will need to keep them in mind as you prepare materials so they have guidance and talking points for any inquiries that come their way. Finally, consider having all of your senior executives go through formal media training.
- Sources for More information: Here are some excellent sources (U.S. and International) I have found over time to help create a business continuity plan and otherwise understand and plan for business interruptions, terrorist incidents, and other types of crisis situations.
Regarding (10.7), I would like to give special mention to the “SAFETY Act.” This little known program of the U.S. Government provides protections to a wide range of technologies (including products, services, software, etc.) that are designed to identify, detect, deter, or respond to harm arising from an act of terrorism. If your products or services are “designated” by the government under this program then, in the event of a terrorist act, the following apply: 1) liability is limited to the amount of insurance recommended by Homeland Security; 2) no joint and several liability for non-economic damages, 3) no punitive damages or pre-judgment interest, and 4) any recovery is reduced by amounts from collateral sources. If your products are “certified” then there is complete immunity. This program should be very appealing to a lot of businesses (and may even provide competitive advantages). For example, and one most pertinent given the attacks in Paris, sports venues can obtain SAFETY designation or certification. A number of U.S. sports leagues and venues (and other businesses) are now designated or certified. For more about this program generally, I recommend you speak with Mr. David Olive of Catalyst Partners in Washington, D.C. (click here). Other governments may have similar programs (or other programs relevant to this discussion and it’s always worth finding out as those resources are usually very well prepared and free).
There is way too much information on preparing a BCP to do anything other than skim the surface and provide some high level guidance. But, with the list above, you and the Legal Department can become proactive and go to the business ready to raise and/or discuss the process to update or implement business continuation plans and get a seat at the table. Simply put: raise your hand and take the initiative. The skills needed to prepare such plans fit nicely into the skills most lawyers bring to the table already. If you are a young in-house lawyer, this can be a real opportunity to work with senior executives across the business and to work with and manage teams and complex issues. If a business continuity plan is well off in the future, pick and choose among the items above where you can go ahead and get started. Getting any of these plans into place or at least started will make your company and its employees safer and protect your shareholders’ investment in the company.
November 24, 2015
(If you find this blog useful, please click “follow” in the top right and pass it along to colleagues or friends and/or “Tweet” it. “Ten Things” is not legal advice or legal opinion. It is intended to provide practical tips and references to the busy in-house practitioner and other readers. You can find this blog and all past posts at www.TenThings.net. If you have questions or comments, please contact me at either email@example.com or firstname.lastname@example.org).
For my readers here in the U.S.A. – best wishes for the Thanksgiving holiday. For everyone, my first book “The Evolution of Professional Football” will be available for sale on December 8. You will be able to buy it at http://www.SterlingMillerBooks.com (website under construction), on Amazon, Google, and Barnes & Noble. More details to come.
PSS: The Department of Homeland Security just announced a webinar on The SAFETY Act. Details are:
SAFETY Act Webinar
Wednesday, December 2, 2015, 1:30 p.m. – 2:30 p.m., EDT
Protecting You and Informing Your Customers Webinar :
Our webinar will review what SAFETY Act protections are available to the Technology Seller, as well as what flow down liability protections are available. The discussion will provide an overview of the use of SAFETY Act Marks and tips on how to talk to your customers about your SAFETY Act protections.
Registration link: https://share.dhs.gov/safetyact120215event/event/registration.html
For registration issues contact the HSIN Help desk at 1-866-430-0162