It’s about corporate responsibility and accountability of Boards of Directors.

I have a theory. If you’re a Board member of Lehman Bros. on a Friday afternoon, and are surprised the firm has ceased to exist by Monday morning, then you have missed something as a Board member. If you’re a Board member of BP, and are surprised to learn the company lacks plans to deal with a massive underwater oil leak, then there is something more you should have done or required as a Board member.

This isn’t about wrongdoing. It’s about whether Board members are poorly prepared and knowledgeable about how to do their jobs.

It leads me to believe there should be standards for continuing education for Board members, to assure they stay up to speed in areas of their principal responsibility: risk management and oversight, governance best practices, strategic planning, and succession planning.

Congress is well along in identifying causes of the recent economic melt-down, and questioning the whereabouts of Boards as their companies burned around them. Moves in Washington to promote greater transparency in Board decision-making should be applauded. These include new Securities Exchange Commission rules for accurate disclosure of the Board’s role in the risk management process, compensation policies and their impact on risk-taking, director and director-nominee qualifications, company leadership structure, and potential conflicts of interest of compensation consultants.

Yet, how can we legislate or regulate integrity in corporate boardrooms and in Board decision-making?

It has been said that “Corporations determine far more than any other institution the air we breathe, the quality of the water we drink, even where we live. Yet they are not accountable to anyone.” Monks and Minow, Power and Accountability 1991. At the same time, the authors of this treatise go on with unforgettable words: “[B]oards of directors are like subatomic particles – they behave differently when they are observed.”

In the past, Americans have tried to balance the power of big business with regulations enforced by government, including those requiring better transparency. Today, many recognize that government regulation, while often necessary as well as effective, is inherently inefficient when unaccompanied by a culture of self-policing. The keys to creating wealth and maintaining a free society lie primarily in the same direction. Both require that broad based systems of accountability be built into the governance structures of corporations themselves, not solely or primarily in government regulation.

It requires simply this: self-enlightenment.

I would argue the most effective means to achieve this end is to establish systems not unlike those established for other key professionals in our society, and that is a system of continuing education.
Let’s put it this way. A Board of directors oversees a company, giving direction, leadership and advice, and ensures the company makes sound decisions. It’s a daunting task. They must be aware of activities of their organization, ensure its mission is carried out, and steward its resources. They must assure sustainability and long-term success. They must avoid actual and perceived conflicts of interest, and excessive risk-taking. They must ensure the organization meets legal requirements. And, they must do this on a part-time, sometimes essentially volunteer basis, failing which they could face personal liability, and hefty fines and jail time.

While many Boards do this well, it is obvious many could do better. Boards should always be seeking ways to improve performance and corporate oversight, and in all too many cases this falls quite short of the ideal.

Public and investor confidence in corporate America is not high, and Board directors have a key role in helping to restore this confidence. Boards today are seen as part of the problem, and our challenge is to show that Boards are part of the solution. If Board members don’t lead, someone else will. Even Congress.

The key to developing a great organization is cultivating an excellent Board. Board members can become disengaged from Board participation not from lack of caring, but because they lack clarity about their role, accurate and effective information about corporate strategy and risk, and the tools and resources to carry out that role. Yet, it is the responsibility of our Boards to ensure their companies operate efficiently and with integrity.

Effective Board education is an integral part of ensuring that companies, and their management, receive the oversight they need and deserve. Boards of directors must be willing to invest time and money into being high performing Boards, ultimately ensuring high performing organizations that effectively carry out their missions in the public interest. They need to know how and what to do as members of a Board of directors.

At the roundtable, presenters described renewed enforcement focus at the SEC, which now houses new investigative units for market abuse, asset management and the Foreign Corrupt Practices Act, and now armed with new “offensive strategies” that include criminal enforcement, non-criminal “cooperation initiatives”, and risk-based investigative programs. Remedies are wide-ranging, including disgorgement of financial gains for companies and clawbacks with a 3-year lookback for executive officers – both current and former. Whistleblower provisions provide huge incentives to individuals – between 10% and 30% of monetary sanctions – for information leading to successful enforcement actions under securities laws, and that arguably encourage whistleblowers to bypass company internal compliance systems. At the same time, say-on-pay and on golden parachutes, and proxy access, are here to stay with even more detailed proxy disclosure requirements.

It seems the ongoing march toward greater Board governance accountability is accelerating. The pressure on Boards and directors is intensifying, and it shows this last year, during which:

• The SEC sued three former outside directors of DHB Industries on grounds they were “willfully blind” to the company’s fraudulent accounting practices.

• In SEC v. Raval an audit committee chair was sued for failing to sufficiently investigate red flags surrounding expenses of a former CEO.

• In SEC v. Krantz an outside director and audit committee members were accused of being willfully blind to red flags of company’s accounting fraud.

In short, the SEC is not shy about targeting directors for what it sees as dereliction of duty.

The pressure on directors – and particularly outside directors – is mounting. Where does this leave our boards, and the willingness or propensity of directors to take on the new challenges? Perhaps directors should be more knowledgeable, spend more time on the job, be paid more for it, and stay for so long as they are still contributing. Maybe not. The debate is ongoing.

At a recent meeting of the National Association of Corporate Directors I had the opportunity to have a discussion with Robert C. Pozen, a nationally acclaimed expert on the Wall Street financial collapse and corporate governance, about the role of directors in a changing governance environment. A summary of that discussion appears here. Mr. Pozen is Chairman Emeritus of MFS Investment Management, and a senior lecturer at the Harvard Business School and a Senior Research Fellow at the Brookings Institution. He is an outside director of Medtronic, Inc, and Nielsen, Inc., and is the author of various books on financial mangagement and governance.

The discussion went like this. The Sarbanes-Oxley Act of 2002 (“SOX”) focused on the need for more independent directors on boards, audit procedures and internal controls, all intended to make governance more effective. Ten years later, the Dodd-Frank Act is another lengthy piece of legislation that in effect is an indictment of the failures of SOX. SOX did not protect Lehman Bros, ALG or other institutions from failure, each of which did have SOX protections in place. The key to good corporate governance is in the culture of the Board, and the way it functions in its oversight responsibility. One key to effective performance is the use of board executive sessions, without management present. Only in executive session where board members may freely debate issues of concern about the institution can effective decision-making begin. It is best to have such session before the full board meeting, for the purpose of helping establish the agenda and course of the board meeting.

There are three additional major issues boards need to address:

1. Size of the board. Less than 10 outside directors, with no more than one CEO insider is preferred. It is easier to reach consensus with a smaller board, and easier to avoid inattention by any one board member.

2. Experience. The majority of board members should have deep experience in the industry represented by the institution. The number of generalists on the board should be limited, while recognizing the need for financial experts, who likely will be retired members of audit firms. Otherwise, the pool of experienced director should come from among retired executives of competitors of the institution, who know the business thoroughly. Former Federal cabinet officials, and by implication public office holders, are not good recruits for boards. Reputation in government circles is not enough to bring business acumen or expertise to a board. Sitting CEO’s are not to be favored either, because they are too busy in their own business and not steeped in the business of the institution being governed.

3. Time. The amount of time a director spends on an institution’s governance reflects directly on how much a director knows. Those who cannot spend the time on the business do not have the ability to know the business. They are too reliant on the information provided by management, and tend to receive only the information that management wants the board to know.

Arguments against addressing these major issues:

1. Do retirees make good board members? They may not be up to date on current business issues. This is not necessarily so; many if not most sitting board members today are retired, and have no problem staying up to date.

2. Would directors pay will have to be increased to capture more of their time and attention? Raising director compensation is all right provided payment is primarily equity based, aligning directors’ interest with those of shareowners.

3. Would a more professional board tend to micro-manage the business? This can be overcome by carefully focusing directors’ attentions on issues appropriate for board consideration, and on informing the board of any management issue found by the auditors to be debatable “close calls”, as well as alternatives to management decision-making that were considered or that could have been considered. Audit committee members should feel free, and driven, to “walk around” and talk to people in mid- and line-management.

Ultimately, executive compensation is one of the most important issues of governance. Work done in the wake of SOX on bonuses and clawbacks is good. But, the measurement periods should be re-examined. A performance measurement period for bonus awards should be 3 years, not 1 year. Restricted shares don’t work, since their value depends on factors unrelated to performance. Options can better reflect performance-based measures and assure continued strong alignment with shareowner interests. Directors should be awarded performance-based stock options, and they should be required to hold exercised options for extended periods of time.

Advisory say-on-pay votes by shareowners are fine, but not largely effective in the long run. Compensation formulae and performance-based criteria are too complex for most shareowners to digest in voting the proxy. However, say-on-pay has been helpful in prompting boards to roll back excessive pay and truly underserved pay. For the more detailed compensation packages, the board should have the final decision.

Boards should be prepared to accept information brought to them by management, but also be prepared to seek out from among company managers information that may reinforce or contradict what management has offered. Boards should weigh management presentations, but also focus on weak points such as risk, plan execution, alternatives and operations.

Term limits and mandatory retirement should not be favored. Such arbitrary deadlines to not take appropriate account of knowledge, ability or understanding of the business. There are other ways to address ineffective or inattentive directors, through performance reviews.

Interesting food for thought, considering that up to 90% or more of the capital assets of the United States are within the management authority of our corporate and nonprofit boards of directors. Wit this thought in mind, look for future comments concerning mandatory education for directors.

ALL information you use in conducting business, whether in written documents, in electronic data, or graphics and maps, must be protected from unauthorized disclosure. Such a policy goes beyond the legal niceties that dictate what may be protected in a courtroom. It applies, simply, to ANY information at all that works to your advantage in conducting business. Don’t hand it out freely.

Essentially, disclosure should only be authorized if there is a legitimate need to know the informaTIon in order to conduct your business, and as directed by your appropriate management.

Every individual given access to this business information is on the first line of defense in protecting against damaging disclosure of business confidences. In your business, every employee, agent and vendor should be instructed on the policy, and think of how they can carry it out. Below is a copy of a template Policy on protection of business information. Have your people look these over and get acquainted with the key concepts. Set up consequences, including loss of job, should this policy not be followed. If you have any questions that are not addressed here, please feel free to contact me.

POLICY
Employees, agents and vendors have access to information that our business considers proprietary and/or confidential (“Confidential Business Information”). Improper disclosure of Business Information could cause irreparable damage to our business. You must presume that any information acquired in connection with work for our business is Confidential Business Information and must be kept confidential in accordance with this Policy, unless otherwise authorized by management. If you have any questions about certain information, consult your supervisor.

Electronic data, including emails and their attachments, photographs and video recordings, require special attention due to the ease and speed of transmission. You must only transmit email and other forms of electronic data to people who need such data for legitimate business purposes, and your transmittal must be clearly marked as “Confidential and Proprietary-For Authorized Use Only.”

You must not use or disclose Confidential Business Information except as necessary to perform work on behalf of our business or as otherwise authorized by management. You must use adequate safeguards to prevent the unauthorized use or disclosure of this information. These obligations continue after termination of your employment or contracting relationship for any reason.

Confidential Business Information includes, but is not limited to, business, financial, and marketing plans; plans for acquisitions and divestitures; pricing information and policies; customer and prospect lists; personnel information, including salary data (unless the employee consents to the disclosure of their personnel information); engineering and manufacturing know-how and processes, including the design of facilities; trade secrets; information about business relationships with third parties; and any other information not publicly known about our business. Confidential Business Information specifically includes electronic data such as email.

PURPOSE
To protect our business proprietary and confidential information.

SCOPE
This Policy applies in every geographic location in which we conducts business and applies to all Confidential Business Information, regardless of the media in which it is contained (written documents, computer files, etc.), except to the extent that this Policy conflicts with an obligation under applicable law.

RESPONSIBILITY
Each employee, agent and vendor, regardless of position must comply with this Policy. This includes employees engaged by joint ventures in which we maintain an interest. Each manager is responsible for assuring that employees, agents and vendors are informed of this Policy.

CONSEQUENCES
Compliance with this Policy is a condition of continued employment. Failure to comply with this Policy will result in employment disciplinary action, including possible termination of employment and appropriate legal action.

 In any crisis, as well as in planning for possible crises, legal counsel is an important adviser during the development and implementation of a crisis plan.  In some cases, claims and lawsuits will arise and legal counsel must be responsible for managing the outcome.  It makes sense that counsel should play a major role in all the phases of crisis management planning.

The Institute for Crisis Management (ICM) reports that the majority of business crises are of a “smoldering” nature.[1]   See, http://www.crisisexperts.com/essence_main.htm.  That is, the organization has some advance knowledge of the circumstances involved and the need to prepare.  Roughly a third of crises examined by the ICM are “sudden”[2] in the sense that they are unforeseen.  Whether smoldering or sudden in nature, crisis management planning can help an organization maintain control and minimize harm to people, organization reputation, assets, and customer loyalty.

Definitions

The ICM defines a crisis as:  “A significant business disruption that stimulates extensive news media coverage. The resulting public scrutiny will affect the organization’s normal operations and also could have a political, legal, financial and governmental impact on its business.”  On the other hand, the definition of “risk”, which may be said to be the precursor of crisis, can be defined as “the threat of an action, event, or circumstance that could adversely affect an organization’s ability to meet its strategic goals”.  Report of the NACD Blue Ribbon Commission, “Risk Governance: Balancing Risk and Reward”, National Association of Corporate Directors, 2009 (the “NACD Blue Ribbon Report”). 

 The planning that goes into identifying and preparing for risk and crisis can be variously described, starting with “Enterprise Risk Management”, or ERM, as “. . . a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, deigned to identify potential risks that may affect the entity, and manage risks to be with its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives”.  COSO (Committee of Sponsoring Organizations), “Enterprise Risk Management – Integrated Framework”, 2004.   

ERM and like titles for crisis planning all have similar underlying themes: organizations are recognizing value in assessing, prioritizing, and quantifying risks they face, with the ultimate goal of choosing the most effective and efficient mitigation or exploitation options available to them.  In other words, they all share in common the identification, prioritization and quantification of risk in order to help the organization effectively manage exposure, deal with uncertainty and associated risk and opportunity, thereby enhancing the capability to build value.

The objective, ultimately, is continuity of operations.  So, in turn, “Business Continuity Management” is defined as “a holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation and value creating activities.”  http://www.thebci.org/certificationstandards.htm.  Business Continuity Management is closely associated with disaster recovery planning, but covers a broader scope.  For purposes of this seminar we have chosen to use a definition that focuses on how to ensure continuity of operations when we lose access to key people, facilities, information systems, resources and services due to a natural or human derived calamity.

 Consider as well as a part of this definition “Reputational Risk”, understood as the risk of loss from any event arising in the conduct of business which damages any stakeholder’s perception of the organization or brand.”  NACD Blue Ribbon Report.

 Importance of Planning, and a Plan

There are sufficient reasons to engage in crisis planning and management.  Crisis management emphasizes preparation because preventing problems is much less expensive than damage control after the fact.  Effective crisis management addresses the perceptions that surround organization practices, hazards, and accidents by recognizing that perceptions are often the true driver of a crisis situation.  By participating in such a process before a crisis actually develops, management also saves valuable time and stress.  Management will have hashed out their differences before the crisis, and will be able to more calmly address a major event when it occurs. 

 As stated by the ICM, http://www.crisisexperts.com, in instances where the crisis already has erupted, or it is inevitable the crisis will impact the organization’s key stakeholders, a crisis management plan is needed to minimize the disruption and financial damage. Developing a crisis plan can seem like a daunting task, but in actuality it can be a common-sense document. It involves identifying those functions and processes that are critical to the organization, then designating the management, operational and communication plans to deal with potential issues.

The General Counsel Roundtable (http://www.executiveboard.com/legalandcompliance) identifies certain primary objectives when creating an effective crisis and compliance management program:

• Reducing tension during the incident;
• Demonstrating commitment and expertise to deal with the situation;
• Controlling the flow and accuracy of information;
• Managing human, technical, and financial resources effectively throughout the crisis;
• Business and operations recovery; and
• Ongoing monitoring and gap analysis

 Crisis Management Plan Elements

There is no single crisis plan that works for every organization.  However, there are certain major, or “core”, components of any crisis management planning.  The major elements of effective crisis management planning typically include:

1. Identification of a Crisis Management Team (CMT);
2. Assessment of the most likely crisis scenarios;
3. Development of a written crisis management plan, prioritizing identified risks based on severity and probability, and other factors;
4. Periodic crisis training and evaluation exercises;
5. Crisis communications; and
6. Continual monitoring, review and refinement of the plan.

Crisis Management Team (CMT)

Each CMT member should bring an area of expertise to the table to work together.  Bringing together and integrating multidisciplinary functions in the planning process is essential, including:

• Legal.  This individual typically is the chief legal officer for the organization, and should be experienced in managing claims resolution and litigation, and also able to collaborate with the communication teams to advise on message content.
• Spokesperson.  This individual is responsible for the coordination and delivery of commentary to the press, employees, customers, suppliers, government officials, and other stakeholders.  Presumably, this individual will have a sensitivity for sound public relations.
• Technical and operations expertise.  These individuals are extremely knowledgeable of the way the company operates, and of its information systems, and maintain strong relationships with key operations personnel, with the background and experience to provide details on processes, normal operating parameters and causes and results of upsets.  If called upon, these individuals must be able to communicate in easy to understand terms.
• Financial.  This individual is in a position to instantly authorize large expenditures to remediate a crisis, if necessary.  The individual’s understanding of potential reactions by the financial community may be important information for the CMT.
• Risk Management.  In an event consequences to persons and/or property, internal or external to the organization, a person with expertise in property, life and health insurance is needed.  This person is essential to manage the multiple insurance companies and claims that often follow an event.
• Human Resources.  Someone must be assigned the duty of working with employees, as well as with the local community in the coordination of humanitarian assistance.  For instance, some crises may involve placing evacuated families in hotels for extended periods, and both employees and their families affected by a crisis may have a variety of immediate needs. 

The lawyer’s role in crisis planning warrants special analysis.  Crisis management planning must include consideration of the legal risks an organization faces and how the organization is going about responding to those risks on a day-to-day basis, with particular focus on the organization’s legal compliance program, as well as the organization’s planned responses if material litigation or government enforcement activity arises or is threatened.

An active, effective legal compliance program is an essential element of preparing for legal crises.  It will prevent many legal violations, identify legal problems at an early stage when they are more manageable, and pay dividends in lower penalties, and sometimes complete relief from legal penalties, if the organization is charged with violations of law.  Indeed, the United States Sentencing Guidelines for Organizations are written to encourage and credit organizations for maintaining an effective compliance program.

Consider the various possible sources of legal risk that could lead to a crisis, including:

• Violations of law, such as
  • obstruction of justice due to attempts to cover up wrongdoing in the wake of a crisis;
  • Securities violations, such as cashing in stock based on little-known information about a crisis;
• Injury to people or property;
• Violations of the organization’s agreements and commitments, or other legal rights of third parties;
• Conflicts of interest, particularly among those with fiduciary responsibility in management and on the board of directors; and
• Preference payments or “fraudulent transfers” on the eve of a declared bankruptcy, should the crisis yield this result for an organization.

Legal counsel should be available to identify such risks, and establish a means to best address them, without unduly burdening appropriate crisis response plans.

Crises identification

Once a crisis management team is assembled, participants begin to identify the most likely crisis scenarios the organization may face.  For this exercise, there are at least four basic questions to consider:

• What could go wrong?  What are the events that could expose the organization?
• To what degree would this truly impact the organization’s ability to execute its strategy?
• What are the key consequences that could arise from these events?
• Who within the organization is responsible for managing the particular risk exposure?

One method of starting out is to place potential crises in one or more of four general categories:  natural disasters, technological incidents, criminal activities, and marketplace/political situations.  Another method if identifying crises is to characterize them by the severity or length of time over which they may have impact on the organization.  This would include:

• Sudden, unexpected events that produce harm;
• Long-term crisis periods triggered by a sudden or incrementally growing event;
• Periods of change following key organizational decision-making and implementation; and
• Ongoing challenges to business culture resulting from any of the above scenarios.

Good starting points for the CMT is to consider historical problems or crises that have affected the organization in the past, as well as current events that could affect organization operations going forward.  After drafting an exhaustive list of possibilities, the CMT then prioritizes the list and determines an appropriate cutoff point for incorporation into the crisis management plan.  Important cut-off considerations are probability of occurrence, severity of the impact on the organization, and resources available for scenario development in the plan. 

Attached as an Appendix B is a PowerPoint presentation to a hypothetical board of directors illustrating this identification process, including a chart indicating the results of weighting each identified crisis based on probability of occurrence and severity of impact to the organization.  The weighting allows for prioritization of the various crises for better planning, attention, and allocation of resources.

Once potential scenarios, severity and probability of occurrence are determined, the CMT next considers the impact of these crises on a variety of stakeholders – for instance, the media, the community, employees, investors, customers, the financial community, government agencies, and regulators.  Once these scenarios are outlined carefully and the list of stakeholders identified, an organization can begin developing a written crisis management plan document.

Crisis Management Plan Document

The plan for addressing crises will inevitably vary among organizations, based on unique concerns about regulations, marketplace, staff, community, and other variables.  However, regardless of how the final planning product is arrived at, most plans will contain the following components:

• Specific and up-to-date listing of names, titles, contact numbers, and addresses of each CMT member, and any advisors.  This includes email and twitter addresses, and other social media contact information for key personnel, as well as a listing of the recovery responsibilities for each.
• Description of the process for identifying all critical issues, the potential problems that may arise  from these issues, and guidelines for activation of the CMT.
• A list of local and national agencies, organizations and elected officials that need to be contacted during and following a crisis.
• Identify minimal personnel, supplies, data, equipment, and other resources that will be essential to support key functions and recovery efforts.
• A list of key customers and vendors, including emergency supply vendors, who should be notified of any business continuity issues and immediate supply needs.  More specifically, identify services, business processes, applications, and normal support tools that must be sustained during any type of interruption.
• Possible scenarios for an unfolding crisis, and the roles and responsibilities of employees for each scenario.
• Information on how the crisis plan identifies and complements other existing emergency systems or procedures of the organization.
• Identification of each individual primarily responsible for handling each element of the crisis, as well as for ongoing operational management of the organization, and, in each case, the backup.
• Identification of the workplace location, supplies, and communications resources needed by the CMT.
• Procedures for ongoing documentation of the crisis events – chronicling – which will provide invaluable information that may be used later to reconstruct the incident and other details of the response.
• A process for handling claims and inquiries should litigation or other liability ensue.

The plan should detail the response expected of each CMT member in the course of a crisis, as well as during the following three critical phases associated with an incident:

• First actions – This involves stabilizing the situation immediately following a crisis incident.  It is useful to understand in advance the role, responsibilities and powers of the emergency services.
• Incident management – bringing the situation under control, following initial reaction and activation:
  • Communicating with staff, customers and other stakeholders and the media; and
  • Making strategic response decisions.
• Business resumption – the procedures needed to resume an organization’s processes:
  • Identify tasks to be undertaken by individuals on the CMT;
  • Identify key contacts, suppliers and resources;
  • Procedures for the recovery of information and documentation;
  • Telecommunications requirements for resumption of operations and communications; and
  • Staffing requirements for delivery of an acceptable level of service.

Crisis communications

A crisis inevitably will require dissemination of information, for the purpose of keeping stakeholders advised, to coordinate the response, and to meet regulatory obligations.  This begins the crisis communications phase.  This is at a point at which the control and/or flow of information is no longer primarily within the organization’s control, whether with employees, customers, vendors, government officials, or the public at large.

Good communications are at the heart of any crisis management team.  All communications in a crisis should reduce tension, demonstrate a corporate commitment to correct the problem, and take control of the information flow.  Messages should demonstrate real empathy and emphasize problem solving.  Good communications also involves listening to public concerns and following up on requests for information, and being scrupulously accurate.  Communication in a crisis requires good management, and provides an essential public service while helping to protect an organization’s reputation.

A written crisis communications plan should be prepared, containing the following elements:

• Local employee roles and responsibilities;
• Evacuation plans and assembly points;
• Procedures for resuming business;
• Guidelines for designated spokespersons;
• How to communicate with employees regarding work stoppages, injury, and general notifications;
• How to work with the media and community leaders;
• Organization assistance in community recovery efforts; and
• Maintenance of an event history log.

When dealing with the media, organizations should demonstrate a willingness to communicate openly and honestly to its audience, and present a plan to resolve the particular crisis.  The following strategies are key:

• Apologize to constituents, where appropriate – acknowledge failure and publicly recognize stakeholder and customer concern over issues, as this serves to maintain a positive image and impart a sense of responsibility.
• Outline response plan – discuss specific, positive steps taken to conclusively address an issue, as this instills consumer confidence and reassures stakeholders of the organization’s proactive efforts to resolve the situation.  Publicly announce any investigation, request or cooperation with appropriate public authorities.
• Emphasize the positive track record of the organization – demonstrate the organization’s positive past performance, as this limits speculation of widespread problems and encourages the public to recognize an organization’s prior good reputation.
• Provide continuous disclosure – transparency is a key tactic in alleviating public concern during a crisis, and leverages the media to effectively communicate to constituents ongoing response efforts as well as information on crisis resolution.

Periodic Crisis Training and Evaluation

Once an approved crisis management plan document is created, an organization must assure that everyone understands their roles, and the framework of the plan, on an ongoing basis.  Through a training process, the plan will be refined and employees will be more knowledgeable.  Other benefits of crisis training include:

• Addressing potential legal issues before an incident occurs;
• Developing and testing proactive investigation procedures;
• Identifying a need to update systems and equipment;
• Assessing the media relations skills of designated spokespersons; and
• Gaining additional insight while responding to unexpected developments.

These training sessions can include:

• Crisis drills;
• Reviewing facility emergency response plans, and related trainings; and
• Spokesperson ( “and surrogate”) training.

Crisis drills are a way to exercise the plan, and apply it to realistic fact situations.  The organization should periodically reassure itself that the plan still works, and that people are aware of the role they play, and also test the readiness of external suppliers or vendors.   The plan may need to be amended to address such things as:

• Errors that are identified in drills;
• Recent changes to the business;
• New requirements from customers or vendors; and
• Changing legislation and regulation.

6.      Monitor:

Once a plan has been determined, it should not be considered a one-time analysis, but rather a continual process implemented within the organization.  As time passes, a number of elements of your quantitative analysis will likely change:

• Refine the risk process – complexity or additional strategies may be added to the plan to make it more robust, and the organization may also determine that certain strategies no longer add precision or reflect its current view of the risk process.
• As time passes, the organization will evolve and new risks may be identified as candidates for analysis, and certain risks may diminish as the threats no longer warrant inclusion in the plan.
• Probability distributions and indicators may change over time.
• New mitigation options and insurance products may become available.
• Anticipate changes in the business model, competitive landscape or regulatory environment.
• Anticipate changes in technology, computing power and certain modeling techniques, for assessing risk will surely present themselves in the future. 

Role of the Board of Directors

The primary task for a company’s leaders, according to Peter Drucker, is “to make sure of the institution’s capacity for survival – to make sure of its structural strength and soundness, of its capacity to survive a blow, to adapt to sudden change, and to avail itself of new opportunities.”

The role of the board of directors for a well-prepared organization in a crisis situation is often not much different from its role outside a crisis – to be informed of the situation and management’s planned response, and to meet periodically as needed to receive reports of how management is doing and to provide the necessary authority for material actions by management.  The role of a board at an organization with poor to non-existent crisis response planning under the same conditions will be radically different – the board may be required to provide daily, hour-by-hour direction to management, or in some cases supplant management’s role entirely and assume responsibility for managing the crisis.

It is the board’s responsibility, ultimately, to see that crisis response planning receives appropriate emphasis among the many issues competing for the attention of the board and management.  Yet, no amount of work by a board will replace the work that management must do to implement effective crisis response planning.  Except in very unusual cases, directors are too far removed from the front lines to have the necessary information to be able to foresee the very large number of practical issues that a given crisis scenario may present for an organization.  Boards should bear in mind:

• Directors ensure good management, they do not provide it.
• Directors direct, they do not manage.
• The role of director is governance, not management.

What a board typically can do is determine whether the organization has the following elements of crisis planning in place:

• High standards of integrity throughout the organization;
• A risk evaluation and management program;
• A risk identification program;
• A multidisciplinary crisis response team identified;
• Crisis response drills;
• A written, organization-specific crisis response plan; and
• A written communication plan.

As stated earlier in this paper, the precursor to crisis is risk.  Risks that are appropriately identified and understood immediately become less likely to provoke a crisis.  An important role of the board is defining an acceptable level of risk-taking for the organization, and then monitoring management to ensure the defined levels of risk are not exceeded.  “Resilience is an important issue for many companies today, and boards need to be satisfied that their company has appropriate business continuity plans.”  NACD Blue Ribbon Report.

Among the “Principles of Effective Risk Oversight” for the board reported in the NACD Blue Ribbon Report are the following pertaining to crisis and risk management:

• “Understand the company’s key drivers of success.”  Knowledge of the organization’s business and industry, and staying abreast of the issues and developments affecting the organization, are important. 
• “Consider whether the company’s risk management system – including people and processes – is appropriate and has sufficient resources.”  Specifically, assure that management has
  • Identified the organization’s primary risks;
  • Assessed the potential severity, probability, timing and costs of impact of these risks;
  • Applied a strategy to avoid, manage, shift, or mitigate the risk;
  • Have a system in place by which to monitor the risks; and
  • Have a system in place to communicate about the risks throughout the organization.
  • In particular, the Report advocates that boards ask management to explain the following issues:
    • How will risk be measured – qualitatively or quantitatively, or both ways?
    • What measures and methodologies will be used to assess the risk?
    • How will risk analysis and reporting information be used during strategic planning?
    • How will risk be integrated into financial and strategic management processes?
    • How will risk be monitored?
    • How will management communicate risk and risk management to stakeholders?
    • “Encourage a dynamic and constructive risk dialogue between management and the board including a willingness to challenge assumptions.”  Open dialogue is described as an environment where directors are engaged, ask probing and illuminating questions of management, and seek out the opinions of other board members and management alike.
    • “Consider emerging and interrelated risks: What’s around the next corner?”  The board needs to look forward to understand elements in the environment that may impact the conduct and effectiveness of the organization in the future.
    • An important risk that every board needs to consider is ‘management risk’; that is, the risk that management will be unable or unwilling to perform and execute the strategy agreed upon by the board.
    • “Periodically assess the board’s risk oversight processes: Do they enable the board to achieve its risk oversight objectives?”  Questions that a board should address in this area:
      • Do our discussions reveal the extent of risk the organization is taking?
      • Do we have an efficient method to identify top risks to the organization?
      • Do we have the tools and resources to fulfill our risk responsibilities?
      • Are we receiving the necessary board education and training regarding risk?
      • Do we have a system to manage risks effectively?
      • Do we have systems in place to quantify the upside – as well as the downside – of the risks the organization is taking?

Conclusion

Crises are unavoidable, regardless of the size, type or business success of an organization.  Liability will be determined in a court of law, but the court of public opinion is just as important to an organization’s future.  A crisis management plan can effectively minimize effects of an incident or events to an organization’s reputation, market share and financial well-being.  More importantly, a crisis management plan can provide valuable leadership in restoring a community or stakeholder group adversely impacted by an event.  While there is no legal requirement for a crisis management plan, legal counsel must play an integral role in the development and implementation of any management plan.

Implementing a robust disaster or crisis recovery and continuity of operations plan is not an easy or brief endeavor.  The following steps can help smooth the way:

• Engage.  All stakeholders need to understand why the organization is investing in a disaster recovery and continuity of operations solution, starting with formation of the crisis management team, or CMT.
• Calculate.  It is important to convey in conversations among the organization’s top executives what a disaster recovery system will cost.  Management needs to understand not just the initial capital outlay but what it will cost to maintain.
• Plan.  It’s not enough to virtualize or build a plan on paper.  Organizations need to assess their operations and performance and understand how everything works together so they can plan and prioritize redundancy levels and response times for various parts of the plan.
• Test.  Don’t wait for a disaster to see if a recovery and continuity plan holds up under the pressure.  Test your plan to discover any gaps in coverage or documentation, and to make sure everyone understands their roles and responsibilities in an emergency.
• Monitor.  Implement a change control process to monitor and identify any changes that might affect the ability to perform disaster recovery.  Review and update the overall plan annually or whenever a significant change occurs.

 APPENDIX A

Sample Questions for Crisis Management Experts:

• How can our organization determine its readiness for business continuity planning, and the associated discipline/diligence needed to maintain the plan?
• What are the most important considerations when prioritizing services and their corresponding continuity measures?
• How can an organization determine a business continuity plan that best fits its environment and organizational culture?
• Should any organization require its risk or crisis managers have a business continuity certification?  I understand the Business Continuity Institute, in the United Kingdom, and DRI International, in Falls Church, VA, are nonprofits that offer certification at different grade levels:  Senior and Master levels respectively.
• Medtronic, Inc. made a strategic decision some years ago to stop “playing” the insurance marketplace for the purpose of shifting the financial burden of risk, and to free resources to focus increasingly on proactive risk assessment.  Is this accurate, and how is it working?
• How a crisis can become a disaster:
  • Assume that evidence of a problem must be wrong
  • When evidence mounts, cover up the problem; let the lawyers manage the response strategy – admit nothing
  • When the problem becomes public, minimize it
  • Never display remorse
  • Take plenty of time to study the problem
  • Have the highest-level responsible individual go into hiding
  • Attack the media
  • Anger the regulators
  • Frequently reverse your position and contradict yourself
  • Give priority to saving money on the front end
  • How and when do you determine how to address each risk –
  • Attorney-client privilege – when, how, why invoked?
  • Regulation FD – “fair disclosure” – avoid selective, material disclosures concerning the crisis and the risk(s) it represents.  Are there special rules or guidelines in the heat of a crisis that apply here?

• Prevention
• Avoidance
• Mitigation
• Transfer (insurance)

Mitchell links corporate irresponsibility to an age-old dilemma: how to reconcile the interests of the individual with those of the group. Groups, after all, make relatively few demands of themselves – there are collective or corporate interests and goals that transcend those of an individual member. So, rules may be established to restrain the individual’s desire for unfettered, harm-producing liberty, or to induce positively desired behavior through incentives or rewards.

When we address corporate law and governance, we face similar analysis; that is, reconciliation of the interests of individual shareholders with those of the corporate enterprise as a whole. In modern corporate structures this is pronounced, where a large, diverse and largely anonymous groups of owners – the shareholder – is quite separated from the management of the company. In providing money to a company while being legally and practically foreclosed from meaningful say over its management, shareholders rightfully expect that directors act as fiduciaries – and subvert their own personal interests to those of the shareholder or enterprise. The established structural governance arrangement largely precludes the shareholders from participating in matters of moral or ethical choice in corporations.

But this itself presents a dilemma for directors. The challenge is the task of figuring out how to act in a way that advances the interests of shareholders consistent with fulfilling the overarching interests or purposes of the corporate group. Legally, directors have discretion in areas of moral or ethical choice because of the social policy of the business judgment rule, which allows decisions largely free of second guessing. Directors, I would say, should see this as reflecting a social policy of entrusting them to use their discretion to act responsibly, based on prevailing social values as well as market realities, the responsible course of conduct might be. This requires moral deliberation, and not simple adherence to the maxim of shareholder wealth – although authorities such as Milton Friedman have disagreed.

In this reality, a combination of enlightened self-interest and economic incentives serve as a basis for responsibility, and this involves three factors: reputation (cost/benefit of goods/service, how employees are treated, and community investment); competitiveness (managing supplier/customer relationships, workforce diversity, and protection of the environment); and risk management (control of the wide range of risks that could disrupt corporate performance, be they financial, regulatory, environmental;, or customer attitude, among others).

The challenge, ultimately, is how to align corporate governance such that shareholder interest becomes more closely identified with that of society as a whole.
Paraphrasing Albert Einstein, with a bit of modification for relevancy – we should try not to be people of success, but rather people of value – people who apply skills, knowledge and energy to the betterment of ourselves and to the betterment of the lives of others and our society as a whole.

There continues to be a groundswell of support for greater activism by shareholders in company decision-making.  It has started with publicly traded companies, but there is interest anew as well in private and smaller companies.  Shareholders want to know how their investments are being managed, and where their money is going.

Now, shareholder “say-on-pay” advisory votes are reality for publicly traded companies, with newly adopted rules of the Securities Exchange Commission.  See, www.sec.gov/rules/final/2011/33-9178.pdf.

The gist of the rule is that shareholders must have the opportunity periodically to advise the Board of Directors on executive compensation as well as on “golden parachute” compensation arrangements .  The rule is effective for issuers filing on or after April 25, 2011, and for “smaller reporting companies” filing after January 21, 2013.   Shareholder say-on-pay votes are advisory only, and the Board may ignore the advice – although the presumption is that a Board will do so only at its peril.  The SEC has also provided the following non-exclusive example of a resolution that might be put before shareholders:

“RESOLVED, that the compensation paid to the company’s named executive officers, as disclosed pursuant to Item 402 of Regulation S-K, including the Compensation Discussion and Analysis, compensation tables and narrative discussion is hereby APPROVED.”

In addition, the SEC has adopted a new Form 8-K Item requiring disclosure of a company’s decision on the frequency of say-on-pay votes.  It is expected that shareholders will be given the opportunity to vote on the frequency of say-on-pay shareholder review, and the new 8-K Item requires disclosure of whether or not the company followed the shareholders’ advice, and if not why.

A quick review of recent filings – there were a total of 207 as of January 31, 2011 – indicates that most companies reporting say-on-pay advisory votes saw overwhelming support in favor of management’s compensation resolution, with only between 1% to 9% of shareholders voting against.  See, http://say-on-pay.com/say-on-pay-frequency-tracking.  Most also saw shareholders approve management’s recommendation on say-on-pay voting frequency of two (6.3%) or three (59.4)% years, although shareholders also indicated very strong interest in an annual (28.5%) review.  In at least one case, Mueller Water Products, a water treatment and distribution company with annual sales of $1.3 billion, there was a vote as high as 21% voting against the say-on-pay resolution.

Shareholders of The Monsanto Company on January 25, 2011, voted for one year frequency of say-on-pay voting (62.2% annual, 35.9% biennial, 1.4% triennial and 0.5% abstain) and against management’s three-year recommendation.

Signs of the times.

 Okay, holiday season again.  Gift-giving and -getting season, in the minds of some.  Seems an appropriate time to mention guidelines on gifts and gratuities in the workplace.  I’m not being the Grinch here.  There are good reasons for guidelines.  It keeps everyone out of trouble.   

 Generally, employees should avoid giving or receiving gifts under circumstances indicating they are given:

• With the expectation of a return obligation (future business, discounts, etc.);
• Intended to create any unfair advantage favoring the giver in the marketplace;
• Has the appearance of influencing a relationship with the employer; or
• Is extravagant – that is, more significant than a normal business courtesy or what is “nominal”.

Here are some FAQ’s.

1)        Can I give holiday gifts to customers/prospects?

Yes.  Cards or gifts of “nominal” value (see #2 below) at any time of the year shows customer appreciation.

 2)        Do employers generally have a limit for the value of acceptable gifts?   

Perhaps not “generally”, and policies that are out there do vary.  An appropriate policy would be to consider “nominal” value to be less than $100 during any 12-month period.  Meals or events where the value to you exceeds $200 should give you pause to reflect.

 3)        Can I accept meals or entertainment provided by a vendor?

Yes.  Holiday parties, business dinners and the like help build relationships.  Don’t go extravagant!  See #2 above.

 4)        What should I do with “lavish” gifts from business associates?

Send it back with a nice note.  If the gift is perishable or can’t be returned easily, donate it to a charity and notify the giver you have done so.   

 5)        Can I pass along an otherwise inappropriate gift to a friend or family member?

No.

 6)        What about gifts to government officials?

NO!

 Hey, enjoy the holidays!

While there are no federal or state laws that prohibit employee dating, neither are there laws preventing employers from forbidding employee dating; especially between managers and their direct reports.  Nevertheless, issues of invasion of privacy mean the employer must tread carefully in this area, even while issues of potential sexual harassment require that the employer take some type of action.  I will set up some rationale below, as well as serve up a possible solution.

What’s the problem?

An employer has a legitimate business interest in maintaining morale and productivity in the workplace.  An employer also has a legitimate legal interest in avoiding sexual harassment claims.  Both the business and legal interests have the potential of affecting the employer’s reputation in the community and its profitability.  Employees, on the other hand, have an interest in fairness and equity, and their right to privacy in their personal lives.

 That said, the types of problems that can arise from workplace dating include:

•  One of the couple continues to pursue the other at work after a breakup, trying to “patch things up”.  The employer could face a claim for sexual harassment.
• A supervisor dates a subordinate, making it very difficult to prove the relationship was consensual or that workplace favoritism has not taken place because of the differential in power.
• Public displays of affection, even among consenting adults who are dating each other, can create an atmosphere that either intimidates others in the workplace, or encourages other employees to engage in conduct that could constitute sexual harassment.

 If the employer does take action, enforcement could be a dilemma.  Some employees probably will date, so get over it.  A very strict company policy in such a case may be very difficult to enforce – the employer may find itself in the position of being forced to fire one or more of its valued employees, losing time and talent while affecting workplace morale.

 What’s to be done about it?

There are four ways for employers to address potential exposure to a sexual harassment claim arising from workplace dating:

1. Ignore it and hope no one claims harassment.  And pray.  If a claim does arise, address it under the employer’s sexual harassment policy, although such policies are notoriously silent on issues of workplace dating.  I would not recommend this approach without reviewing your existing sexual harassment policy (if you have one!).
2. Adopt a policy prohibiting dating.  But, employees do date.  A policy like this may only cause them to hide it from the employer, which creates a liability exposure for the employer if the relationship goes awry.  This is especially true in the supervisor-subordinate dating relationship.  So, avoid this step.
3. Adopt a policy that requires disclosure of the relationship so the employer can document the voluntary nature of the relationship, change supervisor-subordinate reporting relationships, and take other measures.  Ouch!  You would become the dating police – heavy maintenance, and intrusive.  So  avoid this step.
4. Provide guidance for appropriate conduct in the workplace, that allows dating but sets out conditions for any dating couple.  I recommend this route.

 What should you do?

It is best to have in place an pre-existing, established policy on workplace romance.  It should contain principles such as those listed at the end of this blog.  But, two cautionary notes first:

• Once a policy is issued, enforcement must be consistent across the workplace.  Disparate treatment of employees is one sure path to court.  And, have any policy patterned on point 4 above also apply to employees who marry.
• Make sure corrective action is clear, reasonable and in place when a workplace romance blooms. 

Policy Principles:

• The employer is not concerned about lawful activities engaged in by employees outside the workplace.  What employees do in their private lives generally is their business alone.  However, certain activities, including a workplace romance, sometimes influence or affect workplace conditions, in which case it becomes an issue that needs to be address.
• If employees are or are planning to develop a romantic relationship, they must follow certain basic guidelines concerning the workplace:

First, inform management of the relationship.

 Second, make every effort not to socialize at work, and only pursue or display the relationship outside of the workplace.

 Third, under no circumstances may a supervisory employee date or become romantically involved with a subordinate, as it could lead to an appearance of favoritism.

 Fourth, if the employer reasonably determines the relationship is interfering with the work environment or productivity, otherwise influences decision-making, or is not in the best interests of the employer, the employer may take appropriate action to remedy the situation.

 Remedies to mitigate the workplace influence of the relationship may include, but are not necessarily limited to, coaching or counseling of the parties and use of additional workplace-related guidelines, reassignment of one or both parties involved, and termination or one or both parties.

As you may now have heard, the SEC at this meeting approved changes making it easier for shareholders to nominate directors of public companies, allowing groups that own at least 3% of a company’s stock, for a period of 3 years or longer, to put their nominees for board seats on the company’s annual proxy ballot sent to all shareholders.  The rationale is that this allows supporters of Board candidates a better shot at influencing company policy, and it will be in place in time for next spring’s corporate elections season.  This action addresses corporate governance provisions of the Dodd-Frank Act.

 The National Association of Corporate Directors (“NACD”), a nonprofit organization providing educational programs and research studies on issues of governance for corporate directors, had previously advised the SEC that a federal, one-size-fits-all approach for proxy access could politicize elections, potentially leading to a more factionalized board with special interests represented.  And, constituent directors representing their own interests could violate the fiduciary duty of loyalty to the corporation as a whole, by failing to represent all shareholders.

 In February, the SEC’s final rule amending proxy disclosure rules became effective, requiring enhanced disclosures on:

• Compensation and risk, company leadership structure, and the board’s role in the risk management process;
• Director qualifications, in particular experience, qualifications, attributes, or skills that qualify the director or nominee to serve as a director and as a member of any Board committee the individual serves on, in light of the company’s business;
• Any directorships held by a director or nominee at any time during the past five years at public companies and registered investment companies;
• Legal proceedings involving directors anytime within the last ten years.

 In light of these new requirements, and the recent SEC hearing, NACD has developed a template proxy that addresses these disclosures, relevant for director qualifications, attributes, and skills.  See:  http://www.nacdonline.org/research/files/NACD-Proxy-Access-Disclosure-Template.doc

 As the SEC ponders new regulations in this area, NACD believes laws already in place allowing shareholders and boards to adopt proxy access and proxy reimbursement bylaws should be given a chance to work.  Boards of directors are an integral part of the governance process and while there is work to be done to help directors do their jobs effectively and efficiently, that work is underway.  To that end, over the years NACD has provided director education, publications, and research to improve the work of the board in every dimension: risk oversight, strategy, board composition, executive compensation, board evaluation, director orientation, and ongoing education, among many other key areas.  This includes shareholder communications and relationship, as well as director competency.  Its widely cited landmark Report of the NACD Blue Ribbon Commission on Director Professionalism, emphasizes the need for independent, qualified directors.  Our Key Agreed Principles to Strengthen Corporate Governance in U.S. Publicly Traded Companies, which provide a blueprint for boards to help improve the quality of discussion and debate about governance issues, emphasizes this as well:

• Principle III. Director Competency & Commitment - Governance structures and practices should be designed to ensure the competency and commitment of directors.
• Principle VIII. Protection Against Board Entrenchment - Governance structures and practices should encourage the board to refresh itself.
• Principle IX. Shareholder Input in Director Selection - Governance structures and practices should be designed to encourage meaningful shareholder involvement in the selection of directors.

 We will keep you advised of progress on shareholder proxy access, and other issues of importance to directors and their advisors.

We’ve recently been asked to provide advice in several situations where business organizations are trying to get business away from a competitor, or where a business customer has been approached by a competitor. There’s a fine line between appropriate and inappropriate action here, and a refresher would be helpful.

Generally speaking, it is inappropriate for someone to intentionally damage, or interfere with, the contract or business relationship between others – such as an organization’s contracts with customers.

In the case of contracts, a wrongful – or “tortuous” – interference can occur where a person (the “tortfeasor” for all you Jeopardy! fans) convinces one contracting party to breach the contract – walk away from it in mid-term, for example. It can also happen when the “tortfeasor” prevents someone from legitimately creating or maintaining a contract with another party.

We usually see this in two areas. First, when a potential customer is ending a relationship with one or your competitors and asks you how to do it. Now, any business has the right to display its products and services to anyone. What you really can’t do, however, is to coach potential customers on how to terminate a competitor’s contract – like teaching them how to make up pretend service-related complaints, helping prepare quit letters, or critiquing a competitor’s contracts.

What you can do is suggest that the customer look at their contract to see what their options might be, or suggest they talk to a lawyer about their rights under the contract. You also can ask the potential customer what the contract end date is on the competitor’s contract, and suggest that you contact them again for a demonstration near that date.

The second area usually seen is when a business organization is on the receiving end of a competitor’s attempts to steal one of your customers. Things to look for are widespread or recurring occasions where it is apparent that a competitor is “picking off” your customers – for instance, by frequently calling on your customers, presenting them scripts or sample letters to use in terminating your contract with them, or critiquing your contracts. These contacts by competitors may be actionable, but remember you do need to be able to build a case. This means witnesses – your sales representatives in the field and any of your customers that have been contacted. You will need to pull together the facts that show both inappropriate “mining” of your customers, as well as the real or threatened harm to your business. Then there may be grounds to go after the competitor.