When the Sky is Falling, Don’t be Chicken Little

For bank executives and directors, crisis situations can take many forms. In the post-financial meltdown environment, there are an ever-growing number of crises that can arrive at your door.  Your bank does not have to be on the verge of failure to face a crisis. A bad examination, an inquiry from the SEC, a data security breach, a money laundering or lending discrimination allegation or a major compliance issue could make you feel like the sky is falling.  Advance preparation can go a long way in helping you effectively sort through and address these issues.  When your institution is faced with one — or increasingly a combination — of these issues, the key is not to lose your head. Instead, pause and then implement these five basic steps:

1. Assemble your Crisis Management Team

You should have a crisis management plan available in preparation for the day when the sky falls. Plans provide a blueprint for responding to crises and are favored by regulators because they mitigate the negative impact of crises. The plan should designate a crisis management team to handle the crisis. This team typically includes a member of executive management, the bank’s chief legal officer, a senior officer from the affected line of business, and outside counsel experienced in these kinds of major regulatory breakdowns. This core team may be supplemented by others, such as human resources, public relations, information technology, finance, compliance, and/or internal audit. 

The plan also should outline the timing for informing the board of directors and the board’s level of involvement in responding to the crisis. Plans should require the audit committee chairperson to be informed immediately, with a clear understanding about how the rest of the board will be notified. This is especially important, not only because directors are the ultimate stewards of the institution, but also because board members are keenly aware of the reputational and legal impact a crisis can have on the institution and perhaps even on the board members themselves.

2. Take Immediate Action

If the crisis involves an ongoing activity, consult with legal counsel and the relevant business executives to discuss permanently or temporarily shutting down the activity in an efficient, orderly manner to avoid further harm. Consistent with the crisis management plan, the board’s audit committee chairperson (and other board members as appropriate) should be apprised promptly of the actions taken or to be taken. 

3. Develop a Short-Term Plan

The institution’s short-term plan for addressing the crisis should include an evaluation of the need for an internal investigation by internal or outside counsel. The short-term plan also should consider whether the institution’s regulator(s) or law enforcement should be notified and the extent to which key constituencies, including employees, customers, shareholders, and the public need to be informed. It is essential to act in an expedited yet careful fashion to assess key evidence and the applicable legal framework in formulating a short-term plan.

4. Follow a Coordinated Approach

A crisis often creates multiple areas of exposure in the form of government enforcement actions, private litigation, reputational harm and customer relations issues. The institution’s approach to responding to the crisis must take into account all of these risks. For example, an institution will need to decide whether there are mandatory disclosures (e.g., under the securities laws or various customer notification laws for data security breaches) or other disclosures (e.g., to regulators) that must be made. These disclosures, in turn, may affect other areas of exposure.

5. Develop and Execute a Long-Term Plan

To weather a crisis effectively, an institution must stay focused on its key objectives, while remaining flexible to adjust.  An institution’s long-term plan, depending on the crisis, may include: remediation of the harm, implementation of enhanced internal controls, improved management reporting to ensure appropriate monitoring, and increased internal audit standards to test the institution’s compliance responses.

Conclusion

Too often, an institution returns to business as usual after a crisis. However, one of the best ways to avoid future crises is to incorporate lessons learned from the current crisis. Effective crisis management requires considered and concerted action. Incorporating these five steps will better position your institution to respond to crises when they occur. Advance preparation will serve as shelter, shielding your institution on that fateful day when the sky actually does fall.