In this modern world of social media, increased regulations, whistleblowing, #metoo and a heightened focus on environment and sustainability concerns, managing corporate risk and brand reputation is a critical challenge for legal leaders.
This article explores key risk types that General Counsel are facing, how they can support and influence stakeholders, as well as strategies for proactively and reactively responding to issues when they arise.
Current state of risk
A brief review of recent publications on corporate matters for the legal function quickly reveals that new regulatory demands, evolving customer expectations, increased accountability and constraints on resources are among a growing list of factors that are having a major impact on business operations and amplifying the risk exposure of many organisations. In addition, because General Counsel (GCs) usually operate at the centre of their organisation and are thus tasked with advising, guiding, and communicating with different parts of the organisation, corporate risk and reputation management generally falls within their scope of responsibility. Combined with the factors mentioned above, this confronts GCs with the challenge and pressure of balancing already constrained resources against the need to effectively address both existing and emerging (sometimes unknown) legal needs.
Further, as a trusted legal advisor and leader within an organisation, the General Counsel is challenged to provide not just legal advice – “can we do” – but to consider the holistic view, including the moral and legal ramifications, through the lens of “should we do.” Recent media coverage has brought this to light: an article in the Australian Financial Review described an organisation that repeatedly tried to conceal misconduct from regulators and sought legal advice that focused on how to avoid getting caught rather than whether acts were illegal.
Major risks on GCs’ radars
Regulations
One major risk on GCs’ radars involves breaches of regulations in an environment where regulators are increasingly active and litigious. GCs are dealing with a rapidly evolving regulatory environment where governments are drafting legislation and courts are making rulings that have the potential to set new precedents in the area of social media and privacy. A recent example is the ongoing Fairfax Media & Others v. Voller case, in which the Australian High Court has ruled that media companies are indeed publishers of comments made on their social media pages and can thus be held liable for defamatory comments made there by third parties. Whilst the effects of this ruling are more instrumental in the ongoing proceedings of the case, GCs are already concerned about the potential implications and what they may mean for their organisation’s social media policies and external communication processes.
Employee misconduct
A second major risk involves variations of employee misconduct including social media use, sexual harassment, fraud, and workplace cyber safety issues. In the case of social media, the rise of consumer action fuelled by social media means organisations and brands have the potential for devastation while their leaders are sleeping. The issue of sexual harassment, which in part has been fuelled by social media awareness campaigns such as #metoo, has recently come to the forefront in Australian corporate and public workplaces, with many organisations making adjustments and taking steps to create safer environments for their female staff. The risks that arise from this issue are reputational as well as operational: organisations may lose talented staff by failing to prevent, or in some cases enabling, sexual harassment. Cyber safety issues arising from COVID-19 are another major risk on GCs’ radars. The growing number of staff working from home as a result of the 2020 and 2021 lockdowns in Australia means organisations have become more vulnerable to cyber-attacks and are also less able to monitor their employees to ensure they are doing the right thing. Consequently, GCs must collaborate with their IT teams to mitigate cyber risks while developing new methods and processes to constructively engage remote employees and ensure compliance with updated policies.
Freedom of Information requests
A third major risk on GCs’ radars, particularly for those in the Australian public sector, involves the increasing number of requests from the public to access internal information under, for example, the Federal Freedom of Information Act 1982 (FOI) or the NSW Government Information (Public Access) Act 2009 (GIPA). In effect, FOI and GIPA requests from the public mean the government and its agencies are under immense and growing scrutiny. This places GCs in a unique position, in which they must balance the risk by ensuring the government fulfils its obligations and duty to the public and does not infringe upon the rights of its constituents, whilst maintaining privilege of information where it is required for security or other reasons.
Strategies for managing reputational risk
Whilst it is naïve to think that an organisation can be immune to a crisis or a reputational situation, the ideal solution is being able to proactively identify issues and prevent them from becoming potential incidents or risks. As such, being able to acknowledge and accept that no organisation is immune from reputational risk is a critical first step in identifying issues and developing strategies to manage potential incidents and risks. Experts suggest a strategy for managing reputational risk should focus on planning for what you know could happen and having appropriate structures and strategies in place to respond in an agile way to incidents that you cannot foresee.
Strategic and proactive planning
Having preventative measures in place to avoid incidents is crucial; however, organisations still require strategies for when potential issues arise so that they can respond quickly and effectively. Proactive strategic planning involves establishing frameworks and processes for identifying future risks and dealing with those potential risks, using actual rather than theoretical examples to estimate the probability of occurrence and illustrate the potential damage that may occur. Some models that can be employed to help a team plan appropriately include:
- Horizon scanning – Looking ahead with consideration to the economic, regulatory, technological, and social environments to ‘predict’ what issues may arise and how these could become a risk for the organisation.
- Benchmarking – Getting anonymised benchmarking data from legal and professional services firms that show what risks other organisations are facing and the methods through which they are responding and managing the risk.
- Internal policies and processes – Developing organisation-wide frameworks that can identify, govern and guide risk and crisis management procedures.
- Monitor social media and resolve issues – Creating teams that can moderate your organisation’s social media pages in a timely and appropriate manner.
- Having a well-thought-through and structured panel of specialist external advisors for when issues arise – Ensuring the organisation has external support when it is needed.
How do you respond to incidents when they inevitably occur?
The way that an organisation responds to an incident is critical, and it is an opportunity to demonstrate leadership through how fairly, quickly, and appropriately it responds to the situation. Importantly, there will be significant scrutiny from stakeholders, both internally and externally, on how issues are managed. When responding to a crisis or incident, it is important that the advice provided by the legal team is consistent. This will reduce the risk of confusion and speed up the management of the crisis or incident. Additionally, consistency with previous decisions that were made for similar incidents and crises can build confidence within the organisation in how to deal with future risks. Lastly, having standard processes, agreements and language embedded into the organisation regarding risk ensures that everyone in the organisation can be on the same page and better understand the steps for dealing with an incident within established parameters.
Conclusion
A well-managed crisis or incident presents an opportunity for the organisation to do better, to learn and have deeper conversations with their stakeholders. In this way a negative situation can become a positive one with the right structures, strategies, and leadership in place.