Being the trusted adviser to clients during crises, some of which may threaten the very existence of the company, is a true privilege. Helping a client prepare for the unexpected and then seeing this client execute on the crisis management plan feels really rewarding. The same is true for helping clients to identify the key lessons learned from a past crisis and implement that learning into the client’s risk management system, making the company more resilient in the future. We work collaboratively with boards, crisis management teams, PR and other advisors to support an organisation’s response to a crisis.
When talking about a ‘crisis’, everyone will have different ideas of what a crisis actually is. Generally speaking, a crisis can be any external or internal circumstance that poses an acute and significant risk to a company’s reputation, its assets or its operations, thereby triggering the need for immediate action.
Mitigating or avoiding risks
Some risks that have the potential to turn into an actual crisis can, if recognised in time, be mitigated or even avoided. Other crisis situations are hard, if not impossible, to predict and will hit the company out of the blue without any warning. However, even if some crises cannot be avoided, at least their consequences can be mitigated. Hence, preparedness is key for any company. Crisis preparedness will involve an organisational risk assessment to evaluate, assess and quantify the operational, financial and reputational risks the company might face and thus enable the company to scan the horizon for any signals of an impending crisis.
Crisis response plan
In addition, to address the potential for disruptive and unexpected events, any company should have a crisis response plan that it can roll out once the crisis hits. Having a plan ready and merely needing to execute it will allow the company to focus on the multitude of issues that usually require immediate attention in a crisis situation. Time that would otherwise be spent on setting up organisational structures can be better used for the important strategic decisions that may need to be taken at the outset of a crisis.
The triggers for a crisis
The triggers for a crisis can be manifold. As different as the business activities of each company are, so too are the possible risks that a company might be exposed to. This is why it is impossible to provide an exhaustive list of every potential crisis. However, while there are some unique risks for companies emanating from their own specific operations, general areas of risk include accidents and natural catastrophes such as fires, earthquakes or floods, power outages, cyberattacks, financial distress, political disruption, data breaches, compliance incidents and regulatory or criminal investigations.
A company should be clear about the potential sources of a crisis that might affect its business. It should also have a view on the potential impacts of such risks, which may again be manifold, ranging from financial implications and reputational damage to disruption of the company’s supply chain and the risk of litigation proceedings.
Crisis management plan
Once such a risk assessment has been finalised, the company should set up the crisis management or crisis response plan as a framework for its internal decision-making, should an actual crisis occur. This will include setting up effective team structures. Besides the actual crisis management team, which will be in charge of managing the company’s response to the crisis, the company will need clear escalation guidelines to allow for further management levels to be involved as needed. Although responsibilities should be clearly allocated, each key team member should also have an identified substitute to provide coverage in situations of unforeseen absence or the like.
Having a plan is one thing, being able to execute it is another. Companies should therefore run training to ensure that people are familiar with the crisis response plan and know the role they have to play. This training could also involve simulations of crisis scenarios to test people’s actual response. In criminal investigations, the public prosecutor’s offices regularly conduct dawn raids at a company’s premises if the allegations raised concern individuals associated with the business, such as employees or members of management. In order to be prepared for this, it has proved useful to set up dedicated training sessions on the “dos and don’ts” should such a dawn raid occur, so that the staff know what to expect if the prosecutor knocks at their door.
Any crisis management plan should be flexible enough to suit the needs of any particular crisis since it is impossible to predict the exact disruptive event. It almost goes without saying that any plans should also be revisited at regular intervals to make sure that they are still up-to-date and fit for purpose.
Neither does it come as a surprise that there is no one-size-fits-all crisis response plan that applies equally to all companies. Only if the plan is tailored to the individual needs and organisational structures of the respective company can it fulfil its purpose. Reporting obligations vis-à-vis regulators fall into this category. Each company should know its statutory reporting obligations since, depending on the problem at hand, the company may be legally required to disclose the issue and make a report to the authorities. Knowing the legal framework under which the company is operating, including any mandatory timings for making a report, will be key for the members of the crisis response team and should therefore be built into the crisis response plan.
In addition to the crisis response plan, companies may also consider creating a suite of off-the-shelf communications material focusing on specific scenarios. Having pre-agreed language in place will help ensure the company’s timely and sure-footed response to the media and staff alike. The latter should not be underestimated since only if it is clear from the beginning of a crisis situation who may communicate what to which employees will it be possible to prevent contradictory statements, ambiguities and rumours.
Individual risk profile
Each company’s risk profile is different, which is why each company needs to understand its individual risk profile to assess the key risks it is exposed to. Only if the company knows its actual and potential risks can these risks be mitigated through appropriate measures.
Conducting a risk analysis is, however, not simply a ‘nice-to-have’ for commercial organisations. In Turkey, the owner of a company may be held liable for failing to take appropriate supervisory measures that would, had they been taken, have prevented or materially impeded a breach of duties incumbent on the owner. Obviously, appropriate supervisory measures can only be taken if there is clarity on where the risks lie.
Content of the risk analysis
Typical areas of focus for any company concern the fields of anti-bribery and corruption; competition and anti-trust law; environment; health and safety; human rights and supply chain risks; employment risks; data protection and data privacy; and IT security. In the light of increased and accelerated digitisation as well as an increased use of personal devices, and the fact that more and more employees work remotely from home, cyber risks have gained importance, in particular following an increased number of attacks from hackers. Not surprisingly, cyber is therefore often said to be one the most important issues that a board has to deal with these days. Hence, IT security is likely to play a major role in each company’s risk assessment.
In addition, sanctions and export controls have gained significant importance in light of the restrictions being imposed in February 2022. Companies with existing Russian business, be it through their own subsidiaries in Russia or through the import or export of goods to and from Russia, have had to and still must pay close attention to the constantly changing sanctions environment, in particular since most violations of EU sanctions regulations are criminal offences in Turkey.
When a crisis erupts and becomes public, companies can be sure of one thing: constant media attention. Companies are then faced with a dilemma. In most crisis situations, companies will not initially have all the facts about what actually happened, who is affected and what the impacts are. Putting out a statement at a very early stage may risk having to make corrections to that statement afterwards. Companies will have to consider when the right time to actually put out a statement may be and whether they have enough facts at this early stage or whether it would be better to wait until more information can be obtained or initial allegations have been verified.
Demonstrating that the company is in control of the situation
Again, there is no one-size-fits-all approach to each and every crisis situation, which is why companies need to assess their communications strategy with respect to the individual case. Nonetheless, it is important that the company makes a statement due to the expectations that will come from the press, the general public and internal stakeholders. Remaining silent for too long carries the risk of rumours being spread or the suspicion being raised that the company is not in a position (or is perceived not to be in a position) to be able to handle the situation, or that the crisis is even worse than it seems. However, the company will have to consider its initial statement carefully because this first statement will set the tone for any further communications. A company that overcommits at the outset and promises actions or measures to be taken should be aware that it will be measured against its initial commitments. Failure to take the action announced at the outset may have a negative impact on the company’s overall public perception.
Therefore, companies are usually well advised to put out a ‘human’ statement showing concern about what happened and demonstrating that the company is in control of the situation. In particular, if not all the facts are known, it might be best to put out a short and simple statement only and not elaborate on issues that have not yet been established by the company.
Tension between the legal team and the public relations team
Often, there is tension between the legal team and the public relations team as to what the right strategy is. This is particularly important with respect to any litigation that the company might face following the crisis. Although any admissions on culpability may lead to a more positive perception of the company in public, admitting responsibility in a legally binding way could be detrimental to the company in any later litigation proceedings. This is even more true if those statements are made at a time when not all facts have been established and where the initial admission of guilt may later turn out to be incorrect.
Right person is to speak to the press
Furthermore, putting out a written press release is one thing, responding orally to requests from reporters is another. This is why companies also have to carefully consider who the right person is to speak to the press. It is usually preferable to have someone who is used to dealing with the media appointed to communicate with the press. Companies may therefore consider offering media training to key individuals at the company, ideally as part of their crisis response plan, so that people are already trained when the crisis hits.
Proactive or reactive
Clearly, the company needs to monitor the situation constantly. If an internal investigation that has been triggered by the initial crisis reveals further facts, the company may consider putting out additional statements. Often, it might be good to be proactive rather than reactive, but, again, the appropriate strategy needs to be assessed depending on the individual case.
While it is certainly important to get communications with the media right, companies should not forget about internal communications, which are equally important. Not only will the crisis management team have to regularly update the company’s board and shareholders, employees will also expect to hear from the leaders of the company about what is going on and whether or not there are any negative consequences of the crisis which will impact their employment. In this context, it is advisable to name a point of contact for employees to whom they can turn with requests in relation to the crisis, and to ask employees not to engage in any discussions and speculation with the media themselves.
Widespread civil liability and many claimants
Under Turkey civil procedure law, the standard mechanism for bringing claims is based on individual litigation proceedings. A class action procedure as known under US law does not exist in Turkey. However, over the past years, various collective redress procedures have been developed. These are mainly model case proceedings in specific areas of law or collective proceedings initiated by certain authorised organisations that aim to protect the interests of others.
Even if a settlement is concluded in a model case proceeding, it should be noted that this will only take effect for and against the registered consumers. Registered consumers will be bound by the settlement and will not be allowed to bring individual claims against the company concerning the same subject matter. However, injured parties who have not registered on the register of claims in the model case proceedings may still bring individual claims, provided that the statute of limitation has not expired.
Settling a case
Leaving aside these procedural specifics of Turkish law, any strategy for settling a case will depend on the prospects of success of the claim, as well as the financial situation of the company. It is possible to reach out-of-court settlements before the claimants initiate litigation proceedings, but companies will have to carefully weigh the pros and cons of agreeing to a settlement at this stage.
Whether or not a claim has good prospects of success is often not clear when the crisis begins. Typically, only in the course of the internal investigation, which will usually involve extensive fact-finding, will the company get further clarity about how strong its position is. Therefore, both workstreams (the internal investigation and the defence against claims from injured parties) must be closely aligned, since developments in either workstream will affect the other.
Regulatory or criminal investigations
The situation can also become more complicated if external investigations, such as regulatory or criminal investigations, are also taking place in which enforcement authorities are conducting their own fact-finding exercise. The company will then often also have to consider if and to what extent any information obtained in the context of the authorities’ investigation can be used for defending the litigation claims. If criminal investigations proceed to trial, it may be appropriate for the company to consider whether it is worthwhile actively applying for a stay of the civil litigation proceedings in light of the ongoing criminal investigations, if the outcome of these criminal trials will affect the merits of the civil case.
When assessing the merits of the case and collecting all evidence, it is also important to bear in mind that Turkish civil procedure law does not provide for pre-trial disclosure of documents. There is only a limited possibility to request the production of certain specific documents or narrowly defined categories of documents, but fishing expeditions (for unspecified documents) are not allowed under Turkish law. Compared to other legal systems, the substantive right of disclosure is generally limited and only stems from each party’s civil law duty to perform its obligations in good faith. This will impact any fact-finding exercise in Turkey and should be considered when forming a view on how strong the case is and whether and when it could make sense to engage in settlement discussions.
How can our lawyers help to establish what went wrong and minimise the impact of those issues on the underlying business?
A crisis situation always involves individuals being under severe stress with the potential for such pressure to affect their decision-making. It is of significant importance to get the focus right at the outset, and this is where lawyers can play a crucial role in helping the in-house team steer through the crisis.
Although it is perfectly understandable that a company wants to have clarity as soon as possible about how the crisis could have happened, how things could have gone wrong and who is responsible, there are two important aspects which need to be considered. First of all, before jumping into an analysis of the root cause, the immediate issue needs to be remedied. For example, if there is an issue with the company’s IT security leading to a cyberattack, then the vulnerability of the IT system must be addressed first to avoid further data loss, before the analysis of how this could have happened in the first place commences. In this phase, it is particularly important to comply with any reporting obligations vis-à-vis regulators that the company is subject to, given that failure to comply with such obligations might lead to additional issues with severe consequences. Additional scrutiny from regulators might also be expected if the company fails to make any required notifications to the market. To the extent there are, for example, ad hoc notification obligations, being prepared for this reporting should already be part of the crisis response plan, but will have to be assessed from a legal point of view individually in each case.
How any impact on the ongoing business can be mitigated
Second, while it is certainly important to investigate the reasons for the crisis, such an investigation must be planned sensibly. Again, here is where our lawyers will add value by helping the company decide about the purpose of the investigation and its objectives and setting out a plan to structure the subsequent investigative steps. It goes without saying that the lawyers need to work closely not only with the in-house legal team, but also with the business to fully understand the organisation’s operations and structures. This will enable lawyers to not only be in a position to assess the reason for the crisis, but also to advise on how any impact on the ongoing business can be mitigated.
Helping companies focus on the priorities – which is not only the company’s reputation but also its people and ongoing operations – is where our lawyers can add value. This also involves assessing the governance of the company, in particular making sure that there is good corporate governance during the crisis situation. This requires proper information management and independence, both with respect to the investigation and with respect to decision-making generally. No individual who might be involved in the incident or who might have an interest in its outcome and thus have a conflict of interest should play a part here.
Lessons learned from the crisis and consequent investigation
Last but not least, our lawyers can play a crucial part in helping companies assess the lessons learned from the crisis and consequent investigation. This will involve setting up a process of how to deal with the findings, including the assessment of any reporting requirements and the need for any public statements. It also includes an analysis as to what changes might be required to the organisation’s operations in light of the investigative outcome. In addition, the lessons learned will also involve a review of the company’s governance, not only with respect to the underlying issues but also with respect to how the crisis has been managed. There will be lessons to be learnt from each crisis for each company, and helping the company implement any recommendations is where lawyers can play a key role.