Merriam-Webster defines “crisis” as “an unstable or crucial time or state of affairs in which a decisive change is impending” or “a situation that has reached a critical phase.” An organization cannot predict when its next crisis will occur, but it can be sure that responding badly will have devastating consequences.

Corporate legal teams bear important responsibility for ensuring an organization’s preparedness. In addition to preparing others, the legal team itself must be prepared to take a leading role during a crisis. Here, we outline the fundamentals of corporate crisis management for the in-house legal team.

We present fifty “fundamentals” to use as a checklist when thinking about how to prepare your organization. The fundamentals cumulatively address the myriad drivers of exposure that organizations face when in crisis. They are generally applicable to any significant crisis facing an organization. (Our respective wives and five collective children may disagree as to whether we effectively employ these fundamentals on all crises on the home front).

BEFORE THE CRISIS Prepare for a crisis. Without such preparation, your organization will be slower, less flexible, and less capable in the critical opening days. You will waste crucial time attempting to invent organizational process instead of focusing on substantive decision-making and strategy.

  1. Plan now. Know what the organization will do, the process for doing it, and the people who will be responsible.
  2. Response protocol. The organization’s response protocol should be known and understood by anyone likely to have responsibilities for responding to and managing a crisis. Escalation triggers to bring in additional levels of management or the executive team are critical. Keep the immediate steps simple and reliable, so that responders can organize even if the unexpected happens. Be wary of over-reliance on technology given the technology could be compromised if the crisis arises from a cyber attack.
  3. Adaptable strategy. There is no way to foresee the exact crisis. The response protocol must focus on adaptable strategies. A detailed response plan hundreds of pages long, for example, is unrealistic in practice.
  4. Crisis simulations. Pressure test the response protocols so that key decision-makers, including the legal team, have experience and familiarity with the decision points they will face during a crisis. Practice builds confidence and is the most effective means of exposing any gaps in process or leadership. Practice also builds ties between different groups within an organization, and facilitates common understanding and a uniform approach to the response.
  5. Control group selection. Form a control group to manage the organization’s response. The group should be large enough to exert control across the organization and to address the various drivers of exposure the organization will face, but small enough to work together easily and make decisions quickly. Presumably, the organization will have different designated control groups depending on the severity of the issue, geography, or type of crisis.
  6. Defined role for legal. The legal team should play a central role in crisis response, including providing legal advice to the control group, supervising any internal investigation, and working with the organization’s communications teams—internal and external—to help balance the short-term goals of strategic communications with the longer-term legal concerns.
  7. Trained backups. The unexpected tends to occur at the most inconvenient times. Ensure that each key decision-maker has at least one designated and trained backup.
  8. Consider others and understand notification obligations. The ripples of a crisis will touch firms and people remote from your organization. Anticipate who will be affected and plan accordingly, preparing a list of mandatory notifications and identifying parties it may be prudent to notify.
  9. Retain key third parties for guiding the post-incident strategy. Know the key third parties your organization will retain, including crisis coordination outside counsel and a strategic communications guru. You do not need to waste time interviewing potential lawyers and public relations gurus in the immediate aftermath of an incident.
  10. Retain key technical experts. For any facet of any operation in which your organization is involved, identify the most respected technical experts in the field and be prepared to retain them quickly should an incident occur. Always important, this is a priority for firms that can expect counterparty litigation in the event of a crisis, given the likelihood that adversaries will try to hire the same experts.
  11. Required regulatory notifications. Fully understand the timing for any required regulatory notifications or other notifications required by law, and know how you will contact your regulator in the event of an incident.

IMMEDIATE RESPONSE Securing the safety of the community, customers, workers, and the site will be the primary concern of any organizational “emergency response” plan. Here, we assume that the organization is well versed in the technical emergency response, and we focus instead on the key decisions the legal team needs to lead in the first 24 to 48 hours following the start of the crisis.

  1. Convene the control group. Have a plan for how to convene the control group in short order. The simpler the process, the more effective, from wallet cards listing key phone numbers to secure messaging indicating the need to convene a conference call.

  2. Kickoff call with responders. Use a conference call with personnel managing the response to remind everyone of strategic and legal concerns, and to define the ground rules for working with the control group, providing information to any third parties, communicating generally, and investigating. Remind everyone that anything said and done in responding to a crisis may be thoroughly scrutinized in the future.

  3. Real-time post-incident interviews. Counsel should be ready on a moment’s notice in any location where you operate to interview (following appropriate Upjohn disclaimers) any potentially involved employees for purposes of providing legal advice to the organization.

  4. Implement communications protocols. Within the control group, implement clear instructions for how and when to communicate. As should be the case whenever drafting any e-mail, but especially during this time when the organization will be under heightened scrutiny, assume that any written communications could appear on the national news. Involving a strategic communications expert early can pay significant dividends.

  5. Establish plan for responding to information requests. Without a clear process for how to prioritize and respond to the overwhelming number of requests for information that the organization will receive—from the media, the public, internal employees, families of involved individuals—the control group will flounder. Legal needs to be involved with any communication during this time but cannot become a chokepoint.

  6. Address any safety concerns for other sites/operations. Consider the potential consequences on other sites or operations. For example, if the cause of an operational incident is not yet known, consider if any stop-work orders are necessary for other similar sites until the company learns more information.

  7. Insurance notifications. Some insurance policies require quick notifications of incidents potentially covered under the policy. And some require certain approved counsel to be in place if legal fees are going to be covered. Get your counsel pre-approved to avoid an unnecessary step in the crisis response.

  8. Beware diversions. An established process and defined control group responsibilities should help the entire control group avoid running to address every new fact or request for information that comes in the door. Keep the control group focused on the big picture.

  9. Remember the mundane. Task someone from the legal group to help the organization perform its routine functions without inadvertently creating a problem. Without coordination, personnel doing work like issuing press releases, handling stakeholder and investor calls, filing taxes, and dealing with regulators could make statements or admissions harmful to the company.

STRATEGIC COMMUNICATIONS All stakeholders, including the public and your employees, will want the organization to say something in response to the crisis. Building trust to mitigate reputational damage is paramount.

  1. You have to say something. Taking a two-year vacation to Sicily while the storm passes is not an option. As the legendary Bear Bryant said, “In a crisis, don’t hide behind anything or anybody. They’re going to find you anyway.”
  2. Think before responding. Keep cool under pressure. Remain disciplined. And help others do the same.
  3. Don’t make it worse. Once the organization speaks, it makes a record that doesn’t go away. Thoroughly vetted statements delivered by well-trained and prepared spokespeople are a necessity. The alternatives—misstatements, admissions, contradictions—increase confusion, diminish trust, and render the organization vulnerable to reputational and legal attack.
  4. Words matter. Believe it or not, the specific words chosen are critical. Be wary of legalese. Rewrite the message if Homer Simpson cannot understand it.
  5. Be proactive, not reactive. Get ahead of the public narrative. Stay ahead of the facts. Start thinking about a narrative theme early.
  6. Strategic communications with commercial parties. They don’t want to read about your troubles in the press, especially if they are involved in similar operations as those involved in the applicable crisis.
  7. Talking points for “warts.Every organization has warts. In a crisis with public interest, you will have to address them, even those that have nothing whatsoever to do with the incident or issue at hand.
  8. Proportional response. Not all incidents and issues require the same response. Understand your likely adversaries, the potential damage, and your goals.
  9. Whoever speaks better be good. There is not a one-size fits all approach to determining who should speak on the organization’s behalf to the public, but whoever it is, he or she better know what they are doing, have had intensive media training, and be informed about the current understanding of the facts the organization is willing to disclose.
  10. Resist the urge to blame others. Never a good thing, always comes back to bite you, creates bad soundbites.
  11. Focus on human impacts. The public does not care about how this may affect your business. Human lives and safety, the outlook for the involved communities, and the safety of the organization’s products all significantly outweigh any commercial impacts (especially any comments from executives complaining that they have to spend time dealing with the crisis).
  12. Consider all angles of any public apology. Just because you need to say something doesn’t mean that you should apologize for something the organization has done. If you apologize, it should be genuine. You can’t fake a public apology. Be wary of specific admissions that could be used against the organization later with respect to facts that are not yet known.
  13. Beware premature declarations. Do not underestimate the extent of the crisis. Similarly, declaring success at an early stage is a recipe for disastrous embarrassment.
  14. Don’t forget about your employees. Your employees want to know from the organization what is going on and what consequences it may have for them, especially if they work at the same or in similar locations.
  15. Consider reminder not to speculate. When communicating with employees, it may also be a useful opportunity to remind them about the organization’s media policy and to remind them not to speculate publicly, including on social media. Establishing a hotline for employees to call with concerns or to ask questions is helpful if the individuals receiving the calls are properly trained and can be helpful in preserving and boosting employee morale.
  16. Board and shareholder communications. Even more than line employees, the organization will need to communicate with the Board of Directors and key shareholders about the progress of the organization’s response. The Board will be involved in crisis response, but consider members of the control group making an early presentation to outline plans, identify risks, and set the ground rules for communication.

INVESTIGATION As with strategic communications, internal investigation is a necessity with a double edge. A well-managed investigation is essential to discovering the cause of a crisis, to mitigating its effects, and to assuring it does not happen again, and it is equally invaluable in winning the inevitable legal fight that follows. But if mishandled, it can become an enormous vulnerability.

  1. Boundaries of legal privilege. Understand the boundaries of legal privilege before launching an investigation. Will the legal team perform the investigation? Can legal privilege and work product protection attach? Is a separate legal investigation for purposes of providing legal advice to the organization necessary if the business is conducting its own investigation at the behest of management or in response to company policy? What are the risks of waiver and how are they mitigated? These questions can be assessed, and plans to address them outlined, well in advance of an incident. An investigative playbook familiar to the control group and tested through simulation is invaluable.
  2. Scope definition. Carefully define the scope of the organization’s investigation and ensure that the investigation remains true to that scope. Avoid mission creep. Contemporaneously document the scope and purposes of the investigation.
  3. Stick to the facts. The investigation team must stick to the facts and avoid unnecessary speculation and premature conclusions. Emails by investigators about their investigations that are sent socially, after-hours, in frustration, or otherwise outside the scope of investigation itself invariably pop up and cause trouble in litigation.
  4. Unnecessary materials. Do not create unnecessary materials and documents; some internal investigations merely create a roadmap for the organization’s opponents instead of adding value to the organization.
  5. Avoid buzz words. When communicating among team members or drafting the investigation report, avoid buzz words like “red flag” and “failure” as well as hyperbole and super-charged self-criticism. Aim for a fair and dispassionate approach to talking about and documenting the investigation.
  6. Make realistic recommendations. Be mindful of the investigation making unrealistic recommendations for the organization to implement. Keep in mind that prior investigation report recommendations (and the steps the organization has taken to implement) will be key fodder for any opponents in litigation.
  7. Training. Any personnel with key roles in post-incident response need adequate training, including anyone who will be a part of an internal investigation. Specific training on best practices and common missteps of investigations is critical.

LONGER-TERM CONSEQUENCES of SHORT-TERM ACTIONS The decisions the organization makes in the first 24–48 hours of a crisis will have significant and far-reaching consequences. The legal team must consider the legal consequences of public admissions or promises to act. The legal team must navigate the delicate balance of strategically communicating without undermining the organization’s position with counter-parties, regulators, or other adversaries.

  1. Civil litigation is inevitable. is highly likely, if not a given, that the organization will face at least one lawsuit arising from the crisis. Consider the optics of any decision the organization is making in court.
  2. Balance the public perception vs. litigation strategy line. As the fundamentals of strategic communication discussed above make clear, the organization cannot hide. Short-term preservation of the public’s perception of the company through public statements and action almost certainly will be at odds with how the litigation team would like to proceed. The legal team must understand where to give in the context of finding the right balance to address all drivers of exposure. Posturing for eventual litigation is greatly important, but it is not the only driver of exposure.
  3. Consider any criminal concerns. Do any individual employees need their own counsel in any requested interviews from the Department of Justice or regulators? As part of lining up post-incident crisis communication counsel, the organization should have a consulting criminal attorney on call if necessary.
  4. Ally activation. Depending on the scale of the crisis, the organization will need to activate all allies, including journalists, politicians, and trade groups.
  5. Preserve evidence. Issue a litigation hold and evidence preservation notice internally as soon as practicable, and do the same to any counter parties (or potential adversaries) where necessary.
  6. High alert for cyber attacks. Your organization is most vulnerable to cyber attack when focused elsewhere. Double your efforts in monitoring your systems, understand the ramifications of potential ransom demands, and do not be caught off-guard.
  7. Rely on reasonableness. A significant crisis will lead to years of investigation, public scrutiny, and litigation, which in turn will create thousands of dilemmas and choices for the company and its lawyers. Do not miss the forest for the trees. And when in doubt, err on the side of the reasonable decision. There are times, especially in litigation, when a seemingly unreasonable action is legally essential. But generally speaking, an approach that hearkens to fairness and can be explained in simple terms is best course.