Yellow abstract of floor level.

TerraLex crisis management regulatory reference guide 2019

When a crisis hits your organisation, you need to take action quickly. What practical steps can you and your team take to minimise the impact on your business? What are your reporting requirements in the relevant jurisdiction(s)? What legislation applies there?

Our guide provides you with the answers to these questions in relation to key jurisdictions and it supports your understanding of the relevant local legal framework. It also provides high level practical guidance for those crucial first 72 hours, together with contact details of the local TerraLex firm for when you need specialist advice.

We at RPC are very grateful to all who have taken part in and contributed to this project. We hope you will find our guide a useful resource for understanding your regulatory obligations following a crisis.

Crisis checklist

A crisis, by its nature, is both serious and unexpected and your response and actions within the first 72 hours will most likely define its impact on your organisation.

It is therefore important to have in place robust procedures that, if followed, will help minimise the adverse consequences.

These next steps are common across all jurisdictions. Please refer to the chapter for the relevant jurisdiction for more detailed guidance on your obligations in that country.

Immediate actions

Response team – Assemble a core team of individuals to manage the response (eg from HR, IT, data privacy, facilities, legal & compliance) and identify the main point of contact and reporting procedures

Appoint consultants – Depending on the nature of the crisis, appoint external advisers to assist, including:

  • Forensic accountants
  • Cyber/IT specialists
  • Lawyers
  • PR agency (see below)

Scoping and action plan – Have a clear plan of action with reference to internal policies and procedures. Identify key priorities for first 72 hours.

Containment? – Consider whether any immediate measures are required

Criminal activity? – Consider involving the local law enforcement body (see country chapter guide)

Internal communications

Board notification – Notify the Board

Staff communications – Consider who should be told, what information will be provided and how the message is best conveyed

Confidentiality – Remind staff of confidentiality obligations, including any relevant clauses in their contracts. Staff should not refer to the ongoing events on social media

Document preservation – Inform staff that they should not destroy any relevant paper or electronic documents

External communications

Reputation management/PR – Inform your PR agency and/or in-house PR team. They should take charge of internal and external communications

Early communication? – Consider whether it would be advisable to issue a holding statement or early communication in order to control the narrative

Communication with shareholders – Consider what communication there should be with shareholders, including any obligations to report to the market for listed companies


Consider your notification requirements under any relevant insurance policies covering, for example:

  • Employers’ liability
  • Cyber cover
  • Directors & officers

Notifications and reporting to Regulators

Please refer to the individual country chapters.

When a crisis arises, which regulatory bodies do I need to notify and what is the relevant legislation?

From data breaches to dawn raids, whistleblowing and internal investigations, to navigate the rules applying in key territories across the Americas, Asia and Europe, follow the direct country links or download the full PDF below.

Australia | Bolivia | Brazil | Canada | Cayman Islands | Czech Republic | Ecuador | England and Wales | European Union | Finland | Germany | Hong Kong | India | New Zealand | Scotland | Slovakia | Switzerland | Turks and Caicos Islands | US (North Carolina)

TerraLex Crisis Management Regulatory Reference Guide 2019 - download the full guide File type: PDF Size: 2048 KB