TerraLex crisis management regulatory reference guide 2019
When a crisis hits your organisation, you need to take action quickly. What practical steps can you and your team take to minimise the impact on your business? What are your reporting requirements in the relevant jurisdiction(s)? What legislation applies there?
Our guide provides you with the answers to these questions in relation to key jurisdictions and it supports your understanding of the relevant local legal framework. It also provides high level practical guidance for those crucial first 72 hours, together with contact details of the local TerraLex firm for when you need specialist advice.
We at RPC are very grateful to all who have taken part in and contributed to this project. We hope you will find our guide a useful resource for understanding your regulatory obligations following a crisis.
Crisis checklist
A crisis, by its nature, is both serious and unexpected and your response and actions within the first 72 hours will most likely define its impact on your organisation.
It is therefore important to have in place robust procedures that, if followed, will help minimise the adverse consequences.
These next steps are common across all jurisdictions. Please refer to the chapter for the relevant jurisdiction for more detailed guidance on your obligations in that country.
Immediate actions
Response team – Assemble a core team of individuals to manage the response (eg from HR, IT, data privacy, facilities, legal & compliance) and identify the main point of contact and reporting procedures
Appoint consultants – Depending on the nature of the crisis, appoint external advisers to assist, including:
- Forensic accountants
- Cyber/IT specialists
- Lawyers
- PR agency (see below)
Scoping and action plan – Have a clear plan of action with reference to internal policies and procedures. Identify key priorities for first 72 hours.
Containment? – Consider whether any immediate measures are required
Criminal activity? – Consider involving the local law enforcement body (see country chapter guide)
Internal communications
Board notification – Notify the Board
Staff communications – Consider who should be told, what information will be provided and how the message is best conveyed
Confidentiality – Remind staff of confidentiality obligations, including any relevant clauses in their contracts. Staff should not refer to the ongoing events on social media
Document preservation – Inform staff that they should not destroy any relevant paper or electronic documents
External communications
Reputation management/PR – Inform your PR agency and/or in-house PR team. They should take charge of internal and external communications
Early communication? – Consider whether it would be advisable to issue a holding statement or early communication in order to control the narrative
Communication with shareholders – Consider what communication there should be with shareholders, including any obligations to report to the market for listed companies
Insurance
Consider your notification requirements under any relevant insurance policies covering, for example:
- Employers’ liability
- Cyber cover
- Directors & officers
Notifications and reporting to Regulators
Please refer to the individual country chapters.
When a crisis arises, which regulatory bodies do I need to notify and what is the relevant legislation?
From data breaches to dawn raids, whistleblowing and internal investigations, to navigate the rules applying in key territories across the Americas, Asia and Europe, follow the direct country links or download the full PDF below.
Australia | Bolivia | Brazil | Canada | Cayman Islands | Czech Republic | Ecuador | England and Wales | European Union | Finland | Germany | Hong Kong | India | New Zealand | Scotland | Slovakia | Switzerland | Turks and Caicos Islands | US (North Carolina)