Prevention is key to crisis readiness: while there is rarely a perfect response, you can better position yourself to manage a crisis effectively.

• Author: Rodriguez, Jose R.
• Position: ON THE GOVERNANCE AGENDA

Crisis readiness has taken on increased importance and urgency for boards and management teams.

Product recalls, data breaches, government investigations, health scares, natural disasters, terrorist events, ailing business leaders, and more. The potential crises that can befall companies at any moment seem nearly endless. And thanks to social media, the news of a crisis (accurate or inaccurate) can go viral in a matter of minutes, with potential adverse impacts on share price and reputation, making the company's preparation and readiness to respond quickly and effectively to a crisis increasingly critical. As postmortem media reviews of numerous crises have demonstrated, when a company's response is deemed to have fallen short, a question that is always asked is, "Where was the board?" This is particularly true in cases where a crisis was preventable, early warning signs were ignored, or the crisis was attributable to the company's culture or tone at the top. The message for boards: Prevention is integral to crisis readiness and response.

While management has primary responsibility for crisis readiness and prevention, the board plays a crucial role in understanding and overseeing the company's efforts--in particular: management's crisis prevention activities; tone at the top, culture, and incentives; and the company's crisis readiness, especially whether it has a robust crisis response plan.

Crisis Prevention. Crisis prevention goes hand-in-hand with risk management, as risk management involves identifying and anticipating events that could occur, and putting in place a system of controls to prevent such crises and mitigate their impact should they occur. Boards, particularly audit committees, are increasingly focusing on key operational risks across the extended global organization, e.g., supply chain and outsourcing risks, information technology and data security risks, etc. Some questions for audit committees to address with management include:

* Does the company understand its critical operational risks?

* Has anything changed in the operating environment?

* Has the company experienced any control failures?

* Is management sensitive to early warning signs regarding safety, product quality, and compliance?

* How sound are the company's disaster recovery plans, and how often are they tested and refreshed?

* Is internal audit focused on the adequacy of the company's controls around key operational risks?

Audit committees play an important...