Skip To Content

Proactive crisis management: Expecting the unexpected

Mar 8, 2017

Risk is multi-faceted and a crisis can strike a business at any given moment. Mismanaging or neglecting risk can have widespread negative and costly financial, operational and reputational repercussions – not only for a business but for its key stakeholders as well.

For enterprises, having a crisis management plan in place to strategically respond to business critical situations is key to effectively anticipating and managing the potential fallout. As part of our Brief the Board series,  Osler partner Lawrence Ritchie, who specializes in crisis response and risk management, and Deloitte partner Alan Stewart provide resources that outline crisis management and communication strategies for proactively managing a crisis situation. In particular, these tools review

  • the key elements of a best-in-class crisis response plan
  • general counsel’s role and what the board needs when a crisis arises
  • key challenges and lessons learned when dealing with a crisis

Every enterprise will face a crisis sooner or later. These resources provide counsel with a framework to  prepare for the unexpected:


The essentials

  • Directors expect counsel to identify potential advisors before the company is in a crisis situation
  • Prepare and test a crisis response plan before crisis hits
  • Develop a culture of compliance and culture of preparedness

Access the PDF of TakeawaysReview the slide deck



Video transcript

ERIC MORGAN: Hello and welcome to Osler's webinar series "Brief the Board." I'm Eric Morgan. I'm an associate in Osler's litigation department in Toronto. This is a series of webinars that Osler is presenting on how counsel can brief their board members and senior executives about a variety of litigation topics.

In today's webinar, we will be discussing briefing boards and executives about risk management. I'm joined today by Larry Ritchie, a partner here at Osler in Toronto and the chair of Osler's crisis response and risk management group, and Alan Stewart, a partner with Deloitte Forensic, and leader of the Canadian practice. If you have any questions during the webinar, please email us or type them into the area provided on your screen. And we'll respond to them as time permits.

So with that, I'm going to turn it over to Larry and Alan.

LAWRENCE RITCHIE: Eric, thank you very much. And thank you first and foremost to the listeners, people who are participating in this webinar. And thank you, Alan, for joining us today.

Today, as Eric said, we're going to talk about proactive crisis management and what it means to expect the unexpected. And I think a good place to start is to summarize some of the research that we were involved in putting together with the Institute of Corporate Directors last year on how directors feel about crises and their general response and what they feel about their individual companies for which they serve.

First and foremost, board members agree over 75% that reputation building, reputation maintenance, and crisis management preparation are all very important parts of their mandate. They see, in terms of risks for their own organizations flagged by the directors, risk as being 83%, ethical concerns 77.9%, financial reporting about the same, and cybersecurity up there as well. Those are the four areas that they see as major concerns to keep an eye on when they're safeguarding the reputation of their organization.

What is a surprise-- and we suspect that this would change as the years go by, maybe the weeks go by-- that social media is not recognized amongst the survey directors as a potential concern. As said, we believe that it should be. And we'll see when we go back to directors to see what their concerns are in a few years what they have to say about that. Alan?

ALAN STEWART: Yeah, that's actually a surprise to me. We're seeing more and more social media plays a role in our investigations. Certainly, in terms of fact finding, it's very helpful in some cases. But also recently, we were able to identify a threat issued over social media to a corporation from two or three different people that the corporation itself had not picked up on. So there was basically an underlying threat from an environmental group to take some physical action on the company's premises.

LAWRENCE RITCHIE: And you could see how easy it is to damage one's reputation through rumors, innuendos, unsubstantiated facts through social media that we feel directors should be concerned about. So that's something that we'll watch in the years-- I keep saying the years to come, but it'll be much sooner than that. Now, the other thing that's interesting is that directors generally-- at least the survey directors generally believe that they're ready for a crisis. Over 2/3 of them state that their company has a formal crisis response plan for dealing with a sudden crisis. And a significant number-- 80%-- feel that management teams have the skills to handle the crisis.

However, when really pushed, only 30% feel confident that their enterprise risk management system has identified all of the material risks. And less than 25% believe that they don't or don't know if they have a succession plan in place. And when you think about how succession is so important and planning for succession is so important to companies and an important role for boards, you can see an inconsistency in terms of their confidence and their true feelings about facts on the ground would suggest that perhaps board members are a little overconfident in their feelings about the ability of the companies to respond to crises.

So let's just quickly walk through some of the summaries of these reviews based on the survey. There is a general recognition of the importance of board oversight of corporate reputation building, maintenance, and crisis management. They understand that risks should be and have been identified by directors. And they include reputational, ethical, financial reporting, cybersecurity, but not social media. They believe their organizations are ready for a crisis and that management teams have the necessary skills. But as we have said, we worry that they're a bit overconfident in these feelings. Directors expect to use existing company advisors for advice for a crisis, yet they recognize that more diligence is required to protect board members.

And Alan, just generally, what's your perception of those findings? And what does it mean?

ALAN STEWART: Well, I think there's no doubt that crises have taken on a much more public persona in the last, say, 10 years. And therefore, directors are clearly much more aware of their importance, which is highlighted by this. I think it's a little concerning that they believe that their organizations are ready and that they have the necessary skills in-house. I think generally, directors are not as prepared as they think they are when we get involved in crisis situations, Larry, when we've been working together on them, that they tend to underestimate the impact that it can have on the organization's business as usual.

So the organization's working hard, business as usual. And then something comes along that they just can't necessarily carve out a sufficiently large and skilled team internally to deal with the problem.

LAWRENCE RITCHIE: I agree with those observations. And I think that it's interesting as well that a vast majority of the directors at first blush rely on management to deal with and contain a crisis. I think that's probably right from a corporate governance point of view, although I do think that it also suggests that the things that they're thinking about are capable of being handled by management. And it does question whether the organization is nimble enough to deal with problems that are caused by something within the core of management that needs to be dealt with in a different way as opposed to in the ordinary course.

And that's really what would I think of-- and I think, Alan, you as well-- as a crisis is something that has that happens that's out of the ordinary that when you look at the consequences or potential consequences, it could really shake the organization to its foundations because of the impact it has on its reputation and on its ability to continue to do what it does and does best because of a loss of confidence amongst its stakeholders. And that's very difficult to plan on.

ALAN STEWART: Agreed. And just to add to that, these crises-- and I agree with your definition-- they require more time from the board, or maybe the special committee or whatever subset of the board is dealing with it. It requires a lot more involvement and time from the board. And I've been in situations where some individual directors are not ready to do that. It comes as a shock to the system that they have to meet every week or every two weeks to deal with that crisis.

LAWRENCE RITCHIE: When you're right in the midst of.

ALAN STEWART: When you're right in the midst of it and you need-- as an independent advisor, you need instructions from the board and not from management, to your point.

LAWRENCE RITCHIE: Right. And they can take on different roles and sizes and shapes and have different origins. But I think there is a pattern. And the pattern is-- as you can see from the screen, it starts with, in the center, an identification of the problem. And part of the key aspect of dealing with these situations is to properly identify and characterize what that problem is. And it does have a cascading effect. And it has the potential of taking over, as you said, Alan, a much more time and expense and strategy time of the board than one would think.

So you have a problem. You have to do an analysis of what that problem is. It can lead to an internal investigation. And if it's a problem that has been identified by others outside of the organization, whether it's a whistleblower or a regulator or a policing organization, it can give rise to regulatory or criminal investigations and proceedings. And the very fact that a company is involved in those is a crisis that needs to be managed as well.

It can give rise from there to changes in management, whether it's something that requires management to be changed at the instance of the board because, in response to this problem, or because of a unforeseen development with a senior person, a CEO, or other senior person. It could give rise to a reshuffling of the deck in terms of the executives involved. All of these events often make companies quite vulnerable to shareholder class actions or oppression litigations, and that becomes high profile and quite time consuming. And ultimately, it becomes something that, in a public company situation, it's not unusual with all the resources diverted to dealing with these problems that they take their eye off the ball and they become vulnerable for takeover bids and challenges to the board. So you can see how a single incident really can have all of those effects that become ultimately an existential threat to the whole of the organization.

The other thing, too, is that it's important in terms of directors to understand that risks can't be siloed, that something that starts off-- and this goes to the proper identification and assessment of the problem. Something that happens in an individual unit of a business often has an impact if not properly dealt with through the whole organization. And unless there is a proper information flow amongst the various silos and up to the board of directors, it's very difficult to have a holistic approach to dealing with a problem that could have crisis implications in a proper way.

So really, what are we talking about? We're talking about being in a position to position the organization to be able to proactively manage the fallout from something that can happen that was unforeseen. And we see this really characterized-- it's a bit oversimplified, but we can see two general baskets of these types of situations. It's the spark. It's a crisis that has happened by a single event. Or it's the slow burn, something that's manifested from ongoing activity. And both of those risks from those circumstances have to be managed proactively as part of the role of the board as well as the role of the compliance people and in-house counsel and management, generally, in very different ways that work together.

So you minimize risk in terms of the potential spark situation by institutionalizing centralized oversight and decision making and having a response plan before a crisis hits. And in terms of ongoing activity, you do that through implementing ongoing daily and regular compliance systems and processes so that you can identify potentially affected stakeholders throughout your business activities and prioritize strategies to reduce harm when something goes out of whack in terms of the day-to-day aspects. The one thing before I turn it over to you, Alan, is to emphasize communication.

Communication is key, both in terms of planning, both in terms of making sure that the information about the potential problem and its cascading effect getting to the right decision makers and throughout the organization and to external stakeholders-- it's very, very important. So you have to, as part of any plan, on an ongoing basis as well as in responding to these problems, to have an extensive internal and external communications strategy throughout the piece.

ALAN STEWART: Right. So I agree with that absolutely. The different stakeholder's point is very interesting. So in these crises, you certainly can have multiple and competing stakeholders in terms of those impacted by the investigation or by the crisis. Fundamentally, the same facts should influence dealing with any stakeholder. The problem may be that you just haven't developed the facts or you don't know all of the facts, certainly at the beginning. And so that's typically the first action is to find the facts.

But you can see that, if it's a public company, the competing demands of the public for information, the regulator for information, there might be a class action-- they generally start fairly soon after some announcement-- litigation, and also your employees. Don't lose sight of the employees for information. It gets pretty tricky.

LAWRENCE RITCHIE: The employee issue is a very important one which is often overlooked, at least at the beginning. It's not overlooked when you're in the thick of things because you will know when people are leaving and jumping ship when you've done a suboptimal job of managing communications within the organization for your employees. Getting the facts, as I'm speaking to a forensic expert, is obviously a very important point. But also, how you get the facts and all of the things and the stakeholders and the concerns that you've just expressed are something that right at the outset, the team that is responsible for dealing with this situation has to make a very quick-- and it's not just quickness. It has to be a smart and well considered decision about whether this is something that should be examined by the people who are already involved, or whether you go out and have a level of independence.

And all of that leads into the importance of having a crisis response plan, because those are some of the factors that you can plan a process as to how to make those decisions. Yet because of the way we've defined crises and the unforeseen aspect of the nature of it, you can't you can't have a script that you have to be married to. So that really means that you should identify building blocks for a crisis response plan. And we've set out some that we've identified. Obviously, there's no hard and fast rule, but these are things that we think are absolutely crucial that you can have in place, steps and an understanding of how things will evolve in advance to help you navigate through the problems as they arrive.

The first is to identify your team. And that's something we can drill down on in a moment. You want to develop an internal and external communication plan for the reasons that we have discussed. You want to conduct an internal investigation of some kind. It doesn't have to be the kind that you and I would be called into to dig around a problem, although we like those the best. But there has to be a process and an understanding of how it's going to be dealt with.

And in certain circumstances, you're going to have engagements, if you're in a regulated business, with the regulator. And you're going to have to make decisions whether you do that voluntarily and how you approach that. And that's going to be a very, very important role for legal advisors to assist with.

And also, if it's not voluntary, if they're using compulsion such as search and seizures, how you're going to respond, what you want to position the organization-- and it's not an easy call whether you want to be cooperative or whether you want to rely on your rights. But really, first and foremost as well-- and I know I've used that expression a lot in here-- but really what overlays all of this is you want to anticipate and manage fallout throughout every step of this and throughout.

And finally, particularly for those who are advising boards and sitting on boards all the way through this, you have to make sure that you are not immunized from getting good help and good guidance by making sure that-- because what you're doing is basically shooting yourself in the foot if you think you're just wanting to be left alone. You need up the ladder reporting and down the ladder communication. Alan?

ALAN STEWART: Yeah, I think that's right. In these things, sometimes you just never know where the crisis is going to take you. So careful consideration up front as to who your team is and how you operate is really important.

So for example, in the worst case scenario, you've got litigation. You've got regulatory action as well. The same e-discovery will-- the same documents will influence everything. It's better to collect those all up front potentially rather than collect them piecemeal or maybe duplicate collections throughout the piece as a new stakeholder is uncovered. So anticipating the future when you start to assemble your team and conduct the review is very important.

LAWRENCE RITCHIE: When you are assembling your team, what is difficult for all of us is you want to be as prepared and have as much in the can as you possibly can. But as we've said, you have to ensure that you're nimble and you can-- and that you can direct yourself to the problem with the right people around the table.

And that means that you just have to really have an understanding of what can go wrong and how and the type of process that you're going to apply as opposed to, as I said before, having a script, because often, when you go back to one of the earlier slides, our experience, Alan, is that when you identify the problem on day one and think about the risks that can occur and prioritize those, day 19, the assessment looks quite different than it does in day 1 because that fact gathering, that fact process, and the reporting up and the communications throughout the organization is such an iterative process that it changes, and you to really motivate-- you have to be directed to those changes as they evolve.

ALAN STEWART: Right. So for example, if you start the review with in-house counsel and internal audit, for example, that's a pretty good, cost effective way to start a review. And 9 times out of 10, that may be sufficient and get to where you need to go. But at some stage that in-house counsel may not want to be a witness to whatever people are telling him or her, may seek counsel from external advisors to say, am I doing the right thing? Is the scope right?

And when is that point? So when do they start to seek advice? And when do you start to bring in more independent people who can bring different skill sets and independence? That's always a balancing act.

LAWRENCE RITCHIE: Right. And you can lose time. And you can lose that nimbleness if you don't get it right at the outset. But at the same time, you have to make sure that you are flexible enough that if you have made a misstep in terms of the first couple of decisions that you can't unwind it or change direction because it's very important, as I've said before, to be nimble.

And that's why what do you know should happen at every case. You should have a protocol in place in terms of assembling your team. You should have a way that these decisions are made. You should have a business point personnel, legal point person depending on the issue, and an internal communications point person and an external communications. Some of those people can be the same, but you want to have clear lines of who's responsible and who's doing what. And then, as you've alluded to, Alan, you want to consider early what your external needs are going to be and be in a position, as I've mentioned before, that if you do make a decision to not reach out to legal, communications, or forensic experts, that you'll be able to bring them into the piece if the matter cascades into something unforeseen.

And this is here on the screen. This is an example of the type of team that would be set up. You want accountability. You want someone who is responsible. And you want to be surrounded not just by the legal and communications people, and even the forensic people who are more process oriented. You want to be you want to be surrounded by subject matter experts. And you want that team-- each organization and situation is different. But you want it to be-- in order to be nimble, you want it to be a tight and accountable.

And here we've set out what we think is the role of the team, is to support the response, to ensure that the priorities that are set by the board or senior management are properly addressed, to set out and change and properly assess on an ongoing basis your objectives and policies for this management, and to be responsible in management, the communications strategy, and to constantly assess and take steps to minimize impact to the organization. The team does not act on its own. The team is the conduit for the organization. And in most cases, as the matter proceeds, it reports to the board or someone who is identified as having ultimate responsibility.

Alan, why don't you speak to assessing the incident? We've talked about this and how it changes, but what are we dealing with here?

ALAN STEWART: Well, assessing the incident really gets to the scope. So what's the scope of what is going to be done by the crisis response team? And typically, you don't want to boil the ocean at the beginning. You have to assess what you're dealing with. You have to go around that to make sure that it is everything that you're aware of.

So have you got one incident? Have you got 1 or 10 incidents? If it's a cyber breach, typically that would be one. But often we found investigating cyber breaches that that same group has potentially attacked and failed on previous occasions. And that can lend information to the investigation.

So the scope of what you're doing is really important. And that needs to be controlled. And typically, that would be perhaps a special committee of the board or that directing lane for the further review.

That constantly needs revisiting. So the scope of whatever you're doing needs revisited very regularly to make sure that not too much is being done, but to make sure that enough is being done to address the concerns of the various stakeholders.

LAWRENCE RITCHIE: Yeah, this concept of scope and mandate creep in. And we've been in a couple of matters where it's been difficult to know exactly what the objectives are because we're service providers but that was coming from the board. From this side of the table, I do like special committee mandates because you have a group of-- you have a group of people who are independent directors who are responsible. You tend to be able through legal to set out their mandate in writing and to then give you as the team, as the service providers, as the assisting bodies, the opportunity for them to give specific instructions. And then as they evolve, they can be done in writing.

The process doesn't have to be overly formal. But it does help in terms of understanding, especially after the fact and learning lessons, to see how it's evolved so that you can make sure that nobody is going off on a frolic. And as people who are living by billing clients, that tends to be music to our client's ears because it's a greater control over costs that can run amok. So assessing the incident on an ongoing basis is also very assisting to the service providers.

ALAN STEWART: Yeah. That's right. Obviously, shareholders demand appropriate use of company money. And so you just can't go writing a big check and saying, investigate everything. But you do want to be able to answer the question why from the regulators. Why did you do this? And why did you not do this?

LAWRENCE RITCHIE: So one of the things that are part of the plan that you have to really keep in mind-- and there's a lot that we're throwing out. But really, part of it is also to understand the needs of the people who are key actors. And the needs of the board and the needs of management and legal are quite different in these situations. But in our experience, in my experience, the needs of the board generally remain kind of the same, that they require regular and timely reporting.

They want to understand the communication strategy and their role in it. They want a constant assessment of the quantification of exposure, which can be quite-- frankly can be to seem to us in the midst of it can be annoying because we're dealing with unforeseen. But at the same time, it's very fair for directors to want to know what the exposure is and understand where it's going to go.

The board of directors want accountability in terms of good governance. And so they want to have a point of contact in the group that's involved in this. The board may want separate legal representation, and that has to be worked out depending on the nature of the issue.

And they want a clear statement of the questions that they need to decide. So as advisors, we want to tell them what they need to know. And they need to know that we'll be responsible for the things that they need to know. So the outcome is a consistent general PR strategy and a problem-solving strategy top to bottom of the organization benefiting from the board's guidance.

The role of legal in these kinds of things is also very important. They play a very important role. They have to monitor the process and understand what went well and what didn't go well. They have to determine the facts and root causes of the events because when we as the outside advisors leave, they have to deal with the fallout and make sure that something like this doesn't happen again.

They're constantly asking or being asked, is this our incident? And so they have to really facilitate the concept that you should leave the blame game to the end of the game and deal with how to best protect the organization and move forward. They need to make sure that their internal policies, the people's duties in compliance and insurance are all in place. They have to obviously look after privilege. We could talk for hours on privilege in these circumstances. It's a very tricky issue, as you know. And they have a role to review and have input on communications because legal is-- communications also has a very important role.

Often, there's a report to be prepared. There's shared learnings. They have to determine the assistant determining the corrective actions and determine responsibility and assess risk at the end of the game, all of that within the context of a privileged relationship that really only legal-- that legal uniquely shares.

So that is, in summary in a very short period of time, the building blocks to the response plan. And now for the five minutes or so that we have, we'd like to just talk about how to use learnings from previous experiences or to really anticipate these things happening by having what we've called "the best defense is a good offense." And maybe the line beside number one is a giveaway that Alan-- how does one best do that? How does one best become prepared?

ALAN STEWART: I think the culture of compliance has to start at the top. And it has to be just consistently flowed down through the organization. It has to be more than-- it has to be meaningful. It has to be more than just words on a page or processes in a book. People actually have to believe it and live it every day.

And so when we talk about the procedures and mandatory training and a reporting system, the best ones are active and in place and people buy into them. The worst ones are thick volumes or thick websites that people have to flick through once a year and sign off on.

LAWRENCE RITCHIE: The point you raise is a crucial one. It's not enough to simply have policies and processes and protocols on the books. It's like a fire drill. You really have to walk people, at least the people who are going to be the decision makers and be active in this-- no, I'm going to take that back. I actually think everybody has to understand how these things are going to unfold and be tested and reviewed and do more, as you've suggested, than just have them on the books.

ALAN STEWART: I think it's always a good question to ask if you're a director to ask of whoever it is who would be in charge of the program. How many whistleblower complaints have we had? If the answer's zero, there's two potentials for that. One, there's absolutely no issues. And in an organization of significant size, that might be surprising, even if they're crazy issues.

So there's two possibilities. One would be that the process doesn't work at all. So people don't believe in it because it's reporting the wrong place or whatever.

LAWRENCE RITCHIE: Right. And our experience is that it's rarely the former. And there's lots of red flags in terms of those types of things for whistleblower policies. And one of the things that really does-- and it's the second to last bullet there-- really, really is important to maintain a proper reporting system and an information gathering system is to make sure that when there are problems that you are able to communicate to an important stakeholder that internal stakeholders that those problems will be remedied. And you want to create appropriate incentives for people who identify problems to come forward in a confidential, safe way. And in this environment when regulators and government organizations are creating competitors to the internal reporting system, you want to make sure that there is an incentive for aggrieved persons or people who have identified wrongdoing can report properly within the organization.

ALAN STEWART: Yeah. I was going to raise that. So the OSC's office of the whistleblower has created an absolute imperative for companies to have an effective program themselves. So they hear from the employees first.

LAWRENCE RITCHIE: So here are some best practices that we've identified for a healthy compliance program. There are roles. This is not something that should be siloed out to the legal department or that the legal department make sure that it's the exclusive purview of management or some other group. It's something that is really, as you've suggested, holistic. And the legal group has a very important role to play in terms of education and supporting businesses and really to identify the potential risks where this can go so that the organization can be better equipped.

But as you've suggested, it's really management and board testing and putting pressure on management to make sure that they promote and enforce these programs consistently and that they take disciplinary action, as I mentioned before, against violators and be seen to take it seriously. And employees and all people who are affected have a role. Obviously, they have a role to make sure that they don't hide from a problem, they self report, and they bring compliance managers-- bring facts to the compliance managers, and that basically what we encourage them to do-- and the program should encourage them to do-- is to err on the side of overreporting. And so it becomes a natural thing that something that's an anomaly is brought to the attention of the compliance people, of the people who are handling these programs so that an assessment can be made properly.

ALAN STEWART: Yeah. And obviously, depending on the size and nature of the organization, how big or small the compliance group is will determine some of the responsibilities.

LAWRENCE RITCHIE: So in closing, we want to say that the culture of compliance requires developing and fostering a culture of preparedness. And it's all interconnected in terms of how the compliance regime is articulated and understood and in an understanding that these things are dealt with systemically as opposed to as on an ad hoc basis, that there's a way to recognize that incidences are evolved to a certain state that they cascade into other areas, that the organization, through its protocols, will have a way to de-escalate the problem, to make timely decisions through clear thinking, and recognize that these extraordinary conditions are part of what ultimately should be expected and dealt with in the ordinary course.

So finally, going back to the board point of view, you want to encourage the board to ask questions and to hold management and the legal group to account for what they're doing and how they're doing it. You want to be able to test the crisis response plan, and when there is a crisis or an unforeseen problem, to be able to properly review the results and understand the consequences. Alan, final words?

ALAN STEWART: Yeah. I think it's always a very good question for a board member to ask is, what if we were hit by this? How would we react? What would we do?

Often, in the cases you and I have been involved in, Larry, we're faced with board members who are dealing with something for the first time. And they may not have a plan in place or may not have had a plan in place. They would have been better off if they had.

ERIC MORGAN: Terrific. Thanks very much, Larry and Alan. I think we've got time for a few quick questions. The first one's about prevention. And it's, as you review your clients' crisis response procedures, what is the one thing that is routinely missing? Larry, do you want to start with you?

ALAN STEWART: Or start with me. I would suggest that routinely, the client underestimates the demand for information in a crisis and how to respond to that. So be that from the review itself or from regulators, they routinely underestimate that and how much diversion of internal resources that can take.

LAWRENCE RITCHIE: Eric, I agree with that. I would also say that our experiences Alan just stated before are experiences that clients often don't have a crisis response plan at all. And that's what's missing from their crisis response plan. So even thinking about these issues, the fact that there are people listening to our program right now is a very positive thing and a recognition that it's a very important thing to have. I think people should roll up their sleeves and make sure they have a plan in place.

ERIC MORGAN: We've got one more question on the issue of reaction. And it's, what are some best practices for insuring crisis response doesn't overwhelm day-to-day operations?

LAWRENCE RITCHIE: Well, I'll start with that. I think that's a great question. And I think it really goes-- I think the answer is what we've talked about, is if you have a protocol in place which isolates the decision makers-- it's one thing that we probably didn't really emphasize the value of having the identifying the teams and identifying the problems and having a clear reporting line, is that the other people in the organization shouldn't be involved in that issue. They're just going to annoy and over run the organization with problems. They have to get back to the day-to-day work, the important work of providing value to the shareholders and to their stakeholders. And so I think the best way to ensure that the situation doesn't overtake the operations is to have a clear plan that's implemented where people are accountable and the rest of the organization just gets on with their day-to-day work. Alan?

ALAN STEWART: Yeah. The only thing I'd add to that is you need a separate team within the organization with clear decision making authority so that, for example, if we have to get data from the IT group, the IT group's priorities are able to be set appropriately according to the desires of the organization. So you need somebody senior, in other words, to manage that.

ERIC MORGAN: Thanks very much. Well, thank you very much to everyone listening for joining us today for this webinar. Hope it's given you some useful insights and definitely a lot of food for thought. You can find out more information and commentary on risk management by going to Osler's risk management blog at or at under the Resources tab.

Thank you again for attending this webinar. And have a good day.