Photo courtesy of the author
The SEC, DOJ, and nationwide USAOs are increasingly encouraging organizations to self-report misconduct, fully cooperate with authorities, and meaningfully remediate. In return, companies may receive reduced penalties, up to and including a government agreement not to criminally prosecute and a declination to bring a civil enforcement action.
However, in addition to being costly and time-consuming, self-reporting presents reputational risks. There also is always a possibility that a sensitive matter will leak. In any event, having complementary legal and crisis communications strategies in place can help companies avoid costly missteps and mitigate reputational damage.
Understanding the Risks
Since the publication of the Holder Memorandum in 1999 – in which the DOJ laid out factors federal prosecutors should consider in bringing criminal charges against organizations, including whether a corporation timely and voluntarily disclosed wrongdoing and cooperated – the government has become more vocal about the benefits of voluntary self-reporting and cooperation and has formalized those benefits in multiple, overlapping whistleblower, pilot, and formal disclosure policies.
Cooperation has been touted by the government as beneficial to companies for several reasons, including: (1) allowing for significantly reduced fines and penalties as compared to companies that do not come forward; (2) the prospect of leniency in the form of non-prosecution and deferred prosecution agreements or declinations to prosecute; (3) accountability for companies to take responsibility for their actions and build and make improvements to their compliance frameworks; and (4) punishment of individual actors who have broken laws and caused damage to companies and their shareholders.
However, agreeing to self-disclose and cooperate, or, in the words of Deputy Attorney General Lisa Monaco, to “knock on our door before we knock on yours,” comes with considerable risks, including: (1) the cost of retaining legal and other advisors; (2) the time and internal resources dedicated to cooperating with the government; (3) the risk of debarment from doing business with the government; (4) the heightened risk of follow-on litigation; (5) for public companies, disclosure of the existence of and details about the investigation in securities filings; (6) the continual demand for information (which the company often cannot provide) from federal, state, and local authorities seeking to contract with the company; (7) ongoing questions from investors, customers, and business partners; and (8) potential for reputational harm if a matter becomes public.
Making a Decision
While there is no corporate decision tree for self-reporting, there are instances in which the decision is more obvious – for example, when a company has discovered credible evidence of misconduct that is egregious and enforceable, when a breach of controls is pervasive, when the misconduct involves senior level management and/or the board of directors, and when conduct materially impacts the company’s financials.
There are also circumstances in which a company that has discovered misconduct may not self-report (for instance, a situation in which the company thoroughly investigates the allegations of misconduct and takes appropriate remedial measures, including improvement to controls, enhancements to compliance processes, and appropriate discipline). There are advantages to this path. Companies know their own systems and cultures. They know where to find relevant documents and which employees to interview. Internal reviews allow the company to better control the narrative surrounding the misconduct and are generally much less costly and quicker.
If the appropriate decision is not clear, it is prudent to seek the advice of outside counsel, who can help assess the risks – especially on the question of what harms could befall the company if the government later learns of the situation and disagrees with the company’s decision not to report.
Developing a Communications Plan
The risk of sensitive matters becoming public or known internally to employees or others (and likely leaking thereafter) may exist regardless of a company’s action on this crucial decision point. When these matters do leak and companies are underprepared to respond, they can quickly become full-blown crises.
In investigations, while a company is working with its counsel to understand the nature and severity of the conduct and assessing whether to cooperate with the government, it should also be crafting a communications strategy that addresses internal and external stakeholders so that it is ready to reassure stakeholders, reinforce its values, convey its commitment to good governance, and build trust.
In general, companies should prepare before crises happen by assessing their most significant risks and conducting simulations to practice and improve on how they would respond in situations like a supply chain disruption, a cyberattack or system outage, a product recall or serious senior management misconduct. In addition to identifying which internal resources will be responsible to manage a crisis, a company should know which outside experts it will call on to mobilize quickly, including counsel and communications teams. This kind of preparation can help companies prevent fast-moving issues from becoming crises by positioning them to make sound decisions swiftly with clear and consistent messaging.
Crisis communications plans that contemplate investigations and other potentially damaging scenarios should: (1) determine internal and external teams responsible for managing the crisis; (2) identify key stakeholders who may need to be informed about the investigation, like employees, customers, partners, and investors; (3) contain clear and concise core messaging, understanding that many details of a given investigation cannot be disclosed, but that nevertheless explain the nature of the investigation, the company’s commitment to cooperation, accountability and ethics, and the steps being taken to remedy any issues; (4) contain talking points and anticipate difficult questions; (5) identify the right spokesperson(s) so that they can respond to media inquiries and correct inaccuracies or misleading information in media reporting as needed; (6) build in protocols for the regular assessment of the effectiveness of the plan both as a matter of course and following a crisis (e.g., tracking media coverage, social media sentiment, and stakeholder feedback, etc.); (7) ensure some measure of flexibility on strategy and messaging to ensure it resonates with key audiences and captures the most relevant information; and, (8) lays out potential tactics for reputation rehabilitation strategies in the aftermath of a crisis.
Conclusion
There are considerable risks to company investigations becoming public. Engaging experienced legal counsel and communications professionals as early in the process as possible will help mitigate risk so that a company can protect and even enhance its reputation.
A company wins trust in crisis situations by communicating openly and honestly with its stakeholders. By acknowledging the impact of a crisis, reassuring constituents that it is taking the matter seriously, conveying commitment to ethics and compliance, and communicating what’s being done to ensure the crisis will not recur, a company can rebuild trust and come out from a difficult situation stronger than before.
Cari Robinson is a Senior Managing Director at August Strategic Communications, a communications and crisis advisory firm. Previously, Robinson was the General Counsel at Revlon. Prior to joining Revlon, she handled internal investigations and cybersecurity at IBM and was a federal prosecutor in the SDNY.
The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity or any statements made on this site and will not be liable any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).