Step 2: Assess risks and prepare response plans
Once the RDM team and communication strategies are in place, it is critical to start assessing the risks and potential liabilities that have already materialised and come up with a plan on how to best respond to them. At the same time, it is important to identify potential issues and set up a monitoring and escalation system for rapid action and response, if risks and potential liabilities materialise from those issues.
Dealing with performance/legal risks
When dealing with performance/legal risks, such as failure to deliver/supply, termination of contracts for goods or services (including labour), and inability to pay, it is necessary to:
Understand contractual rights and obligations, including:
- The governing law and dispute resolution mechanism.
- Whether there are defences that apply that allow for non-performance, suspension and/or deferment of performance (e.g. force majeure clauses, material adverse change clauses or frustration) or exclude and/or limit liability (e.g. exclusion, limitation or liquidated damages clauses).
- Whether there are other contractual provisions that may provide relief (e.g. indemnities, guarantees, performance bonds, insurance).
Understand the implications on your business/operations:
- What are the consequences of non-performance and/or termination on the contract in question and/or other related contracts (e.g. downstream contracts, financial agreements, investment agreements).
- Do you have a backup plan – is another counterparty able to step in at short notice, and has the other counterparty been vetted for legal/compliance risks?
For those facing difficulties and/or an ability to perform, consider:
- Whether the difficulties and/or inability to perform are caused by the outbreak of COVID-19 and/or the measures to contain it, and document evidence of the difficulties and/or inability to perform.
- Whether there are any steps that can be taken to perform the contract and/or mitigate loss, and if so, take those steps and document evidence of the steps taken.
- Where performance is not possible, document evidence of the inability.
- Strengths and weaknesses of your case, options/alternatives etc., and prepare to communicate in a timely manner with counterparties to notify that there are difficulties and/or inability to perform, to negotiate a resolution, and if unsuccessful, to prepare for proceedings.
We would recommend using a checklist of key matters that need to be established and/or done and running through them. This would help ensure that issues are assessed consistently and methodically. It also gives you a list of action items to attend to in preparing to communicate and negotiate with your counterparties and/or prepare for proceedings.
Dealing with regulatory/compliance risks
Apart from legal and performance issues and risks, there could also be regulatory/compliance issues and risks that may arise due to the COVID-19 disruptions and the focus on health/welfare and/or business continuity issues.
One such key risk is data protection risks due to the need to monitor employees’ personal and health data, the increased use of the internet for financial and other transactions, and the increased adoption of flexible working arrangements. Care needs to be taken to ensure that the following data is appropriately and carefully collected, stored and used:
Personal data, health data and health history of employees
Company’s sensitive and confidential information
Customers’ personal and confidential data
There are also other regulatory and compliance risks that may arise due to:
Lack of attention/supervision due to business continuity stresses and flexible working arrangements:
- Missing regulatory filings
- Non-timely or inaccurate disclosures of price sensitive information
- Insider dealing
- Cybersecurity incidents
Pressure of ensuring business continuity:
- Making improper payments to secure scarce raw materials/parts and/or their transportation
- Working in new jurisdictions and/or new counterparties without completing proper due diligence and onboarding requirements
Economic hardship driving employees to engage in bribery and/or fraud
Criminals exploiting the chaos:
- Using cyber tactics to infiltrate networks to steal data, demand ransom, commit fraud
- Laundering funds by asking for payments to be made to new bank accounts or third parties
We would also recommend using checklists to keep track of these matters and the issues that need to be monitored and addressed to mitigate such risks.
Key step 3: Implement response plans and report
Once the materialised risks and potential liabilities have been assessed, it is important to promptly decide on and implement key intervention actions, mitigation and contingency plans for responding to these risks and potential liabilities. These actions should include the following:
Preparing countermeasures bearing in mind the key issues that need to be addressed:
- Your position – are you a defaulting party or a non-defaulting party
- Both parties’ rights and obligations
- The reasons for non-performance/delay in performance
- Potential defences
- The consequences of failure/delay in performance
- Options/alternatives available (e.g. insurance, government assistance, alternative customers, suppliers and logistics providers)
- Steps that can be taken to mitigate loss
- Evidence that needs to be collected to support your position and the steps taken.
Determining whether disclosure/notice needs to be made/given under contracts, law and/or regulations.
Taking appropriate steps to:
- Make disclosures/give prompt notice
- Explore options/alternatives, including ways of performance, mitigation, relief
- Conduct appropriate compliance checks and requirements when looking for and engaging alternative buyers, suppliers and transportation options
- Mitigate and reduce losses.
Documenting steps taken, losses suffered and mitigated.
Preserving and collecting all relevant information, including reasons for failure/delay in performance, options/alternative ways to perform considered and mitigation steps taken, taking into account laws and regulations governing disclosure, transfer of sensitive/personal data and data localisation laws, particularly if cross border transfers are envisaged.
- Prepare communication for relevant stakeholders
- Report to board and obtain approval for response plan.
Key step 4: Explore solutions and communicate with counterparties
Once countermeasures have been prepared, it is critical to communicate with your counterparties to explore options/solutions in a timely way. Some key points to bear in mind follow:
Be well prepared, taking into account:
- Interests, positions, needs and values of each party
- Strengths and weaknesses of each party
- Knock on effect on other relationships/obligations
- Alternatives in the market
- Costs associated with change
- Compromises that can be made
- Best alternative to a negotiated agreement i.e. proceedings, taking into account what can be achieved, how long it is likely to take, potential costs involved, and its implications for your relationship with your counterparty.
When communicating, be upfront about ability/inability to perform and impacts/consequences:
- Explore options
- Stay alert and note strengths and weaknesses discussed in case proceedings become necessary.
If no settlement is achieved but further negotiations are warranted, regroup and try again. Otherwise, start preparing for proceedings.
Key step 5: Plan for the future
An important part of RDM is to make use of all that has been learnt about your ability to deal with a crisis like COVID-19, including the strengths and weakness of your operations, contractual arrangements, compliance framework and internal controls. Bearing these factors in mind, consider the improvements that can and should be made to ensure better business resilience and continuity for the future.
Some of the key steps we would recommend considering are:
Reviewing and renewing business continuity plan, considering workforce related issues, including health and safety obligations, IT security, supply chain, and crisis management response.
Diversifying supply chain:
- Best not to work with and depend on only one supplier or suppliers in one country
- Make sure that proper risk based due diligence and compliance checks that satisfy legal, regulatory and compliance requirements are conducted.
Reviewing and enhancing internal controls and compliance requirements, addressing any internal control and/or compliance shortfalls.
Reviewing and revising upstream and downstream contracts, for example considering including force majeure and exclusion clauses, and making sure epidemics are included as a force majeure event.
Reviewing insurance policies to ensure appropriate coverage, e.g. consider if policies include business interruption and event cancellation, and whether it allows appropriate extensions.
With the advancement of technology, these processes need not be too cumbersome or costly, particularly when recourse can be had to artificial intelligence and/or legal managed services.