COVID-19: Five key steps to proactively manage risks and disputes
9 April 2020 | Kareena Teh, Philip Kwok, Catherine Wong
The outbreak of COVID-19 has struck communities across the globe, catching governments and businesses off-guard. The short-term impact has been catastrophic, with organizations facing multiple challenges, including the health and wellbeing of employees, downturn in demand for discretionary goods and services, disruptions in the supply chain, defaults/breaches of legal obligations, working capital shortages, as well as cybersecurity and other regulatory/compliance issues. Many companies have put together crisis teams to respond to disruptions. Due to the types of challenges faced, and their short and potential long-term impact on businesses and operations, any crisis response plan must necessarily include proactively assessing legal risks and liabilities, responding efficiently to mitigate and head them off, and making improvements for the future.
In this article, we set out our recommended approach that involves five key steps for risk and dispute management (RDM), namely:
Setting up response and communications strategies
Assessing risks and preparing response plans
Implementing response plans and reporting
Exploring solutions and communicating with counterparties
Planning for the future
Step 1: Set up response and communications strategies
As a first step, we recommend setting up a dedicated RDM team to:
Undertake risk assessment and scenario planning to consider the risks and potential liabilities that are already evident to business and their operations, their short-term and medium-term impact on business and operations and identify key intervention actions.
Set up a situation monitoring and analysis capability across different functional areas and jurisdictions (where appropriate) to monitor and analyse the risks and potential liabilities identified and escalate them for rapid action and response.
Implement the response plan.
Propose and implement improvements to ensure better business resilience and continuity for the future.
The RDM team should preferably be led by a board member who reports to the board or a committee of the board, and include persons with appropriate seniority, authority and knowledge of the company’s business and operations to ensure the timely and proper discharge of its responsibilities, including rapidly responding to mitigate and resolve any risks and potential liabilities. The RDM should also be multidisciplinary, with personnel from different functional areas and jurisdictions (where applicable), to ensure a thorough consideration of all aspects of the business or operations. Each member should have clearly defined roles and responsibilities having regard to their areas of expertise and experience. Depending on the breadth and size of the business or operations, a core team comprising the board representative, legal, regulatory/compliance, finance operations, human resources, and communications, can be set up, with other members joining to cover specific risks within their area of responsibilities. External professionals could be included as required.
There should also be communications strategies and protocols for communications amongst RDM team members, with personnel whom they need to work with to gather information etc., with the board who they report to and with stakeholders they communicate with.
The overarching objectives of the strategies are to protect brand reputation, sustain stakeholder relationships, enlist support, business continuity and prepare for proceedings (if they are unavoidable). The strategies should therefore have those objectives in mind while facilitating:
The collection of relevant information for RDM from internal and external sources.
The identification, assessment and response to risk and potential liabilities.
Timely, consistent and concise reporting to the board and communications with stakeholders.
Given the different objectives and purposes of the communications, it is important that the strategies differentiate between external and internal communications and have specific plans for different classes of stakeholders, taking into account their different interests and needs.
Additionally, due to the sensitivity of the matters considered by the RDM team and the possibility of ensuing proceedings, it is important to have protocols in place that protect the confidential and sensitive information being collected and assessed, and the client/lawyer confidential communications and work product prepared, for obtaining and providing legal advice and preparing for proceedings. The protocols should:
Nominate a designated person reporting to the board, with others from the RDM team reporting only as and when necessary on their relevant areas of expertise.
Limit discussion with persons outside the RDM team of issues, risks, potential liabilities and plans (other than what is necessary for gathering information or implementing response plan and providing approved updates to stakeholders).
Limit circulation and sharing with persons outside the RDM team of communications and/or work product (e.g. analysis of risks, potential breaches and disputes, alternatives and options, mitigation and remediation plans, pre-action and negotiations strategies and issues arising).
Step 2: Assess risks and prepare response plans
Once the RDM team and communication strategies are in place, it is critical to start assessing the risks and potential liabilities that have already materialised and come up with a plan on how to best respond to them. At the same time, it is important to identify potential issues and set up a monitoring and escalation system for rapid action and response, if risks and potential liabilities materialise from those issues.
Dealing with performance/legal risks
When dealing with performance/legal risks, such as failure to deliver/supply, termination of contracts for goods or services (including labour), and inability to pay, it is necessary to:
Understand contractual rights and obligations, including:
- The governing law and dispute resolution mechanism.
- Whether there are defences that apply that allow for non-performance, suspension and/or deferment of performance (e.g. force majeure clauses, material adverse change clauses or frustration) or exclude and/or limit liability (e.g. exclusion, limitation or liquidated damages clauses).
- Whether there are other contractual provisions that may provide relief (e.g. indemnities, guarantees, performance bonds, insurance).
Understand the implications on your business/operations:
- What are the consequences of non-performance and/or termination on the contract in question and/or other related contracts (e.g. downstream contracts, financial agreements, investment agreements).
- Do you have a backup plan – is another counterparty able to step in at short notice, and has the other counterparty been vetted for legal/compliance risks?
For those facing difficulties and/or an ability to perform, consider:
- Whether the difficulties and/or inability to perform are caused by the outbreak of COVID-19 and/or the measures to contain it, and document evidence of the difficulties and/or inability to perform.
- Whether there are any steps that can be taken to perform the contract and/or mitigate loss, and if so, take those steps and document evidence of the steps taken.
- Where performance is not possible, document evidence of the inability.
- Strengths and weaknesses of your case, options/alternatives etc., and prepare to communicate in a timely manner with counterparties to notify that there are difficulties and/or inability to perform, to negotiate a resolution, and if unsuccessful, to prepare for proceedings.
We would recommend using a checklist of key matters that need to be established and/or done and running through them. This would help ensure that issues are assessed consistently and methodically. It also gives you a list of action items to attend to in preparing to communicate and negotiate with your counterparties and/or prepare for proceedings.
Dealing with regulatory/compliance risks
Apart from legal and performance issues and risks, there could also be regulatory/compliance issues and risks that may arise due to the COVID-19 disruptions and the focus on health/welfare and/or business continuity issues.
One such key risk is data protection risks due to the need to monitor employees’ personal and health data, the increased use of the internet for financial and other transactions, and the increased adoption of flexible working arrangements. Care needs to be taken to ensure that the following data is appropriately and carefully collected, stored and used:
Personal data, health data and health history of employees
Company’s sensitive and confidential information
Customers’ personal and confidential data
There are also other regulatory and compliance risks that may arise due to:
Lack of attention/supervision due to business continuity stresses and flexible working arrangements:
- Missing regulatory filings
- Non-timely or inaccurate disclosures of price sensitive information
- Insider dealing
- Cybersecurity incidents
Pressure of ensuring business continuity:
- Making improper payments to secure scarce raw materials/parts and/or their transportation
- Working in new jurisdictions and/or new counterparties without completing proper due diligence and onboarding requirements
Economic hardship driving employees to engage in bribery and/or fraud
Criminals exploiting the chaos:
- Using cyber tactics to infiltrate networks to steal data, demand ransom, commit fraud
- Laundering funds by asking for payments to be made to new bank accounts or third parties
We would also recommend using checklists to keep track of these matters and the issues that need to be monitored and addressed to mitigate such risks.
Key step 3: Implement response plans and report
Once the materialised risks and potential liabilities have been assessed, it is important to promptly decide on and implement key intervention actions, mitigation and contingency plans for responding to these risks and potential liabilities. These actions should include the following:
Preparing countermeasures bearing in mind the key issues that need to be addressed:
- Your position – are you a defaulting party or a non-defaulting party
- Both parties’ rights and obligations
- The reasons for non-performance/delay in performance
- Potential defences
- The consequences of failure/delay in performance
- Options/alternatives available (e.g. insurance, government assistance, alternative customers, suppliers and logistics providers)
- Steps that can be taken to mitigate loss
- Evidence that needs to be collected to support your position and the steps taken.
Determining whether disclosure/notice needs to be made/given under contracts, law and/or regulations.
Taking appropriate steps to:
- Make disclosures/give prompt notice
- Explore options/alternatives, including ways of performance, mitigation, relief
- Conduct appropriate compliance checks and requirements when looking for and engaging alternative buyers, suppliers and transportation options
- Mitigate and reduce losses.
Documenting steps taken, losses suffered and mitigated.
Preserving and collecting all relevant information, including reasons for failure/delay in performance, options/alternative ways to perform considered and mitigation steps taken, taking into account laws and regulations governing disclosure, transfer of sensitive/personal data and data localisation laws, particularly if cross border transfers are envisaged.
- Prepare communication for relevant stakeholders
- Report to board and obtain approval for response plan.
Key step 4: Explore solutions and communicate with counterparties
Once countermeasures have been prepared, it is critical to communicate with your counterparties to explore options/solutions in a timely way. Some key points to bear in mind follow:
Be well prepared, taking into account:
- Interests, positions, needs and values of each party
- Strengths and weaknesses of each party
- Knock on effect on other relationships/obligations
- Alternatives in the market
- Costs associated with change
- Compromises that can be made
- Best alternative to a negotiated agreement i.e. proceedings, taking into account what can be achieved, how long it is likely to take, potential costs involved, and its implications for your relationship with your counterparty.
When communicating, be upfront about ability/inability to perform and impacts/consequences:
- Explore options
- Stay alert and note strengths and weaknesses discussed in case proceedings become necessary.
If no settlement is achieved but further negotiations are warranted, regroup and try again. Otherwise, start preparing for proceedings.
Key step 5: Plan for the future
An important part of RDM is to make use of all that has been learnt about your ability to deal with a crisis like COVID-19, including the strengths and weakness of your operations, contractual arrangements, compliance framework and internal controls. Bearing these factors in mind, consider the improvements that can and should be made to ensure better business resilience and continuity for the future.
Some of the key steps we would recommend considering are:
Reviewing and renewing business continuity plan, considering workforce related issues, including health and safety obligations, IT security, supply chain, and crisis management response.
Diversifying supply chain:
- Best not to work with and depend on only one supplier or suppliers in one country
- Make sure that proper risk based due diligence and compliance checks that satisfy legal, regulatory and compliance requirements are conducted.
Reviewing and enhancing internal controls and compliance requirements, addressing any internal control and/or compliance shortfalls.
Reviewing and revising upstream and downstream contracts, for example considering including force majeure and exclusion clauses, and making sure epidemics are included as a force majeure event.
Reviewing insurance policies to ensure appropriate coverage, e.g. consider if policies include business interruption and event cancellation, and whether it allows appropriate extensions.
With the advancement of technology, these processes need not be too cumbersome or costly, particularly when recourse can be had to artificial intelligence and/or legal managed services.