Last week, we explored the significant and immediate impact of rumors, innuendo, and short sellers cloaked as “citizen journalists” on companies ranging from small private enterprises to massive publicly-traded conglomerates. If you missed Part I, check out Tweets, LinkedIn, YouTube, Reddit and the fast moving rumor. This week, in Part II, we will explore risk management steps that you can make now and at the time of the event to at least attempt to diffuse the impact.
1. Stick to the plan
1a. The crisis plan
The thing with a crisis plan is that everyone knows they need to have them, but many communications departments create them and never pull them out again, or dust them off once in a blue moon when someone asks a question about them. Your crisis plan should have an owner, a regular review process, and even a standing place on a board or appropriate committee agenda. Even more interesting, a lot of companies do not have specific scenarios in their crisis plan with strategies on how to react when information is presented in the marketplace by outsiders and third parties, or rumors are started, that may be unrelated to known internal actions or the areas that traditional crisis plans cover.
What should these crisis management plans include? Rather than spend valuable space here, I recommend checking out GetFlack by
(another great Substack publication) who offers a free outline for your crisis communication playbook (get it here). If you want even more, check out this resource from Harvard Business School.One thing I would also highlight is: Your crisis plan needs to have an embedded sense of urgency and response time expectations for certain types of “all hands on deck” messages (a lot of organizations use special crisis communication apps to separate these type of messages from general work communications) so that all participants are clear that they cannot wait until they “give the kids” a bath to respond.
“Self-inflicted reputation damage may result from inappropriate employee behavior, setting unrealistic product or customer service expectations, rogue tweets of inappropriate messages intended for internal or personal use or inability to measure up to the openness, straight talk and transparency expected by customers and prospects seeking to engage. Customers or other parties can use social media to say negative things about the company. If the company doesn’t engage or is not paying attention, it won’t be able to manage the potential fallout and necessary improvements to products, and processes may be overlooked.” (10 Ways Social Media Impacts Your Risk Profile, Corporate Compliance Insights)
1b. The “other” plan
Do you have a social media and external communications plan which sets clear expectations as to who can speak on behalf of the company and the scope of topics they can cover in normal circumstances? Similar to the approach taken in crisis plans, this plan is more about creating responsibility, authority, and accountability for the proactive efforts that your company needs. Does it include how to capitalize on your customers’, investors’, and advocates FOMO (fear of missing out) by making sure they can rely on their ongoing, transparent relationship with you. Does it have measures of what a “good” proactive campaign or messaging would look like? Build a “phone a friend” networks with publications and content providers? Does it create an understanding that keeping up with communication opportunities is a job for everyone, not just communications?
In addition, does it have a cross functional and diverse team that vets the regular, non-crisis messaging for blind spots? Don’t “Jack Dorsey” it (though Block has responded publicly, their response isn’t getting nearly as much traction as the Hindenburg report did when it was released). And certainly don’t use the Elon model of communications (I often wonder, does he even have people helping him?)
2. “What’s up” with you?
One of the most common “disconnects” I see in organizations is a lack of communications between the individuals in charge of getting messages out to the public and the parts of the organization that have a front row seat for the most potentially damaging issues.
For example:
Is a testing or quality area seeing problems with a product?
Is the legal team embroiled in a lawsuit that is sure to grow ugly?
Is the compliance team working with a regulator on a consumer report or other inquiry into the company’s practices?
Has an employee filed a claim with the Equal Employment Opportunities Commission (EEOC) or other agency that could lead to unwanted and unflattering publicity?
Do your customers represent a certain profession, discipline, or group that might be facing their own issues with damaging rumors that might spread to or impact your organization?
While these are often confidential topics with a “need to know” audience, understanding what could be out there to assist in preparing for the worst far outweighs the risk of bringing one or two more trusted advisors into the fold.
3. Monitoring
Monitoring (with a clear escalation plan for findings) needs to be both thematic and specific to your company. You aren’t just looking for @mycompany references, because once you are tagged, the clock is already ticking. In addition to monitoring social media for references to your organization, key words, trademarks, competitors, key regulators and governing committees, monitoring should also be thematic for trends and potential risks in the industry, your customer base, recalls, and other related areas that are most damaging to you.
Even if you aren’t publicly traded, monitor the short seller reports and activist hedge funds. Understand what they are focused on and what they are actively talking about because their impact often extends beyond the current “take down” target.
4. Proactively and regularly review content that you post or make available
The number one mistake companies make is not regularly “scrubbing” their external materials and publicly available information, especially cleaning up the company website. For example, if your product used to have deer meat in it, and doesn’t now, make sure that is off the website immediately after the recipe changes. Again, diligence is key. Because if there is a drama stemming from the health or safety of deer meat, you don’t want to have outdated information on your own site working against you.
And, in the case of public companies, verify your information with the proxy advisors like Institutional Shareholder Services (ISS) and Glass Lewis. These companies publish detailed reports on the information in your proxy, but they are not infallible. A few incorrect facts could lead to bigger issues down the road.
5. Give them something ELSE to talk about
Establish yourself as a source of trust with your customers and partners before you need it. Have a direct contact person who your extended market can call. Proactively provide critical information that they are most interested in. Build a spirit of advocacy among your customers and partners - determine ways and provide information to assist them in coming to your side if you need it.
Finally, use traditional public relations techniques and establish yourself as a trusted source for reliable media, build those networks in advance, and stay in touch with your contacts. Provide well crafted content that doesn’t require rewrites. Make their jobs easier. Answer questions quickly. Become one of “their” extended team. And finally, consider entering the fray proactively - if an issue affects a lot of companies, you may want to establish yourself as a spokesperson for the larger group.
6. Understand the rules that apply
6a. Public companies are governed a number of disclosure rules
Public companies must comply with a number of rules and regulations about disclosure rules1. The key test is whether “reasonable investor” would consider the information (or the omission) relevant in making an investment decision.2 3
But this doesn’t protect us all from when someone, not affiliated with the company, makes public comments that impact a share price. And sometimes it doesn’t even protect us from the impact when the person is the most prominent insider in the organization, like Elon Musk, who paid a fine to the SEC for his “taking Tesla private” tweet but ultimately was found not guilty of fraud, even though his Tweets cost investors an estimated $12 billion.
6b. But what rules govern private companies' public disclosures?
Typically, virtually nothing except the rules of common law related to torts like fraud and misrepresentation. However, the SEC “has begun work on a plan to require more private companies to routinely disclose information about their finances and operations,” and has expanded private company debt securities through expanding Rule 15c2-11. It is also considering tightening the qualifications that investors must meet to access private markets, and increasing the amount of information that some nonpublic companies must file with the agency.
7. Test and model a wide variety of scenarios
No one is immune from this risk, though many Boards and executives think that their product or service is not controversial enough to fall victim to the fast moving rumor. How can you be sure your crisis plans and monitoring covers the full gamut of what they need to?
Consider the extremes (no, not the 80s band). What does this mean? Brainstorm some absolute horror stories that could feasibly occur, and use those as a starting point for testing your crisis plan and how you would even learn of such an occurrence in the first place.
For example:
What if the “sh*t” literally hits the fan, like it did for Jack Daniels? How would you deal with the fallout of protecting your trademark and brand?
Remember, Part I: what if an “influencer” makes an informal gesture that has an immediate impact on your product?
What if your founder or an executive gets “caught on camera” in a drunken tirade against a service provider?
What if you are a college or university, and something like this happens? Or this?
What if your business uses algorithms that have the potential to be discriminatory if managed improperly? What if a disgruntled ex-employee who catches the ear of a short seller or your customers shares how they believe your technology enables discrimination? How would you address this rumor with the regulators who are going to care as well as the customers who might worry they were negatively impacted?
What if you are a nonprofit and again, a disgruntled ex-employee starts sharing their belief that embezzlement is occurring among the financial control parties?
What if you are a hospital, and a physician is accused of groping a patient and other lewd acts?
And remember this one from The Strange and Wonderful World of Intellectual Property in the Robot Age? What if you are Adidas and you lose a lawsuit over stripes? How do you pick up the pieces from suing Thom Browne and losing?
What if your CFO starts interviewing somewhere else and word gets out? And you are up for funding with some very antsy investors?
What if an executive is accused of a heinous crime, or admits to one from years earlier?
And don’t forget your monitoring. Testing the content and delivery of response is critical, but testing your “seconds count” capture and escalation approach will determine if the other story gets too much of a head start.
“Heard it from a friend who, heard it from a friend who….”
We already know that word travels faster than anyone expects. Whether you are a board member, executive, social media leader, internal auditor, or founder, you have a role to play in ensuring that your company is ready for the impact of a rumor or other social media campaign on your company. And for investors, you should be asking these questions of your targeted startups as well as verifying the existence of crisis measures with seasoned, established companies.
For public companies (and private companies that want to scale up their governance):
Have you adequately disclosed your own use of social media as a “source of distribution” of otherwise nonpublic information?
Have you created adequate disclosure control procedures, including regular review and testing?
Are your risk disclosures adequate to cover the impact to shareholder value of a tweet by a short seller or other activist?
ESG and your Crisis Plan: In all the debates about whether ESG reporting helps or harms shareholders, I think one aspect is often missing from ESG guidance relating to content. It is the information related to a company’s crisis response plan, including key specifics about how the company will handle information in the social media stratosphere that could have an impact on reputation, value, or other critical business measure, especially given how quickly things can go from great to awful, and significant company value can be lost.
For all companies (public, private, small, large):
Understand how a crisis works with your current insurance or consider purchasing crisis specific insurance. In addition, in either your crisis plan or other strategies surrounding business emergencies, include how insurance providers (including D&O) will be notified and who will will be responsible for that.
Establish “fee free” master agreements (that includes an agreed upon work order form and pricing) with critical vendors (law firms, external PR companies, etc.) so that they are ready to go when needed.
In addition, investors in private companies should be asking for crisis plans, and employees should be aware of the risk and how they can help the company save itself.
Even external parties like lenders and regulators have a role to play:
Lenders, whose job it is to ensure the likelihood of repayment, should require proof of a crisis plan and some forethought related to crisis communications before issuing a loan.
And of course, "[regulators] need to be looking for any signs of unsubstantiated rumors, panic starting to mount on social media, and they've got to do it around the clock."
And I guess we can all learn a little something about turning a negative into a positive from Gwyneth Paltrow: “Goop Interest Skyrockets Nearly 200% Following Gwyneth Paltrow Trial.”
Espresso Shots
Some other interesting reads from the past week, and related to the topic at hand.
For more on Gwyneth, check out: Gwyneth Paltrow’s Trial Is Her Best Role In Years
Blue Checks: According to Twitter, starting on April 1st it would begin removing blue checkmarks from accounts that have not paid for the service. But until those marks start getting consistently removed, we will have to wait and see how “unverified” paid checkmarks further create misinformation.
Yikes: For a fascinating read about citizen sleuths and the terrifying impact of internet “investigators” on actual investigations, read Echoes in the Dark, Vanity Fair April 2023:
“After graduating from the police academy, a grueling process that involves physically demanding drills and literal obstacle courses, an aspiring homicide detective undergoes years of training…[but] considering oneself more capable of solving a quadruple homicide - from afar, using only a computer - speaks a larger delusion that online we do anything: get rich, become famous, lead revolutions, diagnose ourselves with rare diseases, and solve mysteries.”
Section 10(b) (yes, that 10-b, the one that also governs trading plans for executives and directors that will likely be the subject of many upcoming SVB discussions which amendments from the SEC may not have arrived quite fast enough) applies to all corporate communications, can create both civil and criminal liability, requires all information disclosed by a company insider to be accurate in all material respects and complete in its presentation (meaning no material omissions).
Public companies are also required to have disclosure controls and procedures designed to ensure that these two key rules are adequately addressed and the company has procedures in place to ensure compliance.
In addition, Regulation FD prohibits companies and insiders from “selectively disclosing” material, non-public information to certain investors or investment professionals without making the same disclosure “publicly” at the same time.