Knowledge Hub

Risk Crisis management

Managing in a crisis: a guide

What's the best way to prepare for and manage a crisis? Philip Kirkpatrick, Deputy Managing Partner at Bates Wells, shares some quick pointers and a handy checklist.

 

Even if your governance, policies and procedures are gold standard, there are no guarantees that your charity won’t ever face a crisis. As we have seen with the impact of the Covid-19 pandemic, not all crises can be foreseen.

There’s a huge range of issues that might prompt a crisis – examples include finance, safeguarding, racial equity and other EDI (equity, diversity and inclusion)-related issues, criminal activity, data breaches, reputation, governance, employment and allegations of a broken or toxic culture – to name but a few.

How you respond will of course vary significantly depending on the nature of the crisis. We outline on the following pages some of the main issues that you might need to consider when a crisis hits. They won’t all be relevant – and some of them may seem obvious – but in our experience having a checklist to hand can help you to focus more clearly on what needs to be done at the time.

To decide what you need to do in the interests of your charity, you need to:

• Find out the truth, as best you can
• Be open and honest and own up to any failings of the charity
• Be fair and inclusive, while recognising some people may be hurt and you are unlikely to be able to please everyone
• Be proportionate. And be aware that criticism frequently isn’t
• Be willing to take responsibility
• Be mindful of your employment law duties
• Be mindful of your data privacy duties
• Be careful of defamatory statements
• Balance the short-term and long-term risks of your decisions

 

Crisis checklist

Act quickly

You may need to act quickly to bring any immediate risk under control. This might involve contacting emergency services, suspending staff under suspicion (on a carefully considered basis – ideally after obtaining legal advice – rather than as a
‘knee-jerk’ reaction), temporarily ceasing an activity or getting appropriate emergency specialist help. If you are facing a cyber attack, for example, a first step will be to change all your passwords.

Notify regulators and stakeholders

Make necessary notifications to relevant authorities, regulators, commissioners and funders so that they know what has
happened and can initiate their own procedures and maintain appropriate oversight. Do not wait until you have concluded your own investigation.

Charities will need to consider whether they need to make a serious incident report to the Charity Commission. This is important: the commission expects serious incidents to be reported promptly, in line with its serious incident reporting guidance. It considers that failings in incident reporting may be evidence of mismanagement by the trustees.

We find that it’s helpful for charities to have a system in place to identify serious incidents promptly and escalate them. Trying to establish reporting mechanisms after an incident has occurred is often too late. We recommend putting in place – and implementing – a serious incident reporting policy. This can also be helpful in demonstrating general good practice if the trustees are challenged.


Insurance

Do you need to notify your insurers? Coverage may be lost unless notifications are made in accordance with the terms
of your policy. You may also need to clear your communications and methods of investigation in relation to the incident with the insurers, especially anything that might be perceived as an admission of fault. An early approach and regular dialogue is vital.

Check the scope of your cover. Does it cover liability arising from the incident during the insured period, or claims made during that time? What about communications advice and legal advice and representation? Does it cover advice for individual trustees and other officers, including employees, if that is needed?


Investigation

You will clearly need to conduct a thorough internal investigation, but the timing is crucial. You may need to agree with relevant authorities (such as the police or local authority) that you can investigate without prejudicing the exercise of their public functions.

It may be wise or necessary to bring in an experienced external independent investigator. Doing so shows how seriously you are taking the issue and it can help you to avoid rushing to make immediate responses that would not be in the charity’s interests. Be aware that you will typically be expected to publish outcomes. And be very clear about the cost and terms of reference, as well as the scope and timescales of any investigation.

Where necessary, take evidence from staff and other potential witnesses as soon as possible. Make sure that any interview notes are agreed with the interviewees. Do not offer to treat these notes as confidential – a regulator or public body may be able to force you to disclose them; you may be required to disclose them as part of a Data Subject Access Request; or you may wish to disclose them yourself on reputational grounds, or use them as part of your own internal disciplinary proceedings.


Governance

It goes without saying that you need to ensure appropriate board involvement. Some responsibilities may be delegated, but this should be in accordance with an agreed framework: make sure that your delegation and reporting mechanisms are fit for purpose. Some decisions must rest with the trustees: ultimate responsibility for serious incident reporting, for instance, rests with the board.


Take advice

It is notoriously (and understandably) difficult for people caught up in a crisis to be completely clear-eyed about it. An uninvolved, impartial adviser can help you see the real extent and significance of the events, the options available and the likely consequences of different actions, inactions and statements. Taking relevant professional advice can in some circumstances also shield the trustees from personal liability.

If your crisis relates to reputational damage arising from a racial inequality or other EDI (equity, diversity and inclusion)-related issue, consider taking advice from an EDI specialist consultant or adviser. They can add a much-needed fresh perspective, and can help you to navigate through and seek to balance the different perceptions and stances of your various stakeholder groups, as well as those marginalised communities who may feel directly or indirectly impacted by the crisis.


Dealing with your stakeholders

Develop an appropriate stakeholder management plan, including how any internal, service user, beneficiary, public and/or press enquiries will be dealt with. As part of this process, consider how the crisis – both the underlying event and your response to it – might affect different groups of beneficiaries, staff and other stakeholders, and how you can mitigate adverse effects.

Although it will be important to prioritise, organisations should take into account how the wider consequences or perceptions of a particular situation might impact marginalised or underrepresented groups – especially at a time when stakeholders may feel particularly vulnerable – and aim to involve such groups within the decision-making process for the crisis, where you can.


Communications strategy

There may be a period when one allegation quickly follows another and you may be tempted to jump to respond. Understandably, failing to respond allows the story to develop and the more that is published without response or denial, the more may be believed. But take your time: don’t rush into communications (especially public communications) that may not be well thought through.

Consider how your communications may affect others. As part of this, you will need to be attuned to the potential for conflict and competing rights between your different stakeholder groups, particularly for a crisis that touches on ‘culture wars’. Any reaction that is made without proper consideration of all sides of a story – or is not presented in a fair and balanced way – could result in back-tracking and risks negative public attention.

On a similar theme, when communicating your message, don’t just focus on those with the loudest voices. Resist the pressure to give rushed and placating reactions without thinking through how your responses could impact your stakeholders as a whole. One of the dangers of reacting in a way that primarily seeks to placate the most demanding, is that your organisation could respond in a way that actually alienates your other stakeholders, leading to a situation where the crisis could potentially be worsened – with bridges being burned and relationships with and between stakeholders being damaged.

You should aim to think clearly about what your charity is actually seeking to achieve, and to message this in a way that is persuasive and is able to ‘build bridges’, where possible, of understanding and connection with and between your stakeholder groups.

For all communications, ensure that confidentiality is appropriately maintained, that you comply with data protection
principles and, where relevant, be conscious of the rules on defamation.


Co-operate with your regulators

Co-operate with regulators and public bodies where they are exercising their functions appropriately. Do not, unless mission critical or required by insurers, wait for them to use any coercive powers. Early and full co-operation can go a long way in heading off later criticism or sanctions. Do let your regulators know early if deadlines cannot be met.

Unless it is, again, mission critical or you are required to do so by insurers, do not try to defend the truly indefensible. This is likely to undermine confidence in you as a suitable organisation to be carrying out a regulated activity and to attract criticism and possibly harsher sanctions – particularly where the regulator is acting fairly and in accordance with its functions in seeking information or assurances and/or there is clear evidence that the incident occurred and could and should have been avoided.

However, where you believe the regulator is not acting appropriately, you may want to seek advice on the extent to which and the way in which you respond.


Record keeping

Ensure that all of your paperwork and records are retained, in order, organised and accessible, especially if your regulator(s) are involved or likely to become so.

This may include policies and procedures, risk assessments, case notes, staff recruitment/supervision information, staff training records, incident logs, CCTV or equipment recordings and any other material that is relevant to the issues at hand, such as records of key decisions (including minutes of trustees’ meetings).

Ensure that all relevant information and material is kept securely and not deleted or destroyed even if in accordance with your usual data retention policies. It may be required by authorities or in the event of any litigation.

You should take care to share information carefully and in accordance with GDPR and data privacy principles, using appropriate safeguards where necessary. If in real doubt as to your ability to share material with a regulator or public body, ask them to require you to do so as this is likely to ensure a lawful basis under data protection principles.


Lessons learned

You should clearly focus on lessons learned. It is the right thing to do, and regulators will want to know that you are thinking about it. At an appropriate point, carry out an internal or – if warranted – external review of how the incident arose and how it was handled, setting out lessons learned and an action plan to optimise your policies and procedures going forward. Ensure that any actions are taken and completed in a timely manner, and set periodic review period(s) to follow up on these.

Looking to the future, consider whether your long-term response to the crisis could offer a renewed opportunity for your organisation to embed EDI (equity, diversity and inclusion) principles more deeply in how you operate. This may, for example, involve taking steps to ensure that your governance and decision-making engages and reflects views from a variety of backgrounds, skills and viewpoints.

It could mean confronting any existing (albeit potentially inadvertent) power imbalances – for example, between your charity and beneficiaries from underrepresented groups, or within different levels in your own organisation – so that you are able to nurture a more inclusive culture and deliver your charitable objects more effectively.


And remember...

Crises do pass. They can be survived and indeed your organisation can grow and strengthen as a result.

 

This guide to crisis management was first published in Bates Well's publication Managing in a crisis: a guide for charities, November 2021, and has been reproduced here by kind permission of Bates Wells.

 

« Back to the Knowledge Hub