As a director who has often come in after a major corporate crisis to clean up and reinvigorate the board. I share a few thoughts. After a crises boards realize they need to embrace change to mitigate further corporate vulnerability. I think it’s time for us to go “back to basics” and learn from the Southwest catastrophe and visit our crises management approach.
There are many flavors of a corporate catastrophe. For example, I am sure we will all remember examples of corporate fraud and corporate mismanagement from WorldCom and Enron. There was also the memorable HealthSouth catastrophe where 5 CFO’s in a row had cooked the books. HealthSouth was raided by the DOJ and FBI, and trading on the NYSE had been suspended.
When I initially joined HealthSouth it’s because the Delaware Court of Chancery had rejected their internal investigation as being tainted and biased. I was to chair a special committee to investigate the allegation that CEO Richard Scrushy had violated insider trading rules by front running the market on imminent Medicare reimbursement changes. This situation wasn’t one of anticipating crises and putting in controls to mitigate. This was rather with a house on fire. As soon as I joined the board, a couple of days later trading had been suspended on the NYSE and the company teetered into the zone of insolvency.
My key learnings on the HealthSouth crisis was a level of urgent catastrophe we weren’t sure if you could pay your employees and take care of your customers (who in this case were medical patients), you must convene the board and work through only one major crisis. Get to alignment and make a decision on each key issue one day at a time. For example, the first decision was identifying interim financing. The next day the key decision was identifying a restructuring firm. Third day was deciding which employees were under suspicion and isolating / ring fencing them, etc.
HealthSouth Key Takeaways:
-
- As a board facing crises you must convene, discuss, debate, align, and decide.
-
- Make one big decision each day. Stay focused.
-
- Keep meeting each subsequent day until each existential threat is decided; don’t be paralyzed.
-
- Don’t try to do it all at once; pick one key topic, get to a decision on one topic at a time.
Another type of crisis that I’ve experienced is improper conduct allegations when I joined the board of Wynn Resorts and Casinos following Mr. Steve Wynns’ departure. This was a situation of rebuilding a new board and creating a culture of engagement / transparency. The board along with management updated and implemented robust ESG policies to support our culture of investing and caring for our most asset: our employees.
Wynn Key Takeaways:
-
- Be open and face the big uncomfortable issues.
-
- Employees are always your most valuable asset, take care of them.
-
- Sometimes an overhaul of culture is needed.
-
- Enact policies that train, measure and build transparency and engagement.
Recall the Equifax breach of 2017. As a result, Equifax incurred over $87M in expenses related to the breach. It involved the theft of information of over 140M Americans.
For many boards, Equifax triggered a reactive review of their own cyber oversight and data management knowledge and compliance.
However, cybersecurity is not the only technological risk corporations must account for. As a board member ask and see what your company’s technical debt is. A glitch in the underlying / potentially antiquated infrastructure can have a cascading effect.
When we turn to the Southwest situation there are many lessons for us all on how to put in place robust plans to anticipate, assess, understand, and act on Enterprise Risk Management to avert a crisis. I want to share some recent learnings.
I have the privileged of being part of a group of public company women directors convened by Nancy Albertini of Kingsley Gate to talk about issues topical to the board. The most recent conversation was specifically about Southwest airlines.
Boards understand one of their key responsibilities is oversight of Enterprise Risk Management and ensuring that the company has plans to mitigate the highest priority potential crises or catastrophic issues.
Many companies have gotten narrow in how they are focusing on Enterprise Risk with the new requirements coming out of the SEC, cyber regulations, ESG compliance. Some of the core practices of foundational enterprise risk oversight deserve our reprioritization.
A quick forensic on Southwest catastrophe shows us some interesting takeaways:
-
- Southwest board had an early red flag in October of ‘21 when they had a technology crises / issue that cost the company 75M. The recent outage in December is reputed to cost the company 850M.
-
- We can all be smart looking back but it is interesting to note that reportedly their CIO has been at the company 18 years. Colleagues on my call pointed out that we all value longevity and perspective, but typically in a tech environment longevity is not always a good thing. One would typically want to see a broader, more varied / current set of experiences than 18 years at one company.
-
- Southwest was known to have technical debt given their tech issues in 2021. I would say technical debt is one of the biggest risks companies face. As part of assessing your technical debt compare yourself against who are the leaders and innovators in your industry. Assess how much are they spending in tech vs what are you spending. What is the commitment from management to invest in closing the technical debt gap? What does “best in class” look like? Does leadership think they need to be best in class? If so, what is the plan to get there?
-
- An example of the cascading effect technical debt can bring is exemplified by the FAA (largest transportation agency of the US Government) grounding all flights on January 11th, 2023 due to a technical glitch. They have reported it was caused by “a damaged database file”. This has resulted in a huge mess of cancelled flights / delays. This travel chaos has once again highlighted how outdated tech can result in catastrophe. The FAA system that went down is called NOTAM. It was created over 75 years ago.
-
- When assessing Enterprise Risk Management consider creating a matrix. Categorize the risk based on impact to the company and probability of it happening. Hone in on those that would have the greatest impact on the company. As a board member the next step is to ask for a mitigation plan. Ask yourself how you will oversee these risks? Is it a quarterly update/deep dive on each risk to see if management is making progress?
-
- As we think of a top 5 risk, no matter your industry or business, it’s likely that technology is part of your vulnerability and opportunity. There are three major parts of technology to really assess and consider.
-
- The foundational system of records that operates your business / back-office systems i.e. (SAP, Salesforce ServiceNow, etc.). This is what we would consider to be needed for “business as usual” (BAU).
- There are the systems that are the front office where there has been a huge investment in digital transformation. This is the customer experience. The user interface which is what we think of as “running the business” (RTB).
- Then there is the future of how you innovate / stay vibrant. This is what “changes the business” (CTB).
-
- Cyber is frequently part of the back office / business as usual systems. Understand the current level of your tech leadership / tech team as part of your risk assessment. Typically, as part of your comp or governance committee you review the senior leadership team. Do a skills assessment and gap analysis for development (9 box). Perhaps it merits going deeper on the tech area to understand if your leadership current. Also, how strong / current is the rest of the tech organization? It’s an interesting fact that 50% of everything your software developers / product team know becomes obsolete every 2 years… How are you developing and forward building the talent within that team?
-
- Once you have identified your top risks, I urge you to schedule a crises tabletop exercise event. You will likely be surprised when you go through this. There will be many gaps. In my recent experience walking through the crisis management: we did not have all the right names and contact info. Our emergency IR PR firm wasn’t in place. Our CEO actually wasn’t social media and TV ready. Once you peel back to the foundational assessment, you will uncover items that lead to key business decisions of where the company should invest its capital allocation to mitigate the risks.
-
- This leads us to how we rethink our committees going forward. I would posit that the time has come when technology must be on a committee. It’s too critical and foundational to almost every business. It’s critical to have an understanding on the board about the importance of the foundational back-office systems that ensure continuity of operation. Boards should also understand the front office systems that touch your customers. Frictionless UX UI is critical to any business staying competitive. An example of learning that came out of Southwest debacle was that their employee facing systems processes procedures and systems were very antiquated. This resulted in stranded flight personnel around the country who were timing out because they couldn’t get through the phone system to get new assignments. Without a good employee facing system, it’s hard to have a good customer facing system.
As you look at your board schedule for the coming year ahead here are some suggestions:
-
- Review your Enterprise Risk Management processes and how you assess the most important risks.
-
- Identify the top 3-5 risks.
-
- Then ask management to present plans to mitigate them.
-
- Look at scheduling an annual crises tabletop exercise.
-
- Look at the breadth of your committee remit and see if adding technology (and perhaps ESG) which are more forward-looking critical themes for your business vitality make sense.
I am sure we all were jolted by the operational cascading catastrophe that Southwest customers / employees faced. Thanks to all my smart and deeply insightful colleagues who shared so many good ideas. I am hopeful many of you readers will find these suggestions valuable
- PRINT: