Crisis Management & Risk and Liability Mitigation – Resolution of Corporate Disputes, Non-Compliances & Remedies Important Questions

Question 1.
POB Limited wants to design and implement an effective Enterprise Risk Management (ERM) system. Evaluate the challenges likely to be faced by the Company during implementation of ERM system.
Answer:
Risk management, also known as Enterprise Risk Management (‘ERM’), is a systematic and holistic approach for firms to address all their risks, whether operational, strategic or financial, comprehensively. ERM focuses on identifying risks, developing and monitoring a risk management system and reacting to risk events when they occur.

POB Limited may face the following challenges in designing and implementing an effective ERM system:
1. Effectively linking risk and strategy: Integrating risk management into the overall corporate strategy is a challenge for many Indian firms. The challenge is to have an ERM system that encompasses a process capable of being applied in strategy setting across the enterprise.

2. Implementing cost-effective risk management for small and medium-sized enterprises: While the costs of risk management failures can be high, designing and implementing efficient ERM can also be quite costly, especially for small and medium-sized firms.

3. Addressing all major areas of risk: ERM requires a firm to take a portfolio view of risk; boards must consider how various risks inter-relate, rather than treating each business and risk individually. This is a significant challenge for many boards.

4. Mitigating new risks: In India, many complex areas of risks have emerged in the last decade or so, which has made risk management particularly challenging. For example, some traditional areas of risk, such as political instability and strikes and unrest, appear to have subsided while others, such as information and cyber security as well as terrorism and insurgency, have increased in prominence.

Companies operating in various industries have experienced the theft of data and sensitive information. For companies in major cities, the threat of terror attacks has become a growing cause for concern, which can be hard to manage by the company itself.

Question 2.
ABC & Co., Chartered Accountants, are the Statutory Auditors, as well as the Internal Auditors of Super Sky Limited. Evaluate whether the same is permitted under the Companies Act, 2013. If not, what are the penal provisions under the Companies Act, 2013?
Answer:
Yes, the additional fee does not absolve the Company from the liability of penalty or any other action under the Act for such default or failure. One of the significant changes brought in by the Companies (Amendment) Act, 2017 is the amendment in section 403 of the Companies Act, 2013.

Pursuant to the said amendment, the non-offence period of 270 days has been omitted from the Companies Act, 2013 and the filing of forms, returns or documents within the time prescribed under the relevant provision has been made mandatory.

Accordingly, the non-filing of forms, returns or documents within the time prescribed under the relevant provision (e.g., Form AOC-4 within 30 days of the date of the AGM) is now considered a default or failure, and the payment of additional fees does not absolve the company from the liability of penalty or any other action under the Act for such default or failure.

Question 3.
Distinguish between General Liability Insurance and Professional Liability Insurance.
Answer:
General Liability Insurance covers a business against a few “general” lawsuits that any business could face. It is triggered when a third party (i.e., anyone who doesn’t work for the company) sues the business over:

  1. Bodily injuries they incurred on the commercial premises,
  2. Damage caused to their property,
  3. Advertising injuries (e.g. slander, libel, misappropriation, and copyright infringement).

General Liability Insurance pays for the legal expenses (lawyers’ fees, court costs, and settlements or judgments). Any small-business owner, no matter their industry or the size of their business, can face these claims. That’s why many consider this policy to be the keystone of a business protection plan.

Professional Liability Insurance is also known as “Errors and Omissions Insurance” or “Malpractice Insurance”. Its coverage focuses specifically on the lawsuits that stem from the professional services rendered.

Though this policy is especially important for service providers to carry, most small business owners can benefit from its coverage. It shields the insured from third-party lawsuits alleging:

  • Negligent professional services.
  • Failure to uphold contractual promises.
  • Incomplete or shoddy work.
  • Mistakes or omissions.

These torts are among the most expensive a business owner can face. One need not be at fault to be sued; an unhappy client may name the business in a lawsuit to recoup the “losses” they incurred because of the work carried out.

Question 4.
“Crisis Management is not necessarily the same thing as risk management”. What is Crisis Management and how is it different from risk management? Explain in detail the guidelines/recommendations for establishing a good crisis management plan.
Answer:
1. Crisis management is the identification of threats to an organization and its stakeholders, and the methods used by the Organization to deal with these threats.

2. An organization may face various types of crises like natural crisis, technological crisis, confrontation crisis, etc.

3. Crisis management involves dealing with crises in a manner that minimizes damage and allows the affected organization to recover quickly. Dealing properly with a crisis can be especially important for a company’s public relations.

4. Businesses that effectively put a continuity plan in place in case of unforeseen contingencies can mitigate the effects of any negative event that occurs. The process of having a continuity plan in place in the event of a crisis is known as crisis management.

5. Crisis management is different from risk management. Unlike risk management, which involves planning for events that might occur in future, crisis management involves reacting to negative events during and after they have occurred. For example, an oil company may have a plan in place to deal with the possibility of an oil spill, but if such a disaster actually occurs, the magnitude of the spill, the backlash of public opinion, and the cost of clean-up can vary greatly and may exceed expectations.

6. As a crisis may come in several forms, it is recommended in all cases that a company be prepared ahead of time with a crisis management plan.

The following guidelines are recommended for establishing good crisis management plans:

  • Employ a professional crisis manager who can help in planning crisis management processes.
  • Initiate frequent training and refresher courses on handling crises. Drills and mock operations must frequently take place to keep refreshing stakeholders on emergency responses to a crisis.
  • Form a crisis team to work under the leadership of the crisis manager.
  • Initiate systems that can effectively monitor or detect foreseeable crisis signals early enough to tackle the situation before it gets out of hand.
  • Provide a list of key persons to be contacted in case of a crisis, with their contact details. The contact information must be displayed where anyone can see and easily access it.
  • Identify the ground person to be notified immediately when a crisis occurs.
  • Apart from a crisis manager, there must be a coordinating person among the employees who possesses first-hand news of a looming crisis. It should be a person who can be trusted by colleagues with vital information on any suspected crisis.
  • Identify a central point where the employees can assemble and the exit points to use in case of a crisis. Emergency exit doors that open easily must be labelled well, and an emergency assembly point identified and properly labelled as well.
  • Test the crisis management process and emergency equipment regularly, and update them frequently or as needed.
  • Planning responses and crisis management processes for various potential crises is highly recommended. It takes several approaches and processes to address different crises.

Question 5.
“Directors and Officers (D & O) insurance has become closely associated with broader management liabilities insurance, which covers liabilities of the corporate itself as well as the personal liabilities for the directors and officers of the company”. Enumerate the reasons to buy D & O policy.
Answer:
Directors and officers insurance affords protection to directors and officers from liability arising from actions connected to their corporate responsibilities. The policy provides indemnity to the directors and officers in respect of legal costs in defending proceedings brought against them alleging wrongful acts.

Key reasons to buy D&O insurance are:
1. Personal assets of directors are at risk: If a director has been accused of breaching duties, their personal assets are at risk in case they don’t have any D&O insurance.

2. Defending a legal action is an expensive affair: The legal costs and expenses in litigations involving directors are usually complex and costly.

3. Investors can file a case: If investors believe that they have incurred losses due to mismanagement of the company, they could approach the court to seek compensation.

4. Employees can sue: It is not only shareholders who can file a case against the directors; even employees approach the court to challenge the decisions of the directors. It is a hard reality that in today’s corporate world there has been a rise in the number of cases filed by employees relating to sexual harassment or wrongful dismissal.

5. Customers can take legal actions: In some cases, customers also reach the court against misrepresentations made in the advertisement materials and deceptive trade practices.

6. Enquiry initiated by regulatory authorities: Regulatory bodies like SEBI, Revenue Department, etc., can initiate enquiry against directors.

7. In case of bankruptcy or insolvency: If faced with bankruptcy, creditors can pursue legal action against directors if they think that they have not acted in their best interest.

8. Helps in attracting/retaining talent: Not having a comprehensive D&O policy may discourage talented employees from joining the company, as they know they will not be protected against any legal case that may arise in future.

9. D&O claims are not covered under any other policy: Many people believe that D&O claims are also covered under other liability insurance plans such as professional indemnity, but they are not.

Question 6.
“A legal compliance program is generally defined as a formal program specifying an organization’s policies, procedures, and actions with an intent to prevent and detect violations of laws and regulations”. Comment briefly.
Answer:
A legal compliance program is a set of internal policies and procedures of a company to comply with laws, rules, and regulations or to uphold business reputation. A compliance team examines the rules set forth by government bodies, creates a compliance program, implements it throughout the company, and enforces adherence to the program.

While legal compliance programs need to be tailored to the specific company’s needs, there are principles to consider in reviewing a program, such as:
There should be a strong “tone at the top” from the board and senior management emphasizing the company’s commitment to full compliance with legal and regulatory requirements, as well as internal policies.

There should be clear reporting systems in place both at the employee level and at the management level so that employees understand when and to whom they should report suspected violations and so that management understands the board’s or committee’s informational needs for its oversight purposes.

Question 7.
“Several large companies and financial institutions worldwide no longer exist today as they neglected the basic rules of Corporate Governance, Risk Management and Control”. Comment.
Answer:
The importance of corporate governance in risk management is amply supported by the reasoning of the Kumar Mangalam Birla Committee on Corporate Governance, set up to implement corporate governance in India.

Risk Management is an integral component of corporate governance and good management. There is a growing realization that corporate governance has an impact on enterprise risk management. Several large companies and financial institutions worldwide no longer exist or have been taken over precisely because they neglected the basic rules of risk management and control.

According to the OECD (2009), some common risk management problems in relation to corporate governance that appeared in many financial institutions before and during the crisis were the following:

  • Risks were frequently not linked to strategy, which is a key issue in ensuring that risk management has a focus on the business context;
  • Risk definitions are often poorly expressed. Better risk definitions (context, event, consequence) are contrary to a lot of current thinking in risk management, which has shortened risk descriptions to the smallest number of words possible;
  • Organizations weren’t always in a position to develop intelligent responses to risks;
  • Boards didn’t take stakeholders and guardians into account in detailing responses to risk;
  • Important parts of the value chain were outsourced to others.

Question 8.
“Anticipating future risks is a key element of avoiding or mitigating those risks before they escalate into crisis.” Explain.
Answer:
The company’s risk management structure should include an ongoing effort to assess and analyze the most likely areas of future risk for the company, including how the contours and interrelationships of existing risks may change and how the company’s processes for anticipating future risks are developed.

This includes understanding risks inherent in the company’s strategic plans, risks arising from the competitive landscape and the potential for technology and other developments to impact the company’s profitability and prospects for sustainable and long-term value creation.

Anticipating future risks is a key element of avoiding or mitigating those risks before they escalate into crises. In reviewing risk management, the board or relevant committees should ask the company’s executives to discuss the most likely sources of material future risks and how the company is addressing any significant potential vulnerability.

Question 9.
“Errors and Omissions Insurance is a special type of coverage that protects a Company against claims that a professional service provided caused a client to suffer financial harm due to mistakes on the part of the professional or because he may have failed to perform some service.” Comment.
Answer:
Professional indemnity insurance is also known as professional liability insurance and as Errors & Omissions (E&O) insurance. It is a type of liability insurance that protects businesses and individuals who provide consultation and services by compensating them for the full and hefty costs arising from the loss that they have caused to their client.

The coverage provided by the insurance company focuses on the alleged failure of the service delivery by the Company, which has led to the financial loss due to errors and omissions in the service or consultation.

Some reasons that might make it necessary to have E&O are as under:
High risk of lawsuits: Not having professional indemnity insurance may put a person at high risk, as many companies may take advantage of professionals who are not fully protected. Moreover, it can expose the Company/Professional to financial loss if a case is filed against them.

Risk of losing business: Many clients prefer to do business with companies which have such insurance; at times they are keen to know whether, if the Company or any of its employees makes a mistake, it will be covered or not.

Question 10.
Taking a case of Crisis Management in corporate houses, throw light on its significance.
Answer:
1. Facebook’s silence about its data breach:
The social media giant reportedly chose to stay silent even though it had known for three years that Cambridge Analytica – the consulting firm hired by President Donald Trump’s 2016 campaign – improperly accessed information on millions of people.

Since then, the company has racked up misstep after misstep, from the failure to issue an immediate statement from Chief Executive Officer Mark Zuckerberg when Facebook finally admitted what happened, to the hiring of a shady opposition research firm to investigate its critics. Facebook was the subject of more trouble when the New York Times reported that it shared even more user data with outside companies than previously acknowledged.

Significance of Crisis Management:
When news breaks, disclosure is the most effective strategy in a crisis because the truth always emerges. Companies, and even the government, need to explain what happened on their own terms and regain confidence by demonstrating that they have learned a lesson and are taking immediate steps to change course.

2. Coca-Cola PR Crisis Management:
Background:

  • The company came under a storm of criticism after The New York Times charged that Coca-Cola was funding obesity research that attempted to disprove the link between obesity and diet and shift the problem to lack of exercise.
  • The article says Coca-Cola, desperate to halt sliding sales, financed the new non-profit Global Energy Balance Network. Critics call it a front group created to espouse misinformation and deflect the role of soft drinks in the spread of obesity and Type 2 diabetes.

Kent’s reaction to the crisis:

  1. Corporations under fire can look to Kent’s op-ed for guidance when responding to attacks and considering apologies.
  2. Kent outlines the company’s response and admits the company’s misstep, while not exactly apologizing, in his opinion piece, “Coca-Cola: We’ll Do Better”.
  3. In a matter-of-fact tone, Kent takes the accusations head-on, acknowledging the charge that the company has deceived the public about its support for scientific research. He defends the company by saying it is attempting to tackle the global obesity epidemic and has always had good intentions.

A New Strategy:

  • Kent also admits the company’s strategy “is not working.” “I am disappointed that some actions we have taken to fund scientific research and health and well-being programs have served only to create more confusion and mistrust,” he writes.
  • He explains how the company will act going forward. First, he says it will act with even more transparency. The company will publish a list of health and well-being partnerships and research activities it has funded in the past five years on its website and will update the list every six months.
  • The company will continue its efforts to provide healthy options, he says, such as waters, lower-calorie and lower-sugar drinks, diet soda and zero-calorie drinks. At the same time, he inserts a sales plug by referring to Coca-Cola’s wide range of beverage options.
  • The opinion piece stresses the company’s commitment to fighting obesity. “We want to get focused on real change, and we have a great opportunity ahead of us,” he says. “We are determined to get this right.”

Kent successfully filled the three O’s of crisis management
Mark Braykovich, vice president at Atlanta-based The Wilbert Group, says Kent successfully filled the three O’s of crisis management:

  1. Own up to it. Assuming responsibility at some level usually helps the corporate reputation over the long run.
  2. Get the CEO out front. The CEO is the best spokesperson for the corporation. Most PR disasters happen when companies shield the CEO, or the CEO appears to have little interest in the problem.
  3. Make an outsized response. Overaction is preferable to small measures or ignoring the critics.

Kent directs the president of Coca-Cola North America to create an oversight committee of independent experts to provide governance on company investments in academic research, and to engage experts to explore opportunities for research and health initiatives. Braykovich says he gives Kent an A for using the three O’s.

Conclusion:
Coca-Cola’s response to accusations that it financed a front group to protect its interests at the expense of public health is a case study in PR crisis management. The op-ed by Coca-Cola CEO Muhtar Kent epitomizes a corporate response that contains the essential elements of effective corporate PR crisis management.

Question 11.
Do General Liability and Professional Liability Ever Cover the Same Claims?
Answer:
Both policies cover certain liabilities, but they don’t cover the same liabilities. General Liability and Professional Liability Insurance are alike in the following respects:

  • Both policies deal with (separate) unavoidable liabilities. Small business owners are targets and bear the cost of civil torts, if any.
  • General Liability and Professional Liability policies work together to mitigate expenses when accidents and oversights land business owners in legal trouble.
  • Client contracts may also require either policy.
  • In the case of certain construction contractors, the general contractor requires them to carry their own General Liability (and Workers’ Compensation Insurance) coverage.
  • Large contracted projects, including those involving IT consultants, need Professional Liability coverage to address potential lawsuits.

Question 13.
Write a short note on Enterprise Risk Management (‘ERM’)
Answer:
1. Meaning of ERM:
Risk management, also known as Enterprise Risk Management (“ERM”), is a systematic and holistic approach for firms to address all their risks, whether operational, strategic or financial, comprehensively.

2. ERM Focus:
ERM focuses on identifying risks, developing and monitoring a risk management system and reacting to risk events when they occur.

3. ERM as a Firm-wide Effort:
As ERM is a firm-wide effort to manage all the firm’s risks, involvement by the company’s board of directors and senior management is imperative.

4. ERM in India a Fundamental Function of the Board:
In India, both the Companies Act, 2013 and the Listing Guidelines view risk management practices as one of the fundamental functions of the board of directors.

5. Committee of Sponsoring Organizations of the Treadway Commission role in ERM:
Beginning in the mid-1980s, the Committee of Sponsoring Organizations of the Treadway Commission (COSO), initially formed in part to study fraudulent financial reporting, began to articulate a risk management framework.

6. In 2004, following several corporate governance scandals around the world, COSO issued a detailed report defining ERM as “… a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

7. The COSO approach presents eight interrelated components of ERM:

  • internal environment (the tone of the organization),
  • setting objectives,
  • event identification,
  • risk assessment,
  • risk response,
  • control activities,
  • information and communications, and
  • monitoring

8. The significance of ERM can be seen in the value it creates when effectively implemented and the value it destroys when there are shortcomings in leadership and implementation.

9. ERM facilitates Value creation:
ERM is a critical component of value creation. ERM must play a central role in every substantive business decision. Effective ERM can enable a company to manage potential future events that create uncertainty and respond to uncertainty in a manner that reduces the likelihood of downside surprises. ERM supports a company to improve the quality of risk-taking and thereby, give the company a competitive advantage.

10. Avoiding value destruction:
A company cannot preserve its value if its ERM is below standard. This role of preserving corporate value is far more visible when ERM fails than when it succeeds.

11. Failures in risk management have contributed to some of the most significant scandals and losses suffered by companies.

Question 14.
Enumerate the reasons to buy a Directors and Officers (D&O) Insurance Policy.
Answer:
1. Personal assets of directors are at risk:
If a director has been accused of breaching duties, their personal assets are at risk in case they don’t have any D&O insurance.

2. Defending a legal action is an expensive affair:
The legal costs and expenses in litigations involving directors are usually complex and costly.

3. Investors can file a case against you:
It may sound unlikely, but things can go downhill. If investors believe that they have incurred losses due to mismanagement of the company, they could approach the court to seek compensation. For instance, if any action of a director results in a drop in share price, which leads to loss to shareholders and investors, then there is a high possibility that they may bring a class-action lawsuit against the company and directors.

4. Employees can sue directors:
It is not only shareholders who can file a case against the directors; even employees approach the court to challenge the decisions of the directors. It is a hard reality that in today’s corporate world there has been a rise in the number of cases filed by employees relating to sexual harassment or wrongful dismissal. For example, in 2016, a sacked software engineer won a case against HCL Tech. The court called his dismissal unlawful and asked the company to reinstate the petitioner with continuity of service and to pay full salary along with other benefits.

5. Customers can take legal actions:
In some cases, customers also reach the court against misrepresentations made in the advertisement materials and deceptive trade practices.

6. Enquiry initiated by regulatory authorities:
Regulatory bodies like SEBI, the Revenue Department, etc., can initiate enquiries against directors.

7. In case of bankruptcy or insolvency:
If faced with bankruptcy, creditors can pursue legal action against directors if they think that they have not acted in their best interest.

8. Helps in attracting/retaining talent:
Not having a comprehensive D&O policy may discourage talented employees from joining the company, as they know they will not be protected against any legal case that may arise in future.

9. D&O claims are not covered under any other policy:
It is a belief that D&O claims are also covered under other liability insurance plans like professional indemnity. However, it is not true.

Question 15.
What are international laws and regulations relating to Cyber Security?
Answer:
1. General Data Protection Regulation (GDPR):
The European Union’s (EU’s) General Data Protection Regulation (GDPR), effective from May 2018, raises the regulatory bar, and it sweeps more broadly than some non-EU-based companies may realize.

The GDPR imposes stringent requirements on both data collection and data processing, including increased data security mandates, enhanced obligations to obtain data owner consent, and strict breach notification requirements.
The GDPR is extra-territorial in its reach and carries severe penalties for non-compliance, up to 4% of worldwide revenue.

2. Detailed and prescriptive regulations issued in the United States to protect consumer data
In the United States, the New York State Department of Financial Services (DFS) has implemented detailed and prescriptive regulations of its own, requiring covered institutions (entities authorized under New York State banking, insurance or financial services laws) to meet strict minimum cybersecurity standards.

The revised regulations require, among other things, that covered institutions have in place a cyber-security program designed to protect consumers’ private data, approved by the board of directors or senior corporate officers and accompanied by annual compliance certifications, the first of which was required to be filed on February 15, 2018.

3. Guidance for market disclosures issued by the SEC (Securities Exchange Commission) – 2011
The SEC has turned its attention to market disclosure and breach notification. Since 2011, when the SEC’s Division of Corporation Finance issued interpretive guidance regarding cyber security disclosures, public companies have been required to “disclose the risk of cyber incidents if they are among the most significant factors that make an investment in the company speculative or risky.”

4. SEC 2018
In February 2018, the SEC issued new guidance to clarify its expectations on such disclosures focusing on “reinforcing and expanding upon” the 2011 guidance, advising public companies to evaluate the materiality of cyber risks and incidents and make necessary disclosures in a timely fashion, while warning that the SEC is watching closely.

Further, the 2018 guidance explores board oversight, disclosure controls and procedures, insider trading and selective disclosures. As regards risk oversight, the 2018 guidance advises that public companies should disclose the role of the board in cyber risk management, at least where cyber risks are material to a company’s business. Therefore, while most boards are likely already engaged in some form of cyber risk oversight, the call by the SEC for more public disclosure may prompt consideration of whether to deepen or sharpen that engagement.

5. SEC to take more aggressive approach on the Enforcement side
On the enforcement side, the SEC has signalled that it may move towards a more aggressive approach, alluding to the feasibility of disclosure-based enforcement actions, amid reports that it is engaged in investigations of companies like Yahoo and Equifax.

In its newly issued guidance, the SEC warns that “directors, officers, and other corporate insiders must not trade a public company’s securities while in possession of material non-public information, which may include knowledge regarding a significant cybersecurity incident experienced by the company.”

Question 16.
What are the different types of crisis?
Answer:
The different types of crisis are described below.
1. Natural Crisis
Disturbances in the environment and nature lead to natural crises. Such events are generally beyond the control of human beings. Tornadoes, earthquakes, hurricanes, landslides, tsunamis, floods and droughts all result in natural disasters.

2. Technological Crisis
A technological crisis arises as a result of a failure in technology. Problems in the overall systems lead to technological crises. Breakdown of machines, corrupted software and so on give rise to technological crises.

3. Confrontation Crisis

  • Confrontation crises arise when employees fight amongst themselves. Individuals do not agree with each other and eventually resort to non-productive acts like boycotts, strikes for indefinite periods and so on.
  • In such a type of crisis, employees disobey superiors, give them ultimatums and force them to accept their demands.
  • Internal disputes, ineffective communication and lack of coordination give rise to confrontation crises.

4. Crisis of Malevolence

  • Organizations face a crisis of malevolence when some notorious employees resort to criminal activities and extreme steps to fulfil their demands.
  • Acts like kidnapping the company’s officials and spreading false rumours all lead to a crisis of malevolence.

5. Crisis of Organizational Misdeeds

  • Cases of organizational misdeeds arise when management takes certain decisions knowing the harmful consequences of the same for the stakeholders and external parties.
  • In such cases, superiors ignore the after-effects of strategies and implement the same for quick results.

Crisis of organizational misdeeds can be further classified into following three types:
Crisis of Skewed Management Values: A crisis of skewed management values arises when management supports short-term growth and ignores broader issues.

Crisis of Deception: Organizations face a crisis of deception when management purposely tampers with data and information. Management makes fake promises and wrong commitments to customers. Communicating wrong information about the organization and its products leads to a crisis of deception.

Crisis of Management Misconduct: Organizations face a crisis of management misconduct when management indulges in deliberate acts of illegality, like accepting bribes, passing on confidential information and so on.

6. Crisis due to Workplace Violence:
Such a crisis arises when employees indulge in violent acts, such as beating fellow employees or superiors within the office premises itself.

7. Crisis due to Rumours:
Spreading false rumours about the organization and its brand leads to a crisis. Employees must not spread anything that would tarnish the image of their organization.

8. Bankruptcy:
A crisis also arises when an organization fails to pay its creditors and other parties. Lack of funds leads to crisis.

9. Crisis Due to Natural Factors:
Disturbances in the environment and in nature, such as hurricanes, volcanoes, storms, floods, droughts, earthquakes etc., result in crisis.

10. Sudden Crisis:
As the name suggests, such situations arise all of a sudden and at extremely short notice. Managers get no warning signals, and such a situation is in most cases beyond anyone’s control.

11. Smouldering Crisis:
Neglecting minor issues in the beginning leads to a smouldering crisis later. Managers can often foresee such a crisis; they should not ignore it and wait for someone else to take action, but should warn the employees immediately to avoid such a situation.

Question 17.
What are the special considerations regarding Cyber Security Risk?
Answer:
1. Increasing dependence on technology increases exposure to cybercrime:
The ever-increasing dependence on technological advances that characterizes all aspects of business and modern life has been accompanied by a rapidly growing threat of cybercrime, the cost of which, according to a 2017 report by Herjavec Group, is expected to exceed $6 trillion annually by 2021.

As recent examples (e.g., the hacking of computer networks belonging to the SEC and to Equifax) have highlighted, network security breaches, damage to IT infrastructure and theft of personal data, trade secrets and commercially sensitive information are omnipresent risks that pose a significant financial and reputational threat to companies of all kinds. With computing devices increasingly embedded in everyday items and connected to the “Internet of Things,” virtually all company functions across all industries are exposed to cyber security risk.

2. Attention towards Cyber Security Risk:
In light of the growing number of successful cyber-attacks on even the most technologically sophisticated entities, lawmakers and regulators in the United States and abroad have increased their attention to cybersecurity risk.

3. Regulatory requirements, including the General Data Protection Regulation (GDPR):
In the United States, regulatory and enforcement activity relating to cybersecurity has continued to ramp up at the state level. Internationally, the European Union’s General Data Protection Regulation (GDPR) took effect in May 2018, significantly increasing data handling requirements for companies with even a minimal European nexus. Companies are thus facing a two-front storm, with regulatory risks compounding the security threat.

4. Implementation of comprehensive cyber security risk mitigation programs that deploy recent defensive technologies without losing focus on core security procedures:
In response, engaged corporate leaders should implement comprehensive cyber security risk mitigation programs: deploying the latest defensive technologies without losing focus on core security procedures like patch installation and employee training, executing data and system testing procedures, implementing effective and regularly exercised cyber incident response plans, and ensuring that the board is engaged in cyber risk oversight.

5. Situating cyber security within the internal audit function:
As cyber security risk continues to rise in prominence, so too has the number of companies that have begun to specifically situate cyber security and cyber risk within their internal audit function.

6. Role of Directors in ensuring technical expertise and adequate time for the Internal Audit Function:
Directors should assure themselves that their company’s internal audit function is performed by individuals who have appropriate technical expertise and sufficient time and resources to devote to cyber security risk. Further, the internal audit team should understand and periodically test the company’s risk mitigation strategy, and provide timely reports on cyber security risk to the board’s audit committee.

7. Board preparedness for a cyber security breach:
In satisfying their risk oversight function with respect to cyber security, boards should evaluate their company’s preparedness for a possible cyber security breach, as well as the company’s action plan in the event that a cyber security breach occurs.

Question 18.
Write note on “A Strategic Cyber-Roadmap for the Board” released in November 2016.
Answer:
With respect to preparation by the board for a possible cyber security breach, the board should consider the following actions, several of which are also addressed in The Conference Board’s “A Strategic Cyber-Roadmap for the Board”, released in November 2016:
1. Identify the company’s “Crown Jewels”, i.e., the company’s mission-critical data and systems, and work with management to apply the appropriate measures outlined in the National Institute of Standards and Technology (NIST) Cybersecurity Framework;

2. Ensure that an actionable cyber incident response plan is in place that, among other things, identifies critical personnel and designates responsibilities; includes procedures for containment, mitigation and continuity of operations; and identifies necessary notifications to be issued as part of a pre-existing notification plan;

3. Ensure that the company has effective response technology and services in place (e.g., off-site data backup mechanisms, intrusion detection technology and data loss prevention technology);

4. Ensure that prior authorizations are in place to permit network monitoring;

5. Ensure that the company’s legal counsel is conversant with technology systems and cyber incident management to reduce response time; and

6. Establish relationships with cyber information sharing organizations and engage with law enforcement before a cyber-security incident occurs.

Question 19.
Write a short note on “Scenario of D&O Policy in India”.
Answer:
1. India: Opening and Growth of the Economy:
Almost 25 years have passed since India ushered in a new era of commercial liberalization and reform. This continuous and gradual opening up of the economy, driven by rapid growth in domestic consumer demand, has resulted in an influx of foreign investment, which in turn has strengthened private Indian companies.

2. Lack of Professionalism in Indian Companies:
Economic growth also has its dark side. India has been a victim of corporate fraud and scams. There are significant cultural differences in how Indian companies function vis-à-vis their international counterparts, and Indian companies are often seen as less professional.

3. Trends Prevalent in Indian Companies:
Though the scenario may be changing, the ‘family business’ outlook of many Indian enterprises and an occasionally backward approach to various compliance and disclosure requirements continue to prevail. Siphoning of funds through related-party transactions, accounting irregularities, and corruption are just a few of the common, unfortunate trends that are prevalent in Indian companies.

4. Management- and Promoter-driven Frauds in India:
In cases such as Satyam, Lilliput and NSEL, numerous instances of management- and promoter-driven fraud have come to light.

The concern surrounding director liability has also been highlighted by the arrests of Stefan Schlipf, the managing director of BMW India Financial Services, and William Pinckney, managing director and chief executive officer of Amway India, along with two other directors.

5. Liability of Corporate Directors:
The ubiquitous issue of corruption and the high risk of internal fraud raise serious concerns about the liability of corporate directors. American litigators representing Indian companies, or advising clients interested in becoming corporate officers in India, need to understand director and officer liability under Indian law.

6. Director liability in India can be divided into two principal areas:

  1. liability under the Companies Act, 1956 (the 1956 Act), which has now transitioned to the Companies Act, 2013 (the 2013 Act); and
  2. liability under other Indian statutes.

There has been a seminal shift in the Indian corporate legal regime with the enactment of the 2013 Act and more recent amendments.

7. Critical failures of Indian corporate law highlighted by scams:
Critical failures of Indian corporate law were highlighted during corporate and financial scams such as the Harshad Mehta episode and the Satyam fiasco. Various investors also discovered that money had been siphoned off by promoters through related-party or customer-vendor transactions.

8. Directors and officers (D&O) liability insurance:
Directors and officers (D&O) liability insurance is insurance coverage intended to protect individuals from personal losses if they are sued as a result of serving as a director or an officer of a business or other type of organization. It can also cover the legal fees and other costs the organization may incur as a result of such a suit.

9. Applicability of Directors and officers (D&O) liability insurance:
Directors and officers liability insurance applies to anyone who serves as a director or an officer of a for-profit business or non-profit organization.

A directors and officers liability policy insures against personal losses, and it can also help reimburse a business or non-profit for the legal fees or other costs incurred in defending such individuals against a lawsuit.

10. Payment of Directors and officers (D&O) liability insurance:
Directors and officers liability insurance pays the directors and officers of a company, or the organization itself, for losses or for reimbursement of defence costs if a legal action is brought against them. Coverage can extend to defence costs in criminal and regulatory investigations and trials. Civil and criminal actions are often brought against directors and officers simultaneously.

D&O insurance has become closely associated with broader management liability insurance, which covers liabilities of the corporation itself as well as the personal liabilities for the directors and officers of the corporation.

11. Increased liability under the Companies Act, 2013 is beneficial for the accountability of directors:
In shareholder disputes, the increased liability under the 2013 Act is beneficial in increasing pressure on defaulting directors, nominating shareholders or promoters. While resignation may protect a director from subsequent defaults, an erstwhile director may still continue to be liable for any defaults that took place during his or her tenure, under section 168(2) of the 2013 Act.

The Companies Act, 2013 prompted concerns about the role, accountability, and responsibility of non-executive, nominee, and independent directors, who could be caught on the wrong side of the company’s disputes.

Question 20.
What is Professional Liability Insurance? How does Professional Liability Insurance work?
Answer:
Professional liability insurance – how it works:
1. Professional liability insurance policies are usually arranged on a claims-made basis, which means coverage applies only to claims made during the policy period.

2. Typical professional liability policies will indemnify the insured against loss arising from any claim or claims made during the policy period by reason of any covered error, omission or negligent act committed in the conduct of the insured’s professional business during the policy period.

3. Incidents occurring before the coverage was activated may not be covered, although some policies include a retroactive date that extends cover to earlier incidents.

4. Coverage does not include criminal prosecution, nor all forms of legal liability under civil law, but only those listed in the policy.

5. Cyber liability, covering data breaches and other technology issues, may not necessarily be included in core policies. However, insurance that covers data security and other technology security-related issues is available as a separate policy.

6. Some professional liability policies are tightly worded. A number of policy wordings are designed to satisfy a stated minimum approved wording, which makes them easier to compare; others differ dramatically in the coverage they provide.

7. For example, breach of duty may be covered if the incident occurred and was reported by the policyholder to the insurer during the policy period.

8. Wordings with major legal differences can be confusing. For example, coverage for a “negligent act, error or omission” indemnifies the policyholder against loss incurred as a result of any professional error or omission, or any negligent act (i.e., the modifier “negligent” does not apply to all three categories, though a non-legal reader might assume that it did).

9. Meanwhile, a “negligent act, negligent error or negligent omission” clause is much more restrictive, and would deny coverage in a lawsuit alleging a non-negligent error or omission.

Question 21.
Explain what are Legal Compliance Programs.
Answer:
1. Appropriate review of the company’s legal compliance programs
Senior management should provide the board or committee with an appropriate review of the company’s legal compliance programs and how they are designed to address the company’s risk profile and detect and prevent wrongdoing.

2. Compliance programs to be well tailored to the specific needs of the company
While compliance programs need to be tailored to the specific company’s needs, there are a number of principles to consider in reviewing a program. There should be a strong “tone at the top” from the board and senior management emphasizing the company’s commitment to full compliance with legal and regulatory requirements, as well as internal policies.

A well-tailored compliance program and a culture that values ethical conduct continue to be critical factors that the Department of Justice (DOJ) will assess under the Federal Sentencing Guidelines in the event that corporate personnel engage in misconduct.

3. In addition, while Deputy Attorney General Rosenstein has announced a review of all DOJ enforcement guidance memos, including the 2015 “Yates memo” on holding individuals accountable for wrongdoing, we expect that an emphasis on individual accountability will remain a key feature of the enforcement landscape, highlighting the continued importance of companies swiftly and responsibly investigating and remediating indications of possible misconduct.

4. A compliance program should be designed by persons with relevant expertise and will typically include interactive training as well as written materials.

5. Compliance policies should be reviewed periodically to assess their effectiveness and to make any necessary changes. Policies and procedures should fit with business realities.

6. There should be consistency in enforcing stated policies through appropriate disciplinary measures.

7. There should be clear reporting systems in place, both at the employee level and at the management level, so that employees understand when and to whom they should report suspected violations, and so that management understands the board’s or committee’s informational needs for its oversight purposes.

8. A company may choose to appoint a chief compliance officer and/ or constitute a compliance committee to administer the compliance program, including facilitating employee education and issuing periodic reminders. If there is a specific area of compliance that is critical to the company’s business, the company may consider developing a separate compliance apparatus devoted to that area.

Question 22.
What are the challenges faced by the Board of Directors in developing ERM?
Answer:
Challenges facing Boards of Directors in developing ERM:
Over the past several years, corporate India has become much more engaged with and sensitized to ERM. Leading companies have formed risk management and compliance teams that are integrated within the firm and that provide valuable information to the board. Nevertheless, there is room for improvement.
Indian boards face significant challenges in designing and implementing an effective ERM system, including:

(a) Effectively linking risk and strategy:
Integrating risk management into the overall corporate strategy is a challenge for many Indian firms. The challenge is to have an ERM system that encompasses a process capable of being applied in strategy setting across the enterprise. “Effective risk management is not about eliminating risk-taking, which is a fundamental driving force in business and entrepreneurship.” In other words, taking appropriate risk needs to be at the heart of corporate strategy. The board must understand and guide the company’s appetite and ability to take risk, and communicate the same to the company’s risk management team.

Operationally, ‘tying risk with strategy’ means that risk managers must be integrated in implementing the company’s strategy and must not be separated from the board and management so that the actual risk taken is tied to the company’s risk appetite and ability. ERM programs must be developed with input from various functions in the organization, such as finance, sales, legal etc.

(b) Implementing cost-effective risk management for small and medium-sized enterprises:
While the costs of risk management failures can be high, designing and implementing efficient ERM can also be quite costly, especially for small and medium-sized firms.

Hiring consultants or the necessary staff to develop stress-testing and early warning systems to alert the board regarding significant risks can be difficult to do in smaller companies.
While large firms can establish a ‘chief risk officer’ function with direct report to the board, doing so is much harder for smaller companies.

(c) Addressing all major areas of risk:
ERM requires a firm to take a portfolio view of risk; boards must consider how various risks inter-relate, rather than treating each business and risk individually. This is a significant challenge for many boards.

(d) Mitigating new risks:
In India, many complex areas of risks have emerged in the last decade or so, which has made risk management particularly challenging. For example, some traditional areas of risk, such as political instability and strikes and unrest, appear to have subsided while others, such as information and cyber security as well as terrorism and insurgency, have increased in prominence.

Companies in a wide variety of industries have experienced the theft of data and sensitive information. For companies in major cities, the threat of terror attacks has become a growing cause for concern, which can be hard to manage by the company itself. According to a 2015 survey, the top five risks for Indian firms include:

  • corruption, bribery and corporate fraud;
  • information and cyber security;
  • terrorism and insurgency;
  • business espionage; and
  • crime.
