Allan Dunlavy – Schillings

What types of work are you seeing at the moment in reputation management? Have there been any changes post-pandemic?
A lot of the work we’re doing at the moment, particularly with corporates and their senior leadership team, is about building resilience into their online profiles – so both the corporate profile and the individuals’ profiles. One of the things we’ve seen more recently, and I don’t think it’s necessarily pandemic-related, is an appreciation that companies do not stand apart from their people in this space. If your people have good reputations and resilient online profiles, then this will support the company and vice versa. There’s a connectivity between the two that didn’t really exist in the way it does now. So, we’re seeing that really take off.

The other thing we’re seeing, particularly post-pandemic, is that this isn’t about crisis mitigation or risk mitigation necessarily – although both are clearly factors – it’s also about the fact that your online profile is essentially your 21st Century shop window, your business card. There is a significant element here about being able to take advantage of new opportunities in the market to achieve your business objectives, like increasing your share price, building capital value or your ESG goals for example. Building and maintaining digital resilience really helps you to be well positioned to take advantage and achieve those goals. It’s grasping the positive rather than avoiding the negative.

Over the last year, what have been some of the key cases or hot topics?
The biggest regulatory issue that we’ve been dealing with is the Online Safety Bill – that’s very specific but there is also the more general discussion around regulating big tech, how we do that and what we want to do with it. We’ve had the whistle-blower Frances Haugen reveal the Facebook documents which was incredibly powerful in terms of understanding what they can do versus what they will do. I think there has been a growing appreciation that companies aren’t as hamstrung and unable to act as they perhaps have led us to believe and the negative consequences of being attacked online aren’t inevitable – actually, some of it is built in and intentional because negativity and controversy builds engagement. What we’ve learnt is that you can actually enjoy the benefits of social media, the internet and Big Tech without necessarily suffering from all the negatives and so that’s now feeding into the discussion around regulation.

The area which has been regulated a lot particularly since GDPR is of course, data. What is happening with people’s data? How is it moving around? Who’s getting it? Why are they getting it? Do they really need it to collect and hold your data? I think we’re going to see even more data regulation and even more enforcement, such as fines and penalties, as we better understand how it is being collected, used and abused.

What is the link between data protection and traditional reputation management?
When we think about data, there is a direct relationship. Data and privacy is what people ‘know’ about you – what they ‘know’ might not be true or up to date – and in reputation, we say it’s what people think about you. With incomplete, out of date, or just straight up fake data, it really affects the presumed knowledge which then affects the consequential reputation.

I’m aware of the P&O Ferries situation, which was more of an employment law issue, but from the reputation management side, what are the implications of this?
When you think about reputation, there’s usually an underlying issue. Yes, it was an employment issue, but it was actually about how they were dealing with the pandemic, the government assistance and the issues around that. There is usually an underlying issue that causes a crisis – whether you’ve had a data leak or a product recall issue – it leads to this reputation consequence and there are two parts to it. One is obviously solving the underlying issue; you have to quickly identify what the problem is and start solving it so you can work out how to stop it from having a ripple effect. That’s a stone in the pond that might affect other parts of your business and there might even be jurisdictional ripples, so I think you have got to think carefully when making these decisions. A great example from P&O Ferries is there’s actually a P&O Cruises which used to be associated with the P&O Ferries company but has been separate and independent for around 20 years. They had to issue a statement to clarify that even though they have the same name, they are not associated with P&O Ferries and didn’t do anything wrong.

What you really need to have are company values, and the decisions you make need to be taken in accordance with your values so that when there is a problem, you can stand by your decision. For us, what we always talk to clients about is that it isn’t about reputation management or protection, it’s about working out what your company stands for and ensuring that it is incorporated into your decision making at the front end – not the back end.

What is the best way to respond to negative media coverage for a business?
Crisis management is not one size fits all. It depends on what the crisis is, what your company is and how it has arisen. But there are three things you need to think about. First – figure out what the actual problem is and your position on it. Get the facts right quickly. Then work out what your stance is on the situation and start communicating. You want to avoid drip-feeding information, changing your response, and making multiple apologies.

The fact gathering exercise is the foundation upon which your entire crisis response will be built and then you need to engage with stakeholders – the media, employees, customers, shareholders, regulators, anyone that has a stake in your business in the broader sense of it. Different stakeholders require different responses – something your lawyer sends to the regulator may not be the same thing you send to your customer. You need to tailor the channel and the content so you can engage effectively. But much of this can, and should, be done before the crisis comes. You should have a map so you can scenario-plan. There have been a number of black swan events in the last five years, between the war in Ukraine, the pandemic and the housing crash, but actually most corporate crises are relatively foreseeable. What I always say to clients is yes, you want to expect the unexpected, but actually, expecting the expected is a good place to start.

The other thing to consider is your employee team, the people that are going to be involved with the crisis response, both internally and externally, need to have defined roles. What you don’t want to be doing is going out and trying to find a lawyer when you’re in the crisis. You’ve got plenty to do so you need these advisers already and internally, everyone needs to know what they’re doing in advance and practice it. You don’t want the first time everyone’s doing these things to be under pressure and your house is on fire. Having internal and external teams that are well briefed and well prepped is a material difference in the effectiveness and efficiency of crisis response.

What are the key things GCs need to be aware of from a reputation, privacy and security perspective?
We are seeing that attacks can come from anywhere, for any or no reason. If information gets out about the company and your senior leadership team which may be true or may be false, we often see a snowball effect and it gets out of hand. It’s really important for companies to be constantly looking at what’s out there so that they can build resilience by being in the conversation – if something happens, you don’t want the first time you’re engaging on social media to be when you have a problem. You have to build that resilience, that engagement and trust beforehand. The earlier you can get into the social conversation, the better chance you have of getting your message out there.

What are the disadvantages, if any, of appointing a GC over a specialist team of external advisers?
Most GCs don’t come from this sort of background – they come from a corporate or M&A background because that’s much more useful to the business on a day-to-day, month-to-month basis. I’ve seen GCs who have been through crises before and therefore have a tonne of experience, but I’ve not seen a GC from this background as it’s a very niche area.

I obviously don’t run a large corporate, but my instinct would be that my GC is my general counsel – their job is to deal with everything that comes up all the time so I want someone best placed for that. If there are niche issues, like an SEC investigation or a crisis, then get people who deal with that all the time. My focus would be on having a GC who understands the business but bring in experts to deal with digital resilience, privacy issues and reputation management.

What are your three top tips for GCs or in-house teams handling reputation, privacy and security issues?
My three top tips are:

  1. Be proactive – understand and know what’s out there. Know what people are saying.
  2. Be prepared – expect the unexpected and the expected. Be ready – practice, take steps, define roles. If you can spend the time and money, it’s never wasted. Even if that crisis doesn’t happen, everyone is well prepared.
  3. Be resilient – don’t start planning when the crisis starts. You need to do this before; you want to have that resilience and the right channels so you can engage with and address the problem.