There can be intentional and unintentional leaks, but there are many things that companies can do to mitigate the risk of both.

Arthur Kohn is a partner in the New York office of Cleary Gottlieb Steen & Hamilton LLP. His practice focuses on compensation and benefits matters, including executive compensation, pension compliance and investment, employment law and related matters. He repeatedly has been recognized for his work on behalf of clients by the business and legal press.

Robert Bostrom is Senior Vice President, General Counsel and Corporate Secretary of Abercrombie & Fitch. He has global oversight and management responsibility for all legal, compliance, ethics and regulatory strategies, services, resources, corporate governance matters and the corporate secretary function. Abercrombie & Fitch Co. is a global specialty retailer of high-quality, casual apparel for men, women and kids under the Abercrombie & Fitch, Abercrombie and Hollister Co. brands. The company operates stores in the United States and across Canada, Europe, Asia and the Middle East. The company also operates e-commerce websites.

Christopher P. Skroupa: How can companies take precautions to avoid internal leaks? Is there even a way to avoid leaks?

Robert Bostrom: There can be intentional and unintentional leaks, but there are many things that companies can do to mitigate the risk of both. First, careful and well-thought-out policies, procedures and training about the handling of confidential information are a good first step. This should start with confidentiality agreements and the basics of reminders about conversations in public places, emails, and documents.

Second, create a sound culture of speaking up, and a culture of positively responding to those who speak up and report bad conduct, to provide an institutional outlet for grievances and bad conduct. Third, it is imperative to have IT security controls and detection regarding the movement of information.

Fourth, conduct careful exit interviews and identify angry employees who may have deliberately leaked or taken information, or who are likely to do so. Finally, implement sound internal control policies over who has access to what information and how.

Arthur Kohn: We almost always take the view, for purposes of legal analysis and of mapping out a strategy for addressing risks, that the information that’s out there will become known, sooner or later. I think that’s the right perspective, but that doesn’t mean companies either do or should give up hope of managing the flow of information. There are appropriate ways to do that, and what comes to mind most directly is the issue of putting together a well-designed policy for dealing with whistleblowing activity.

The whistleblower rules are incredibly important today and I think that trends suggest that whistleblowing will be an important element in the regulatory process for the foreseeable future. There are companies that have designed a system for reporting and dealing with complaints in fair and appropriate ways that is viewed as equitable in the eyes of the companies and their constituencies, and there are companies that have a bit of work to do in that regard.

There are some legal implications in that regard, and there’s a case that the U.S. Supreme Court just accepted on the question of how the whistleblower and bounty rules work when all you have is internal reporting as opposed to reporting to the SEC, so there are still legal uncertainties. But companies that have not thought hard about having a well-designed or up-to-date whistleblower program ought to have that on their agenda.

Skroupa: What is the best procedure to handle a scandal? Let it die down in the news, or address it head on? How do you tell by the context which route to take?

Bostrom: It depends on the crisis. But generally, with the big crises we are seeing, it is necessary to respond keeping in mind that there are many in the audience that you must be sensitive to. These include employees, vendors, customers, shareholders, regulators, Congress, the Administration and local communities.

A good, simple rule is not to get ahead of the facts. But as we have seen with the Equifax situation, there has to be prompt disclosure about what is known and a message that communications will be forthcoming as facts become known. Other recent examples of poor crisis management response and a poor communication response would include Uber and SoFi.

Kohn: Perhaps because of my background, I’m inclined to put the legal concerns, which are substantial in these circumstances, at the top of the list of considerations in making that judgment. Premature disclosure can give rise to difficult issues, but by the same token, the case for transparency and for a comprehensive approach to identifying the issues and communicating with all the stakeholders is certainly strong in order to mitigate risks.

The legal risks, and financial exposure, when you have that kind of situation, which I think is evident in all situations that we’ve seen in the last couple of years, can be very material. I think that, together with the legal considerations, the issue is very much about setting the right tone at the top. The instinct to try to minimize significant lapses that may exist is strong and the reason for doing that is not always nefarious. Rather, it can be perhaps a perspective that a situation can be managed best by attempting to minimize the situation. But when the facts don’t warrant that, if you’re not forthright and comprehensive in your response and disclosure, you end up giving a signal that you’re not serious. Whether that is the intended signal or not, that is communicated and can have reverberations that are harmful to the company.

Skroupa: Are scandals avoidable for large corporations?

Kohn: Companies can mitigate the risks, but I would say scandals are not avoidable. In the real world, situations will inevitably arise where people act improperly. Human nature is not going to change tomorrow, so we cannot avoid scandals, but companies, through governance structures, whistleblowing practices, setting the right tone at the top and so on, can do a good job of mitigating the risks of significant compliance issues.

Bostrom: The probabilities can certainly be reduced by creating and nurturing an ethical culture and sound enterprise-wide risk management programs. The consequences can be mitigated by a sound crisis management plan.

But it takes a commitment by the Board and management to focus on creating an ethical culture, sound enterprise-wide risk management, and an effective crisis management plan. There must be an active and ever-evolving assessment by the Board of the appropriate risk tolerance levels for the company, and communication of them to management. It is essential to have an integrated risk management program that identifies, assesses, prioritizes and mitigates the risks, and a crisis management program in place for when an identified risk or a new risk materializes.

Make sure that financial performance goals are not unachievable and that the compensation systems do not incentivize bad behavior. Be ever vigilant for red flags. For example: dismissal of the heads of control functions (legal, risk, audit and compliance); tolerance of de minimis violations because there is no harm or because the penalties or fines are cheaper than compliance; tolerance of audit findings not being remediated for long periods of time; absence of independent control functions and decentralized control functions; and an imperial CEO.

Originally published on Forbes.com.