Natalie Cooper, a Senior Manager at Deloitte LLP, and Randi Morrison, General Counsel and Chief Knowledge Officer at the Society for Corporate Governance, have co-authored a comprehensive report, “Board Practices Quarterly: Crisis Management and the Board,” which delves into the critical role of boards of directors in navigating organizational crises. This extensive analysis, based on a recent survey of members from the Society for Corporate Governance, highlights the current state of crisis preparedness and governance across a spectrum of public and private companies. The report, also authored by Christine Davine, Maureen Bujno, Krista Parsons, and Caroline Schoenecker, underscores that effective crisis management is not merely a reactive function but a proactive strategic imperative for organizational resilience in an increasingly unpredictable global landscape.
The Evolving Landscape of Corporate Crises
In today’s interconnected and rapidly changing world, organizations face a growing array of potential disruptive events. These can range from severe financial instability and sophisticated cyberthreats to operational breakdowns, supply chain disruptions, and significant reputational harm. Any of these challenges, if not adequately managed, can jeopardize ongoing operations and the long-term viability of a company. The board of directors, as the ultimate oversight body, is tasked with providing strategic direction, establishing robust governance frameworks, and making informed decisions that are paramount to weathering these storms. The findings of this report, fielded in Q4 2025, offer a granular look at how companies are preparing for and responding to these threats.
The survey engaged professionals such as corporate secretaries, in-house counsel, and other governance experts, representing a diverse group of 76 public companies and 17 private companies. These organizations span various sizes and industries, providing a broad and representative sample of current corporate practices. The report meticulously details the findings, organized into sections that present aggregate results for public companies and then delve into more specific breakdowns for private companies and public companies categorized by market capitalization.
Key Findings: Public Company Crisis Preparedness
The report’s findings reveal a landscape where crisis management is recognized as vital, yet preparedness levels vary. When asked about the types of crises their organizations had faced in the last three years, a significant portion of the 71 surveyed public companies reported experiencing a range of challenges. The most frequently cited crises included brand or reputational incidents, data breaches or cybersecurity incidents, and supply chain disruptions or other geopolitical developments. These findings underscore the multifaceted nature of modern business risks, demanding a holistic approach to crisis planning.
A substantial majority of public companies have formalized their crisis management efforts. Out of 69 respondents, a significant percentage indicated that their company has a formal, documented crisis management plan. This suggests a growing awareness of the need for structured protocols to guide responses during challenging times. However, the presence of a formal plan is only the first step. The report further probes the content of these plans.
Content and Scope of Crisis Management Plans
When examining what potential issues are specifically addressed within these crisis management plans, the data shows a clear focus on certain high-probability threats. Data breaches or cybersecurity incidents and natural disasters emerged as the most commonly included topics. This aligns with the reported experiences of companies, indicating a practical application of planning efforts towards prevalent risks.
Interestingly, the survey also highlighted some discrepancies between the crises companies have experienced and those explicitly addressed in their plans. For instance, while supply chain disruptions and geopolitical developments were frequently reported as experienced crises, their inclusion in formal plans showed some variation. Similarly, regulatory investigations, a significant concern for many, were not universally integrated into all crisis management frameworks.
The components included within these crisis management plans are also a critical indicator of preparedness. The survey revealed that common inclusions are communication response plans, data breach or cybersecurity incident response plans, and business continuity plans. These elements are foundational for mitigating damage and ensuring operational continuity during a crisis. However, the report also points out that some crucial elements, such as clear delineations of board versus management responsibilities in crisis situations, were less consistently present in the plans of some companies, particularly private ones.
The Role of the Board in Crisis Management
The board of directors plays an indispensable role in crisis management, extending beyond mere oversight. The survey explored the board’s involvement in preparation, revealing that a significant portion of public companies involve their boards in reviewing the crisis management plan, evaluating crisis response capabilities, and participating in post-crisis reviews. These activities are crucial for ensuring that the organization learns from past events and continuously improves its resilience.
Scenario planning and tabletop exercises are vital tools for testing crisis readiness. The findings indicate that while a portion of boards engage in these exercises, there is still considerable room for improvement. Fewer than 10% of large- and mid-cap companies and private companies reported that their full board participates in scenario planning and/or tabletop exercises. However, the data also suggests a growing interest, with a notable percentage of companies considering increased board participation in the future. This indicates a recognition of the strategic value of such exercises in preparing directors for their critical decision-making roles during a crisis.
Divergent Preparedness: Public vs. Private Companies and Market Cap Variations
The report’s appendix provides valuable insights into the differences in crisis management practices between public and private companies, as well as across different market capitalization segments.
Public Companies by Market Cap:
- Experienced Crises: Large-cap companies were more likely than mid-caps to report experiencing brand or reputational incidents (44% vs. 22%) and supply chain disruptions or geopolitical developments (41% vs. 22%). Conversely, mid-cap companies reported experiencing regulatory investigations at a higher rate than large-caps (25% vs. 6%).
- Formalized Plans: While a majority of both large- and mid-cap companies have formal crisis management plans, 31% of mid-caps and 13% of large-caps indicated they did not have a formalized plan. Among those with plans, large-caps were more likely to review and test them annually or biennially (57% vs. 25% for mid-caps).
- Plan Content: Both segments commonly included data breaches and natural disasters in their plans. However, executive misconduct or leadership crises were addressed by a larger percentage of mid-caps (35%) compared to large-caps (18%).
- Board Involvement: Mid-cap companies reported higher levels of board involvement in crisis management preparation, including reviewing plans, evaluating response capabilities, and participating in post-crisis reviews, compared to large-caps.
- Scenario Planning: Board participation in scenario planning and tabletop exercises was low across both segments, though mid-caps showed a greater consideration for future board involvement.
Public vs. Private Companies:
- Experienced Crises: Private companies were significantly more likely to face regulatory investigations (41% vs. 15% for public companies) and executive misconduct or leadership crises (18% vs. 3% for public companies).
- Formalized Plans: A strong majority of private companies (82%) have formalized plans, with 44% reviewing and testing them annually or biennially. Notably, no private company respondent indicated having no plan or protocols in place.
- Plan Content: Private companies reported including fewer specific elements like board vs. management responsibilities and internal/external communication plans compared to public companies.
- Crisis Management Teams: Private companies were less likely to include Investor Relations, the Corporate Secretary’s Office, Corporate Communications/PR, and Risk Management in their designated crisis management teams.
Implications for Corporate Governance and Resilience
The findings from this Deloitte and Society for Corporate Governance report offer critical insights for boards and management teams striving to enhance organizational resilience. The increasing complexity and interconnectedness of global risks necessitate a proactive and strategic approach to crisis management.
The prevalence of cyber threats and reputational risks highlights the need for robust cybersecurity measures and proactive reputational management strategies, integrated into crisis plans. The variations observed between public and private companies, and across market caps, suggest that tailored approaches to crisis preparedness are essential. Companies, particularly those with less formalized plans or lower levels of board engagement in crisis preparedness, may face a heightened risk of significant disruption and prolonged recovery periods.
The report implicitly suggests that a gap exists between the recognition of crisis management’s importance and its consistent implementation across all facets of an organization. The board’s active involvement in scenario planning, tabletop exercises, and regular reviews of crisis management frameworks is not merely a governance best practice but a fundamental requirement for effective oversight and strategic decision-making during times of adversity. As organizations continue to navigate an uncertain future, strengthening crisis preparedness will remain a top priority for ensuring long-term sustainability and stakeholder trust. The ongoing collaboration between Deloitte and the Society for Corporate Governance promises to shed further light on evolving best practices in this critical domain.