Board Practices: Crisis Management and the Board

Crisis management is a vital organizational function, enabling resilience and mitigation against potential adverse implications associated with disruptive events such as financial instability, cyberthreats, operational breakdowns, and reputational harm—any of which may jeopardize ongoing  operations and an organization’s long-term viability. The board of directors plays a crucial role in this area by providing strategic oversight, establishing governance frameworks, and making informed decisions that are important, particularly in today’s increasingly complex risk landscape.

This Board Practices Quarterly is based on a recent survey of members of the Society for Corporate Governance representing public and private companies. The survey, fielded in Q4 2025, examined organizational crisis preparedness and governance, including topics such as crisis plan formalization, types of crises addressed in the plan, management functions that participate in crisis teams, and the role of the board of directors.

Respondents, primarily corporate secretaries, in-house counsel, and other governance professionals, represent 76 public companies and 17 private companies of varying sizes and industries,[1] and the findings pertain to these companies. The actual number of responses for each question is provided. Some survey results may not sum to 100% as questions may have allowed respondents to select multiple answers.

Findings are organized into two sections: the first presenting results for public companies in the aggregate, and an appendix that sets forth results for private companies and public companies by market cap size.

• Cybersecurity incidents/data breaches are commonly reported crises: Public companies most often report facing reputational, cybersecurity incident/data breach, and supply chain/geopolitical crises, while private companies most often report facing regulatory investigations, cybersecurity incident/data breach, and major litigation.
• Many have plans, but associated practices vary: Most respondents report having a formal, documented crisis management plan, but whether and how often the plan is reviewed or tested varies across organizations.
• Coverage gaps exist between “experienced” and “planned for” crises: Survey results indicate gaps between crises organizations have experienced and those anticipated and included in crisis plans. Some crises (like major litigation and regulatory investigations) are experienced more often than they are included in plans.
• Readiness practices differ: Most companies define when their board should be involved in a crisis, but whether companies delineate board vs. management responsibilities in a crisis yielded disparate results (25%–73%).

Which, if any, of the following types of crises has your organization faced in the last three years? Select all that apply. (71 responses)

Does your company have a formal, documented crisis management plan? (69 responses)

Which of the following potential issues does the crisis management plan specifically address? Select all that apply. (46 responses)

Note: No respondent answered “Not applicable as there is no formal plan.”

Which of the following are included in your company’s crisis management plan? Select all that apply. (43 responses)

Note: 2% of respondents answered “Not applicable as there is no formal plan,” and 2% answered “Other (please specify).”

Which departments or functions are included in your organization’s designated crisis management team? Select all that apply. (53 responses)

Note: 4% of respondents answered “Not applicable, e.g., we do not have a designated crisis management team.”

What is your board’s role in crisis management preparation? Select all that apply. (54 responses)

Note: 4% answered “Other (please specify).”

What best describes your board’s involvement in scenario planning and/or tabletop exercises? (53 responses)

Which, if any, of the following types of crises has your organization faced in the last three years? Select all that apply.

For public companies, the most reported crises were brand or reputational incident; data breach or cybersecurity incident; and supply chain disruption or other geopolitical developments. For private companies, the crises most commonly faced were regulatory investigation; data breach or cybersecurity incident; and major litigation.

There are a few notable differences between market caps. In particular, 44% of large-caps compared to 22% of mid-caps reported experiencing a brand or reputational incident; 41% of large-caps compared to 22% reported experiencing a supply chain disruption or other geopolitical development; and 25% of large-caps compared to 6% of mid-caps reported experiencing a regulatory investigation.

Some notable differences between public and private companies pertain to regulatory investigations (15% public companies; 41% private companies) and executive misconduct or leadership crisis (3% public companies; 18% private companies).

Does your company have a formal, documented crisis management plan?

A majority of both large- and mid-caps have a formal crisis management plan; however, 31% of mid-caps and 13% of large-caps do not have a formalized plan. Of those with a formalized plan, 57% of large-caps and 25% of mid-caps review and test their plans at least annually or biennially; another 28% of mid-caps review (but do not test) their plans.

82% of private companies have a formalized plan, and 44% review and test it at least annually or biennially

Note: No private company respondent answered “No plan or protocols in place.”

Which of the following potential issues does the crisis management plan specifically address? Select all that apply.

Both large- and mid-caps include data breach or cybersecurity incident and natural disaster among the topics most frequently addressed in their crisis management plans. Overall, results were fairly consistent across market caps with a notable difference in whether the crisis plan includes executive misconduct or leadership crisis, reported by 18% of large-caps and 35% of mid-caps.

For private companies, the most common responses were data breach or cybersecurity incident; natural disaster; and plans that do not address specific discrete topics.

Responses for “Other (please specify)” included “sudden severe illness/physical incapacity or death of CEO and/or CFO (not misconduct related),” “pandemic,” and “facility crime/violence.”

There are some noteworthy discrepancies between the prevalence at which some crises have been experienced (mentioned earlier in this report) and whether the particular crisis is included in the crisis management plan, specifically:

• 41% of large-caps experienced a supply chain disruption or other geopolitical development; 32% include this issue in their crisis management plan.
• 28% of large-caps experienced major litigation; 9% include this issue in their crisis management plan.
• 25% of large-caps experienced a regulatory investigation; 9% include this issue in their crisis management plan.
• 41% of private companies experienced a regulatory investigation; 8% include this issue in their crisis management plan.
• 35% of private companies experienced major litigation; 8% include this issue in their crisis management plan.
• 29% of private companies experienced a brand or reputational incident; 8% include this issue in their crisis management plan.

Note: No respondent answered “Not applicable as there is no formal plan.”

Note: No respondent answered “Not applicable as there is no formal plan” and “Other (please specify).”

Which of the following are included in your company’s crisis management plan? Select all that apply.

The greatest variation between market caps were:

• Delineation of board vs. management responsibilities in a crisis, as reported by 73% of large-caps and 53% of mid-caps
• Scenario planning/tabletop exercises, as reported by 64% of large-caps and 47% of mid-caps
• Determination of external advisors, as reported by 59% of large-caps and 41% of mid-caps

Compared to public companies, relatively fewer private companies reported a delineation of board vs. management responsibilities or internal and external communication response plans.

Responses for “Other (please specify)” included “a communications response plan that is separate from the crisis management plan” and “a separate data breach policy/plan.”

Note: No large-caps and 6% of mid-caps answered “Other (please specify)” and “Not applicable as there is no formal plan.”

Note: No respondent answered “Not applicable as there is no formal plan.”

Which departments or functions are included in your organization’s designated crisis management team? Select all that apply.

Large- and mid-cap findings were fairly consistent, with the most notable differences in departments included in the designated crisis management team being:

• Legal, as reported by 79% of large-caps compared to 92% of mid-caps
• Human Resources/Talent, as reported by 50% of large-caps compared to 69% of mid-caps

Compared to public companies, relatively fewer private companies reported including the following departments: Investor Relations, Corporate Secretary’s Office, Corporate Communications/PR, and Risk Management.

Responses for “Other (please specify)” included Operations, Internal Audit, and Contract functions, as well as crisis-dependent (e.g., a team is created based on the nature of the incident).

Note: 8% of large-caps and no mid-caps answered “Not applicable, e.g., we do not have a designated crisis management team.”

Note: 7% answered “Not applicable, e.g., we do not have a designated crisis management team” and no respondent answered “Investor Relations.”

What is your board’s role in crisis management preparation? Select all that apply

Compared to large-caps, mid-caps reported higher levels of board involvement across several answer choices pertaining to crisis management preparation—particularly review of the crisis management plan, evaluation of crisis response capabilities and readiness, and participation in post-crisis review.

Responses for “Other (please specify)” included “the plan provides for when executives inform the board of an incident” and “periodic updates to the board on how we handle various types of crises, so they have effective oversight.”

Note: 4% of large-caps and mid-caps answered “Other (please specify).”

Note: 7% of respondents answered “Other (please specify)” and no respondent answered “Development of crisis management framework.”

What best describes your board’s involvement in scenario planning and/or tabletop exercises?

Fewer than 10% of large- and mid-caps and private companies reported that their full board participates in scenario planning and/or tabletop exercises or that a designated board member(s) or committee participates and reports back to the full board.

While board participation is not widely reported, 42% of mid-caps are considering board participation, compared to 4% of large-caps and 14% of private companies.

Responses for “Other (please specify)” included “the board does not regularly participate but can choose to participate voluntarily to observe,” “there is a tabletop specifically for the board,” and “the board is informed of the annual tabletop exercise outcome.”

1 Public company respondent market capitalization as of December 2024: 43% large-cap (which includes mega- and large-cap) (> $10 billion); 47% mid-cap ($700 million to $10 billion); and 9% small-cap (which includes small-, micro-, and nano-cap) (< $700 million). Respondent industry breakdown: 29% consumer; 26% financial services; 25% energy, resources, and industrials; 14% technology, media, and telecommunications; and 5% life sciences and health care. Private company respondent annual revenue as of December 2024: 53% large (> $1 billion); 29% medium ($250 million to $1 billion); and 12% small (< $250 million). Respondent industry breakdown: 47% financial services; 24% consumer; 18% energy, resources, and industrials; 12% technology, media, and telecommunications; and 0% life sciences and health care. Small-cap findings have been omitted from this report due to limited respondent population.(go back)