The past few years have tested companies and their crisis and resilience capabilities in new and various ways. A global pandemic had far-reaching implications, and many companies also experienced a ransomware attack, major supply chain disruption, environmental disaster, major geopolitical event, or another crisis.

How did some companies seem to weather these storms more easily than others? It comes down to crisis planning. Companies with a robust, fluid, and well-rehearsed crisis plan were able to respond more quickly and do so more effectively.

Boards play a key role in this crisis preparedness. A director’s role is to ensure management makes the right decisions to support the long-term success and viability of a company. Earlier identification of potential crisis events and a better crisis response can have real benefits to the company’s brand and reputation, which in turn can translate to long-term shareholder value.

Boards will want to ensure that management is ready to handle a crisis—before, during, and after it occurs—whatever the crisis event might be. They can use their diverse perspectives and experiences to provide guidance and counsel to management when dealing with a crisis. And after a crisis, directors will want to ensure that the company continues to use lessons learned to improve its crisis planning. A nudge by the board to reflect on recent events and take a look at the effectiveness of its enterprise risk management program, crisis preparedness plan, and crisis response, will benefit the entire company. This will help the company be better prepared when the next crisis occurs.

You may be thinking that your company has been through a pandemic or another crisis so it knows how to deal with one. But performing a post crisis review and focusing on continuous improvement will position the company to come out ahead in the next crisis. Here, we’ll cover the key areas that should be addressed when considering your company’s preparedness.

Before a crisis: How effective is your company’s response plan?

Make sure there is a comprehensive crisis plan The best crisis plans are living documents. They are constantly updated and enhanced. It’s up to the board to push management on whether the company’s crisis response plan is up to date and ready to be deployed. This means making sure the plan has all the key elements and the right decision points. The plan should be crisis agnostic with the ability to flex to address various types of crises. It should also reflect lessons learned from what worked and didn’t work in the company’s own crisis experiences. The plan can also reflect insights learned from other companies whose crises have played out in the media. It should outline the designated crisis leader and the right cross-functiona crisis team members, and it should clearly define roles and responsibilities. It should also go beyond these topics to include outside expertise needed and the communication strategy and plan. Overall, the board should have confidence that the company can react quickly and effectively when a crisis event occurs.

We surveyed directors and only 28% told us that they understood the company’s crisis plan “very well.” This could be due to the board not spending the time to do so, or perhaps management had not presented the plan or developed a crisis plan. At this point, all companies and their sitting directors will have experienced a crisis and should have a better understanding of the crisis plan. A better plan can translate to an increased likelihood that the company can get back to normal more quickly and minimize the operational, financial, reputational, and other effects more successfully.

Boards will want to evaluate whether the plan has considered the critical elements. They should also assess whether the plan has enough detail to ensure the crisis team knows what to do when confronted with a problem. But it’s important to balance that detail with practicality. Since every crisis is different, there is no one-size-fits-all crisis plan.

Elements of effective crisis management plans

• Engages a cross-functional team for planning and execution
• Identifies crisis management leader(s)
• Delineates roles and responsibilities, including the CEO’s and board’s roles
• Defines the crisis escalation process
• Outlines expected crisis management activities
• Defines disaster recovery priorities
• Identifies outside advisors to retain as needed
• Provides guidance on crisis communication strategies, including use of social media
• Requires regular testing of the plan
• Implements a post-crisis performance assessment

As boards discuss the crisis plan with management, they will want to focus on who will be the designated crisis leader. All eyes should not be on the CEO, who should be involved, but needs to focus his/her attention on running the business during the crisis. The right person will have a senior leadership position and appropriate expertise, as well as stature and visibility across the business. Some companies may identify one person to consistently lead the crisis response team; others might have a few individuals lined up to lead, depending on the nature of the crisis. Either way, the board will want to make sure the company’s plan addresses the topic.

Another critical area for boards to look at is whether the crisis plan articulates a management-level governance structure that supports effective and timely decision making, communications, and accountability. As companies have dealt with crises, they likely experienced many competing priorities that needed immediate attention. The board will want to ensure the crisis plan articulates an approach to address this challenge with a company-wide response. They can ask about protocols that should be put in place for different workstreams, like communications, legal and regulatory, and operations to help with decision making and working closely together during a crisis.

Boards should also ask whether the crisis plan is aligned, coordinated, and tested with the disaster recovery plan and business continuity plan. There may be other plans too, like an incident response plan if there is a cyber breach. These plans are often developed individually at a company, but a centralized approach that includes and tests all plans together is critical for a company’s resiliency.

When a crisis occurs, the board needs to be informed at the right time. Some types of crises should trigger almost immediate notifications to the board, while in other cases, it may be appropriate to wait until the next board meeting. Recent crises that the company has navigated can provide an opportunity for the board to reflect and assess when it was notified, and whether that timeline was appropriate. If not, the board (working with management) can further define the board escalation expectations and the process in the crisis plan.

Ensure timely board escalation

When a crisis occurs, the board needs to be informed at the right time. Some types of crises should trigger almost immediate notifications to the board, while in other cases, it may be appropriate to wait until the next board meeting. Recent crises that the company has navigated can provide an opportunity for the board to reflect and assess when it was notified, and whether that timeline was appropriate. If not, the board (working with management) can further define the board escalation expectations and the process in the crisis plan.

The board will also want to discuss with management how it defines a “crisis” as well as what the quantitative and qualitative triggers are that will cause the board to be notified. It is valuable for the board to think through a variety of possible scenarios with management that would require board involvement. Board escalation procedures should be updated in the crisis plan for greater clarity and notification.

Get feedback on testing

With the increase in crises occurring at companies, a crisis response plan shouldn’t get filed away never to be looked at again. Boards will want to do their part in keeping this topic on the forefront by periodically putting crisis preparedness on their agenda. They will want to not only get an update from management on the current crisis plan, but also feedback on how the plan is continuing to be tested and what additional training and follow-up actions have been identified to improve the plan.

Boards can ask management about the different scenarios that it used to simulate a crisis and test the plan. These scenarios can be different from crises experienced by the company. Continual testing of the plan helps the crisis team understand how well the company would respond in real time, and whether roles and activities are working together as envisioned in the plan. It also can identify areas of confusion and uncertainty and expose gaps in the crisis response plan.

The board should make sure senior executives— including the CEO—are involved in crisis response plan testing. They set the tone and have critical roles. If the executives think a crisis exercise doesn’t warrant their attention, others won’t give it attention either.

Top 10 pitfalls of crisis management

Every crisis offers a learning opportunity. Captured below are the top ten mistakes that management can make when preparing for or dealing with a crisis. While these items are management’s responsibility, the board plays a role here, too. Directors will want to discuss and challenge management on how they are proactively preparing for and managing these pitfalls so that the company emerges stronger and more successfully from a crisis.

Before a crisis happens:

1) Having too many cooks in the kitchen. Identifying a crisis leader, team members, roles, responsibilities, and a governance structure is critical to a successful response.

2) Uncoordinated priorities. In the heat of a crisis, a weak governance structure— exacerbated by competing internal priorities—can lead to miscommunications, both internally and externally, which companies may later regret. Tackling the crisis piecemeal through siloed activities may sound like a good idea, but it can be more damaging than helpful.

3) Not recognizing familiarity bias. It’s natural to think of the next crisis in terms of what’s been splashed across the headlines. It can also lead to potential blindspots. The next crisis that the company faces may not look anything like those that have dominated headlines—and it may not be the one management expects.

4) Relying solely on “having” a crisis plan. “I have a plan” does not equate to a crisis response. While many companies say they have a crisis response plan, they also frequently forget to turn to it when a crisis occurs. A plan is only as good as its latest tests and training, which should be conducted frequently enough to create “muscle memory” to follow the plan when a crisis hits.

During a crisis:

5) Leaping before looking. Clear and accurate facts are not typically available as a crisis begins to unfold. Beware of the tendency to succumb to stakeholder pressures to take immediate action, before the company has a grasp of the full picture.

6) Not seeing the crisis for the trees. A toonarrow focus on the immediate or perceived issue, without considering other potentially impacted areas, is understandable. But that can lead to a cascade of secondary shocks and crises.

7) Minimizing the problem and paying for it later. Failing to acknowledge the severity of an issue—and not treating it with the respect it deserves—can severely damage a company’s reputation. History is replete with examples of companies that learned this the hard way, coming across as nonchalant, inauthentic, or even uninformed about the issue at hand.

8) Neglecting crucial stakeholders, including employees. When communicating under pressure, many companies tend to focus on one or two stakeholder groups at the expense of other, possibly more critical ones. Unfortunately, that can include employees, who are sometimes treated as an afterthought.

10) Losing authenticity—and credibility. Conducting the response in a way that is not aligned with the organization’s values can also damage the brand’s integrity—and the trust of its stakeholders—long after the crisis is over.

After a crisis occurs:

10) Not acting on lessons learned. The company has had a crisis, and focused on the facts—on the what and what’s next. But have you focused on the how and the why? Very few companies actually follow through and make changes based on a root cause analysis, which makes them significantly more vulnerable to the next one.

During a crisis: How does the board help management successfully navigate?

Once a company is in crisis response mode, the stakes are high. Companies—including the board— are judged on how well they respond. And if the response is mishandled, the impact will reach far beyond an operational problem. That’s when reputation and brand can really be eroded.

But as many boards and management will admit, responding to a crisis is hard. The scope of the crisis can be uncertain. Facts can be murky and inaccurate. News and rumors spread quickly through social and traditional media, adding to the pressure to respond quickly. On top of that, boards and companies may face pressure from stakeholders, the media, and the public to take action—even before they have a full picture.

As boards reflect on recent crises, they should discuss with management what went well and what didn’t go well in the company’s response. A critical assessment that targets improvements and pitfalls to avoid when a future crisis occurs is valuable.

Challenge the communications strategy

Having the right communications strategy internally and externally is critical when responding to an event. A company will want to tell its own story about how it is addressing the crisis. Without a communications strategy, a company can lose control of its story, or false narratives can take hold. This can result in damage to crisis efforts and company reputation. For these reasons, the board should understand and challenge management’s strategy on what the company should say, who should say it, and when they should say it. Importantly, people will want to know how the company is responding, even if the answer is, “we don’t know the answers yet.” Perception matters to stakeholders and acknowledging the issue is often more advantageous than staying silent.

Frequent communications and updates on the crisis are a necessity. As the crisis continues to unfold, directors should expect to get clear messaging on what is happening, who is accountable, how the company is responding, and what will be done next to address problems in the wake of the crisis. The board should push back if the communications don’t appear to align with the company’s core values, which can build significant trust with stakeholders long after the crisis is over.

Typically, the board should expect to see outside advisors built into the crisis plan and response. Law firms can advise on required communications, such as those that must be made to regulators. They can offer perspectives on how to ensure that any disclosures the company makes voluntarily don’t expose it to increased liability. Crisis communications experts can guide senior management on a communications strategy, including how frequently to make statements despite the absence of additional information. Crisis management firms can also provide strategic advice and additional resources to help a company balance responding to a crisis and running the business. In assessing the company’s response to recent crises, boards should ask management to reflect on whether they had all the right parties and experts involved from the start. Was there anyone that needed to be included in the last crisis that wasn’t part of the plan? If so, these learnings should be updated in the crisis plan.

Boards should also be aware that while the CEO is typically the company’s main spokesperson, that can present a problem if the CEO’s credibility is badly damaged—particularly if he or she is at the center of the crisis. Such cases often require someone else to step into the spokesperson role. That may be an interim company leader or even the board chair or lead director. The possibility of that situation means that the board should have a ready backup for the CEO in terms of a spokesperson as part of the board’s crisis response plan.

It can be valuable for boards to regularly review feedback from inside and outside the company to gauge how well the company is responding. Directors can follow news and social media channels to stay current, as well as get “sentiment analysis” from outside experts. Directors can also hold executive sessions with these experts just to be sure they’re getting the full picture. The board will need to challenge management and demand course correction if it senses that the messages aren’t working.

Management and the board should have an agreed upon approach for board communications. The board should expect to be updated regularly on how the crisis is being handled. As boards look back on their involvement in crises, they probably had a significant increase in communications with management and board meetings. But the board should ensure this communication is being done in the right way.

Sometimes a board designates a liaison to interact with the crisis team. Other times a board may elect to use a committee or the full board, depending on the nature of the crisis. Standing, frequent board calls can also be important. They provide an opportunity for all board members to discuss and weigh in on the latest events. These calls can occur daily or even more frequently at the height of the crisis. Whatever practices the board adopts, what’s critical is that it works for the board and for the situation. By updating the board-level crisis plan with the communication preferences learned through its experiences, the board can try to create a better experience next time.

Address all stakeholders

When communicating under pressure, companies tend to focus on one or two stakeholder groups, who may have the loudest voices, at the expense of other, possibly more critical ones. Boards play a role in ensuring the communications strategy includes communications with all stakeholders and considers their diverse needs and interests. They will want to ask the crisis team about feedback from stakeholders to ensure the company’s response is resonating with them and what additional actions can be taken to address concerns.

Internal communications are as important as external communications. In a crisis, management may be so externally focused that they overlook communications with their employees. Boards will want to make sure this critical stakeholder group gets attention. Employees are often the company’s strongest advocates and actively engaging with them during a crisis can help in the long term in retaining and attracting talent. Employees will continue to perform their responsibilities, deal with customers, and interact in their communities. They need to be informed about the crisis, receive regular updates, and know where to go to get more information and ask questions.

Get ahead of other risks

While the crisis team has to focus on the current crisis, the board will want to maintain a focus on the long term. They will want to ensure there are dedicated resources to look around the corner for follow-on effects in other areas of the business, particularly if a crisis is longer term. These individuals will want to look for other risks and opportunities that may present themselves over the next three, six, nine months or longer. There may be an impact on other business relationships, supply chains, workforce morale, and job security, to name a few. Getting ahead of these areas helps a company emerge from a crisis even stronger.

The ripple effect of crises

Crises can change a company’s risk profile quickly. A crisis event can trigger other risks at a company—that may not have been anticipated. As part of the company’s enterprise risk management program, a risk interconnectivity analysis can help identify these related risks. This way they can be managed and monitored alongside the core risk and accounted for considering the overall risk appetite framework. For example, the recent pandemic may have caused health and safety risks, liquidity risk, supply chain risk, cyber risk, and other business risks.

Remember the rest of the company

It’s easy for companies to get overwhelmed in a crisis. The board may need to step up their day-to-day involvement and oversight of management in order to keep the company on track. The management team will likely need to lean on the board for guidance. It demands a significant amount of time and energy from the CEO and senior leadership. But losing sight of the ongoing business can make the impact of the crisis worse. Competitors will be watching for ways to profit from a company’s woes. And other more nefarious actors— like cybercriminals—may also try to exploit various vulnerabilities, relying on the fact that management is distracted. Staying focused on the company’s operations in the midst of a crisis is imperative, and boards will want to monitor that this is happening.

After a crisis: How do we get better?

Once a crisis has passed, the tendency is to get back quickly to “business as usual.” But unless there’s a thoughtful post-event review and adjustments, if needed, to the crisis response plan, the company risks repeating any mistakes it made in future crises.

Discuss root causes and improve response plans

Directors will want to understand the root causes of the crisis the company has just weathered. This allows the board to weigh in and discuss whether appropriate follow-up actions have been taken. There may need to be an investigation based on the nature of the crisis, and management will often lead such investigations. But if management itself seems to be at the heart of the crisis, or if the event was significant enough, it may make sense for the board to decide whether an independent investigation is needed.

In addition to looking at root causes, there should be a continuous improvement mindset for the crisis response plan. Directors will want to discuss with management what was learned and how the plan will be improved as a result. It also can be valuable for management to get an external, objective assessment of the company’s crisis response for a different perspective from those that participated in it.

Don’t forget a post-event review

Once the crisis is over, a critical assessment of how well the company responded is valuable. Boards will want to have a candid and open discussion with management. They can consider asking management the following questions:

• Right crisis team: Did we have the right executives on the crisis team? Did we have the right internal subject matter experts and did we leverage the right outside experts? Is the team sustainable in the event of a long-term crisis?
• Useful plan: Did we have an enterprise-wide crisis response or continuity plan? Did we use it? Was it effective?
• Clear accountability: Was it clear who had decision making authority? Did it take too long to make decisions? Were there any bottlenecks in the process?
• Effective and timely communications: Were our communications to key stakeholders on point? Were they timely and was the frequency right? Could we have been bolder?
• Stakeholder focus: Did we consider all of our stakeholders? Did we address their key concerns? Were there a lot of unanswered questions?
• Response to feedback: Were we agile enough to respond to feedback from our stakeholders? From the market? Did we understand what our competitors were doing and were we able to react or respond quickly, if appropriate?
• Useful technology and data: Did we have the right tools to assist in our crisis response? Did we have the data we needed to make critical decisions in a timely manner? Is there a technology solution that we should have employed that would have made things easier to track crisis activities and provide relevant data and dashboards?

In conclusion…

Knowing the company has a sound crisis response plan can give directors greater confidence that management is ready to respond to a future crisis. Since many directors have had to deal with crises in their executive roles, they can use their experience to advise management. The better the plan and the more coordinated the effort to test and execute it, the more likely it will help a company handle a crisis quickly and effectively. Robust crisis preparedness can be viewed as a competitive advantage.