Crisis management and the board

Crisis management is a vital organizational function, enabling resilience and mitigation against potential adverse implications associated with disruptive events such as financial instability, cyberthreats, operational breakdowns, and reputational harm—any of which may jeopardize ongoing operations and an organization’s long-term viability. The board of directors plays a crucial role in this area by providing strategic oversight, establishing governance frameworks, and making informed, important decisions, particularly in today’s increasingly complex risk landscape.

This Board Practices Quarterly is based on a recent survey of members of the Society for Corporate Governance representing public and private companies. The survey, fielded in Q4 2025, examined organizational crisis preparedness and board governance, including topics such as crisis plan formalization, types of crises addressed in the plan, management functions within crisis teams, and the role of the board of directors.

Respondents, primarily corporate secretaries, in-house counsel, and other governance professionals, represent 76 public companies and 17 private companies of varying sizes and industries,¹ and the findings pertain to these companies. The actual number of responses for each question is provided. Some survey results may not sum to 100% as questions may have allowed respondents to select multiple answers.

Highlights

• Cybersecurity incidents/data breaches are commonly reported crises: Public companies most often report facing reputational, cybersecurity incident/data breach, and supply chain/geopolitical crises, while private companies most often report facing regulatory investigations, cybersecurity incident/data breach, and major litigation.
• Many have plans, but associated practices vary: Most respondents report having a formal, documented crisis management plan, but whether and how often the plan is reviewed or tested varies across organizations.
• Coverage gaps exist between “experienced” and “planned for” crises: Survey results indicate gaps crises organizations have experienced and those anticipated and included in crisis plans. Some crises (like major litigation and regulatory investigations) are experienced more often than they are included in plans.
• Readiness practices differ: Most companies define when their board should be involved in a crisis, but whether companies delineate board vs. management responsibilities in a crisis yielded disparate results (25%–73%).