"Board Oversight in Crisis: Why Preparation is the Key to Navigating Operational Disruptions"

Operational disruptions are not just possible - they’re inevitable. Whether caused by extreme weather, global supply chain issues, political unrest, vulnerabilities with third-party partners, or cyberattacks, every organization will face a crisis at some point. It’s not a matter of “if” but “when.” This reality makes it imperative for the Board of Directors and the CEO to ensure their company is not only prepared for these disruptions but has a plan in place to handle them effectively when they occur. Crisis preparedness isn’t just good practice; it’s an essential part of a company’s long-term success and resilience.

Yet, despite this critical need, only 48% of companies have created a formal crisis management escalation policy, according to PwC's 2024 Annual Corporate Directors Survey. This statistic is staggering, especially when you consider that 96% of directors surveyed believe they are capable of guiding their companies through a crisis. The confidence is there, but it raises the question: Could the absence of a formal policy and plan compromise the company’s ability to weather a storm? I’ve found, through my experience as both a Board Member and CEO, that having a well-thought-out policy and framework in place can make all the difference between successfully managing a crisis and being overwhelmed by it.

The stakes are only getting higher. Even with a crisis management plan, laws change, new risks emerge, and companies still face threats from malicious actors or environmental events. Regulators, investors, and other stakeholders are no longer just hoping companies have a crisis plan in place - they are demanding it. For example, the SEC’s new cyber disclosure rules, adopted in July 2023, require companies to provide a detailed account of how they assess and manage cyber risks. This kind of transparency is becoming the norm, and companies that fail to comply or are slow to respond to crises risk more than just financial loss - they risk damage to their reputation, investor trust, and regulatory standing.

So, why the gap between perceived preparedness and formal planning? Is it overconfidence or hubris? Whatever the reason, it’s a potential disaster waiting to happen, and boards need to take proactive steps to address it.

First, the Board should engage directly with the C-suite - particularly the CEO, CFO, CIO, and Chief Risk Officer - to establish and continually update processes and controls aimed at minimizing risks associated with the company’s key vulnerabilities. It’s not enough to have a plan sitting in a drawer; that plan needs to be actionable, and the company needs to have a playbook for how to respond when those risks materialize. Regular reviews, ideally conducted by external parties, can ensure that crisis management strategies stay relevant and effective.

It’s also essential for the Board to understand how the company’s crisis management plan compares to standardized frameworks like the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Benchmarking the company’s preparedness against industry standards - and even against competitors - can provide valuable insights into potential weaknesses and areas for improvement.

The goal should be to develop a holistic risk management process that not only minimizes the impact of bad actors and external events but is also tested and implemented thoroughly across the organization. The team should be clear on what to do, who to involve (including external experts when needed), and how to communicate effectively when a crisis hits. Having these protocols in place could mean the difference between a brief operational hiccup and a full-blown crisis, potentially saving the company millions of dollars and safeguarding its reputation.

A culture of risk awareness must be embedded within the organization. The Board plays a crucial role in ensuring that crisis preparedness is integrated into the company’s strategic planning and day-to-day operations. Critical vulnerabilities should be addressed in the budgeting process, and capital must be allocated to mitigate these risks. Leadership communications should reinforce the importance of risk management throughout the company, ensuring that employees (especially those on the front lines) are well-versed in the protocols and trained to act swiftly in a crisis. Regular tabletop exercises and “lifeboat drills” can help reinforce these practices and make crisis responses second nature.

Additionally, the Board should insist that key performance metrics include not just financial outcomes but also measures related to employee training and awareness of threats, such as cybersecurity risks. By doing so, crisis preparedness becomes ingrained in the company's culture, not just a box to check during an annual review.

Every Board member needs to ask themselves whether their organization requires a formal crisis management escalation policy. If the answer is yes, and in today’s unpredictable environment, it’s hard to imagine a scenario where the answer would be no, then there’s work to be done. The fact that half of companies still don’t have such a policy is a glaring gap that needs to be addressed.

A comprehensive approach to crisis preparedness should involve thoughtful oversight, clear reporting structures, and a collaborative relationship between the Board and the executive leadership team. By building a robust crisis management framework, companies will not only be better equipped to handle disruptions but will also position themselves to recover faster, limit financial damage, and maintain stakeholder trust. In a world where crises are inevitable, preparation is not just a safeguard - it’s a competitive advantage.
