Crisis Management 2026 Comparisons

Though crisis management practices are constantly evolving, the last 12 months have seen a marked shift in how a broad range of organisations – from Fortune 500 companies to non-profits and leading civic institutions – think about and seek to address their crisis management needs. The factors driving this rapid change include both understood and emergent geopolitical risks, rapid shifts in the legal and regulatory landscapes precipitating a re-evaluation of business and enterprise-wide objectives, a reorientation towards external pressure being driven by government (federal and state) actions rather than non-governmental events or actors, and general uncertainty affecting public attitudes and market trends. These factors, coupled with an increasingly diffuse and fraught media environment and technological transformation driven by the rapid build-up and deployment of artificial intelligence (AI)/large language model (LLM) technologies, have created a dynamic moment for organisations and practitioners to reassess how they practise and execute their crisis management strategies before, during and after a specific matter arises.

While crisis management practices have always been on the radar of corporate and organisational leaders, the last year has seen crisis management take on a significantly more prominent role across sectors and within organisations. Faced with a broad range of salient threats and risks to their operations, leaders have increasingly abandoned taking a “wait and see” approach to preparing for potential crises, instead adopting a “prepared and ready” posture when it comes to identifying and readying for internal and external enterprise risks. As part of this sea change, crisis preparation and management are no longer something for executives to delegate and be read in on later – increasingly, top executives are taking a more active role in understanding and shaping crisis-readiness plans, ensuring that awareness and the ability to respond to risks is a well-honed function from the most junior employees all the way to the C-suite.

In practice, this new stance has been defined by corporations, institutes of higher learning, health systems, global civic organisations, and other organisations increasingly prioritising the time and resources they dedicate to crisis-preparation needs, ensuring they have the appropriate operational infrastructure and internal and external stakeholder engagement plans in place before they need them. This increasingly includes much more robust scenario planning that goes beyond matters considered standard for such exercises – eg, dealing with a cyber-attack, on-site security incident, or death of an executive – and contemplating how to prepare for emergent risks ripped from the headlines, including becoming the target of a government inquiry, shareholder activism, corporate restructuring, more aggressive scrutiny from state and federal agencies, and adverse regulatory actions affecting permissions to operate. This new posture has allowed organisations to fully evaluate their communications and operations to identify gaps and ensure alignment on messaging, escalation protocols, and response strategies, all before becoming a target.

Characteristic of the last 12 months is a broadening of risk, such that virtually all industries are potentially vulnerable to an enterprise-threatening crisis or issue. Businesses and industries that may have previously considered themselves more insulated from public scrutiny – eg, the non-profit, higher education, professional services, and retail sectors – are indeed susceptible to political, economic and social volatility – and from a broader range of stakeholders – not to mention enduring operational risks like cyber-attacks and supply-chain disruptions.

This is reflected in trends this year around crisis preparation as more businesses and organisations shift to a proactive approach in readying their response strategies and, in best practice cases, adjusting how they operate and communicate with key stakeholders before an issue arises, to foment trust and support. In the past, organisations with more intensive physical operations – eg, manufacturing, oil and gas, aerospace, healthcare, and others – have led the way in crisis-preparedness best practices. Recent months and years, however, have seen many more industries prioritise this critical business planning.

More so than particular sectors, organisations with under-developed workforce communications strategies have been challenged, as the line between internal and external communications has become ever blurrier. Internal stakeholders are increasingly attentive to what their employer is communicating externally to the market, to clients, and to the media – and vice versa. Internal communications rarely remain so, and the past 12 months have seen a number of companies face scrutiny (including from regulators and elected officials) over perceived inconsistencies in messaging and values. This trend highlights the importance of a cohesive, holistic approach to communications to ensure a consistent narrative across internal and external audiences.

No two crises present the same legal landscape, and in the US, applicable rules can vary state by state and industry by industry. For this reason, legal advisers, both internal and external, should be embedded in the crisis response team from the outset, not only to navigate real-time obligations but to protect the organisation against the downstream legal exposure that so often follows.

There is no applicable information in this jurisdiction.

There is no applicable information in this jurisdiction.

Government actors, including federal, state and local independent agencies, regulators and policymaking bodies, can play a significant role in a crisis based on the nature and magnitude of the situation. Potential crises confronting companies and major institutions, including environmental disasters, shareholder activist campaigns, significant cyberbreaches, incidents involving law enforcement, corporate restructuring, and product recalls, are more likely than ever to require engagement with government entities. For this reason, it is imperative that government relations/public affairs functions be readily integrated into broader crisis mitigation planning and response frameworks. These entities can be one of, if not the most important, stakeholder audience in the event of a crisis, so ensuring that insights and perspectives from internal and external government relations professionals are incorporated as part of a broader strategic response can be invaluable.

As noted in 2.1 Primary Laws, regulations applying to many common crisis scenarios can vary widely at the state and national level. For instance, a data breach may trigger dozens of overlapping notification requirements spanning state statutes, federal regulations, and private contractual commitments, each with its own timeline and procedural demands. Companies must incorporate these differing obligations into their overall communications approach, guided always by legal counsel.

Central to any crisis response strategy should be ensuring that the affected entity is able to continue to have permission to operate, fulfil its mission, and achieve its business and organisational objectives. A key facet of any crisis plan therefore needs to acknowledge and address the critical role played by state and municipal regulatory bodies, as well as other policymakers and law enforcement entities, in the event of a crisis. Whether it be state attorneys general, legislators, or a local mayor, school system, or county commissioners, these stakeholder audiences can play a significant role in a crisis, particularly in the event the matter affects their constituencies. Strategies should also contemplate the growing trend of local and state officials co-ordinating efforts, particularly with respect to state attorneys general, resulting in multi-district litigation or joint federal-state enforcement efforts. In some cases, these groups can even be valuable surrogates supporting an organisation or highlighting its value in times of crisis. For this reason, it is imperative that crisis response teams identify these stakeholders as part of a broader planning process and contemplate the best way to engage them, should internal and external events require a broader crisis response.

When a crisis raises questions about institutional judgment or conduct, appointing an independent monitor or oversight body can be a powerful signal to regulators, courts and the public that the organisation is committed to accountability beyond its own walls. Independent oversight or investigation also creates a contemporaneous record of good-faith remediation efforts, which can prove valuable from both a legal and reputational standpoint in the future.

Companies and other organisations responding to a crisis must always incorporate as part of their strategy any mandatory reporting requirements or other regulatory obligations they are required to fulfil in the event of a crisis. Particularly for publicly traded companies, entities such as the Securities and Exchange Commission and Financial Conduct Authority frequently have in place specific obligations with respect to disclosing material information to investors and providing transparency under certain regulations. Similarly, companies dealing with a cybersecurity incident or other unplanned disclosure of customer information (eg, health records) frequently face specific reporting requirements to regulators and notification obligations to customers as dictated by local and federal laws. In all crisis situations, understanding these obligations and incorporating them within the broader legal and crisis response strategy should be a priority for crisis response teams, as these mandatory filings and/or customer notifications can be a key impetus for both public and stakeholder communications.

Many industries – particularly those in highly regulated spaces – have reporting or notification requirements from accrediting bodies and industry-specific regulators (eg, the Federal Aviation Administration or FAA). A strong crisis-preparedness plan will include clear checklists and “maps” of these requirements and key relationship owners so that in the event of a crisis incident, the company can quickly and unambiguously act to remain in compliance with reporting and other oversight requirements. Proactive engagement is often essential with these industry-specific oversight bodies so that companies can build trust and confidence by outlining, in advance, their comprehensive crisis response plans and seek feedback to ensure they meet with approval. Working with legal counsel to provide subject-matter expertise is especially critical in these industries.                                                                                                                         

There is no applicable information in this jurisdiction.

There is no applicable information in this jurisdiction.

There is no applicable information in this jurisdiction.

Given the global nature of today’s business and communications environment, organisations facing crisis scenarios are frequently required to address matters from a cross-border perspective. Where multiple countries are involved, it is critical to consider tensions between regulatory and legal requirements across jurisdictions (for instance, varying data and privacy laws in the US and EU) or competing stakeholder interests. In order to co-ordinate responses across borders and regulatory regimes, it is necessary to have a comprehensive understanding of the internal and external communications imperatives and the ability to identify instances where jurisdictional nuances need to be factored into the broader strategic response. Additionally, crisis responses should emphasise robust internal co-ordination to ensure alignment across jurisdictions and avoid any cross-border disconnect between leaders and workforces in different regions.

A common mistake in communicating through a cross-border crisis is treating every jurisdiction the same. Legal constraints on public commentary vary widely and cultural expectations around the same issue can be equally divergent. Effective cross-border work requires a framework that maintains strategic coherence across jurisdictions while adapting to the distinct legal, regulatory and cultural realities of each.

The way individual companies structure their approach to crisis and issues management should be largely unique to an organisation and its stakeholders – that is, its specific business objectives; how it has structured key functions and management teams; various reporting requirements for public versus private companies, including unique communications for shareholders; and how it communicates with internal and external audiences. That said, the foundation of any actionable and effective crisis management strategy is based on universal elements that can make the difference between successfully navigating business-critical moments or prolonging a crisis and creating new risk vectors for the organisation. These universal elements include: 

• An established decision-making crisis response team – This should be made up of a cross-functional mix of senior leaders who have clear lines of sight across the organisation’s business, regulatory and compliance needs to provide a holistic perspective, as well as the ability to react nimbly and drive decision-making in response to an escalating situation. The time to build out the crisis response function is not when you need it; the most successful crisis strategies begin with ensuring the right members of the organisation are already in place for when they are needed.
• Clear lines of communication at all organisational levels – A potential crisis can start at any level of an organisation, so having clear channels in place for employees to report potential developments, either within their business function or through HR or legal-specific channels, is critical for allowing rapid assessment and potential escalation to the rapid response team. Similarly, in moments of crisis, having clear channels through which to engage internal stakeholders is invaluable in ensuring a co-ordinated response and buy-in across the organisation.
• Defined responsibilities for assessment and response – Successful crisis strategies allow organisations, led by the crisis response team, to quickly assess whether a development qualifies as a crisis and the nature and appropriate calibration of any response. Defining organisation-specific criteria in advance, along with clear escalation guidelines, scenario planning, and an organisational responsibilities matrix, can allow for more rapid activation of the crisis response strategy.
• Stakeholder and risk mapping across the organisation – Identifying in advance the core stakeholder groups that will need to be engaged in a crisis and the potential risks across the business are fundamental to the most effective crisis response strategies. Regularly engaging key leaders across the business to understand the specific risks related to specific functions, including critical regulatory and compliance obligations, along with the audiences who would be affected in a moment of crisis, is critical to shaping a strategy that will effectively mitigate and reduce the long-term impact of a negative situation.
• Scenario plans – Companies should also prepare for a wide variety of both likely and possible incidents that could affect the organisation and develop scenario-specific materials and protocols to address these. Common scenarios include cybersecurity breaches, employee or executive malfeasance, physical security incidents, severe weather events, IT or other operational interruptions, and so on.

As noted, a common feature of organisations with the most effective crisis response strategies is to have in place in advance a dedicated crisis response team made up of a handful of senior leaders across functions who can prioritise operability and provide a holistic perspective across the business to ensure any potential matters can be rapidly assessed and properly evaluated for a potential response. While this team can be expanded to include additional members on an ad hoc basis, according to the specifics of a particular matter, it is typically organised to include key members from senior leadership across:

• the office of general counsel;
• the executive committee/senior management team;
• communications/investor relations;
• people/human resources (as appropriate);
• operational/business unit leads (as appropriate to the situation);
• information security or the CTO (as appropriate to the situation); and
• government/regulatory affairs (as appropriate to the situation).

It is imperative that this team convenes on a regular basis to understand the organisation’s current and potential risk/threat profile, evaluate potential external advisers who could be engaged in a crisis, and conduct scenario planning for matters that may potentially require a crisis response.

Corporate crises can carry personal consequences for directors and executives, from regulatory enforcement actions and individual liability claims to reputational damage that follows executives long after they leave the organisation. Communications strategy must account for this reality, carefully distinguishing between the institution’s interests and those of its officers and directors, who may need independent counsel and a separate messaging framework.

In deciding on the composition and characteristics that define a company’s crisis response team, it is important to consider the following points:

• The rapid and evolving nature of a crisis argue for a committee that is agile, able to prioritise operability, and able to make quick yet fully informed decisions. Additionally, the committee should not include overly burdensome bureaucracy and/or an excessive number of members, both of which can slow down an effective response.
• The crisis response team must also bring a holistic perspective of an organisation so that any potential response is evaluated in the context of its effect on business objectives, legal impact, brand reputation, and other competing factors. This requires broad representation rather than silo decision-making with one specific group.
• The crisis response team must also as a core function conducting ongoing issues management and awareness, to ensure the organisation identifies, monitors and is prepared to handle matters well before they become an acute crisis. Issue-spotting should be a key facet of crisis committee discussions.
• Maintaining a robust and effective channel of communication with both senior executives and boards of directors is critical for response effectiveness. Ensuring ongoing alignment across these groups is important as it will allow the crisis response team to remain nimble and empowered to make quick decisions to execute on the approved strategy.
• External advisers can also play an invaluable role in building out an effective crisis response team, providing an external perspective and experience in commensurate situations, while also helping to facilitate ongoing scenario planning and serving as a tripwire for potential risks.

As noted, it is recommended that companies have a well-established crisis response team in place to make key decisions and to identify and prepare for potential crisis scenarios in advance. The structure of these teams will likely be specific to an individual company’s corporate structure, but in general, it is likely to include senior leaders across key corporate functions:

• the office of general counsel;
• the executive committee/senior management team;
• communications/investor relations;
• human resources (as appropriate to the situation);
• operational/business unit leads (as appropriate to the situation);
• information security or the CTO (as appropriate to the situation); and
• government/regulatory affairs (as appropriate to the situation).

Additional members of the crisis management team could include external advisers, internal subject-matter or business line experts, and other ad hoc participants who complement the broader team. Regardless of the specific structure, the crisis management team is responsible for filling a number of critical roles to ensure a robust response. This can include the following:

• A crisis team leader who serves as a point person with ultimate responsibility and decision-making authority for the team.
• A board and executive team liaison who is responsible for communicating with company leadership and key stakeholder audiences regarding an ongoing response.
• Response function leads who manage day-to-day workstreams and specific functions such as legal, communications, or regulatory affairs. Subject-matter experts from within the company should be included based on their proximity to the specific crisis. This may often include representatives from operations, security or facilities management, HR, IT or finance.
• A project manager who is responsible for ensuring cross-functional teams are executing on the approved strategy.

The specific logistics of an individual crisis response situation are largely determined by the matter itself – the structure of the crisis response team, its cadence for meeting, and its ongoing activities should all be designed to adjust to circumstances in real time to allow for the successful execution of the response strategy. In some instances, a team may be required to establish a live “war room” where cross-functional teams can collaborate in person to address breaking developments. A more controlled matter, however, may require a regular cadence of meetings.

A note on boards: A company’s board of directors – in particular, members of the audit and risk committee – may play a strong role in crisis response, depending on the scale and gravity of the event as well as certain governance factors, for instance, in the event that a C-suite executive is not able to lead the response due to their involvement.

The role of external crisis experts has grown considerably in recent years as the threat landscape and nature of potential crises have continued to rapidly evolve. Companies are increasingly turning to trusted outside advisers who are able to navigate public conversation, markets, as well as legal and regulatory environments, and who can develop and facilitate an effective organisational crisis response both in advance of and during a crisis, providing needed support to internal crisis responders and giving executive teams and boards of directors counsel and greater confidence in any strategy being deployed. External experts can provide objectivity and a sense of perspective that internal teams may struggle to maintain during a burgeoning crisis, given their proximity to the matter. External advisers can also bring to bear learnings and experiences that can help companies navigate a potential crisis more adroitly, preventing escalation and mitigating long-term risks.

In evaluating potential crisis response experts, company decision-makers need to ensure potential partners are deeply experienced in managing complex risks and are prepared and able to quickly and fully integrate themselves into the crisis response team. The ideal team will be able to quickly incorporate an organisation’s business, reputational and legal objectives into the broader strategic approach, ensuring the crisis response appropriately balances competing internal and external challenges to best position a company to successfully navigate any exigent matter.

A key priority in any crisis situation is to ensure operational continuity of the broader enterprise, maintaining operations and limiting spill-over from any crisis matter into the day-to-day business. A core component in properly calibrating for this dynamic is making sure any crisis response strategy appropriately contemplates the communications imperatives with respect to vendors, supply chain constituents, and other business partners who may become aware of a specific matter. Incorporating specific communications to address potential concerns on the part of these audiences and ensuring they are appropriately informed, in line with the broader legal and response strategies, can help mitigate any knock-on reputational or operational impact.

Companies employ a broad range of quantitative and qualitative tools to assess the success of ongoing crisis management efforts, as well as to identify opportunities to adjust strategies in real time, including through an increasing array of technological tools that complement existing techniques. These capabilities are important in continually gauging outcomes and sentiments. As an effective crisis response is dynamic, strategies will need to be adjusted and recalibrated as new facts and information emerge, stakeholders respond, and the external environment shifts in response. A number of standard metrics can underpin this process and help determine how a crisis response is being interpreted across core stakeholder audiences, including whether key narratives and fact sets are being pulled through in media coverage and third-party commentary. For public companies, share price is one (but not the sole) important quantitative metric of stakeholder confidence and response success. Contemporaneous public and stakeholder opinion research, as well as ongoing analyses of the flow and tone of outreach from customers, business partners, investors and other stakeholders, can help provide a more complete picture of the external response to complex crisis situations. These tools, coupled with specific internal metrics, including the rate and tenor of media enquiries, employee feedback, personnel surveys, and concerns raised through existing human resources channels, can help crisis responders understand and effectively evolve their response as the external landscape shifts.

The ESG landscape has shifted considerably in recent years. Therefore, communications strategies around ESG issues must be calibrated to audiences who may have opposing expectations – what reassures stakeholders in one jurisdiction may provoke a backlash in another.

A fundamental tenet guiding any crisis response, particularly when human rights and the safety of individuals are involved, is that any actions taken or communications being deployed should prioritise compliance with all applicable laws, the mission and values of an organisation and its leaders, as well as the health and safety of company stakeholders, above all else.

Quickly and accurately identifying a crisis is critical to ensuring a strong and calibrated response. Similarly, launching a crisis response when it is not warranted or failing to calibrate the response appropriately can be harmful.

Ideally, a company will have undertaken a robust crisis planning and preparation exercise in advance of any crisis occurring, particularly in the face of any anticipated increases in regulatory, legal or geopolitical risk. This plan should identify not only specific crisis scenarios that could impact that company but also tailored assessment metrics and criteria that can be used to evaluate an incident to determine whether it qualifies as a true crisis. These metrics will be specific to the company and its operations and may include measures such as the projected financial impact, number of inbound enquiries, number of clients or work sites affected, a qualitative assessment of media and social media attention, and more. Key business and functional leaders in the organisation should be trained to assess these criteria and proactively identify issues and incidents that could evolve into a crisis. 

Often, a crisis or potential crisis is first identified by “on the ground” employees, so it is key that companies have clear escalation protocols for employees to follow when they identify such risks. They must know who to inform, when, and how to do so. These protocols should typically incorporate a company’s legal team from the outset so that legal risk and implications are considered from the beginning.

Frameworks for crisis planning are helpful, but for a response plan to be effective, it must be highly tailored to the company, its culture and operations, its stakeholders, and ways of communicating. There are typical elements that should be included in any strong response plan.

Basic Elements in a Response Plan

Assessment criteria

As noted in 4.1 Identifying a Crisis, it is important to be able to identify what is and is not a crisis – and equip employees to identify what might become a crisis in the future. Companies must define objective criteria to determine whether an incident rises to the level of a crisis, so any response is appropriately calibrated. Example criteria may include: financial or share price impact, level of operational interruption, volume of inbound enquiries from customers or the media, public sentiment tracking numbers, etc.   

Escalation guidelines

Instructions should be provided so employees know what to do as soon as they identify a potential crisis. 

Crisis team and roles

It should be clear who will lead the crisis response, who will assist, who needs to be kept informed, and who the key decision-makers will be. Instructions should include multiple forms of contact information and back-up designees for each person and role. 

Communications protocols

It should be decided how the company will communicate during and about a crisis. This should include contingencies in the event that key systems, like company emails, are compromised. The employees who will “own” specific communication channels (eg, LinkedIn, company-wide emails, etc) should also be identified.

Operational checklists

Key steps that the core crisis response team should take in the event of a crisis should also be articulated. These may include scenario-specific and department-specific checklists.

Stakeholder map

Core company stakeholders who will need to be kept informed in a crisis situation, and the means/media the company will typically use to reach these audiences, should be identified. Details of statutory and contractual notification requirements for certain parties (eg, in the event of a data breach) should also be noted. 

Scenario plans

Possible crisis scenarios that may impact a company should be outlined. Some scenarios should be included in almost every company’s plan – for instance, a cyber-attack or data breach, security incident, or death of a critical executive – while others may be specific to an industry or individual company, such as an environmental disaster or major operational disruption of a plant site. For publicly traded companies, shareholder activist campaigns and potential corporate restructurings should also be anticipated.

Communications templates

Messaging, statements, and other communications materials (eg, an employee email, customer alert, social media response copy, media or third-party protocols for employees) for key scenarios should also be drafted, ready to be quickly updated and deployed in a crisis.

The process of developing a crisis preparation plan is often the most effective way for a company to identify risks and vulnerabilities. Companies should involve key leaders from across the business in the process to audit what they each see as core risks to their functional areas – in other words, what is keeping the chief people officer, chief information officer, or chief operations officer up at night? A holistic process can give the company a 360-degree view into where crises may arise. 

This also plays an important role for a company’s external advisers, such as strategic communications, outside counsel, government affairs, cybersecurity advisers, and others. They provide a critical outside perspective and help the company see the forest, as opposed to just the trees, in identifying brewing crises as well as what peer companies and other industries are experiencing. 

Crisis simulation exercises are helpful and necessary tools for a company and leadership teams to put plans into practice and, importantly, identify gaps and weaknesses before a true crisis hits. The frequency and format of a crisis simulation should vary based on the team and its function, but should be conducted frequently enough that the planning and learnings are not out of date when a crisis actually occurs. 

Format

Tabletop exercise

This is an abridged exercise, usually lasting two to four hours, designed to put a team through the decision-making processes of a particular crisis scenario. Executives will typically outline action plans and high-level messaging for a given scenario. This format is well suited to executives and company directors with more limited availability or as a “refresher” session to prior simulations.   

Full simulation

This is a real-time exercise that simulates all aspects of a crisis event, typically taking place over an entire day. Participants carry out the same actions they would be tasked with in an actual crisis event, such as drafting media statements, reporting to the C-suite and board, and developing and executing operational response plans. A simulation will often incorporate additional “inputs” throughout to further test participants’ ability to pivot during dynamic and evolving scenarios.

Plan reviews and postmortems

Companies should review their crisis plans at least annually. Best practice also suggests that companies should examine and augment their planning in the wake of internal incidents or following a crisis impacting a peer or industry competitor. Companies should conduct a postmortem to assess how effectively their own crisis plan worked in practice, or whether it would have addressed the issue experienced by another company. 

Frequency and Approach

• Company boards and executive teams should ideally participate in an annual tabletop exercise.
• Leaders and teams responsible for crisis response processes should conduct a simulation at least annually. That said, certain functions should consider doing so more frequently, eg, biannually, quarterly, or even monthly (for functions like IT).
• Scenarios for a crisis simulation or tabletop should be specific to the team participating. A cyberbreach is among the most common and important for every company to prepare for, as well as a security incident (eg, an armed assailant) or operational failure (eg, a plant shut-down or environmental disaster).

Training for relevant leaders, managers and employees is a key element of crisis preparedness and planning. All management-level employees should at least be trained in how to identify a potential crisis and how to escalate it within their business unit. Employees must also understand their role in crisis prevention and response – including what they should do and not do (eg, how they should respond if approached by the media or a third party).

This guidance should generally come from the office of the general counsel. Many companies include this as part of onboarding for relevant teams and employees and then conduct refreshers on an annual basis through online training and other methods, to ensure employees are aware of how to identify risks and escalate them through the appropriate channels.

Outside advisers are another tool in the training arsenal for many companies and leaders, as outside crisis-management firms bring worthwhile perspectives on industry best practices and learnings from experience in the trenches. 

Companies should have protocols and methods in place to monitor risk across the business and trigger a response process when needed. These will depend on the specific business and its operations but may include, for example, media and social media monitoring tools and specific policies for relevant staff on when to escalate a particular item. Similarly, such policies will exist across all business lines and functions – people management, operations, and more. Such policies help expedite an early response to a potential issue, ideally preventing an isolated incident from growing into a full-blown crisis. 

Any crisis situation, no matter how contained, can create legal challenges that could lead to a corporation or organisation facing litigation and/or regulatory scrutiny. Whether a cyber-incident, an instance of employee or executive misconduct, a failed financial transaction, earnings restatement, or another matter triggering a crisis response activation, these issues should always be viewed as requiring a unified communications and legal response. In crisis situations, it is frequently the case that the approach to communications can either exacerbate the legal risks an organisation faces, or – in an appropriately managed situation – help mitigate the extant legal risks a situation may present.

As part of any holistic crisis response strategy, it is imperative that the crisis-response planning team has a full understanding of the law enforcement, regulatory and policy-making bodies who will serve as key stakeholder audiences, ensuring that any messaging and communications are mindful of the important role these entities may play in successfully navigating a crisis. In most crisis scenarios, organisations will want to craft messaging and stakeholder engagement plans that specifically address the needs and priorities of these authorities.

As noted in 5.2 Dealing With Enforcement Authorities, a company’s communications strategy should align with their engagement posture with enforcement authorities. In cases where a company is co-operating closely with or being guided by these authorities, public communications may defer to these bodies. Alignment with counsel is, as always, critical.

Companies addressing a crisis situation typically contemplate a broad range of factors in assessing their potential legal risks and liabilities. Such evaluations frequently involve both quantitative and qualitative assessments, including the potential impact on sales or broader business objectives, the potential erosion of brand equity, the effect any regulatory or legal scrutiny may have on in-process or planned M&A/transactions, litigation costs, and other relevant factors in determining a response strategy.

Internal and external legal counsel are key members of the broader crisis team and are central to an effective and successful crisis response strategy. Given the myriad legal risks that can result from a crisis such as a cyberbreach, product recall, or environmental issue, the crisis response strategy and legal strategy will necessarily be intertwined to ensure alignment. In that respect, lawyers – both internal and external counsel – are central to the crisis response process. In addition to advising on legal strategy and obligations, lawyers can also be effective communicators in crisis situations. Companies may choose to have their external counsel serve as an on-the-record spokesperson as a way to provide some distance between the matter and the company.

Communicators (and all members of the crisis response team) should be aware that their work product and conduct during a crisis may later become discoverable in future litigation. Crisis response teams should establish appropriate collaboration methods and infrastructure to responsibly manage this dynamic in a crisis.

Communicating around a settlement after a crisis – and indeed the decision about whether to communicate at all – requires a balance between signalling resolution and avoiding language that can be construed as an admission of liability or that may invite follow-on claims. Communications strategy should be closely co-ordinated with legal counsel to ensure that approach and language used do not create unintended precedents for the future.

How an organisation communicates during a crisis can affect its ability to recover under applicable insurance policies. Timely notice to carriers and careful co-ordination between legal and communications teams on public statements should all be embedded in the crisis response from the outset.

Measuring the effect of a crisis on an organisation’s reputation can take the form of both quantitative and qualitative assessments that help determine the depth and breadth of the impact on the organisation across stakeholder audiences and in the broader environment. Drawing a complete picture of the reputational impact of a particular crisis can involve tools such as monitoring the company’s share price; public opinion research and social media listening; evaluating the rate and tenor of media enquiries related to the specific matter; tangible indicators such as sales numbers, foot traffic, or customer satisfaction ratings; measuring the flow and tone of outreach from business-critical stakeholders including partners, employees, customers, regulators, and policymakers; and internal metrics, including employee feedback surveys, concerns raised through management or HR channels, and organically through day-to-day operations.

Assessing and understanding the environment in which a company is operating is imperative to successfully executing an effective reputation management strategy, as is understanding the limitations that may be in place due to extant legal or other risk factors that are important to incorporate in any planning. These will determine how a company’s reputation repair strategy is received across internal and external stakeholder audiences and can help elucidate specific tactics, messaging, and the voices that can be deployed to maximise the impact of these efforts.

While the specific elements of a particular crisis will play a large part in defining the approach an organisation must take to manage its reputation post-crisis, common steps are likely to include:

• laying out a clear vision and plan of action, prioritising tangible, authentic elements supported by tailored messaging to define the organisation’s reputation;
• identifying substantive tactics to permit bespoke engagement across critical stakeholder groups to engage and reinforce the broader reputational strategy; and
• manufacturing opportunities or taking advantage of external moments to highlight and elevate organisational values and ethos, and driving those moments home to key audiences.

As noted previously (in 2.8 Transparency Requirements and 2.9 Sectorial Requirements), there are several crisis scenarios in which a company may be required to fulfil mandatory reporting and regulatory requirements. Incidents including cyberbreaches, the theft of financial or personally identifiable information (PII), health records, or materially important information frequently trigger reporting requirements. This is why it is imperative that legal and regulatory affairs officers be included as part of the broader crisis response process, to ensure these issues are fully addressed and considered within the context of the response strategy.

Unified and co-ordinated communications to key audiences are critical in a crisis – not only to protect a company’s reputation and relationship with important stakeholders, but also to preserve permission to operate and to minimise legal risks that can arise from putting out misaligned or conflicting narratives. For this reason, the crisis response team must include a communications leader (usually a chief communications officer or head of external affairs) who can oversee all communications messaging and activities to ensure they align with overall response plans. Importantly, legal counsel should also be closely involved in all communications that a company issues during a crisis. 

Cross-functional business and communications leads – for instance, from government affairs, internal communications, community relations, and others – can play a role in engaging with stakeholders. Such groups are also critically important for gathering and filtering up to the crisis response team specific stakeholder feedback and assessing the impact and efficacy of the company’s messages and response, which can be fed back to the crisis response team.

Communications channels should be tailored to the situation and stakeholder communication needs. Generally, it is preferable to communicate directly with stakeholders who are impacted or concerned. This way, they hear from the company itself, instead of relying solely on public statements or media to convey key information or messages, which can cause messaging to be diluted or misconstrued/taken out of context. This also has the benefit of not elevating a crisis event that may not already be on the radar of the broader public.

In a large-scale, fast-moving crisis event of national significance, companies can consider establishing a central “newsroom,” microsite, or webpage to host official updates and statements, which would then be disseminated broadly across the company’s other communications channels (eg, social media, intranet, customer communications, etc).     

Ideally, a company’s crisis plan will outline (in advance) specific steps and individuals to alert in the case of a possible or actual crisis event. This checklist will be scenario-specific, with individual names, contact information, and back-up contacts, as well as detailed responsibilities (if any) in responding to the crisis.

This checklist should always include the following contacts, at a minimum: 

• the office of the general counsel;
• the communications department;
• executive and operational leads for the relevant or affected business unit(s);
• information security or the office of the CTO;
• the head of the impact location(s) or office (if relevant to the scenario, ie, in the case of a physical threat); and
• the head of government/regulatory affairs (if relevant to the scenario, ie, in the case of a regulatory or congressional inquiry).

As the company responds to the crisis, its internal communications must be guided first and foremost by legal counsel’s advice. In some cases, there may be an imperative to minimise written communications, so other channels for co-ordinating and communicating will be established: frequent calls, an in-person “war room”, an open and available conference or Zoom line, etc.

The most common challenge for companies communicating in a crisis is balancing the value of transparency with working with shifting circumstances which creates a lack of certainty. Crisis situations are fast moving; a company may not understand the full extent of an issue or may not have resolved a problem, and yet they will face pressure to address questions about their actions. Above all, the company’s external communications must be guided by legal and business imperatives with a “do no harm” mindset. Even while balancing reputational needs to make a public statement, the company must ensure it protects its permission to operate and that it does not create future legal risks in doing so.

With that said, very often, a company must communicate publicly even while it grapples with an incomplete picture or unclear path to resolution. In such cases, it is often most effective for a company to lean on (i) its process, (ii) its values, and (iii) its commitments to stakeholders moving forward. The company can convey any immediate actions and processes that are under way to address the situation and it can reiterate the core values that will drive its response (eg, ensuring safety and security). It can also communicate what stakeholders can expect from the company moving forward (ie, regarding future updates).

Communications should be centrally co-ordinated to ensure consistency and accuracy. To that end, it is critical that a communications executive(s) be included in the core response team to inform the overall response in line with reputational considerations and to enable effective engagement with internal and external stakeholders. While many companies have historically considered external and media engagement as separate and apart from direct stakeholder outreach (including customers and employees), in today’s communications environment there is very little distinction. The speed of information flow and the role of social media means that internal communication is external. Thus, the messaging and information should be tailored but aligned. 

It is also important to note that in the new media landscape, where audiences are increasingly siloed across diffuse platforms and channels, the once central role of media as the primary method to communicate with and through during a crisis is diminished. Of course, the media is one important way to reach key audiences, but direct and owned channels – like email, owned social media platforms, website (or dedicated microsite), and internal intranet – are ever more critical.

Typically, communication to investors and shareholders (in the case of a public company) is managed on a reactive basis in all but the most extreme crisis scenarios, where there is a significant risk of material impact or public company reporting obligations are triggered. In most circumstances, a company will rely on its public statement(s) and its IR team to address inbound questions and concerns from investors. One exception is ensuring that IR proactively engages sell-side analysts to offer a briefing to ensure they understand the issue and any impact. The communications leader overseeing the crisis response will ensure that the IR team is informed throughout and, if needed, has guidance on how to answer anticipated questions, particularly around major industry events such as industry-wide conferences (e.g., the Consumer Electronics Show). In addition, the IR team should provide a feedback loop to the crisis response team to advise on the volume and substance of questions they are receiving.

When there is a substantial impact on share prices or in material news, swift and clear communication with the markets is paramount. The company should convey clear guidance on the expected financial impacts of a crisis (to the extent known) and focus messaging on business continuity. Communications mediums that may be considered include: 

• press release and/or 8-K filings; 
• investor and analyst calls;
• individual analyst briefings; and 
• meetings with top shareholders and investors, as needed.

Public companies must also remember that regulatory filings, such as 8-Ks, are an effective communications tool. It is important for the communications lead to review any such materials to maintain alignment with other public messaging and to be aware of potential questions that may arise from required disclosures.

The way a company responds and communicates with customers in a crisis is significant in avoiding an erosion of trust and maintaining brand reputation and confidence in operational efficacy. Above all, in determining an appropriate response, the crisis response team must balance short-term demands with long-term thinking to prioritise maintaining customer trust. Once trust is lost, it is virtually impossible to regain it. The archetypal case study of crisis response done right is Johnson & Johnson’s recall of the pain-reliever Tylenol in 1982 in the USA, after it was discovered that cyanide had been added to the product on sale in the Chicago area after it left the factory. The company issued mass warnings in the media and recalled the 31 million bottles of Tylenol in retail stores at the time, prioritising consumer trust over a significant near-term financial hit. 

This customer-first approach remains valid 40 years later. What has changed, however, are consumer expectations of brands and the way brands reach their consumers. In 2026, customers no longer rely on traditional media for news and information. Companies must be the source of their own truth. “Owned” channels, such as social media and company websites, and direct-to-customer email or other forms of engagement, are the most effective channels for communicating in a crisis. The company may also consider paid channels, including promoted posts and display advertisements. These channels enable the company to convey its message without an intermediary and ensure the message reaches its target audience without being distilled or mischaracterised.

To maintain customer trust, the company must seek to address what the customer most wants to hear: “What does this mean for me?” The company should explain what happened, how (if known) customers are impacted, and – most importantly – what steps the company is taking to mitigate that impact or make it right. As the Tylenol case study has shown, “making it right” can be costly, but there is a greater long-term cost by not doing so. When effectively managed and communicated, a crisis can, in fact, serve as an opportunity to solidify customer trust long into the future.

Companies must remember that employees are both an audience and important messengers to carry the company’s communications out into the world. Thus, in a crisis, the company must communicate with its employee bases and arm them with guidance and tools on how they, as employees, can or should be communicating about the issues themselves (keeping in mind that, at times, that guidance may be to not communicate about it at all). 

Regular and transparent updates to employees, even if short and non-substantive, are important in helping employees feel engaged, informed, and empowered during a crisis. This is often a daily (or more frequent) email update or internal post in a shared workspace (eg, Teams, intranet, Slack). Maintaining a consistent flow of updates that employees can expect helps create a sense of normalcy in what may be uncertain circumstances. 

“Town halls”, whether virtual or in-person, can be effective ways to engage employees, particularly after an event, to provide a sense of coming together, allowing them to ask questions, address learnings, and go forward with changes that may be implemented as a result.

Above all, when it comes to internal and workforce communications, companies must remember that internal communications inevitably become external communications. This underscores the importance of messaging alignment across all audiences.

When communicating with parties affected by a crisis event, it is particularly important that the approach and messages be driven by legal counsel to avoid creating liability or legal risk. In some scenarios – such as a data breach – there may be legal or contractual requirements to notify parties within certain timeframes or about certain parameters (eg, in the case of a data breach, what information has been compromised), including specific channels that must be employed (eg, direct mail, email, paid advertising, etc). Companies should, ideally, document these requirements in their crisis-preparedness planning to enable more nimble action when an incident occurs.

Assuming all legal factors and statutory requirements have been considered, direct communication channels – email, direct mailings, and automated texts or calls (when situationally appropriate, eg, an emergent security issue) – are the most effective way to reach affected stakeholders. 

Online and social media monitoring and sentiment tracking remain a critical component of a crisis response strategy; however, organisations are increasingly taking a more nuanced view of digital platforms in terms of the degree to which they factor the impact of online platforms into their response decisions.

In a crisis scenario, it remains critical for organisations to ensure they have proper tools and processes in place to monitor and respond to issues that arise on these digital platforms, as well as track sentiment and volume. This must include, at the least:

• clear guidelines and response scripts for the team or employees within the organisation who manage public-facing channels during a crisis;
• escalation instructions for employees to identify when posts or trends should be addressed at a higher level;
• daily (or more frequent) reporting templates on volume, sentiment, conversation drivers, and other metrics; and
• influencer mapping of key voices leading conversation around the brand or organisation, or the topic at hand – enabling the institution to activate online supporters and monitor detractors.

Social media and other digital platforms provide valuable monitoring opportunities that enable companies and institutions to:

• identify emergent threats and issues;
• assess general sentiment trends over time; and
• track overall conversation volume over time.

With the evolution of social media platforms and the rise of a new digital media landscape, organisations are increasingly weighing the importance of these online channels alongside real-world metrics and direct communications tactics – and rightly so. Since many channels have become overrun by bots and AI-generated content, organisations are deprioritising digital clout in favour of direct engagement with their core audiences. Similarly, in determining the right response strategy in a crisis scenario, it is much more important to look at real-life measures – such as share price, sales impact, customer complaints, and employee or recruitment retention – than to the number of posts or “likes”. This helps an organisation avoid overreacting or over-pivoting their response towards a vocal minority; there are many instances when the best course of action is to weather a period of online negativity when real-world markers indicate the “crisis” may be much less impactful than social chatter would suggest. This also centres the response around the true concerns of stakeholders, with whom the company is directly engaging, rather than basing messaging or tactics on potentially manufactured online conversation from people or accounts who hold little relevance to the company (and, in fact, might not even be real).

Effectively incorporating relevant technologies and new tools can be a critical component of any crisis management strategy, enabling and informing better communications, providing valuable insights to crisis response teams, and helping manage workstreams. With the introduction of a growing number of large language model and artificial intelligence-based platforms and novel technologies, companies are understandably eager to assess the efficacy of these tools within their broader approach to crisis planning and management. In many respects, this interest is twofold: given the still-nascent state of the AI/LLM marketplace, and the rapid evolution in both the potential use cases and understood limitations, companies across sectors are naturally evaluating these tools both for how they can potentially support crisis response planning, and for how these new technologies can introduce new points of vulnerability or risk they should be prepared to address.

While the adoption of these technologies and their incorporation will be unique to every organisation, crisis response leaders should understand that at a foundational level, any tool needs to complement the broader legal and corporate response strategy. With respect to emerging technologies, this is increasingly taking a number of shapes, including using AI-based tools to support more granular stakeholder sentiment and landscape analysis, conducting the rapid analysis of broad datasets or documents, running complex scenario-planning exercises to better understand various permutations of how a crisis may evolve, and providing real-time analytic “trip wires” allowing leaders to separate the signal from the noise of an emerging crisis. Certain tools already being deployed by organisations – such as AI-based chatbots and virtual agents – may also be useful in a crisis to quickly and efficiently provide answers to expected questions from customers or employees as part of a broader matter-specific microsite or landing page. Online training tools are also useful in ensuring employees are regularly refreshed on the importance of risk identification and any relevant internal escalation protocols.

As AI-based tools and other technologies continue to shift the way organisations and individuals work, their incorporation in crisis management and planning will continue to grow, allowing companies to better allocate human resources to more critical tasks and better respond to challenges.

As artificial intelligence tools rapidly evolve and are increasingly deployed across organisations and the economy writ large, new risks are created that crisis response teams must be aware of in evaluating how and when they rely on AI for informing decision-making during a crisis. This is particularly true as the legal ramifications of deploying AI/LLMs in situations involving crises and/or litigation are still being defined and understood, and the jurisprudence around these matters is largely a work in progress.

In many respects, the risks associated with deploying these new technologies largely fall into two distinct categories: i) the inherent limitations embedded in the technologies and how these can affect work product and the decision-making process; and ii) the way an overreliance on these technologies can disrupt or interfere with cross-function alignment around a legal and crisis response strategy. While manageable, it is imperative that crisis response teams address and think through these challenges in advance of a crisis to ensure that proper mitigation strategies are incorporated and that proper consideration is given to these variables. This can include the fact that AI and LLMs face challenges in providing useful analysis in novel or low-data matters; limitations with the technology such as hallucinations or inherent bias in how models are trained; and new cyber and operational security risks. There is also the challenge that comes with removing human oversight from crisis response strategies – if calibrated poorly, and too much human engagement is eliminated, this can risk hurting alignment with legal and communications strategies. To combat this, it will be useful for crisis response teams to ensure robust checks on AI-generated work product and analysis, particularly if this is going to be used directly with stakeholders.

A post-crisis review provides a valuable opportunity for a company to assess a response strategy’s effectiveness, as well as identify learnings that can be incorporated by the crisis response team to better prepare the organisation for future situations that may arise. In determining the scope of any after-action review, it is important for a company to consider whether the situation requires or would benefit from a third-party review – either independent or at the behest of the board or senior leadership – or if an internal review team is appropriate.

A successful post-crisis review will identify specific opportunities to improve a company’s overall performance by targeting common focal areas for review, such as:

• decision-making processes and outcomes;
• communications strategies and messaging;
• operational issues that may have occurred;
• the success of enterprise-wide collaboration;
• the efficacy of pre-crisis planning and whether it was sufficient to the circumstances encountered; and
• whether company policies – including escalation protocols – were effective.

The review process is likely to include the collection of internal documents and data, external metrics such as media coverage and stakeholder engagement outputs, interviews with crisis response team members and senior leaders, and a root cause analysis of the precipitating event behind the crisis. 

How the review is shared would be largely determined by the nature of the matter being managed by the crisis response team, with specific consideration given to any potential legal ramifications for how the information is communicated or shared with internal stakeholders. Given the goal of such an exercise is to identify and address operational or procedural weaknesses, the emphasis is primarily on updating and improving existing crisis management plans and protocols, identifying opportunities to improve future responses, and putting in place ways to monitor whether necessary changes are being addressed.

One of the primary lessons from any crisis is the importance of fostering an enterprise-wide culture of preparedness, where employees at every level are encouraged to be proactive in identifying and escalating potential risks to the company. For many companies, this lesson is coupled with the findings of a post-crisis review to form the foundation of any subsequent updates to existing policies and procedures. This can take the form of updating existing crisis management plans to address any identified weaknesses, refocusing on crisis scenario planning and conducting simulations to assess readiness, providing additional resources to strengthen enterprise-wide resilience, and updating training and onboarding materials to ensure crisis preparedness is a point of emphasis across the organisation.

The engagement of external advisers, including crisis communications specialists, external legal counsel, and other vendors, is a primary channel major corporations and institutions use to understand crisis response trends and the applicability of emerging technologies, as well as in measuring the efficacy of their crisis response planning. Consultants serving as subject-matter experts (eg, in cybersecurity) can provide useful perspectives on issue-specific strategies, while communications and legal practitioners can provide useful insights and learnings from past engagements with respect to crisis management best practices.