Crisis Management 2025

Last Updated March 14, 2025

Germany

Law and Practice

Authors



Noerr is one of Europe’s leading law firms, and anticipates developments, transforms change into advantage and charts new ways into the future in a rapidly moving world. Noerr supports international companies, family-owned businesses, financial investors and the public sector in achieving maximum impact, long-term viability and resilience by offering solutions with a strategic vision. Noerr employs over 500 lawyers, tax advisers and auditors at ten offices in five countries. Key office locations include Munich, Berlin, Frankfurt and Düsseldorf, in addition to international offices in New York and London. Noerr offers comprehensive expertise in the areas of corporate law, capital markets, M&A and compliance, as well as industry knowledge in technology, finance and regulation. Its expertise in compliance ranges from assisting companies in antitrust and criminal investigations to advising on D&O liability issues. This also includes advising on the implementation and development of risk management systems in companies.

Key Aspects of Crisis Management

For the purposes of this article, the authors define “crisis” as any internal or external situation that poses an acute and significant threat to an organisation’s reputation, assets or operations and that therefore requires immediate action. Crisis management is understood as dealing with such situations.

The following aspects are particularly important.

Economic challenges

Germany’s 0.2% GDP contraction in 2024 has prompted companies to enhance their crisis preparedness. Businesses are focusing on financial resilience and supply chain stability to navigate economic uncertainties.

Global political developments

Recent political manoeuvres have introduced new risks, leading companies to reassess their crisis management strategies to address potential political instability. Political changes can lead to delays or changes in the legislative process and can affect the country’s geopolitical stance, potentially altering international relations and trade agreements.

Regulatory changes

Germany and the EU have ramped up their crisis legislation. Companies are adapting by updating compliance systems and engaging in scenario-planning to align with such new regulations.

Cyber-attacks and AI

Cyber-risks have become increasingly significant – especially due to an increase in cyber-attacks and the malevolent use of AI.

Product liability/green claims

Companies face liability for defective products and misleading green claims, which can lead to legal action.

Whistle-blowing

As critical behaviour or actions can often only be identified from within an organisation, regulators and other bodies place great importance on employees having appropriate channels to raise concerns. This can effectively spotlight unlawful behaviours that would have otherwise gone unnoticed.

ESG/working conditions

The increasing importance of ESG poses legal risks. This global trend reflects society’s increasing focus on sustainability, which is leading to greater scrutiny and potential legal consequences for companies. As Germany faces more natural disasters, there is an urgent call for enhanced crisis response frameworks that can address environmental catastrophes.

Anti-money laundering

Certain laws, such as Section 5 of the German Anti-Money Laundering Act (Geldwäschegesetz – GWG), mandate risk analysis for money laundering and terrorist financing. The European Union (EU) has established the Anti-Money Laundering Authority (AMLA), which will commence its operations in summer 2025. Companies must stay alert to regulatory changes and address their money-laundering risks.

Competition law and antitrust

Competition law and antitrust regulations play a crucial role in crisis management by promoting fair competition and preventing monopolistic practices that can exacerbate economic downturns. During a crisis, effective enforcement of these laws ensures that businesses remain accountable and prevents anti-competitive behaviour, such as price-fixing or collusion, which can hinder recovery efforts.

Sanctions

Sanctions and export controls have become increasingly important following Russia’s invasion of Ukraine in 2022. Businesses with ties to Russia must remain vigilant as EU sanctions violations are legally punishable in Germany. To strengthen enforcement, Germany introduced the Sanctions Enforcement Acts I and II (Sanktionsdurchsetzungsgesetz – SDG I and II) in 2022, which expanded powers to investigate and seize assets, established a centralised sanctions enforcement body and increased anti-money laundering measures.

Fraud

Another concern is internal fraud, which is experiencing a resurgence. Further development of new technologies and AI presents growing opportunities for malicious actors to exploit them, leading to increasingly sophisticated and innovative fraud schemes.

The following aspects have affected past crisis management practice.

Integration of AI

AI and machine learning enhance sales, predictive analytics, real-time monitoring and automated responses. However, ethical considerations are often overlooked, creating risks of manipulation and misconduct. Irresponsible implementation, especially in the absence of clear regulations, can become a catalyst for crises and lead to severe management failures. At the same time, the use of AI in crisis management processes – ranging from predictive analytics for crisis forecasting to automating response plans – has become increasingly important.

Emphasis on mental health

The recognition of mental health’s role in crisis management has grown. Companies are increasingly implementing support systems for employees and communities affected by crises, acknowledging the psychological impact of emergencies.

These trends have driven organisations to adopt proactive and comprehensive crisis management approaches, emphasising agility, regulatory compliance and stakeholder communication to effectively navigate developments.

The energy-intensive industries and the automotive and logistics sectors were the most susceptible to crises in the past 12 months. Geopolitical tensions (eg, between Russia and Ukraine) led to production stoppages, supply chain disruptions and increased costs. To enhance resilience, supply chains are being diversified, and investments in renewable energy are increasing. This is supported by government measures and technological innovations.

The following are notable examples of acquisitions in past crises.

  • Noerr advised the Schwarz Group during the second financing round for the start-up Aleph Alpha. The challenge in this matter stemmed from the need to design complex structures in the areas of corporate, digital, tax and non-profit law, and particularly from structuring the open-source research associated with the investment.
  • Noerr has advised numerous companies, such as Mercedes-Benz, on the sale of their Russian business activities due to Russia’s invasion of Ukraine in 2022 and the corresponding sanctions imposed by the EU.

These examples highlight how major German companies have actively used acquisitions to adapt and strengthen their operations in response to the challenges and opportunities that have emerged from recent crises.

The primary laws governing crisis management in Germany include the following.

  • The Constitution of the Federal Republic of Germany (Grundgesetz, or GG) provides a framework for crisis responses. The GG stipulates that disaster control/relief is the responsibility of the federal states. However, special provisions allow disaster relief efforts by federal authorities in the event of natural disasters and accidents.
  • Each of the 16 German federal states has its own legislation on disaster management, specifying the roles and responsibilities of local authorities in crisis situations.
  • The Civil Defence and Disaster Relief Act (Gesetz über den Zivilschutz und die Katastrophenhilfe des Bundes, or ZSKG) regulates the protection of the population in the case of crises, and defines the framework for disaster assistance in the event of natural disasters and major emergencies.
  • The Act on Fire Protection, Assistance and Disaster Control (Gesetz über den Brandschutz, die Hilfeleistung und den Katastrophenschutz, or BHKG) regulates fire protection and disaster control measures at state level and the duties of local authorities.
  • The German Civil Code (Bürgerliches Gesetzbuch, or BGB) contains special clauses on force majeure. These clauses allow companies to modify or suspend contracts in the case of natural disasters and other unforeseeable events.
  • The Environmental Damage Act (Umweltschadensgesetz, or USchadG), the Environmental Liability Act (Umwelthaftungsgesetz, or UmweltHG) and the Federal Soil Protection Act (Bundesbodenschutzgesetz, or BBodSchG) are relevant for man-made crises, such as industrial accidents.
  • The Federal Emission Control Act (Bundesimmissionsschutzgesetz, or BImSchG) is relevant for man-made crises, such as industrial accidents.
  • The Infection Protection Act (Infektionsschutzgesetz, or IfSG) defines safety measures to protect public health in the event of pandemics and infectious diseases.
  • The Corporate Stabilisation and Restructuring Act (Gesetz über den Stabilisierungs- und Restrukturierungsrahmen für Unternehmen, or StaRUG) provides companies with instruments for early restructuring and avoiding insolvency by enabling them to take independent restructuring measures and involve creditors in the process.
  • Company owners can be held liable under Section 130 of the German Administrative Offences Act (Gesetz über Ordnungswidrigkeiten, or OWiG) if they fail to take appropriate supervisory measures that could have prevented or significantly impeded a breach of duty. Effective supervision therefore requires a clear understanding of the risks and a constant risk analysis.
  • The duty to assess risks also arises from the duty of legality (Legalitätspflicht) pursuant to Section 93 of the German Stock Corporation Act (Aktiengesetz, or AktG). Additionally, Section 91 of the AktG mandates a monitoring system to identify threats at an early stage. The German Federal Court of Justice emphasises that board members fulfil their obligations only by establishing a compliance programme focused on risk prevention. This requires a profound culture of compliance within companies.

These laws are enforced by federal, state and local governments and their designated authorities.

In Germany, there have been recent amendments to or ongoing discussions about amending the following laws, based on past crises.

  • The catastrophic floods in Germany in July 2021 have triggered discussions about enhancing disaster preparedness and response mechanisms in relation to the ZSKG.
  • Throughout the COVID-19 pandemic, the IfSG was amended multiple times to expand the powers of health authorities. At the same time, a temporary easing of insolvency law was introduced to give companies more room for manoeuvre and to avoid insolvencies – for example, by suspending the obligation to file for insolvency.
  • There are currently discussions about laws designed to enhance economic crisis resilience. These changes aim for a more dynamic crisis management approach, enabling companies to respond swiftly and efficiently to challenges. Key aspects include:
    1. increased labour market flexibility for adjustable working arrangements;
    2. adaptive tax policies for temporary relief; and
    3. the simplification of bureaucratic processes so as to reduce administrative barriers for implementing crisis measures.

The Federal Ministry of the Interior (Bundesministerium des Inneren und für Heimat, or BMI) is responsible for co-ordinating civil protection and disaster management at the federal level. It oversees preparedness actions, develops policies, provides guidelines and supports state authorities. The Federal Office of Civil Protection and Disaster Assistance (Bundesamt für Bevölkerungsschutz und Katastrophenhilfe, or BBK) plays a central role in co-ordinating civil defence measures. It implements civil protection policies, organises training, and provides resources and information for crisis management.

The Federal Agency for Technical Relief (Technisches Hilfswerk, or THW) plays a crucial role in technical support during disasters and emergencies, providing equipment and personnel to assist local authorities in their response efforts.

The federal government monitors and evaluates crisis response measures through reporting by the ministries and authorities involved, as well as through reviews and follow-up of operations to optimise future procedures.

Each German state has its own disaster management authority, which is responsible for implementing federal policies and co-ordinating local responses. It works closely with the federal government and local governments to ensure effective crisis management.

Local governments play a key role in crisis management, as they are responsible for the implementation and realisation of specific measures. This includes the implementation of emergency plans, the co-ordination of local resources, and helping affected populations.

As part of their duties, public authorities are obliged to review their ability to respond adequately to crises. This ensures that effective action can be taken if necessary.

The German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, or BaFin) plays an important role, ensuring that institutions in the financial sector have appropriate emergency and crisis plans in place. It is responsible for monitoring such institutions’ financial stability.

The Federal Network Agency (Bundesnetzagentur, or BNetzA) ensures that critical infrastructure sectors such as energy, telecommunications and transportation meet specific security and preparedness standards. For public institutions, the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI) provides guidelines on IT security and resilience, and assesses measures to secure the digital infrastructure. Independent studies and audits contribute to the review of crisis preparedness and ensure that both private and public organisations have a suitable framework for crisis situations.

There are mandatory mechanisms to ensure public reporting and provide transparency in Germany. This includes but is not limited to sector-specific disclosure requirements designed to create transparency in dealing with crises. For example, there is an ad hoc disclosure obligation in capital markets, and there are reporting obligations under the German Banking Act (Kreditwesengesetz, or KWG) for the granting of certain loans, with regard to ESG, as well as under the Freedom of Information Act (Informationsfreiheitsgesetz, or IFG).

  • The ad hoc disclosure obligation requires listed companies to promptly publish information that could significantly affect their share prices. This includes transparency about financial health and reporting on crises’ impacts, disclosing material risks from economic downturns or disruptions. This obligation aims to ensure market transparency and prevent insider trading, as outlined in the European Market Abuse Regulation (MAR). In Germany, the BaFin enforces compliance, and violations can result in administrative penalties and significant fines.
  • According to Section 18 of the KWG, credit institutions are sometimes obliged to disclose the financial circumstances of their borrowers.
  • Though primarily focused on ESG aspects, the Corporate Sustainability Reporting Directive (CSRD) requires large companies to report on their sustainability and resilience strategies, including those related to crisis situations. The CSRD has yet to be implemented into national law.
  • Furthermore, the German Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz, or LkSG) mandates that companies report on their efforts to identify and mitigate human rights and environmental risks within their supply chains. As part of their due diligence obligations, companies must publicly disclose actions taken to address these risks, which can also include crisis-related measures.
  • In the public sector, Germany has the IFG, which allows citizens to request information from federal authorities. This contributes to transparency by enabling public access to government-held information, including crisis response actions.

These mandatory mechanisms ensure that both private and public entities remain accountable and transparent about their crisis response actions, thereby enhancing the overall resilience and preparedness of German society.

Germany has established specific regulatory requirements for crisis management and prevention across key sectors such as healthcare, finance, and critical infrastructure.

Healthcare

Hospitals are mandated to enhance their IT security measures in order to comply with the standards of the BSI. By the end of 2021, all hospitals were required to upgrade their IT systems accordingly. Furthermore, each state has its own health authority to supervise public health crisis management, requiring the development of guidelines and response protocols for health crises.

Finance

Financial institutions must adhere to stringent crisis management protocols as outlined by the BaFin. These include maintaining robust risk management frameworks and ensuring liquidity to handle potential crises.

Critical Infrastructure

Germany has had a National Strategy for Critical Infrastructure since 2009. The Critical Infrastructure Umbrella Law (KRITIS-DachG) is intended to introduce cross-sector requirements for operators of critical infrastructures, necessitating comprehensive risk management strategies. Companies are required to register and implement protective measures to comply with this legislation. The KRITIS-DachG has not yet been adopted. Once implemented, this legislation aims to enhance the resilience of critical infrastructures, ensuring that vital sectors such as energy, water and transportation can withstand crises and continue to operate effectively.

Monitoring and evaluation of these actions are conducted through regular audits and assessments by relevant regulatory bodies. Non-compliance can result in penalties, emphasising the importance for companies to proactively implement and maintain effective crisis management and prevention measures.

In Germany, there are several pre-structured public-private co-operation frameworks to enhance crisis prevention and response.

  • The BBK expressly promotes co-operation between public and private sectors in relation to civil protection. It develops concepts and programmes that facilitate the involvement of private companies in crisis prevention and management.
  • The federal government of Germany’s “Disaster Risk Management in and by Germany” (Katastrophenrisikomanagement in und durch Deutschland) initiative (KatRiMa) provides detailed information on actors, strategies, instruments or best practices for disaster risk management in and by Germany. As KatRiMa is a participatory information platform, this information is provided by the respective stakeholders, compiled in co-operation with them and/or on the basis of publicly accessible sources.
  • In Germany, PPP models in infrastructure and technology sectors can also be adapted for crisis situations. These partnerships allow for shared investment and risk management in projects that strengthen resilience, such as critical infrastructure development and maintenance.
  • The BSI collaborates with private companies to enhance cybersecurity resilience against threats that could escalate into crises. Information-sharing initiatives and joint exercises are part of this co-operative framework, ensuring that critical infrastructures are protected and prepared.
  • Agreements between the THW and private logistics companies are in place to provide support during disasters. This ensures that logistical capabilities are immediately available to transport essential goods and services during emergencies.
  • In sectors such as energy and finance, specific alliances exist to prepare for and respond to crises. These alliances often involve contingency planning, joint simulations and communication protocols to minimise disruption and facilitate a swift recovery. One sector-specific alliance in Germany is the so-called Energiepartnerschaft (Energy Partnership) framework. This initiative involves co-operation between public authorities, energy companies and industry associations to address energy security, grid stability, and crisis preparedness. By uniting key stakeholders, the Energy Partnership aims to ensure that Germany’s energy sector can effectively manage crises and transition towards more sustainable energy sources.

Germany has a national crisis management policy framework that is structured to address various types of crises. This framework is anchored in several laws and regulations as well as in the crisis management developed at federal and state level.

The national crisis management plan is divided into several stages: prevention, preparation, response and recovery. It includes co-ordination between various state institutions, such as the BBK and other relevant authorities at state and local level.

It is implemented through regular exercises, training and assessments to ensure that the agencies involved can work together effectively.

The BMI supervises crisis management and co-ordinates with other ministries (such as the Federal Ministry of Health) during health crises. Central to this is the federal government’s crisis team, which unites relevant ministries and authorities for a co-ordinated approach when necessary. At the operational level, situation centres in ministries, such as the BBK, are responsible for crisis response (see 2.8 National Crisis Management Plan).

Regular co-ordination at various government levels facilitates real-time communication and strategy adaptation. Federal and state agencies conduct joint exercises and simulations to refine protocols, test communication channels and enhance co-ordination.

Specific laws and guidelines outline the roles and responsibilities of different government entities. This legal structure ensures clarity in operations and decision-making processes during emergencies. Through these mechanisms, Germany ensures that government entities can work together effectively.

Companies typically structure their crisis management plans to align with:

  • legal requirements;
  • industry best practices, such as the German Corporate Governance Code;
  • standards issued by the Institute of Public Auditors in Germany (Institut der Wirtschaftsprüfer, or IDW); and
  • international standards such as ISO 22301 (Business Continuity Management) and ISO 31000 (Risk Management).

German companies emphasise risk assessment, regulatory compliance and structured response protocols to ensure resilience during crises.

Key components of an effective crisis management strategy in Germany are as follows.

  • Risk assessment and prevention:
    1. identifying potential crises;
    2. conducting vulnerability and impact analyses; and
    3. establishing preventative measures to minimise risks.
  • Legal and regulatory compliance – ensuring compliance with German regulations such as the LkSG, the GDPR and the IT Security Act.
  • Crisis team and leadership structure:
    1. designating a crisis management team with clear roles;
    2. establishing a chain of command and decision-making hierarchy; and
    3. assigning an incident commander to oversee response efforts.
  • Crisis communication strategy:
    1. developing internal and external communication protocols;
    2. ensuring transparency and timely updates to stakeholders; and
    3. utilising multilingual communication where needed (especially for multinational corporations).
  • Business continuity planning:
    1. creating contingency plans for operations, IT infrastructure and supply chains;
    2. ensuring redundancy in key areas; and
    3. regularly testing and updating continuity plans.
  • Emergency response and operational resilience:
    1. establishing a Standard Operating Procedure (SOP) for different crisis scenarios;
    2. conducting training and simulation exercises; and
    3. co-ordinating with local emergency services and government agencies (eg, BBK).
  • IT security and cyber-resilience:
    1. implementing cybersecurity protocols in line with the BSI guidelines;
    2. preparing for cyber-attacks with incident response plans and back-up solutions; and
    3. conducting penetration testing and continuous monitoring.
  • Regular testing and exercises – conducting exercises to test incident response.
  • Post-crisis evaluation and adaption:
    1. conducting a “lessons learned” analysis after a crisis;
    2. updating policies; and
    3. engaging in stakeholder feedback.

In Germany, various legal provisions require the establishment of a risk management system (eg, Section 91 paragraph 2 of the AktG). However, the specific design of this system is not mandated by law; companies are allowed to design this system according to their individual needs.

Therefore, the organisation of companies’ internal governance depends on multiple factors, such as size of the company, risk proneness of the services provided and previous points of contact with critical issues. Companies typically organise their internal governance for crisis prevention and response through different structures that sometimes also include special crisis committees dealing specifically with the preparation and management of crisis situations. However, there is no obligation to establish a crisis committee; whether this is necessary depends on the impact of the crisis. While a crisis with a low impact might be handled by a sole crisis manager, crises with a higher impact might need to be handled by a dedicated risk management committee.

Larger companies or those in high-risk industries tend to have permanent crisis committees to evaluate risks and prepare for potential crises, while others convene them on an ad hoc basis as required. Their formation and structure can vary by industry, company size and the respective crisis. Common features of crisis committees are a clear structure with defined roles and responsibilities, regular meetings to update crisis plans and the organisation of crisis exercises. In terms of the degree of independence, a crisis committee usually has limited autonomy and works closely with the company management.

A crisis management team typically consists of members from various key departments to ensure a comprehensive response. These members usually include the following:

  • head of crisis management – often a senior executive or a person in a high-level management position such as the Chief Operations Officer or Chief Risk Officer, who oversees the overall crisis management efforts;
  • legal and compliance officer – responsible for assessing legal implications and ensuring compliance with relevant regulations;
  • public/investor relations officer – manages internal and external communications, drafts messages for stakeholders (including capital markets communication) and maintains the company’s public image;
  • HR representative – looks after employee matters during a crisis, manages internal communications and oversees any necessary changes related to staffing levels;
  • IT and security expert – deals with data security issues and ensures the integrity and resilience of IT systems;
  • operations manager – focuses on maintaining or restoring normal operations and minimising disruptions;
  • financial officer – assesses the financial impact of the crisis and manages budgetary considerations; and
  • external experts (if needed).

The frequency of meetings depends on the severity and nature of the crisis. The team may meet daily or even several times a day to assess and respond to urgent developments. In less urgent situations or during regular reviews, meetings may be held quarterly or semi-annually.

In Germany, effective communication is essential for handling crises efficiently. Companies set up internal communication channels to provide regular updates and hold meetings to discuss ongoing developments and the current situation. Collaboration between different departments in the company ensures a cohesive response. Involving management in regular briefings allows for strategic decision-making based on the current situation.

Companies usually engage external experts (such as lawyers and communication experts) to handle crisis management and prevention, especially if they lack specific expertise or need an unbiased, objective perspective. External experts provide specialised knowledge, experience from past crises and resources that are not readily available within the company. If lawyers serve on the crisis committee as external experts, communication may be protected by attorney-client privilege.

External advisers possess strong analytical skills, strategic foresight and the ability to make quick, informed decisions under pressure. Their experience helps businesses prepare for crises. Their investigative skills allow them to assess past failures, mitigate risks and implement sustainable solutions to prevent recurrence.

The criteria for selecting external experts usually include:

  • expertise and experience – the expert’s track record in dealing with similar crises or their specific industry experience are key;
  • reputation and references – companies often look for experts or firms with a good reputation and positive references from previous clients;
  • approach and methodology – the strategies and methods proposed by the experts should be in line with the needs and culture of the company;
  • availability and responsiveness – the experts must be available to respond quickly, as crises can occur unexpectedly;
  • communication skills – clear and effective communication is essential to ensure co-operation and understanding between the company and the external experts; and
  • cost-effectiveness – as regards budget considerations, companies may assess the potential return on investment of hiring external experts against the costs involved.

Common indicators used by companies to assess the success of crisis management efforts include the response time and the effectiveness of communication strategies. Other indicators include minimising financial losses, maintaining business operations, employee and stakeholder satisfaction, and feedback from people involved in crisis management.

In order to continuously improve crisis management strategies, companies conduct follow-up meetings after a crisis (see 7.1 Post-Crisis Review: Learning Lessons).

A company can identify a crisis and its potential legal implications through several channels. These include a direct approach from authorities (such as a warrant or dawn raid), internal whistle-blower reports, subpoenas, or external sources (such as media articles). The way a crisis is identified will often determine the immediate steps taken in response.

Once a potential crisis is identified, companies typically undertake the following immediate steps to assess the situation.

  • Crisis identification – it is vital to gather as much information as possible to provide the appropriate response to the crisis. To ensure no data is lost, document preservation protocols are activated.
  • Initial communication – companies reach out to the crisis management and leadership team to provide preliminary information. The crisis management team co-ordinates and aligns the response efforts.
  • External engagement – depending on the nature and severity of the crisis, companies might engage external legal counsel, forensic experts, auditors or other specialists.

To assist with the crisis identification and communication, companies may use tools such as risk management software, alert systems and communication platforms. These tools streamline information flow, enable swift internal communication and ensure that accurate information is shared with stakeholders in a timely manner.

Companies use various frameworks or models for crisis management, often inspired by international standards such as ISO 22301, which provides a framework for business continuity management. In critical infrastructure sectors in particular, there are strict legal requirements, such as the KRITIS programme (see 2.6 Sectorial Requirements) or the BSI IT baseline protection for cybersecurity (see 3.1 Crisis Management Plans).

Another essential standard is IDW standard No 6. It requires a comprehensive restructuring concept that assesses a company’s viability in crises, and is prepared by an independent third party. Additionally, a draft for a new IDW standard (IDW ES 16), regarding the design of crisis early detection and crisis management according to Section 1 of the StaRUG, has been published.

Typically, a company’s crisis response plan contains several key elements:

  • crisis identification and assessment;
  • response strategies;
  • communication plans for internal and external stakeholders;
  • roles and responsibilities;
  • resource management;
  • recovery strategy; and
  • business continuity measures to quickly resolve business interruptions.

Companies usually identify and assess potential risks that could lead to a crisis as part of a systematic risk management process. This process often includes the following steps.

  • Identification of risks – companies use tools such as SWOT (strengths, weaknesses, opportunities, threats) analysis, brainstorming sessions and stakeholder consultations to identify potential risks in their business, industry and external environment.
  • Risk assessment – once the risks have been identified, they are assessed based on their likelihood and potential impact. Companies use risk matrices and quantitative models to prioritise risks and focus on those that pose the greatest threat.
  • Monitoring – continuous monitoring of identified risks using Key Risk Indicators (KRIs) and other metrics helps organisations monitor for changes that could increase the level of risk.
  • Regulatory and compliance reviews – companies often need to comply with legal and regulatory requirements that require specific risk assessments, particularly in highly regulated industries.

Risk factors relevant for crisis preparation include:

  • operational risks – issues related to supply chain disruptions, equipment breakdowns, or inefficient processes;
  • financial risks – market instability, currency fluctuations, credit risks and risks of insolvency;
  • destructive intervention – destructive intervention (existenzvernichtender Eingriff) occurs when the company’s shareholders unlawfully withdraw the assets necessary for repaying its debts, thereby causing a crisis and potentially the company’s insolvency;
  • reputational risks – negative publicity, brand damage and customer dissatisfaction;
  • regulatory and compliance risks – changes in regulations, legal disputes and non-compliance with industry standards;
  • geopolitical risks – political unrest and government changes;
  • environmental risks – natural disasters, climate change impacts and resource scarcity;
  • cybersecurity risks – data breaches, cyber-attacks and IT system failures; and
  • product liability/green claims – defective products or misleading marketing claims.

These risks can generally be mitigated by preventative measures:

  • developing crisis management plans – creating comprehensive plans that define specific responses and responsibilities during a crisis;
  • regular training and exercises – conducting training and simulations to prepare employees for various crisis scenarios;
  • insurance and financial protection – use of insurance policies and financial instruments to protect against financial losses from identified risks;
  • robust IT security and infrastructure – implementing cybersecurity protocols and investing in secure IT infrastructure to prevent data breaches;
  • supplier diversification – reducing supply chain risks by sourcing materials from multiple suppliers;
  • compliance programmes – establishing an actual culture of compliance within the company to ensure compliance with legal and regulatory requirements; and
  • developing standard crisis communication materials – implementing communication structures and preparing statements that are easily adaptable to the crisis at hand.

By systematically identifying and assessing risks and implementing preventative measures, companies seek to minimise the likelihood and impact of potential crises.

Simulation exercises can prepare companies for potential crises. The frequency of such simulation exercises depends on company size, sector and risk exposure. Many companies conduct them at least annually. Some high-risk industries, such as finance, may perform exercises more frequently to ensure preparedness and compliance with regulatory requirements. Such exercises allow companies to practise their crisis response procedures and ensure that all team members involved are familiar with their responsibilities in the event of a crisis.

Common scenarios in simulation exercises include the following.

  • Cybersecurity breaches – reviews and tests of cybersecurity during a crisis can be conducted through “ethical hacking”. This involves authorised examinations of computer systems, networks or web applications to identify and fix security vulnerabilities. Ethical hackers simulate cyber-attacks, using techniques similar to malicious hackers, but aim to improve system protection and prevent breaches. Best practices include partnering with certified ethical hackers, clearly defining the scope and objectives, and thoroughly documenting findings.
  • Natural disasters – exercises for events such as earthquakes, floods or fires test the company’s emergency response, evacuation procedures and business continuity plans.
  • Supply chain disruptions – companies simulate disruptions due to supplier failures or transportation issues to assess and improve their supply chain resilience.
  • Operational failures – scenarios may involve key equipment or system failures, testing maintenance and back-up processes.
  • Regulatory challenges – developments under public law often pose a challenge. Investigations are carried out and audits are conducted to ensure compliance with public law regulations.
  • Investigations – when investigating, authorities carry out dawn raids on a company’s premises if there is reasonable suspicion of an offence by the company, its management or one of its employees. Training on the “dos and don’ts” in the event of such a dawn raid and simulation of dawn raids (“mock dawn raid”) have proven useful.

By conducting these exercises regularly, companies aim to refine their crisis management strategies, improve team co-ordination and ensure that employees are well prepared to handle real-life crises effectively.

Companies provide training programmes to ensure employees understand best practices for crisis prevention and response. The training covers the crisis response plan, individual responsibilities and communication procedures. Employees also engage in simulations of critical scenarios to reinforce their roles.

Regular updates and refresher courses are recommended to keep staff informed about crisis management practices, and companies offer handbooks and online resources for easy access to protocols. Co-ordination with legal and compliance teams is essential to ensure awareness of operational and regulatory considerations.

Training initiatives are typically managed by crisis management teams or departments such as HR, with support from senior management to encourage participation.

Many companies implement specific policies for crisis preparation and prevention, establishing a crisis management framework that includes response procedures, communication plans, risk assessments and training for employees. These policies are formally documented and include procedures and measures for activation and communication.

To ensure that the crisis management plan remains effective, companies must regularly review and update their policies to reflect changes in their operational landscape and emerging risks.

When in crisis, companies face a plethora of legal challenges in Germany, not only caused by the crisis itself but by subsequent events such as internal investigations, criminal charges or third-party actions. The scope of potential legal challenges depends heavily on the nature and extent of the crisis.

Overall, the following (potential) legal challenges can be identified.

  • Building trust – the management of a company is obliged to build and protect the reputation of a company. This comprises the building of trust with relevant stakeholders. In crises, this might help to establish trust, which is relevant to overcoming critical situations.
  • Regulatory compliance and evolving legal frameworks – compliance with evolving laws, such as the LkSG, requires close monitoring to ensure compliance in complex supply chains. This is particularly important as German and European regulations might be applicable. Non-compliance may lead to fines, sanctions or business interruptions.
  • Civil liability and contractual obligations – defending against third-party legal actions, including collective redress, can lead to costly and time-consuming litigation.
  • Labour relations – facing issues in the workforce, including high absenteeism and union negotiations, can lead to litigation.
  • Financial distress – economic downturns increase the risk of insolvency, so companies must deal with German insolvency laws to avoid excessive debt and financial instability.
  • Data protection – compliance with strict data protection laws, such as the GDPR, is crucial, especially in the event of a crisis when data breaches or increased data processing may occur.

Addressing these challenges requires proactive and proper legal risk management, continuous monitoring of regulatory changes, and effective communication with stakeholders to mitigate potential legal impacts during a crisis.

Companies must ensure that they comply with all relevant regulations in order to minimise liability risks. This often requires close co-operation with compliance and legal departments. The following main authorities can represent significant exposure to legal liability for companies and management:

  • the Public Prosecutor’s Office in the case of criminal offences, including corporate crimes;
  • civil courts in civil proceedings due to contractual breaches;
  • the Federal Environment Agency (UBA) or state environmental agencies in the case of violations of environmental law;
  • the BaFin in the event of breaches of financial laws and regulations;
  • the Federal Cartel Office in the event of breaches of competition law;
  • the BSI in the case of violations related to information security and critical infrastructure; and
  • the BfDI in the case of data breaches or non-compliance with data protection obligations.

For internationally active companies, foreign or European enforcement authorities can also pose a risk. These can include the following:

  • the European Public Prosecutor’s Office – an independent and decentralised prosecution office of the EU, which has the competence to investigate and prosecute crimes against the EU budget, such as fraud, corruption or serious cross-border VAT fraud;
  • the EC – investigates a suspected breach of EU competition law;
  • the US Federal Trade Commission (FTC), which co-operates with foreign counterparts to enforce US consumer protection and privacy laws; and
  • other foreign authorities might investigate/enforce through administrative assistance from German authorities.

During a crisis, companies need to co-operate with enforcement and supervisory authorities – particularly on regulatory and legal matters, which may include regular reporting and (at times) appointing an external monitor to ensure compliance. Companies typically provide updates to authorities, with the frequency depending on the crisis’s nature and legal requirements.

German companies assess potential legal risks and liabilities through risk management frameworks, internal audits and legal compliance reviews. This process includes identifying regulatory obligations, evaluating contractual risks and analysing past legal issues to prevent future liabilities. Legal teams, often in collaboration with compliance officers and external counsel, conduct due diligence, monitor legislative changes and review industry-specific risks.

Regulatory compliance is a key factor to be considered in the assessment of potential legal risks and liabilities for companies in Germany. This includes adherence to significant regulations.

Contractual obligations are another critical factor. Companies must ensure that all contractual agreements are clear and enforceable to minimise the risk of breaches or misunderstandings. Data protection risks are also a primary focus, especially given the stringent requirements of the GDPR.

Compliance with labour laws is highly relevant, as breaches of employment regulations can result in significant penalties and legal disputes. This includes maintaining fair employment practices and adhering to health and safety regulations.

Potential litigation risks are carefully analysed and re-evaluated on an ongoing basis to prepare companies for possible legal challenges and to develop appropriate risk mitigation strategies.

Additionally, companies assess financial risks and potential reputational damage, which could occur in the event of negative publicity.

In-house teams play a crucial role in crisis management, ensuring compliance with laws and industry-specific regulations while mitigating legal and reputational risks. They support developing crisis management policies and procedures, and handle regulatory reporting, crisis communication oversight, contract disputes and potential litigation. Legal teams handle communication with regulatory authorities and participate in after-action reviews to assess the company’s response, identify any legal weakness and improve risk management.

The legal team’s structure depends on the company’s size, the industry in which it operates and the specific nature of possible crises. Typically, it includes in-house counsel familiar with the company, compliance officers ensuring regulatory adherence and regulatory experts knowledgeable about complex legal frameworks. The legal team collaborates closely with executives to align legal and business strategies.

Many companies, especially in regulated sectors, engage external legal counsel for specialised expertise. External legal counsel is selected based on:

  • expertise;
  • industry and regulatory experience;
  • a strong crisis management track record;
  • availability and responsiveness; and
  • the ability to communicate complex legal concepts and strategies.

In complex cases, companies and their boards may even retain multiple law firms to cover different aspects of legal defence and reputation management.

In Germany, companies are subject to retention obligations under commercial law. For example, the German Commercial Code (Handelsgesetzbuch, or HGB) requires that consolidated financial statements, management reports and group management reports – as well as related work instructions – be retained for a period of ten years. Even if not required by German law, companies may consider implementing document holds as part of their due diligence, especially if they operate internationally and may face foreign investigations.

Document preservation should start early in a crisis, suspending deletion protocols to avoid losing relevant information. Close collaboration with the IT department is vital for identifying custodians and determining the preservation scope. Organisations must therefore establish and actively manage clear policies to ensure that all relevant information is properly captured, secured and retained to meet legal requirements.

Methods for capturing and storing relevant documents and evidence include:

  • document management systems;
  • action protocols if a crisis is identified;
  • data back-up solutions; and
  • e-discovery tools.

These methods also help the company to ensure compliance with legal requirements for evidence preservation.

Settlement arrangements for the consensual resolution of litigation derived from the crisis are typically based on the nature of the dispute, the parties involved and the specific circumstances. The following are suitable methods for resolving legal disputes in connection with a crisis:

  • settlement payment;
  • contract amendment;
  • injunctive relief;
  • non-monetary settlements; and
  • mediation or arbitration.

Non-monetary agreements may include agreements to implement changes in procedures and policies to address the issue that led to the crisis or litigation.

Settlement agreements must comply with the applicable laws and may require approval from authorities.

Common types of insurance include:

  • public liability insurance;
  • D&O liability insurance;
  • cyber liability insurance; and
  • legal expenses insurance.

Further, the scope of insurance cover may include:

  • environmental liability insurance;
  • business interruption insurance; and
  • specialised crisis management insurance.

To manage claims and obtain insurance cover, companies in Germany generally work closely with insurers or insurance brokers. This includes the following.

  • Immediate notification – companies must notify insurers immediately of any incidents or claims that could trigger insurance cover and ensure compliance with the terms and conditions of the policy.
  • Documentation and reporting – detailed documentation and reporting of the incident or claim so that insurers can properly assess the situation.
  • Collaborative claims management – continuous communication with insurers to efficiently manage claims and develop resolution strategies. This involves responding to any requests for additional information or clarification as well as co-operation in any investigation of the insurer.
  • Risk mitigation and compliance – demonstrating adherence to risk management practices and regulatory requirements, which can enable smoother claims handling. By demonstrating a proactive approach to risk management, companies can assure insurers that they have taken steps to minimise potential claims risks.

Through clear communication and compliance, companies can effectively use their insurance cover to manage crisis-related costs and litigation.

The term “reputation” refers to the perception and credibility of a company among its stakeholders – ie, shareholders, customers, employees and the public. Reputation can significantly influence the success and sustainability of a company. Proactive reputational management strategies – such as a functional compliance management system – foster stakeholder trust and ensure transparent communication.

After a crisis, companies must assess the impact on their reputation. Indicators are media analysis, customer feedback, stakeholder interviews and financial performance. Tools such as social media monitoring, brand perception surveys and analysis software aid in assessing public opinion. Additionally, share prices, customer retention rates and regulatory audits are key indicators of reputational damage.

To restore reputation after a crisis, companies take several steps:

  • transparent communication and accountability – taking responsibility, issuing public statements, openness, apologies and updates to rebuild trust with stakeholders and the public, to demonstrate commitment to solving the issues;
  • corrective action and monitoring progress – evaluating and implementing policy changes, compliance measures and training of employees;
  • stakeholder engagement – rebuilding relationships with employees, customers, investors and regulators through proactive dialogue, as well as providing updates on recovery efforts and ongoing improvements;
  • corporate social responsibility (CSR) initiatives – investing in CSR initiatives and launching sustainability projects, ethical business practices or community engagement programmes to improve public perception; and
  • rebranding and marketing initiatives – running PR campaigns, adapting brand messaging or emphasising corporate values to restore credibility.

There are various crisis reporting requirements in Germany, including in particular the following.

  • Listed companies must promptly disclose price-sensitive information to meet ad hoc publicity obligations, especially during crises that could impact on the company’s value.
  • In accordance with Article 33 of the GDPR, data breaches must be reported to the relevant data protection authority within 72 hours.
  • Financial institutions are subject to supervision by the BaFin and must report significant risks and changes in their financial situation. This includes crises such as fraud, money-laundering incidents or other regulatory breaches.
  • Operators of critical infrastructures must report IT security incidents to the BSI.
  • Companies are often obliged to report environmental damages (Section 4 of the USchadG).
  • Management boards of stock corporations and limited liability companies are obliged to call for a shareholders’ meeting when half the capital stock is consumed through losses (Section 93 of the AktG, Section 49, paragraph 3 of the GmbHG).
  • Insurance policies may also require that the company notify its insurers immediately upon becoming aware of a potential claim, which may arise from a crisis.

Establishing crisis management teams and collaborating with legal and compliance departments is essential for companies to effectively navigate crises and meet regulatory requirements. Legal teams ensure compliance with regulations to avoid penalties, while crisis management teams handle the operational response. This collaboration minimises the risk of legal repercussions (such as fines for data breaches), protects the company’s reputation and ensures that communications with stakeholders are legally sound, helping to maintain trust among customers and investors.

Organisations co-ordinate communication between different stakeholders through well-structured communication strategies and clearly defined responsibilities. Typically, a centralised communications team or crisis communications department ensures consistent messaging. In addition to the crisis management team, the public relations officer is involved in drafting and disseminating messages. Companies can use centralised platforms, ensuring consistent updates across multiple channels, such as emails, newsletters and websites, to provide real-time updates.

Common triggers for communicating crises to stakeholders include:

  • regulatory requirements;
  • operational disruptions;
  • negative media coverage;
  • significant events that can have an impact on the business; or
  • incidents that attract public or media attention.

Effective internal communication during a crisis is essential for aligning employee responses and fostering trust. The crisis communication plan should outline how and when to convey information, using centralised channels and intranet updates. Companies must provide ongoing updates and a contact point for employee inquiries. Additionally, debriefing sessions are important for improving responses to future crises.

The first key stakeholders to be informed include:

  • executive leadership (CEO, board members, crisis management team) to make strategic decisions and co-ordinate responses (however, if the executive leadership has caused the crisis, the supervisory board may also be involved in making the strategic decisions);
  • legal and compliance teams, investor relations, communication teams and the supervisory board to assess risks, regulatory obligations and potential liabilities;
  • HR and employee representatives to handle workforce concerns, well-being and internal morale;
  • IT and security teams if the crisis involves cybersecurity threats or operational disruptions; and
  • department heads and team leaders to disseminate information effectively to employees.

Informing the supervisory board is essential as it oversees management’s actions during a crisis, provides strategic guidance, and ensures compliance with legal and regulatory requirements. It may also need to engage with stakeholders in alignment with management’s communications.

An effective public and media communication strategy involves prompt and transparent messaging following a crisis to build credibility and trust with stakeholders.

Timing and the extent of the first communication depend on the unique circumstances of the crisis, as the origin and extent of the crisis might still be unknown. Companies must balance the benefits of timely communication with the risks of sharing incomplete or inaccurate information. The initial message sets the tone for future communications, and overpromising can lead to reputational damage. Therefore, it is crucial to avoid definitive commitments that may need to be retracted later.

Furthermore, all communications should deliver consistent messages. After a crisis is resolved, companies provide follow-up communication outlining what has been learned, changes that will be made and how future incidents will be prevented.

Another key strategy for effective crisis communication is proactive media engagement. This enables the company to have established points of contact and trusted sources when a crisis arises, helping to ensure that information is communicated quickly and accurately. Proactive engagement includes providing regular updates to the media, holding press conferences when necessary and giving interviews. This approach helps companies control the narrative, reduce speculation and prevent misinformation.

The main challenges faced by companies include the rapidly changing situation during a crisis. Companies must keep pace with new information or changing circumstances while deciding on the proper extent and timing of communication. They must also filter through an overwhelming amount of information, which makes it difficult to provide a clear response. Successful crisis communication should explain the incident, simplify complex issues and point out possible solutions.

Companies communicate with investors and shareholders about crises and potential legal disputes through official channels such as ad hoc announcements, corporate news, quarterly reports and investor conferences/calls. They aim to communicate clearly and transparently about the nature of the crisis, potential impacts, and the steps being taken to mitigate risks. Transparency and immediate communication are crucial to maintain investor confidence. After the crisis, companies often provide follow-up reports to investors.

In addition, companies engage in direct communication with key institutional investors and major shareholders. This personalised approach helps address any specific concerns and provides a more detailed understanding of the company’s crisis management.

The supervisory board – in particular, the chair – needs to be addressed in a timely manner, as it ensures that the company’s response complies with legal and regulatory requirements. This is sometimes delayed due to reliance on management or lack of established protocols for escalation in critical situations.

During a crisis, addressing customer concerns and maintaining trust is critical for companies. The following strategies are commonly used.

  • Transparent communication – companies should be open and honest about the situation, providing clear and accurate information. This includes acknowledging the issue, detailing the steps being taken to resolve it, and setting realistic expectations for resolution.
  • Timely updates – frequent updates help reassure customers that the company is actively managing the crisis. Timing is crucial to prevent misinformation and to keep customers informed of new developments.
  • Empathy and support – demonstrating an understanding of customers’ concerns helps maintain trust. Companies should offer support and solutions tailored to customers’ needs, such as refunds, replacements or additional services.
  • Dedicated crisis teams and hotlines – establishing crisis response teams and dedicated customer support hotlines can provide direct assistance and ensure that customer enquiries are addressed quickly and consistently.
  • Accountability – taking responsibility for the crisis can help restore confidence, especially when coupled with actions to prevent future occurrences.

Companies use various channels to communicate with customers, including email, social media, the company website (eg, FAQs and guidance), customer service lines and press releases.

During a crisis, German companies ensure that employees are informed and supported through transparent communication, dedicated support programmes, and leadership engagement. They can use regular updates via email, intranet portals, meetings and crisis hotlines to keep employees informed.

To maintain morale and productivity, companies rely on leadership visibility to foster a sense of stability. Managers are trained to offer reassurance, recognise employee contributions and encourage collaboration.

Companies often establish specific communication channels for those affected by a crisis, sometimes as a requirement based on the crisis’s nature.

For example, data privacy laws mandate notifying affected individuals in the event of a data breach. In addition, product safety and consumer laws require companies to communicate in crisis situations. According to the German Product Safety Act (Produktsicherheitsgesetz, or ProdSG), companies must immediately recall products that pose a risk to the health and safety of consumers and inform the affected consumers. This also requires specific communication measures to reach the affected persons quickly. In connection with the German Act for the Better Protection of Whistle-Blowers (Hinweisgeberschutzgesetz, or HinSchG), companies are required to establish and maintain internal reporting channels to allow employees to report violations.

Clear communication with affected parties is crucial for transparency, trust and damage control. Common communication channels enable effective two-way communication, ensuring timely updates while offering opportunities for feedback and questions.

Companies carry out the “lessons learned” process after a crisis, conducting analysis workshops to assess the strengths and weaknesses of the crisis management system. This includes stakeholders, the crisis management team, managers and leaders from affected departments. Companies may involve external experts to provide an objective evaluation and specialised insights. Results are documented and reported.

The post-crisis reviews should include answers to the following questions.

  • Assessment of response:
    1. Was the response effective?
    2. What could have been improved?
  • Identification of root causes:
    1. What caused the crisis?
    2. Has this issue been resolved?
  • Reputation:
    1. Was the company’s reputation harmed?
    2. Which measures will rebuild the public’s trust?
  • Implementation of changes:
    1. How will changes be implemented in the crisis management system?

All findings need to be documented thoroughly.

Companies update their strategies and procedures after a crisis by transforming the “lessons learned” into concrete measures, which might include updating the crisis management plan, communicating any changes in the crisis management to employees and organising training. Companies establish mechanisms to monitor the effectiveness of updated policies and procedures. Implementing feedback systems also allows for continuous input after updating the policies. The approach outlined in 7.1 Post-Crisis Review: Learning Lessons is an iterative process that ensures that companies continuously learn from past experiences and strengthen their resilience to future crises.

Companies can measure the effectiveness of their crisis management strategies using various methods, such as:

  • assessing response time;
  • analysing the financial impact, and customer and employee satisfaction;
  • conducting debriefings to evaluate the implementation of crisis plans; and
  • post-crisis surveys or feedback.

Comparing performance in crisis situations with predefined key performance indicators (KPIs) helps to identify weaknesses and strengths.

There are several public sources for benchmarks, industry standards and best practices in the field of crisis management in Germany, which also help companies to stay updated. Organisations such as the BBK offer guidelines and resources related to crisis management and civil protection. International standards, such as ISO 22301 for business continuity management, also serve as a reference for best practice for companies. IDW standards, such as IDW S6, help enhance risk management by providing a structured and consistent framework that facilitates comprehensive risk assessment and accountability. This standardised approach promotes best practices, ensures regulatory compliance and supports continuous improvement in risk management processes.

Noerr

Speditionstraße 1
40221 Düsseldorf
Germany

+49 211 499 860

+49 211 499 860 100

info@noerr.com www.noerr.com

Trends and Developments



Key Considerations for Businesses Regarding Crisis Management in Germany

Legal, political and economic changes are challenging for companies looking to enter or expand into the German market. This article provides an overview of the most important trends and developments affecting businesses in Germany today and how crisis management can help conquer these challenges.

Germany’s Current Economic Landscape

Germany’s economy is characterised by a strong industrial base, technological innovation and a highly skilled workforce. However, recent global economic challenges – such as inflation, energy costs, and supply chain disruptions – have a major impact on almost any business. Economic growth has been sluggish due to global slowdowns and high energy prices. Inflation remains a concern, though it has slightly stabilised. The country’s ambitious energy transition policy has created both opportunities and challenges for businesses. While subsidies and incentives exist for green energy investments, many companies struggle with rising electricity costs.

Supply chain disruptions remain an issue, particularly due to ongoing geopolitical tensions such as the war in Ukraine or the European trade disputes with countries such as China. Raw material shortages and logistic bottlenecks are forcing businesses to adapt by diversifying suppliers and increasing local production.

In addition to these challenges, businesses are also confronted with national challenges such as the rising costs of labour, production materials, real estate, and construction. 

The demand for local manufacturing capacity is surging as companies aim to minimise reliance on global supply chains. As businesses consider realigning their production strategies, proximity to key European markets makes Germany a key choice for setting up manufacturing hubs. The rising operational costs associated with energy, labour and materials in particular sometimes make it difficult to attract investors to the German market, compared to various alternatives in other European countries.

The real estate market in Germany is also undergoing significant changes. The rising costs of construction materials and higher interest rates have made property investments more expensive. Many businesses face increasing rental costs, especially in major cities such as Berlin, Munich and Frankfurt. Companies must consider the financial implications of real estate investments and assess alternative locations where rental prices are lower.

Despite economic and regulatory challenges, Germany offers significant investment opportunities across various industries. Companies in Germany are required by law to establish a risk management system. The management of a company is responsible for exercising the due care of a prudent manager, faithfully complying with the relevant duties. Companies are allowed to design and adapt the risk management system in accordance with their individual needs.

Crisis management therefore needs to adapt in line with different regulatory trends and the trends in each industrial sector.

Regulatory Trends

Foreign investment control

While Germany continues to attract foreign investment, regulatory control has increased, particularly in critical sectors such as defence, infrastructure, technology and energy. The Federal Ministry for Economic Affairs and Climate Action (BMWK) now examines foreign direct investments more closely to ensure national security and strategic economic interests.

AML

Companies must comply with AML regulations. They must stay alert to regulatory changes and address their money-laundering risks. To further strengthen the fight against money laundering and terrorism financing at the EU level, the EU established the Anti-Money Laundering Authority (AMLA). It will commence operations in summer 2025.

Certain national laws, such as Section 5 of the German Anti-Money Laundering Act (Geldwäschegesetz, or GwG), mandate a risk analysis for money laundering and terrorism financing. Following the Financial Action Task Force report for 2022, which identified gaps despite recent reforms, the German government proposed stricter measures, including the creation of a Federal Agency for Financial Crime.

Data protection and cybersecurity

Data protection also remains a priority in Germany. Companies must comply with the EU General Data Protection Regulation (GDPR) (Datenschutz-Grundverordnung, or DSGVO). Non-compliance can result in significant fines for the company involved. Cybersecurity laws have also become more stringent with the introduction of the Network and Information Security Directive (NIS2), requiring that companies improve their digital infrastructure security. The national implementation law was passed as a government draft in summer 2024, though this law has yet to be promulgated.

Cybersecurity is a major challenge for the risk management of companies and their board members. Unfortunately, the operational risks are still often underestimated. The rapid pace of digitalisation, the increasing use of personal devices as well as the rise in remote work confront businesses with potential cyber-risks. Cyber-attacks and the malevolent use of AI are increasing, making cybersecurity a crucial aspect of companies’ compliance systems. Cyber-attacks therefore also need to be reflected in a company’s risk management plan. At the same time, the use of AI tools can also support companies by helping to identify crises and act quickly. To enhance cybersecurity, companies should conduct “ethical hacking” simulations to train for cyber-attacks and data breaches.

ESG

The increasing importance of ESG presents legal risks for businesses. This global trend reflects society’s increasing focus on sustainability, which is leading to greater scrutiny and potential legal consequences for companies. The introduction of the German Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz, or LkSG) requires that businesses with more than 1,000 employees ensure human rights and environmental standards throughout their supply chains.

The Corporate Sustainability Reporting Directive (CSRD) has also increased transparency requirements, forcing businesses to enhance their reporting on ESG factors. Germany has not yet transposed the CSRD into national law despite the expiry of the transposition deadline and the infringement proceedings initiated by the EC, which presents potential legal uncertainty for companies that fall within this scope. Critics assume that both Directives place an extraordinary burden on SMEs due to the obligations they impose.

On 26 February 2025, the EC presented an omnibus package aimed at amending the CSRD and the Corporate Sustainability Due Diligence Directive (CSDDD). The goal is to enhance the EU’s competitiveness by simplifying sustainability rules and reducing administrative burdens by at least 25%. This is supposed to foster a more business-friendly environment. The scope of the CSRD should be significantly reduced so that – as also under the CSDDD – only large companies with more than 1,000 employees (instead of 250) will be required to provide a sustainability report. This applies to large companies with and without capital market orientation. The implementation of the reporting obligation for large groups or large companies without capital market orientation should be postponed for two years to facilitate smoother adaptation. The deadline for national implementation of the CSDDD has been extended, moving the implementation to 26 July 2027 and postponing the first application phase to 26 July 2028. The Directive will also simplify due diligence obligations.

Such uncertain legal situations present risks for the companies concerned. It is therefore essential to establish a functioning compliance system and to monitor the evolving legislative framework accordingly.

Tax law

The German tax system is known for its complexity and its frequent reforms. This requires companies to keep up with any changes. The government has proposed tax relief measures for businesses to encourage investment, particularly in the field of research and development. However, discussions on tax cuts remain politically contentious and could be reignited by the forthcoming coalition formation following the recent election. Environmental taxation has also become an increasingly important issue in recent years, particularly for companies operating in energy-intensive sectors. To ensure compliance with all German tax regulations and to avoid internal investigations and criminal charges, frequent consultations with experts in German tax law are key.

Geopolitical regulations and polycrises

Geopolitical tensions, such as territorial disputes or economic sanctions, can be unpredictable and might complicate risk assessment and crisis management strategies. At a time when regulations and government policies are rapidly changing, companies must remain agile in modifying their crisis management frameworks to comply with new legal requirements.

Polycrises – ie, situations where multiple crises occur simultaneously – complicate crisis management as well. It is necessary to reallocate resources, determine the order of priority and develop a dynamic crisis management system that provides flexibility and addresses both known and unknown threats.

Trends in Industrial Sectors

AI

Germany aims to become the European hub for AI and digital transformation. The government has committed significant funding to AI research, smart manufacturing (Industry 4.0) and cybersecurity. In Industry 4.0, production is interlinked with state-of-the-art information and communications technology (ICT). Rigid and firmly defined value chains are becoming flexible and dynamic. The Digital Strategy 2025 initiative provides funding and support for businesses involved in AI, blockchain and cloud computing, making the field of AI attractive for foreign investors and businesses.

German businesses must comply with new EU-wide regulations on AI, ensuring ethical use of AI in commercial applications. The so-called EU AI Act, which entered into force in 2024, introduces additional compliance requirements for businesses developing and providing AI-driven solutions. The AI Act includes a risk-based approach, meaning that high-risk applications are more regulated than low-risk applications. Companies providing and using AI must adapt their compliance and risk management systems to account for the risks of using AI.

Defence industry

Current geopolitical conflicts, NATO commitments and terrorism have been driving sales and promoting growth in Germany’s defence industries. The German defence sector is one of the largest in Europe, making it a potentially profitable investment for foreign investors.

However, investors need to comply with foreign investment control regulations (see above). The defence industry is a popular target for cyber-attacks, which makes reliable crisis management essential. Ethical hacking and frequent training can familiarise employees with sector-specific crises. Transparent communication with the authorities is also essential to facilitate crisis management.

Infrastructure investments

Germany’s infrastructure is ageing. Investment gaps have led to a backlog of repair projects and insufficient funding for new developments such as roads, bridges, railways and public transit systems. Germany’s sustainability goals pose additional challenges for infrastructure development, requiring a shift towards greener transportation options, energy-efficient construction and renewable energy sources. The digital infrastructure is also in need of being overhauled, leading to attractive investment opportunities for foreign businesses and business opportunities for contractors. The expansion of offshore wind farms and the promotion of green hydrogen production have opened up new business opportunities. Companies specialising in energy storage, smart grids and energy efficiency technologies can benefit from government incentives and increasing demand for sustainable solutions. However, businesses must navigate challenges such as grid expansion delays, high regulatory standards and long approval processes for new energy projects.

Regarding critical infrastructure, investors need to comply with foreign investment control regulations. Foreign and terrorist (cyber-) attacks on critical infrastructure have risen in recent years. This needs to be considered when establishing a crisis management system. Frequent training of employees and transparent communication with authorities in regard to a (potential) crisis are indispensable. Companies specialising in the renewable energy sector should develop strategic partnerships and ensure compliance with Germany’s Renewable Energy Sources Act (EEG) to maximise investment potential.

Research industry

Germany is one of the largest research focal points in the world; however, the global R&D industry is growing, especially in sectors in which large German companies do not specialise, such as software and hardware production. Companies are increasingly dependent on research abroad and international co-operation, making the German research and development industry an attractive business opportunity for investors and contractors.

Research relies on confidentiality and exclusivity, making the research industry a likely target for cyber-attacks. Again, establishing a risk management system focusing on such risks is key.

Automotive industry

The German automotive industry is undergoing one of the most significant transformations. The shift towards electromobility and digitalisation is creating new opportunities and challenges for investors and businesses. The federal government has introduced substantial subsidies for electric vehicles, charging infrastructure and battery production. Major automobile manufacturers are investing in electric mobility and autonomous driving technologies. Start-up and technology companies focusing on battery development, electric vehicle infrastructure, and AI-powered mobility solutions have significant potential for investment.

Germany’s push towards hydrogen fuel cell technology also provides opportunities for businesses in the alternative energy sector. Integration of AI in automotive systems is rapidly progressing, with emphasis on enhancing vehicle safety and driving efficiencies. The legal framework surrounding AI in automotive applications is evolving, creating a landscape where businesses skilled in AI integration can thrive. Although the automotive industry is one of Germany’s strongest economic sectors, the industry is currently struggling due to the rise in overall costs, international competition in the electric vehicle sector, and its dependency on markets abroad. Government subsidies and EU regulations aim to promote electric mobility and create opportunities for innovation, but companies must adapt quickly to new environmental and technological standards.

In addition, investing in the automotive sector also brings legal risks, as companies must navigate stringent environmental regulations, new CO₂ emissions standards, and evolving EU Directives on sustainable production. It is necessary to establish a culture of compliance within companies and to frequently assess regulatory developments. This particularly applies to companies venturing into the field of AI, as the EU AI Act and high data privacy standards put companies at risk of being fined. Companies must therefore focus on establishing a functional risk management system that considers the evolving legal framework, braces against potential cyber-attacks and ensures the public’s trust in the automotive industry.

Outlook

Germany’s political landscape is currently uncertain due to early federal elections that were held on 23 February 2025.

The result of the elections was in favour of the Christian Democratic Union of Germany (CDU); the Alternative for Germany (Alternative für Deutschland, or AfD) became the second-strongest party. Coalition negotiations are currently ongoing following the election; the change of government could lead to significant changes in economic policy. Any legislative initiatives will be delayed until a coalition capable of forming a government is formed. This makes it even more important to monitor ongoing developments in order to react quickly and in the best possible way.

Overall, while Germany remains an attractive market for businesses, navigating its complex legal, political and socio-economic landscape requires strategic foresight, adaptability and a proactive approach to compliance and crisis management. Success will depend on effectively managing these challenges while capitalising on opportunities for growth, innovation and transformation.
