For corporations involved in international business, in the past 12 months crisis management practices and trends have related to three main topics in particular:

• sanctions and export controls in light of the new geopolitical risks;
• human rights risks in the supply chain; and
• cyber-related incidents and cybercrime.

Sanctions and Export Controls in Light of the New Geopolitical Risks

Since the invasion of Ukraine in 2022, there has been a massive escalation of sanctions which has impacted on businesses worldwide. This has also affected the business community in Norway, both those engaged in international business in general and particularly businesses operating in the northern parts of Norway, due to the geographical proximity to and trade with Russia. In this respect, the authors note that Norway has also implemented particular carve-outs from the EU sanctions in order to allow some continued trade with Russia within the fisheries and aquaculture sectors, including exemptions allowing for Russian fishing vessels to dock at certain Norwegian ports in northern Norway. Against this background, new risks have become relevant for more businesses than previously, in combination with new rules and regulations, making it important for operators to invest significant efforts in order to stay on top of developments. As a result, there have also been issues relating to compliance, which has led to internal investigations and authority investigations into past trades. 

Furthermore, beyond the sanctions against Russia, other important geopolitical developments have created the need for crisis management. This includes the conflict in the Middle East following the 7 October 2023 attack on Israel, and the Houthi attacks in the Red Sea. There is also continuous crisis management preparedness with respect to China, in particular due to China’s co-operation with Russia and tension with respect to Taiwan.

Continued Focus on Human Rights Risks in Supply Chains

A focus on human rights risks continues to be seen, particularly in international supply chains following the Transparency Act of 2021, which poses both legal and reputational risks to Norwegian businesses. As part of the efforts stipulated under the Norwegian Transparency Act, operators are required to conduct comprehensive due diligence in their supply chains to identify, assess and address human rights risks. Following such measures, businesses have in fact discovered risks requiring mitigation – the news community as well as non-governmental organisations have asked questions of businesses, which, under the Norwegian Transparency Act, they are required to answer, addressing potential adverse impacts on human rights.

Cyber-Related Incidents and Cybercrime

The aforementioned increase in international tensions due to the geopolitical environment has led to a heightened focus on national security and geopolitical risks among Norwegian businesses, making the Security Act, export regulations and sanctions assessments key focus areas in M&A transactions, cross-border agreements and investments. Norwegian businesses are also acknowledging the increasing risks of cyber-attacks and intelligence activities by foreign states and companies, as well as by organised criminal groups or private individuals. In recognition of these risks, both the government and companies are increasingly focusing on the importance of a robust digital infrastructure and on crisis management plans in case of cyber-attacks.

The key practice trends and shifts mentioned in 1.1 Market Comparison have meant that all sectors are in fact exposed, except for businesses solely working locally in Norway, where there is still minimal exposure (though such businesses may also fall victim to cybercrime).

With respect to the three main factors and trends highlighted in 1.1 Market Comparison, the most exposed sectors are:

• the maritime sector (including insurers, service providers and vessel owners), due to the massive escalation in sanctions and geopolitical risks;
• businesses handling or owning critical information or digital infrastructure, due to geopolitical and hybrid threats as well as related security and cyber-risks; and
• businesses with international complex supply chains (including the energy sector), due to the related human rights, compliance and sanctions risks.

This topic is not applicable.

Some Norwegian legislation primarily addresses the need to identify risks and vulnerabilities and to prepare for crises accordingly (eg, the Health Emergency Preparedness Act), while other legislation primarily regulates the situation after a crisis has occurred (eg, the Police Act). Certain laws are directed at public authorities (eg, the Civil Protection Act). Further, there is a distinction between laws that are quite general in scope of application (eg, the Police Act) and laws with a sectoral approach (eg, acts within the health sector).

Internal investigations (eg, due to a crisis) are not regulated by special procedural law in Norway. However corporate investigations are governed by various Norwegian laws and regulations – eg:

• the Working Environment Act;
• the Companies Act;
• the Penal Code;
• the Liability Act;
• the Accounting Act; and
• data protection laws.

Also, the Norwegian Bar Association has issued a set of indicative guidelines (the Bar Association Guidelines for Private Investigations, updated in 2023) applicable to lawyers’ work that relates to external independent private investigations.

There are also numerous laws restricting public authorities’ competence if a crisis has occurred, including the Police Act of 1995 and the Constitution of 1814. 

General Regulations Protecting Society and Critical Infrastructure in Times of War and Crises

The Civil Protection Act of 2010 aims to protect society, critical infrastructure and the environment in cases of war, natural disasters and other incidents with adverse impacts on Norway, its citizens and assets. It outlines the role of the government, municipalities and civil society in preparing for and mitigating the consequences of such risks should they occur. The Act on Business and Industry Preparedness of 2011 seeks to alleviate supply chain-related consequences of crises, in particular in times of war, by regulating the collaboration between public authorities and business operators.

Sector-Specific Acts Regulating Crisis Management

Numerous sector-specific acts regulate crisis management, such as the Health Emergency Preparedness Act of 2000 and the Communicable Diseases Control Act of 1994 relating to health crises. The oil emergency system is largely regulated by the Regulation relating to Petroleum Product Storing for Emergency Purposes of 2006, which gives the authorities wide-ranging powers to manage oil supply crises. Nuclear and radiological emergency preparedness is governed by the Act on Radiation Protection of 2000 and its regulations, while environmental emergency responses in the event of acute pollution is regulated by the Pollution Control Act of 1981.

Protection of National Security Interests

The Security Act of 2018 gives Norwegian authorities power to address national security risks by preventing the transfer of critical assets and infrastructure to state and non-state actors that may pose a security risk. Amendments made in 2023 increased the government’s power to address such risks, including by extending the scope of the foreign direct investment (FDI) notification regime. Alongside existing sanctions and export controls, the Security Act provides an important tool for controlling foreign ownership in Norway.

The way in which the aforementioned laws are enforced during crises depends on the crisis in question. Some laws have been enforced quite extensively and have given rise to lawsuits against the government – for instance, the Diseases Control Act during the COVID-19 pandemic. Others are applied on a more regular basis, with less controversial outcomes.

Health-Related Amendments Following COVID-19

Following the COVID-19 pandemic, several amendments were made to laws on crisis management in the case of health crises, including extended powers for the Norwegian government to isolate infected persons (new Section 4-3 a of the Communicable Diseases Control Act).

Increased Number of Private Investigations Leading to Amendments in Guidelines

The Bar Association Guidelines for Private Investigations were also recently amended, warranted by (inter alia) an increased number of private investigations in both the public and private sectors.

Increased Focus on Financial Crimes

The Norwegian Ministry of Justice and Public Security is strengthening the government’s response to financial crime and related crises, through (among others) extending the government’s powers of confiscation.

Increased Government Control of Foreign Investments

In February 2025, a proposed new regulation under the Security Act’s provisions on ownership control was issued. The regulation aims to give Norwegian authorities greater control over investments and M&A deals targeting businesses vital to national security, such as increased restrictions for information sharing prior to a transaction being approved.

New Requirements to Safeguard Critical Digital Infrastructure

A law on digital security is expected to come into force in 2025. The law shall implement the EU NIS-1 Directive and stipulate an obligation for companies providing critical functions (such as energy, transportation, health and financial services) to, among others:

• perform risk assessments;
• have adequate security measures in place; and
• report security breaches.

The government is working on further legislative amendments to increase control over critical digital infrastructure; following the expert committee’s report dated 28 February 2025, legal updates are expected, strengthening the government’s ability to control the influence of foreign countries on such infrastructure.

The expected impacts of these amendments on crisis management remain to be seen. Several amendments are aimed generally at increasing the public authorities’ powers if a crisis occurs, while others are aimed more at preserving and strengthening the rights of private companies and individuals (eg, the revised Bar Association Guidelines for Private Investigations).

The Overall Responsibility for Crisis Management

The overall responsibility for co-ordinating crisis management and preparedness actions lies with the Ministry of Justice and Public Security, as well as with other ministries in relevant sectors (eg, the Ministry of Health and Care Services with regards to pandemic preparedness and response). Additionally, numerous public entities have been established under the responsible ministries, including the Norwegian National Security Authority (NSM), the Norwegian Directorate for Civil Protection (DSB), and three newly established committees for emergency preparedness and crisis management in the health sector.

Sector-Specific Authorities and Agencies

To a large extent, the government monitors and evaluates crisis response efforts on a sectoral basis.

The oil security system is generally governed by the Ministry for Trade, Industry and Fisheries, which is responsible for the security of supply of fuel, emergency preparedness and crisis management within the sector. The Norwegian Radiation and Nuclear Safety Authority (under the Ministry of Health) bears the responsibility of preparedness actions related to nuclear accidents.

There have been suggestions of establishing more cross-sectoral structures to strengthen the co-ordination of preparedness work. Local governments (municipalities and counties) are often consulted in such processes, and also have specific responsibilities in relation to certain aspects of crisis management – for instance, with respect to facilitating the work of the Norwegian Civil Defence. However, since many crisis management questions warrant a State-level approach, the role of local governments may be subordinated in some cases.

There is no independent body that continuously oversees crisis management preparedness by companies or public entities. Nevertheless, in 2022 the government established a provisional commission responsible for the assessment of overall crisis response and preparedness in Norway, which culminated in an Official Norwegian Report (a type of preparatory work) in 2023 (NOU 2023: 17). The government has also signalled that such a commission will be established at regular intervals in the years to come (Meld St 9 (2024–2025) p 43).

The Petroleum Safety Authority (PSA) is an independent government regulator within the Norwegian petroleum industry; it is responsible for safety and emergency preparedness in the industry.

Crisis response actions from public authorities should in many cases be made available to the public under the Public Administration Act and the Freedom of Information Act. In addition, certain laws and regulations require public authorities to make contingency plans available to the public – for instance, Section 15 of the Civil Protection Act.

Crisis response actions from private entities and individuals are generally not subject to reporting and transparency requirements. However, certain aspects of crisis response actions may in some cases follow on from audits or other disclosure or reporting obligations – for instance, under the Transparency Act (see 6.7 Communication With Affected Parties).

In Norway, crisis management efforts and obligations are sectoral-based to a large extent. As outlined in 2.1 Legal Framework, the Health Emergency Preparedness Act and the Communicable Diseases Control Act establish key requirements in the health sector with regards to (inter alia) emergency preparedness plans.

In the finance sector, the Financial Institutions Act of 2015 requires financial institutions to have contingency plans that ensure financial stability during crises. With respect to infrastructure, the Regulation on the Quality of Electricity Supply of 2004 contains specific requirements relating to (inter alia) the resilience of the electricity supply system. Other sector-specific regulations also apply.

Actions required by such sectoral regulations are subject to inspections and audits by responsible authorities – for example, the Financial Supervisory Authority. Reporting obligations for private entities may also apply – for instance, under Section 21-1 of the Financial Institutions Act.

In January 2025, the Ministry of Justice and Public Security submitted an emergency plan to the Norwegian Parliament which (inter alia) includes plans on how to involve the private sector to a greater extent in relation to crisis management response plans. In particular, the Ministry has suggested including private parties (alongside governmental bodies) in a new cross-sectoral structure for assessments and emergency planning in civilian sectors (Meld St 9 (2024–2025) p 44–45). Thus, there are certain pre-structured public-private co-operation frameworks for crisis prevention and response, but the exact execution of such co-operation remains to be seen.

The government has announced that a long-term plan for civil preparedness shall be established, and that the work will commence in 2025 (Meld St 9 (2024–2025) p 40). There are certain sector-specific national crisis management plans and policies – for instance, in the health sector, to ensure energy security and as relate to nuclear accidents. The structure and implementation of existing plans varies from sector to sector – however, the main elements of the plan are to clarify responsibilities in the event of a crisis, establish notification and reporting routines, and facilitate co-operation between relevant stakeholders in the event of an emergency.

During a crisis, different government entities usually co-ordinate efforts based on their respective areas of responsibility. For instance, the Ministry of Finance has an overall responsibility for crisis management in the event of a crisis within the financial sector. However, certain responsibilities may be delegated to subordinated agencies – for example, the Financial Supervisory Authority. The Ministry of Justice and Public Security has a co-ordinating role for preparedness and emergency response in the area of public security; in 2017, the Ministry established an instruction for the ministries’ work on public security in order to ensure effective inter-agency collaboration (FOR-2017-09-09-01-1349).

Large international companies in Norway will commonly have a crisis management set-up and structure similar to international players in the USA, UK and continental Europe. Small to medium-sized companies in Norway will typically have a more narrow set-up tailored to the relevant sector and national regulatory exposure.

In general, the key components of an effective crisis management strategy would include the following.

• A risk assessment, which takes into consideration key risks of whether a crisis would occur and in what areas (including regulatory exposure, where regulated entities would, for instance, require certain types of internal controls and reporting requirements).
• A crisis management strategy and team, including designating roles and responsibilities to follow up on a potential crisis.
• A communication plan, including roles and responsibilities for the various types of crisis situations.
• A contingency plan, setting out a detailed step-by-step plan for the various types of crisis situations.
• External and internal reporting requirements, as well as key stakeholders. In this context, it should be noted that certain types of incidents would have a firm reporting deadline – for instance, with respect to a data breach or potential risks of money laundering for obliged entities.
• Training and awareness in contingency plans to ensure active preparedness.

Nevertheless, the content and scope of crisis management plans naturally vary based on (inter alia) the sector, the size of the company and what types of risks the company is exposed to.

In some cases, public authorities are also authorised to establish crisis management plans for private companies – if so, the content of the plan is usually regulated by law (see, for example, Section 20-6 of the Financial Institutions Act).

It is advisable and common to have committees responsible for certain types of crises. The composition of the committee would depend on the type of crisis. For instance, a regulatory breach would commonly be led by the general counsel or another member of the legal team, while a security breach would commonly be led by the head of security or chief operations officer. The board of directors would have the overall responsibility, and a severe crisis situation should commonly be escalated to the board of directors.

The steering committee would often have the overall responsibility of the prevention and management of crises, reporting to the board of directors. Such committees may have a subordinated crisis management team or task force responsible for the effective implementation of crisis management plans established by the crisis committee. Small and medium-sized companies might not have the same formal governance structures in place, and would therefore tend to handle crisis situations on more of an ad hoc basis (thus relying heavily on external support), while larger corporations could handle more of the key functions internally with external support on the project management and regulatory expertise sides.

Companies may form permanent or ad hoc crisis committees (or both), depending on the size of the company and risks inherent in the business. Such committees typically include senior executives or heads of departments, but may in some cases also include less-senior employees with more hands-on experience from different parts of the corporation. Some companies may also appoint independent members (for instance, external legal counsel), while other companies choose to appoint external members to the crisis management team. Crisis committees usually report directly to the board of directors and/or senior management, but tend to have significant autonomy with regards to crisis prevention and response actions.

Composition of Teams

Crisis management teams may consist of heads of departments and members from senior management, as well as less-senior employees within various areas of the corporation, so that immediate response actions may be more easily implemented across the entire corporation in the event of a crisis. In some cases, the company may also choose to appoint an external member – for instance, legal counsel. The relevant crisis situation would often inform the composition of the committee.

Roles and Positions

Within the committee and team, commonly there should always be one resource with project management responsibility, and with a direct reporting line to the steering committee. This can be the chief compliance officer, general counsel or external counsel. The relevant functions and resources as part of the task force would vary. As mentioned, a regulatory breach would commonly involve significant resources from the legal team, while a security breach would commonly involve significant contributions by the security team. The communications team would also typically be involved in the preparedness of any crisis situation.

Frequency

The frequency of meetings may be daily or weekly, with a report to the steering committee weekly or bi-weekly. The type and urgency of the relevant crisis would naturally inform the frequency of the meetings.

Larger corporations might have experienced internal crisis management teams, but it is common to seek external assistance. Naturally, this is because a company will often not see as many crisis situations as an external crisis management specialist advising many different corporations on various types of crises around the world. External counsel can often be helpful in both setting up and managing a crisis situation, depending on the need for resources and the expertise the relevant company has. The more urgent and complex the crisis situation is, the greater the need for external expertise.

In addition, engaging external experts may be particularly relevant in relation to investigations and evaluations in the aftermath of a crisis – for instance, by appointing an independent commission. When selecting such external experts, the criteria typically include expertise and experience with the type of crisis in question – ie, expertise in data privacy in the event of a cyber-attack. An example is the appointment of an independent commission after a fire on the vessel Scandinavian Star, which culminated in a report to the Norwegian Parliament about the cause of the crisis, responsibilities, etc.

Metrics used by companies to assess the success of crisis management efforts typically include (among others):

• response and recovery time;
• effectiveness of communication;
• financial impacts;
• operational continuity;
• employee and customer safety;
• supply chain stability; and
• feedback from stakeholders.

Continuous improvements to crisis management strategies are typically made by conducting post-crisis reviews and receiving feedback from key stakeholders. A “lessons learned” workshop would often be part of a post-crisis review.

Robust monitoring systems and employee training are examples of key elements for identifying a crisis – and its legal implications – faster.

Some crises are identified immediately due to the nature of the breach, such as a cyber-incident blocking access. Other types of crisis situations develop over time – for instance, where the initial indication is an unclear and unsubstantiated whistle-blowing report alleging potential corrupt practices, this may turn out to be part of a larger-scale corruption matter during the course of the investigation. The pace and urgency will therefore depend on the nature of the crisis.

In certain areas (for instance, data breaches or suspicions of money laundering for obliged entities), clear tools and reporting lines will be set up to deal with the identification and reports of such incidents, and such tools will also be subject to authority-led inspections to check compliance.

The types of frameworks and models used for crisis management would very much depend on the company and exposure to crises; see also 3.1 Crisis Management Plans and 3.2 Internal Governance on the contents of a crisis management plan.

Some companies use NS-EN ISO 22361, which is an international standard for strategic crisis management. Certain guidelines have also been published by public authorities in Norway, which may be used as benchmarks for crisis management practices. For example, the Directorate for Civil Protection (DSB) published guidelines for crisis management following the COVID-19 pandemic, as well as a more general guideline for crisis communication. Additionally, some authorities have established guidelines or benchmarks for certain specific crises – for instance, the Data Protection Authority regarding data privacy breaches. Many companies also engage external expertise (eg, legal counsel) to stay updated on best practices within the relevant industry, from those with experience in managing cross-border investigations and crisis management teams.

Companies typically identify and assess potential risks that could lead to a crisis through analysis of risks related to the sector and jurisdiction(s) in which the company operates, as well as other factors relevant to the company’s risk profile (for more on the type of risk assessment often conducted, see 3.1 Crisis Management Plans). Such analysis could include data analysis of past crises, identifying relevant regulatory exposure as well as key risks and vulnerabilities. In some instances, this may also involve engaging with industry organisations, public authorities and other stakeholders. Relevant risk factors for the preparation for a crisis may consist of (inter alia):

• legal and regulatory risks;
• operational risks; and
• financial and reputational risks.

All of these must be taken into account in the risk identification and assessment process.

Preventative measures commonly implemented to mitigate risks may include:

• robust compliance programmes tailored to the relevant risks and exposure; and
• incident response plans to ensure preparedness for various types of crisis situations.

Simulation exercises are used in employee training, and may include (for instance) practical scenarios where there is a risk of corruption that may lead to a crisis for the company, or simulated phishing emails in order to prevent cybersecurity attacks. There may also be sector-specific simulation exercises within certain sectors – for instance, exercises in the oil and gas sector or pandemic response exercises in the health sector.

Most companies (typically larger companies) promote and organise crisis prevention and response training for employees. Such training may consist of information sharing about crisis prevention, as well as response plans and protocols, discussions and simulation exercises (see 4.4 Crisis Simulation). Training sessions should be tailored such that high-risk functions receive more bespoke training than for all employees. Training is usually held by the chief compliance and risk management officers (or similar), and in some cases by external advisers.

Companies usually adopt crisis management plans and procedures (see 3.1 Crisis Management Plans). Some companies also have risk management policies outlining the company’s approach to risk identification, assessment and mitigation, and such policies are sometimes made publicly available. Such policies and procedures are effectively implemented by (inter alia) communication, training and raising of awareness, and integration with daily operations and tools.

The most critical challenge for a company faced with a crisis is that a lot of important actions must be taken immediately, and a company with no prior experience of a crisis would not know how to prioritise each step in such a context. Therefore, having a decent contingency plan or incident response plan would significantly streamline the process in a crisis situation, and would also reduce the risk of actions being taken that adversely affect the company.

Relevant enforcement authorities that companies and management must deal with in relation to potential legal liability include:

• the Police Force (Politiet), responsible for criminal investigations and enforcement;
• the National Authority for Investigation and Prosecution of Economic and Environmental Crime (Økokrim), responsible for criminal investigations and enforcement related to economic and environmental crime;
• the Labour Inspection Authority (Arbeidstilsynet), responsible for labour rights, health and safety;
• the Data Protection Authority (Datatilsynet), responsible for data protection and privacy;
• the Directorate for Civil Protection (DSB), responsible for civil protection and emergency preparedness;
• the Competition Authority (Konkurransetilsynet), responsible for competition law enforcement;
• the Environment Agency (Miljødirektoratet), responsible for environmental laws and regulations;
• the Financial Supervisory Authority (Finanstilsynet), responsible for banking, insurance and other areas of financial market regulations; and
• the Tax Administration (Skatteetaten), responsible for tax matters.

The frequency and nature of co-operation with enforcement authorities and regulators vary based on the purpose of the contact and applicable laws. In some cases, companies are obliged by law to immediately report certain types of crises to responsible authorities – for instance, in the case of a data privacy breach or a suspicious activities report. In other cases, an internal investigation would often be conducted before informing the authorities. 

A litigation risk assessment would normally be conducted by external legal counsel – for example, a thorough evaluation of legal risks and liabilities may be needed in order to assess potential settlement options.

It is common to engage external legal counsel with experience in managing crisis situations. Some companies do have in-house crisis management teams (mainly larger companies).

The criteria used to select external legal counsel usually include relevant expertise and experience within the legal field the crisis relates to, as well as experience with crisis management in general.

The Norwegian Bar Association has issued guidelines on private investigations – these would not directly apply to all types of fact-finding exercises, though the guidelines do provide a good overview of best practices in investigations.

Further, there are procedural requirements for civil disputes or criminal investigations. In civil litigation procedures, companies also have a general duty of truth and disclosure under Section 21-4 of the Dispute Act, as well as certain more specific disclosure obligations under Sections 21-5 and 26-5 of the Dispute Act (although significantly less far-reaching than discovery obligations in the USA, for example). Thus, a company’s lack of gathering and preservation of relevant documentation and evidence may in some cases violate such procedural obligations, despite the absence of any general statutory obligation with regards to evidence preservation. 

Naturally, internal practical procedures for gathering and preserving documentation and evidence vary based on the company and documentation in question. Many entities have comprehensive documentation and reporting systems with detailed logs and records, while others rely to a greater extent on manual information gathering from employees. 

It is possible to enter into settlement arrangements for litigation proceedings which are derived from a crisis situation.

It is fairly common for insurance policies to be adopted by companies to cover potential civil liability. Such insurance policies may cover (inter alia) the liabilities of the company as a legal entity or of the board of directors, or other types of professional liability. Some insurance policies may also be related to specific sectors or risks – for example, insurance related to environmental damage or insurance for cases where the company has been exposed to financial crime. Some insurance covers legal and litigation costs, while some companies also take out a separate insurance covering legal assistance. Insurance companies are, however, prohibited from providing insurance covering criminal liability (Section 7-1 of the Insurance Business Act and Section 2-6 of the Financial Institutions Act).

The impact of a crisis on a company’s reputation may be measured through (for example):

• media analysis;
• stakeholder surveys and feedback;
• market surveys and analysing stock-market drops; and
• revenue and sales impacts.

Common steps taken to rebuild a company’s reputation post-crisis may include:

• transparent communication (eg, public statements);
• promptly implementing crisis response plans;
• policy revisions and auditing;
• rebranding and marketing; and
• corporate social responsibility initiatives.

However, the most important form of reputational management is to ensure that:

• communication is part of the task force in the crisis management team;
• a communications plan is drafted early on to cater to all possible scenarios; and
• there is clear communications management throughout the crisis situation.

Several sector-specific laws and regulations include mandatory reporting requirements related to incidents. One example is data security breaches, as outlined in 5.3 Co-Operating With Enforcement Authorities. Other examples include a duty to report serious workplace incidents to the Labour Inspection Authority under Section 5-2 of the Labour Act, and a duty to report environmental incidents under the Regulation on Notification of Acute Pollution or Risk of Acute Pollution.

The way in which companies ensure timely and accurate reporting to regulatory bodies varies based on:

• effective implementation of crisis management plans;
• adequate training of employees;
• following internal reporting procedures;
• involving external legal counsel; or
• a combination of such measures.

Communication with stakeholders is definitely an important workstream, and is often handled in-house by the communications team or investor relations team. There are also external communications advisers who assist in advising on communications workstreams in crisis situations. Communication triggers may be legal obligations (see 5.3 Co-Operating With Enforcement Authorities), and outside such obligations may be based on specific assessments of (inter alia) the role of the stakeholder and reputational risks. Many companies have a communications director responsible for co-ordinating stakeholder interactions, but communication regarding larger crises also tends to be anchored in the crisis management task force, as further detailed in 5.9 Reputation Management.

It is very important to control access to communication during a crisis. This means that those who should be given all the details (normally the board of directors and senior management, as well as key functions) would be given access to such information, but that other details would be restricted from unnecessary access. If it is a public matter (for instance, due to a dawn raid by authorities), it is often advisable to send a brief holding statement to let the employees know that the company is aware of the situation.

Which person(s) to contact and in which order would normally be included in a dawn raid manual or incident response plan.

Effective strategies for communicating with the public and media may include:

• a clear communication plan;
• having statements anchored in the relevant members of the crisis management team and/or senior management;
• identifying a single point of contact; and
• media training.

The content of the communication is also crucial for the public’s perception of the situation and the company, and providing an immediate, transparent and facts-based response is often beneficial in that regard. Collaborating with different departments of the company (especially those with expertise within the field that the crisis related to), as well as co-ordinating the communication through the head of communication and/or a centralised communication team, are key factors for ensuring consistency and accuracy of the communication.

Relevant challenges faced by companies in their communication work include:

• balancing accuracy and the need for an immediate response;
• co-ordinating between different departments of the company;
• managing misinformation from individuals or other stakeholders; and
• handling intense media pressure.

A clear communication plan, as well as obtaining external expertise when necessary, are possible key factors for handling such challenges.

Communication with investors should typically be based on the same elements as for effective external communication in general (see 6.3 External Communication). Additional workstreams are also often handled by the investor relations team, to maintain investor confidence. In some cases, providing a stock exchange announcement may be required under the Securities Trading Act.

Addressing customer concerns and maintaining trust during a crisis may be done through effective external communication and co-ordination (see 6.1 Co-Ordination of Communications and 6.3 External Communication). Channels used to communicate with customers may include the media, the company’s website and emails. 

See 6.2 Internal Communication regarding communication to employees. Common steps taken to ensure employee morale and productivity may include effective communication as well as offering various types of assistance, specifically if individuals are affected.

Although companies may be subject to notification requirements (see 5.3 Co-Operating With Enforcement Authorities) for certain crises, there are generally no statutory obligations as to which channels should be used for communication with people affected by the crisis. One exception is stock exchange announcements, which must be made through specific channels (see 6.4 Investor Relations). Some public authorities also have established dedicated notification channels in the event of a crisis – for example, the Norwegian Environment Agency.

However, there are generally no obligations to use specific channels to inform the general public about immediate crises for companies not subject to specialised legislation. Nevertheless, previous crises and risks of future crises may be an integral part of more general reporting obligations, and such reports may be required to be published on the company’s website, for instance – an example of this is reports under the Norwegian Transparency Act.

Regarding which communication channels are typically used outside statutory reporting and notification obligations, see 6.1 Co-Ordination of Communications.

It is generally advisable for lessons to be learned following a crisis situation. The participants in such a process would often be the members of the crisis management team; some learned lessons would be confidential, and typically only be available for this team. Other learned lessons may be more generic and therefore used more widely in compliance training. To ensure that relevant learned lessons are integrated into future crisis management strategies, companies may choose to (inter alia):

• amend crisis management plans and policies;
• revise internal governance structures; or
• enhance training of employees.

If there has been neglect due to lack of policies, such a gap would normally be filled following a crisis. Often, however, a compliance issue and a related crisis may be due to bypassing internal routines, and therefore updates of policies and procedures may not always be necessary.

See 3.6 Assessing Crisis Management Success and 4.2 Planning.