Crisis Management 2025

Last Updated March 14, 2025

UK

Law and Practice

Freshfields has a market-leading crisis management practice that excels in advising high-profile clients on high-stakes complex risk issues – from corporate scandals to cyber attacks to environmental disasters – and in navigating the intricate landscape of political and military events, especially in the current volatile geopolitical climate. It covers the full spectrum and timeline of clients’ potential risk exposure and crisis response, from urgent incident response and internal investigations to the co-ordination of long-running dispute management/defence, data review, regulatory engagement and stakeholder strategy. The firm manages complex mandates that straddle multiple areas of law, including civil, regulatory and criminal. No other firm acts on, and has leading expertise in, the same range of crisis and risk management issues, making Freshfields the “go-to firm” for long-standing and new clients alike.

The recent commercial uncertainty in the UK due to shifts in the government and fast-moving geopolitical developments has resulted in a dynamic crisis management environment. The private sector has had to respond under pressure, originally in light of COVID-19, then in response to major state conflicts and currently the frequent changes to international trade, regulation and enforcement approaches. The fact that uncertainty has become “business as usual” has resulted in businesses coupling crisis management with crisis preparedness, dealing with immediate issues as they arise but also looking in the longer term at securing operational resilience in uncertain times. The focus of organisations is increasingly on prevention, as much as remediation following a crisis.

Given the significant impact that crises can have on the performance of businesses and on their stakeholders, senior management has been under pressure to lead the way in ensuring they can manage risks to business continuity effectively. This is partly evident from the UK Corporate Governance Code placing greater emphasis on the importance of boards managing material business risk, including by extending the disclosure requirements in respect of these issues in annual reports.

The existing public laws governing the response of public agencies to a crisis are primarily contained in the Civil Contingencies Act, which provides a single framework for civil protection in the UK, setting out how the public sector should respond to a crisis. The legislation includes provisions giving the government broad discretion to introduce temporary special legislation under emergency powers. This could be used to require private companies to comply with necessary risk-mitigation steps to address a crisis.

The pandemic resulted in both the private and public sectors assessing existing crisis management frameworks. As a result, the government overhauled its resilience and emergency response structures to establish a new unit, the Resilience Directorate, to work closely alongside the Cabinet Office Briefing Rooms Unit (COBR), to improve the response of the public sector to a crisis. In light of this, the previous government published a series of strategies, including the Net Zero Strategy, the National Cyber Strategy and the British Energy Security Strategy, followed by the Resilience Framework in 2022.

Looking ahead to future developments, the legal structure governing crisis management is expected to continue to progress in light of lessons from high-profile cybersecurity and data breach incidents, as well as the COVID-19 pandemic. There have been several reports and proposals published recently, which have advised the government on how it should shape future crisis management regulatory and legal requirements; these include the reports by the National Infrastructure Commission and the COVID-19 Public Inquiry. The government has indicated that it will respond to proposals by publishing its Resilience Strategy in late 2025.

Regulators are also updating and publishing requirements and guidance on resilience frameworks targeted at the private sector. By way of example, in September 2024, Ofcom (the communications regulator) published guidance for communications providers on resilience-related security duties under the Communications Act 2003. The guidance provides suggested examples of best practice on the architecture, design and operational models that underpin resilient telecommunications networks and services. It is intended to be used as a reference in information gathering and the monitoring of network and service resilience when engaging with communications providers and the wider industry, and as a starting point for illustrating compliance as part of any enforcement activities.

An issue arising from crisis management that is likely to become progressively relevant is managing misconduct risk during a crisis, or a crisis arising from misconduct. Two pivotal reforms under the Economic Crime and Transparency Act 2023 (the Act) have driven this issue to the top of the lists of potential risks. As a result, businesses are overhauling their systems and controls to manage misconduct risk.

  • First, the announcement of a new Failure to Prevent Fraud (FTPF) offence that will come into force on 1 September 2025. To address the threat of fraud enabled by or on behalf of businesses, the FTPF offence will hold “large organisations” to account where associated persons commit a fraud offence intending to benefit (whether directly or indirectly) the organisation, any subsidiary and/or the organisation’s client. It is a strict liability offence but there is a defence to show that there were reasonable prevention procedures in place to prevent fraud, or that it was not reasonable in the circumstances to have such procedures. Given the importance of prevention procedures to provide a defence, including in an emergency, organisations are now updating their fraud prevention strategies to ensure adequate safeguards exist to tackle fraud.
  • Secondly, the Act has extended the attribution doctrine to allow corporations to be held liable for the conduct of senior managers in a wider range of circumstances. Consequently, corporations are more closely examining the corporate crime risks posed by the actions of senior management, especially during a crisis.

The publication of further guidance, the work of the government units and the responses to recent reform proposals will likely bring the issue of crisis management to the forefront of the agendas of public and private bodies. The practical experience gained in the forthcoming years is expected to provide greater clarity on the likely direction of travel of the legal landscape governing crisis management – is it proving fit for purpose, or will the government favour more robust regulation?

The government annually reviews serious risks facing the UK, to develop its National Risk Register report. The most recent reviews have concluded there are nine overarching areas of risk, which include cyber, natural and environmental hazards, and societal risks. These areas are expected to be at the heart of anticipated proposals to address crisis management in the future, and there will be prescriptive requirements for addressing crisis management in key sectors providing essential public services.

Several disruptive IT incidents in the financial sector have led to a raft of requirements aimed at improving technological and operational resilience within the sector. The Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) have developed requirements on how financial services firms can improve operational resilience and protect the wider sector from disruption. Under the rules, firms are required to:

  • carry out regular mapping and testing;
  • identify important business services;
  • set impact tolerances for maximum tolerable disruption; and
  • continually review response and recovery plans.

There are also strict requirements that apply to many firms that outsource critical functions, including agreeing contractual frameworks with Critical Third Parties (CTP), and preparing business continuity plans in the case of disruption and exit plans where necessary to remove a CTP to ensure an adequate crisis response. The requirement for mandatory contractual arrangements with CTPs has had a knock-on effect for the communications and technology sectors, which have been required to implement the measures indirectly via pressure from financial institutions to agree to the new conditions. The FCA is also consulting on proposals for new incident and third-party reporting and contractual requirements for firms.

There may also be greater regulation of other entities outside the traditional financial services sector by the FCA. The regulator has recently announced plans to address operational resilience and systemic risk issues of crypto-assets by bringing these types of financial arrangements into its regulatory perimeter. This means that operational resilience requirements will apply directly to further companies.

A crisis arising from the supply of dangerous products will likely engage companies that manufacture, supply and offer any affected products. Many of the regulations in this area arise from EU law and post-Brexit measures, and the newly formed Office for Product Safety and Standards (OPSS) has started to develop policies and introduce new laws governing how companies supply and offer products safely. Steps taken by the OPSS include the publication of its Incident Management Plan, which addresses identifying and managing product safety risks and learning lessons from incidents. This guidance has continued to be updated since publication, with last year’s updates covering how incidents ought to be escalated and guidance on command and control arrangements. The OPSS is also working closely with the Competition and Markets Authority (CMA) to overhaul consumer safety laws, with the product safety regulations currently passing through parliament set to prompt dramatic changes to the product safety landscape.

As noted above, several regulators and government departments have also issued soft guidance.

A crisis (including geo-political uncertainty) can present opportunities for M&A activity, such as where businesses suffer temporary share price reduction, or where fluctuations in currency exchanges make international businesses good value. For example, following the global financial crisis, there was a wholesale restructuring of the ownership of UK banks arising from the merging of some of the most distressed banks into the most established players. Similarly, the UK retail sector underwent a significant restructuring during and following the COVID-19 pandemic as weaker high-street retailers were acquired by opportunistic competitors looking to profit from the crisis.

There can also be consequences for transactions at the time of a disruption. Issues related to purchasers exiting the transaction during a crisis can raise complex issues around the extent to which a purchaser is obliged to complete a transaction when the seller and/or the acquired asset is subject to a crisis situation and/or there is an external crisis affecting the transaction. This can trigger litigation on the rights and duties of purchasers and the potential application of relevant contractual rights such as Material Adverse Effect (MAE) clauses.

By way of example, in 2020, WEX Inc. entered into a share purchase agreement to acquire eNett International (Jersey) Limited (eNett) and Optal Limited (Optal), two business-to-business (B2B) payments technology providers, which derived the vast majority of profits from providing B2B services to customers who operated in the travel industry. As a result of the COVID-19 pandemic and its extraordinary impact on travel, WEX declared an MAE and there then followed landmark litigation proceedings – commenced by the sellers of eNett and Optal – which raised questions concerning the proper interpretation of the MAE clause. Ultimately, the case was settled, with WEX securing the purchase for USD1.1 billion less than the original price.

The legal overlay to any crisis tends to be one that invokes existing regulatory requirements designed to respond to operational and business disruption, as opposed to legislation that specifically addresses a crisis situation. The main risk for businesses amidst a crisis is the potential to fall foul of those requirements when battling to contain and resolve an emergency situation.

However, there are specific regulations that will be relevant, depending on the type of crisis. For example, in the data and cyber space, there are currently strict requirements for ensuring data protection, particularly in response to a crisis where the security of data may be compromised. The UK’s Information Commissioner’s Office (ICO) has led the way in acting both independently and jointly with other regulators to take enforcement action in response to data security breaches occurring during a crisis. This has resulted in fines of more than GBP15 million against leading corporations, such as airlines and hotel providers, for failing to have adequate security measures in place to ensure personal data security. There are also regulatory requirements applicable to the regulated sectors; for example, financial services firms are subject to wide-ranging requirements on responding to operational disruption associated with a crisis.

One notable development is the FTPF offence (see 1.1 Market Comparison), which will come into force on 1 September 2025 and will result in widespread mandatory requirements to ensure the risk of fraud is addressed (including in a crisis scenario).

On 6 November 2024, the UK government published final guidance on what constitutes reasonable prevention procedures (the “FTPF Guidance”); organisations can seek to base a defence to the FTPF offence on this guidance. The FTPF Guidance explains that fraud risks may increase during emergencies, and warns that failing to undertake any risk assessment for emergencies may mean that the organisation is not considered to have “reasonable fraud prevention measures” in place. As such, it is important for companies to identify steps that may need to be taken in risk assessments, including identifying the way to transition smoothly from emergency measures to business-as-usual once the emergency has passed.

Given the importance of the financial services sector, it is no surprise that UK Finance was the first body to publish sector-specific guidance on the FTPF offence. In addition to UK Finance’s guidance on FTPF, further sector-specific guidance is anticipated in forthcoming years.

COBR co-ordinates government departments in response to matters of major disruption or national emergency. The composition of the committee will depend on the nature of the emergency in question. In 2022, the UK government introduced a Resilience Framework (the Framework) in the wake of the pandemic. The Framework is led by the Resilience Directorate in the Cabinet Office and aims to build structures across government that can:

  • create a shared understanding of the risks;
  • develop contingency plans; and
  • run exercises to ensure central government departments are prepared for possible crisis situations.

The Framework confirms an intention to draw upon expertise and data within the private sector in return for providing better guidance and information on resilience and risks. This may lead to legal reforms to provide for greater data and information sharing between the private and public sector to improve responses to crisis situations.

The entities responsible for oversight of crisis management primarily exist within the public sector, but trade and industry bodies have made recommendations on how particular sectors can improve their crisis management plans in the form of guidance. For example, the International Organization for Standardization has published Security and resilience – Crisis management – Guidelines (ISO 22361:2022) and UK Finance has published guidance on incident response plans, called “Incident Management – Cyber Incident Response – Is Your Firm Ready?”.

Businesses are under increasing scrutiny from stakeholders to report on risks to business continuity and the steps that are being taken to address potential threats. As noted in 1.1 Market Comparison, the Financial Reporting Council’s UK Corporate Governance Code requires businesses to report on the effectiveness of controls to address material risks, and now requires boards to make a declaration in relation to the effectiveness of their material internal controls. A new Principle has also been included to encourage companies to report on outcomes and activities in these areas.

Organisations that are subject to direct regulatory oversight, typically by a specific agency (such as the regulated communications, financial services and energy sectors), are subject to strict reporting requirements in different types of emergencies. For example, in the financial services sector, under Principle 11 of the FCA’s Principles for Businesses, firms are required to co-operate with and report on any material operational incidents to the FCA. There are also wide-ranging notification requirements in relation to data breaches that can occur during a crisis, which apply across the private sector. Organisations may also need to notify individuals affected by an incident to limit potential further damage and/or offer remediation, and listed companies affected by a crisis will always have to consider their disclosure obligations if the issue has the potential to affect investors.

Regulated organisations may be subject to mandatory requirements relating to crisis incidents, depending on the nature of a crisis. The particular regulatory agency for the sector will monitor and evaluate compliance with requirements and initiate investigations and/or enforcement action where necessary to address potential shortcomings. For example, the FCA oversaw the crisis management response of a major retail bank to a crisis arising from widespread disruption during a planned IT migration. The regulator subsequently initiated enforcement action against the bank for breaches of financial services regulations arising from the mismanagement of the crisis. The Water Services Regulator, Ofwat, has also imposed major fines against water suppliers for breaching regulations governing the safe supply of water.

Co-operation frameworks may emerge from the Resilience Strategy that the government has indicated it will announce later in 2025. In the regulated sector, there are pre-existing frameworks in place for information sharing. For example, in the financial services sector, there are mandatory registration and reporting requirements applicable to all regulated firms. The PRA uses this information to build a picture of risk areas and in turn shape regulatory policy and publish useful information for financial services firms.

See 2.3 Government Role regarding the UK government's Resilience Framework.

COBR will oversee the co-ordination of efforts during a public crisis, with the support of the Resilience Directorate and in line with the Resilience Framework, which has been developed with input from various public agencies. For example, members of the Cyber Security Information Sharing Partnership, which has now been subsumed into the National Cyber Security Centre (NCSC), share information relating to incidents, threats and vulnerabilities to promote best practice, as well as offering guidance on managing cyber threats. There has been an expansion in the extent to which authorities are sharing information (both domestically and internationally) as part of investigations arising from a crisis, with there being examples of co-ordination between the ICO, FCA and PRA, between HMRC and the National Crime Agency (NCA), and between the Serious Fraud Office (SFO) and the US Department of Justice.

The structure of companies’ crisis management plans and strategy will depend on the particular organisation and the challenges it faces. There are, nonetheless, accepted common approaches.

The widely utilised “three lines of defence” risk governance model, which splits responsibility for operational risk management across three functions, can provide a useful structure for crisis management strategy. Individuals in the first line own and manage risk directly. The second line oversees the first line, setting policies and defining risk tolerances, and ensuring they are met. The third line is internal audit, which provides independent assurance over the first two lines.

There have also been examples of a “four lines of defence” model, which incorporates the additional use of external oversight as a feedback mechanism. In this respect, plans can be further improved via engagement with regulators and external advisers, including auditors and lawyers.

Irrespective of whether or not it may wish to have the support of an external party, it is prudent for an organisation to follow these steps, amongst others, when developing its strategy and plans:

  • seek internal feedback from staff members;
  • examine any relevant whistle-blowing cases and the subsequent action taken;
  • assess the effectiveness of pre-existing risk prevention procedures;
  • conduct formalised periodic review, with documented findings;
  • collaborate, where useful, with other organisations, such as trade bodies or other organisations facing similar risks;
  • follow advice from professional organisations (for example, accountancy or legal bodies) where appropriate; and
  • consider any relevant enforcement examples in the sector and Deferred Prosecution Agreements (DPAs).

This is not an exhaustive list, and it is expected that organisations will choose the approach most suited to their needs. Organisations may change their review process in light of developments. For example, an organisation may need to take a more formalised and detailed approach to reviewing its crisis management procedures following an incident within the organisation or other entities operating within the same sector.

The FTPF Guidance sets out six general principles for organisations to bear in mind when developing fraud risk prevention procedures, alongside illustrative case studies, which can be useful to assess current government expectations when exploring crisis management plans more generally. The framework mirrors the well-established UK Bribery Act Guidance and Failure to Prevent the Facilitation of Tax Evasion Guidance, which have been in force for several years. These principles can accordingly provide a useful methodology for addressing the risk of a crisis.

The principles are as follows.

  • Top-level commitment: senior level engagement is essential, and this includes communicating and endorsing the company’s risk prevention measures, committing resources to crisis management, and leading by example in fostering an open culture that empowers staff to speak up to identify relevant risks to business stability.
  • Risk assessment: organisations should conduct regular risk assessments to address problem areas and implement remedial and prevention measures.
  • Robust but proportionate risk-based prevention procedures: measures should be introduced and adapted that aim to reduce the risk of a crisis. Most companies should be able to build on existing processes, but additional measures may be required, depending on the outcome of the risk assessment exercise and existing safeguards.
  • Due diligence: due diligence on third parties who provide essential services is an important element of prevention, as is appropriate due diligence in the M&A context to ensure newly acquired business units are also compliant with company policies.
  • Communication (including training): training can help employees understand the steps to respond to a crisis, with communications to reinforce why this is important. The FTPF Guidance emphasises the need to ensure training is monitored for effectiveness and kept updated, and that training includes references to the company’s whistle-blowing policies and procedures.
  • Monitoring and review: effective review comprises detection, investigation and ongoing review/monitoring. An important part of this process is learning from experiences of previous incidents.

For cyber incidents, the NCSC has designed a Cyber Assessment Framework, by which companies can manage cyber risks voluntarily and which provides a useful way to prepare for cybersecurity breaches.

Prior to a crisis, it is helpful for organisations to identify specific personnel with adequate technical knowledge of operations, who can form a crisis committee. The committee should include members of business departments such as legal, public relations, IT and compliance. Each member of the team should be assigned a specific area to oversee as part of the crisis response, and there should be a protocol for agreeing measures designed to allow the team to work effectively.

It can also be useful to have specific teams for particular crisis situations and to include external experts where necessary. The crisis management team(s)/committee(s) will have a pivotal role in risk assessment exercises and in adapting prevention procedures to prepare for crisis situations. They should meet regularly, with the frequency of meetings depending on several factors, with quarterly engagement generally required as a minimum.

When a crisis does occur, organisations should ensure that the crisis management team is brought together quickly. Whilst organisations can identify the individuals who should form part of the crisis team, it is important to remain flexible and tailor crisis management team members to the relevant risks faced.

Crisis committees should be formed from an early stage of crisis preparation and include relevant internal and external personnel who will analyse the situation and determine the company’s strategic response. Best practice dictates that the committee should meet regularly and engage prior to a crisis developing to check and fine-tune crisis management plans and procedures. Test run exercises to check on the performance of a plan before it is required in earnest are also worthwhile. The policies of the committee should be communicated regularly to internal and external stakeholders.

It is important for senior management to ensure adequate measures are in place to respond to a crisis, particularly within the regulated sector. As a result, some members of senior management should be part of the crisis management committees, although the extent of involvement will depend on the situation. Generally, all members of senior management should support the work of the crisis committees/teams and give the members the independence to make recommendations that are embedded into the business with adequate resource support. Nonetheless, they should also understand and scrutinise the work of crisis committees/teams and, where necessary, intervene with suggestions for improvement, acting as a check on the feasibility of plans and procedures.

See 3.2 Internal Governance and 3.3 Crisis Committees: Composition and Attributes.

Crisis teams can be created to have more first-hand involvement in crisis management beneath the governance structure of a crisis committee. Internal stakeholders that form part of a crisis management team can include board and leadership teams, IT and cybersecurity, legal, forensics, investor relations, insurance, public relations, and counterparty relationship holders. Organisations may also seek to include external advisers such as legal advisers, forensic experts and other specialists, depending on the nature of the crisis.

It is vital that the team comprises some members of senior management. They should assess plans for identifying and preventing a crisis (and record such discussions) and implement any necessary changes to systems and controls in advance of a crisis. Senior personnel should also:

  • communicate and endorse the organisation’s crisis prevention stance;
  • implement clear governance structures for crisis response;
  • commit to training and adequate resourcing; and
  • foster an open culture that encourages staff to identify and prepare effectively for crisis situations.

Best practice supports the use of external advisers to prepare for and respond to a crisis where the scale and potential impact of the situation so warrants. When assessing appropriate advisers to consult, organisations should consider several factors, including:

  • whether the adviser has adequate expertise and experience of the subject matter of the issue that has arisen and of any relevant regulators or prosecutors;
  • the scope and nature of the adviser’s engagement;
  • the capacity of the team that the adviser can field to keep up with the demands of the crisis;
  • who in the company will be the adviser's primary contact and provide oversight;
  • what information the adviser may need; and
  • whether there are any confidentiality and privilege concerns.

Privilege is especially challenging to tackle, and merits the support of expert legal advisers. The pressure of a crisis can frequently lead to less attention being given in the moment to managing privilege, with the loss of the important confidentiality rights as a result. The preparation and ready application of strict protocols for managing privileged communications and documents should be part of crisis management plans, to help reduce risks in this area.

Organisations should not assume that the absence of a crisis illustrates the effectiveness of procedures. Best practice merits vigorously assessing whether pre-existing procedures are adequate and drawing on learnings from internal incidents, whistle-blower reports and incidents within the same sector, as well as wider societal and geopolitical developments. Crisis simulation exercises can be used to assess the robustness of procedures. When a crisis does occur, it is vital that organisations conduct a review into the causes and handling of the incident to learn how to improve existing plans and procedures.

Companies should immediately assess the risks arising from a crisis, including any potential liability that may arise, as well as identifying any steps that can be taken to mitigate the consequences of the incident. Whilst time is of the essence, companies should take care to ensure that actions follow a consistent and well-considered approach, which will be enabled by advance crisis scenario planning. The first 24–48 hours following a crisis can be critical for a business: this is when the business sets the tone of its response, manages relationships with authorities and stakeholders, and prepares for the investigations and potential litigation that may follow.

The steps that must be taken in the critical aftermath period will be unique to the relevant crisis, but the main considerations will include:

  • bringing together the crisis management team to assess the immediate steps to follow;
  • identifying the extent of the crisis using any mapped information obtained as part of crisis preparation plans and using the support of specialist forensic experts where necessary;
  • making considered and consistent communications to the main stakeholders via agreed channels;
  • notifying and co-ordinating with the relevant regulatory agencies;
  • implementing agreed amelioration measures, including security controls; and
  • engaging specialist advisers to assess difficult issues, including legal and public relations matters.

During the course of the crisis, the company should continue to review and address risks that are arising. Engaging forensic experts can allow the use of specialist tools to identify and respond to a crisis – for example, cybersecurity experts can help respond to ransomware attacks. Public relations firms can also be employed to provide independent oversight of communications, albeit ideally with legal input to ensure relevant legal risks are also ameliorated. Lawyers can assess the follow-on regulatory and litigation exposure, and determine ways to manage privilege and ensure the correct operation of the contractual environment governing the business’s ongoing operations, despite the extreme circumstances it is encountering.

See 3.1 Crisis Management Plan.

Businesses should assess the nature and extent of exposure to the crisis risk both internally and externally. This will be an important initial step in the process of preparing for a crisis, and organisations ought to ensure their risk assessment is dynamic, documented and reviewed, and that it covers a wide range of emergency situations. It may be helpful to classify each risk into two components of likelihood and impact, and to provide a description of why a classification has been chosen under each of these headings.

Areas of potential exposure to crisis should face close scrutiny, including:

  • cybersecurity;
  • data breaches;
  • fraudulent activity, including in public statements (especially those that might influence investors or customers), representations to counterparties (eg, in a trading context), and where an organisation has obligations to disclose (eg, to auditors or a regulated market);
  • misconduct by employees or agents that could create criminal or regulatory liability for the company, such as bribery and corruption;
  • negative environmental impacts or human rights-related concerns in the supply chain;
  • exposure to major incidents; and
  • potential consumer or product-related crises.

Once the mapping and metrics of risk are identified, the next step is to assess prevention procedures. It is likely that a wide spectrum of risks will be identified during the course of an organisation’s risk assessment, and each should be targeted in a reasonable and proportionate manner: the highest-risk areas require the most rigorous oversight and immediate attention, followed by areas of lesser concern, but every risk merits some consideration, even if only to conclude that prevention measures are not appropriate for a particular reason. Organisations might wish to focus initially on a limited selection of test scenarios to assess how they can tackle critical incidents, which can then be systematically applied across the business and/or to other types of emergency situations.

There will also need to be clear training and communication to equip colleagues and third parties with the knowledge to respond to a crisis.

Ideally, organisations should ensure that simulation exercises are embedded within crisis management plans. By way of example, the National Protective Security Authority has published two crisis simulation scenarios for a fictional private sector tech company relating to sabotage and unauthorised disclosure. In the financial services sector, there have been centrally organised crisis simulation exercises conducted by the FCA, the PRA and other agencies as part of the Cross Market Operational Resilience Group, established in 2015. In October 2024, the Bank of England undertook a market-wide simulation exercise, known as SIMEX24, in collaboration with UK Finance, HM Treasury, the FCA and the wider financial sector. The exercise assessed the financial sector’s response to a major infrastructure failure that would require a total shutdown and restart of the sector.

Such steps can be useful illustrations of attempts by an organisation to ensure effective risk prevention and response procedures in the aftermath of a crisis, particularly if there are subsequent regulatory investigations and/or enforcement action. Recent years have seen an uptick in dawn raids as part of regulatory investigations, which can add to or trigger a crisis. To prepare, in-house counsel and external dawn raid advisers need to know the rights of the company and individuals, and need to be aware of the precise data/document collection powers of each authority and appreciate what the limits are, especially when it comes to accessing personal data. Now is the time for companies to ensure that their dawn raid training and guidelines are fit for purpose as part of crisis management.

A further part of crisis management is the regular updating of relevant personnel and related parties. As policies and procedures are amended, these should also be communicated, embedded and understood through internal and external communications. This will likely require training (proportionate to the risk to which the organisation assesses that it is exposed) and carefully considered communications.

Companies should promote and organise tailored training for employees that is proportionate to the crisis risks faced and aligned with any crisis management plan. Training should cover any new or updated crisis risks identified and the procedures put in place to manage these risks. As crisis risks develop over time, training should be reviewed and updated accordingly. Tailored training can be overseen by in-house legal teams and/or external legal advisers or specialists. Organisations may also wish to assess the training protocols of external suppliers that provide critical services to the organisation, to ensure fitness for purpose and to integrate with the business’s own plans.

There are useful existing frameworks for developing risk prevention procedures (see 3.1 Crisis Management Plans).

There is a wide spectrum of legal risks arising from a crisis, and the relevant challenges will be dictated by the particular incident. Fundamentally, businesses need to be able to continue to operate as normally as possible, while identifying and controlling the threats that a crisis spins off. Typically, incidents involve the assessment of risks related to confidentiality and privilege, related litigation, reporting requirements, internal and external investigations and potential enforcement action. A crisis can often extend across borders, thereby requiring engagement with colleagues, enforcement agencies and/or advisers from other jurisdictions on legal issues. These legal risks cannot be assessed in a vacuum, and commercial and reputational risks that may arise must also be taken into account.

Senior managers and directors may face potential personal liability for actions or omissions in response to incidents. As such, generally, top-level (and, increasingly importantly, middle) management should be committed to improving crisis management plans, with a view to preventing and reducing the risks related to a crisis. The level and nature of the involvement of senior management will vary depending on the size and structure of an organisation, but their role is likely to include:

  • communication and endorsement of the organisation’s stance on crisis management;
  • ensuring there is a clear governance hierarchy;
  • involvement in the development and review of prevention procedures;
  • discussion and understanding of relevant policies and their implementation at board or senior executive level;
  • the endorsement of codes of practice and policies to address crisis management;
  • critically reviewing plans and any incidents to address gaps in existing safeguards; and
  • fostering a “speak up” culture.

The relevant enforcement agency that may intervene will depend on the particular sector, the nature of the incident and the jurisdictions engaged as part of a crisis. For example, where criminal misconduct arises, the SFO and the Crown Prosecution Service (CPS) may be involved; data breaches typically see the intervention of the ICO; and incidents in the financial services sector will likely involve investigation by the FCA or the PRA. The SFO has continued its practice of entering into DPAs where serious misconduct has taken place and pursuing successful prosecutions over the last five years, securing a total of GBP1.7 billion in fines, penalties and awarded costs from DPAs alone. Since the first DPA in 2015, the SFO has secured 11 additional DPAs; however, arguably more notably, the CPS followed suit and agreed its first DPA in 2023.

The CMA may intervene where there are anti-competitive practices in a crisis situation. The agency clarified its approach to enforcement action in emergency situations following the pandemic to explain that it will balance business co-operation and the adverse impact caused to consumers when assessing whether actions taken to address an emergency were reasonable. It also clarified that co-ordination between businesses that is solely in response to the crisis may not result in enforcement action being taken, unless there is clear detriment to consumers.

Enforcement agencies are increasingly working together to tackle incidents such as cybersecurity breaches and economic crime, which has resulted in memoranda of understanding between different public bodies. These collaboration exercises have resulted in information-sharing arrangements, which may lead to further knock-on investigations by other domestic or international agencies that have an interest in the incident.

Enforcement authorities are paying increasing attention to whether companies are self-reporting wrongdoing voluntarily and in a timely manner. It is also increasingly important for companies to co-operate when subject to an investigation and/or enforcement action. In many cases, the traditional adversarial nature of enforcement action is being replaced with one of co-operation, to reach a mutually acceptable compromise for both sides. The US has led in delineating clear standards on how companies can co-operate with enforcement agencies and the amelioration of potential penalties that can be offered in response. This approach is also reflected in other jurisdictions, including the UK.

DPAs are the new normal for companies that co-operate with the SFO. The agency can enter into a DPA with even the most serious corporate offenders, so long as they co-operate in an investigation. Companies that co-operate can receive up to a 50% reduction in a penalty, whilst those who do not co-operate receive the most punitive sanction available under the Sentencing Council’s Guidelines if they are convicted after trial. Most of the 12 UK DPAs published to date illustrate this range of reduction. For example, in the Rolls-Royce case, the SFO offered, and the court approved, a DPA with a one-third discount, which is the equivalent of what is usually available for an early guilty plea plus an additional 16.7% discount in recognition of Rolls-Royce’s “extraordinary co-operation” (SFO v Rolls-Royce (Case No U20170036) [2017] Lloyd’s Rep FC 249, para 19).

A DPA can sometimes entail the waiver of privilege and confidentiality over business-sensitive information, but the extensive reduction in penalties and the avoidance of reputational damage from a trial are sometimes seen as a worthwhile trade-off. Since 2020, all DPAs entered into by the SFO have received significant discounts on penalties of at least 40%, based on accepting liability and providing sufficient co-operation.

The SFO is currently updating its Corporate Co-operation Guidance, which encourages companies to enter into dialogue with the agency and provide full transparency with a view to achieving a DPA. It builds on the extensive list of “indicators of good practice” contained in the 2019 version of the Guidance, which the SFO may take into account when assessing whether a company is genuinely co-operative. The kinds of behaviour in question are varied and include:

  • providing material to the SFO in a useful, structured way;
  • assisting in identifying material that might reasonably be considered capable of assisting any accused or potential accused or undermining the case of the prosecution;
  • creating and maintaining an audit trail of the acquisition and handling of hard copy and physical material, and identifying a person to provide a witness statement covering continuity;
  • providing records that show relevant money flows;
  • identifying potential witnesses, including third parties; and
  • making employees and (where possible) agents available for SFO interviews, including arranging for them to return to the UK if necessary.

The list is neither exhaustive nor prescriptive; the SFO acknowledges that each case will be different, and a co-operating company will not necessarily display all of the enumerated behaviours nor achieve a particular outcome even if it does. Based on the Guidance, the main hallmarks indicating co-operation are likely to include:

  • preserving and producing data in a forensically sound manner;
  • providing information to the SFO in a useful, structured way;
  • briefing the SFO on the relevant background, including on the industry, the facts at issue, other actors in the market and other potentially interested authorities;
  • taking care to protect the reliability of witness accounts;
  • not asserting privilege “lightly” – this is an especially important issue that businesses have to manage carefully, as the language of the Guidance is particularly strong on this point, signalling that the SFO is continuing its robust stance and willingness to test claims of privilege over internal investigation materials; and
  • providing the SFO with witness accounts and related materials – if doing so involves the waiver of privilege, that will also be an indicator of co-operation.

The draft revisions to the Guidance are currently subject to review, with final updated Guidance expected later in 2025.

Although the SFO has led the way in providing clarity on the meaning and outcome of co-operating with enforcement agencies, there are numerous other agencies in the UK with which a company may need to co-operate, depending on the sector in which they operate and the issues at hand, and these agencies all typically have informal or formal means to co-operate to achieve a reduction in penalties. These agencies include HMRC, the FCA, the CMA, the NCA, the CPS, the ICO and more. The level and type of co-operation expected from each of these agencies is not standardised. While it is likely that similar principles will apply, if a company finds itself dealing with a new government agency, identifying those with direct experience of the expectations and real-life practice of that agency will be essential.

There has been some clarification on the potential approach of the courts when considering co-operation with these authorities, with a recent criminal fine imposed on a leading retail bank for anti-money laundering (AML) failings being reduced due to the bank self-reporting and co-operating. Nonetheless, the reduction was not as significant as could have been achieved if the prosecuting authority, the FCA, had not needed to obtain certain information by compulsion.

Companies should assess the potential for claims by stakeholders and third parties at an early stage. There are risks of mass claims where large classes of individuals and/or businesses are affected during a crisis. Listed companies are particularly susceptible to such claims from shareholder and investor groups bringing class actions under specific provisions of the Financial Services and Markets Act 2000. Non-governmental organisations (NGOs) and individual claimants are also increasingly relying on derivative actions and company legislation to establish liability for failure to comply with regulatory obligations. For example, the climate crisis has resulted in several claims being brought in English courts, such as ClientEarth’s application to bring a derivative action against directors of Shell Plc for failure to address climate change risks; however, these claims have been unsuccessful to date.

If any litigation risk arises, organisations should consider a wide range of factors in consultation with legal advisers, including any stay of proceedings pending regulatory investigations, settlement offers and remedial measures, the application of privilege, the preservation of potential evidence and third-party contribution claims.

Legal teams should be involved from the outset of pre-crisis planning to implement measures that minimise risks and provide an independent perspective on crisis planning and response. Where an incident is international in nature, a lead counsel team of one firm and/or in one jurisdiction may co-ordinate all legal teams to avoid potentially conflicting approaches, especially in relation to communications with regulators, confidentiality, privilege and litigation risks (see 3.5 External Advisory regarding privilege).

Pre-crisis risk assessments should consist of mapping the location and storage architecture of critical information that may need to be preserved during a crisis, as well as identifying risks to the preservation of information. Risk prevention measures should in turn facilitate the security of data, which can be achieved by consulting with legal counsel and data/cybersecurity experts. The required steps may include:

  • implementing security safeguards to preserve data;
  • contacting individuals that control data with appropriate document preservation warnings;
  • ensuring a central log of communications and documentation related to the crisis is immediately captured and continually updated; and
  • providing guidance on appropriate document creation and communications during the crisis.
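The preservation steps above can be supported by a small tool. The following Python example is added here for illustration and is not code from the guide or from Freshfields. It assumes a local directory of exported records (the file names and contents are constructed sample values) and a constructed crisis identifier. It builds a SHA-256 manifest of the preserved material so that later alteration or loss can be detected, and keeps the central crisis log as an append-only hash chain so that any after-the-fact edit to an entry is detectable; both support the kind of forensically sound preservation and audit trail that the SFO’s co-operation hallmarks refer to.

```python
"""Crisis-record preservation: a SHA-256 manifest of preserved files plus an
append-only, hash-chained central log of crisis actions and communications.

Illustrative example added to this page; not part of the original guide.
File names, log entries, actors and the crisis identifier are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Hash a file in chunks so large exports are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Record relative path, size and SHA-256 for every file under `root`, in stable order."""
    entries = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            entries.append({"path": os.path.relpath(full, root),
                            "size": os.path.getsize(full),
                            "sha256": sha256_file(full)})
    entries.sort(key=lambda e: e["path"])
    return {"root": os.path.abspath(root), "entries": entries}


def verify_manifest(root, manifest):
    """Return the relative paths whose content is missing or no longer matches the manifest."""
    bad = []
    for e in manifest["entries"]:
        full = os.path.join(root, e["path"])
        if not os.path.isfile(full) or sha256_file(full) != e["sha256"]:
            bad.append(e["path"])
    return bad


class CrisisLog:
    """Append-only log: each entry commits to the previous entry's hash (a hash chain)."""
    GENESIS = "0" * 64  # previous-hash value for the first entry

    def __init__(self, crisis_id):
        self.crisis_id = crisis_id
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Canonical JSON of every field except the hash itself, so digests are reproducible.
        canon = json.dumps({k: v for k, v in entry.items() if k != "hash"},
                           sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canon.encode("utf-8")).hexdigest()

    def append(self, actor, action, detail, when=None):
        """Append one entry; `when` defaults to the current UTC time."""
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "crisis_id": self.crisis_id, "time": when,
                 "actor": actor, "action": action, "detail": detail, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return the index of the first entry that breaks the chain, or -1 if intact."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        return -1


def demo():
    """Run the preservation flow on constructed sample files and show tamper detection."""
    with tempfile.TemporaryDirectory() as root:  # constructed stand-in for an export directory
        for name, text in [("board_minutes.txt", "constructed sample minutes\n"),
                           ("it_ticket_log.csv", "id,opened\n1,2025-01-01\n")]:
            with open(os.path.join(root, name), "w", encoding="utf-8") as f:
                f.write(text)
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)  # expected: nothing changed yet
        with open(os.path.join(root, "board_minutes.txt"), "a", encoding="utf-8") as f:
            f.write("late edit after the preservation notice\n")
        changed = verify_manifest(root, manifest)

    log = CrisisLog("CRISIS-SAMPLE-001")  # constructed identifier
    log.append("legal", "preservation_notice", "hold notice sent to finance and IT",
               when="2025-01-01T09:00:00+00:00")
    log.append("it_forensics", "export_hashed", "mailbox export recorded in manifest",
               when="2025-01-01T11:30:00+00:00")
    intact = log.verify()
    log.entries[0]["detail"] = "edited after the fact"  # simulate an unlogged edit
    tampered = log.verify()
    return {"files": len(manifest["entries"]), "clean": clean, "changed": changed,
            "intact_index": intact, "tampered_index": tampered}


if __name__ == "__main__":
    print(demo())
```

The manifest and the log are independent: the manifest answers "is the preserved material still what we captured?", while the chained log answers "has the record of who did what, and when, been altered?". In practice the manifest and the log head hash would themselves be stored outside the systems under investigation.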

Cross-border disputes raise additional issues of complexity and will likely require input from counsel and/or experts in other jurisdictions on document preservation.

There may be an opportunity to settle litigation at an early stage to limit the negative consequences of a crisis. The shape of settlement arrangements will depend on the nature of the crisis, including the volume of claimants, the potential level of damages, the strength of defences and the legal costs. Where there are related regulatory investigations and/or enforcement action, organisations often reach more favourable resolutions with enforcement agency investigations if they have co-operated voluntarily, and sector-specific regulators can enter into consensual arrangements to resolve enforcement action through amicable resolutions (see also 5.3 Co-Operating With Enforcement Authorities).

Companies should ensure that insurance policies are regularly reviewed to identify potential areas of further cover and so that relevant members of the crisis management team can notify insurers of any incidents that occur in line with terms of agreements. Insurance law is nuanced and will often require the input of specialist advisers on the issue to ensure adequate coverage and appropriate notification/claims where necessary.

Companies may measure an incident’s impact on reputation based on several factors, including market value, media reports (positive or negative), the consequences for profits and/or the number of clients/customers, and customer and/or employee surveys.

See 2.5 Transparency Requirements.

Ideally, companies should have a crisis communications team to develop a communication strategy plan that can be implemented in a crisis. The team can consist of specialist internal and external public relations advisers to identify risks faced with communications (such as reputational, legal or other), as well as legal counsel.

When a crisis does develop, key stakeholders such as shareholders, regulators and public authorities may need to be consulted at an early stage to mitigate any adverse consequences, such as enforcement action and potential litigation. Existing plans should be implemented and adapted where necessary to reflect the particular incident, with a dedicated spokesperson and a clearing process in place for internal and external communications. Senior members of organisations should lead communications to provide consistent messaging and exemplify the company’s approach to crisis management. Failure to communicate in a timely, adequate and co-ordinated manner may result in further reputational damage, misinformation and potential criminal investigations and litigation.

Companies should address concerns from internal stakeholders such as employees, whilst avoiding the disclosure of potentially confidential or privileged information. Internal communications should be consistent with external messaging, whilst being tailored to the relevant audience.

It should be noted that there are additional issues applicable to whistle-blower reports, which may need to be addressed with specialist legal counsel. Organisations should ensure there are robust mechanisms in place to support and protect whistle-blowers and, in turn, should encourage the reporting of suspected areas of crisis risk. To implement whistle-blowing procedures that are effective in facilitating the identification of crisis risks, the following measures should be considered:

  • having a responsible individual at board level for overseeing whistle-blowing procedures;
  • adopting a culture where employees feel comfortable to speak up about concerns;
  • signposting internal and external whistle-blowing arrangements;
  • training staff on the portals for whistle-blowing and protection offered to whistle-blowers;
  • investigating and responding to concerns promptly and fairly;
  • conducting victimisation risk assessments and protecting whistle-blowers;
  • providing feedback and learning from concerns raised; and
  • keeping systems under review.

Public relations teams should work closely with legal counsel to ensure that external communications are managed with care and are consistent and accurate. Given the fast-paced nature of media coverage, organisations should install processes prior to a crisis to facilitate prompt communications that are nonetheless carefully considered.

Organisations may need to notify those affected by an incident and provide ways for individuals to learn whether they may be affected (eg, helplines, complaints procedures and guidance websites). Caution should be taken with communications to affected consumers to avoid unnecessary distress, which can subsequently be criticised by regulators. Adequate recompense to individuals who are harmed by a crisis ought to be considered where an organisation identifies the need for remediation; typically, the reasonableness of such payments can be agreed with regulators as part of investigations and/or enforcement action. This can provide helpful evidence of co-operation to reach an amicable resolution to regulatory intervention.

During a crisis, companies should communicate clearly with investors in compliance with relevant statutory and regulatory requirements, while also maintaining confidence and trust with stakeholders. Organisations should nonetheless maintain caution with external communications to mitigate the risk of damaging messages, especially in relation to follow-on investigations, enforcement action and/or litigation.

See 5.10 Mandatory Report and 6.3 External Communication.

As part of preparing for a crisis, companies should be mindful that an incident may result in increased complaints and data requests from customers. To manage this, companies should have clear plans to implement appropriate vehicles for affected individuals to request information (such as helplines, websites and the use of social media). These measures can be developed by consulting with specialist public relations and legal teams, and in consultation with regulators where necessary.

During and following a crisis, companies may face difficulties rebuilding trust with customers, especially when a crisis incident goes against public commitments and/or the values of the company. External communications to customers should align with actions taken to remedy the incident with regulators and internal communications. Companies should use established communication channels and, where possible, be transparent on the incident, its impact and the remedial steps that will be taken.

See 6.2 Internal Communication.

See 6.5 Customer Relations.

Following an incident, companies should complete an internal investigation to understand the causes of the crisis and assess how it was handled. The extent of the internal review will depend on the severity of the incident, but it will typically necessitate:

  • gathering essential information on the incident;
  • identifying causes, areas of weaknesses and improvement; and
  • suggesting steps to improve future crisis response measures.

It may be necessary to engage external advisers and legal counsel to support an internal review or conduct an independent external review. On occasion, regulatory agencies will insist that an independent review of an incident is completed. Such an exercise can assist in illustrating co-operation with regulators and the willingness of an organisation to improve, and may potentially result in a reduction in penalties.

Depending on the lessons learned from the incident, the company should assess the recommendations and then implement any accepted findings within a reasonable timeframe. The recommendations should be monitored and reviewed periodically, and the steps taken and the consequences of any new measures should be clearly documented. Documentation will be important to provide a clear evidential trail, particularly if it may be necessary to produce evidence to prosecutors and/or enforcement agencies.

A further immediate step is to update the relevant people and entities. As policies and procedures are amended, these should also be communicated, embedded and understood through internal and external communications. This will likely require training (proportionate to the risk to which the organisation assesses that it is exposed) and carefully considered communications. Lessons can also be learned from recent enforcement activities, litigation and similar incidents.

Recommendations on improvements following an incident typically include suggestions for improving existing policies and procedures, as well as identifying new measures, ideally to prevent a recurrence of a problem, but also to demonstrate the effort that has been taken to avoid an incident if it nevertheless does happen. Where a business identifies serious failings, it will likely be insufficient merely to refine existing policies; instead, systems, teams and procedures may need to be overhauled.

To test the effectiveness of policies, it can be helpful to benchmark internal policies against guidance from trade and industry bodies and public agencies, which can provide an outline of best practice to adopt. It can also be useful to assess learnings from incidents arising in similar sectors to the business and look for opportunities to exchange helpful information via trade bodies or committees. Consulting with specialist experts and/or legal counsel can also assist in improving policies. It is important to note that maintaining operational resilience and crisis preparedness is not a tick-box exercise, and should be embedded fully within an organisation’s policies, procedures and culture.

Freshfields

100 Bishopsgate
London
EC2P 2SR
UK

+44 20 7936 4000

+44 20 7832 7001

charlie.kemp@freshfields.com