Crisis management in Brazil has been shifting from a merely contingency-based logic, focused on companies’ reaction (not rarely improvised) in the face of a crisis already triggered, to a model of permanent readiness, incorporated into the company’s very governance structure. Companies, as well as areas particularly sensitive to the topic, such as the legal and compliance departments, have come to understand more forcefully that crisis, in complex and highly exposed environments, should not be treated as a remote hypothesis, but as a potential event whose occurrence, sooner or later, needs to be considered with the due institutional seriousness.

In this context, there is consolidated, in an increasingly clear manner, the managers’ understanding that investment in preventative crisis management does not constitute a peripheral expense, but a true measure of business preservation. Prior preparation – translated into the acculturation of risks by senior management, into the clear definition of protocols, of attributions, of decision-making flows and of articulated response capacity – comes to be recognised as an essential component of the protection of the company’s institutional integrity and of its administrators in the face of future critical events, fundamental to the containment of damages and to the continuity of business.

It is precisely in this environment that the centrality of the crisis manager’s role and the degree of sophistication today demanded of this activity in Brazil become more evident. Fragmented performance is no longer enough, limited to a single dimension of the problem: the contemporary crisis calls for professionals capable of moving through, with security and an integrative vision, the legal, reputational, strategic, technical, communication and economic fronts, harmonising them in a coherent, adaptable and institutionally consistent response. It is a function that requires effective experience in situations of high complexity, the capacity to foresee derived risks, discernment to recalibrate the strategy as the facts evolve and maturity to prevent the company from dispersing into parallel, contradictory or precipitated initiatives.

In matters of crisis, this capacity to understand the whole, adapt to the movement of events and preserve unity of direction is not improvised: it results, to a large extent, from the accumulated lived experience in the major crises, from familiarity with high-pressure environments and from the concrete experience of those who have already had to decide under scrutiny, urgency and multiple fronts of exposure.

Naturally, no sector is immune to crises – which today may emerge, for example, from operational failures, cyber-incidents, internal fraud or sabotage, or even extreme climate events – but recent Brazilian experience reveals particular vulnerability in segments exposed to relevant environmental damage and to accidents with victims. In this category, the mining, energy, oil and gas, infrastructure, transport, sanitation, civil construction and other industrial activities marked by greater operational risk and high potential for institutional repercussions stand out above all.

Previous crises in these sectors have produced effects that go far beyond the initial fact. In addition to human, environmental and patrimonial damage, such episodes usually trigger, simultaneously, administrative, regulatory, civil and criminal investigations, as well as operational shutdowns, intensification of public scrutiny and reputational impairment capable of enduring over time, if poorly managed. In the Brazilian case, there is also an additional factor of sensitivity: environmental matters remain the field in which the criminal liability of the legal entity finds express constitutional provision and specific legal regulation, which naturally increases the institutional concern of companies subject to greater socio-environmental risk.

In this context, measures aimed at mitigating future crises are not exhausted in the structuring of preventative crisis management programmes – indispensable to ensure that, once the critical event has been triggered, the corporate reaction develops in an organised, timely and effective manner. They also require the revisiting of internal rules, controls and procedures from the perspective of criminal compliance (still little explored), so as to reduce vulnerabilities that, in scenarios of maximum institutional pressure, may serve as a trigger for the escalation of the crisis into the criminal sphere.

When well designed, criminal compliance adds a qualified layer of protection to the company and its administrators, not only by strengthening the prevention of unlawful acts, but also by broadening the capacity for contemporaneous demonstration of diligence, seriousness of controls and integrity of decision-making, creating, in favour of executives and board members, concrete elements of defence against personal imputations founded solely on the position held or on the mere supervening occurrence of the harmful result (which, unfortunately, has increasingly strongly marked the sanctioning and prosecutorial appetite of the Brazilian authorities).

In Brazil, crisis management is not governed by a general and unitary law. It is, rather, a transversal discipline (which goes beyond the legal sphere), which requires the articulated reading of different disciplines and different normative regimes according to the nature of the critical event and the corporate flanks of exposure that it activates. In practical terms, the crisis does not fit into a single framework, whether technical, reputational or legal: on the contrary, it tends to mobilise simultaneously norms and guidelines of environmental, criminal, labour, sanitary, data protection, capital markets, consumer relations, civil defence and sectoral regulation law, among others.

There is, moreover, an important feature of the Brazilian experience: crises of great impact frequently produce casuistic legislative repercussions, enacted by legislators under the impulse of the event and the subsequent commotion. The hardening of the dam safety regime by Law 14,066/2020 and the strengthening of disaster prevention instruments by Law 14,750/2023 illustrate this movement well. These normative responses may be justifiable in part, but they also tend, at times, to rigidify systems, expand formal duties and create new zones of risk for future events of the same nature. For this reason, managing crisis in Brazil also requires attention to the subsequent legislative effects that it may radiate over the sector involved.

See 2.1 Primary Laws.

Crises with numerous victims, especially when they affect entire communities or produce large-scale socio-environmental damage, have also come to generate legal actions abroad, brought or structured with the support of foreign law firms that structure, finance and judicially drive large-scale compensatory claims. The litigation related to the collapse of the Mariana dam, which culminated in a decision of the English High Court in November 2025 recognising BHP’s liability in an action involving more than 600,000 claimants, and the continuation of the litigation in Munich, Germany, against Tüv Süd in the case of the rupture of the Brumadinho tailings dam, clearly illustrate this expansion of risk beyond Brazilian borders.

This movement creates a new flank of exposure for crisis management: the company no longer deals only with public civil actions, investigations and domestic litigation, but with the possibility of facing, in parallel, foreign jurisdictions, new procedural rules, different judicial cultures, distinct evidentiary regimes and expanded reputational pressures. As a consequence, the crisis strategy needs to be conceived in a globally co-ordinated manner, from a legal centre capable of harmonising narratives, preserving defensive coherence across jurisdictions and preventing solutions, settlements or statements adopted in Brazil from compromising the company’s position abroad (or, conversely, preventing external initiatives from producing adverse effects on the domestic legal strategy).

There is not, in Brazil, a single authority entrusted with centralising the entire response to the crisis. Institutional co-ordination tends to be shared among the union, the states and the municipalities, varying according to the nature of the event, its magnitude and the sectoral repercussions triggered by it.

In practice, however, crises of greater impact usually produce an even more complex picture: the overlap of multiple parallel fronts of action, investigation and control, each with its own language, temporality and purpose. It is precisely at this point that crisis management assumes particular sensitivity. Even though the formation of task forces among public prosecution bodies – such as the Public Prosecutor’s Office and the civil and federal police – is relatively common, the company comes to receive, simultaneously, demands originating from different authorities and stakeholders, including civil defence, the fire brigade and regulatory entities. The challenge, then, no longer consists merely in responding, but in doing so with rigorous informational symmetry. Preserving coherence among the pieces of information provided, without loss of technical precision or narrative contradictions, constitutes a central element of proper crisis conduct, since discrepancies, in environments of high institutional pressure, tend to be interpreted as insufficiency of co-operation, deficiency of governance or even an attempt to mislead.

In matters of disasters, the formal backbone of state co-ordination is provided by the National Policy on Protection and Civil Defence. In this arrangement, it is incumbent upon the union to issue general rules and co-ordinate the National System of Protection and Civil Defence (SINPDEC); upon the states, to implement the policy in their respective territories and co-ordinate actions at state level; and upon the municipalities, to implement and co-ordinate measures at local level, which frequently places them on the front line of the immediate response, of direct contact with the affected population and of the adoption of emergency field measures. In specific sectoral crises, there are added to this framework the competent regulatory and supervisory bodies, as well as operational structures such as civil defence authorities, fire brigades and public security authorities.

The monitoring and assessment of response efforts usually occur through institutional mechanisms of follow-up, alert and provision of information. In the field of disasters, the alerts and technical reports produced by the National Centre for Monitoring and Early Warning of Natural Disasters (Cemaden), the action of the National Centre for Risk and Disaster Management (Cenad), linked to the National Civil Defence, and the use of the Integrated Disaster Information System (S2iD), through which municipalities register occurrences, request federal recognition, seek resources and submit work plans subject to technical analysis, assume particular relevance. In the health area, the Health Surveillance Programme for Risks Associated with Disasters (Vigidesastres) structures actions of preparation, monitoring, alert, communication, response and rehabilitation, in co-ordination with states and municipalities.

See 2.5 Local vs National Regulations.

In general terms, there is not, in Brazil, a single independent body specifically tasked with supervising preparedness for the crisis management of companies or public entities. The Brazilian model is fragmented and sectoral: supervision of crisis readiness appears diluted across structures of external control, sectoral regulation, thematic inspection and internal governance mechanisms. In the public sector, the Courts of Accounts play a relevant role in assessing governance, risk management and high-risk areas of the administration; on the broader institutional plane, the Public Prosecutor’s Office also acts when the crisis affects diffuse or collective interests, the environment, public assets or services of public relevance.

For private companies, the logic is likewise not that of a general supervisor, but rather of independent or autonomous authorities depending on the sector and the type of risk. In publicly traded companies, the Securities and Exchange Commission of Brazil (CVM) is a special-regime autarchy, with independent administrative authority; in data protection, the National Data Protection Authority (ANPD) has functional, technical and decision-making autonomy and supervises even prevention and response to incidents; in mining, the National Mining Agency (ANM) regulates and supervises the sector, including in sensitive matters such as dams and their emergency action plans. In public entities, besides this external control, there are also internal structures of integrity, audit and internal affairs – encouraged, for example, by the Office of the Comptroller General (CGU) – but they are not “independent” in the same institutional sense.

In summary, there are not, therefore, independent bodies dedicated exclusively to crisis preparedness in a broad sense; what exists is a diffuse supervisory network, in which different institutions control portions of institutional readiness – governance, risks, integrity, disclosure to the market, data protection, operational safety or regulatory compliance – according to the nature of the activity and of the potential crisis. This fragmentation, indeed, is one of the reasons why crisis management, in Brazil, requires particularly sophisticated legal and strategic co-ordination.

Although Brazilian legislation does not provide for a single transparency regime applicable to each and every crisis, certain events impose specific duties of public disclosure. In the context of publicly traded companies, for example, this duty assumes particular relevance when the facts are capable of materially influencing the decision of investors or the quotation of securities, as was observed, in a paradigmatic manner, in the Americanas case, in which the disclosure of the accounting inconsistencies required prompt and transparent communication to the market. In parallel, the legal system also establishes informational obligations on other sensitive fronts, such as incidents involving personal data, fatalities occurring in the workplace and environmental emergencies, which shows that, in critical contexts, transparency ceases to be a mere managerial choice and comes to assert itself as a true legal and institutional requirement.

These duties, however, are not exhausted in a merely formal or bureaucratic function. Public disclosure and transparency constitute relevant instruments for the management of the crisis itself, in so far as they allow the authorities to ascertain the facts with greater speed and precision and, when there are victims or affected communities, ensure access to concrete information on contact channels, emergency support measures, possibility of accommodation, medical or psychological care and procedures aimed at the formulation of complaints or compensatory claims. In crises of this nature, clear, timely and organised information performs an operational and humanitarian function, in addition to enabling adequate institutional interlocution with the various publics affected.

There is, moreover, an unavoidable strategic dimension in this process. Good communication, when technically calibrated and legally co-ordinated, contributes to reducing noise, discouraging speculation, preventing the informational space from being occupied by partial or hostile versions and conferring greater legitimacy on the organisation’s response. In other words, transparency, in matters of crisis, must be understood, simultaneously, as a legal duty, an instrument of support to those affected and a central element of stabilisation of the critical environment (especially before the “court of the media” and the authorities moved by prosecutorial interest), always with the care that informational openness does not imply renunciation of the technical construction of the company’s defence.

In sensitive sectors, Brazil does not operate with a uniform regime of crisis prevention and response, but rather with sectoral regulatory requirements shaped by the nature of the risk involved. In the financial system, for example, regulation imposes formal structures of risk management, business continuity, tests, periodic reviews and direct participation of senior management, including in matters of cybersecurity and incident response. In health, the same occurs through contingency plans and specific mechanisms of surveillance and response to emergencies; and, in critical infrastructure (such as mining, energy and civil aviation), crisis prevention and response capacity are already incorporated into ordinary regulatory discipline, through emergency action plans, reporting obligations, continuous monitoring, drills, audits and permanent supervision by the competent authorities.

These requirements, however, are not exhausted in their administrative or regulatory dimension. In the event of a critical event, they frequently become an important flank of exposure for criminal prosecution, in so far as the authorities begin to investigate not only whether all applicable obligations were formally observed, but, above all, whether their proper implementation would have avoided or mitigated the harmful result. It is precisely at this point that, in Brazil, a logic of imputation by omission aimed at reaching senior management gains strength, with the purpose of personalising responsibility and expanding the institutional focus on the company. In practical terms, this means that, in key sectors, crisis prevention, regulatory compliance and the criminal protection of administrators have ceased to be parallel themes and have come to form, in an increasingly clear manner, the same equation of risk.

Although there are pre-established structures of public-private co-operation in Brazil for the prevention of and response to crises, they do not present themselves in the form of a single, general model applicable to each and every crisis.

Where this co-operation reveals itself most clearly, for example, is in sectors subject to specific risks and more intensely regulated. An expressive case is the National Plan for the Prevention, Preparedness and Rapid Response to Environmental Emergencies with Hazardous Chemical Products, created by Decree No 5,098/2004, precisely with the objective of preventing accidents involving hazardous chemical products and improving the country’s capacity for preparedness and response to emergencies of this nature. In the chemical sector, this co-operative logic has already proved concrete in episodes in which companies’ mutual aid teams, together with Civil Defence and the Fire Brigade, acted in a co-ordinated manner with 35 emergency vehicles to confront a critical event, as occurred in the city of Cubatão, State of São Paulo, in a case involving a large-scale warehouse fire of ammonium nitrate at a fertiliser company.

That is to say: there are, indeed, prior arrangements of public-private co-operation, especially in areas of greater regulated risk, but not yet a mature and uniform framework for all typologies of crisis. In many cases, the institutional architecture already exists and facilitates prevention and response; in others, co-ordination continues to depend, to a large extent, on inter-institutional construction under the pressure of the event itself. For the company, this means that serious preparedness should not start from the assumption that the state will always operate through a single and stable mechanism, but from the prior identification, sector by sector, of the channels of public-private articulation effectively actionable in a critical scenario.

There is not, in Brazil, a structured national crisis management plan in a broad sense. What exists are specific instruments of risk and disaster management, developed above all in the field of protection and civil defence, such as the National Policy on Protection and Civil Defence, established by Law No 12,608/2012, which organises the National System of Protection and Civil Defence and distributes competences among the union, the states and the municipalities, as well as the National Plan on Protection and Civil Defence 2025–2035, with a ten-year term, aimed at prevention, preparedness, response and recovery in matters of disasters. In practical terms, therefore, this is a relevant arrangement for the public management of risks and disasters, but it is not to be confused with a general, unitary and comprehensive crisis management regime in a broader sense, especially in the corporate environment.

In the corporate sphere, in turn, there is no legally standardised model for the preventive and reactive structuring of crisis, which is why it falls to each company to define, according to its sector, risk profile and degree of exposure, the governance architecture, the protocols and the mechanisms by which it intends to prepare itself for critical events and respond to them.

See 2.4 Government Role.

In crises that project themselves across multiple jurisdictions, experience reveals that the co-ordination of the response must gravitate around a single legal centre of command, preferably based at the headquarters or in the country of origin of the event. It falls to this core, in close articulation with the crisis manager (whose familiarity with the company, strategic reading of the global scenario and accumulated experience in episodes of high complexity are decisive), to consolidate the factual basis, organise the institutional narrative, structure the preservation of evidence and harmonise the action of specialist local law firms in each country. In practice, this presupposes a common informational basis, rigorous protocols for the validation of communications and a decision-making flow capable of adapting the same strategy to the particular requirements of each forum, without loss of global coherence.

The greatest challenges reside, therefore, in reconciling strategic unity with regulatory diversity. A statement addressed to the market, to a regulator, to a criminal authority or to a foreign court may radiate unexpected effects in another jurisdiction; the same occurs with settlements, disclosure policies, document collection, data protection, legal privilege and evidentiary regimes. It is at this point that the action of the experienced crisis manager assumes particular relevance: it falls to that individual to perceive, as far in advance as possible, the zones of friction between different normative systems, calibrate the language of each move and prevent the company from fragmenting itself into responses that are locally adequate, but globally irreconcilable. In practical terms, good international legal crisis management depends less on the reproduction of identical responses in all countries than on the preservation, under distinct procedural languages, of the same factual and argumentative backbone.

The cross-border character of the crisis does not, in itself, create an autonomous category of reporting obligation, but it expands the normative regimes potentially applicable and intensifies the company’s duties of transparency towards the multiple stakeholders distributed across the affected jurisdictions. The same occurrence may thus require simultaneous communications to Brazilian authorities, to the market, to investors, affected communities and, depending on the international connection of the case, also to foreign regulators, parent companies, stock exchanges, data protection authorities abroad or even to agents subject to international sanctions and economic control regimes.

The central challenge there lies not only in the formal identification of the duties to inform, but in the construction of timely, technically consistent and materially harmonious communications among themselves, capable of preserving the company’s institutional credibility and preventing the initial crisis from being aggravated by informational asymmetries or contradictions.

A crisis management plan must be conceived as a true instrument of organisational rationality, capable of guiding decisions under pressure and preserving unity of direction among the sensitive areas of the company.

This is revealed with particular clarity in the relationship with authorities in on-site measures, including in situations of search and seizure, for example: the company needs to know, in advance, who will be the focal point for the assistance, who will call external counsel, who will accompany the acts carried out, how employees will be instructed and in what manner the company’s rights and the duty of co-operation within legal limits will simultaneously be safeguarded. Without this preparation, improvisation tends to occupy the space of method and, in a crisis context, to improvise usually means to increase exposure.

Another essential component lies in the existence of specific protocols for the preservation of physical and digital evidence, one of the most sensitive points of any corporate crisis. Initial failures of organisation, technical lack of knowledge or absence of traceable formalities may compromise the integrity of the investigation, weaken the credibility of the response and increase the company’s exposure on several fronts, especially in the legal and communicational spheres. The preservation of evidence requires co-ordination among legal, technology, technical areas and external specialists, with prior definition of procedures for data retention, access control, custody of documents, traceability of the handling of information, delimitation of the scope of collection and protection against loss or alteration of relevant content.

The integrated management of information, in turn, constitutes a third structuring axis. Relevant crises produce, almost inevitably, a significant and simultaneous volume of demands: letters from authorities, document requests, investor enquiries, insurers’ requests, audits, press enquiries and internal communications, almost always accompanied by tight deadlines and strong informational overlap. If each area responds on the basis of its own documentary base and in its own language, the company ends up producing a plurality of narratives, and, in matters of crisis, informational contradictions tend to be read as lack of credibility. Hence the importance of a central repository of information, co-ordinated by its own team or specialised advisers, capable of consolidating data, controlling versions, monitoring deadlines and ensuring symmetry in responses across all fronts of interlocution.

In this scenario, internal communication requires specific treatment. Not infrequently, the first vector of disorder arises within the organisation itself: uninformed employees, anxious employees or employees exposed to rumours tend to multiply partial interpretations, which compromises operational cohesion and response discipline. It is therefore indispensable that the company have protocols capable of clarifying with precision what is already confirmed, what remains under investigation, which are the official channels of guidance and who is authorised to speak on behalf of the company. Also for this reason, institutional channels must maintain organised and updated information, so that the search for clarification – including by authorities – produces answers, and not new sources of questioning.

In Brazil, the best structured companies tend to organise their crisis governance on the basis of a prior and unequivocal architecture of command, conceived precisely to prevent the company, at the critical moment, from having to discover, in real time, who decides, who executes and who speaks.

In this sense, it is increasingly common, especially in sectors of greater exposure, for specific crisis committees to be established in advance, with lean composition, clearly delimited attributions and effective authority to deliberate and help co-ordinate the institutional response. This is explained by the fact that excessively broad committees, devoid of clear functional hierarchy and lacking professionals effectively accustomed to crisis management, tend to convert themselves into a mere instance of continuous updating, yet with reduced capacity for resolution.

As a rule, such committees bring together executive leadership, legal, compliance, operations, communication and, according to the nature of the risk involved, areas such as technology, health, safety, environment and institutional relations. The truly decisive aspect, however, does not reside in the quantity of areas formally represented, but in the technical quality of their members and, above all, in the degree of substantial integration among the different fronts involved.

Finally, a particularly relevant aspect – and one still sometimes neglected – consists in the need for the company to foresee how its regular operation will continue to function while its principal executives and managers are absorbed by the administration of the crisis. For this reason, more mature companies not only define, in advance, the composition and functioning of the committee, but also establish mechanisms for temporary replacement and operational continuity. In practical terms, good crisis governance presupposes not only the formal existence of a committee, but an effective, functional and sufficiently robust decision-making structure to avoid improvisations, internal contradictions and loss of control over day-to-day operations precisely at the moment of greatest criticality.

Directors and executives face personal risks in crisis contexts from two distinct perspectives, although intimately intertwined. The first stems from the very triggering fact of the crisis and goes back, as a rule, to the period prior to its outbreak. In events of greater gravity, such as socio-environmental accidents, incidents with victims or more significant corporate fraud, senior management tends to become the preferred addressee of multiple investigations, especially in the criminal sphere, while at the same time being called upon to manage the crisis, co-operate with the authorities, organise the internal investigation and, in parallel, structure its own defence.

The second perspective refers to the risks that emerge in the course of the conduct of the crisis itself. Here, the danger is no longer linked only to the originating event, but to the manner in which it is managed. Disorganisation, informational asymmetry vis-à-vis important stakeholders such as authorities and the press, the absence of timely response to official letters and requisitions, the inadequate preservation of evidence, as well as poorly calibrated public statements or interviews from which elements of liability – of oneself or of third parties – may be extracted, can open new and, at times, unnecessary flanks of exposure.

Added to this is the media exploitation of poorly formulated statements and press releases or those lacking strategic rigour, whose effects frequently go beyond the strictly legal plane and come to affect directly, with intensity, the reputation of the company and of its administrators. Cases are not rare in which the permanence of the manager in office becomes unviable less by reason of the critical fact itself than by the perception that the manager lacked consistency, prudence and authority in the conduct of the crisis.

It is precisely for this reason that the role of the crisis manager, once the event has been triggered, cannot be reduced to the mere containment of damage already consummated. The crisis manager’s most relevant mission consists in anticipating secondary threats, identifying potential vectors of imputation and preventing new exposures from materialising throughout the institutional response. The mechanisms for mitigating individual liability thus pass through a combination of prior preparation and method:

• clear architecture of command;
• protocols for interaction with authorities;
• rigorous discipline in the preservation of evidence;
• centralisation and symmetry of information;
• legal co-ordination from the very first hours;
• training of spokespersons; and
• criminal compliance structures capable of producing consistent records of diligence, seriousness of controls and integrity of decision-making.

In an environment marked by increasing interpretative rigour, retrospective readings of the facts and a tendency towards imputation founded more on the position held than on concretely demonstrable conduct, this capacity has ceased to be a merely accessory attribute of good governance. It has become, in the proper sense, a requirement of institutional protection for administrators and for the company itself.

From the preventative perspective of crisis management, it is recommended that the company establish, from the outset, at least the essential core of the crisis committee, to which other members previously mapped according to the different areas of the company potentially affected may be added, depending on the characteristics of the critical event. This minimum core must meet periodically, not only for the carrying out of drills, but also to revisit procedures, test decision-making flows, improve protocols and identify organisational vulnerabilities before they are converted into concrete exposure. As for the common attributes of crisis committees, the importance of lean composition, decision-making authority, functional integration, technical specialisation and co-ordinated response capacity has already been highlighted.

With regard to independence, whether from the standpoint of its members or in relation to senior management, a relevant conceptual distinction must be made. Any independent member of the crisis committee is not to be confused with the figure of the independent board member within the board of directors. It is, rather, the possibility of incorporating into the committee an external professional, without an organic link to the company’s administrative structure, called upon to contribute specific experience and a view less captured by the organisation’s internal dynamics. This participation is neither mandatory nor constitutes universal practice, but it may prove especially valuable when it concerns a professional with notorious experience in complex crises, capable of bringing composure, the ability to read the problem transversally and to foresee its developments.

As for the degree of independence of the committee in relation to the executive board and the board of directors, the more precise formulation is perhaps that of functional autonomy, and not that of absolute independence. The crisis committee does not act as a structure separate from senior management, nor as a body free to follow its own guidance dissociated from the company’s institutional strategy. It is expected, however, that it be ensured sufficient autonomy to deliberate, with agility and coherence, on the direction of the critical response, without decision-making paralysis or disorderly subjection to sectoral or contingent pressures. Ultimately, the quality of the committee depends less on formal labels of independence than on the technical density of its members, the clarity of their attributions and the effective authority conferred upon them to conduct, with security, the management of the crisis.

As aforementioned, the typical members of a crisis management team vary according to the nature of the risk and the company’s profile, but, as a rule, comprise representatives of senior management, legal, compliance, operations, communication and, as the case may be, the areas of technology, health, safety, environment and institutional relations. More than the simple formal presence of these areas, however, what matters is that their members bring together technical capacity, a transversal view of the problem and an aptitude to act in a co-ordinated manner under pressure. As for the leadership of the committee, the most common is that it be exercised by a member of senior management endowed with institutional authority and real capacity to bring people together, someone who inspires respect and is able to articulate the different fronts involved without converting the internal dynamic into a relationship of mere submission. In matters of crisis, respect is not to be confused with subservience: the quality of the response depends, to a large extent, on an environment in which the members of the committee have the technical freedom to disagree, weigh risks and contribute frankly to decision-making.

With regard to the frequency of meetings, there is no uniform periodicity, as it must be calibrated according to the gravity of the event and the speed of its developments. In times of normality, it is recommended that the essential core of the committee meet periodically for drills, review of protocols, testing of flows and improvement of procedures, preferably with the support of external specialists, whose accumulated experience in multiple crises usually far exceeds the experience of the company’s internal staff. Once the crisis has been triggered, however, the routine of meetings tends to intensify markedly, and may require daily meetings – not rarely even more frequent – according to the criticality of the case.

Communications between the crisis management team, the company and management must observe a clear logic of escalation and informational symmetry. Each area leader who is part of the committee must function as a link between it and their respective team, being responsible for internally triggering requests for information, technical support or execution of measures. The interlocution between the committee and senior management, in turn, must occur, preferably, through a periodic agenda of updates and active listening, capable of ensuring strategic alignment without compromising the committee’s functional autonomy. Ultimately, the good circulation of information, in crisis, depends less on spontaneity and more on discipline: well-defined flows, identified focal points and centralised communications are what prevent the company from fragmenting itself into parallel narratives precisely when it most needs unity.

In crises of greater complexity, it is quite common and even natural for companies to resort to external specialists, both for the structuring of prevention programmes and for the conduct of the response, above all because these professionals bring something that the internal structure, however qualified it may be, does not always possess: accumulated experience in multiple critical events, capacity for multifrontal strategic reading under pressure and greater aptitude to identify, in advance, risks that have not yet materialised. In matters of crisis, this external lived experience may be decisive in placing the company ahead of events, and not in a merely reactive position before them.

In the selection of these specialists, some criteria reveal themselves as particularly relevant: effective availability and full dedication to the case, a deep strategic bias, communicational ability, capacity to foresee risks and, above all, aptitude to integrate themselves into the company’s structure without intending to overlap with it or replace it. The best external specialists do not impose a logic parallel to the organisation; on the contrary, they know how to insert themselves intelligently into the corporate dynamic, strengthen the capacities already existing and contribute to their improvement. It is precisely this combination of experience, vision, presence and adaptability that usually marks the most successful external collaborations in crisis contexts.

Risks related to third parties and the supply chain also form, in an inseparable manner, part of crisis management and must be addressed with the same seriousness dedicated to the other flanks of exposure. This involves verifying, from the very first hours, which contracts contain rights of intervention, audit, access to information, notification obligations, termination triggers or contingency mechanisms that may be activated or that impose immediate measures upon the company. In practical terms, the proper management of these risks requires a rapid and co-ordinated reading of the critical contractual network, so that the principal crisis is not aggravated by reflex breaches, loss of control over strategic suppliers or non-compliance with informational duties towards relevant partners.

In matters of crisis, the success of the response is rarely measured by the unrealistic pretension of complete neutralisation of the damage. Every relevant crisis leaves marks. The most significant metrics usually lie, rather, in the capacity to contain the disorderly expansion of the problem and to prevent tendentious narratives, hasty conjectures or distorted readings from artificially aggravating the company’s exposure. Also relevant indicators are the preservation of the institutional reputation at the end of the process, the maintenance of the confidence of strategic stakeholders, the contemporaneous demonstration of diligence on the part of the administrators – so as to ward off imputations founded on omission or insufficiency of controls – as well as the recognition, by the authorities themselves, of a co-operative posture, technically serious and solution-oriented. In many cases, added to this is the capacity to structure effective interlocution with public bodies and affected parties in order to make possible agreements, compensation or remedial measures in the swiftest manner.

Continuous improvements, in turn, must be incorporated on the basis of a critical review of the event and of the manner in which it was managed, for every critical or undesirable event also carries, to some extent, an opportunity for institutional improvement. Mature companies are precisely those capable of correcting flows, refining protocols, eliminating decision-making bottlenecks, improving reporting mechanisms and strengthening their routines of prevention and response. This movement, however, requires special caution: not infrequently, authorities inclined to retrospective readings or animated by excessive accusatory zeal seek to convert subsequent improvement into an alleged recognition that there had previously not been sufficient diligence. Hence the importance of separating, with rigour, what constitutes legitimate organisational learning from that which could be artificially presented as an admission of prior failure – a distinction that demands technical reading, strategic prudence and, many times, the support of specialists capable of conducting this process without unduly increasing the company’s exposure.

In practical terms, ESG has ceased to be merely the language of commitment and has come to function as a criterion of accountability in crisis. The company that does not integrate these dimensions into its planning tends to face greater legal, regulatory and reputational vulnerability; the one that integrates them seriously improves its capacity to prevent damage, respond with legitimacy and demonstrate that its governance mechanisms were not merely declaratory. The crucial point, however, is that this integration needs to be real: in matters of crisis, abstract promises of sustainability usually count for much less than concrete evidence of diligence.

In crises, especially in global operations, more mature companies tend to treat human rights concerns not as a peripheral matter of reputation, but as a material axis of the response itself. This means prioritising, above all, the protection of the life, physical integrity and dignity of the affected persons – employees, third parties, communities and family members – with concrete measures of medical, psychological, material and informational support, in addition to clear channels for reception and referral.

The identification of the crisis, as a rule, does not occur through a single and instantaneous act, but through the company’s ability to perceive, as quickly as possible, the transition between an isolated event and a process of expanding institutional, reputational and legal pressure. Corporate crises rarely arise, from the outset, with the conceptual clarity of a “crisis”: they frequently begin as an operational accident, a cyber-incident, an internal fraud, an investigative report or a business dispute. What converts this fact into a crisis is not only its intrinsic gravity, but the speed with which it begins to attract multiple centres of pressure – authorities, the press, social media, investors, employees, communities and other stakeholders – each with its own timing and assumptions of interpretation. The company’s institutional maturity lies precisely in recognising this inflection with sufficient advance notice to abandon the routine treatment of the event and adopt, from the outset, a logic of critical response.

See 3.1 Crisis Management Plans.

Companies identify and assess potential crisis risks, first of all, through the proper understanding of the fact, the event or the warning sign and of its possible developments. It is this initial reading – technical, legal and strategic – that makes it possible to perceive whether one is faced with a specific problem or with a vector capable of evolving into a crisis. The relevant risk factors usually lie precisely at the points of greatest sensitivity of the operation:

• safety of persons;
• integrity of structures;
• environmental impacts;
• failures of internal control;
• data incidents;
• regulatory exposure;
• weaknesses in the supply chain; and
• reputational risks associated with the way in which the event may be perceived by authorities, the press and other stakeholders.

The most common preventative measures consist in addressing the identified risk immediately, before it is converted into consummated damage. If, for example, the company detects a weakness in an industrial structure and its technicians point to a serious risk to persons or to the environment, a diligent response requires not only deepening the investigation with specialists, but also implementing without delay the technical measures recommended for containment, correction or mitigation. In scenarios of crisis in formation, the co-ordinated support of technical, legal, communicational and operational specialists is frequently decisive in allowing the company to act before the materialisation of the worst-case scenario, reducing exposure and preserving its response capacity.

There are still relatively few companies in Brazil that carry out truly robust crisis preparedness drills. In many cases, the exercises remain excessively theoretical or formal, precisely because an effective simulation presupposes real interference in the company’s routine:

• mobilisation of the crisis committee;
• activation of internal flows;
• involvement of sensitive areas; and
• not rarely, the temporary activation of substitutes for those who come to dedicate themselves fully to the training.

It is, to a certain extent, a discomfort similar to that observed in evacuation drills: few appreciate them while everything appears normal, but their absence is usually felt clearly when the critical event actually occurs.

See 4.4 Crisis Simulation.

More structured companies tend to adopt specific policies and procedures aimed both at preparedness for crises and at their management properly so called. These instruments must be designed in advance, based on the company’s risk profile, discussed with specialists and structured in such a way as to reflect, realistically, the operational, legal and communicational needs that may arise in a critical event. In matters of crisis, it is not enough for the policy to exist on paper: it is precisely its practical usefulness that will determine its value.

For this reason, the effective implementation of these policies and processes depends less on their abstract formulation and more on their concrete testing. The adherence between what is provided for in theory and what will be required in practice can only be assessed by means of drills, periodic reviews, training of those involved and the continuous improvement of decision-making and informational flows. To leave it to the moment of the crisis to “test” the policy is, to a large extent, equivalent to transferring to the critical event itself the cost of improvisation.

The most relevant legal challenges faced by companies involved in a crisis tend to be concentrated, above all, on two fronts: the civil-compensatory and the criminal. On the first, the pressure usually falls on the prompt containment of the damage, material remediation, negotiation with authorities and affected parties, and the management of public civil actions and large-scale compensatory claims, a field in which the Brazilian system offers robust instruments of collective protection. On the second, the risk of personalisation of liability gains prominence, with investigations directed at administrators and executives, especially in contexts of great repercussion or socio-environmental damage, a field in which the Constitution expressly admits the criminal liability of the legal entity and the Environmental Crimes Law provides it with specific regulation. The real challenge, however, lies not only in facing these two fronts in parallel, but in doing so without the action on one compromising the other: to co-operate, remediate and communicate without sacrificing defensive coherence, preservation of evidence and the protection of administrators against imputations founded more on the harmful result and the position held than on concretely demonstrable conduct.

Without doubt, the criminal prosecution authorities – especially the Public Prosecutor’s Office and the judicial police forces (the Federal Police, where there is a federal interest or interstate/international repercussions, and the Civil Police forces, in the other cases) – usually represent the front of greatest exposure for companies and administrators, because the criminal investigation may radiate immediate and deeply disruptive precautionary effects, such as searches and seizures, preventative arrests and asset-freezing measures, in addition to producing particularly severe reputational impact on executives.

Co-operation with supervisory authorities and regulators usually constitutes a central front of crisis management, especially in events of greater gravity or repercussion. In practical terms, the company is expected to co-operate in a timely and technical manner, providing information, enabling access to documents, complying with requests and adopting concrete measures to ascertain causes, contain damage and remedy consequences. Many times, the company is even expected to bear the costs of the emergency response. This co-operation, however, is not to be confused with waiver of the defence: it must proceed in parallel with a competent internal investigation, legally guided and capable of preserving the coherence of the company’s institutional position. As for the measures normally adopted, the following stand out:

• the internal investigation of the facts;
• the engagement of external specialists;
• the implementation of immediate corrective measures;
• the strengthening of controls;
• the review of procedures;
• the preservation of evidence;
• structured interlocution with authorities; and
• where applicable, the negotiation of consensual solutions for remediation, reparation or adjustment of conduct.

Companies normally assess potential risks and legal liabilities on the basis of an initial, technically guided fact-finding effort, promptly supported by the mobilisation of the necessary resources, precisely in order to determine what occurred, how it occurred and what the degree of involvement was – by action or omission – of employees, executives and third parties.

Legal teams must be involved from the very first signs of criticality, and not only when the crisis is already in full development, and the engagement of specialised legal counsel effectively familiar with crisis management is highly recommended. This contributes to the harmonisation of theses and strategies, avoiding the formation of silos of action which, not rarely, compromise the global coherence of the response and end up increasing the company’s exposure. In terms of structure, the most efficient model is usually one in which the crisis manager, in close articulation with the internal legal department, leads and co-ordinates the work of external law firms, ensuring strategic unity, informational symmetry and defensive coherence across the multiple fronts of the response.

Companies usually gather and preserve relevant documentation and evidence through the immediate adoption of measures for informational containment and formal preservation of evidence as soon as the crisis is triggered. Among the most important measures are the issuance of hold notices to employees potentially involved or in possession of relevant information, the immediate instruction of information technology teams for the retention and preservation of data, the definition of protocols for the collection of physical and digital evidence and the secure and traceable storage of this material, including on media suitable for future presentation to the authorities, when necessary. Compliance with the legal requirements for the preservation of evidence depends, to a large extent, on the existence of clear procedures regarding the chain of custody, access control, the integrity of files, the delimitation of the scope of collection and the documentation of all stages of handling, so as to enable the company to demonstrate, consistently, that it acted with seriousness, method and preservation of the reliability of the material gathered.

The possible consensual arrangements depend, to a large extent, on the nature of the crisis itself and on the spheres of liability triggered by it. Depending on the case, they may involve:

• judicial or extrajudicial reparation agreements;
• terms of adjustment of conduct;
• compensation programmes;
• regulatory agreements; and
• where legally permissible, negotiated instruments in the criminal sphere.

In practical terms, it is the concrete configuration of the event that will determine which consensual solutions are possible and strategically appropriate.

It is not uncommon for companies to maintain policies aimed at covering their principal risks, including litigation and crisis-related costs, such as directors’ and officers’ liability insurance (D&O), general civil liability, operational risks, environmental and cyber-insurance. The sensitive point, however, lies less in the formal existence of the policy than in the effective obtaining of coverage: in events of greater magnitude, not infrequently there arise relevant resistances on the part of insurers, which prolong the adjustment of the loss, discuss exclusions, conditions or nexus of coverage and, in some cases, take the controversy to litigation. For this reason, the relationship with insurers must be treated as a front of crisis management in its own right, with prior attention to the drafting of the clauses, the proper and timely notice of loss, the organisation of the supporting documentation and the co-ordination among legal, crisis management and brokers, in order to reduce the risk that the expected coverage may be converted into a new source of exposure.

The reputational impact of a crisis is usually measured, to a large extent, by the degree of preservation – or of erosion – of the trust and credibility of the company and of its administrators during and after the event. The repercussion in the press, the tone adopted by the authorities, the confidence maintained or shaken among controlling shareholders, investors, partners and other stakeholders, as well as the company’s capacity to sustain a coherent institutional narrative throughout the crisis, are particularly relevant indicators of this reputational thermometer.

See 2.8 Transparency Requirements and 5.3 Co-Operating With Enforcement Authorities.

All crisis communication must be centralised in the crisis committee, with the support of the communications area and, when necessary, of external specialists with experience in crisis management. The existence of unified and co-ordinated channels is highly recommended, and it falls to the committee itself to define the triggers, the content and the timing of interactions with authorities, the market, the press and other stakeholders.

See 3.1 Crisis Management Plans, 3.5 Crisis Management Team and 6.1 Co-Ordination of Communications.

Effective communication strategies with the public, the press, social media and digital platforms start from the recognition that, in highly exposed crises, the fact is no longer merely ascertained: it is narrated, reframed and reinterpreted in real time. In this environment, the company must act swiftly, but without haste; with transparency, but without improvisation; and with firmness, but without losing adherence to the real stage of the investigation. This requires:

• previously defined spokespersons;
• technically validated messages;
• communication proportionate to what is actually already known; and
• discipline to avoid unfeasible promises or hasty statements.

The consistency and precision of communication depend, above all, on centralisation and method. The company needs a single centre of informational validation – normally the crisis committee, with the support of communications, legal and the technical areas – capable of consolidating facts, controlling versions of documents, standardising language and ensuring that the company’s different statements do not contradict one another. In matters of crisis, divergences of narrative, even when resulting merely from internal disorganisation, tend to be read as lack of transparency, attempt at concealment or deficiency of governance.

See 2.8 Transparency Requirements, 2.14 Communication of Cross-Border Crisis and 6.3 External Communication.

See 2.8 Transparency Requirements and 6.3 External Communication.

See 3.1 Crisis Management Plans, 3.10 Human Rights and Labour Issues and 4.1 Identifying a Crisis.

See 2.8 Transparency Requirements, 2.14 Communication of Cross-Border Crisis, 3.10 Human Rights and Labour Issues and 6.3 External Communication.

See 6.3 External Communication.

Companies have been incorporating technologies such as artificial intelligence, the analysis of large volumes of data and, in some cases, blockchain mainly as support instruments for crisis management, and not as substitutes for human judgement. These tools may contribute to:

• accelerating the detection of incidents;
• organising documentary bases;
• cross-checking information;
• structuring preliminary responses;
• supporting the assessment of scenarios; and
• facilitating the monitoring of critical flows in real time.

In a crisis environment, in which time, informational volume and multiplicity of fronts impose high decision-making pressure, this gain in speed and analytical capacity may be quite relevant.

This, however, does not eliminate the centrality of the crisis committee and, above all, of the experienced crisis manager. Technology may support decision-making, but it does not replace strategic reading, institutional sensitivity, legal weighing nor the capacity to calibrate responses in the face of reputational, regulatory, criminal and transactional risks that transform rapidly. In other words, AI and related tools may help to illuminate paths, but they should not purport to decide on their own which path the company should follow.

There is, moreover, a decisive premise: every tool of this nature depends, to a large extent, on the quality of the base on which it operates. If the company does not have organised data, reliable informational flows, defined protocols, validation criteria and a minimally solid repository of information, technology tends only to reproduce disorder at greater speed.

See 7.1 Technology.

Every relevant crisis must be followed by a structured review of the response adopted, normally with the participation of the members of the crisis committee, legal, compliance, the operational areas involved, communications and, when necessary, external specialists. The objective is not merely to reconstruct what occurred, but to identify any flow failures, decision-making bottlenecks, informational noise, insufficiencies of co-ordination and points of vulnerability that the event may have revealed. In more organised companies, these lessons are consolidated into internal reports, action plans, revision of protocols, updating of policies and new simulated exercises, so as to incorporate the learning into future preparedness.

The updating process requires caution and sophistication. Every crisis produces an opportunity for improvement, but subsequent improvement cannot be conducted in a naïve manner. Separating legitimate institutional learning from the risk of interpretative self-incrimination is a task that demands method and experienced judgement. The company must review and strengthen its structure without allowing subsequent changes to be artificially presented as proof of prior insufficiency.

The effectiveness of crisis management may be measured by:

• the containment of the damage;
• the preservation of institutional credibility;
• the quality of interlocution with authorities;
• operational continuity; and
• the capacity for remediation.

Benchmarks among companies may be useful, but the accumulated experience of specialists usually offers the most qualified parameter.