The Role of the Board in a Crisis
The frequency and scale of recent cyber security breaches have raised questions about the role of the board before and during a crisis.
Many boards and executives are navigating uncharted waters in responding to the increased threats and impacts of cyber security risks. The Australian Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 includes penalties of $50 million or up to 30% of domestic revenue for serious or repeated interferences with privacy, which has put a spotlight on the role of the board during a cyber-related crisis.
The board’s main role, prior to a crisis occurring, is ensuring the organisation is effectively prepared to respond to a range of risks, threats and disruptive events. During a crisis, the board may need to enter the decision-making process as well as provide oversight and governance.
During a crisis the board may be called on to:
- Become a ‘sounding board’ to the crisis management team for significant strategic decisions that need to be made. This may be crucial to the effectiveness of the crisis chair and the crisis management team, depending on the size, complexity and scale of the crisis.
- Challenge and endorse the key strategic decisions and actions of the crisis management team and provide board level oversight regarding these key decisions.
- Enter into the decision-making process and make decisions with the crisis management team where there may be incomplete or conflicting information and significant impacts.
- Liaise with key external stakeholders including the regulators, shareholders and the media, only as agreed by the crisis management communications team.
Assurance needs to be provided to the board so that it can trust the capabilities of the executive leadership team and the crisis management team. Members of the board need to be confident that the crisis management team can manage the strategic requirements of a crisis.
Clear expectations are critical in this relationship
The crisis management team needs to understand, before the crisis event, what the board members will require during the crisis response and how they will support the associated organisational response. Conversely, the board needs to understand the needs of the executive during a crisis.
Board members should resist the urge to make too many demands on management’s time during a crisis. The crisis management team members will have established relationships and processes and be best placed to understand the impacts across the organisation and to mobilise the appropriate resources.
An effective crisis management team should provide assurance and demonstrate critical thinking capabilities by: separating facts and assumptions; identifying what is unknown; understanding the impacts across the organisation; considering most likely outcomes and worst case scenarios; identifying key stakeholders impacted and developing and communicating critical decisions.
This process will often take place with incomplete information and under immense time pressure. The crisis management team should ideally be able to focus on managing the crisis rather than on managing the board's requirements.
In what situations would the board need to operate as a crisis team?
The role of the board may change from a role of oversight to one of leadership where the crisis has a direct impact on the chief executive and/or their leadership team. Questions board members should be asking at this time are:
- Are any members of the crisis management team implicated or impacted by the crisis?
- Does the crisis management team have the skills and capability required to respond to this event?
- Does the crisis management team need additional support?
If the entire crisis management team and their alternates are unable to lead a crisis, the strategic decisions will lie with the board, and they will need to assemble and direct a new crisis management team.
What can the board do to prepare for a crisis event?
Members of the board have a highly influential role in crisis management preparedness. They should be asking executive leaders targeted questions to ensure that an adequate level of preparedness has occurred and that capability exists at all levels within the organisation.
Key actions for the board are to ensure that:
- Emerging risks are monitored effectively and contingency plans are developed for significant emerging threats, as they are identified.
- The organisation has the demonstrated capability to respond to a range of strategic, operational, financial and environmental threats.
- There is a robust and strategic exercising program with scenario-based activities that develop critical thinking capabilities at multiple levels within the organisation including the incident, emergency and crisis level.
- The organisation has access to crisis, emergency and incident management tools that enable it to respond in a co-ordinated way and that facilitate critical thinking.
- Members of the board understand how the organisation would respond to a crisis event, including key roles and responsibilities.
- Board members have access to crisis management tools should they be required to lead a crisis event.
Responding to cyber security threats
The evolving nature, potential severity and velocity of cyber risks require organisations to take a more targeted and focused approach to assessing, building and maintaining cyber resilience capability.
Boards can uplift Cyber Resilience Capability by:
- Implementing a Cyber Resilience Framework that incorporates key areas such as Risk, Readiness, Response and Assurance.
- Utilising a Cyber Resilience Scorecard to identify gaps that need immediate attention, areas of excellence to be applied more broadly and provide assurance to key stakeholders.
- Elevating high-quality and transparent decision-making to ‘business critical’ and identifying a Critical Thinking Framework that can be used at all levels of the organisation to review and build capability and provide assurance.
- Facilitating board and executive level discussions on complex or technical cyber security decisions, such as whether to pay a ransom, and reaching consensus on how such decisions will be made, utilising a transparent and defendable decision-making process.
- Conducting board or executive War Rooms to create awareness, uncover areas of concern or build assurance for cyber security events.
What is ‘better practice’ in board level crisis management?
Better practice crisis management at the board level is evident when critical thinking and high-quality decision-making occur at all levels of the organisation in the prevention of, preparation for, and response to a crisis.
Board members should ensure their organisations have a transparent and robust decision-making process and that decisions reached are both discoverable and defendable. A pre-defined and consistent decision-making framework will allow board members to seamlessly enter into the decision-making process, as required, drawing upon their diverse expertise.
Organisations with high levels of trust between board members and the executive team can work together to build and maintain a mature cyber resilience capability.
Board members have a highly influential role in crisis management readiness by ensuring an adequate level of preparedness has occurred and that capability exists at all levels within the organisation. Where the crisis has a direct impact on the chief executive or their leadership team, the role of the board may change from oversight to leadership.
Scenario-based planning activities can be used to clarify roles and responsibilities, to ensure that decision-making is transparent, robust and defendable, and to ensure that communications strategies are effective in managing all key stakeholders.
Why is Critical Thinking Important?
“Team-based critical thinking allows us to be both agile and robust in our decision making, drawing upon the brains trust of the organisation”
“By developing our critical thinking capabilities our teams can manage cyber crises more effectively. The tool also enables us to see the opportunities to execute strategy more efficiently”