Many organisations invest in risk readiness and incident management but still find themselves underprepared when disruption strikes. A 2025 World Economic Forum and McKinsey survey put a number on it: 84% of executives feel underprepared for future disruption, particularly in crisis response capability and strategic reorientation under pressure.

Two examples illustrate this, one from the public sector and one from the private. 

First, the Hawaii Attorney General’s investigation into the 2023 Lahaina wildfires — 102 dead, $6 billion in damages — found a siloed command structure, fragmented situational awareness, and coordination infrastructure that was not in place when it was needed. The head of the Maui Emergency Management Agency resigned. 


Second, when South Korea’s largest-ever data breach exposed 33 million Coupang customer accounts, the CEO resigned and said so directly: “I am deeply sorry for disappointing the public [...]. I feel a deep sense of responsibility for the outbreak and the subsequent recovery process.”

The consequences for leadership personally are no longer abstract. Across Europe, NIS2 Article 20 makes management bodies personally liable for infringements, with fines reaching €10 million or two percent of global turnover and the possibility of temporary bans from management roles. DORA, in force since January 2025, imposes equivalent obligations on financial services. The UK’s Senior Managers and Certification Regime reverses the burden of proof: named individuals must demonstrate they took reasonable steps.

Enforcement has moved beyond directive language. Germany’s BSI issued formal notices to 47 entities in Q4 2025 under its national NIS2 implementation. The question leadership teams are now being asked is not whether decisions were made. It is whether they were informed, timely, and defensible — and whether the record proves it.

Understanding the gaps in preparedness

Many organisations invest in preparedness but struggle to manage incidents effectively when they arise. In 2026, the FCA reported that some firms’ communications plans “existed on paper but had not been tested,” limiting confidence they would mitigate harm during a real incident. A 2026 survey of senior US business leaders found the same pattern: respondents described their organisation’s crisis planning as proactive — yet also reported financial impacts from a recent disruption.

Strikingly, a Q4 2025 Deloitte survey of governance professionals found that only 15% of public company boards had participated in scenario planning or tabletop exercises, and nearly a third had no formally defined board role in crisis management preparation.

Effective preparedness demands more than plans and frameworks. The current regulatory standard — approve, oversee, be accountable for the outcome — requires leadership to govern preparedness as an ongoing organisational capability, not a function delegated until something goes wrong.

Governance: the role of leadership in preparedness today

Preparedness is an ongoing governance practice — one that requires leadership to maintain coordination and accountability across the entire emergency response network. The framework below identifies how that governance is changing, and what it means for leaders.

| Dimension | Legacy governance model | Current governance requirement |
|---|---|---|
| Accountability | Responsibility sits primarily with the organisation. | Named executives must demonstrate informed and defensible decisions. |
| Preparedness logic | Preparedness is evidenced through plans, frameworks, and compliance activity. | Preparedness is evidenced through exercised capability and measurable organisational performance. |
| Crisis visibility | Leadership receives summarised updates through operational layers. | Leadership requires direct, role-appropriate situational awareness within the decision window. |
| Decision infrastructure | Executive coordination relies on calls, briefings, and fragmented reporting. | Executive coordination relies on calls, briefings, and fragmented reporting. |
| Exercises | Exercises validate plans periodically. | Exercises continuously expose governance gaps and improve organisational capability. |
| Audit trail | Records are reconstructed after the event. | Governance records are generated automatically during the event itself. |
| Risk environment | Incidents are treated as isolated operational events. | Multiple concurrent disruptions create organisation-wide governance challenges. |

The gaps that matter most are rarely the ones organisations expect. A self-assessment can help determine any gaps to be closed as well as areas for improvement.

Preparedness as best practice

When LockerGoga ransomware struck Norsk Hydro in March 2019, the scale was unprecedented — 170 sites, 35,000 employees, operations across 40 countries. What distinguished Hydro’s response was not the speed of technical recovery but the quality of its governance. Leadership had defined roles and responsibilities before the crisis arrived. Decision-making was clear. And from the first hours, the executive team chose full transparency — with employees, investors, customers, and the public — over the instinct to contain and control the narrative.

As Halvor Molland, SVP Communication and Public Affairs, reflected at the RAYVN Symposium in October 2023: “Transparency is core to the Norsk Hydro culture. We wanted to help other industries learn from our experience.” The lessons he identified were practical: 

  • contingency plans that kept operations running
  • a communication infrastructure that held under sustained pressure 
  • and the discipline to maintain accountability throughout

The company’s reputation emerged stronger.

How governance and preparedness interact

Organisations that perform well under pressure treat preparedness as a continuous cycle: planning and preparation, response, recovery, and post-incident assessment that drives genuine improvement. 

The C-suite’s role across that cycle is not operational — it is accountability, oversight, and intervention when the situation demands it. That requires genuine visibility at each stage: 

  • enough familiarity with the exercise programme to know whether it is building real capability; 
  • enough situational awareness during a live event to act within the decision window rather than after it;
  • enough engagement with post-incident assessment to ensure lessons actually close the loop into the next planning cycle rather than sitting in a report that no one acts on.

PwC’s Global Crisis and Resilience Survey identified C-suite sponsorship as the first structural requirement for a successful resilience programme — yet only a third of enterprise resilience programmes are sponsored by the CEO. The governance table above helps explain why. A leadership role defined as re-entering during escalation is not a sponsorship role. It is a response role. The two are not the same, and conflating them is how organisations end up with preparedness programmes that are nominally supported at the top and genuinely owned by no one.

For the C-suite, the infrastructure that closes that gap means:

  • instant notification when an incident is declared;
  • immediate situational awareness without waiting for a filtered briefing;
  • a time-stamped log of every decision and action taken as it happens;
  • custom reports for governance, regulatory, and board audiences, generated from the live record rather than reconstructed afterward;
  • a hierarchical view of all active incidents, with the ability to toggle between them, so that oversight across the full response network is immediate;
  • and when the incident closes, the complete record feeds directly into post-incident review — the foundation for the next cycle of planning and preparation.

As the governance and accountability demands on the C-suite continue to grow, the organisations that build resilience will be the ones that build the infrastructure and drive best practices through their own initiatives.

Because each and every decision matters.
