Blog

Calm Before the Storm: Building Crisis Resilience for Boards and Management Teams

Management Liability

Lenin Lopez, Esq.

Jan 15, 2025

12 minutes

Corporate crises happen—and that means we have to plan for them. While it isn’t practical to prepare for every possible corporate crisis, there are steps that boards and management teams can take to be better prepared. In this week’s blog, my colleague Lenin Lopez shares insights and a few strategic considerations to help boards and management teams create a level of crisis resilience at their respective companies. – Priya Huskins

Corporate crises for public companies come in several different flavors. While significant cybersecurity breaches, accounting fraud, and product safety issues tend to dominate the headlines, others may have an even greater likelihood of blindsiding organizations. Think the sudden death of a key executive, sexual harassment claims made against individuals in the C-suite, or natural disasters. In any of these examples, preparation is the key to effectively managing through the crisis and helping limit corporate and individual exposure to liability.

This article will:

Briefly outline common types of corporate crises

Share an example of a company that effectively managed through a corporate crisis

Offer actionable strategies for boards and management teams to build crisis resilience before trouble strikes

Understanding Corporate Crises

Of course, boards and management teams will want to start by analyzing industry-specific corporate crises since these are more likely to impact their affiliated companies. For instance, a life science company could face a failed drug trial for its only drug, a tech company might struggle with antitrust violations, and a retail company could suffer from supply chain disruptions.

A number of corporate crises are not industry-specific. What follows is a breakdown of some of the more common industry-agnostic crises that may impact companies, with the promise of a later discussion of actionable strategies for boards and management teams to build crisis resilience.

Financial/Accounting Scandals: At the extreme are those instances involving fraud, where there is a deliberate misrepresentation or concealment of financial information. FTX comes to mind here.

Then there are financial snafus and/or breakdowns, like the one Macy’s had, that create a significant amount of noise. In Macy’s case, an employee intentionally made erroneous accounting accrual entries totaling up to $154 million.

Unexpected Executive Leadership Changes: Within this category come sudden and unexpected departures or deaths of a member of the executive leadership team.

Examples are the murder of UnitedHealthcare’s CEO and the untimely death of Bed Bath & Beyond’s CFO.
Executive Leadership Misconduct: This typically involves allegations that an executive has engaged in unethical behavior, like fraud or harassment.

Examples include Luckin Coffee’s firing of its CEO and COO as part of an internal investigation into sales fraud; the embarrassing resume-inflating scandal involving Yahoo’s former CEO that resulted in his quitting; and Orthofix Medical’s termination of its CEO, CFO, and chief legal officer after an independent investigation revealed that they engaged in “repeated inappropriate and offensive conduct” that violated the company’s code of conduct.
Operational Failures/Product Safety Issues: Included here are breakdowns in company processes, controls, or systems that have a detrimental impact on the company, as well as defects or product safety issues that harm consumers and lead to recalls, lawsuits, and reputational damage.

Boeing and its issues involving its 737 MAX aircraft are an obvious example. There is also McDonald’s with its recent challenges managing through an e-coli issue and software flaws involving Becton Dickinson’s infusion pumps. With Becton Dickinson, it’s important to note that the software flaws and related disclosures resulted in a $175 million civil penalty to settle charges the Securities and Exchange Commission (SEC) brought against the company for misleading investors.
Shareholder Activism: This typically takes the form of an investor and/or group of investors taking a large position in a public company only to push for changes in governance, strategy, or leadership. Shareholder activism can ultimately lead to significant management and board changes, as well as changes in strategy. It’s worth noting that while shareholder activism involving large market cap companies gets the majority of the headlines, the majority of activist campaigns involve small cap and microcap companies.

In 2024, we saw a record number of shareholder activist campaigns. One example that grabbed headlines involved Disney, which prevailed in one sense by keeping its board intact despite the activists pushing for the ousting of two directors. On the other hand, Disney did adopt many of the activist’s suggested strategic changes.

Now in 2025, we have Costco, which recently announced that it was choosing to maintain its diversity, equity, and inclusion (DEI) initiatives, bucking the trend of the likes of Walmart, Ford, Home Depot…the list goes on. As a result, shareholders filed a proposal asking Costco to end its DEI initiatives.
Cybersecurity Breaches: There are so many types to choose from, from significant data breaches, ransomware attacks, phishing, and social engineering to password attacks. When threat actors are successful, customer data, company data, and general business operations may be significantly compromised. Then there are the follow-on regulatory fines, lawsuits, and the loss of goodwill and trust from customers and other stakeholders.

For a list of recent companies that have reported cybersecurity breaches with the SEC on a Form 8-K under Item 1.05, see this resource from Debevoise & Plimpton. And for insights into cybersecurity-related issues, including insurance considerations, read our Cyber Notebook.

Interestingly, an event that becomes one company’s corporate crisis may be of less significance to another company that becomes subject to the same set of circumstances. The reason for the disparity? Many crises escalate due to delayed or inadequate communication, failure to meet stakeholder expectations, lapses in oversight, or a lack of preparation.

On the point about a lack of preparation in the context of shareholder activist campaigns last year, as noted above, 2024 was a record year. While it’s unclear whether every company that was the subject of a campaign was ready to manage through it, it’s unlikely that every company was buttoned up. Layer onto this that 27 CEOs resigned at companies that were targeted by activists and a question that comes to mind is if the company wasn’t prepared, why not?

Managing Through a Corporate Crisis

Examining how companies have managed through their corporate crises can provide crucial insights for preparing one’s own company to handle similar disruptions. Sometimes the lesson is what not to do. What follows is a discussion of a notable example involving Orthofix Medical, a company that got several things right.

Orthofix Medical: Ethical Misconduct and Executive Terminations

In September 2023, Orthofix Medical announced that it terminated its CEO, CFO, and CLO for cause. The company’s board made this decision following an investigation that revealed that “each of the executives engaged in repeated inappropriate and offensive conduct that violated multiple code of conduct requirements and was inconsistent with the [c]ompany’s values and culture.”

In response to the news, the market reacted; the company’s shares fell nearly 25%. A primary driver was likely the sudden change in leadership and concerns regarding company stability. This is despite the company having named interim leadership.

The nearly 25% drop in stock price was like blood in the water for plaintiffs’ firms. It didn’t take much more than a month from Orthofix’s announcement for the company to get hit with a class-action lawsuit alleging securities fraud and deceptive business practices, further impacting investor confidence.

From what we can glean from publicly available information, Orthofix did several things right:

Investigation Led by Outside Counsel: Likely intended to ensure a level of independence and protect the investigation under the auspices of attorney-client privilege, having outside counsel lead investigations relating to concerns of this magnitude can help protect the company should it become the subject of litigation.
Decisive Action by the Board: The seemingly immediate removal of the CEO, CFO, and CLO following the investigation demonstrated a commitment to upholding their corporate values and ethical standards.
Transparency: The board most likely publicly disclosed the reasons for the terminations and the steps taken, in part, to maintain investor and other stakeholder trust.
Immediate Announcement of Interim Leadership: Appointing experienced internal executives to interim positions helped ensure business continuity during the transition in finding permanent replacements.

One aspect some may take issue with was that the company provided limited details about the specific reasons for the terminations. This led to a significant amount of speculation in the press. To this day, there continue to be articles written about what these executives may have been terminated for.

As the company noted in its press release announcing the terminations, they were “unrelated to and do not impact the [c]ompany’s strategy, results of operations or previously filed financial statements.” From a strictly business and operational perspective, that’s all that needs to be said. Besides, Orthofix likely expected the executives to challenge this in court. Sure enough, they did.

Orthofix’s handling of the executive misconduct crisis highlights the importance of decisive action, transparency, and forethought in terms of what would likely materialize into future litigation.

Preparation Considerations for Boards and Management Teams

Corporate crisis resilience is built on effective preparation. Ideally, boards and management work together to anticipate risks, establish response plans, and foster a culture of resilience. That said, the roles of each are distinct. Below are steps boards and management teams can take to lay the groundwork for effective crisis preparedness and/or pressure test what they currently have in place.

Action Items for Boards: Oversight of Crisis Preparedness

Remain Informed of Risk Assessments and Mitigation Efforts. To help effectively carry out their fiduciary duty of oversight, boards or standing committees with oversight responsibility for risk, like the Audit Committee, will ideally receive periodic updates about company-specific risks and emerging risks that could lead to corporate crises.

These briefings allow boards to ask their management teams which risks are more likely to materialize than others. Identifying vulnerabilities and evaluating their likelihood and impact can help when determining where a company may want to dedicate effort and expense in risk mitigation—including what risks may require building out specific crisis response plans.
Evaluate the Company’s Crisis Response Capabilities. Again, while companies should not be expected to have a crisis response plan for every potential corporate crisis, it’s a good idea for them to have gone through the effort of creating at least one plan or simulating a crisis to see how they might fare.

A simple way to inspire the need to develop a crisis response plan where none exists is for the board to ask management how it would respond to the company’s more significant risks if they were to materialize.

A good crisis response plan isn’t one developed on the fly when the board makes an inquiry—or as an actual crisis unfolds. A good crisis response plan includes prescribed steps and procedures the company should follow, including escalation procedures and clear roles for both the board and management.
Participate in Tabletop Exercises. There is no replacement for scenario-based tabletop exercises when it comes to stress-testing a company’s crisis response plans. These are typically led by a law firm or other outside service provider. The exercise can be eye-opening in terms of how well prepared (or not) a company is at effectively responding to a crisis. While many companies are now doing these routinely for cyberattacks, it would be imprudent to limit your tabletop exercises to just this one corporate risk.

Boards would be well served to participate in at least one tabletop exercise. By participating, the board can refine the cadence at which it is brought into situations. Moreover, this can further enhance overall preparedness and help identify gaps in decision-making processes, both at the management and board levels.

Action Items for Management: Building and Maintaining Organizational Crisis Preparedness and Resilience

Develop and Regularly Update Crisis Response Plans. As noted above, developing crisis response plans is a critical element to effectively responding to crises. While a company may only have a need and/or time to maintain a handful of different crisis response plans or just a framework that includes a response team to help oversee a crisis response, companies should periodically revisit these plans to ensure that they remain appropriate for the current state of the business and associated risks.
Establish Crisis Response Teams. Dedicated crisis response teams, or at least one team, should be identified and trained to handle corporate crises. These teams typically include senior members of management, representatives from Legal, Investor Relations, Communications, Human Resources, and external consultants and advisors. Notably, these teams may potentially include members of the board, especially if the topic relates to members of management (e.g., ethical conflicts and/or breaches).

With respect to external consultants and outside advisors, those you work with on day-to-day business activities may not have the capabilities you need to address a particular crisis. Think of bet-the-company-type crises, like when a company becomes the focus of an activist investor campaign or becomes the victim of a major cybersecurity breach. Interviewing and vetting of consultants and outside advisors is best reserved for when a company isn’t in the midst of a crisis.
Test Crisis Response Plans. The testing of crisis response plans doesn’t necessarily need to be performed via a tabletop exercise led by a law firm or other outside service provider. This testing can also be done by methods involving less pomp and circumstance, like conducting structured interviews of members of the crisis response team to measure their readiness and understanding of the plans.

Resources for Corporate Crisis Management Preparation

For boards and management teams in search of resources to help in their corporate crisis management preparation journey, here are two:

Wachtell, Lipton, Rosen & Katz offers strategic insights for companies in a set of corporate crisis management-related documents.
Cleary Gottlieb publishes a global crises management handbook, which is designed as a reference to help in preparing for a crisis, spotting issues, and avoiding common mistakes at the outset of a crisis.

Parting Thoughts

Effective crisis management begins well in advance of an actual crisis. As noted above, a key to creating corporate crisis resilience is preparation by a company’s board and management team. With the considerations outlined above, as well as the noted resources, boards and management teams have a great place to start or continue corporate crisis resilience conversations within their organizations.