
The Role of Boards in Critical Incident Management



Boards play a critical role in overseeing an organisation’s readiness for, and response to, critical incidents. While the degree of board involvement will depend on organisational size, risk profile and the board’s terms of reference, several responsibilities are relevant across most critical incident contexts.

One such responsibility is major decision making. During a critical incident, the Critical Incident Management Team (CIMT) should be empowered to lead the strategic response and make the majority of time‑critical decisions. However, certain matters carrying significant strategic, financial, reputational or legal implications may require escalation to the board. These should be decisions that allow sufficient time for deliberation and are supported by clear CIMT recommendations. Examples include decisions relating to cyber‑ransom demands, significant unbudgeted expenditure and pausing or ceasing essential operations.

Boards also perform an important assurance function. CIMT Leaders should brief the board on critical incidents to maintain transparency and allow board members to satisfy their oversight obligations without disrupting the response effort. Often it is appropriate for the CIMT Leader to brief the Board Chair directly, so that the board remains informed without unnecessarily slowing the CIMT’s response.

Finally, boards have a vital governance role in ensuring the organisation is genuinely crisis‑ready. This includes setting expectations for regular critical incident management capability assessments and robust exercises, as well as receiving briefs on how gaps are being addressed. Organisations often assume they are effective at crisis response without a broad, evidence‑based assessment of their capabilities. Boards are uniquely positioned to reinforce accountability and ensure the organisation’s framework, people, and processes are prepared to mitigate major harm.

Board members can consider these prompts when carrying out their assurance responsibilities in the critical incident management context:

 -  Communication protocols: Clear rules for board–executive communication help to prevent confusion, duplication, or unhelpful interference in the incident response.

 -  Stakeholder expectations: Boards should understand what customers, regulators, partners and the public expect from the organisation in the event of a critical incident and ensure the existing capability reflects these expectations.

 -  Readiness: Successful management of a single incident is not evidence of an effective critical incident management capability. Boards should gather evidence of a robust capability.

 -  Post‑incident learning: Boards should sponsor thorough post-incident reviews and ensure lessons translate into sustained improvements.
