Harvard Law Forum’s latest crisis management framework catalogs financial instability, cyber threats, operational breakdowns, and reputational harm as external factors requiring board oversight. Absent from this comprehensive list: how boards themselves generate the conditions for organizational crisis.

The guidance positions directors as strategic overseers managing disruptive events. Financial distress gets framed as market volatility rather than capital allocation failures. Cyber incidents are treated as technology problems rather than governance gaps in digital oversight. Operational breakdowns appear as process failures rather than strategic miscalculations.

This framing protects a particular view of board accountability. Crisis management becomes risk mitigation rather than risk creation analysis.

Consider the pattern. Financial crises often trace back to boards approving excessive leverage, inadequate stress testing, or management incentives misaligned with long-term stability. Cyber incidents frequently follow from boards treating digital security as an IT issue rather than an enterprise risk. Operational failures commonly stem from boards accepting management’s rosy operational assessments without independent verification.

The Harvard framework acknowledges that boards must prepare for crisis response. Fair enough. But preparation without causation analysis misses half the governance equation.

Regulatory filings reveal this gap consistently. Crisis disclosures describe external shocks and management responses. Board minutes reflect oversight activities and committee diligence. Rarely does either document how board decisions contributed to organizational vulnerability.

The legal protection makes sense. Admitting causation invites litigation. But governance effectiveness requires an honest assessment of decision quality, especially decisions that amplify rather than mitigate enterprise risk.

Crisis management guidance typically emphasizes communication protocols, stakeholder management, and operational continuity. These are necessary capabilities. They’re also reactive measures that assume crisis inevitability rather than crisis prevention through better board practices.

My Boardroom Takeaway: Directors evaluating crisis preparedness frameworks should examine their own decision patterns for risk amplification. A useful exercise: review the last three significant industry crises and trace backward to board-level decisions that increased organizational exposure. Crisis management begins with crisis prevention, which begins with acknowledging boards’ role in creating organizational fragility alongside their role in managing external shocks.