Crisis is no longer a rare event. From ransomware attacks and regulatory shocks to activist investors and CEO departures, boards today operate in an environment defined by volatility and disruption. PwC’s recent memorandum, “Being Prepared for the Next Crisis,” highlights the importance of boards adopting a proactive approach to resilience and oversight. However, while directors bear the primary responsibility for governance, a Chief Compliance Officer (CCO) plays a distinct role: ensuring that the board is informed, equipped, and prepared to respond effectively.
The CCO is often the organization’s “early warning system,” translating risks from the operating level into insights for the board. In a crisis, this role becomes magnified. The CCO must help the board anticipate threats, stress-test plans, and avoid the common pitfalls that derail effective responses. Today, we will explore how CCOs can adapt the PwC framework into a playbook to guide the board through the crisis preparedness lifecycle.
1. Before the Crisis: Embedding Compliance into Resilience Planning
The best crisis plans are living documents that are constantly updated, tested, and integrated across all functions. For CCOs, the challenge is to ensure compliance and ethics considerations are built into those plans from the start.
The CCO’s Role:
- Cross-functional integration. Ensure that the compliance function sits at the crisis planning table alongside risk, legal, and operations. Issues such as bribery, data privacy breaches, or third-party misconduct can escalate into crises if left unaddressed.
- Scenario planning. Push for tabletop exercises that include compliance scenarios—not just cyber breaches. A dawn raid by regulators, whistleblower allegations, or sanctions violations should all be tested with the board. Most boards are fixated on cyber exercises (81%) while under-testing activist campaigns, fraud investigations, and geopolitical risks. The CCO can broaden that scope.
- Defining escalation triggers. Collaborate with management and the board to define when compliance issues rise to the level of a board crisis. For example, a government subpoena, a major third-party red flag, or media exposure of misconduct should be predefined as triggers for immediate notification to the board.
By embedding compliance into resilience planning, the CCO ensures that ethical and regulatory risks are not afterthoughts but central to the crisis playbook.
2. During the Crisis: Supporting the Board’s Oversight and Communications
Once a crisis hits, speed and clarity are critical. Work to avoid pitfalls such as “leaping before looking,” minimizing the problem, or losing credibility with stakeholders. Here, the CCO becomes the board’s translator and truth-teller.
The CCO’s Role:
- Facts over speculation. Ensure that communications to the board are grounded in verified information. If facts are incomplete, emphasize transparency about what is known and what remains to be investigated.
- Maintaining authenticity. Compliance leaders are custodians of corporate values. During crisis communications, the CCO should challenge management if the messaging strays from the organization’s ethical commitments. As PwC notes, stakeholder trust depends on alignment with company values.
- Stakeholder inclusivity. Understand the importance of addressing all stakeholders, not just the loudest. The CCO should ensure employees are included in the communication strategy. In many crises, employees are both victims and messengers. If left uninformed, they can become sources of rumor or disengagement.
The CCO also helps the board resist the temptation to downplay severity. Regulators and investors are unforgiving of minimization. Credibility, once lost, is difficult to recover.
3. After the Crisis: Driving Root Cause Analysis and Continuous Improvement
The PwC framework underscores the importance of post-event reviews, root cause analysis, and continuous improvement. For CCOs, this is where compliance expertise shines.
The CCO’s Role:
- Independent assessment. If misconduct or governance failures triggered the crisis, the CCO should advocate for independent investigations to determine the cause. This not only ensures credibility but also demonstrates the board’s seriousness in remediating gaps.
- Root cause focus. Compliance officers are trained to ask “how and why.” A surface-level review, examining what happened and the actions taken, overlooks the deeper cultural or control weaknesses that enabled the crisis to occur. Without addressing these, organizations remain vulnerable.
- Policy and training updates. Post-crisis reviews should feed directly into compliance programs. If a whistleblower report was ignored, revise reporting protocols. If a sanctions violation occurred, strengthen third-party screening.
- Board education. Provide directors with debriefs on regulatory trends that emerged during the crisis. For example, if a DOJ enforcement action shaped the company’s response, explain the broader implications for future oversight.
By institutionalizing lessons learned, the CCO helps the board convert a painful episode into a competitive advantage.
4. The CCO as the Board’s Crisis Sherpa
PwC notes that boards must balance guiding management while not being overwhelmed themselves. In practice, this requires a trusted advisor who can translate complexity, cut through the noise, and flag issues that rise to governance levels. That advisor is often the CCO.
The CCO’s Role:
- Regular briefings. Establish quarterly “crisis readiness” updates for the board, led by compliance. These sessions review recent regulatory developments, whistleblower trends, and geopolitical risks.
- Committee alignment. Work closely with the audit or risk committee to ensure that crisis oversight responsibilities are clearly defined and understood. In some cases, a compliance liaison may be designated to report directly to the board during a crisis.
- Tone from the top. Model ethical courage in board communications. If executives resist disclosure or push spin, the CCO must be willing to articulate the risks of opacity. The board relies on the unvarnished truth, even when it is uncomfortable to hear.
The CCO, in essence, becomes the board’s crisis sherpa: guiding directors through treacherous terrain with foresight, facts, and fidelity to values.
5. A CCO’s Checklist for Board Crisis Preparedness
To translate this into action, here’s a compliance-focused checklist adapted from PwC’s recommendations:
- Ensure crisis plans are compliance-inclusive. Integrate regulatory, ethical, and third-party risks into enterprise crisis planning.
- Broaden board exercises. Advocate for tabletop simulations that extend beyond cyber—encompassing fraud, sanctions, whistleblower events, and activist campaigns.
- Define escalation triggers. Codify the process for escalating compliance issues to the board.
- Champion transparent communication. Push for fact-based, values-aligned messaging during crises.
- Include employees. Make internal communications as robust as external messaging.
- Drive post-crisis reviews. Lead root cause analysis and ensure findings inform compliance program updates.
- Educate directors. Keep the board informed about current regulatory expectations and cultural red flags.
Preparing the Board for the Crisis That Hasn’t Happened Yet
As PwC observes, a crisis is no longer hypothetical; it is cyclical. Boards that prepare systematically will emerge stronger. But preparation is not solely the task of directors or management. The Chief Compliance Officer must bridge the gap by embedding compliance into resilience plans, guiding directors during responses, and ensuring that lessons are institutionalized after the fact.
The next crisis will come. We don’t know whether it will be a cyber, regulatory, or reputational issue. But we do know this: the boards that succeed will have a compliance leader at their side, someone who combines regulatory expertise with cultural insight, and who can guide directors through the storm with clarity and integrity.
That is the CCO’s role. And it may be the most important contribution compliance makes to long-term corporate resilience.
