No longer a ‘nice to have’
When a crisis strikes, business leaders rarely have the luxury of complete information or perfect timing. Decisions must be made quickly, often under intense scrutiny, guided not only by operational priorities but by an organisation’s values, principles and appetite for risk.
Whether triggered by a cyber attack, regulatory issue or reputational challenge, such moments test not only an organisation’s preparedness but the quality of the leadership and experience brought together to shape its response.
While the timing of these events may be unpredictable, effective crisis leadership rarely is, and increasingly that depends not only on technical expertise but on bringing together a breadth of experience to guide decision-making under pressure.
As Soteria founder Lynne Capie points out, there is never a good time for a crisis, “crises always happen at the most inconvenient time.” But this, she quickly adds, is no coincidence. How businesses respond in those moments, she says, depends as much on who is around the decision-making table as on the plans themselves. “Cyber criminals, in particular, will always target businesses when they think people’s attention will be focused elsewhere,” said Lynne, whose business specialises in incident and crisis planning and communications across a range of high-risk scenarios, from cyber attacks to regulatory, reputational and operational incidents.
“They may strike during a particularly busy trading period or on a bank holiday or while a major event is taking place, and they expect the business to be operating with a skeleton team,” she said. That, combined with the evolving sophistication and ever-increasing frequency of attacks, makes it, she adds, even more important that businesses not only have robust and tested incident response plans in place but also have a crisis management team made up of diverse expertise, whose members are able not just to recover the systems but also to deliver an instant, well thought out, people-focused response.
While crisis management teams may traditionally have comprised a certain set of roles, Lynne, who is also a partner at Switch Digital and founding partner of strategy company Alchemy, says that diversity is essential.
“Some people may still regard a cyber attack as a technical issue but ultimately they are managed by people, just like regulatory breaches, reputational issues or leadership crises and they impact people even before they impact profits,” she said. That human impact, she explains, is precisely why crisis response cannot sit solely with technical specialists. “It’s vital, in the context of risk and decision making when it comes to crisis management, that businesses have diversity of expertise around the table, and alongside people who can manage the technical side we also have people experienced in understanding how the incident will affect the company’s markets, who know the voice of the client and how to communicate with their audiences.
“To manage risk effectively, you have to be able to see and understand the full picture and that only comes through diversity of experience. When you prepare for a crisis or incident, if you are not thinking about having that plurality of thought around the table, then you are setting yourself up to fail.”
Stressing that crisis management is the responsibility of everyone within that leadership group, Lynne adds that to ensure an effective response, planning and training are essential. Crucially, that preparation must involve more than operational planning; it requires input from across a business’s leadership to reflect how a crisis will affect customers, employees and stakeholders alike.
“Having a plan to mitigate the impact of a crisis is no longer ‘nice to have’,” she said. “It is critical to the stability and success of the business. Companies have to assume that they will be attacked, or affected by an incident, at some point and therefore they have to be equipped to deal with that eventuality.”
Underlining this point, Lynne highlights the direct costs incurred by some high-profile businesses which suffered cyber attacks last year. “To put the cost of these risks into context, the attack on Marks & Spencer last Easter is reported to have cost the business around £136m in incident response, system restoration and legal and professional fees,” she said. “That doesn’t take into account the loss of sales experienced as a result of the incident. Similarly, the cyber attack on Jaguar Land Rover in September cost the business approximately £196m.”
Incidents of this scale demonstrate not only the financial risks organisations face, but the breadth of expertise required to simultaneously manage the operational, regulatory and reputational risks.
Overall, she adds, the Cyber Monitoring Centre in the UK has estimated that the cost of cyber attacks to the country’s economy was £1.9bn last year. “And that’s just cyber,” she said. “The geopolitical and global financial environment are constantly creating new challenges, and as incidents are becoming more prolific, more ferocious and having greater financial impacts on businesses, it is even more incumbent on leaders to know how to respond in a crisis situation.”
This, Lynne adds, comes back to having a rehearsed plan in place. Those plans are most effective, she notes, when shaped by people who understand different parts of the organisation and its audiences.
“If people know there is a plan and understand their role, they will feel more comfortable responding to a situation, whether that is a cyber attack, a regulatory breach or the behaviour of a senior staff member which might cause reputational damage to the company,” she said. “That is why we work with teams to help them draw up incident response plans and attend simulations, so that when a crisis happens, they are ready and understand not just what they have to do from a technical perspective but also who to bring in to ensure that the right expertise is around the table and understand how to communicate with client groups, communities and the media.
“Ultimately, whatever the crisis is, the leadership team should be able to refer to the company’s incident response plan and communication playbook, make a quick judgment about whether the plan might need to be adapted in response to the specific scenario, make sure the right, diverse, group of people is around the table and ensure that the planned response aligns with the company’s risk tolerance and governance principles. Then it is a case of communicating and implementing the plan quickly and effectively.”
In the absence of such a plan, Lynne says businesses need to “get the experts” into the room really quickly. “That doesn’t just apply to people from within the organisation,” she warned. “At Soteria, every time we respond to an incident, we learn something new. That could be different tactics deployed by the perpetrator, new technology or a new approach, so we bring that evolving knowledge and insight to every response.
“But effective crisis leadership relies on a broader ecosystem of expertise capable of responding to the wide range of incidents organisations now face. You also need technical experts who can look, from a forensic perspective, at what has happened, you need regulatory experts who can advise on the regulatory implications of a decision, you need legal experts who understand the laws within the relevant jurisdictions and you need communications experts who understand how an audience will respond to the messages you are putting out.”
While acknowledging that crises can take many different forms, from cyber incidents to regulatory investigations, operational failures or reputational challenges, Lynne says that having an incident response plan is a “good place to start”. Preparation is not simply about systems and processes; it is about ensuring the right mix of experience and perspectives is involved from the outset.
“Organisations such as the Jersey Office of the Information Commissioner and the Jersey Cyber Security Centre provide lots of free, practical advice and have teams of experts ready to answer questions,” she said.
“The first thing any business that doesn’t already have an incident response plan in place should do is make one and make sure that people understand their roles and responsibilities and are skilled to execute that plan.
“Rehearse those plans and make sure that when building your incident response team, you have different experiences, skills and thinking around the table. This isn’t about having gender representation but about having diversity across the board. Once that team has agreed what good would look like, the objectives the company wants to achieve and the principles to which it will work, that diverse thinking will be invaluable in reaching the best possible outcome.”
Ultimately, resilience comes not just from having a plan, but from ensuring the right voices and expertise are present to interpret, adapt and deliver it when it matters most.
Originally published in The Jersey Evening Post 10 March 2026.