The meeting room is tense yet silent. The chief operating officer has just reported the incident. Faces around the table tighten as they try to process the information. The first to speak is the CFO: “But is this really that serious? Let’s wait for more data before making any decision.” The general counsel considers: “We need to understand whether the responsibility is truly ours. It could be the supplier’s, the carrier’s, or a third party’s.” The CEO, under pressure from a results-driven agenda, closes the discussion: “Let’s not rush. It is not time to act yet. Let’s monitor.” Three weeks later, the case is in the press. Six months later, the company is negotiating a multimillion settlement. One year later, it is still trying to rebuild the trust of customers, investors, and regulators. I have seen this scene—across industries, sizes, and contexts—dozens of times over more than two decades working in crisis management, with a recurring pattern: the most common mistake is not the wrong decision, although that can also bring dire consequences, but the non-decision. It is very common to see patterns of denial among decision-makers in this first moment of emergency response. And these are not isolated cases.
According to PwC’s global survey on crises and resilience, 91% of organizations faced at least one significant disruption in the past two years (besides the pandemic), with an average of 3.5 crises per company in the period¹. A Deloitte study reports that 80% of organizations had to mobilize their crisis management teams at least once over the past two years². Crisis, therefore, is not an exception. It is part of corporate reality. The question is how and when you respond to it.
The three faces of denial
Denial rarely shows up as an explicit refusal. It is more subtle and therefore more dangerous. In my experience, it takes three distinct forms that often combine. The first is denial of severity. “This is not that serious.” It is the most common. The company already recognizes it is in the problem but underestimates its scale. There is a natural tendency to believe the situation is under control, that the fallout will be contained, that the worst-case scenario is unlikely. The problem is that crises do not follow the logic of the most likely scenario but rather the logic of the possible scenario. And when the possible materializes, the window for action has already closed. The second is denial of timing. “It is not time to act yet.” It is akin to the first, but with an important nuance: here, severity may even be acknowledged, but there is a belief that waiting will bring more clarity, but it often brings more exposure. In crisis management, there is a maxim that many leaders struggle to internalize: not communicating is already communicating. Silence is read and speaks volumes, inaction is interpreted and reverberates in whatever way it was interpreted, even if mistakenly. While the company waits, the narrative is being constructed by others, without participation.
The third is denial of responsibility. “This is not on us.” It is the most dangerous. When the first reaction is to look for a third party to blame—the supplier, the partner, the regulator, the customer—the company adopts a defensive stance. Depending on the context, a defensive stance can turn an operational problem into a reputational crisis. I have seen companies that, even without clear responsibility, paid a very high price for appearing indifferent. And I have seen companies that, by taking the lead in situations where responsibility was debatable, preserved their reputation precisely because they did not hide behind technicalities. The pattern repeats across sectors: organizations that minimized technical failures and sought external culprits; leaders who treated systemic problems as isolated incidents; companies that waited for public pressure to force a response that could have been voluntary. The script is familiar and so is the ending.
Why we deny
Denial is not a character flaw. It is a cognitive bias—predictable, human, and almost universal. The first people to learn about a problem are usually those closest to it and, therefore, those most exposed: the manager who oversaw the operation, the director who approved of the procedure, the executive who signed the contract. These are people who, in the face of the incident, have something to lose, whether their reputation, position, or career. This personal exposure skews how the situation is read. This does not necessarily happen out of bad faith but through a protection and self-preservation mechanism that operates below the level of consciousness. It is the blind spot. The person driving cannot see what is in the blind angle. In crises, the blind spot is precisely where the risk nobody wants to see resides. That is why governance matters. Although it is often seen as unnecessary, bureaucratic, a mere formality, in fact, when well run, it operates as a mechanism that forces recognition of the situation and places the interests of the company and its continuity above the individual interests of those involved.
Crisis committees with clear triggers exist so that the situation is evaluated by people who are not directly involved with the problem and who, precisely because of that, have the distance needed to ask the hard questions, keeping the lens strategic and aimed at institutional continuity rather than personal, conditioned by the individual exposure of those who may be held liable. The question must stop being “how does this affect me?” and become “how does this affect the organization and what do we need to do about it?” Data, however, reveal a troubling gap between perceived readiness and reality. Deloitte found that although 90% of organizations declare themselves confident in their ability to respond to a corporate crisis, only 17% test this capability³. This gap between confidence and real preparedness is precisely the terrain where denial thrives.
The cost of inertia
Crises have a cruel characteristic: time works against you, and with each hour of inaction, the cost rises. The numbers are eloquent. According to the Crisis Index 300, a comprehensive analysis of 300 reputational crises over four decades, companies’ stocks fall, on average, 35.2% after a crisis and take 425 days to recover to pre-crisis levels⁴. The same study shows that crises result in an average 68.6% drop in earnings per share (EPS), destroying billions in shareholder value. In 121 of the cases analyzed, the share price never recovered, and 33 of those companies ended up leaving the market through bankruptcy, acquisition, or going private⁵. Aon and Oxford Metrica estimate there is an 80% chance a company will lose at least 20% of its market value in any five-year period due to the impact of a crisis on reputation, and in each case researched, the value loss was sustained over time⁶. Deloitte, in turn, notes that companies suffering severe reputational damage can lose as much as 30% of their market value in a matter of days⁷.
The first cost, therefore, is reputational. It is the most intangible, but also the one that unfolds into very concrete consequences. Reputation affects the ability to operate, to finance, to retain talent, to maintain contracts. A company that loses market trust does not lose only image; it also loses business. And rebuilding is slow, uncertain, and expensive. Experience shows that recovering from an ignored or poorly managed crisis is much harder and costlier than confronting it in an organized and structured way. According to Deloitte’s research, 70% of board members said their organizations took up to three years to rebuild their reputation after a crisis; for 10% of companies, recovery took more than four years⁸.
The second cost is direct financial. I have seen situations where the delay in acting resulted in account freezes, suspension of operations, and bans on operating in certain segments. What could have been resolved with a swift and coordinated response turned into prolonged litigation, onerous settlements, and forced restructuring. The third cost is the opportunity cost. When the company does not act, others act for it—regulators, the press, social media, competitors—and, worse, without its ability to participate in constructing that narrative. The narrative will be told, and whoever starts first sets the framing and tone. Those who arrive later chase the story and must adapt to the boundaries that were already set. Here a crucial point emerges: response time matters greatly. Studies indicate that companies that respond within the first 24 hours of a crisis are 40% more likely to minimize reputational damage⁹. IBM’s Cost of a Data Breach Report 2023 showed that data breaches contained in less than 200 days cost, on average, USD 1.26 million less than those that extend beyond that period¹⁰. Deloitte notes that organizations with predefined incident response teams save 35% more in crisis-related costs than those that improvise¹¹. I often use this image to illustrate the point: in certain situations, you need to fight to keep the toothpaste from leaving the tube, because once it is out, it is impossible to put it back in. The moment to act is before. Afterwards, as the data show, all that remains is damage control.
The function of Legal as part of the solution
There is a pattern I observe with concern: Legal is often called to the table when the crisis is already underway. The initial decisions—those that set the tone, posture, and timing—have already been made. Legal is then left to deal with the consequences of choices over which it had no influence. The problem is that once a crisis sets in, every decision has a legal dimension: the company’s liability, the civil and criminal exposure of decision-makers, the risk of actions by regulators, the Public Prosecutor’s Office, and the courts. What is communicated, and how, can be used in proceedings, investigations, and negotiations. Legal that is not in the room from the outset arrives to put out a fire whose scale it did not help define. But Legal can do more than react.
It can lead the construction of a governance system that protects the company, because it ensures coordinated and informed responses; it protects executives, because it creates records of diligence and reasoned decision-making; it protects Legal itself, because it establishes its role from the start—not as a firefighter but as the architect of the response. This means proposing, before the crisis hits, a minimum structure: clear escalation triggers, committees with defined roles, communication protocols, and stakeholder mapping. It does not need to be complex. It needs to exist and be known, because when the incident happens, there is no time to design the process; it must be ready to be activated. There is an additional, less obvious benefit: governance protects Legal from a politically delicate position. Disagreeing with leadership in the middle of a crisis is hard. There is hierarchy, pressure, and urgency. But if there is a previously approved protocol, Legal is not disagreeing, it is applying what was collectively decided. Governance depersonalizes conflict and allows rationality to prevail over reactivity.
One take away question
Every organization has its culture, structure, and risk appetite. There is no single model of crisis governance. But there is one question every leadership team should be able to answer: If a serious incident happens tomorrow, does your organization today have a structure that allows it to recognize the problem and act before it becomes inescapable? If the answer is “I don’t know” or “probably not,” the moment to build that structure is now, not when the crisis arrives. Because when the crisis arrives, the only question that matters is: what to do? Crisis governance is not about predicting the unpredictable. It is about ensuring that, when the unpredictable arrives, there is a path to cross it—with awareness, coordination, and dignity. And that, indeed, can be built.
Notes
1 PwC, Global Crisis and Resilience Survey 2023. Survey of 1,812 executives across 42 countries conducted between September and November 2022.
2 Deloitte, Stronger, Fitter, Better: Crisis Management for the Resilient Enterprise, 2018.
3 Deloitte, A Crisis of Confidence, 2015.
4 SenateSHJ, Crisis Index 300, 2025. Analysis of 300 corporate reputational crises over 40 years.
5 Idem.
6 Aon and Oxford Metrica, Reputation Review, cited in Deloitte, Stronger, Fitter, Better, 2018.
7 Deloitte, study cited in The Cost of a PR Crisis, Sanguine Strategic Advisors, 2023.
8 Deloitte, A Crisis of Confidence, 2015.
9 Harvard Business Review, cited in HubSpot resource on crisis communication plans.
10 IBM Security, Cost of a Data Breach Report 2023.
11 Deloitte, cited in Sanguine Strategic Advisors, Data Breach Crisis Management, 2023.
