Has senior leadership publicly stated that crisis preparedness is a strategic priority?

Does the board or CEO actively champion crisis and reputation planning and allocate resources?

Is there a designated senior leader or sponsor accountable for crisis readiness?

Does leadership participate in crisis exercises and approve crisis-related policies?

Is the crisis management plan reviewed and updated at least annually?

Does the organization have a documented crisis management plan approved by leadership?

Are escalation protocols and decision authorities clearly documented for crisis situations?

Are there role-based checklists for common crisis scenarios (reputation, safety, cyber, regulatory)?

Do business continuity and rapid recovery plans exist for all critical functions?

Is there an active reputation-monitoring system (media, social, sentiment tracking)?

Are brand and reputation risks included in the enterprise risk register?

Are there predefined thresholds or triggers for when reputation issues escalate to the C-suite?

Has the organization developed messaging frameworks for likely reputation events?

Does the organization have an up-to-date crisis communication plan?

Are trained and media-ready spokespeople formally identified?

Are internal communication and escalation channels clearly established?

Are external communication templates available (press, regulators, partners)?

Are rapid notification systems (SMS, email, phone trees) functional and tested?

Do employees understand their crisis roles and receive role-specific training?

Are cross-functional crisis or incident-response teams established?

Have employees been trained on media and social media do’s and don’ts?

Are key HR policies (safety, reporting, employee support) aligned with crisis requirements?

Is there an updated stakeholder map with clear escalation pathways for priority stakeholders?

Does the organization maintain active relationships with regulators or sector bodies?

Are contact details and engagement protocols maintained for critical external partners?

Are after-action reviews conducted for incidents, with lessons integrated into operations?

Is there a process to track corrective actions and verify closure?

Does the organization conduct periodic drills and measure performance improvement?

Do critical IT systems have documented and tested recovery objectives (RTO/RPO)?

Are cyber incident response plans up to date and role-specific?

Are data privacy and third-party data risks regularly assessed and mitigated?

Are critical suppliers risk-assessed and supported with contingency plans?

Are alternative sourcing and continuity measures documented for critical operations?

Are legal and regulatory requirements integrated into all crisis plans?

Are insurance coverages and indemnities for crisis events reviewed and appropriate?