By Chad Robbins, Chief Customer Officer
When a crisis hits, most organizations discover something uncomfortable: their “plan” isn’t the problem. Execution is. And execution is rarely a technology gap. It’s a leadership gap: specifically, a gap in accountability.
In the moment, accountability is not a slogan or a value on a wall. It’s a set of behaviors that determine whether teams act with speed and cohesion, or hesitate and fragment. It shows up in who owns decisions, how information moves, how tradeoffs are made, and whether leaders follow through after the incident ends.
For regulated organizations, especially financial institutions, accountability is also inseparable from operational resilience. Supervisors increasingly evaluate whether firms can prevent, adapt to, respond to, recover from, and learn from disruption, not simply document policies and present evidence after the fact.
So what does a culture of accountability actually look like in crisis response? And how do leaders build it without turning crisis management into bureaucracy?
Accountability isn’t blame. It’s clarity.
In many organizations, accountability gets conflated with blame. In crisis response, that’s a dangerous misunderstanding.
A culture of accountability is built on clarity:
- Clear ownership of critical decisions
- Clear authority to act
- Clear expectations for communication
- Clear follow-through on improvements
Emergency management frameworks have long emphasized “unity of command” for a reason: in high-stress situations, ambiguity multiplies risk. The Incident Command System (ICS), for example, is designed to create clear roles, consistent structure, and coordinated action across teams, because clarity is what enables speed.
In the enterprise, the same principle applies. If everyone is responsible, no one is responsible. Accountability starts by making responsibility visible.
Lesson 1: Define decision rights before the incident
In most crises, the early minutes are lost to one question: Who decides? Not because teams are unmotivated, but because decision rights were never explicit.
High-performing response organizations define decision rights in advance:
- Who can declare an incident?
- Who can approve customer communications?
- Who can authorize a workaround that trades cost for speed?
- Who can escalate to executive leadership?
- Who owns third-party engagement when a supplier is the root cause?
This is not about creating red tape. It’s about preventing confusion when the cost of hesitation is highest.
For financial services, these questions are now tied directly to resilience outcomes and supervisory scrutiny. UK regulators describe operational resilience as the ability to prevent, adapt, respond to, recover from, and learn from disruption, language that implicitly demands decision clarity and governance discipline.
What to do now
- Map your “top 10” response decisions (incident declaration, customer comms, vendor escalation, regulator notification, service restoration priority).
- Assign a primary owner, a backup, and an escalation path for each.
- Make those decision rights part of your incident management and crisis management runbooks, not tribal knowledge.
Lesson 2: Make accountability operational with roles, not heroics
During major incidents, heroics are common and risky. Organizations that “win” crises don’t rely on one expert pulling an all-nighter. They rely on repeatable roles.
Research on leadership during critical incidents emphasizes the importance of approachability, listening, and soliciting feedback, traits that enable teams to surface problems early and coordinate more effectively under pressure.
In enterprise terms: accountability is strengthened when leaders structure response so that people can do their jobs without guessing what others are doing.
What to do now
- Establish role-based response patterns (Incident Commander, Communications Lead, Technology Recovery Lead, Business Service Owner, Third-Party Lead).
- Create “two-in-a-box” coverage for critical roles to prevent single points of failure.
- Train and rehearse roles in tabletop exercises and scenario testing, not just once per year.
This is where business continuity management and disaster recovery stop being documentation exercises and become real capability.
Lesson 3: Replace “status theater” with shared situational awareness
Many crisis calls devolve into status theater: long updates, conflicting narratives, and no shared view of what’s true. Accountability collapses when the facts are unclear.
Leaders can’t drive accountable execution without:
- A single source of truth for incident state
- Clear linkage from incident impacts to business services
- Visible dependencies (systems, suppliers, people)
- Time-stamped actions and decisions
In operational resilience terms, this is the difference between “we think we’re fine” and “we can show what’s impacted, what’s being done, and what success looks like.”
For regulated firms, cross-border ICT dependencies and third-party concentration risk can make situational awareness exponentially harder, especially when vendor data lives in one system, service maps live elsewhere, and evidence is scattered.
What to do now
- Tie incidents to business services and impact tolerances (where relevant).
- Capture decisions as events (who decided, when, based on what information).
- Integrate third-party risk management data so supplier incidents aren’t handled in isolation.
This is also where integrated GRC management software and operational resilience software become a strategic advantage: they reduce fragmentation that otherwise undermines response.
Lesson 4: Institutionalize learning with disciplined after-action reviews
Most organizations do a post-incident review. Fewer do one that actually changes behavior.
The point of an after-action review (AAR) is not a transcript of what happened. It’s to produce:
- A small number of high-confidence lessons
- Clear owners for remediation
- Deadlines and tracking
- Evidence that change occurred
Harvard Business Review has emphasized improving after-action reviews so teams can learn from both failure and unexpected success, because repeating mistakes is often a review-quality problem, not a people problem.
In cyber incident response guidance, NIST similarly recommends a lessons-learned process after major incidents to review effectiveness and identify improvements.
Accountability culture is built when AARs are treated as operational work, not optional reflection.
What to do now
- Standardize AARs with a consistent template and meeting cadence.
- Track actions through remediation workflows (not email threads).
- Report closure status to leadership, not just the incident summary.
This is one place where audit management and compliance teams can help: when improvements are tracked with evidence, you reduce both operational risk and audit friction.
Lesson 5: Create “evidence on demand” as a leadership standard
During crises, you’re not only responding to the disruption, you’re responding to scrutiny. Boards, regulators, and customers will ask: What did you know, when did you know it, and what did you do?
A culture of accountability creates evidence as a byproduct of execution:
- Incident timelines
- Decisions and approvals
- Communications
- Vendor engagement records
- Test results and control performance
- Recovery outcomes
That’s essential as supervisors raise expectations around operational resilience and preparedness. For example, the FCA has published observations and insights on firms’ preparations and expectations approaching key operational resilience milestones.
“Evidence on demand” should not require a manual scramble. It should be built into how work gets done.
What to do now
- Design response workflows that capture evidence automatically.
- Link incidents to controls, KRIs, and corrective actions.
- Maintain a searchable, structured incident library to support ongoing assurance and regulatory conversations.
This aligns directly with what many organizations are aiming for: stronger compliance, incident management, operational resilience, and third-party risk management without expanding headcount.
Lesson 6: Accountability is cultural, but it’s enforced through governance
Culture is shaped by what leaders tolerate and what they measure.
In regulated financial services, accountability is also reinforced through governance structures. Industry guidance has noted how senior management accountability frameworks connect operational resilience ownership to executive roles.
Even outside financial services, the principle holds: resilience programs fail when accountability is diffuse.
What to do now
- Assign executive sponsorship for operational resilience and crisis management.
- Require quarterly review of high-impact incidents and remediation progress.
- Tie resilience outcomes to leadership objectives (not just operational teams’ scorecards).
How CLDigital supports a culture of accountability
Accountability requires more than good intentions. It requires an operating model where information, decisions, and actions are connected.
CLDigital helps organizations strengthen accountability by unifying the elements that typically fragment during crises:
- Business continuity and disaster recovery planning
- Incident management and crisis management workflows
- Dependency mapping across business services, systems, and vendors
- Third-party risk management and vendor risk management oversight
- Evidence capture, reporting, and audit readiness
When these capabilities live in one platform, response becomes more disciplined:
- Ownership is explicit
- Decisions are traceable
- Actions are tracked through completion
- Lessons learned flow into measurable improvement
That’s how organizations move from crisis response as improvisation to crisis response as a managed capability.
The standard is rising and accountability is the differentiator
Technology failures, vendor outages, cyber incidents, and operational disruptions will continue. The differentiator is not whether you experience disruption. It’s whether your organization responds with clarity and improves with discipline.
A culture of accountability is the foundation:
- Clear decision rights
- Role-based execution
- Shared situational awareness
- Learning that changes behavior
- Evidence on demand
Resilience is built in what happens after the incident as much as during it. The organizations that lead in resilience don’t just recover. They learn, improve, and demonstrate progress, consistently.
That’s the kind of accountability regulators respect, boards rely on, and customers can feel.