2025: A Year Full of Crisis Preparedness and Response
The World Economic Forum’s Global Risks Report 2025 described an “increasingly fractured” world, with state-based conflict, climate disruption, political polarization and technological risks all intensifying at the same time. Geopolitical and international risk dashboards from 2Secure, BlackRock, KPMG and others show the same picture: conflicts are reshaping trade, energy and supply chains; national security concerns are now driving industrial and technology policy.
On the cyber side, we all know that attacks are growing in frequency and sophistication, with ransomware and AI-enhanced tactics now standard. Supply chain attacks in particular have exploded, with our datasets showing incidents more than doubling in 2025 compared to the previous baseline.
At the same time, CEO sentiment has been oscillating between cautious optimism and deep anxiety. Surveys from EY, JPMorgan, and others show leaders slightly more confident in their own earnings but still deeply unsure about the macro environment, geopolitical shocks, and international risks of a permacrisis. The leaders I work with talk openly about opportunity, but they also acknowledge the increasingly risk-on landscape.
In 2025, I facilitated crisis preparedness activities for more than twenty companies across Europe: listed industrials, fast-growing tech, media groups, health and life sciences, and the usual spread of “too-busy-to-fail” firms. Different sectors, different boards, different cultures. When I reflect on patterns this year, one is very clear: the absence of serious reflection from many serious companies.
“We don’t lack incidents,” I said last week to an executive team. “We lack the discipline to extract the full value from them.” Too often clients are busy running from one fire to another, never taking the time to build systems that prevent the proverbial fire or to build the capacity to respond better when fires occur. Crises, whilst painful, are an immense opportunity to build back even better, and the same is true for crisis preparedness activities. They are not a sunk cost at all: crisis preparedness strengthens capacity, confidence, and the ability to steer confidently into risk.
That has become my biggest lesson from 2025: in a world of accelerating geopolitical, technological and environmental shocks, structured reflection is not a “soft skill”; it is a hard capability. This article is about why that matters, what I have seen inside boardrooms and within executive teams this year, and why a simple reflective framework, for example Rolfe’s “What? So what? Now what?”, has become one of the most powerful tools in my crisis preparedness work.
Macro volatility showed up in every crisis exercise I facilitated this year. We simulated ransomware that hit through a supplier. We ran scenarios where a regional conflict closed key logistics routes. We modelled regulatory investigations, activist campaigns, and deepfake-driven reputation crises. And underneath the specific scenarios, the same realities kept reappearing:
- Information moves faster than governance.
- Dependencies are more complex than boards realise.
- People default to habit under pressure, not to the glossy crisis plan.
The real differentiator between companies wasn’t the quality of their plan on paper. It was whether they had built a culture of disciplined reflection through systematic and regular crisis management exercises, and whether they had advisors who could support them in turning experience into capability.
The problem: exercises without reflection are just expensive role plays
Most organisations are not doing anywhere near enough to build resilience and strengthen risk management programs. And those that are doing above average are still often running crisis simulations as box-ticking exercises. A typical pattern in 2025 looked like this. The company spends weeks planning a large exercise. There are beautifully formatted injects and slick slides, and the scenario runs. At the end, there is a quick “how did that feel?” conversation, everyone agrees it was “really valuable”, and then people go back to their inboxes. Three weeks later, nothing has changed. The same decision bottlenecks, the same information gaps, the same misplaced assumptions are waiting for the next crisis. Don’t be that company. When you schedule the simulation, also schedule the lessons-learned debrief a week later, and then have regular check-ins to make sure progress is actually being made. Without this, you are bound to relive the same failures in slightly different outfits again and again.
Why Rolfe’s model mattered
This is where Rolfe’s model became unexpectedly powerful this year. On paper, it’s almost insultingly simple:
- What?
- So what?
- Now what?
There are more elaborate reflective frameworks out there. But in the intensity of a debrief, simplicity usually wins. In my 25 years of risk-management experience, if you cannot explain the model in one minute and write it on a flipchart, it will not survive contact with reality.
The origin of the framework is in nursing and healthcare education, where practitioners had to make sense of messy, emotionally loaded situations quickly and translate them into better practice. That is remarkably similar to what senior leaders are dealing with in a crisis: incomplete information, emotional stakes, political noise and serious real-world consequences.
In my work this year, the breakthrough was using Rolfe’s questions and turning them into a disciplined habit baked into every exercise and incident review.
“What?” – getting honest about the reality you just lived through
Most organisations are good at telling a story about what happened. Very few are good at describing it precisely enough that you can learn from it. In exercises this year, I was able to use the “What?” stage consistently to unearth great insights, and I regularly surfaced three recurring patterns.
The first was information fog. In nearly every scenario, leadership teams overestimated how much reliable information would be available in the first hour and underestimated the noise. Social media rumours outran internal reporting. Suppliers knew more than the company. In one media group exercise, an entire thread of decision-making was based on a single unverified screenshot forwarded on WhatsApp. Fail.
The second was structural bottlenecks. Time and again, decision rights were unclear. Does the crisis management team have decision rights, or in practice does every material decision still get escalated to the CEO or even the Board? What about who owns customer communications? Under stress, hierarchy and habit reassert themselves unless you have rehearsed alternative patterns.
The third was external dependency. Several clients discovered, in the course of an exercise, that critical elements of their response relied on third parties: cloud providers, logistics partners, payment processors, niche software vendors, legal and PR firms. In a year when supply chain cyber attacks doubled and geopolitical tensions disrupted transport corridors, that blind spot can be critical.
In each case, forcing the room to answer, in writing, a sharpened version of “What?” changed the discussion:
- What exactly happened, minute by minute?
- Who made which decision, based on what information?
- Where did we rely on luck?
By stripping away the comforting narrative and focusing on observable behaviour, you create the raw material for real learning.
“So what?” – connecting incidents to strategy, not just operations
The “So what?” stage is where most organisations go quiet. This is where you hear phrases like “we need to communicate better” or “we should collaborate more”. True, but not very useful. In 2025, I started insisting that every “So what?” discussion connected the incident to a strategic risk.
The questions took us straight into board-level territory: contractual risk, regulatory exposure, key-person risk, and M&A implications. It is so much better to explore these questions during an exercise than a real crisis. (Yet another great reason for regular and systematic exercises that are facilitated by an external expert.)
As I told one executive team: “If your lessons learned don’t make anyone in this room uncomfortable, they’re probably not lessons.” The “So what?” phase is where you decide whether your crisis activity is just operational training, or whether it is actually shaping strategy, risk appetite and culture. Use your crisis exercises not just to practice crisis management, but to also build stronger companies!
“Now what?” – turning reflection into concrete change
The final question in Rolfe’s model, the “Now what?”, has been the hardest for many of the organisations I’ve worked with. Because “Now what?” is where reflection collides with resource allocation, power and incentives. In practice, I’ve found three conditions make the difference.
First, specificity. “We should improve cross-functional collaboration” is not a “Now what?”. “By 30 March, Group Legal and Group Communications will co-author a three-page brief on regulatory communications in data breaches, to be approved by the CEO and used in the next exercise” is a “Now what?”.
Second, ownership. Every meaningful change identified in the debrief must have a single accountable owner. When “Now what?” items advance, organisations strengthen and build resilience.
Third, testability. One of the most useful habits I have practiced with clients this year is treating the next exercise as an explicit test of the previous “Now what?” commitments. What I have done is to build a feedback loop: simulate, reflect, change something, simulate again to see if the change holds under stress.
The tangible value of reflection is not a nicer debrief report, but reduced time-to-decision when the stakes are real, and an increasingly capable and resilient organisation.
Reflection as a strategic capability in an increasingly volatile international risk environment
In many leadership cultures, “reflection” is still treated as something soft, like an individual mindfulness practice, a coaching topic, or, at best, an HR-driven leadership program. That framing is obsolete. In a year where state-based armed conflict is again rated as one of the most severe global risks, where climate and environmental degradation are compounding supply chain and political shocks, where more and more companies are victims of sabotage and espionage, and where AI and cyber threats are eroding trust in information itself, the ability of an organisation to learn faster than its environment is a hard strategic advantage.
From what I have seen in 2025, the companies that are pulling ahead on crisis preparedness share a few things in common:
- They run regular, shorter, and better exercises that invest heavily in the reflection phase.
- They treat after-action reviews as an essential task.
- They expect senior leaders to engage deeply with “What? So what? Now what?”, and to use external experts to push them.
- They link the outputs directly to risk appetite, capital allocation, M&A integration, and supply chain design.
“Your crisis exercises are not about proving you are ready. Crisis exercises are about discovering where you are not strong, and having the courage to act on it.”
Dominic Bowen
Three practical shifts leaders can make now
If you are a CEO, board member, or senior executive reading this and wondering what to do differently in 2026, my advice is straightforward. First, elevate the debrief. Insist that every major incident or exercise ends with a structured reflection session. Make sure the “So what?” explicitly connects to strategic risks and board-level concerns, not just operational fixes.
Second, hard-wire “Now what?” into governance. Require that material “Now what?” actions are tracked like audit findings or regulatory commitments: with clear owners, deadlines, and periodic reporting back to the board or a designated committee.
Third, model reflection yourself. The most powerful moment is when reflection becomes instinctive. None of this is complicated. But it does require intent and deliberateness.
Volatility is now a permanent feature of the operating environment. The question is not whether your organisation will face crises, but whether you will use them to become an even better company.
I enjoy supporting companies trying to turn messy, stressful, ambiguous crises into genuine capability. I help leaders reflect honestly about what really happened, how operational events connect to strategic risk, and how we can achieve positive change. Reflection will not stop wars, rewrite regulations or prevent the next zero-day exploit. But in 2025, working with more than twenty organisations across sectors, I have seen that those who reflect well do move faster, decide more clearly, and recover with less damage when the inevitable crisis happens.
As I often say on The International Risk Podcast: “You can’t buy resilience off the shelf. You build it, one hard conversation at a time.” I suggest that some hard conversations can start with three deceptively simple questions. What? So what? Now what?
Dominic Bowen is the host of The International Risk Podcast and Europe’s leading expert on international risk and crisis management. As Head of Strategic Advisory and Partner at one of Europe’s leading risk management consulting firms, Dominic advises CEOs, boards, and senior executives across the continent on how to prepare for uncertainty and act with intent. He has spent decades working in war zones, advising multinational companies, and supporting Europe’s business leaders. Dominic is the go-to business advisor for leaders navigating risk, crisis, and strategy; trusted for his clarity, calmness under pressure, and ability to turn volatility into competitive advantage. Dominic equips today’s business leaders with the insight and confidence to lead through disruption and deliver sustained strategic advantage.
