by warhorse10_9 623 days ago
What you just described is incredibly prone to social engineering.

Have real people go to the office of the CEO and have the CEO make the reset request in person. Even by phone, a reset is harmless if the computer the CEO is using is known to be trusted and company managed. The defense is in depth, not circumstantial to one single phone call or method. You can also authenticate the request through other channels.