The development of an effective Crisis Management Plan begins long before the organisation writes procedures, appoints a Crisis Management Team or prepares communication templates.
It begins with a clear understanding of the organisation, the nature of crisis management and the purpose of the plan being developed.
Many Crisis Management Plans are created too quickly. Organisations may begin by listing emergency contacts, defining crisis team members or documenting response steps without first agreeing on what constitutes a crisis, what the plan is intended to achieve and which parts of the organisation it should cover.
The resulting document may appear complete but may not provide effective guidance when senior leaders are faced with uncertainty, time pressure and incomplete information.
Establishing the Crisis Management context provides the foundation for all subsequent planning activities.
It ensures that the plan reflects the organisation’s operating environment, strategic priorities, stakeholder expectations, decision-making structure and exposure to potential crises.
This chapter explains how an organisation should establish that foundation.
It introduces the nature of crisis management, distinguishes a crisis from an operational incident, explains the purpose and limitations of a Crisis Management Plan, and provides a structured approach for defining the organisation’s planning context, scope and objectives.
Crisis management is the coordinated capability of an organisation to prepare for, recognise, respond to and recover from situations that may threaten its people, operations, reputation, obligations or long-term interests.
A crisis is rarely managed by one department acting alone. It may require coordinated involvement from senior management, operations, human resources, technology, legal, compliance, communications, finance, security and other specialist functions.
External parties such as regulators, government agencies, emergency services, suppliers, professional advisers and the media may also become involved.
The central purpose of crisis management is to enable the organisation to maintain strategic control during a difficult and uncertain situation.
This requires the organisation to:
Crisis management is therefore more than emergency response. Emergency and incident teams may manage the immediate operational problem, while the Crisis Management Team addresses the wider strategic consequences for the organisation.
For example, an information technology team may respond to a cyberattack by isolating affected systems, investigating malicious activity and restoring data.
However, senior management may still need to determine whether customer services should be suspended, whether regulators should be informed, what should be communicated publicly, how affected customers should be supported, and which services should be restored first.
The technical incident and the organisational crisis are related, but they are not the same.
Not every incident becomes a crisis.
Organisations experience operational problems every day. Equipment fails, employees make errors, suppliers miss deadlines, systems become unavailable and customer complaints arise. Most of these situations can be managed through established procedures and normal lines of authority.
A situation may become a crisis when its actual or potential consequences exceed the capability, authority or coordination arrangements of routine management.
A crisis often includes several of the following characteristics:
Information may be incomplete, inaccurate or contradictory. The organisation may not fully understand what has happened, who is affected or how the situation may develop.
Senior leaders may be required to make important decisions before all relevant facts are available. Delaying a decision may create additional harm.
The situation may affect people, critical services, customers, financial performance, legal obligations, regulatory compliance or organisational reputation.
Employees, customers, regulators, suppliers, government agencies, shareholders, the media and the public may require information or action.
A localised incident may quickly spread across business functions, locations, technologies or stakeholder groups.
The organisation’s decisions and conduct may be closely examined by regulators, the media, employees, customers or the public.
Senior management may need to approve actions that fall outside normal operating procedures, such as closing a facility, suspending a service, issuing a public statement, committing emergency expenditure or accepting significant operational trade-offs.
The situation may require multiple departments to act together under a common set of priorities.
The event itself does not always determine whether a crisis exists. The organisational consequences and the management challenge are equally important.
The same event may be handled as an operational incident by one organisation but may become a crisis for another. This difference may be influenced by the organisation’s size, industry, stakeholder expectations, regulatory obligations, level of preparedness and available response capability.
Clear terminology helps an organisation determine which management structure and plan should be activated.
An incident is an event that affects normal operations but can generally be managed through established procedures and existing authority.
Examples include:
An emergency is a situation requiring immediate action to protect life, safety, property or the environment.
Examples include:
Emergency response is often led by trained operational teams and public emergency services.
A disruption affects the organisation’s ability to deliver products, services or normal operations.
Examples include:
Business continuity arrangements may be activated to maintain or restore priority activities.
A crisis is a difficult situation that creates significant strategic consequences and requires senior management direction, cross-functional coordination and stakeholder management.
Examples include:
These categories may overlap. An emergency may create a disruption. A disruption may escalate into a crisis. A crisis may include several incidents occurring simultaneously.
The Crisis Management Plan should therefore define how the organisation identifies escalation and when responsibility moves from routine operational management to strategic crisis management.
One of the most important distinctions in crisis planning is the difference between operational response and strategic Crisis Management.
Operational teams focus on controlling the immediate event.
Their responsibilities may include:
Examples of operational teams include:
The Crisis Management Team focuses on the wider organisational consequences.
Its responsibilities may include:
The Crisis Management Team should not take over every operational activity. It should provide direction and ensure that operational teams are working towards common organisational objectives.
When this distinction is unclear, two problems frequently arise.
First, senior leaders may become drawn into technical discussions and lose focus on strategic decisions.
Second, operational teams may make decisions with wider legal, regulatory, or reputational consequences without appropriate executive oversight.
An effective Crisis Management Plan should establish a clear command relationship between strategic and operational response teams.
Crisis Management planning should follow a structured and progressive methodology.
A practical sequence is:
Understand → Identify → Assess → Strategise → Plan → Exercise → Improve
The organisation establishes its operating context, stakeholder expectations, structure, objectives and planning scope.
Potential threats and crisis scenarios are identified.
The organisation evaluates the potential consequences, likelihood, existing controls and planning priorities.
Appropriate crisis management approaches are selected for priority scenarios.
The organisation documents governance, activation, communication, response, recovery and supporting procedures.
The Crisis Management Plan is validated through walkthroughs, tabletop exercises, simulations and other testing activities.
Lessons from exercises, actual incidents, audits and organisational changes are used to update the plan and strengthen capability.
This methodology prevents the organisation from developing procedures without first understanding the crisis risks and strategic objectives those procedures must address.
The sequence also reinforces an important principle:
The plan is an output of the planning process. It is not the entire Crisis Management capability.
A capable organisation requires trained leaders, clear authority, tested communication arrangements, reliable supporting plans, current information and a culture that supports timely escalation.
Before developing the Crisis Management Plan, the planning team should establish a clear understanding of the organisation.
This understanding should include:
The Crisis Management Plan should reflect how the organisation actually operates. A generic plan copied from another organisation may omit important decision structures, stakeholder obligations or operational dependencies.
For example, a financial institution may place significant emphasis on regulatory notification, transaction continuity, customer data protection and market confidence.
A hospital may place greater emphasis on patient safety, clinical operations, public health coordination, and the availability of medical supplies.
A university may focus on student safety, campus operations, academic continuity and communication with families.
The organisation’s operating environment determines what may escalate into a crisis and how the Crisis Management Team should respond.
A crisis creates expectations that must be actively managed.
Stakeholders may require information, decisions, reassurance, support or regulatory action. The organisation should therefore identify its key stakeholders before a crisis occurs.
Typical stakeholders include:
Stakeholders do not all require the same information.
Employees may need instructions about safety, work arrangements and communication channels. Customers may require information about service availability and protective action. Regulators may require verified facts, impact assessments, notification of control failures and regular progress updates. The media may require timely statements to prevent speculation and misinformation.
The planning team should consider:
Stakeholder considerations should influence the organisation’s crisis objectives, team composition and communication procedures.
The scope defines the boundaries of the Crisis Management Plan.
A clearly defined scope helps prevent confusion about which parts of the organisation, locations, services and situations are covered.
The scope may include:
The plan should also clarify what it does not replace.
A Crisis Management Plan does not normally replace:
These plans may continue to operate under the strategic oversight of the Crisis Management Team.
A suitable scope statement may read:
This Crisis Management Plan applies to significant events that may threaten the organisation’s people, critical services, legal or regulatory obligations, reputation or long-term interests and which require coordinated strategic direction by senior management.
The plan supports but does not replace operational emergency, incident response, business continuity, and technology recovery procedures.
The scope should be approved by senior management because it determines when the plan may be activated and who is expected to participate.
Crisis Management objectives provide the basis for decision-making.
During a severe crisis, the organisation may be unable to protect every interest equally. Leaders may need to balance safety, service delivery, compliance, financial exposure, stakeholder expectations and recovery priorities.
Pre-agreed objectives help the Crisis Management Team establish priorities.
Typical objectives include:
The objectives should be relevant to the organisation and written in a way that supports practical decisions.
For example, if customer protection is an agreed objective, the CMT may prioritise customer notification, fraud prevention and restoration of account access.
If regulatory compliance is an objective, the CMT should ensure that notification responsibilities, reporting deadlines, and approval authority are clear.
The objectives should not be treated as promotional statements. They should guide actual choices during a crisis.
A Crisis Management Plan is a controlled document that provides the governance, authority, structure, procedures and supporting tools required to manage a crisis.
It should enable the Crisis Management Team to answer the following questions:
The plan should provide sufficient structure to support disciplined action without becoming overly prescriptive.
Crises develop in unpredictable ways. The plan cannot provide a detailed answer for every possible situation. It should instead provide a consistent management framework that leaders can apply to different scenarios.
An effective Crisis Management Plan should not be misunderstood as any of the following.
The organisation cannot anticipate every event or consequence. The plan should therefore support adaptable decision-making.
Technical and operational teams require their own procedures. The Crisis Management Plan focuses on strategic leadership and organisational coordination.
A Business Continuity Plan focuses on maintaining or recovering priority activities. The Crisis Management Plan coordinates the wider strategic response.
Contact information is necessary, but it does not provide governance, priorities, decision authority or response procedures.
A policy establishes organisational intent and principles. The Crisis Management Plan provides the operational structure for managing a crisis.
A plan cannot make decisions. It supports leaders in making informed and timely decisions.
A crisis rarely follows a fixed sequence. The plan should guide judgement rather than restrict it.
When organisations misunderstand the plan's purpose, they often create detailed but difficult-to-use documents.
A plan should be concise enough to navigate under pressure and detailed enough to support action.
Although the structure may vary by organisation, a practical Crisis Management Plan should normally include the following sections.
Explains why the plan exists, what it covers and what the organisation seeks to achieve.
Defines incident levels and the conditions under which a situation becomes a crisis.
Sets out activation criteria, authority and escalation procedures.
Defines the team structure, membership and alternates.
Clarifies leadership, coordination, communication and specialist responsibilities.
Identifies who can approve exceptional actions.
Explains how CMT members are contacted and assembled.
Provides the meeting structure, reporting arrangements and decision process.
Provides methods for recording facts, assumptions, unknowns, impacts and forecasts.
Guides the CMT through activation, assessment, stabilisation, decision-making, communication and monitoring.
Defines stakeholder, media, employee and regulatory communication arrangements.
Explains how the organisation transitions from crisis response to recovery and normal management.
Provides additional guidance for selected priority crisis scenarios.
May include action logs, decision logs, situation reports, meeting agendas and communication records.
Defines how the plan is exercised, updated and controlled.
The structure should be adapted to the organisation’s complexity and needs.
The Crisis Management Plan should have a clearly identified owner.
The plan owner is normally responsible for:
Ownership may sit with:
Senior management should approve the plan.
Approval demonstrates that:
The plan should also have a defined review cycle. It should be reviewed following:
Several weaknesses frequently reduce the effectiveness of Crisis Management planning.
Without a clear definition, operational teams may delay escalation or activate the CMT unnecessarily.
A plan that attempts to cover every operational detail may become too large and difficult to use.
Different teams may assume another group is responsible, leading to gaps or duplication.
Objectives that are too broad may not help the CMT prioritise decisions.
Important communication or regulatory requirements may be missed.
A plan developed without executive participation may contain unrealistic assumptions about authority or decision-making.
The organisation may produce a plan without establishing the supporting capability, training and exercises.
The plan may be stored only on systems that become unavailable during a crisis.
These weaknesses should be addressed before the organisation proceeds to detailed scenario planning and procedure development.
The planning team should complete a structured Crisis Management Planning Context exercise.
Document:
For each stakeholder, record:
Confirm:
Develop a set of clear objectives to guide priorities and decisions.
Confirm:
The output of this exercise should be reviewed with senior management before detailed planning continues.
Senior management should be able to answer the following questions:
If these questions cannot be answered clearly, the planning context requires further development.
Establishing the Crisis Management context is the first and most important stage in developing a practical Crisis Management Plan.
The organisation must understand its operating environment, stakeholders, critical interests and governance structure before it can design effective crisis procedures. It must also distinguish strategic Crisis Management from routine incident response, define what constitutes a crisis and establish clear objectives for the organisational response.
A Crisis Management Plan should provide structure without restricting judgement. It should define authority without drawing senior leaders into operational detail. It should support communication, coordination and decision-making while remaining flexible enough to address different crisis scenarios.
Once the context, scope and objectives have been agreed, the organisation can proceed to the next stage: identifying relevant threats and developing realistic crisis scenarios for assessment and planning.
The strength of the final Crisis Management Plan will depend heavily on the quality of this foundation.
To learn more about the course and schedule, click the buttons below for the CM-300 Crisis Management Implementer [CM-3] and the CM-5000 Crisis Management Expert Implementer [CM-5].
|
Please feel free to send us a note if you have any questions. |
||