What is Crisis Management Planning?
Crisis management planning is a defined process to establish an organization’s structured response to any disruption that could result in unacceptable consequences (e.g., reputational impairment) or threaten its ability to deliver products and services to its customers. The process results in documented information that supports effective response, including:
- Roles and responsibilities associated with the response
- High-level tasks for leadership to respond to an incident
- Key tools and resources required to support the response
- A description of how the organization coordinates and communicates both internally and externally
While the primary artifact of crisis management planning is the organization’s crisis management plan, much of the value of the process is delivered during the execution of the process itself.
What is the Purpose of Crisis Management Planning?
Crisis management planning fulfills a vital role in risk management – and, more specifically, the business continuity process – by establishing and documenting the framework within which the organization makes decisions on how to respond to an incident that impacts (or has the potential to significantly impact) the organization. While the initial development of the crisis management plan can be seen as a single effort, crisis management planning should be viewed as a recurring effort to ensure that the individuals involved, the strategies selected, and the process to implement the strategies align to and support the organization’s priorities and risk tolerance.
The major outcomes of crisis management planning include:
Creation of the Crisis Management Team
Crisis management planning identifies the right people necessary to strategically lead the response to a disruption and make decisions necessary to limit impact and speed the organization toward returning to normal. By identifying the key roles and responsibilities required to implement the strategic response process, organizations can then identify the right people to manage a disruption. Each role within the crisis management team has a list of responsibilities and specific tasks that lead to an effective and timely response.
Defined Timing and Method of Activation
Following the onset of a disruption, one of the most immediate requirements of effective crisis management is to gather the team at the right time and in the right method. Crisis management planning enables an organization’s leadership team to determine the triggers that lead to crisis management team activation, how they are activated, and where they meet (e.g., in-person, on a conference line, or using an incident management software). Defining this process ahead of an incident reduces confusion at the onset of an incident and allows the team to practice and validate the process.
Alignment on the Decision-Making and Coordination Framework
While the specific impacts and procedures associated with the response to an incident will vary based on the nature of the situation, aligning on and documenting the response framework allows the organization to clearly, and nimbly, determine how it will assess impacts, determine or reassess priorities, make decisions, and provide guidance and direction to all stakeholder groups. Defining the framework significantly reduces uncertainty prior to and during an incident. The framework also details the process to coordinate the response and throughout the recovery process by listing key stakeholders and how they are involved in recovery, which significantly reduces the time required to implement resource-specific loss strategies.
Determined Recovery Timing
Crisis management planning also drives the organization toward meeting recovery times, ensuring that the strategies documented within the crisis management and business continuity plans can be implemented effectively at time of disaster. Understanding the specific procedures associated with response, and how they support the overall recovery process, allows the organization to respond and recover based on its priorities and commitments.
Documented Obstacles to a Successful Recovery
Crisis management planning allows organizations to document the way in which it will respond to a disruption and coordinate the recovery process. While crisis management planning provides clarity on how the organization responds, it is also positioned to identify and address potential obstacles that could hinder an effective recovery. Crisis management capabilities can address, mitigate, and actively address roadblocks which significantly reduces unexpected delays in recovery.
List of Tools and Resources Required for Recovery
One of the most valuable aspects of crisis management planning is the determination of the resources and tools that are required to effectively respond to an incident, how they are used, and by whom. These resources often include communication tools, supporting procedures and plans, and sources of critical information. Documenting these required resources before the onset of a disruption allows the list to be agreed upon, resource gaps to be identified and addressed, and the specific method to leverage the resources to be validated.
What is the Difference Between Continuity Planning and Crisis Management Planning?
Continuity planning and crisis management planning are sometimes used interchangeably to refer to any plan that addresses the response to an undesirable situation or event. While both continuity planning and crisis management planning support the organization’s ability to act in other than normal conditions, they each have very specific roles and requirements that address different requirements and situations.
Business continuity planning focuses on the continuation and/or recovery of specific business activities and resources that support the delivery of products and services. These plans typically include procedures, manual workarounds, and alternate procedures addressing the loss of the workplace, equipment, people, technology and suppliers. Typically, continuity planning focuses on developing these procedures within the response framework developed as part of crisis management planning.
Crisis Management Planning
Crisis management planning, on the other hand, determines the organization’s overall process to respond to any eventuality that would have an impact, often ones that cannot be foreseen or where step-by-step procedures have not or cannot be developed. Uncertainty exists in any operational environment and there is always the possibility for an unanticipated event to arise that has a significant impact on the organization. Crisis management planning allows the organization to increase its ability to respond to any eventuality that could impact its operations.
What is the Difference Between Crisis Management and Crisis Communications?
Crisis management and crisis communications are both critical aspects of the organization’s ability to effectively respond to and manage an incident. While crisis management planning defines the framework within which the organization makes and implements decisions, crisis communications is an essential capability that supplements the crisis management plan by coordinating communications with internal and external interested parties. Crisis communications planning provides clarity on the timing, means of delivery, audience, and messaging required to support effective communication before, during, and after an incident.
Effective crisis communications plans should:
- Include people with responsibility for communicating with internal and external stakeholders
- Document the stakeholder groups that will receive communications, such as customers, partners, regulators, suppliers, etc.
- Determine the primary and secondary methods of communicating with the identified stakeholders
- Include default content that will be distributed to each of these different stakeholders
- Determine when and how often different stakeholder groups will be contacted
- Have general guidance for employees and media reminders for those involved with the organization’s response
To ensure the most effective execution of crisis communications, the key participants, strategies, and resources developed as part of the crisis communications plan should be referenced and included in crisis management planning. It is also important to have a representative of the crisis communications apparatus on the crisis management team to coordinate efforts.
What is a Crisis Management Plan?
A crisis management plan documents the outcomes of crisis management planning activities and provides the executive team with the structured response to a disruption that would have a significant impact on the organization and its survivability. Crisis management plans typically do not focus on recovery activities; rather, they provide resources and guidance to drive the organization toward recovery in a timely manner by identifying and eliminating issues that could impact a timely and successful recovery.
Effective crisis management plans:
- Introduce a structure to gather the right people to assess the situation and understand the impact – or potential impact – associated with the disruption
- Define when to activate the Crisis Management Team
- Summarize the desired timing of activity and resource recovery
- Define the roles and responsibilities of those that will lead the response
- Document where the Crisis Management Team will meet
- Provide procedures to work through an incident
- Address roadblocks getting in the way of a successful recovery
Because the crisis management plan guides the organization’s wholistic response to an incident, which includes the coordination of all response and recovery procedures, the process of managing a crisis that is defined within the crisis management plan should focus on the procedures required for the crisis management team to understand the implications of an incident, make decisions, and implement those decisions. Generally, the structure of crisis management procedures documented within the plan should address the following three, recurring aspects of crisis management:
- Assessment: Gathering information on the current situation to compile an accurate view of the incident and the implications on the organization. Typical inputs to the assessment include:
- Overview or updates to the situation
- Potential or realized impacts to the organization
- Escalated or identified issues or obstacles
- Resource requirements to implement the response
- External commitments, obligations, and expectations of the organization
- Decision: Determining the most effective approach to respond to the incident. This often occurs during crisis management team meetings where the assessment is reviewed, options identified, issues resolved, and the decision made.
- Action: the decision is implemented by those responsible for the completion of the underlying tasks. While the response is implemented, issues, resource requests, and situation updates are escalated to inform the next assessment.
Lastly, the crisis management plan describes the process to identify the desired outcomes or intended end-state of crisis management activities. This statement defines the success criteria for the response and allows the crisis management team to focus efforts on achieving what is most important to the organization.
How to Establish a Crisis Management Team?
Establishing an effective crisis management team is one of the most important aspects of crisis management planning and in the development of an actionable crisis management plan. To establish a crisis management team that can successfully lead the organization through an incident, crisis management planners should:
- Determine the key roles required to manage the response and recovery effort, and their respective responsibilities
- Socialize the roles with the executive team or key stakeholders to decide who within the organization is best suited for each, to include alternates
- Review the roles and responsibilities with the entire team to ensure that all critical functions are represented and that expectations are clearly defined
When determining who should be involved in the crisis management team, it is important to ensure that those identified understand their role and responsibilities, have the time and experience necessary to support their role, and are willing to support the organization on the crisis management team.
Common Roles and Responsibilities
While the specific makeup of crisis management teams will vary based on the structure and needs of the organization, crisis management teams should include individuals that can prioritize recovery efforts and make decisions on behalf of the organization and represent key areas of the organization. Some key roles within the crisis management team include:
- The Crisis Management Team Leader is the primary decision-making authority on behalf of the organization during an incident, sets priorities for the team, and leads the team before, during, and after an incident.
- The Crisis Management Coordinator supports the crisis management team by gathering and compiling the information necessary to inform decision-making, facilitating coordination between the crisis management team and other groups involved in recovery, and providing administrative support to the team.
- The Crisis Communications Leader is responsible for internal and external communications on behalf of the organization, in accordance with the crisis management team’s guidance and the crisis communications plan.
- Functional Representatives provide subject matter expertise regarding key functions of the organization and support the implementation of decisions made by the crisis management within their respective function. Common functional representatives considered as part of crisis management planning include (but are not limited to):
- Information Technology Representative
- Facilities and Security Representative
- Financial Representative
- Human Resources Representative
- Operations Representative (or representatives of critical aspects of operations)
- Legal Representative
Many organizations ask if the CEO should be a member of the crisis management team – or even lead it. Castellan recommends that the CEO not be included in the crisis management team as they are responsible for running the rest of the business that isn’t affected and will likely be required for specific stakeholder engagement and key communications. The crisis management plan should have a defined process to keep the CEO informed and solicit input or decisions where necessary. Once the crisis management team has been established, the organization is ready to develop the crisis management plan!
How to Develop a Crisis Management Plan?
At Castellan, we have refined our processes and tools necessary to develop crisis management plans over many years. We have established a process to document clearly defined procedures, strategies, stakeholders, and resources that result in an actionable crisis management plan to support the organization’s response and recovery priorities.
Our process consists of the following four steps:
Step 1: Review the Outcomes of the Business Impact Analysis and Risk Assessment
Crisis management planning relies on data and insights gathered from previous business continuity activities and other inputs. Two key inputs to crisis management planning include:
- The outcomes of the organization-wide business impact analysis and risk assessment, specifically product and service downtime tolerances, requested recovery time objectives for key activities, critical dependencies, and key risks to the organization
- The outcomes of the strategy determination process where the business continuity steering committee, or assigned governance body, selected strategies to address specific risks (or, in some cases accepted those risks)
Before beginning to document the crisis management plan, review the outcomes of these activities in addition to other pertinent information from IT disaster recovery, emergency management, and enterprise risk management activities, to ensure that the crisis management plan addresses the recovery requirements and reflects available response strategies.
Step 2: Select Response Strategies
Based on the outcomes of the business impact analysis and risk assessment, identify and select response strategies that make sense for your organization. Determine the relationship between the crisis management team and the rest of the organization, to include emergency management, IT disaster recovery, business continuity, risk management, and crisis communication groups.
Response strategy selection should include the business continuity program manager (as the meeting facilitator), each member of the crisis management team, and other key stakeholders whose input may be necessary in developing the plan. At a minimum, in meetings to select response strategies, participants should:
- Review strategies selected during the strategy determination meeting and discuss procedures necessary to action those strategies
- Determine the most effective crisis management structure for the organization and how it integrates with the related disciplines
- Review crisis management roles and responsibilities and current team membership to identify any potential gaps in representation
- Define triggers and activation criteria for the team, involving both type of threat and severity
- Confirm approach tools and resources necessary to enact the strategies selected
Step 3: Complete Crisis Communications Planning
Once response strategies have been selected, it is important to review and complete stakeholder communications mapping to inform when, how, and by whom critical messaging is required as part of the response strategies. Crisis communications planning (as part of crisis management planning) consists of two main steps:
- Complete a stakeholder communication map which determines the most effective means to communicate to necessary stakeholders (e.g., press release, email, social media, emergency notification system) and who is responsible for delivering that message
- Develop draft or holding messages that can used immediately upon the onset of a disruption to reduce the time required to inform stakeholders as well as who is responsible for monitoring social media
At a minimum, these should be included as part of the crisis management plan. If a more robust crisis communication apparatus is required (or exists within the organization), the crisis communications leader and team should include additional planning considerations and content.
Step 4: Draft the Crisis Management Plan
Having reviewed the outcomes of previous business continuity activities and solicited input from the crisis management team (and other key stakeholders), the next step is to draft the crisis management plan! The content of the crisis management plan will vary based on the needs and strategies of the organization, but an effective crisis management plan addresses each of the following:
- Purpose and objectives of the plan, as well as any assumptions that were made in development
- The scope of the plan, specifically the product and service-specific downtime tolerances
- The design and structure of crisis management and associated disciplines within the organization
- The crisis management team members as well as roles and responsibilities
- Triggers and activation information to inform the situations in which the plan would be leveraged
- An overview of selected strategies for critical risks as well as additional considerations for each
- Detailed procedures to implement the response and recovery strategies selected
Additional administrative and support information that should be considered include:
- Contact information and methods for crisis management team members and other key stakeholders
- Crisis communications guidance or a summary of communications requirements
- Tools and resources that support activation, such as agendas, quick references, team member guides, and reporting and assessment templates
Step 5: Socialize and Approve the Crisis Management Plan
When the initial draft of the crisis management plan is complete and it is ready for input, socialize the plan with crisis management team members and other key stakeholders to validate that the content and structure of the plan addresses the organization’s priorities and requirements, while adhering to the organization’s planning and reporting culture (i.e., does it make sense to the team).
There are several methods to solicit input from the crisis management team, but we prefer a meeting with the entire team to encourage discussion and more effective engagement with the team on the content of the plan. Regardless of the approach taken to solicit input, once all the crisis management team members have reviewed the plan, provided feedback, and given their support, the crisis management team leader can officially approve the plan and distribute to the necessary audience (Castellan recommends using a business continuity software to track and manage the approval process and provide access to the plan itself).
It is important to note that crisis management is not a “one-and-done” process, but an iterative process that strengthens the organization’s ability to prepare for, respond to, and recover from an incident impacting the delivery of products and services. This means that even after the crisis management plan is approved, it should continue to be updated and refreshed annually (at a minimum) or whenever significant changes to the organization occur.
What are the Common Challenges with Crisis Management Planning?
Organizations often encounter challenges while performing crisis management planning. While the specific challenges vary from organization to organization, the most common challenges we see include the following:
Issue: The Plan Contains an Endless List of Procedures for Every Possible Incident
Root Cause: An unfocused approach to crisis management planning
A key aspect of effective crisis management planning is focusing on the structured response to an incident, specifically around the loss of critical resources that impact the delivery of products and services, rather than threat-based planning focused on a specific type of incident (like a fire or a flood). By taking a resource-based approach and concentrating efforts on the structure of the response (rather than every possible incident), the crisis management plan can better support the organization’s response to any incident that impacts critical resources. In most cases, it is more effective to plan for the loss of a resource (such as an office) than the reason it is lost (e.g., fire, flood, power outage.). Regardless of why, the impact on the organization, and therefore the response, is essentially the same!
Issue: The Plan Needs Updating Too Often and It’s Not Feasible
Root Cause: Lack of effective business continuity management process
As with every other aspect of business continuity, crisis management planning is not a single event – it must be updated as the organization changes. Data that is critical to the effectiveness of the plan, such as contact information, priorities, recovery time objectives, and support resources, often change throughout the course of the year and sometimes with little notice. At Castellan, we leverage our business continuity software platform to automatically pull information from the business impact analysis and a variety of other core lists to significantly reduce (and often eliminate) redundant work required to keep all of the information consistent.
Issue: The Plan Will Never Actually be Used by the Team During an Incident
Root Causes: 1) The plan is too detailed, or 2) it doesn’t address what the crisis management team deems important
Both root causes speak to a common challenge of crisis management planning: documenting procedures without considering the most important information for the crisis management team to have access to in order to effectively manage the organization’s response. While there is not one answer to either the level of detail or the specific procedures to include, it is essential to listen to the crisis management team members and to other stakeholders before documenting the crisis management plan. For some organizations, the critical information is a list of the most up-to-date contacts and the targeted recovery time objectives. For others, a more detailed process description, task dependencies across departments, and decision points are necessary to inform an effective response. When conducting crisis management planning, taking the needs and priorities of those involved into consideration is essential to developing a plan that addresses the specific needs of the crisis management team and the organization.
Issue: Inability to Get the “Right People” Involved in the Process
Root Cause: Business continuity practitioners do not effectively engage top management
It can often be difficult to ensure that the right people, with the right experience, and in the right positions, are effectively involved in the business continuity program and in crisis management planning. To ensure that the organization is providing the right emphasis – and top management engagement – to its response and recovery capabilities, business continuity practitioners should consistently engage with management to increase awareness, solicit endorsement of high-level findings, recommendations, and strategies, as well as strategic risks to the organization.
This specific challenge is not unique to crisis management planning, but is a common challenge faced by many business continuity practitioners seeking engagement and involvement from executive leadership. To address this issue, download our free executive support amplifier.
Frequently Asked Questions
How often do crisis management planning activities take place?
Based on industry standards and best practices, Castellan recommends that crisis management planning activities be performed at least once a year, or after the organization experiences significant change. This includes reviewing updated organizational requirements (from the BIA and strategy determination), updating plan content, and socializing the updated plan with the team. Some organizations may determine the need to conduct a full refresh semi-annually, based on the frequency with which significant changes occur.
Who should be involved in crisis management planning?
Crisis management planning determines the organizations approach to response and, to be effective, should include a variety of individuals and groups. Initially, the Business Continuity Steering Committee, Program Sponsor, and Program Manager, as well as the Crisis Management Team, should determine who will represent (or can provide input from) key areas of the business and related disciplines. Facilities, security, operations, information technology, finance among other are a good group to start with, as well as IT disaster recovery, emergency management, and information security.
Should I use a crisis management plan template?
Using a crisis management plan template is a great way to start and can provide a structure, shared content, and standard roles and responsibilities. However, a plan template is only a means of documenting the outcomes of crisis management planning and will not provide the organization-specific information or how the organization will implement their specific strategies developed during the planning process.
How do I start the crisis management planning process?
The first step to initiating the crisis management planning process is to gather the Business Continuity Steering Committee, Program Sponsor, and Crisis Management Team Leader. This group should review the recovery requirements determined during the business impact analysis and risk assessment and the strategy determination meeting to confirm the organization’s response and recovery strategies.
Do I need software to manage a crisis management plan?
Yes and no. Small programs may find it possible to manage a crisis management plan without software (by small, typically organizations with less than 10 or 15 functions/departments and less than 1,000 employees). However, software makes it significantly easier to manage a program and to automate elements of the analytic effort (and to drive program continual improvement with workflow functionality).
For larger organizations, software is almost essential as the automation alone can replace the costs associated with one or more FTEs. Additionally, software can be used to streamline the response and recovery by providing a “live” version of plans and a single-source repository to provide response updates. With the time savings, the program manager can focus on stakeholder engagement and improving the organization’s ability to respond and recover. Obviously, we’re partial to Castellan Business Continuity Software.
Why is crisis management planning important?
Crisis management planning allows the organization to identify, document, and validate response strategies, resources, and participants prior to a disruption. Preparation and planning for an incident before one occurs reduces the time required to respond and the issues in activating the organization’s response. Crisis management planning also determines the relationship between critical participants, parties, and groups that are involved in crisis management, reducing confusion and providing clarity. Conducting effective crisis management planning as part of an iterative business continuity program is one of the most valuable things an organization can do to prepare for a disruption.