Article | Managing Risk

Are you really ready for a crisis?

February 18, 2026

Don’t wait until disaster strikes to learn that your crisis plan fails. Gain assurance, apply best practice and improve value by rigorously testing and strengthening your crisis readiness.

A ransomware strike. A snap in your supply chain. A severe weather event hitting without warning. A protest escalating into civil unrest. In those first moments after a major event, you’ll discover whether your crisis management plan was good in theory or great in practice.

Your business may face multiple threats that are unlikely to unfold in sequence; instead they arrive in messy, simultaneous and cascading waves. These can ripple out in unpredictable ways across operations, supply chains and the communication channels between you, your employees, partners and customers.

That’s why high-stakes situations can cause even well-designed crisis management plans to unravel. How confident are you that your people will make the right decisions and escalate appropriately when facing extreme pressure, competing priorities, and incomplete or fragmented information?

In this insight, we offer practical, best-practice perspectives to both strengthen your crisis management plan and close the potential gaps between planning and performance in a crisis.

What should your business include in a crisis management plan?

Crisis management is the coordinated leadership and control of your organisation’s response to a disruptive event. Who gets to make what decisions and at what point, when a crisis strikes? What are the structured procedures that define how, when and to whom crisis incidents are first raised?

These so-called ‘escalation paths’ are about making sure the appropriate decision-makers are able to manage your crisis and incident responses so the business impact is minimised.

ISO 22361 is the international standard for crisis management, providing a framework for organisations to prepare for major disruptions, effectively manage their impacts and continually improve readiness through training and exercising.

Key requirements of ISO 22361 include building a suitable response structure for your organisation and understanding core communication requirements during a crisis.

How can you test your crisis management plan so you’re truly crisis-ready?

ISO 22361 stipulates that organisations should conduct regular, structured and documented testing and exercising of their crisis management plans, using appropriate scenarios to confirm the plans are effective and producing post-exercise reports that drive continuous improvement.

The options for testing your crisis management plan can include desktop exercises to rehearse and refine your plan. Desktop exercises can help your organisation ‘walk through’ how policies and procedures would be triggered and executed in a crisis incident.

We’d argue the modern ‘gold standard’ goes further by testing teams’ crisis management response in the face of real-world disruption. Your people can be steered through scenarios that reflect the crises most likely to hit your business and that, in realistic ways, are best placed to reveal moments of friction, confusion and cascading impacts.

Realistic simulations, enhanced by multi-media and AI-generated materials, can closely mimic the realities of a crisis hitting your business. They can give you and your people a truer sense of what it feels like to be in the eye of the storm, how you’d respond and how you can improve ahead of real crises.

The insight and outputs you can take away from realistic crisis simulations can also offer your board, investors and other stakeholders assurance on your organisation’s crisis-readiness.

You can validate your plan or expose its gaps and weaknesses. For example, your escalation authority may be clear on paper, but is it ambiguous in practice? Are you expecting too much from your cyber insurer if you face a data breach?

Realistic testing can reveal what static reviews miss.

What could your business learn from a realistic crisis simulation test?

Let’s answer this by imagining a hypothetical UK-based manufacturing company seeking to validate its crisis management plan. In response to recent sector-wide incidents, the organisation opts to run a ransomware exercise that simulates encryption of its production scheduling and inventory management systems.

The crisis simulation sees the team respond to realistic emails, news reports and urgent customer calls, forcing leadership to consider ransom decisions, communications with clients and suppliers, as well as how they would coordinate with IT vendors, insurers and the police.

The exercise mirrors the pace and complexity of a genuine cyber incident, rigorously testing escalation pathways, communication flows, technical recovery options, and stakeholder engagement.

The simulation ultimately exposes some critical resilience vulnerabilities, including unclear escalation protocols and fragmented communication frameworks that could result in inconsistent customer updates and long-term reputational harm.

The lessons learned prompt the manufacturer to clarify escalation authority and decision pathways, strengthen its communication framework, and ensure that, in the event of a real ransomware attack, customers would receive timely, accurate, and consistent information.

To discuss how immersive, AI-enhanced exercises could strengthen your crisis management planning, contact our Risk & Resilience Advisory specialists.

Contact


Eric Sanchez
Risk Management – Marketing Manager