What Is Crisis Management? Definition, Stages & Best Practices

When a crisis hits, an organization does not rise to the occasion. It drops to the level of preparation it built before the alarm sounded. The teams that hold together during a faulty vendor update, a contaminated product line, or a third-party failure are not braver or smarter in the moment. They rehearsed the moment months earlier, when nothing was on fire.

That gap between a rehearsed response and an unprepared scramble is the whole of the discipline. The rest of this guide walks through what crisis management actually is, how it differs from the adjacent disciplines it gets confused with, the five stages that run as a continuous loop, and the failure modes that surface in nearly every after-action review.

What Is Crisis Management?

Crisis management is the organizational capability to identify, prepare for, respond to, and recover from events that threaten operations, stakeholder safety, or reputation. It operates at the strategic level, coordinating decisions and resources when normal response mechanisms prove insufficient and executive judgment becomes essential.

The dedicated international standard, ISO 22361:2022, defines a crisis as an abnormal and unstable situation that threatens an organization and requires a strategic, adaptive, and timely response. That phrasing carries weight. "Abnormal and unstable" rules out the routine. "Strategic" pulls the decision up to the level of people who can commit the organization. "Adaptive" concedes that the playbook will not fully fit the event in front of you.

What makes a situation a crisis versus a routine incident

Not every bad day is a crisis. A server fails, a courier strikes, a phishing email lands. These are incidents, handled by defined teams using established procedures. A crisis is what happens when the event exceeds that routine response and starts threatening things you cannot delegate: the brand, regulatory standing, the safety of people, or the viability of the business itself.

Three features tend to mark the line. The threat reaches strategic objectives rather than a single service. Decisions must be made under genuine uncertainty, often with information that is incomplete and contradictory. And the clock matters in a way it does not for a routine ticket.

ISO 22361 also distinguishes sudden crises from smoldering ones, and the distinction has teeth. A sudden crisis announces itself: the bridge collapses, the system goes down, the headline breaks. A smoldering crisis builds quietly, through warning signs that were visible for weeks and ignored. The two demand different detection and escalation triggers, and organizations that only plan for the sudden variety keep getting ambushed by the slow ones.

7 types of crisis with examples

Natural disaster: Events like earthquakes, hurricanes, floods, and wildfires can cause significant damage to infrastructure and pose an immediate threat to employee safety. Having a crisis management plan in place is crucial to ensure rapid response and minimize operational disruption.

Financial crises: Sudden financial losses from market crashes, economic downturns, or fraud can threaten an organization's solvency and long-term viability. Effective crisis management plans help leadership make fast, informed decisions that protect the business through periods of severe financial stress.

Regulatory changes: Unexpected shifts in laws or regulations can force rapid operational changes while maintaining full compliance under pressure. Organizations that monitor the regulatory horizon and prepare response protocols in advance are far better positioned to adapt without disruption.

Criminal activities: Terrorism, extortion, espionage, and other criminal threats can target an organization's people, assets, and data simultaneously. Comprehensive security measures and pre-tested crisis protocols are essential to contain the threat and protect both personnel and operations.

Technological failures: IT system outages, data breaches, and cybersecurity attacks can cripple operations and expose sensitive data within minutes. As organizations grow more technology-dependent, robust cybersecurity measures and a tested crisis management strategy are no longer optional.

Reputational crises: Public scandals, viral incidents, or executive misconduct can destroy customer trust faster than almost any operational failure. Clear communication protocols and pre-approved response frameworks are essential to control the narrative before it takes on a life of its own.

Supply chain disruptions: The collapse of a critical supplier or a geopolitical shock blocking a key trade route can halt operations with little warning. Organizations with mapped dependencies and tested fallback procedures recover significantly faster than those discovering their exposure mid-crisis.

Why crisis management matters now

Disruption stopped being episodic a long time ago. For risk and continuity leaders, the question is no longer whether a major event will land this year, but how fast a single fault will cascade across systems, suppliers, and customers before anyone gets a hand on it. The data backs the instinct: business interruption has been the most persistent commercial risk of the decade, and recent incidents show how a narrow technical fault becomes an enterprise-wide crisis in minutes.

The rising frequency and cost of disruption

Business interruption has ranked first or second in every Allianz Risk Barometer for the past decade, a remarkable run of consistency for a risk register that otherwise reshuffles every year. That persistence tells you something. Interruption is not a tail risk you insure and forget. It is the standing condition of operating a complex business.

Cyber sits underneath much of it. In the BCI Horizon Scan Report 2025, cyber security registered as the overwhelming long-term concern, cited by 63.6% of respondents looking five to ten years out. The same report found that 35.8% of disruptions hit staff morale and wellbeing, a reminder that a crisis is not only a systems-and-revenue event. People run the response, and the response degrades when those people are frightened, exhausted, or kept in the dark.

That human dimension is easy to leave out of a plan. It is brutal to discover during a live event.

When a single fault cascades: the CrowdStrike outage

On 19 July 2024, a faulty Channel File 291 content update to CrowdStrike's Falcon sensor pushed at 04:09 UTC sent roughly 8.5 million Windows endpoints into boot loops, displaying the blue screen of death worldwide. Airlines grounded fleets. Hospitals reverted to paper. Banks and emergency lines went dark. CrowdStrike identified and reverted the update within 78 minutes, but that fixed nothing for the machines already bricked, because each one required hands-on, machine-by-machine remediation. The technical root cause was resolved before breakfast. The organizational recovery took days.

The scale was enormous. Estimated direct losses reached $5.4 billion for Fortune 500 companies, with roughly $1.5 billion in insurance payouts, according to a Harvard Business Review analysis. CISA issued guidance within hours, also warning that threat actors were already exploiting the confusion with phishing lures.

The practitioner lesson sits in the gap between two timelines. Engineering said "resolved" by morning. The business was not actually running again for days. That is the territory crisis management governs, and the territory most organizations underprepare for.

Crisis Management vs Business Continuity, Incident Management, and Emergency Management

Practitioners conflate these four disciplines constantly, and the confusion is not academic. When a real event spans all of them, unclear boundaries mean two teams duplicate work while a third assumes someone else has it covered. The cleanest way to hold them apart is to ask what question each one answers.

Crisis management
  Core question: How do we protect the organization?
  Primary scope: Strategic, reputational, decision-making layer
  Anchoring standard: ISO 22361:2022

Business continuity
  Core question: How do we keep critical operations running?
  Primary scope: Process, recovery strategies, dependencies
  Anchoring standard: ISO 22301:2019

Incident management
  Core question: How do we resolve this defined event?
  Primary scope: Technical or operational, procedural response
  Anchoring standard: NIST SP 800-61r3

Emergency management
  Core question: How do we keep people safe?
  Primary scope: On-scene life safety, physical command
  Anchoring standard: FEMA NIMS / ICS

Crisis management vs business continuity

Business continuity is a holistic process. It begins with a business impact analysis, informs the development of business continuity plans and recovery strategies, and helps an organization maintain critical operations during and after disruption. The BCMS requirements standard frames this as a management system, with Clause 8 covering operational planning and Clause 5.3 fixing roles, responsibilities, and authorities.

Crisis management sits above that execution layer. While continuity teams restore the order-processing system, crisis management handles the strategic and reputational questions the outage raises: what we tell regulators, how we protect the brand, whether we activate a wider response. The two are not rivals. A business impact analysis is foundational and non-negotiable, and crisis management does not replace it. It depends on it, because you cannot make good strategic calls about what to protect first if nobody has mapped what is critical.

Crisis management vs incident management

Incident management handles defined, often technical events with established response procedures. NIST SP 800-61r3, the April 2025 revision aligned to the Cybersecurity Framework 2.0, frames a cyber incident lifecycle of preparation, incident response, and lessons learned. Most incidents start and end there, contained by the people who own the affected system.

A crisis begins where the incident outgrows that routine. The ransomware that locks one workstation is an incident. The same intrusion spreading across the estate, triggering regulatory notification clocks and a press inquiry, is a crisis. The trigger for escalation is not the technical severity alone but whether the event has crossed into strategic, cross-functional territory.

Crisis management vs emergency management

Emergency management centers on life safety and physical incident command. FEMA's National Incident Management System and its Incident Command System structure on-scene response to a fire, a flood, an active threat. Its first question is always whether people are safe.

Crisis management governs the enterprise-level implications of that same event. The two coordinate closely, but they answer different questions: keep people safe versus protect the organization. A manufacturing plant fire needs ICS at the scene and a crisis team in the boardroom, and confusing one for the other leaves a gap somewhere.

Core components of a crisis management capability

An effective capability rests on four interlocking pillars: the team, the plan, the decision structure, and communication. Each fails in a predictable way when it is neglected, and the failures compound. A brilliant plan with no clear decision authority stalls; a clear decision structure with no rehearsed team improvises badly.

The crisis management team and roles

A crisis team needs a defined membership before activation, not a hurried call tree assembled mid-event. At minimum: a crisis lead with authority to commit the organization, function owners for the affected areas, and a communications officer. The BCMS requirements standard, Clause 5.3, sets the expectation that roles, responsibilities, and authorities are assigned and communicated, not improvised.

Name deputies. Crises do not wait for the key person to be reachable, and a capability that collapses because one named individual is on a flight was never a capability. The same logic applies to who chairs, who logs decisions, and who owns each external relationship. True organizational resilience doesn't rely on a single person, otherwise known as a single point of failure (SPOF).

Decision authority and escalation criteria

Unclear decision authority is the single most common reason a response stalls. When nobody is certain who can declare a crisis, or who owns a given call, the team burns the most valuable minutes of the event negotiating its own structure while the damage compounds.

Picture a regional payments outage where the operations lead believes the matter sits with IT, IT believes it belongs to the business, and neither feels authorized to invoke the crisis plan or notify the regulator. Two hours pass. The technical fault was containable; the decision vacuum was not. Pre-agreed escalation thresholds and activation triggers remove that hesitation, because the decision to escalate was made in advance, in the calm, by people who could think clearly. ISO 22361 stresses adaptive, strategic decision-making under uncertainty, and adaptation is far easier from a known starting structure than from a standing argument.

The crisis management plan

A usable plan contains activation triggers, roles, contact trees, decision logs, and communication templates. It is short enough to read in one sitting and organised so a stranger to the document can find the right section under pressure. Long binders that nobody can navigate when the room is loud do more harm than good, because they manufacture confidence without supporting decisions.

The usability test is simple. Hand the plan to someone who did not write it. Ask them to locate the escalation criteria. If it takes more than a minute, the plan needs editing, not a bigger appendix.

Crisis communication

Communication is where otherwise competent responses come apart. Messaging to internal and external stakeholders has to be consistent and timely, which means designating accountable communicators in advance and aligning with legal and regulatory disclosure obligations before the event. ISO 22361 dedicates a full section to crisis communications for this reason.

The failure mode is information buried when it matters most. The right facts exist somewhere in the organization, but they are trapped in a silo, or held back pending an approval that nobody is available to give, while the external narrative writes itself without you.

Regulatory requirements and standards for crisis management

A tested crisis capability is increasingly mandated, especially in regulated sectors, where examiners now ask to see evidence rather than intentions. The standards landscape splits into foundational guidance and sector-specific rules. For the wider regulatory map, the regulation and standards hub collects the requirements; this section covers the ones that bear directly on crisis management.

ISO 22361 and ISO 22301: the foundational standards

ISO 22361:2022 is the dedicated international crisis management standard, distinct from the business continuity standard, and its Clauses 6 through 8 cover crisis leadership, decision-making, and communications. It is guidance rather than a certifiable requirements standard, which means it shapes good practice without a tickbox audit.

ISO 22301:2019 covers the business continuity management system that crisis management coordinates with, including Clause 9 on performance evaluation and Clause 10 on improvement. Read together, the two standards span capability, leadership, communication, and the continual improvement loop that keeps the whole thing from decaying.

Financial services: DORA and the UK operational resilience framework

Financial services carries the heaviest obligations. DORA, Regulation (EU) 2022/2554, mandates a crisis management function for non-microenterprise financial entities under Article 11, and Article 14 requires at least one designated person responsible for implementing the communication strategy during ICT-related incidents.

In the UK, FCA PS21/3 and the corresponding PRA supervisory statement require firms to identify important business services, set impact tolerances, and map and test against them, with full compliance required by 31 March 2025.

Manufacturing has no equivalent single mandate, yet faces relentless supply-chain disruption pressure that drives much the same discipline. Energy and critical infrastructure operators sit under their own sectoral regimes. The pattern across industries is the same direction of travel: regulators want evidence that the crisis capability has been tested, not merely documented.

Best practices for effective crisis management

Beyond the components, a handful of practices separate organizations that handle crises from those that scramble. Each one prevents a specific, recurring failure, which is why they are worth the effort to embed rather than treat as aspirational good hygiene.

Make roles, authority, and escalation unambiguous

Document who can declare a crisis and who owns each decision, before you need either answer. Pre-set escalation triggers so activation is automatic rather than debated mid-event. Maintain named deputies so command survives an absence.

This sounds obvious and is routinely neglected, because authority mapping forces uncomfortable conversations about who really decides. Those conversations are far cheaper to have in a planning workshop than in an incident room at 2am.

Prepare communication before you need it

Hold pre-drafted templates and approval pathways for fast, accurate messaging, and align your disclosure approach with regulatory obligations in advance. Under DORA Article 14, affected financial entities must be able to disclose ICT-related incidents responsibly, which is not something you improvise at speed.

Maintain a single source of truth so the organization does not issue conflicting external statements. Two contradictory press lines do more lasting damage than a single slow one.

Plan for supply chain and third-party crises

The modern crisis frequently originates outside your walls. Supply chain disruptions with global effects now occur roughly every 1.4 years and the trend is rising, according to the Allianz Risk Barometer 2025. Yet only 3% of respondents in the 2026 business interruption analysis rate their supply chains as very resilient.

The 2024 Red Sea shipping disruption made the point vividly. Houthi attacks forced container ships to reroute around the Cape of Good Hope, adding weeks and cost to global trade and exposing how concentrated dependency on a single shipping lane converts a regional geopolitical event into a worldwide continuity problem. The practitioner response is to map third-party dependencies and rehearse their failure deliberately, rather than discover the dependency map for the first time during the disruption.

Common crisis management failures and how to avoid them

Most crisis failures are not exotic. They are the same handful of predictable gaps, repeated across industries and incidents, and they show up in after-action reviews so reliably you could print them in advance.

The plan nobody practiced

A documented plan that was never rehearsed collapses under real pressure, because the assumptions baked into it have never been stress-tested. Contact details are stale. The named decision-maker left eighteen months ago. The escalation path assumes a system that was decommissioned.

Tabletop exercises surface these gaps before a real event does, by forcing the team to actually use the plan against a realistic scenario. The CrowdStrike outage underlined the lesson: the Harvard Business Review post-mortem noted that organizations with rehearsed recovery procedures moved through the days-long manual remediation far faster than those improvising it. Familiarity is speed.

Unclear decision authority and buried information

When nobody is certain who decides, the response stalls while the damage compounds, and the cost of that hesitation rarely shows up in any technical post-mortem. The second failure travels with it: critical information trapped in a silo, known to someone three rungs down who has no channel to surface it to the people making the call.

Both are fixable in advance. Pre-agreed authority removes the first. Designed information flows, with a clear route for frontline knowledge to reach the crisis table, remove the second. Neither fix is technical, which is partly why they get deprioritized in favor of tooling.

Emerging blind spots: cyber and AI governance gaps

Cyber remains the dominant long-term threat, and the cost stays high: the global average cost of a data breach in 2025 was $4.44 million, according to the IBM Cost of a Data Breach Report. The same research surfaced a newer hazard. Among organizations that suffered AI-related security incidents, 97% lacked proper AI access controls.

That number should reframe scenario planning. Ungoverned AI, including shadow tools adopted without oversight, is an emerging crisis vector, and a crisis team that has never gamed an AI-driven incident is preparing for the last decade's events.

Building readiness through exercises and simulations

The difference between a rehearsed response and an unprepared scramble is made in the quiet months beforehand, through exercises realistic enough to break the plan in a controlled setting. Exercising is the highest-return activity in the entire discipline, and it is the first thing budget pressure tends to cut.

Why exercising is the highest-return activity

Exercises validate roles, decision flows, and communications under realistic stress, which is the only condition under which you find out whether they actually work. A plan reads fine on a quiet afternoon. The same plan reveals its gaps the moment a team has to use it against a scenario designed to confound it.

ISO 22301 Clauses 9 and 10 treat evaluation and improvement as continuing obligations rather than one-off events, and the logic carries straight into crisis management. The teams that perform during real events are the ones who built the reflexes in advance, when the cost of getting it wrong was a debrief rather than a regulatory finding.

How to build an exercise program: a practical sequence

Different formats surface different gaps. A practical program climbs in realism over a year or two:

  1. Walk the plan. Take the crisis team through the plan in a quiet room. The goal is shared understanding of roles, triggers, and where each section lives.
  2. Run a tabletop exercise. Present a realistic scenario in discussion form and force the team to make decisions against it. Surface flawed assumptions and unclear roles cheaply.
  3. Inject pressure. Add time constraints, conflicting information, and stakeholders pushing for answers. This exposes the gap between discussing a decision and making one.
  4. Simulate live. Move from discussion to action. Test the communication chains, the technical handoffs, and the coordination across functions in something close to real conditions.
  5. Drill end-to-end. Run a full exercise that tests execution under realistic conditions, including the seams where crisis management hands off to business continuity and incident response.
  6. Debrief honestly and update. The exercise is wasted if its findings do not change the plan, the roster, or the next exercise's design.

Running well-designed scenario-based exercises over time is what converts a documented plan into a practiced capability, and it is the single clearest predictor of how a team will perform when the scenario is real.

How crisis management fits within enterprise resilience

Crisis management is one discipline inside a broader ecosystem, not a standalone function. It interlocks with business continuity, incident response, disaster recovery, and risk management, and it works best when those connections are deliberate rather than accidental.

The resilience ecosystem

A mature enterprise resilience capability encompasses crisis management, business continuity, and risk management without retiring any of them. The business impact analysis and the business continuity plan remain foundational inputs to crisis decision-making, because the strategic calls a crisis team makes about what to protect first depend entirely on the prioritization that continuity work produced.

The ISO 22301 management system provides the backbone that holds these disciplines in relation to one another. Crisis management is the strategic layer; business continuity is the operational engine; risk management feeds the prevention stage. None of them substitutes for the others. The organizations that handle crises well are the ones that built every layer before they needed any of them, and rehearsed the seams where the layers meet.

© Fortiv 2026