Back to Blog
Crisis Management

How to build a crisis management plan

How to build a crisis management plan

When a crisis hits, the plan that fails is almost never the one that was missing. It's the one that existed but couldn't be found, understood, or acted on fast enough, because nobody in the room knew who had the authority to decide. That gap, not the absence of a document, is what turns a bad day into a reputational event.

The rest of this guide walks through what a crisis management plan actually is, the five components every workable plan shares, a repeatable build sequence, a section-by-section template you can adapt, and the failure modes that surface in nearly every post-incident review.

What is a crisis management plan?

A crisis management plan is a documented framework that defines the roles, decision authority, and communication protocols an organization uses to coordinate its response to abnormal, high-impact events. Its purpose is coordinated strategic decision-making under uncertainty, not step-by-step technical repair. It orchestrates leadership when an event exceeds normal operational response.

ISO 22361:2022 defines a crisis as an abnormal or extraordinary event that threatens an organization and demands a strategic, adaptive, and timely response. That framing matters. A crisis is not a large incident handled by the usual on-call rota. It's an event where the standard playbook has run out of road and senior leaders have to make consequential calls with incomplete information.

The stakes are not theoretical. The Business Continuity Institute found that 75.1% of organizations activated their crisis management plans over the previous twelve months. Activation is now routine. Whether the plan holds up when it's activated is the real question.

How it differs from a BCP and an incident response plan

People conflate three distinct documents, and the confusion shows up in the incident room when nobody's sure which plan they're running. Getting the boundaries clear before you build saves you from writing a crisis plan that duplicates your continuity procedures or, worse, contradicts them.

Business continuity is a holistic process that begins with a Business Impact Analysis (BIA), informs the development of business continuity plans and recovery strategies, and helps the organization maintain critical operations during and after disruption. ISO 22301:2019 Clause 8 covers those operational plans and procedures. The crisis management plan sits above that continuity layer, handling strategic leadership and stakeholder-facing decisions.

Incident response is the technical detect, respond, and recover layer, most often for cyber events. NIST SP 800-61r3 aligns incident response with the CSF 2.0 functions. The crisis plan coordinates all three when an event escalates beyond what any single team can handle. It does not retire the BIA or replace the continuity playbooks. It coordinates them.

DimensionCrisis Management PlanBusiness Continuity PlanIncident Response Plan
Primary focusStrategic leadership and stakeholder decisionsMaintaining critical operationsDetecting and containing technical events
Who runs itCrisis team / senior leadersBCM coordinators, function ownersSecurity / IT operations
TriggerEvent exceeds normal operational responseDisruption to a critical functionA detected incident
ReferenceISO 22361ISO 22301NIST CSF 2.0

Why crisis management plans fail when it matters most

Most organizations have a plan on paper. The failures don't come from the absence of a document. They come from people not being able to find the right information, or not knowing who has the authority to act, in the first thirty minutes when the outcome is still moveable. Before we build, it's worth grounding the stakes in what recent incidents actually exposed.

The buried-information problem

Contact trees go stale between the day they're written and the day they're needed. Authority is left ambiguous because nobody wanted the awkward conversation about who overrules whom. Protocols exist, but they've never been rehearsed, so under pressure people default to improvisation.

Ticketmaster's 2024 breach is a study in how communication delay compounds a technical problem. The UNC5537 threat actor used infostealer-harvested credentials to reach Snowflake environments lacking multi-factor authentication, and Ticketmaster was among the customers hit. The company was then criticized for taking weeks to confirm the breach, and in that silence rumors and negative coverage spiraled. The offer of free credit monitoring landed as inadequate for the scale involved. The lesson is not the absence of a plan. It's that the plan's communication arm couldn't move at the speed the incident demanded.

When speed and coordination decide the outcome

A faulty Channel File 291 content update to CrowdStrike's Falcon sensor, pushed early on 19 July 2024, sent Windows endpoints into boot loops around the world. CrowdStrike reverted the update within roughly 78 minutes, but that didn't help, because recovery required manual intervention on each of the 8.5 million affected devices. Airlines grounded thousands of flights, hospitals reverted to paper, and Fortune 500 losses were estimated at $5.4 billion. The organizations that fared best were the ones whose crisis teams already knew the escalation path and the internal notification order. The rest spent the first hours deciding who was in charge.

This is not a fringe risk category. Cyber incidents ranked as the top global business risk for 2025, the fourth consecutive year at the top, with 38% of responses in the Allianz Risk Barometer. When the risk is this concentrated and this fast-moving, the gap between a rehearsed plan and a shelf document is measured in millions.

Core components of an effective crisis management plan

Every plan that survives contact with a real incident shares the same five building blocks, regardless of industry. A bank and a food manufacturer will populate them differently, but the skeleton is identical. This section defines each and shows how they connect.

Crisis team roles and responsibilities

Name the roles, not the people alone. A crisis team typically needs a crisis lead who owns overall command, a communications lead for internal and external messaging, an operations lead who coordinates the functional response, and a legal or regulatory lead who tracks notification obligations. Each needs a named deputy, because the crisis lead may be on a plane when the plane is the crisis.

Use a RACI so every consequential decision has exactly one accountable owner. DRI International's Professional Practices, specifically PP5 on incident preparedness and response, frame this structure well. Ambiguity in the org chart is ambiguity in the incident room.

Decision authority and activation criteria

Spell out who can declare a crisis and who can commit resources without waiting for sign-off. This is the single most-skipped element and the one most likely to cost you an hour you don't have.

Activation thresholds convert a routine incident into a declared crisis at defined trigger points. Useful examples:

  • Any safety-of-life exposure to staff, customers, or the public.
  • Any event crossing a regulatory notification threshold (breach disclosure, safety reporting).
  • A multi-site or multi-service outage lasting beyond a set duration.
  • Active or imminent media exposure of a material issue.

An escalation matrix maps each threshold to who's notified and who's convened. CISA's Cyber Essentials Toolkit, Essential Element 6, covers building an internal reporting structure to detect, communicate, and contain. Nobody has to invent the escalation path mid-event.

Communication protocols and recovery coordination

The plan needs internal and external protocols, pre-approved holding statements, and stakeholder notification scripts drafted before you need them. Regulatory notification timelines belong here, alongside a contact directory that is version-controlled and dated, not last touched two reorganizations ago. DRI's PP9 on crisis communications sets out the discipline.

Recovery coordination is where the crisis plan hands off. Once the situation stabilizes, control passes back to the BCP and incident response teams for restoration. Don't forget people: the BCI found that 35.8% of disruptions negatively impact staff morale, wellbeing, and mental health. A recovery section that ignores the human toll is one that gets criticized in the post-incident review.

How to build your crisis management plan: step by step

Here is the repeatable sequence for building a plan from scratch, or rebuilding one that failed. Each step produces an artifact you fold into the template that follows.

  1. Assemble the crisis team and assign decision authority.
  2. Assess risks and define activation thresholds against your BIA.
  3. Write response and communication procedures per scenario.
  4. Make the plan findable, then rehearse the roles until they're automatic.

Step 1: assemble the crisis team and assign authority

Start with the roster. Name the crisis lead, the communications lead, the operations lead, the legal lead, and their deputies. Then name the single person who has the authority to declare a crisis, because a plan where three people all think someone else pulls the trigger is a plan that stalls at the starting line.

Map the RACI before you write a single procedure. The structure has to exist before the workflow, or the workflow will keep tripping over unassigned decisions.

Step 2: assess risks and define activation thresholds

Run a crisis risk assessment aligned to your BIA outputs so the scenarios you plan for are the ones that actually threaten critical functions. FEMA's Comprehensive Preparedness Guide (CPG) 101 sets out a risk-informed planning approach worth borrowing, and Ready.gov's continuity planning process covers the BIA-to-strategy steps that feed it.

The threat picture justifies the effort. Business interruption has ranked #1 or #2 in every Allianz Risk Barometer for the past decade, sitting at #2 in 2025 with 31% of responses. Set your incident-to-crisis thresholds and escalation triggers here, in writing, so the judgment call is pre-made.

Step 3: write response and communication procedures

Draft response playbooks per scenario and holding-statement templates you can populate in minutes. Define the notification order plainly: internal first, then customers, then regulators, then media, with the sequence adjusted for any statutory reporting clock.

For multi-party events involving suppliers, mutual-aid partners, or authorities, a shared vocabulary keeps coordination clean. FEMA's National Incident Management System (NIMS) exists for exactly this reason. When two organizations use the same words for the same roles, handoffs don't get lost in translation.

Step 4: make it findable and rehearse it

Store the plan where responders can reach it during an outage, not solely on the intranet that the outage just took down. A crisis plan accessible only through the system that's failing is worse than no plan, because it costs time to discover it's unreachable.

Then rehearse until authority is muscle memory rather than a reference lookup. The check phase of the ISO 22301 PDCA cycle applies as much to crisis capability as to continuity. A plan read once at approval and never exercised is a document, not a capability.

Crisis management plan template: section-by-section breakdown

This template turns the components and build steps above into a fillable structure you can adapt to your organization. Each section maps to a decision someone will need to make under pressure, which is the test any section has to pass to earn its place.

The template sections explained

Structure the document so a responder can navigate it in the first few minutes. ISO 22361 offers plan-structure guidance; the layout below is a practical rendering of it.

  • Purpose and scope. What the plan covers, what it doesn't, and how it relates to your BCP and incident response plan.
  • Activation criteria. The thresholds that convert an incident into a declared crisis, and who declares it.
  • Crisis team and RACI. Named roles, deputies, and the accountable owner for each decision type.
  • Escalation matrix. Thresholds mapped to notifications and convening actions.
  • Communication protocols and holding statements. Internal and external messaging, pre-approved statements, notification scripts.
  • Regulatory notification log. Applicable timelines and a record of notifications made.
  • Recovery coordination and handoff. How and when control passes to BCP and IR teams, including staff wellbeing.
  • Post-incident review. The structure for capturing what happened and what changes.
  • Contact directory. Version-controlled, dated, and reviewed on a cadence.

Keep the whole thing short enough to use. A 200-page binder that no one can search in the first half hour of an incident is a liability wearing the costume of thoroughness.

Common mistakes that make plans fail during a real incident

The same failure modes recur across post-incident reviews, year after year, industry after industry. Naming them and tying each to the plan element that prevents it is more useful than another generic checklist.

Stale contacts, unclear authority, unrehearsed protocols

Outdated contact trees are the most common and the most avoidable. The fix is a version-controlled directory reviewed on a set cadence, not a spreadsheet someone updated for an audit and forgot.

Ambiguous authority is subtler and more damaging. When the accountable owner isn't named in a RACI, decisions queue behind consensus, and consensus is slow. Boeing's 737 MAX 9 door-plug blowout in January 2024 traces, per the NTSB findings reported by NPR, to four bolts left out after a repair, with inadequate training and documentation cited as contributing factors. The FAA grounded 171 aircraft and required corrective action. It's a process-discipline failure upstream of the crisis, and it shows how a gap in rehearsed procedure surfaces at the worst moment.

Unrehearsed protocols are the third failure. Slow disclosure, as Ticketmaster demonstrated, lets a story write itself. Pre-approved holding statements let you say something true and calm inside the hour, which is often what determines whether coverage frames you as a victim or as negligent.

Keeping the plan alive: testing, exercises, and updates

A plan that isn't exercised is a document that will fail on first contact. This section covers the maintenance cadence that keeps roles rehearsed and information current, which is where most programs quietly fall behind.

Tabletop exercises and update cadence

Run scenario-based tabletop exercises at least annually, and test the two things most likely to be broken: the contact tree and the authority handoffs. An exercise that only rehearses the technical response while assuming everyone knows who decides is measuring the wrong thing.

Drive corrective action through the check-and-act phases of the PDCA cycle. Every exercise should produce a short list of fixes with owners and dates, or it was theatre. Update triggers should include organizational change, a newly identified risk, and any post-incident review.

The maintenance case is stark when you look at how few organizations trust their own resilience. Allianz reports that only 3% of respondents rate their supply chains as "very resilient". If the interconnections you depend on aren't resilient, your crisis plan will be activated more often than you'd like. Keeping it current is a recurring obligation, not a one-off project. This whole discipline sits inside broader crisis management, and the stages of a crisis map neatly onto when each part of the plan carries the load.

One more industry note. In financial services, notification clocks are tight and examiner scrutiny is constant, so the regulatory notification log is not optional documentation. In manufacturing and energy, physical safety-of-life and environmental thresholds usually dominate your activation criteria over reputational ones. Design the thresholds for the risks your sector actually runs, not a generic template's defaults.

Frequently asked questions

Learn more

See first-hand what AI-native resilience looks like

Fortiv
© Fortiv 2026Legal and Privacy