Skip to Content

Crisis Management Planning That Actually Works When a Crisis Arrives

Most crisis management plans are designed for the scenario planners, not for the people who will need to use them under pressure when everything is going wrong.
20 June 2026 by

Crisis management plans fail. Not because they are badly written — most are competently drafted. They fail because they are written for a crisis that does not exist, in conditions that do not resemble the conditions that prevail when a real crisis arrives. The gap between the plan and the crisis is where organisations are destroyed.

Why Plans Fail Under Pressure

Plans assume information that is not available. They assume that by the time the crisis response team convenes, someone will know what has happened, when it happened, how serious it is, and who is affected. Real crises arrive with none of this information confirmed. The first hours of a crisis are characterised by rumour, contradiction, incomplete reporting, and the fog of genuine uncertainty. Plans that assume sequential, information-rich decision-making will break down in this environment.

Plans assume availability of key personnel. Crises arrive at inconvenient times — weekends, public holidays, during other significant events, when key personnel are travelling or unreachable. Plans that depend on specific individuals in specific roles, without clear succession and decision authority, fail when those individuals are not available. This is not an edge case. It is a statistical inevitability for any organisation that operates continuously.

Plans assume the primary scenario. Every crisis management plan has a "primary threat" — a cyberattack, a fire, a safety incident, a reputational event. Real crises are frequently compound. A fire reveals inadequate safety documentation. A cyberattack coincides with a media inquiry. A reputational event triggers regulatory scrutiny. Plans that prepare for single-threat scenarios leave organisations unprepared for the compounding that characterises most significant crises.

What Actually Works

Build for decision-making under uncertainty, not information completeness. The most useful crisis frameworks establish clear decision authority — who can do what without escalation — and defined thresholds for escalation, rather than waiting for complete information before acting. In a crisis, the cost of delayed action frequently exceeds the cost of acting on incomplete information and correcting course.

Establish the team before you need it. Crisis management capability is a team capability, not a plan capability. The people who will manage your crisis need to have worked together before the crisis, know each other's decision styles, and have a shared understanding of how they will function under pressure. A crisis management team that meets for the first time during an actual crisis is not a team. It is a committee with a shared document.

Exercise against stress conditions, not ideal conditions. Tabletop exercises conducted in a boardroom on a Tuesday afternoon with full information and no time pressure do not test crisis management capability. Effective exercises introduce information ambiguity, time pressure, key personnel unavailability, and compound scenarios. The value of the exercise is proportional to the discomfort it creates. If the exercise runs smoothly, you have not learned anything.

Pre-define communication authority. The question of who can speak to media, regulators, employees, and key stakeholders during a crisis needs to be answered before the crisis, not during it. Communication authority — including the authority to say nothing — needs to be explicit. Organisations that improvise their crisis communication because the plan is vague on authority will produce inconsistent, contradictory messaging that amplifies the crisis.

Prioritise life safety before asset protection. This sounds obvious. It is frequently violated in practice. Organisations that focus their early crisis response on protecting reputation, managing media, or securing assets before they have confirmed the safety of all personnel are making a decision they will regret. Life safety is always the first priority. Document it that way. Act that way. It also matters for every subsequent legal, regulatory, and reputational consideration.

The Role of Doctrine

Military and emergency management organisations have addressed the problem of crisis decision-making under uncertainty through the development of doctrine — shared frameworks for how to think about problems and make decisions in complex, high-pressure environments. The incident management system, used by emergency services across Australia and internationally, is doctrine. It works not because it is comprehensive, but because everyone who has trained on it shares a common vocabulary and a common understanding of roles and authority.

Organisations that have the resources should consider adopting similar doctrine-based approaches to crisis management — not just process documents, but trained frameworks that persist regardless of which individuals are in the room. Doctrine survives personnel turnover in a way that plan documents do not.

After the Crisis

The post-incident review is one of the most consistently neglected components of crisis management. Organisations that have managed a significant crisis are frequently so relieved to have survived it that the review is superficial, delayed, or never completed. This is a significant missed opportunity. A well-conducted post-incident review — one that is honest about what failed, not just what worked — is the most effective input to improving crisis management capability. The organisations I have worked with that manage crises most effectively are almost invariably those that have reviewed their previous crises with genuine rigour.

Crisis management planning that actually works begins with honesty about the conditions under which crises actually occur — not the orderly, information-rich scenario the plan was written for, but the uncertain, pressured, compound reality that characterises actual events. Close that gap, and you are building real capability.

Tony Ridley provides crisis management advisory, programme review, and exercise facilitation. Contact us to discuss your requirements.

Australia's SOCI Act: What Critical Infrastructure Operators Need to Understand About CIRMP Compliance
Most organisations subject to the Security of Critical Infrastructure Act are further from compliance than their current programmes suggest.