What is a crisis management plan (CMP)?
A crisis management plan (CMP) outlines how to respond to a critical situation that would negatively affect an organization's profitability, reputation or ability to operate. CMPs are used by business continuity teams, emergency management teams, crisis management teams and damage assessment teams to avoid or minimize damage and to provide direction on staffing, resources and communications.
Public relations are often an integral aspect of the crisis management process. An organization might choose to enlist outside public relations help to handle communications aspects, such as dealing with the media. With a public crisis response, an organization can counter any misleading and false information and seek to ease concerns. If an organization resolves a crisis quickly enough, it might not be necessary to make the public aware of the event and bring unwanted attention.
In an age of the coronavirus pandemic and increased cybersecurity attacks, organizations should have a "when, not if" mentality regarding crisis management planning. Organizations should form a plan as if an incident will happen and be proactive, not reactive.
Defining a crisis
A crisis, which can last from a few hours to several days or longer, requires decisions to be made quickly to limit damage to an organization, its key stakeholders and the public. However, there are several different types of crises.
This article is part of
The first step in developing a successful CMP is to recognize the different types of crises an organization might face and plan accordingly. By providing a well-documented set of responses to potential critical situations, a CMP allows an affected organization to act quickly should any serious incident occur.
Types of crises
According to resources such as Ready.gov, an official website of the U.S. Department of Homeland Security, crises include the following:
- Natural disasters and severe weather.
- Biological hazards such as pandemics.
- Accidental events such as fires and building or structure collapses.
- Intentional human-caused events such as robberies, violence and arson.
- Technology issues such as outages and cyber attacks.
Steps to create your crisis management plan
Crisis management planning spans preparation, development of processes, and testing and training.
An effective CMP should tackle the following initiatives:
- Identify crisis management team members.
- Document what criteria will be used to determine if a crisis has occurred.
- Establish monitoring systems and practices to detect early warning signals of any potential crisis situation. Many organizations use crisis management tools.
- Specify who will be the spokesperson(s) in the event of a crisis.
- Provide a list of key emergency contacts.
- Document who will need to be notified in the event of a crisis and how that notification will be made.
- Identify a process to assess the incident, its potential severity, and how it will affect the building and employees.
- Identify procedures to respond to the crisis and emergency assembly points where employees can go.
- Develop a strategy for social media posting and response.
- Provide a process for testing the effectiveness of the CMP and updating it on a regular basis.
There are several key elements to a CMP:
- An outline of the purpose, scope and goals of the plan.
- An evacuation plan.
- A crisis response strategy that develops a framework to manage the crisis.
- Contact information, including lists of staff, vendors and law enforcement.
- Media management.
- Crisis procedures that define specific responses to a variety of possible incidents.
- Integration with other emergency plans.
How to write a crisis management plan
Writing a CMP requires careful consideration and attention to detail. Most successful CMPs follow this sequence of information:
- Introduction and objectives. An overview of the CMP should be provided, clearly outlining its purpose, objectives and scope, as well as how it aligns with the organization's mission and values.
- Risk assessment and identification. The risk assessment process should be detailed, and potential risks identified and prioritized with an evaluation of their likelihood.
- Crisis response team and roles. Key crisis management personnel and their roles and responsibilities should be defined with clear chains of command, communication channels and decision-making processes.
- Crisis scenarios and contingency plans. Specific crisis scenarios and corresponding contingency plans should be outlined, with detailed guidance such as communication strategies, resource allocation and escalation procedures.
- Communication and media relations. Internal and external communication strategies during a crisis should be detailed, including guidelines for communication with employees, customers, media outlets and regulatory agencies. Communication should be transparent and timely.
- Training and drills. Training programs and drills should be described and regularly conducted to simulate and test the effectiveness of the emergency scenarios of the CMP.
- Monitoring and evaluation. Mechanisms for monitoring potential threats and warning signs of a crisis should be established. The CMP should be regularly evaluated to address risks.
- Business continuity integration. Alignment with business continuity plans (BCPs) should be ensured. Coordination between crisis management and business continuity teams should be coordinated and detailed to ensure a seamless response and recovery process.
- Plan maintenance and review. A schedule for CMP maintenance and review should be established. This should outline regular updates made to the CMP to reflect organizational changes, emerging risks and lessons learned from past crises.
- Appendix. Supporting documents such as contact lists, reference materials or templates that stakeholders might need should be included here.
Crisis management plan template
To aid crisis management planning, organizations should use templates, such as business continuity and disaster recovery expert Paul Kirvan's CMP template. This CMP template includes important elements of strategy, communications, media management, procedures and maintenance. The document lays out what an organization needs to effectively manage a crisis.
The importance of a crisis communication strategy
Communication is key to getting through a crisis because it keeps all the necessary players -- ranging from a single office to a global audience -- informed. As the crisis develops and evolves, the organization should update its communications.
During a crisis, employees look to management for leadership and guidance. Without the proper communication, people might speak or act erroneously. Lack of communication could also cause a safety issue.
An organization should designate a crisis communication team. All communication should be clear, concise and truthful. For the sake of speed, an organization could proactively draw up a template with potential scenarios, designate the appropriate channels for communication and then plug in the necessary information if the actual incident occurs.
Methods of communication include the following:
- A call tree, in which a team member calls a designated fellow employee or employees to communicate the message.
- Automated notification, such as a recorded voice message broadcast to employees.
- Posting on social media, such as Twitter -- now called X -- and Facebook.
It's crucial to regularly test the crisis communication plan to ensure it will hold up in the event of an actual incident. For example, an organization could run through its call tree or management could send out an automated messaging test.
Crisis response communications might have to be sent to various people. According to Ready.gov, potential audiences include customers, survivors affected by the incident and their families, employees and their families, media, the community, company management and investors, elected officials and other authorities, and suppliers. Contact information for all these audiences should be updated regularly. During an incident, the message should remain consistent across the different audiences.
Testing and updating your plan
Once completed, the CMP needs to remain a living document. That means distributing it to employees, implementing training and testing, and updating the CMP on a regular basis.
Training sessions should be held so that everyone involved knows their role. Testing ranges from tabletop exercises to full simulations.
After a test or post-crisis, it's important to review the results, discuss what worked and what didn't work, and make any necessary changes to the plan.
Crisis management standards
Standards are good tools for an organization to improve its crisis management planning. They help organizations manage disruptions to the business and enable resiliency.
The British Standards Institution provides the crisis management standard BS EN ISO 22361:2022. The standard offers guidance for establishing, managing, operating, maintaining and improving a crisis management plan for any type and size of organization. It covers core concepts and principles, crisis leadership, crisis decision-making and crisis communications.
In addition, the International Organization for Standardization offers several standards for emergency management in its ISO 223XX series, including ISO 22320:2018, Security and resilience -- Emergency management -- Guidelines for incident management.
Emergency response planning
An emergency response plan details the actions an organization must take immediately following an incident and includes potential interactions with outside help, including public safety responders. Every second counts during an emergency, so it's important for disaster management to have a well-defined emergency response plan.
As part of emergency preparedness, an organization conducts a risk assessment to determine potential threats. The organization then develops an emergency response plan to protect its employees and other affected parties in the event of an incident. Safety and stabilization are keys in an emergency.
Ready.gov suggests 10 steps for developing an emergency response plan:
- Review performance objectives for the program.
- Review threat scenarios identified during the risk assessment.
- Assess the availability and capabilities of resources -- including people and equipment -- for incident stabilization.
- Talk with public safety services to determine their response time, knowledge of the organization's facility and its hazards, and capabilities to stabilize an emergency.
- Determine if there are any emergency planning regulations at the facility and address them.
- Develop protective actions for life safety, such as evacuation, shelter, shelter in place and lockdown.
- Create hazard- and threat-specific emergency procedures.
- Coordinate emergency planning with public safety services.
- Train personnel.
- Test the plan.
Once the emergency response is over, the organization moves on to disaster recovery to restore operations as comprehensively as possible.
Crisis management plan vs. business continuity plan
Depending on the industry, a crisis management plan might also be known as a business continuity plan. Both plans aim to ensure the resilience of an organization but serve different purposes, which is why it is vital to develop separate and comprehensive CMPs and BCPs.
A CMP focuses on the immediate response to a crisis, aiming to minimize damage, protect stakeholders and restore normal operations as quickly as possible. It outlines specific actions, communication strategies and protocols for managing crises effectively.
By contrast, a BCP is a broader plan that ensures the continuity of critical business functions during and after a crisis. It contains strategies and procedures to enable an organization to continue operating, provide products and services to customers, and meet regulatory requirements. BCPs are commonly associated with disaster recovery. A BCP also addresses long-term recovery, including backup systems, alternative facilities and supply chain management to minimize the impact of a crisis on business operations.
Crisis management plans are critical to preserving business continuity. Read this guide to business continuity and pandemic planning.