CEN/TS 17091:2018

SLOVENSKI STANDARD
01-december-2018
Krizno vodenje - Navodilo za razvoj strateške zmogljivosti
Crisis management - Guidance for developing a strategic capability
Krisenmanagement - Strategische Lösung
Gestion de crise - Recommandations pour le développement d’une capacité stratégique
Ta slovenski standard je istoveten z: CEN/TS 17091:2018
ICS:
03.100.01 Organizacija in vodenje Company organization and
podjetja na splošno management in general
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

CEN/TS 17091
TECHNICAL SPECIFICATION
SPÉCIFICATION TECHNIQUE
October 2018
TECHNISCHE SPEZIFIKATION
ICS 03.100.01
English Version
Crisis management - Guidance for developing a strategic
capability
Gestion de crise - Recommandations pour le Krisenmanagement - Strategische Lösung
développement d'une capacité stratégique
This Technical Specification (CEN/TS) was approved by CEN on 20 May 2018 for provisional application.

The period of validity of this CEN/TS is limited initially to three years. After two years the members of CEN will be requested to
submit their comments, particularly on the question whether the CEN/TS can be converted into a European Standard.

CEN members are required to announce the existence of this CEN/TS in the same way as for an EN and to make the CEN/TS
available promptly at national level in an appropriate form. It is permissible to keep conflicting national standards in force (in
parallel to the CEN/TS) until the final decision about the possible conversion of the CEN/TS into an EN is reached.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Turkey and United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2018 CEN All rights of exploitation in any form and by any means reserved Ref. No. CEN/TS 17091:2018 E
worldwide for CEN national Members.

Contents Page
European foreword . 4
Introduction. 5
1 Scope . 6
2 Normative references . 6
3 Terms and definitions. 6
4 Crisis management: Core concepts and principles . 9
4.1 Understanding crises and how best to manage them. 9
4.2 The potential origins of crises . 10
4.3 Implications of the nature of crises . 11
4.4 Readiness to respond and recover . 12
4.5 Principles for crisis management . 12
5 Building a crisis management capability . 13
5.1 Introduction . 13
5.2 Setting the crisis management framework . 13
5.3 General framework . 14
5.4 Anticipate and assess . 14
5.5 Prepare . 15
5.5.1 General . 15
5.5.2 The crisis management plan . 15
5.5.3 Information management and situational awareness . 16
5.6 Response (the CMT in action) . 19
5.7 Recover . 20
5.8 Review and learn . 20
6 Crisis leadership . 21
6.1 Core leadership functions . 21
6.2 Resilient crisis response . 23
7 Strategic crisis decision-making . 23
7.1 Decision-making . 23
7.2 Why decision-making can be challenging . 24
7.3 Dilemmas, decision delay and decision avoidance . 25
7.4 Decision-making problems . 25
7.5 Effective crisis decision-making . 25
8 Crisis communication . 26
8.1 Introduction . 26
8.2 Pre-crisis preparation . 26
8.3 Management of reputation and interested parties . 26
8.4 Key roles . 26
8.4.1 General . 26
8.4.2 The spokesperson . 27
8.4.3 Media monitoring . 27
8.5 Developing a crisis communication strategy . 27
8.6 Key principles of crisis communication response . 27
8.7 Consistency of message . 28
8.8 Barriers to effective communication . 29
8.9 Social media: the opportunities and risks . 29
9 Training, validation and learning from crises . 30
9.1 General . 30
9.2 Developing people and assuring crisis management arrangements . 30
9.3 Training . 31
9.4 Exercising . 32
9.5 Validation . 32
9.6 Learning . 33
Bibliography . 34

European foreword
This document (CEN/TS 17091:2018) has been prepared by Technical Committee CEN/TC 391
“Societal and Citizen Security”, the secretariat of which is held by NEN.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
According to the CEN/CENELEC Internal Regulations, the national standards organisations of the
following countries are bound to announce this Technical Specification: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia,
France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta,
Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Turkey and the United Kingdom.
Introduction
Crises are the most serious challenge facing any organization. A crisis is an inherently abnormal,
unstable and complex situation that represents a threat to the strategic objectives, reputation and,
ultimately, the existence of an organization.
Crises present organizations with complex and difficult challenges that may have profound and far-
reaching consequences. These consequences can be very damaging, especially where it is perceived that
the organization failed to prepare for, manage or recover from a crisis. There is a risk of significant
damage to reputation, and possibly of the collapse of the business and its operations. In short, crises are
of potentially existential significance to an organization.
This technical specification sets out the principles and good practice for the provision of a crisis
management response, delivered by strategic decision makers of any organization of any size in the
public or private sector. The intention of this technical specification is to aid the design and ongoing
development of an organization’s crisis management capability.
In a general sense, a capability is a demonstrable ability to perform a function, under specified
conditions, to defined levels. Capability is bounded by assumptions and expectations, and an
organization should be able to ensure its capability within those parameters. In this technical
specification, a crisis management capability should include the following aspects:
— physical (e.g. equipment, facilities and logistics);
— intellectual (e.g. doctrine, concepts and procedures);
— structural (e.g. organization, relationships and linkages); and
— human (e.g. selection, training and education).
This technical specification has close links with other disciplines such as organizational resilience,
information security, emergency management, incident management, risk management, business
continuity management, and security. Recognizing that crisis management varies from organization to
organization and sector to sector, this technical specification provides the principles behind crisis
management and the development of the necessary capabilities that are applicable to any size of
organization.
The ability to manage crises is one aspect of a more resilient organization - where resilience is the
ability of the organization to endure and continue through all manner of disruptive challenges, and to
adapt as required to a changing operating environment. Resilience requires effective crisis
management, which needs to be understood, developed, applied and validated in the context of the
range of other relevant disciplines that include, amongst others, risk management, business continuity
management, security management and crisis communication.
The ability to manage crises cannot simply be deferred until an organization is hit by a crisis. An
organization should take every opportunity to practice their crisis response protocols in order to
ensure the most effective transition to crisis management status in the event that an actual crisis
situation is triggered. It requires a forward-looking, systematic approach that creates a structure and
processes, trains people to work within them, and is evaluated and developed in a continuous,
purposeful and rigorous way. The development of a crisis management capability needs to be a regular
activity that is proportionate to an organization’s size and capacity.
1 Scope
This document provides guidance on good practice for crisis management to help the strategic decision
makers of an organization to plan, implement, establish, operate, monitor, review, maintain and
continually improve a crisis management capability. It is intended for any organization regardless of
location, size, type, industry, structure, or sector. While it is important to be aware of human and
cultural factors as they can cause stress when working as individuals and as part of groups, it is not the
purpose of this document to examine aspects of these areas in detail.
This document provides guidance for:
— understanding the context and challenges of crisis management;
— developing an organization’s crisis management capability through preparedness (see 5.5);
— recognizing the complexities facing a crisis team in action;
— communicating successfully during a crisis; and
— reviewing and learning.
NOTE 1 For further information on organizational resilience, see ISO 22316.
This technical specification is intended for management with strategic responsibilities for the delivery
of a crisis management capability. It is for those who operate under the direction and within policy of
top management in:
— implementing the crisis plans and structures; and
— maintaining and assuring the procedures associated with the capability.
It is not intended for emergency and incident response - these require the application of operational
procedures whereas crisis management relies on an adaptive, agile, and flexible strategic response (see
4.3).
It does not cover interoperability or command and control or business continuity management systems.
NOTE 2 For more information on interoperability and command and control, see ISO 22320. For more
information on business continuity management systems, please see EN ISO 22301.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
• IEC Electropedia: available at http://www.electropedia.org/
• ISO Online browsing platform: available at http://www.iso.org/obp
3.1
crisis
unprecedented or extraordinary event or situation that threatens an organization and requires a
strategic, adaptive, and timely response in order to preserve its viability and integrity
Note 1 to entry: The event might include a high degree of uncertainty.
Note 2 to entry: The event might exceed the response capacity or capability of the organization.
Note 3 to entry: There is no adequate or appropriate plan to deal with the event such that a flexible and dynamic
approach is needed.
3.2
crisis management team
CMT
group of individuals functionally responsible for the direction and implementation of the organization’s
crisis management capabilities
Note 1 to entry: The crisis management team can include individuals from the organization as well as immediate
and first responders, stakeholders, and other interested parties.
3.3
monitoring
determining of the status of a system, a process or an activity
Note 1 to entry: To determine the status there may be a need to check, supervise or critically observe.
[SOURCE: Annex SL of ISO/IEC Directives, Part 1: Consolidated ISO Supplement – Procedures specific to
ISO]
Note 2 to entry: Monitoring in a flexible way changes that might occur in the near future and will require a
response. It includes forward looking for symptoms of change, updating the situation picture as the situation
evolves, and identifying emerging opportunities or threats that demand a crisis response from the organization.
3.4
crisis management plan
document specifying which procedures and associated resources should be applied by whom and
where to a particular type of crisis
[SOURCE: ISO 24518:2015]
3.5
business continuity
capability of the organization to continue delivery of products or services at acceptable predefined
levels following a disruptive incident
[SOURCE: ISO 22301]
3.6
business continuity management
holistic management process that identifies potential threats to an organization and the impacts to
business operations those threats, if realized, might cause, and which provides a framework for building
organizational resilience with the capability of an effective response that safeguards the interests of its
key stakeholders, reputation, brand and value-creating activities
[SOURCE: ISO 22301]
3.7
media communications management
pro-active engagement with the media to ensure that accurate information is provided
Note 1 to entry: Coverage in the media, including social media, is monitored to improve situational awareness.
Note 2 to entry: An important aspect of effective media communications management action is providing accurate
counterbalancing information where the organization’s reputation is being damaged.
3.8
crisis management
development and application of the process, systems, and organizational capability to deal with crises
3.9
incident
adverse event that might be, or could lead to, a disruption, loss, emergency or crisis
3.10
interested party (preferred term)
stakeholder (admitted term)
person or organization that can affect, be affected by, or perceive themselves to be affected by a
decision or activity
[SOURCE: Annex SL of ISO/IEC Directives, Part 1: Consolidated ISO Supplement – Procedures specific to
ISO]
3.11
risk management
coordinated activities to direct and control an organization with regard to risk
[SOURCE: ISO Guide 73]
3.12
situation report
summary, either verbal or written, produced by an officer or body, outlining the current state and
potential development of an incident or crisis and the response to it
[SOURCE: BS 65000]
3.13
situational awareness
state of individual and/or collective knowledge relating to past and current events, their implications
and potential future development
Note 1 to entry: “Knowledge” can include human aspects including perceptions and sentiments.
3.14
top management
person or group of people who directs and controls an organization at the highest level
[SOURCE: Annex SL of ISO/IEC Directives, Part 1: Consolidated ISO Supplement – Procedures specific to
ISO]
4 Crisis management: Core concepts and principles
4.1 Understanding crises and how best to manage them
The definition of crisis (see 3.1) captures the essence of crises, notably their extraordinary nature and
strategic implications for an organization. An organization might have established processes for
managing routine disruptions. However, crises can be dynamic and unpredictable, and become difficult
to manage. These crises challenge organizations, their people, functions and processes, and require a
dedicated and dynamic management and response.
Crisis management is the developed capability of an organization to prepare for, anticipate, respond to
and recover from crises. This capability is not normally part of routine organizational management, and
should be consciously and deliberately built and sustained through capital, resource and time
investment throughout the organization.
Understanding the conceptual and practical relationship between incidents and crises is important, and
Table 1 summarizes the key distinctions.
Table 1 — Distinctions between incidents and crises
Characteristics Incidents Crises
Predictability Incidents are generally foreseeable Crises are unique, rare, unforeseen or
and amenable to pre-planned poorly managed events, or
response measures, although their combinations of such events, that can
specific timing, nature and spread create exceptional challenges for an
of implications are variable and organization and are not well served by
therefore unpredictable in detail. prescriptive, pre-planned responses.
Onset Incidents can be no-notice or short Crises can be sudden onset or no-notice,
notice disruptive events, or they or emerge from an incident that has not
can emerge through a gradual been contained or has escalated with
failure or loss of control of some immediate strategic implications, or
type. Recognizing the warning arise when latent problems within an
signs of potential, actual or organization are exposed, with
impending problems is a critical profound reputational consequences.
element of incident management.
Urgency and pressure Incident response usually spans a Crises have a sense of urgency and
short time frame of activity and is might require the response to run over
resolved before exposure to longer periods of time to ensure that
longer-term or permanent impacts are minimized.
significant impacts on the
organization.
Characteristics Incidents Crises
Impacts Incidents are adverse events that Due to their strategic nature, crises can
are reasonably well understood disrupt or affect the entire organization,

and are therefore amenable to a and transcend organizational,
predefined response. Their geographical and sectoral boundaries.
impacts are potentially Because crises tend to be complex and
widespread. inherently uncertain, e.g. because a
decision needs to be made with
Minimal to minor impact, but
incomplete, ambiguous information, the
manageable impact for interested
spread of impacts is difficult to assess
parties/stakeholders, that will not
and appreciate.
lead to unmanageable collateral
damage. Impact, especially when not managed
properly, to stakeholders/interested

parties that will lead to damage for
those involved.
Media scrutiny Effective incident management Crises are events that cause significant
attracts little, but positive, media public and media interest, with the

attention where adverse events are potential to negatively affect an
intercepted, impacts rapidly organization’s reputation. Coverage in
mitigated and business-as-usual the media and on social networks might
quickly restored. However, this is be inaccurate in damaging ways, with
not always the case and negative the potential to rapidly and
media attention, even when the unnecessarily escalate a crisis.
incident response is effective and
within agreed parameters, has the
potential to escalate an incident
into a crisis.
Manageability through Incidents can be resolved by Crises, through a combination of their
established plans and applying appropriate, predefined novelty, inherent uncertainty and
procedures procedures, available adequate potential scale and duration of impact,
resources, and plans to intercept are rarely resolvable through the
adverse events, mitigate their application of predefined procedures
impacts and recover to normal and plans. They demand a flexible,
operations. creative, strategic and sustained
response that is rooted in the values of

the organization and sound crisis
management structures and planning.
4.2 The potential origins of crises
It is important for people at all levels of an organization to recognize the warning signs and understand
that crises can be initiated in a number of different ways, summarized in the following three groups.
1) Extreme disruptive incidents that have immediately obvious strategic implications. These can arise,
for example, from serious acts of malice, misconduct or negligence, or a failure (perceived or actual)
to deliver products or services that meet the expected standards of quality or safety.
2) Those stemming from poorly-managed incidents and business fluctuations that are allowed to
escalate to the point at which they create a crisis.
3) The emergence of latent problems with serious consequences for trust in an organization’s brand
and reputation. Such problems can “incubate” over time, typically as a result of:
i) a lack of governance allowing gradual and incremental slippages in quality, safety or
management control standards to go unchecked and become accepted as a normal way of
working;
ii) convenient, but unofficial, “workaround” strategies becoming the normal routine due, for
example, to overcomplicated processes, unrealistic schedules, chronic personnel shortages and
relaxed supervision;
iii) flaws in supervision and process monitoring, which promote an expectation of “getting away
with” undesirable behaviours or being able to survive minor failures without reporting them,
or over-reliance on controls to catch all errors, rather than an expectation of quality checks
that catch only occasional problems;
iv) blame cultures that encourage risk and issue cover-ups and the lack of a shared sense of
mission and purpose, which generates a defensive (if not actually hostile) “them and us”
attitude between staff and management, between different parts of the organization and
between the organization and external interested parties; and
v) poor training and development of staff and managers, or incremental loss of skills and
knowledge.
Many crises have characteristics of more than one type. For example, an extreme disruptive event might
appear to have a relatively simple immediate cause, but further enquiries might expose systemic
weaknesses in how the organization is managed, for example, relating to health and safety, exacerbating
the initial crisis and further damaging the organization’s reputation. Alternatively, attempting to
manage an extreme disruptive event as an incident rather than a crisis can introduce a delay before the
crisis is given meaningful strategic attention.
Crisis management strategies and actions should reflect the organization’s objectives and values. The
organization’s failure to adhere to its core values (for example, a commitment to workforce and product
safety) or meet the expectations of interested parties could make the situation worse.
4.3 Implications of the nature of crises
Crises can be associated with highly complex problems, the full implications and nature of which might
be unclear at the time. Possible solutions can have severe negative consequences, and decision makers
at all levels might have to choose the “least bad” solution (see 7.4) and resolve (or at least recognize and
accept) fundamental strategic dilemmas. These might mean that every choice comes with a penalty of
some kind and there is no ideal solution.
Crises do not always involve direct threats to life or tangible assets, such as property. However, they
frequently challenge organizations’ intangible assets, for example, reputation, image and brand, so
strategic leadership is particularly important during a crisis.
The inherent uncertainty of crisis situations demands that the expectations of staff at all levels are made
clear, and actions clearly and authoritatively directed. These should demonstrate a clear relationship to
the core values of the organization (which define what the organization exists for and how others
expect it to behave), give clear direction on how to make difficult decisions and emphasize the
importance of clear and coherent actions and communications during the crisis.
A crisis can force an organization to review, adjust or defend its choices, policies, culture and strategies,
possibly under public and media scrutiny. However, it can bring new opportunities and benefits to the
organization if handled successfully. Even if an organization is perceived to be at fault or blameworthy,
the demonstration of integrity and compassion can offset, to some extent, the damage to its reputation
and standing, particularly when the expectations of interested parties are not met.
A well-managed crisis can demonstrate the positive qualities of an organization and enhance its general
reputation.
A timely response to a crisis is critical. The organization should consider how it might mobilize its crisis
arrangements at an early stage as a precautionary measure. Conversely, denial and complacency or
delay amongst strategic decision makers can increase the organization’s vulnerability, hamper its
response and degrade its capacity to recover from a crisis. Crises can be so extraordinarily demanding
that no assumptions should be made about the ability of staff (of any seniority, grade or experience) to
manage them and steer the organization out of crisis.
Successful crisis management requires flexibility and creativity, and might involve stepping outside the
normal “rules” of the organization or its business environment and being prepared to defend or justify
this. For the organization’s leaders this requires clarity of thought, strategic vision, decisiveness and the
ability to act in ways that reflect the core values of the organization. In particular, leaders should behave
with compassion toward those affected by the crisis, and expect and encourage the same across the
organization as a whole.
4.4 Readiness to respond and recover
Managing a crisis typically requires a sustained effort. A failure to give the recovery effort adequate
strategic attention can mean that good work during the response is undone, critical relationships with
interested parties are neglected and potential opportunities are not grasped. Such lost opportunities
might, for instance, include a failure to:
• regenerate the organization;
• cease problematic activities; or
• bring forward long-term development plans.
The organization should:
• have a strategic direction for recovery from the outset;
• start recovery as early as possible; and
• create strategic opportunities from recovery.
4.5 Principles for crisis management
The organization’s preparation for, response to and recovery from a crisis should always be consistent
with the following principles:
a) seek understanding of the situation;
b) achieve control as soon as possible;
c) communicate effectively, both internally and externally;
d) be prepared with clear, universally understood structures, roles and responsibilities;
e) build situational awareness by good information management and coordinated working;
f) have a clear and well-rehearsed decision-making and action driving process in line with the core
values and objectives of the organization;
g) implement effective leadership at all levels of the organization;
h) ensure people with specific crisis management roles are competent through appropriate training,
exercising and evaluation of their knowledge, skills and experience;
i) maintain a comprehensive record and policy log of all decisions taken, including the facts known at
the time, any assumptions made, and the basis for those assumptions; and
j) learn and evolve from experience of actual events, successes and failures and make changes to
prevent their recurrence.
5 Building a crisis management capability
5.1 Introduction
Even a well-prepared organization can find crises challenging. Although successful outcomes can never
be guaranteed, having a well-developed and embedded crisis management capability enables the
organization to avert crises where possible, respond to crises that do occur in a manner that protects its
assets, goals, and objectives, and learn from experience, exercising and validation outcome (see
Clause 9) to improve practices over time.
5.2 Setting the crisis management framework
The development of a crisis management capability needs to be strategically directed from the top of an
organization and implemented through a crisis management framework. One aspect of this is that top
management should establish, define and document a policy for crisis management that:
• clearly and concisely outlines their objectives in managing a crisis;
• describes in broad terms how they intend to realize these; and
• makes plain their commitment to high standards in crisis management.
The policy should serve as the basis and business case for the further activities related to the planning
and implementation of crisis management procedures.
The policy statement should:
• identify those responsible for its different elements, overall coordination and embedding crisis
management as a mainstream activity.
• establish priorities, timelines and standards for the delivery of key elements of the organization’s
crisis management capability, as well as resources as appropriate.
• include mechanisms to review and ensure that the policy continues to be supported and remains
consistent with the overall strategic objectives of the organization, and that progress is monitored
and evaluated against the agreed deliverables.
Roles and responsibilities required to implement all crisis management capabilities should be
identified, documented and communicated. Consideration should be given to people’s knowledge, skills
and experience.
The organization should consider the resources needed for each element of the capability and the
associated requirements for training. It should also appoint a person(s) with appropriate authority to
be accountable for the development and implementation of the crisis management capability, and its
ongoing maintenance and management, across the whole organization.
This crisis management policy is not an “off the shelf” or “cut and paste” document: the vision and scope
of the organization’s intentions should be appropriate to its size, business activities and overall
strategic objectives, maintaining consistency with the legal or regulatory environment within which it
operates.
5.3 General framework
The organization should have the following for an effective crisis management capability:
a) people who are able to quickly analyse situations, set strategy, determine options, make decisions
and evaluate their impact;
b) a common understanding of the concepts that underpin crisis management;
c) structures and business processes to translate decisions into actions, evaluate those actions and
follow them up;
d) staff who are able to share, support and implement top management’s vision, intentions and
policies;
e) the ability to support solutions by applying the right resources in the right place, at the right time;
and
f) a structure that supports and maintains the ongoing crisis response capability. This structure
should be supported by an appropriate monitoring arrangement.
Different organizations meet these needs in different ways. Notably, size and resource availability shape
how capability can be developed. For example, in a small organization, a number of roles and
requirements are likely to be met by just one or two people in a crisis, whereas a larger organization
with geographical diversity and greater numbers of available staff is likely to structure and resource
itself in a different way.
Figure 1 sets out a general framework for crisis management, identifying the steps necessary to create a
crisis management capability, organized around anticipation and assessment, preparation, response,
recovery, and review and learning, which are discussed further in 5.4 to 5.8. Additional factors relevant
to the response, in particular leadership, decision-making and crisis communication are detailed in
Clauses 6 to 9.
Figure 1 — A framework for crisis management
5.4 Anticipate and assess
Crisis management is inextricably related to the management of risks and issues (real or perceived) of
potential significance to the organization. For example, the failure of an organization to respond to what
ought to have been a foreseeable risk is likely to call into question its competence, with strong potential
for a crisis to emerge.
An organization should have:
a) systems to provide early warning of potential crises in the physical or virtual sphere;
b) horizon scanning processes to identify potential crises that might emerge in both the medium to
long term, and those which might emerge with very little warning;
c) a well understood relationship between internal risk management activities, the management of
issues, business continuity management, and communications and crisis management
arrangements; and
d) a recognition that crises can develop regardless of the effectiveness of existing controls and that the
organization needs to be prepared to manage these effectively.
To achieve this, the organization needs to consider not just the processes by which it will identify
potential crises, escalate them to the appropriate level and inform the crisis response, but also how to
foster the kinds of behaviours that enable effective individual and team-working under conditions of
uncertainty and intense pressure.
5.5 Prepare
5.5.1 General
The emphasis in preparing for crises should be on the development of the generic capabilities that will
enable the organization to deliver an appropriate response in any situation.
Four specific elements are key to this:
a) the crisis management plan;
b) information management and situational awareness;
c) structure, composition, authority and expectations of the crisis management team (CMT), with
appropriate oversight and sense checking for the CMT activities and relevant checks and balances;
and
d) building resilience into the CMT structure [(see c) above]) by appointing primary and alternate
delegates for each CMT function and ensuring that all CMT members are suitably trained,
competent and adequately resourced to perform their duties.
5.5.2 The crisis management plan
The organization should develop a crisis management plan (CMP) that includes the following key
information:
a) who has authority and responsibility for key decisions and actions in a crisis;
b) key contact details: how staff are to be contacted in the event of a crisis;
c) crisis communication (internal and external);
d) the activation mechanism for a crisis and how it works in practice;
e) details of levels of response across the organization (i.e. who is to be contacted for what level of
problem) and a flow chart showing the sequence of actions;
f) the structure and role of the CMT and what is expected of it;
g) where the CMT is to meet (with alternative locations) and what equipment and support are
required;
h) key templates (such as CMT meeting agenda and logbook);
i) log-keeping guidance; and
j) a situation report template which is to be used across the organization.
The CMP should be as concise as possible to ensure that it’s read and exercised before it is needed, and
that it can be understood and actually used when a crisis occurs. If required, the plan can be developed
to set out the policy and more procedural elements about how the CMT works and the necessary
training and evaluation arrangements, but this should not clutter the plan itself.
The CMP should be focused on the provision of a generic response capability. It should not be scenario-
specific, as a plan for every possible contingency would be unwieldy, or potentially suppress flexible
thinking and action, and miss the point that many crises are essentially unforeseeable and impossible to
plan for in precise detail. There should be room in the CMP for surprises and events not covered by
existing procedures and practices.
The CMP should support the need for a timely response, the capability to “think outside the box”,
flexibility and improvisation, and come with viable responses using the available multidisciplinary
expertise. It needs to consider formal and informal sources of information at hand about how the crisis
unfolds under real constraints.
The following tools and templates can support the crisis management plan:
a) identification of current and potential new sources of relevant information;
b) aides-memoire, standard agendas, and checklists of key decision points and required actions;
c) defined roles and responsibilities;
d) draft holding statements;
e) guidance for call takers and switchboards;
f) up-to-date fact sheets and press kits;
g) a list of items necessary for a practical response;
h) tools and systems to help manage social media monitoring and engagement;
i) a list of inte
...