Skip to content
Menu
menu
Illustration of business professionals standing on an orange mechanical cog, signifying how multiple people are needed to make the cogs turn in crisis management

Illustration by iStock; Security Management

How to Create and Support a Crisis Management Team

Throughout the past year, the number of people living through war, inflation, political instability, extreme weather, and natural disasters has increased. Organizations worldwide are feeling the stress.

Businesses face a myriad of potential crises that can disrupt operations, damage reputation, and even threaten their survival. Organizations are facing record losses in class action lawsuits—during 2023, more than $51 billion was awarded to plaintiffs in lawsuits concerning product liability, antitrust, securities fraud, consumer fraud, and privacy, according to Forbes. The need for effective crisis management has never been greater.

Benefits of Crisis Management

Crisis management programs provide structured frameworks and processes for identifying, evaluating, and responding to crises in a timely and coordinated manner. While both are part of your unified command structure, crisis and emergency management programs are very different, reflecting the very differences between crises (instances or events that present great danger or difficulty) and emergencies (unexpected and sometimes dangerous situations that demand an immediate response). Crisis programs are strategic, focused on regional and corporate levels, while emergency programs tend to be tactical and therefore address issues at the level of a site or facility.

The term resilience has enjoyed a renewal in today’s lexicon and there are many definitions for it. The definition I like is, “being stressed beyond current state and returning to it as easily as possible.” This is the fundamental reason for having crisis management programs—to improve our abilities to withstand disruptions (such as near-miss and loss events) and continue operations, while mitigating damage, protecting stakeholders, preserving the organization’s reputation, meeting compliance and legal requirements, and exploiting risk.

Preparedness. By proactively developing and implementing a crisis management program, organizations can better prepare for unforeseen events. This includes conducting risk assessments, establishing response protocols, and conducting regular training and drills to ensure that key personnel are equipped to handle crises when they arise.

Damage minimization. A well-designed crisis management program helps organizations minimize the potential impact of crises by enabling swift and effective responses. By having clear communication channels, decision-making protocols, and contingency plans, organizations can mitigate the damage to their finances, operations, and reputation.

Stakeholder protection. Crises can have significant implications for various stakeholders, including employees, customers, investors, and the community at large. A robust crisis management program prioritizes the safety and well-being of these stakeholders by providing guidance on how to communicate critical information, offer support, and address their concerns during times of crisis.

Reputation management. Investor Warren Buffett is credited with noting that it can take decades to build a reputation, but only five minutes to ruin it. To Buffett’s point, trust and credibility are often the most sought-after traits for people and organizations. In the age of social media and instant news, a mismanaged crisis can greatly tarnish the reputation of an organization. A well-executed crisis management program helps organizations maintain control of the narrative by responding transparently, authentically, and swiftly to emerging issues, thereby safeguarding their reputation and credibility.

Compliance and legal requirements. Many industries are subject to regulatory requirements and legal obligations related to crisis management and emergency preparedness. Implementing a comprehensive crisis management program helps organizations comply with these mandates and reduces the risk of facing fines, litigation, or other legal consequences.

Risk exploitation. With risk comes reward. In the wake of a crisis, there are upsides for the organizations that get it right with robust crisis management programs. The winners will be those organizations which can navigate the greatest challenges and the losers will be those which avoid them or fail. Robust crisis management programs lower risk for organizations and allow for greater rewards.

How to Create a Crisis Management Program

While crisis management has recently evolved as a specialty career, few organizations have the ability or need to hire these resources internally. Further, the security department leader may be the most qualified person to lead such a comprehensive program, and it can be one of the most gratifying parts of a security risk management professional’s career.

The foundation of a crisis management plan relies on understanding and defining what a crisis means to an organization. If an organization asks its employees, customers, and other stakeholders to identify and report crises, a crisis must first be defined. This can vary from one organization or industry to another, but a general definition can be that a crisis is an actual or perceived event that could cause consumers, employees, trade customers, shareholders, the business community, media, government authorities, or others to lose trust and confidence in an organization. This definition is very strategic and does not provide step-by-step or tactical guidance.

A security or risk assessment often judges a crisis’s severity on financial, operational, and reputational impacts and assessment criteria should be assigned along a spectrum. For example, a Level 1 crisis may have a limited impact, and it would be most appropriately managed by a site-level emergency response team. However, the site-level team should still alert the regional crisis management team that an event has occurred that may have broader impacts and require additional resources. A Level 2 crisis could have regional implications and should be managed by the regional crisis management team, but the regional team should inform the corporate crisis management team (CMT) about the incident. A Level 3 crisis is the most impactful and must be managed by the corporate CMT. The goal is to resolve the crisis at the lowest level but, depending on the severity and velocity of a crisis, it’s entirely possible for an incident to escalate across the spectrum.

Assemble the Team

If an organization has multiple sites, it probably already has tactical, site-level emergency management teams and plans to deal with daily issues, such as medical emergencies, extreme weather events, natural disasters, workplace violence, bomb threats, fires, and other common site-specific threats. At the very least, an organization requires another team at the corporate level to manage major crises. Depending on the structure of an organization, there may be a need for regional or area teams between the corporate and site levels.

Experienced crisis managers will often say that a major step of crisis management is simply getting the right people in the room to deal with the crisis. CMTs need to be small enough to work quickly but comprised of the right people who are effective while under duress. While there may be resistance in forming the team at first, the CMT will likely be a popular group once the program is launched. Keep the group agile and resist the urge to let in everyone who expresses an interest.

Successful regional and corporate CMTs often include certain core roles.

Leadership. A CMT leader is the executive leader of the team, charged with handling the coordination of a crisis. He or she reports key information and recommendations to senior leadership and is responsible for coordinating between the functions and ensuring key decisions cascade down to relevant functions.

Project management. A project manager is the operational leader of the team and responsible for providing support and erasing friction by organizing meetings, keeping minutes, establishing cadence, and ensuring tasks are completed.

Communications. The corporate communications point person develops and manages the communications strategy. He or she brings a reputational perspective to the CMT’s decision-making and ensures consistency in messaging across all channels.

HR. Involvement from human resources is necessary because crises heavily impact people, so an HR representative can lead all efforts to support employees during and after the event. He or she should work with the corporate communications teammate to ensure messaging is distributed to employees and family members.

Counsel. Legal counsel can provide guidance and direction regarding liability, lawfulness, prudence, and legal ramifications of a crisis.

Finance. Near-miss and loss events have financial impacts, so the CMT should include someone from the finance department who can work with business units to assess the financial impact resources required for proposed crisis responses.

Regional and local insights. A regional or local lead should be brought in when appropriate. Identified in advance, this will likely be a member of the site or regional emergency response of crisis management team who has tactical or operational credibility with the event. He or she connects the regional or corporate team to the event, providing the latest information from the ground level. This person will also provide guidance on how the situation might escalate and work with other core members to tailor a response, along with possibly serving as a spokesperson for external communications.

Digital risk management. Lastly, there should be a team member who specializes in information systems and is responsible for IT system confidentiality, integrity, and availability. He or she ensures that the CMT considers the potential IT security risks that could arise from the crisis and actions that can be taken to mitigate these risks.

Other functional leaders. Depending on the type of crisis, other organizational leaders can be brought into the CMT, and their roles will differ depending on their functions. However, these additions to the CMT are responsible for leading the team that ensures specific operational or other steps taken to respond to the crisis. Common examples of these additional departments these leaders might come from include global security, real estate, risk management, and environmental health and safety (EHS).

There may even be some events that demand specialized teams to address the situation, such as cybersecurity incidents. In these cases, the specialized incident response team will be alerted and will take lead on managing the incident while informing the relevant CMT.

Bench strength. Crises can occur at any time, crisis fatigue may develop quickly, and primary department leaders may not always be available. For this reason, it’s important to have redundancy within all departments, a group of functional experts who can step in at any moment, which can keep things fresh and build internal resilience.

Establish a Notification Protocol

Crises are managed at the closest level, but the highest level needs to stay informed. Site-level teams of large organizations often forget that organizational stakeholders extend far beyond their facilities’ walls, and even a local crisis can have ripple effects that affect consumers, suppliers, and communities across the organization’s entire footprint. For this reason, as soon as it is reasonable, disruptive events must be communicated to the appropriate crisis management team.

If resources are limited or an organization is small enough, a simple call to the CMT leader may suffice. But if that person leaves the organization, is traveling, or is beyond coverage, this may not work. Therefore, organizations should consider establishing or contracting a dedicated crisis management program phone number that is managed by a 24/7 operations center. This is ideally a team with experience in receiving crisis notifications; providing supportive, empathetic initial guidance; triaging calls; and making notifications to the appropriate team. For this reason, subscribing to a mass notification platform or leveraging something as simple as a dedicated cell phone number connected to an internal operations center is recommended.

Site-level teams often loathe activating a crisis management notification process out of concern that they will unnecessarily draw the attention and scrutiny of higher authorities. To mitigate this anxiety, establish a filter—someone who can determine whether an event truly qualifies as a crisis—between the call intake and team notification steps. This person may determine if the event is truly a crisis or more of a local emergency, which would not require CMT activation.

Decision points may include determining whether the event has the potential to negatively impact the organization’s reputation or operations at the regional or global levels; if additional resources are required to manage the incident; and whether the incident impacts strategy or future planning. By addressing these points, he or she can determine the most appropriate way of informing necessary stakeholders. I’ve found that in most cases, incidents do not rise to the level of CMT activation but do require notifications. This is usually accomplished via emails or phone calls.

Having that filter double-checking a team’s evaluation of an incident means that colleagues are more likely to report events, which will allow the organization to respond to a crisis sooner through the crisis management function.

The CMT Meeting

Once alerted to a crisis, the CMT leader convenes the first meeting of the response team, setting objectives, tone, expectations, and confirming roles and key actions. CMT members, looking at the event through their respective lenses of expertise, should first consider the operational, financial, and reputational impacts the crisis may have on their individual departments. Some basic considerations for the initial and subsequent meetings include establishing known facts, unknown elements, what actions have already been taken, and what still needs to be done. If all else is forgotten, these basic but key elements often suffice to form a framework for the CMT’s actions.

Other considerations should include determining immediate actions for each functional member, determining who will be responsible for each action, which scenarios are likely to occur in both the short and long term, whether the CMT has the appropriate people and functions involved, and establishing a reasonable cadence for future meetings and updates for leadership.

Wind It Down

Serving on a CMT is an auxiliary duty to its members’ primary responsibilities, and crisis fatigue is a real consideration. It is critical for the CMT lead to stand down or scale down the team as soon as practicable. The decision to stand down occurs after the CMT has agreed that the incident has de-escalated to the point that it can be handled through normal business protocols. For example, a highly disruptive extreme weather event may affect an organization with high velocity and impacts, but after it has passed, the local team will likely be best equipped to manage it with minimal regional or corporate guidance.

In making this decision, the CMT lead must be confident that all outstanding actions can be managed by the relevant function under business-as-usual conditions. Similarly, all communications can at that point be managed by the day-to-day communications functions, and there should no longer be any requirement for dedicated resources to manage the situation.

Beyond the Crisis

Having a CMT team is only the first step in building an effective, long-term crisis management program. With a basic organizational crisis management framework established, the real work now begins. Intelligence capabilities need to be established to identify, assess, and communicate threats. Response plans and checklists need to be created to enable teams and departments at all levels to manage the most common emergencies and crises. A training program must be implemented at functional, site, regional, and organizational levels to build resiliency. Governance products must be developed to standardize and measure strategy, policy, and processes. Once these elements are in place, maturity modeling can gauge development over time.

Ultimately, crisis management programs are indispensable tools for navigating the complexities of today’s business environment. By investing in preparedness, mitigation, stakeholder protection, reputation management, and compliance, organizations can enhance their resilience and ensure their long-term viability in the face of unforeseen challenges. 

 

Erik Antons, CPP, PSP, is a physical security risk management executive who has led programs at Whirlpool Corporation, Hyatt Hotels, and Sempra. Antons began his security management career as a special agent with the Diplomatic Security Service with the U.S. Department of State, where he safeguarded the American people, property, and information overseas, often in critical-threat environments.

arrow_upward