What is a crisis management plan (CMP)?
What is a crisis management plan (CMP)?
A crisis management plan (CMP) outlines how an organization should respond to a critical situation that if left unaddressed, could negatively affect its profitability, reputation or ability to operate. A CMP focuses on the immediate response to a crisis, aiming to minimize damage, protect stakeholders and restore normal operations as quickly as possible. It outlines specific actions, communication strategies and protocols for managing crises effectively.
Why organizations need a crisis management plan
Modern organizations might face many kinds of crises, including the following:
- Natural disasters.
- Severe weather.
- Biological hazards.
- Accidental events.
- Human-caused events such as robberies or arson.
- Technology issues such as outages and cyberattacks.
Any of these crises can last from a few hours to several days or longer, and when one occurs, decisions must be made quickly to limit damage to the organization, its key stakeholders and, in some cases, the general public. Early and proactive crisis management planning is essential.
By providing a well-documented set of responses to potential critical situations, a CMP allows an affected organization to act quickly when a serious incident occurs. Public relations are often an integral aspect of the crisis management process. With a public crisis communication response, an organization can counter any misleading or false information and seek to ease concerns. If an organization resolves a crisis quickly enough, it might not be necessary to make the public aware of the event and bring unwanted attention.
Who uses crisis management plans?
CMPs are used by business continuity teams, emergency management teams, crisis management teams and damage assessment teams to avoid or minimize damage and to provide direction on responses, staffing, resources and communications.
Key elements of a crisis management plan
A comprehensive, up-to-date CMP includes all (or most) of these elements:
- An outline of the plan’s purpose, scope and goals.
- An evacuation plan.
- A crisis response strategy and procedures to manage the crisis.
- List of people who will take action in a crisis and what actions they will take (action plan).
- Contact information for staff, emergency staff, vendors and law enforcement agencies.
- Media management strategy.
- Internal and external communication strategy.
- Crisis procedures defining specific responses to a variety of possible incidents.
- Management responsibilities.
- Integration with other emergency plans, such as business continuity plans (BCPs) and data recovery plans.
A CMP should also include a list of possible future crises as well as information about the potential impact of those crises. A risk assessment of each of the threats can help with the formulation of the response strategy. The assessment should include an analysis of both threat probability (likelihood) and expected impact — information (placed in a risk register) that will help with crisis response planning.
In addition, an effective CMP will:
- Identify crisis management team members and their specific roles.
- Document the criteria to be used to determine if a crisis has occurred.
- Establish monitoring systems and practices to detect potential crisis situations as early as possible.
- Specify who will be the spokesperson(s) in the event of a crisis.
- Document who will be notified in the event of a crisis and how.
- Identify emergency assembly points where employees can go once a crisis situation develops.
- Outline specific crisis scenarios and corresponding contingency plans.
Supporting information like contact lists, reference materials or templates for stakeholders can be included in appendices to the above.
Steps to create your crisis management plan
In an age of pandemics and increased cybersecurity attacks, organizations should be proactive about crisis management planning. In addition, they should adopt a “when, not if” mentality, meaning they should assume that an incident will happen and plan accordingly. And during planning, they should follow these steps:
- Identify the threats that might result in a crisis.
- Assess each threat in terms of likelihood of occurrence and possible impact.
- Identify responses to each identified threat.
- Develop response procedures and action plans for each threat.
- Form a crisis management and leadership team.
- Establish communications workflows (internal and external) and methods, such as call trees, automated notifications, social media posts, etc.
- Select a CMP template or create one from scratch; CMP templates are now available and can be easily adapted to the needs of most organizations.
- Document the plan, get management sign-off and publish it to all key stakeholders, including company leadership and the crisis management team.
Once completed, the CMP must remain a living document that is distributed to employees, reviewed regularly and updated as the organization’s threat/risk landscape changes. A schedule for CMP maintenance and review should be established. After a test or post-crisis, it’s important to review the results, discuss what worked and what didn’t, as well as make any necessary changes to the plan.
Other important actions to be taken during crisis management planning:
- Establish mechanisms to monitor potential threats and warning signs of a crisis.
- Set up training programs and exercises (e.g., tabletop exercises) and drills to simulate emergency scenarios and test the effectiveness of identified response procedures.
- Regularly test the crisis communication plan to ensure it will hold up in the event of an actual incident.
How to write a crisis management plan
Writing a CMP requires careful consideration and attention to detail. Most successful CMPs follow this sequence of information:
- Introduction and objectives. An overview of the CMP should be provided, clearly outlining its purpose, objectives and scope, as well as how it aligns with the organization’s mission and values.
- Risk assessment and identification. The risk assessment process should be detailed, and potential risks identified and prioritized with an evaluation of their likelihood.
- Crisis response team and roles. Key crisis management personnel and their roles and responsibilities should be defined with clear chains of command, communication channels and decision-making processes.
- Crisis scenarios and contingency plans. Specific crisis scenarios and corresponding contingency plans should be outlined, with detailed guidance such as communication strategies, resource allocation and escalation procedures.
- Communication and media relations. Internal and external communication strategies during a crisis should be detailed, including guidelines for communication with employees, customers, media outlets and regulatory agencies. Communication should be transparent and timely.
- Training and drills. Training programs and drills should be described and regularly conducted to simulate and test the effectiveness of the emergency scenarios of the CMP.
- Monitoring and evaluation. Mechanisms for monitoring potential threats and warning signs of a crisis should be established. The CMP should be regularly evaluated to address risks.
- Business continuity integration. Alignment with business continuity plans (BCPs) should be ensured. Coordination between crisis management and business continuity teams should be coordinated and detailed to ensure a seamless response and recovery process.
- Plan maintenance and review. A schedule for CMP maintenance and review should be established. This should outline regular updates made to the CMP to reflect organizational changes, emerging risks and lessons learned from past crises.
- Appendix. Supporting documents such as contact lists, reference materials or templates that stakeholders might need should be included here.
Crisis management plan template
To aid crisis management planning, organizations should use templates, such as business continuity and disaster recovery expert Paul Kirvan’s CMP template. This CMP template includes important elements of strategy, communications, media management, procedures and maintenance. The document lays out what an organization needs to effectively manage a crisis.
The importance of a crisis communication strategy
Communication is key to getting through a crisis because it keeps all the necessary players — ranging from a single office to a global audience — informed. As the crisis develops and evolves, the organization should update its communications.
During a crisis, employees look to management for leadership and guidance. Without the proper communication, people might speak or act erroneously. Lack of communication could also cause a safety issue.
An organization should designate a crisis communication team. All communication should be clear, concise and truthful. For the sake of speed, an organization could proactively draw up a template with potential scenarios, designate the appropriate channels for communication and then plug in the necessary information if the actual incident occurs.
Methods of communication include the following:
- A call tree, in which a team member calls a designated fellow employee or employees to communicate the message.
- Automated notification, such as a recorded voice message broadcast to employees.
- Posting on social media, such as Twitter — now called X — and Facebook.
It’s crucial to regularly test the crisis communication plan to ensure it will hold up in the event of an actual incident. For example, an organization could run through its call tree or management could send out an automated messaging test.
Crisis response communications might have to be sent to various people. According to Ready.gov, potential audiences include customers, survivors affected by the incident and their families, employees and their families, media, the community, company management and investors, elected officials and other authorities, and suppliers. Contact information for all these audiences should be updated regularly. During an incident, the message should remain consistent across different audiences.
Testing and updating your plan
Once completed, the CMP needs to remain a living document. That means distributing it to employees, implementing training and testing, and updating the CMP on a regular basis.
Training sessions should be held so that everyone involved knows their role. Testing ranges from tabletop exercises to full simulations.
After a test or post-crisis, it’s important to review the results, discuss what worked and what didn’t work, and make any necessary changes to the plan.
Crisis management standards
Standards are good tools for an organization to improve its crisis management planning. They help organizations manage disruptions to the business and enable resiliency.
The British Standards Institution provides the crisis management standard BS EN ISO 22361:2022. The standard offers guidance for establishing, managing, operating, maintaining and improving a crisis management plan for any type and size of organization. It covers core concepts and principles, crisis leadership, crisis decision-making and crisis communications.
In addition, the International Organization for Standardization offers several standards for emergency management in its ISO 223XX series, including ISO 22320:2018, Security and resilience — Emergency management — Guidelines for incident management.
Emergency response planning
An emergency response plan details the actions an organization must take immediately following an incident and includes potential interactions with outside help, including public safety responders. Every second counts during an emergency, so it’s important for disaster management to have a well-defined emergency response plan.
As part of emergency preparedness, an organization conducts a risk assessment to determine potential threats. The organization then develops an emergency response plan to protect its employees and other affected parties in the event of an incident. Safety and stabilization are key in an emergency.
Ready.gov suggests 10 steps for developing an emergency response plan:
- Review performance objectives for the program.
- Review threat scenarios identified during the risk assessment.
- Assess the availability and capabilities of resources — including people and equipment — for incident stabilization.
- Talk with public safety services to determine their response time, knowledge of the organization’s facility and its hazards, and capabilities to stabilize an emergency.
- Determine if there are any emergency planning regulations at the facility and address them.
- Develop protective actions for life safety, such as evacuation, shelter, shelter in place and lockdown.
- Create hazard- and threat-specific emergency procedures.
- Coordinate emergency planning with public safety services.
- Train personnel.
- Test the plan.
Once the emergency response is over, the organization moves on to disaster recovery to restore operations as comprehensively as possible.
Crisis management plan vs. business continuity plan
A crisis management plan might also be known as a business continuity plan. Both plans aim to ensure an organization’s resilience but serve different purposes. While a CMP outlines how to respond to a critical situation, a BCP is a broader plan that ensures the continuity of critical business functions during and after a crisis.
A BCP also addresses long-term recovery, including backup systems, alternative facilities and supply chain management to minimize the impact of a crisis on business operations — aspects that are not usually covered in a CMP. For these reasons, it’s important to develop separate and comprehensive CMPs and BCPs.
Crisis management plans are critical to preserving business continuity. Read this guide to business continuity and pandemic planning.