The media continue to be filled with stories about companies that fail to manage crisis situations, costing them millions in damage, fines and reparations, lost revenue and lost jobs.

Many of those failures can be tracked to a few common causes: 1) lack of attention to the identification and assessment of risks, 2) weak leadership commitment to effective risk mitigation and crisis management, 3) no crisis communication plan, and 4) no process to assess, investigate and mitigate a crisis.

As part of an effective enterprise risk management program, leaders need to make the right moves when a crisis occurs to resolve the issue and protect the organization. These five steps, when taken with care and commitment from the Board of Directors on down, can help ensure the enterprise is well-prepared to protect itself when a crisis occurs.

Step 1:  Evaluate Corporate Governance, Risk Management and Internal Controls

Organizations must commit to a regular evaluation of their corporate governance and risk management practices and internal controls. When addressed together, these three components provide the pillars for a strong crisis management program.  Through a regular review of these pillars of effective governance, corporations can identify new and emerging risks, assess existing risks and make the policy and process changes needed to address the behaviors that could lead to significant damage to the enterprise—before they evolve into a crisis.

Step 2: Identify the most probable crises and assess their potential impact

There are several kinds of crises that are possible in every organization, including natural disaster, unexpected injury or death of employee or customer, harassment or discrimination, workplace violence, employee malfeasance, cybercrime, white collar crime, litigation or class action, fraud, mismanagement, and product defects/recalls. Other categories may be unique to the business.  An enterprise-wide vulnerability assessment using clearly defined risk indicators will help to uncover the kinds of crises for which the organization needs to plan and prepare. Extra attention should be given to those crises that are deemed either highly likely to occur, or have the highest potential impact on the organization.

Step 3:  Create and train a crisis management team

Arguably the most important step in an effective enterprise risk management and crisis response program is having the crisis team in place.  Internal and external experts should be identified and roles and responsibilities clearly delineated.  Regular training and crisis exercises are vital to assuring that the team is prepared to execute on important response strategies and tasks. Internal expertise should include senior executive management, operations leaders from key areas, and leaders of compliance, internal audit, corporate communications/PR, human resources, legal, sales and marketing, among others.

External expertise may be needed to supplement the internal team, and should include established relationships with outside providers of PR and communications, legal and forensic counsel, among others. By having these key vendors in place well in advance, they can get to know the company and its leaders, facilitating better, faster response when a crisis is declared.

Step 4: Develop and implement a crisis communication plan

Effective communication response to a crisis has never been more important than in this highly charged age of instant communication. Organizations no longer have the luxury of waiting days to respond when an issue arises.  Effective crisis communication plans include details not only on what to do, but how to do it. Policies and processes, chains of command, roles and responsibilities for communication should be detailed. Best-practice plans contain quick response guides for the most probable crises identified in the vulnerability assessment, including initial strategy and messaging that has been vetted and pre-approved by management and legal.

Related:  eLearning – Introduction to Crisis Communications Plans

Spokespersons should be identified and trained. Platforms to monitor media and social media should be implemented well in advance.  Companies with operations in multiple countries should make sure that their communication plans address important cultural differences so that they can respond appropriately. Finally, the plan should be exercised and updated at least annually to assure that it is well integrated with operational response and business continuity and recovery plans.

Step 5: Develop a crisis response plan

The crisis management team needs a written plan to effectively manage the crisis.  The plan should address levels of crisis with thresholds for activating the team and implementing the plan. It should identify who will lead the response for each type of crisis.  Procedures to assess, investigate and mitigate the crisis are vital. Operational roles and responsibilities should be detailed and external support services identified and engaged.

Consider providing NIMS training for the entire crisis management team.  The National Incident Management System – NIMS- provides an excellent framework for crisis response.  This system has been used successfully to manage a variety of disaster responses and other corporate crises.  The first few courses in the NIMS training program are offered online free of charge.

The investment in enterprise risk management and crisis planning is the proverbial ounce of prevention that can shield organizations from the ton of cure that awaits the unprepared. Don’t let your organization be one of those that, by failing to plan for the inevitable, puts its very future in jeopardy.

To learn more about NIMS, visit

Deb Hileman

Deb Hileman

Deborah Hileman, SCMP is President and CEO of the Institute for Crisis Management (ICM), a consulting firm specializing in crisis management and communications planning, training and consulting services. Founded in 1990, ICM clients include public and private companies, non-profit organizations, education and religious institutions, government agencies and other organizations in North America and across the globe.
A certified strategic communication management professional (SCMP), business leader, coach and consultant with more than 30 years’ experience in public and private companies and non-profit organizations, her most significant areas of expertise include strategic communications planning and crisis management, media relations, change management, employee engagement and training. She has taught hundreds of professionals to develop effective crisis strategy and messaging and to handle difficult media interviews with confidence and skill.
Known as a voice of calm amid chaos and crisis, Ms. Hileman has earned a reputation as a trusted communication strategist and advisor to board members and C-suite executives, operations leaders and other organizational stakeholders. She has developed and implemented successful communication strategies for numerous business issues, including natural disasters, labor strikes, workplace violence, wrongful death, food safety concerns, harassment and abuse investigations, social media attacks and cybercrime, mergers and acquisitions, bankruptcies, closures and layoffs, controversial development plans, criminal prosecutions and federal civil investigations, employee malfeasance and investor litigation, among others.
A regular writer and blogger on business communication topics, she is the author of “Attorneys as Allies: Balancing Stakeholder Needs with Legal Concerns During a Crisis”, published in the Writer’s Guidebook, Vol.2, PR News Press; “Building a Crisis Early Warning System by Empowering Employees to Speak Up”, published in The Book of Employee Communications Strategies & Tactics, vol. 5, PR News Press, and “In a Snap: 15 Tips for Faster, More Effective Employee Communications in a Crisis”, published in The Book of Crisis Management Strategies and Tactics, Vol. 8, PR News Press. Contact Deb at [email protected].