What Is Crisis Management?

Crisis management refers to the identification of a threat to an organization and its stakeholders in order to mount an effective response to it.

Key Takeaways

  • Even the best-managed businesses may be hit by a crisis caused by external or internal events.
  • Crisis management is the strategy of anticipating crises at the corporate level and planning how to deal with them effectively.
  • Crisis management begins with risk analysis, however, it should not be confused with risk management.

Understanding Crisis Management

Due to the unpredictability of global events, many modern organizations attempt to identify potential crises before they occur in order to sketch out plans to deal with them. When and if a crisis occurs, the organization must be able to drastically change course in order to survive.

The COVID-19 crisis that began in early 2020 can be expected to become a textbook example of crisis management. Businesses around the world were forced to shut their doors. Millions of employees were sent home. Essential services struggled to function. History will judge how effective the powers-that-be were in their crisis management skills.

Any business, large or small, may run into problems that negatively impact its normal operations. A crisis can take many forms — an office fire, the death of a CEO, a terrorist attack, a data breach, or a natural disaster can lead to tangible and intangible costs to a company in terms of lost sales, damage to its reputation, and a decrease in income.

Businesses that put a continuity plan in place in case of unforeseen contingencies can mitigate the effects of a negative event. The process of having a business continuity plan in place in the event of a crisis is known as crisis management.

Most firms start by conducting risk analysis on their operations. Risk analysis is the process of identifying adverse events that may occur and estimating their likelihood of occurring. By running simulations and random variables with risk models, such as scenario tables, a risk manager can assess the probability of a threat occurring in the future, the best- and worst-case outcome, and the damage the company would incur should this threat come to fruition.

For example, a risk manager may estimate that the probability of a flood occurring within a company's area of operation is very high. The worst-case scenario would be the destruction of the company’s computer systems, thereby, losing pertinent data on customers, suppliers, and ongoing projects.

Once the risk manager knows what they are dealing with in terms of possible risks and impacts, a plan is developed by the crisis management team to contain any emergency should it become reality. For example, the company facing flood risk might create a back-up system for all computer systems. This way, the company would still have a record of its data and work processes.

Although the business might slow down for a short period while the company purchases new computer equipment, operations would not be completely halted. By having a crisis resolution in place, a company and its stakeholders can prepare and adapt to unexpected and adverse developments.

Crisis Management Vs. Risk Management

Crisis management is not necessarily the same thing as risk management. Risk management involves planning for events that might occur in the future, crisis management involves reacting to negative events during and after they have occurred.

An oil company, for example, may have a plan in place to deal with the possibility of an oil spill. If such a disaster actually occurs, the magnitude of the spill, the backlash of public opinion, and the cost of cleanup can vary greatly and may exceed expectations. The scale makes it a crisis.

Types of Crises

A crisis can either be self-inflicted or caused by external forces. Examples of external forces that could affect an organization’s operations include natural disasters, security breaches, or false rumors that hurt a business's reputation.

Self-inflicted crises are caused within the organization, such as when an employee smokes in an environment that contains hazardous chemicals, downloads questionable computer files, offers poor customer service that goes viral online. An internal crisis can be managed, mitigated, or avoided if a company enforces strict compliance guidelines and protocols regarding ethics, policies, rules, and regulations among employees.

Crisis Management Coverage

Crisis management coverage is designed to help a business limit the negative impact of events on its reputation. It is an insurance agreement usually made as part of a policy covering technology errors and omissions and Internet property and liability insurance policies.

Previously concerned with reputation management, crisis management coverage is increasingly used to cover expenses incurred to restore confidence in the security of the insured's computer systems in the event of a cybersecurity or data breach. It also covers reputational threats such as product contamination or recall, terrorism, political violence, natural disasters, workplace violence, and adverse media exposure.

Large corporations are the most frequent buyers of crisis management coverage, but any business whose profitability is closely linked to its reputation is a potential customer.