JOnline: An Introduction to Crisis Management 

“Businesses operate in an increasingly risky environment.”1 As an illustration, research shows that more than 60 percent of small and medium-sized enterprises (SMEs) in Switzerland and in the European Union (EU) experience some form of disaster.2

Creating and maintaining a business continuity plan increases awareness of threats, prepares the organization for potential disruption and helps ensure that the organization has the resources and information needed to deal with such emergencies.3

To set up and manage an effective business continuity management system, an organization needs to define a risk assessment process that will enable it to understand the threats to, and vulnerabilities of, its critical activities and supporting resources. It is necessary to assess the impact that would arise if an identified threat became an incident and caused a business disruption.4

For each of its critical activities, an organization should determine potential loss mitigation and risk treatments that:5

  • Reduce the likelihood of a disruption
  • Shorten the period of disruption
  • Limit the impact of a disruption on its key products and services

Nevertheless, one should bear in mind that risk events are about the future, which cannot be predicted. Regardless of the time spent, one simply cannot identify all risk in advance. The best one can do is to make educated guesses preparing for the most likely happenings that will make the biggest impact on the organization.6

Risk that is not identified, or at least not identified with the scale and intensity it presents, can produce a crisis. Crises may also be the product of an unforeseen combination of interdependent risk. They develop in unpredictable ways, and the response usually requires genuinely creative, as opposed to prepared, solutions.7

The roles of strategic management are amplified during a crisis. They are likely to include direct intervention and decisive strategic leadership that cannot be preconceived. They may even include strategic repositioning of the organization as a whole, and for that reason, crisis management is the domain of top management.8 Organizational change is about making alterations to the organization’s purpose, culture, structure and processes in response to seen or anticipated changes in the environment, which can be especially significant during a crisis. Strategic management of change is all about identifying and embedding in the organization those changes that will ensure the long-term survival of the organization.9

Publicly Available Specification (PAS) 200:2011 Crisis management. Guidance and good practice, recently published by the British Standards Institution, is a practical guide to establishing good practice on crisis management. It provides guidance to help organizations of any size or sector develop and implement a crisis management capability. This article introduces some of this guide’s recommendations.

Defining Crises

PAS 200:2011 defines a crisis as an “inherently abnormal, unstable and complex situation that represents a threat to the strategic objectives, reputation or existence of an organization.”10

“Crises are not synonymous with incidents, and it is argued that their management presents special challenges that require different approaches.” PAS 200:2011 clarifies that “incidents are said to have ‘structure’ because they are produced by identifiable and assessable risks and present themselves in fairly predictable ways.” Furthermore, “as with the majority of risks that concern business continuity management (BCM) planning, even the most challenging and serious incidents generally lend themselves to preprepared responses.”11

Crises could stem from an incident, but not necessarily.12 Some suggest that one can “assume that a crisis is reached when the organization moves beyond its abilities to contain the task demands of the ‘event’ and it escalates still further beyond the limits of contingency plans.”13 (See figure 1.)

Because crises are not synonymous with incidents, PAS 200:2011 explains that crisis management is very different from incident management: “[Crises] develop in unpredictable ways, and the response usually requires genuinely creative, as opposed to preprepared solutions. Indeed, it is argued that preprepared solutions (of the sort designed to deal with more predictable and structured incidents) are unlikely to work in complex and ill-structured crises. They may, in fact, be counterproductive.”14

As crisis management is about making major strategic decisions in abnormal, unstable and complex situations, a lengthy and complicated manual of the sort familiar to incident managers would be more of a hindrance than a help. The crisis management plan “is not a guide as to what to do next in a given situation” but rather a framework in which good decisions can be taken.15

Crisis Typology

Because the types of crises are limitless,16 they can, for better analysis, be divided into two main categories: industrial and natural crises. “It is necessity to make this distinction as natural crises are created by acts of nature, whereas industrial crises are situations in which organized industrial activities are the source of major damage to human life and natural and social environments.”17

From a different perspective, PAS 200:2011 suggests a crisis typology of sudden and smoldering crises. Sudden crises “are characterized by their immediate onset. They tend to be unanticipated and escalate very quickly, often as a result of a severe triggering event or incident that may be out of the organization’s control,”18 while smoldering crises are those for which the “common feature is that impact on the organization and its stakeholders grows, sometimes undetected, over a period of time, whilst indicators of potential crisis are possibly missed, denied, ignored or misunderstood.”19

It is generally accepted in the literature of crisis management that most crises are of the smoldering type. This makes a good case for developing a facility for systematic examination of potential threats, opportunities and future developments, which may have the potential to create new risk or change the character of risk already identified, so that potential and emerging threats may be identified, assessed and mitigated as early as possible.20

Crisis Management Capability

PAS 200:2011 is very clear that it is not prescriptive about solutions. There are no checklists, nor should there be, as good practice in crisis preparedness is something that each organization needs to develop within its own unique context. PAS 200:2011 provides a framework within which a company can do this thinking. In particular, PAS 200:2011 provides “the four basic requirements of capability:”21

  • An intellectual requirement, which includes the ability to analyze situations, set strategy, determine options, make decisions and evaluate their impact. It also includes the shared concepts that underpin the discipline of crisis management.
  • An organizational requirement, which includes the structures and processes needed to translate decisions into action and review their impact
  • A cultural requirement, which reflects the willingness of staff to share and support the top managers’ intentions and policies
  • A logistic requirement, which reflects the ability to support solutions by applying the right resources in the right place, at the right time

Crisis Warnings

Before they occur, the majority of crises send a trail of early warning signals, which announce the possibility that a crisis will take place;22 these signals are sometimes very weak or hard to detect. The following are some limitations of crisis warnings:23

  • Weak or subtle signals
  • Sources of crisis signals not viewed as credible
  • Signals or threats embedded in routine messages
  • Risk/threat messages systematically distorted
  • Signals not reaching the appropriate persons

Companies, like individuals, try to deny their weaknesses. The reasons why organizations do not engage in proper crisis management are often:24

  • Denial—Organizations deny that they might be vulnerable to threats of imminent crisis and, thus, decide that no measure is to be taken.
  • Disavowal—Organizations recognize that a crisis will affect the organization, but its impact is considered to be too small to be taken into consideration; in other words, the magnitude and importance of the crisis are significantly diminished.
  • Grandiosity—Organizations presume that “we are so big and powerful that we will be protected from the crisis.”
  • Idealization—Organizations consider that crises do not happen to good organizations, thus ignoring all existing signals of crisis.
  • Intellectualization—Organizations minimize the probability of occurrence of a crisis.
  • Compartmentalization—The organization believes that if a crisis should affect the company, it will affect only some departments.


Too few organizations take crisis management into account. The capability to manage crises should not be seen as something that can simply be developed as and when needed. The development of the crisis management capability requires a systematic approach.

In developing the crisis management capability, there will be many opportunities for synergy with ordinary business management processes, business continuity arrangements, information security and incident management activities.

Organizations should actively learn from crises that affected the organization or other organizations.

Furthermore, recovery from crisis should be seen as an opportunity to regenerate, restructure or realign an organization. The essence of recovery should not be necessarily a return to previous normality. It may mean moving toward a model of business and organizational structures that represent a new normality.


1 British Standards Institution, Business continuity management and risk management. The role of standards, 2011
2 Dawes, Terry; Wolfgang Mahr; Business Continuity for SMEs, BRaC-2020/Terry Dawes Consulting, 2011
3 Ibid.
4 British Standards Institution, BS 25999-2:2007 Specification for business continuity management, 2007
5 Ibid.
6 Hubbard, Larry; “Skip the Numbers: Assessing Risk Is Not a Math Game!,” New Perspective, February 2009
7 British Standards Institution, PAS 200:2011 Crisis management. Guidance and good practice, 2011
8 Ibid.
9 National Defense University, “Strategic Leadership and Decision Making,”
10 Op cit, British Standards Institution, PAS 200:2011
11 Ibid.
12 The potential origins of crises are diverse. For example, they may be externally generated by changes in the business, political or social environment within which the organization operates, or derived from breaches (perceived or actual) of standards of probity, ethics or corporate responsibility. (PAS 200:2011)
13 Smith, D.; D. Elliot; Key Readings in Crisis Management, Routledge Publishers, USA, 2006, referenced in Yap, Kwong Weng, “Managing Ahead of Crises: Rising Towards a Model of Adaptability,” Pointer Monograph No. 7, 2009
14 Regester Larkin; RL Assessment of PAS 200, 2011
15 Ibid.
16 Cretu, Paula Madalina; Jonathan Puentes Alvarez; Managing Organizational Crises in the Light of Political Unrest, Linköping University, 2010
17 Smith, D.; D. Elliot; Key Readings in Crisis Management: Systems and Structures for Prevention and Recovery, 1st Edition, Routledge Publishers, 2006, referenced in Cretu, Paula Madalina; Jonathan Puentes Alvarez; Managing Organizational Crises in the Light of Political Unrest, Linköping University, 2010
18 Op cit, British Standards Institution, PAS 200:2011
19 Ibid.
20 Ibid.
21 Ibid.
22 Mitroff, I. I.; G. Anagnos; Managing Crises Before They Happen: What Every Executive and Manager Needs to Know About Crisis Management, American Management Association, 2001, referenced in Cretu, Paula Madalina; Jonathan Puentes Alvarez; Managing Organizational Crises in the Light of Political Unrest, Linköping University, 2010
23 Seeger, M. W.; T. L. Sellnow; R. R. Ulmer; Communication and Organizational Crisis, Praeger Publishers, 2003, referenced in Cretu, Paula Madalina; Jonathan Puentes Alvarez; Managing Organizational Crises in the Light of Political Unrest, Linköping University, 2010
24 Op cit, Mitroff

Haris Hamidovic, CIA, ISMS IA, ITIL, IT Project+, is chief information security officer at Microcredit Foundation EKI Sarajevo, Bosnia and Herzegovina. Prior to his current assignment, Hamidovic served as IT specialist in the North Atlantic Treaty Organization-led Stabilization Force in Bosnia and Herzegovina. He is the author of five books and more than 70 articles for business and IT-related publications. Hamidovic is a certified IT expert appointed by the Federal Ministry of Justice of Bosnia and Herzegovina and the Federal Ministry of Physical Planning of Bosnia and Herzegovina. He is a doctoral candidate in critical information infrastructure protection at the Dzemal Bijedic University, in Mostar, Bosnia and Herzegovina.

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2012 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.