Respond Swiftly and Effectively to Crises With a Crisis Management Plan

A crisis management plan is essential for responding swiftly and effectively to various crises, including IT and non-IT events. Use this brief primer to understand why it's essential to have a crisis management in place, and the steps necessary to navigate through and recover from a current crisis as well as better prepare your organization for future crises as an IT leader.

Crises – such as the 2025 wildfires in California – are rarely unprecedented. Security breaches, natural disasters, active shooters, and pandemics have all, unfortunately, happened before, often with similar patterns and challenges. While it’s impossible to predict every specific crisis or its full impact, effective planning lays the framework to respond to a wide range of crises, so you’re prepared when one does occur.

While many crises are IT events (e.g. a security breach), IT also has a critical role in non-IT crises that impact the organization. In non-IT events, IT leaders’ experience in assessing and managing incidents, from security breaches to IT failures, can be transferred to crisis assessment and management. In addition, IT is critical to supporting crisis communication and the organization’s operational response.

But it’s not enough for IT to have a solid disaster recovery or business continuity plan in place, which mainly focus on how to resume normal operations following an incident. A crisis management plan, on the other hand, guides the organization’s initial response, assessment, and action to manage and minimize the impact of the incident as best as possible.

Crises can hit any organization at any time. Ideally you already have a crisis management plan in place in the event you need it, but if not, there are still actions you can take to lessen the repercussions. This note aims to guide IT leaders through Info-Tech’s research on preparing for, navigating through, and recovering from crises.

Dealing with a current crisis:

If you’re expecting or in the midst of a crisis already, use this checklist to navigate IT’s role:

1. Swiftly identify, escalate, and assess the crisis
   • Escalate the incident to appropriate first responder teams.
   • Execute any evacuation or emergency response plans as appropriate.
   • Determine whether to call a meeting of the full crisis management team (CMT).
   • Establish a command center and emergency communication channels.
   • Assess the current and potential impact of the crisis with the CMT (estimated duration as well as financial, customer, legal, and goodwill impact).
   • Decide whether you need to invoke your BCP or DRP as part of your response.
   • Identify initial incident response actions.

For more guidance, see Example Crisis Management Process Flowcharts (PDF).

2. Initiate and coordinate your crisis response
   • Ensure health and safety remain a priority throughout the response.
   • Decide on communication strategy and implement your crisis communication plan (see Step 3).
   • If BC/DR declaration criteria were met, declare a disaster, then:
     • Invoke business continuity plans to recover business processes.
     • Invoke IT disaster recovery plans to recover IT applications and systems.
   • Launch an operational response team to address the specific requirements of this crisis (e.g. similar to what leadership teams did to address the specific requirements of the COVID-19 pandemic beyond business continuity actions).

For more guidance, see Emergency Response Plan Checklist.

For more guidance, see Emergency Response Plan Staff Instructions.

3. Effectively communicate with all relevant parties
   • Conduct baseline communications with key stakeholders: tell them what happened and what is being done about it, provide any relevant instructions to protect themselves, and express concern for any victims of the crisis.
   • Develop additional messaging based on the type of crisis and crisis response.
   • Internal communications must be sent to Crisis Communications Lead for review and approval before distribution.
   • External communications must be sent to Lead and CMT before distribution
   • Distribute communications through multiple channels.
   • Ensure that internal employees are kept up to date and provide guidelines for media inquiries and other external communications.

For more guidance, see Crisis Communication Guidelines and Templates.

4. Continuously manage and evaluate the ongoing crisis
   • Continuously evaluate the effectiveness of the crisis response based on updates from the teams implementing the response and adjust the response accordingly.
   • Maintain communication with all stakeholders.
   • Document all actions taken during the crisis – this will be important for post-crisis lessons learned and potentially any official reviews of actions taken.

5. Structure organizational learning
   • Review lessons learned from the crisis and your response and use that to update your crisis management (and BC/DR) plans accordingly.
   • Summarize to stakeholders the resolution and steps taken to prevent future occurrences (or improve your response to them).
   • Plan and conduct exercises, testing, awareness campaigns, and training to help ensure crisis management capabilities are maintained and participants understand and can fulfill their roles in the future.

For more guidance, see Organizational Learning Guide.

Preparing for the next crisis:

1. Identify potential crises relevant to your organization
   • Anticipation is a prerequisite for preparation: you’ll have a higher chance of mitigating or preventing the impact of a possible event if you’ve previously anticipated and planned for it.

Leverage Step 1.1 of Implement Crisis Management Best Practices.

2. Form a crisis management team
   • During a crisis, the CMT will manage the incident with all teams reporting to them. Clearly establish the roles and responsibilities of that team (and specialist sub-teams) and ensure everyone understands and can fulfill their role.
   • Create local teams if you have multiple locations to ensure the most timely response.
   • Select and train your designated spokesperson for media communications.

Leverage Step 1.2 of Implement Crisis Management Best Practices.

3. Develop crisis management plans and communication strategy
   • Leverage Info-Tech’s resources to define and document your emergency and crisis response plans and communication guidelines so you’re well-prepared for the next crisis.

For more guidance, see Emergency Response Plan Summary.

For more guidance, see Crisis Management Plan Summary Example.

4. Conduct training and promote awareness
   • Educate the organization’s users on their role in key aspects of the crisis management plan, including emergency response plans. This may include training for high-risk scenarios, identifying local emergency coordinators, and using awareness weeks (e.g. hurricane awareness) to remind staff of emergency procedures.

5. Establish monitoring and early warning systems
   • Don’t wait to be notified that a crisis is already happening – do what you can to prevent them or be alerted early to potential threats. Implement monitoring tools and technology (e.g. AI wildfire monitoring platforms) and set up alert systems to ensure you can act as rapidly as possible.

6. Review and update regularly
   • While we hope your crisis management plan will never need to be used, don’t let it collect dust either. Periodically review, test, and update your plans to ensure they remain relevant and effective.
   • If your BC and DR plans aren’t up to date, now’s the time to review and update those too to ensure critical business functions can continue and IT services can be restored in a timely manner.

For more guidance, see Implement Crisis Management Best Practices.

Key takeaways

• Be prepared: Anticipate potential crises that could impact your organization, and build a solid crisis management plan that can adapt to various types of crises and allow you to respond to them swiftly and effectively – whether they are IT-related or not.
• Crisis communication is a science: Crisis communication is about more than being a good writer or having a social media presence. There are specific messages that must be included, and specific audiences to target, to get the results you need.
• Don’t assume lightning can’t strike twice: Nobody is immune to disasters and crises, and if it happened before it could happen again. Take the lessons learned from your response to improve your plan for next time, and invest in training and awareness for the rest of the organization so they’re also prepared.

Relevant Resources

Implement Crisis Management Best Practices