How to Build a Crisis Management Plan That Actually Works
- Jun 22
- 6 min read
Updated: 21 hours ago
Most organisations have a crisis management plan. Far fewer have one that would hold up on the day it is needed. The gap between the two is rarely a question of effort or intention. It is a question of design: a plan written to be filed and audited behaves very differently from a plan written to be used under pressure.
This article sets out how to build a crisis management plan that works in real conditions. It draws on advisory experience across private clients, family offices, corporates and boards, and on a pattern we see repeatedly, plans that read well in the boardroom and fail in the first hour of a live event. SJ Group International has supported clients through these situations internationally since 2019.
Start with what a plan is actually for
A crisis plan is not a document. It is a way for people to make good decisions when conditions are bad.
It is tempting to treat the plan as the deliverable. The real deliverable is the organisation's ability to lead through a serious event, and the document is only one input into that. A plan that runs to two hundred pages, covers every conceivable scenario and is never opened again has produced an impression of readiness without the substance of it.
The most useful plans are short, clear and built around decisions rather than descriptions. They assume the people using them are tired, working from incomplete information and under scrutiny, because that is the environment a crisis creates. Everything that follows is an expansion of that single design principle. Our wider view of how this fits together is set out in our complete guide to risk and crisis management.
Build the plan on your real risk picture
Generic plans break the moment events deviate from the template.
A crisis plan is only as good as the assessment beneath it. A plan assembled from a generic template will be structured around a generic crisis, and real incidents are never generic. They are ambiguous, cross-cutting and badly timed.
Effective planning begins with an honest understanding of exposure: what could plausibly cause serious harm to this organisation or this family, how those threats interact, and which of them carry consequences severe enough to demand a coordinated response. This is the work of structured risk assessment and prevention, and it is what allows a plan to anticipate the likely shape of an event rather than reacting to it from zero. A plan that is not anchored in the organisation's actual risk picture is a plan for somebody else's crisis.
Define decision-making authority before you need it
The single most valuable line in any crisis plan names who decides.
When an incident begins, the questions that arrive first are not operational. They are questions of authority: who can commit the organisation, who can speak for it, and who decides when those people are unreachable. A plan that does not answer these clearly invites the most damaging failure mode of all, a contested or unclear chain of command at the exact moment speed matters most.
A working plan names a single point of decision-making authority and protects it. It defines deputies for when key people are travelling, unwell or compromised by the incident itself. And it draws a deliberate line between the strategic crisis team, which sets direction and manages stakeholders, and the operational teams handling the detail. Where that line is blurred, senior people are pulled into operational minutiae and stop doing the job only they can do.
Keep the structure simple and the triggers clear
People can follow a simple structure under pressure. They abandon a complex one.
A crisis plan needs a small number of moving parts that everyone understands. At minimum: who is on the crisis team and what each person owns, how an incident is escalated and on what trigger, where and how the team convenes, and how decisions and information are logged.
Escalation deserves particular care, because this is where incidents are most often mishandled. The wrong test is whether operational systems are coping. The right test is whether the event carries strategic consequence, for people, reputation, clients or regulators. An incident can leave every system running and still be the most serious event the organisation faces. Escalation triggers should therefore be defined by consequence, not by operational severity alone. We explore the related boundary in business continuity vs crisis management.
Treat communication as part of the plan, not an annex
In the early stages, poorly judged messaging can create new problems as fast as the incident itself.
Communication is not the final step of crisis management. It is a strategic function from the first hour. A plan should set out who holds communications authority, how confirmed facts are separated from early reporting, and how the organisation avoids the two most common errors: saying too much before the facts are known, and saying nothing while a narrative forms in the absence of one.
This does not require pre-written statements for every scenario, which rarely survive contact with a real event. It requires clarity about principles, channels and authority, so that measured communication is possible at speed. The early hours are where this is tested hardest, a subject we examine in the first 24 hours of a crisis.
Plan for human factors, not just process
People under pressure do not think the way plans assume.
Stress, fatigue and cognitive overload change how even experienced leaders absorb information and make judgements. Under load, people narrow their focus, anchor on early information and overweight the most recent or most vivid report. A plan that ignores this is planning for people who do not exist.
Three measures help. Build in a deliberate decision rhythm, a repeating cycle of situation review, options, decision and record, that slows thinking just enough to keep it sound. Give someone explicit licence to challenge the emerging consensus. And plan for rest and rotation during prolonged incidents, because a leader who has been awake for thirty hours is a risk, not an asset. The strain on senior people is real and lasting, as we discuss in C-suite burnout during a crisis.
Rehearse it, or you do not have a plan
Documentation can be reviewed at a desk. Readiness can only be demonstrated under pressure.
This is the step most organisations skip, and it is the one that separates a real plan from a paper one. A plan that has never been rehearsed is a set of assumptions. Rehearsal is how you discover where authority blurs, where information bottlenecks form and where people revert to their day jobs instead of their crisis roles, while those discoveries are still cheap to make.
Exercising exists on a spectrum, from desktop walk-throughs that test whether people understand the plan, to immersive simulations that test the whole system under realistic, sustained pressure. The immersive end is where genuine readiness is proven; we set out what separates a meaningful exercise from a box-ticking one in what a good crisis simulation actually looks like. SJ Group International delivers these simulations at the Academy at Bylaugh, and our wider approach is set out on our training and preparedness page.
Keep the plan alive
Preparedness is perishable. A plan that is not maintained is quietly expiring.
People change roles, suppliers change, threats evolve. A plan that was thorough three years ago and has not been touched since is, in practical terms, out of date. A working plan is reviewed on a sensible cycle, updated after every incident and exercise, and re-tested when the organisation or its risk picture changes materially. The recovery and review phase of any incident is the single most valuable input into the next version of the plan.
Frequently asked questions
Short answers to the questions asked most often about crisis management plans.
What should a crisis management plan include? At minimum: a clear statement of decision-making authority and deputies, the crisis team's composition and roles, escalation triggers defined by consequence, a communication framework, a decision and information logging method, and a schedule for review and rehearsal. It should be short enough to use under pressure.
How long should a crisis management plan be? Short enough to be opened and used in the first hour. A concise, usable core document supported by a small number of annexes is far more effective than a single exhaustive volume that no one reads during an incident.
How often should a crisis management plan be tested? At least annually, and after any material change to the organisation, its people or its risk picture. Testing should range from desktop walk-throughs to immersive simulations, because each format reveals different weaknesses.
Who should own the crisis management plan? Accountability sits with senior leadership and, in a corporate context, ultimately with the board. Execution can be delegated, but the responsibility cannot. The board's role in risk is to assure itself the plan is sound and tested, not to write it.
About SJ Group International
SJ Group International is a discreet, executive led consultancy supporting clients through security, risk and crisis matters.
SJ Group International advises private clients, family offices, corporates and advisers on security, risk, crisis management and preparedness. The firm is known for calm, senior-level support, discreet delivery, and a practical approach shaped by real-world experience, serving clients internationally since 2019.
If you would like an independent view of whether your crisis management plan would hold under pressure, or help building one that will, we will respond promptly and discreetly.