top of page

Senior judgement

Executive led support delivered with discretion.

Prevention first

Readiness built early, with calm response capability.

Bespoke by design

Tailored around context, priorities and trust.

Coordinated end-to-end

Trusted associates integrated when specialist support is required.

How to reach us

A discreet first step

If you’d like to discuss a situation or assess exposure, we’ll respond  promptly and discreetly.

Risk and Crisis Management: A Complete Guide

  • Jun 7
  • 13 min read

Updated: 21 hours ago

Risk and crisis management is often presented as two separate disciplines. In practice, it is one continuous responsibility: understanding what could harm an organisation or a family, reducing the likelihood of that harm, and responding with control when prevention is no longer enough.

This guide sets out how risk and crisis management works in practice: the relationship between the two disciplines, the full lifecycle from assessment to recovery, the reasons plans fail under pressure, and the role of leadership and governance. It is written from advisory experience, not theory. SJ Group International has supported private clients, family offices, corporates and boards through these situations internationally since 2019, and the patterns described here recur across all of them.

What risk and crisis management means in practice

Beyond the textbook definitions, it is the discipline of protecting what matters before, during and after disruption.

The textbook definitions are straightforward. Risk management is the process of identifying, assessing and treating threats before they materialise. Crisis management is the response when a threat becomes a live event that endangers people, operations, assets or reputation.

In practice, the boundary between the two is rarely clean. A risk that was tolerated quietly for years can become a crisis in an afternoon. A crisis that is handled well often reveals risks that nobody had recorded. The organisations and families that navigate disruption best treat the two as a single capability with different operating modes: a prevention mode, which runs continuously, and a response mode, which activates under pressure.

That capability rests on three things. A realistic understanding of exposure. Structures and people that are genuinely prepared, not just documented. And the judgement to make sound decisions when information is incomplete and time is short. Everything else in this guide is an expansion of those three points. Our Services page sets out how we support each of them.

Risk management vs crisis management

The two disciplines are not rivals or alternatives. One is the condition for the other working at all.

The usual comparison runs: risk management is proactive, crisis management is reactive; one deals with probability, the other with events. That is accurate, but it misses the more useful point. The relationship matters more than the difference.

Good risk management makes crises rarer and smaller. It identifies the exposures most likely to escalate, removes or reduces them where possible, and ensures that what remains is understood and accepted deliberately rather than by default. This is the work of structured risk assessment and prevention: mapping threats, testing assumptions and closing gaps before they are tested by events.

Good crisis management, in turn, depends on the quality of the risk work that preceded it. A crisis team that has never seen a credible threat picture starts from zero when the incident begins. A team that knows its exposures already understands the likely shape of the event, who needs to be informed, and which decisions will arrive first.

The two disciplines also share a failure mode. Both can be reduced to paperwork. A risk register that is updated annually and never discussed is not risk management. A crisis plan that has never been rehearsed is not crisis management. In both cases, the document creates an impression of readiness that the organisation does not actually possess.

The risk and crisis management lifecycle

Assess, prepare, respond, recover: a continuous cycle, not a straight line.

The lifecycle is usually drawn as four phases: assess, prepare, respond, recover. The model is useful as long as it is understood as a cycle. Recovery feeds back into assessment. Every incident, however small, is evidence about where the next one may come from. The sections that follow take each phase in turn.

Phase one: Assess

Understanding exposure honestly is the foundation of everything that follows.

Assessment is where the lifecycle begins, and where many organisations quietly go wrong. The common failure is not the absence of a risk process. It is a risk process that records what is comfortable to record.

A genuine assessment starts with a simple question: what could plausibly cause serious harm to this organisation, this family or this individual? It considers threats across the full range, physical security, personnel, travel, cyber, reputational, financial, legal and operational, and it considers how they interact. A cyber intrusion becomes a reputational event. A personnel issue becomes a legal one. Ransomware, for example, is routinely treated as a technology risk when it is better understood as a whole of business threat, a point we explore in Ransomware Is No Longer an IT Problem.

Useful assessment also distinguishes between likelihood and consequence, and resists the temptation to focus only on what is probable. Low likelihood, high consequence events are precisely the ones that crisis management exists for. Three habits separate strong assessments from weak ones:

  • Testing assumptions rather than recording them

  • Asking who would be affected, not only what would be affected

  • Revisiting the picture when circumstances change, not on a fixed calendar

Assessment is also where senior judgement matters most. Frameworks and matrices structure the conversation, but deciding which risks to treat, tolerate or transfer is a leadership decision. It cannot be delegated to a template.

Phase two: Prepare

Preparedness is the conversion of assessment into capability, and it is where most gaps hide.

Preparation is the phase most organisations believe they have completed and most have not. A plan exists, roles are assigned, contact lists are current. None of that is preparedness. Preparedness is the ability to use those things effectively when conditions are uncertain and the margin for error is narrow.

Real preparation has several layers. Plans and frameworks come first, and they should be short enough to be used under pressure. A two hundred page document is a reference library, not a crisis plan. Clear decision making authority comes next: who can commit the organisation, who can speak for it, and who decides when those people are unreachable. Then come the practical arrangements, communication channels that work when normal systems do not, relationships with external specialists established before they are needed, and a clear understanding of legal and insurance positions.

The final layer is the one most often missing: people who have practised. Plans describe what should happen. Only rehearsal reveals what actually happens: where authority blurs, where information bottlenecks, where individuals revert to their day jobs instead of their crisis roles. This is the focus of our training and preparedness work, and it is the difference between owning a plan and being ready.

Preparedness is also perishable. People move roles, suppliers change, threats evolve. An organisation that exercised thoroughly three years ago and has not touched its arrangements since is, in practical terms, unprepared.

Phase three: Respond

The response phase is where preparation is converted into action, or exposed.

When an incident begins, the quality of everything done beforehand becomes visible within hours. The early period of a crisis is defined by uncertainty rather than control: information is incomplete and often conflicting, expectations for action arrive before the facts do, and pressure builds to be seen to act. We examine this period in detail in First 24 Hours of a Crisis: Why Organisations Often Get It Wrong.

An effective response rests on a small number of disciplines. Establish a single point of decision making authority early, and protect it. Separate confirmed facts from early reporting, and label them accordingly. Control the flow of information so that the crisis team works from one picture rather than several competing ones. Treat communication as a strategic function from the first hour, because in the early stages poorly judged messaging can create new problems as quickly as the incident itself.

Pace matters, but so does discipline. The most damaging early decisions are usually those taken to demonstrate control rather than because they were sound. Equally, indecision carries its own cost. The skill is knowing which decisions must be made now, which can wait, and which should be made provisionally and revisited as the picture improves.

Response is also where structure earns its keep. A clear crisis management framework, team composition, escalation thresholds, meeting rhythm, logging and decision records, does not remove uncertainty. It gives leaders a way to function inside it. Our crisis and incident management support is built around exactly this: calm, executive led structure when conditions are least forgiving.

Phase four: Recover

Recovery is more than restoration. It is where the next crisis is either prevented or rehearsed.

Recovery receives the least attention of the four phases, partly because by the time it begins, everyone is exhausted and the organisation wants to move on. That instinct is understandable and costly.

Recovery has two distinct strands. The first is operational and human: restoring normal activity, supporting the people affected, managing residual legal, regulatory and reputational matters, and rebuilding trust with the stakeholders who watched the crisis unfold. The human strand deserves particular care. Crisis response places sustained strain on senior people, and the effects rarely end when the incident does, a subject we address directly in C-Suite Burnout During a Crisis.

The second strand is learning. A structured, honest review of what happened, covering what the plan assumed, what actually occurred, which decisions held up and which did not, is the single most valuable input into the next assessment cycle. The review must be conducted without blame, or it will produce a sanitised account that protects individuals and misleads the organisation. Done well, it closes the lifecycle loop: recovery becomes assessment, and the organisation enters the next cycle measurably stronger than it entered the last.

Why crisis plans fail under pressure

Most plans do not fail because they are wrong. They fail because they were never tested against reality.

Across sectors and client types, the reasons plans fail are remarkably consistent.

The plan was written for a tidier crisis than the one that arrived. Real incidents are ambiguous, cross cutting and badly timed. Plans built around a single clean scenario tend to break the moment events deviate from it.

Roles that were clear on paper blur in practice. Senior leaders involve themselves more directly than the structure anticipated. Decision making authority becomes contested or unclear. People default to their day to day responsibilities rather than their crisis roles.

The plan assumed information that does not exist. Many plans implicitly assume the team will know what is happening. In the early hours it usually will not, and a plan with no method for operating under uncertainty offers little help.

The plan was never rehearsed. This is the common thread beneath all the others. Documentation can be reviewed at a desk; readiness can only be demonstrated under simulated pressure. Organisations that exercise their plans find these failure points in a controlled environment. Organisations that do not find them live.

The human factors: decision making under pressure

Crises are decided by people, and people under pressure do not think the way plans assume.

Process matters in a crisis, but the decisive variable is human. Stress, fatigue and cognitive overload change how even experienced leaders absorb information and make judgements. Under pressure, people narrow their focus, anchor on early information, seek confirmation of what they already believe, and overweight the most recent or most vivid report. None of this is a character flaw. It is how human cognition behaves under load, and risk and crisis management has to be designed around it rather than in denial of it.

Several practical measures help. Structured decision making, a deliberate rhythm of situation review, options, decision and record, slows thinking just enough to keep it sound. A designated challenge function gives someone explicit licence to question the emerging consensus. Disciplined rotation and rest protect judgement during prolonged incidents; a leader who has been awake for thirty hours is a risk, not an asset. And separating the strategic crisis team from operational incident response keeps senior people from being consumed by detail others should be handling.

Above all, exposure helps. Leaders who have experienced realistic pressure in an exercise environment recognise their own responses when the real event arrives. That self knowledge, knowing how you personally behave under stress, is one of the most underrated assets in crisis leadership, and it is central to what we build at the Leadership Academy.

Crisis simulations and exercising

Exercising is the only reliable way to find out whether preparedness is real.

If preparation is the conversion of assessment into capability, exercising is the audit of that conversion. It is the point at which an organisation discovers whether its arrangements work, before events make the discovery for it.

Exercising exists on a spectrum. Desktop walkthroughs test whether people understand the plan. Scenario discussions test judgement against a developing situation. Full immersive simulations test the whole system, structure, communication, decision making and human response, under realistic pressure, with injects, time compression and incomplete information. Each format has value, but only the immersive end of the spectrum reveals how people genuinely behave when conditions are unforgiving. We set out what separates a meaningful exercise from a box ticking one in What a Good Crisis Simulation Actually Looks Like.

A good exercise has three characteristics. It is built on scenarios drawn from the organisation's actual risk picture, not generic templates. It is allowed to go wrong, an exercise everyone passes comfortably has been designed to flatter, not to test. And it ends with a structured debrief that converts observations into specific changes to plans, structures and training.

SJ Group International delivers immersive simulations at the Academy at Bylaugh, our dedicated environment at Bylaugh Hall, where leadership teams can be tested against realistic, sustained pressure away from the distractions of their own offices. The setting matters less than the principle: rehearsal under conditions that resemble reality is the strongest predictor of performance when reality arrives.

When to bring in external advisers

The right time to involve outside expertise is almost always earlier than organisations think.

Most organisations consider external crisis support only once an incident is underway and internal capacity is visibly overwhelmed. Advisers can still add significant value at that point, but the options are narrower than they would have been a week, or a year, earlier.

There are three natural points to bring in external advice. Before any incident, advisers add independence: an external assessment of risk exposure and crisis arrangements is free of the internal assumptions and politics that quietly shape in house reviews. During an incident, they add capacity and judgement: experienced practitioners who have managed many crises bring pattern recognition that no internal team, however capable, can develop from its own organisation's limited history. They also absorb workload, allowing leaders to lead rather than coordinate. After an incident, they add candour: an external review can say what internal reviewers cannot.

The honest indicators that external support is needed include a crisis plan that has never been independently tested, an incident that touches domains outside the team's experience, a situation with significant legal, regulatory or media exposure, or simply a leadership team stretched past the point of sound judgement. We examine these triggers in more depth in When to Bring in External Crisis Advisers.

Discretion is part of the calculation. For many clients, particularly private clients and family offices, the involvement of advisers must itself remain confidential. executive led, discreet delivery is not a stylistic preference in this field. It is an operational requirement.

Private clients and family offices vs corporates

The principles are identical. The exposures, structures and sensitivities are not.

Risk and crisis management for a listed company and for a private family rest on the same fundamentals: honest assessment, genuine preparation, disciplined response, deliberate recovery. The application differs in important ways.

For corporates and boards, the framework is shaped by governance and obligation. Regulatory duties, disclosure requirements, insurance conditions, employee duty of care and shareholder expectations all constrain and structure the response. The crisis team is usually an established body with defined roles, and the central challenges are speed, coordination across functions, and the quality of decision making under scrutiny.

For private clients and family offices, the picture is different. The "organisation" may be a family, a household staff, a network of advisers and a set of structures across several jurisdictions. Exposures are personal as well as financial: privacy, physical security, travel, reputation, kidnap and extortion risk, and the particular vulnerabilities that come with visible wealth. There is often no formal crisis structure at all, and the people involved did not choose a career that includes incident response. Discretion is paramount, because for a private family, publicity is frequently the crisis. Law firms and insurers, who often sit alongside these clients, face their own version of the same challenge: managing crises on behalf of others while protecting privilege and confidentiality.

These differences change how the work is done. The structures are lighter, the relationships more personal, the confidentiality requirements absolute. But not what the work is. Our client base spans both worlds, and the cross pollination is valuable in both directions: corporate discipline strengthens private arrangements, and the private world's instinct for discretion improves corporate response.

Governance and the board's role

Risk and crisis management is a board responsibility that cannot be delegated away.

In a corporate context, ultimate accountability for risk and crisis management sits with the board. Directors can delegate the execution. They cannot delegate the responsibility. Yet board engagement with risk is often ritualised: a register reviewed annually, a heat map noted, a continuity plan confirmed to exist.

Effective governance asks harder questions. Does the board actually understand the organisation's principal exposures, or does it understand a summary of them? Has the crisis framework been tested under realistic conditions, and what did the test reveal? Who holds decision making authority in an incident, and is the board's own role, support, oversight, or restraint, defined before it is needed? We set out the conversation in detail in The 5 Questions Every Board Should Be Asking About Risk.

The board's role during a live crisis deserves particular attention, because it is where well intentioned governance most often does harm. A board that demands constant briefings, second guesses the crisis team or inserts itself into operational decisions adds load precisely where load is most dangerous. The disciplined model is clear: the executive crisis team manages the incident; the board assures itself that the response is sound, supports the major strategic calls, and holds its scrutiny for the review. Boards that have rehearsed this division of labour in an exercise environment hold to it under pressure. Boards that have not, usually do not.

Frequently asked questions

Short answers to the questions asked most often about risk and crisis management.

What is crisis management? Crisis management is the structured response to an event that threatens an organisation's people, operations, assets or reputation. It covers the activation of a crisis team, decision making under uncertainty, stakeholder communication and the coordination of the response through to recovery. It is the "response mode" of a wider risk and crisis management capability.

What is the difference between risk management and crisis management? Risk management is proactive: it identifies and reduces threats before they materialise. Crisis management is reactive: it responds when a threat becomes a live event. The more useful point is the relationship, strong risk management makes crises rarer and smaller, and gives the crisis team a head start when one occurs.

What are the stages of the crisis management lifecycle? The lifecycle is usually described as four phases: assess (understand exposure), prepare (build plans, structures and trained people), respond (manage the live incident) and recover (restore normality and learn). It is a continuous cycle, lessons from recovery feed the next assessment.

Why do crisis management plans fail? Most plans fail not because they are badly written but because they were never tested under realistic pressure. Common failure points include unclear decision making authority, roles that blur in practice, assumptions of information that does not exist in the early hours, and human factors, stress, fatigue and cognitive overload, that the plan never accounted for.

When should an organisation bring in external crisis advisers? Earlier than most do. External advisers add the most value before an incident, through independent assessment and exercising, and during an incident when the situation exceeds internal experience, carries legal or media exposure, or has stretched the leadership team past sound judgement.

Building genuine readiness

The organisations and families that weather crises well decided to be ready long before they needed to be.

Risk and crisis management is not a document, a department or a course. It is a continuous discipline: assess honestly, prepare properly, respond with control, recover deliberately, and feed every lesson back into the cycle. The work is unglamorous and the return is invisible right up until the day it is decisive.

If you would like to discuss your organisation's exposure, test whether your current arrangements would hold under pressure, or talk through a situation that is already developing, we will respond promptly and discreetly.

 
 
bottom of page