What is crisis management? learning how to manage during a crisis.

crisis-management-คือ
crisis-management-คือ

What is crisis management? Learn how to manage during a crisis to ensure business continuity.

Crisis Management refers to handling crises that may occur at any time within an organization. In today’s fast-changing and uncertain business world, understanding how to manage crises is essential. In the previous article, we explored the concept of business continuity. What BCMS is and what a BCP entails. This article will help us understand what crisis management is, why it is important for organizations, and how it relates to emergency plans and business continuity.

What is Crisis Management ?

Crisis Management, according to the ISO 22361 definition, is coordinated activities to lead, direct, and control an organization during a crisis. A crisis is defined as unstable condition involving an impending abrupt or significant change that requires urgent attention and action from the organization to protect lives, property, resources, or the environment.

Crisis vs Incident What are the differences?

The term “crisis” is often mistakenly used to refer to events that are merely incidents. Many organizations may still be confused between these two terms, which can affect planning and the appropriate use of response strategies. An incident, as defined by ISO 22361, is an event that can be, or could lead to a disruption, loss, emergency, or crisis. As you can see, this definition is clearly different from that of a crisis mentioned earlier. You can refer to the table below for a summary of the differences between a crisis and an incident.

crisis-vs-incident

Where does the "Crisis" come from? Origin of the crisis

Many people may have wondered: How does a crisis occur? So, we’ve summarized the initial causes that can lead to a crisis below:

  1. An unexpected disruption with potentially severe consequences that requires the involvement of the strategic team.
  2. Mismanagement and business volatility that escalate incidents into full-blown crises.
  3. The surfacing of deep-rooted, overlooked issues within the organization that pose a direct threat to brand integrity and corporate reputation.

Minor incidents can rapidly evolve into organizational crises if there is a lack of proactive planning and robust business continuity strategies.

response continum EN
An image showing business impact and response continuum.

7 key principles of crisis management

Effective crisis management relies on seven key principles, as recommended by ISO 22361, to establish a strong foundation for organizational crisis preparedness and response, as follows:

1. Governance

To ensure the organization has a well-structured response system and employees clearly understand their roles and responsibilities during a crisis.

2. Strategy

Crisis management requires commitment and leadership from top management, including setting objectives, allocating resources, and ensuring that response strategies align with the nature of the crisis and the organization’s prioritized activities.

3. Risk Management

Effective crisis management is built upon a strong foundation of risk management, including continuous monitoring and assessment of risks and incidents, and timely responses before they escalate into full-blown crises.

4. Decision-Making

Effective decision-making requires proper information management, a clear understanding of the situation, and consideration of stakeholder needs.

5. Communication

Crisis management requires clear and timely communication with both internal and external stakeholders.

6. Ethics

Organizational values and ethical principles should guide crisis response efforts to build stakeholder trust and protect brand reputation.

7. Learning

Training, drills, and continuous learning help strengthen an organization’s crisis management capabilities.

Crisis Management in 7 steps What are they?

ISO 22361 defines the crisis management process into seven steps as follows:

1. Anticipation

This step aims to identify potential threats or risks that could lead to emergencies within the organization. Examples of activities that organizations can undertake include:

  • Monitoring risks both inside and outside the organization.
  • Risk Assessment
  • Tracking news updates or relying on an Emergency Warning System.

2. Assessment

After identifying potential threats and risks, the next step is to assess the likelihood and impact in order to

  • Evaluate the level of risk based on impact and likelihood.
  • Understand the situation and the impacts of various threats.
  • Prioritize risks.

3. Prevention & Mitigation

This step focuses on preventing threats in order to reduce the likelihood of emergencies and minimize their impact on the organization. Examples include:

  • Implementing control, prevention, and risk reduction measures.
  • Developing policies and procedures for crisis prevention.
  • Mitigating the severity of a crisis through effective communication and stakeholder management.

4. Preparedness

Prepare to respond effectively when a crisis occurs. For example:

  • Develop a crisis response plan.
  • Conduct exercises and simulations.
  • Establish a task force and set up a decision-making system.

5. Response

In the event of a real crisis, it is necessary to

  • Proceed according to the established plan.
  • Communicate clearly with all stakeholders.
  • Make decisions quickly and efficiently.

6. Recovery

Once the crisis is under control, it is necessary to

  • Restore business operations back to normal.
  • Provide support to impacted individuals.
  • Assess the damage and plan for recovery.

7. Continual Improvement

Gain insights from previous crises to

  • Improve plans and processes.
  • Develop the skills of the team.
  • Build an organizational culture that is prepared to handle future crises.
crisis-management-process
7 ขั้นตอนการจัดการภาวะวิกฤต, ISO 22361

Real-world Crisis Management Case Study: The CrowdStrike Incident

If you can recall, around this time last year, a major crisis occurred involving CrowdStrike, a cybersecurity service provider. They released a faulty update to their Falcon software, which caused Windows-based systems to crash and display the Blue Screen of Death (BSOD), or enter an endless reboot loop. This incident disrupted operations across various sectors—including banks, hospitals, media, and airlines—resulting in millions of dollars in damages.

What crisis management lessons have we learned from CrowdStrike?

This incident is considered a significant case study that has attracted widespread attention. We have summarized three key lessons from this event below.

  1. Risk prediction is becoming increasingly difficult in today’s world, where services and solutions are highly complex. Many organizations may have the illusion that they have strong control over their IT systems, but in reality, they often overlook the risks associated with relying on software providers—who can become bottlenecks and single point of failure in the system.
  2. Crisis communication: Although CrowdStrike was able to promptly fix the bug and quickly implement support measures for affected customers, the company still faced heavy criticism. For example, Forbes criticized the crisis communication of the leadership, pointing out a lack of empathy toward those affected and a failure to properly review the software before the update. As a result, the company’s stock dropped by more than 11%.
  3. Reviewing private sector resilience: This incident prompted many sectors in the private sector to reassess the level of dependency their critical operations have on their suppliers. It also led to improvements and the development of new crisis response plans aimed at enhancing recovery capabilities—shifting the focus from merely preventing increasingly unpredictable risks to being able to recover quickly and effectively.
crowdstrike-crisis

Consult on crisis management with InterRisk Asia

From this article, we’ve learned the concept of crisis management—including relevant definitions, principles, and key steps to ensure effective crisis handling. We also explored the CrowdStrike case study, which highlighted the importance of having a Crisis Management Plan, as well as the need to reassess organizational resilience and the level of dependency on critical activities and supply chains. If you’re looking for a consultant in resilience and business continuity—including crisis management—contact the advisory team at InterRisk today, and you’ll be confident that ‘even in a crisis, your organization won’t stumble.

InterRisk Asia is a leading business continuity consulting firm in Thailand, operates under the MS&AD Group from Japan.

Our Services
Business Continuity Consulting
End-to-end consulting for the development of a robust BCMS, with pathways to ISO 22301 certification
Business Continuity Training
Specialized training programs designed for both management and staff to enhance awareness and competency in BCMS practices.
Business Impact Analysis
Analysis of operational risks and disruption impacts to inform the development of targeted continuity strategies.
Business Continuity Plan Exercise
Structured exercises to validate your BCP and strengthen organizational preparedness and response capabilities.
Business Continuity Assessment
Comprehensive review of your existing continuity framework, including performance analysis and improvement recommendations.
Why Choose InterRisk:

Experienced consultants with hands-on BCMS expertise

Customized planning tailored to your business context.

Practical tools and templates, with expert support for testing and improvement.

Whether you're a large corporation seeking assurance or an SME building a foundation, InterRisk is your trusted partner in developing a complete BCP for Turning Risks To Resilience together.

Share:

Let us help you ensure business continuity

Talk to InterRisk and take the first step toward a safer, risk-free business