---
name: crisis-management
description: Respond to crises using incident command structure, stakeholder communication, and recovery planning. Use during security breaches, PR disasters, or operational failures.
domain: mindset
---

# Crisis Management

Framework for managing crises: incident command, stakeholder communication, decision-making under pressure, and post-crisis recovery.

## When to Use

- Security breaches or data leaks
- PR disasters or reputation threats
- Operational failures (outages, product defects)
- Financial crises (runway, fraud)
- Legal or regulatory incidents
- **When NOT to use**: Routine issues (use standard processes), or strategic pivots (use change management)

## Crisis Phases

### 1. Detection & Assessment (0-30 minutes)

**Goal**: Confirm crisis, assess severity, activate response.

**Steps**:
1. **Verify**: Is this real? (not false alarm)
2. **Classify severity**: P0 (critical) / P1 (high) / P2 (medium)
3. **Activate incident command**: Who leads? Who's on the team?

**Severity Matrix**:

| Impact | Examples | Response Time |
|--------|----------|---------------|
| **P0** | Data breach, site down, safety threat | Immediate (all-hands) |
| **P1** | Major bug, PR crisis, key customer issue | <1 hour |
| **P2** | Minor bug, isolated complaint | <4 hours |

---

### 2. Containment (30 min - 2 hours)

**Goal**: Stop the bleeding.

**Steps**:
1. **Isolate**: Shut down affected systems, quarantine breach
2. **Communicate internally**: Brief leadership, activate war room
3. **External holding statement**: "We're aware, investigating, will update in X hours"

**Example** (security breach):
- Isolate compromised servers
- Revoke access tokens
- Notify security team + legal
- Draft holding statement: "We detected unauthorized access. Investigation underway. Customer data encryption confirmed. Update in 4 hours."

---

### 3. Response & Mitigation (2-24 hours)

**Goal**: Fix the issue, communicate clearly.

**Incident Command Structure**:

| Role | Responsibility |
|------|----------------|
| **Incident Commander (IC)** | Owns decisions, coordinates teams |
| **Technical Lead** | Diagnoses root cause, implements fix |
| **Communications Lead** | Manages internal/external comms |
| **Legal/Compliance** | Advises on regulatory obligations |
| **Customer Support Lead** | Handles customer inquiries |

**Decision Framework** (when under pressure):
1. **Gather facts** (what do we know for certain?)
2. **Identify options** (2-3 paths, not 10)
3. **Assess risks** (what's the downside of each?)
4. **Decide fast** (IC makes call, team executes)
5. **Communicate decision** (explain rationale)

**Example**:
- **Option A**: Shut down service (safe, but loses revenue)
- **Option B**: Patch live (risky, keeps revenue)
- **Decision**: Shut down for 2 hours (safety > revenue in crisis)

---

### 4. Communication (Ongoing)

**Stakeholder Map**:

| Stakeholder | Message | Channel | Frequency |
|-------------|---------|---------|-----------|
| **Customers** | Impact, timeline, mitigation | Email, status page | Every 2-4 hours |
| **Employees** | Situation, their role, updates | Slack, all-hands | Hourly |
| **Investors** | Business impact, recovery plan | Email, call | Daily |
| **Press/Public** | Official statement, facts only | Blog, Twitter | As needed |
| **Regulators** | Compliance, breach notification | Official channels | Per legal guidance |

**Communication Template**:

> **[Timestamp]**  
> **What happened**: [Brief description of incident]  
> **Impact**: [Who/what is affected]  
> **Current status**: [What we've done so far]  
> **Next steps**: [What we're doing next]  
> **ETA for update**: [Next communication in X hours]

**Key principles**:
- **Over-communicate**: Silence breeds panic
- **Be honest**: Don't minimize or hide
- **Own it**: Take responsibility (no blame-shifting)
- **Show action**: Demonstrate you're fixing it

---

### 5. Recovery (24 hours - 1 week)

**Goal**: Restore normal operations, prevent recurrence.

**Steps**:
1. **Root cause analysis (RCA)**: What broke? Why?
2. **Fix implementation**: Deploy permanent solution
3. **Validation**: Test thoroughly before declaring "fixed"
4. **Post-mortem**: Blameless review (what went wrong, what to improve)

**Post-Mortem Template**:
1. **Timeline**: Incident start → detection → containment → resolution
2. **Root cause**: Technical/process/human factors
3. **Impact**: Customers affected, revenue lost, reputation damage
4. **What went well**: Fast detection, clear comms, team coordination
5. **What went wrong**: Late escalation, missing runbook, unclear ownership
6. **Action items**: Prevent recurrence (with owners + deadlines)

---

### 6. Learning (1-2 weeks post-crisis)

**Goal**: Embed lessons, improve resilience.

**Actions**:
1. **Update runbooks**: Document crisis response (so next time is faster)
2. **Train team**: Simulate crisis (tabletop exercises)
3. **Strengthen systems**: Add monitoring, alerts, redundancy
4. **Rebuild trust**: Customer outreach, transparency report

**Example**: After outage, publish transparency report (what happened, what we learned, what we fixed).

---

## Crisis Communication Principles

### 1. Speed Matters

- **First statement in <1 hour** (even if incomplete: "We're investigating")
- Updates every 2-4 hours (consistent cadence)

### 2. Control the Narrative

- **Proactive > Reactive**: Announce before press finds out
- **One voice**: All comms go through Communications Lead (no rogue statements)

### 3. Show Empathy

- Acknowledge impact: "We know this disrupted your work. We're sorry."
- Avoid legal-speak ("We regret any inconvenience" feels cold)

### 4. Be Transparent

- Share what you know (and what you don't know yet)
- Admit mistakes ("We should have caught this sooner")

---

## Common Rationalizations

| Rationalization | Reality |
|-----------------|---------|
| "It's not that bad, let's not panic customers" | Transparency builds trust. Hiding makes it worse. |
| "We'll figure it out, no need for incident command" | Chaos without clear ownership. Designate IC immediately. |
| "Let's wait until we have all the facts" | You'll never have perfect info. Communicate with what you know. |
| "This will blow over" | Crises compound if ignored. Act fast. |

## Red Flags

- No incident command structure (who's in charge?)
- Delayed communication (>2 hours silence after detection)
- Blame culture (post-mortem points fingers, not systems)
- No runbook (team improvises every crisis)
- Leadership absent (executives MIA during crisis)

## Verification

- [ ] Incident severity classified (P0/P1/P2)
- [ ] Incident Commander designated (owns decisions)
- [ ] War room activated (team assembled, roles clear)
- [ ] Holding statement published (<1 hour from detection)
- [ ] Stakeholders mapped (customers, employees, investors, press)
- [ ] Communication cadence set (every 2-4 hours)
- [ ] Root cause identified (RCA completed)
- [ ] Post-mortem held (blameless, action items with owners)
- [ ] Runbook updated (document what worked, what didn't)
