Every organisation eventually meets a problem its ordinary playbook cannot solve: a data breach, a product recall, a safety incident, a senior figure caught doing something indefensible. That is a crisis: a low-probability, high-impact event that threatens the organisation and forces decisions under time pressure and incomplete information. The hard truth is that most of crisis management is done before the crisis, and most of what wins or loses public trust is decided in the first hours, not the eventual fix.

The quick version

  • Crisis management is the discipline of preparing for, responding to and learning from events that overwhelm normal operations, not just firefighting on the day.
  • A crisis moves through five phases: spotting the warning signals, preventing what you can, containing the damage, recovering operations, and learning. The first two happen long before anything goes wrong.
  • What you should say depends on the type of crisis: whether the public sees you as a victim, as the cause of an accident, or as having brought it on yourself. Responsibility, not severity, drives the response.
  • The move that decides reputation is almost always the same: respond fast and tell the truth. Silence and spin are read as guilt, and they cost more than the original problem.

A crisis has a lifecycle, and most of it is quiet

The instinct is to treat a crisis as a single dramatic event. The research treats it as a process with a beginning long before the headline. The most widely taught map is the five-phase model from Christine Pearson and Ian Mitroff, set out in "From Crisis Prone to Crisis Prepared: A Framework for Crisis Management" (Academy of Management Executive, 1993). Their phases: signal detection (the early warnings a crisis sends before it breaks), preparation and prevention (probing for risks and removing them), damage containment (stopping the harm from spreading once it hits), business recovery (restoring operations), and learning (the honest post-mortem). Mitroff, often called the father of modern crisis management, argued that crises broadcast a "persistent trail" of early warning signals that can be caught while there is still time to prevent them.

So the move is to put your effort where the model says the leverage is: the front two phases, not the dramatic middle. Most organisations are good at containment under adrenaline and weak at the boring prevention work that would have made containment unnecessary. Run a simple crisis audit: list the handful of scenarios that could genuinely overwhelm you, ask who would notice the first warning sign of each, and ask whether that person has any route to raise the alarm. If the answer is "nobody is watching" or "they'd have nobody to tell," you have found your real vulnerability before it finds you.

flowchart LR
  A(["1 · Signal detection<br/>catch the early warnings"]) --> B(["2 · Prevention<br/>probe for risk, remove it"])
  B --> C(["3 · Containment<br/>stop the harm spreading"])
  C --> D(["4 · Recovery<br/>restore operations"])
  D --> E(["5 · Learning<br/>honest post-mortem"])
  E -.->|"feeds back into"| A
Pearson & Mitroff's five phases, the loop most organisations only start at phase 3.

An honest limitation. A neat five-phase loop is a teaching device, not a description of how a real crisis feels. On the day, the phases blur: you are containing, recovering and learning at once, while new signals keep arriving. The model also assumes warning signals are detectable, and some crises (a sudden external shock, a malicious act) genuinely are not. Use the lifecycle to organise your preparation, not as a checklist you expect events to follow politely.

The type of crisis decides what you say

Once a crisis is public, the central question is what to communicate, and the most rigorous answer comes from Situational Crisis Communication Theory (SCCT), developed by W. Timothy Coombs in "Protecting Organization Reputations During a Crisis" (Corporate Reputation Review, 2007). Coombs' insight is that audiences assign blame, and how much they blame you decides which response will actually protect your reputation. He sorts crises into three clusters by how much responsibility the public attributes: the victim cluster (natural disasters, rumours, tampering, workplace violence; you are seen as a victim too), the accidental cluster (technical failures and unforeseen mishaps; minimal blame), and the preventable cluster (human error, misconduct, knowingly cutting corners; strong blame).

The matching response strategies run from deny (it isn't true, or it isn't us) through diminish (it's real but not as bad as it looks, and we didn't intend it) to rebuild (full apology, compensation, asking forgiveness). Coombs' point is to match the strategy to the attributed responsibility, so the move is a practical one: before you draft a word, decide honestly which cluster you are in. If you caused it, denial and minimising will be read as the second offence; the only response that rebuilds trust is to own it and make amends. If you are genuinely a victim, a grovelling apology wrongly concedes fault you don't owe. A central finding of SCCT is that preventable crises do the most reputational damage, which is why pretending a preventable crisis was an accident tends to make things worse, not better.

Audiences forgive the crisis far more readily than they forgive the cover-up. Responsibility, not severity, decides what you should say.

An honest limitation. SCCT was built and tested largely through controlled experiments, and the real world is messier: the "cluster" of a crisis is often contested in public, shifting as facts emerge, and a "rebuild" strategy only works if the apology is believed; a hollow one accelerates the damage. The framework tells you what kind of response fits; it cannot supply the sincerity that makes the response land. Treat it as a compass for your stance, not a script for your sentences.

Speed and honesty beat a perfect statement

If the lifecycle tells you when and SCCT tells you what stance, the practice of crisis leadership tells you how, and the consistent lesson is that the first hours are decisive. In "How to Lead in a Crisis" (TED, 2020), Harvard's Amy Edmondson distils crisis leadership to three behaviours: humility about what you don't yet know, transparency about what you do, and urgency in acting before you have certainty. The temptation is the opposite: wait until you have all the facts and a polished line. But a vacuum gets filled by rumour, and a leader who goes quiet is presumed to be hiding something.

So the move is to communicate early even when the picture is incomplete, and to say plainly what you know, what you don't, and what you are doing to find out. That is not a licence to speculate; it is a discipline of frequent, honest updates over one perfect statement that arrives too late. Name a single spokesperson so the organisation speaks with one voice, brief them on the SCCT stance, and let them keep talking as the facts move. The obvious objection, "but our lawyers will never allow it", is real: legal caution and reputational survival genuinely pull against each other. The answer isn't to ignore counsel but to get legal and communications in the same room early, so the cautious version is still fast and human rather than silent.

A worked example

Take a mid-sized online retailer, call it Harbour & Co. (Illustrative scenario; not a real company or incident.) On a Friday evening, a security researcher emails support to say customer email addresses and order histories appear to be exposed through a misconfigured server. By Saturday morning it is circulating on social media. The instinct in the room is to wait for the forensic report before saying anything.

Run it through the toolkit. Which phase? Containment: the leak must be plugged first, so the immediate technical job is to take the exposed service offline. Which cluster? A misconfiguration the company should have caught is the preventable cluster, even if no one acted maliciously, so denial and "no evidence of misuse" hedging will read as evasion. The honest stance is rebuild: acknowledge, apologise, and tell affected customers exactly what was exposed and what to do. Speed and honesty? Harbour publishes a short, plain statement on Saturday afternoon (what happened, what data was involved, that no payment details were exposed, what they have done, and where to get help), naming one spokesperson and promising the next update by a stated time. They keep that promise even when the update is only "still investigating."

flowchart TD
  A(["Breach surfaces<br/>Saturday morning"]) --> B{"Wait for the<br/>full forensic report?"}
  B -->|"Wait & stay silent"| C(["Rumour fills the gap<br/>silence read as guilt"])
  B -->|"Contain, then tell the truth fast"| D(["Plug the leak ·<br/>one spokesperson"])
  D --> E(["Preventable cluster<br/>→ rebuild: own it, apologise"])
  E --> F(["Frequent honest updates<br/>trust preserved, then rebuilt"])
The fork that decides the outcome: not the breach itself, but the choice between silence and fast honesty.

The breach still cost Harbour money and a hard week. But the version of events the public remembers is "they told us quickly and straight," not "they hid it and got caught." Reverse the order (wait, minimise, blame the researcher) and the same technical incident becomes a reputation crisis that outlives the bug by years. The fix was always going to be the same patch; the difference was made entirely by the response.

Frequently asked questions

What's the difference between an incident, an emergency and a crisis?

Roughly: an incident is handled by normal procedures, an emergency is urgent but still within your playbook, and a crisis is the point where the playbook itself stops working: it threatens the whole organisation, demands decisions under uncertainty, and pulls in leadership rather than just the on-call team. The practical signal that you've crossed into a crisis is when "follow the process" is no longer a sufficient answer.

How is crisis management different from business continuity or risk management?

They overlap and feed each other. Risk management identifies and reduces threats before they materialise; business continuity is the operational plan for keeping critical functions running when something disrupts them; crisis management is the broader leadership and communication response when an event overwhelms normal operations, including the reputational dimension that continuity plans often skip. You want all three, and you want them to know about each other.

Do we really need a crisis plan if a real crisis never goes to plan?

Yes, but the value is in the preparation, not the document. No plan survives contact with the actual event, yet the act of planning builds the muscle that matters on the day: knowing who decides, who speaks, and where the warning signals would come from. A rehearsed team improvising beats an unprepared team reading a binder. Run a tabletop exercise once a year and the plan earns its keep even when reality ignores it.

Should we apologise if our lawyers are worried about admitting liability?

This is a genuine tension, not a false one, and the specifics are jurisdiction-dependent; take qualified legal advice for your situation. As a general principle, expressing concern, care for those affected and a commitment to put things right is not the same as a legal admission of fault, and many organisations find a human, early acknowledgement reduces both reputational and legal exposure. The failure mode is letting "say nothing" win by default; get legal and communications working together early rather than in opposition.

When is the crisis actually over?

Not when operations resume, but when you've learned. Pearson and Mitroff's fifth phase exists because the most expensive crises are the ones an organisation survives without changing anything, only to repeat. Treat the post-incident review as a blameless examination of how the warning signals were missed and what would catch them next time. A crisis you learn nothing from is a down-payment on the next one.

Related in the Toolkit

Crisis management is where risk work is tested under fire: the threats you mapped in risk identification & assessment are the warning signals Pearson and Mitroff want you to catch early, and the appetite you set in enterprise risk management decides which crises you've chosen to prevent versus accept.
