Business Crisis Drills: When the Team Leader Asks What to Do

The question "Wait, where does it say what I'm supposed to do right now?" sounds harmless. But when a team leader asks it in the middle of a crisis drill, it exposes a fundamental problem: crisis organization on paper is not a real crisis organization. The difference between the two only becomes visible when an actual incident — or its simulation — occurs.
Crisis Drills Reveal What Documents Hide
In crisis drills, what stays invisible during normal operations suddenly comes to light: who actually knows their role? Who makes decisions when the department head is unreachable? In what order does communication flow and to whom? Many mid-sized businesses have emergency plans that were carefully crafted but rarely or never practiced. The result is a security gap that no firewall can close: an absence of operational capability under pressure.
What crisis drills regularly uncover are four recurring weaknesses: roles are vaguely defined, decision paths are undocumented, communication processes are unclear, and the decisive factor — regular practice — is entirely absent. The pattern is recognizable and avoidable.
The Four Most Common Weaknesses in Crisis Organization
Undefined roles: Who is the Incident Commander? Who takes over when the primary person is unavailable? If these questions must be asked during a real incident, valuable time is already lost. An Incident Commander without defined decision-making authority is not an Incident Commander — they are a bottleneck.
Unclear decision paths: In a crisis, every minute counts. Decisions that take hours under normal conditions must be made in minutes during an incident. This requires pre-defined and internalized decision-making structures — not discussions about who is actually responsible.
Missing communication structure: Who informs the board? Who communicates with authorities and data protection regulators? Who speaks with customers and partners, and when? Unresolved communication processes lead to information gaps, contradictory statements, and uncontrolled information leaks.
No practice regime: The only way to validate crisis organization is regular exercise. No document can replace what experience builds. Organizations that have never practiced their crisis response will learn this during a real incident — at a point when there is no second chance.
What Operational Crisis Organization Looks Like
A functioning crisis organization is built on clear role cards that immediately tell each participant what to do. A role card contains at minimum: the role title and area of responsibility, the specific decisions the role may take on its own authority, the designated deputy with current contact details for both primary and deputy, and the escalation path, that is, which role the holder turns to when a decision exceeds their authority or when neither primary nor deputy can be reached. Key roles in an incident response team typically include: Incident Commander, IT Operations, Communications (internal/external), Legal and Privacy, and the affected business unit.
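The consistency checks a drill performs by hand (does every role have a distinct deputy, does every escalation path end at the Incident Commander without looping, who actually acts when the IT lead is unreachable) can also be run against the role cards before the drill. The following is an added example, not code from the original article; the roster, names and authorities in it are constructed sample data, and the RoleCard fields follow the minimum contents listed above.

```python
"""Added example (not from the original article): a small roster model that
checks the role cards described above and simulates a drill injection such as
"the IT Operations lead is unreachable".  All names, roles and authorities
below are constructed sample data, not a real organization."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RoleCard:
    title: str                    # role title
    responsibility: str           # area of responsibility
    authorities: tuple            # decisions this role may take alone
    primary: str                  # person holding the role
    deputy: str                   # designated deputy
    escalates_to: Optional[str]   # next role up; None for the top of the chain


def validate_roster(roster: dict) -> list:
    """Return a list of findings; an empty list means the roster is consistent."""
    findings = []
    tops = [r.title for r in roster.values() if r.escalates_to is None]
    if len(tops) != 1:
        findings.append(f"expected exactly one top of chain, found {tops}")
    for card in roster.values():
        if not card.authorities:
            findings.append(f"{card.title}: no decision-making authority defined")
        if card.deputy == card.primary:
            findings.append(f"{card.title}: deputy is the same person as primary")
        if card.escalates_to is not None and card.escalates_to not in roster:
            findings.append(f"{card.title}: escalates to unknown role {card.escalates_to!r}")
        # walk the escalation chain to make sure it terminates rather than loops
        seen, cur = set(), card.title
        while cur is not None and cur in roster:
            if cur in seen:
                findings.append(f"{card.title}: escalation path loops at {cur!r}")
                break
            seen.add(cur)
            cur = roster[cur].escalates_to
    return findings


def acting_for(roster: dict, title: str, unreachable: set) -> tuple:
    """Who acts for `title` when the people in `unreachable` cannot be contacted?

    Tries primary, then deputy, then the occupants of the escalation target,
    and returns (person, role whose card now applies).  Raises LookupError
    when the whole chain is exhausted, which is itself a drill finding."""
    visited, cur = set(), title
    while cur is not None:
        if cur in visited:
            raise ValueError(f"escalation path loops at {cur!r}")
        visited.add(cur)
        card = roster[cur]
        for person in (card.primary, card.deputy):
            if person not in unreachable:
                return person, cur
        cur = card.escalates_to
    raise LookupError(f"no reachable person for {title!r}: escalation chain exhausted")


# Constructed sample roster (hypothetical people and authorities).
ROSTER = {card.title: card for card in [
    RoleCard("Incident Commander", "overall incident lead",
             ("declare incident", "approve external statements"),
             "A. Keller", "B. Novak", None),
    RoleCard("IT Operations", "containment and recovery",
             ("isolate systems", "revoke credentials"),
             "C. Ruiz", "D. Osei", "Incident Commander"),
    RoleCard("Communications", "internal and external communication",
             ("issue internal updates",),
             "E. Lind", "F. Sato", "Incident Commander"),
    RoleCard("Legal and Privacy", "regulatory assessment and notification",
             ("file regulator notification",),
             "G. Moreau", "H. Tan", "Incident Commander"),
    RoleCard("Affected Business Unit", "business impact and workarounds",
             ("approve manual workarounds",),
             "I. Berg", "J. Ahmed", "Incident Commander"),
]}

# The same roster with two defects of the kind drills tend to uncover:
# deputy equals primary, and an escalation target that exists only on paper.
BROKEN = dict(ROSTER)
BROKEN["IT Operations"] = RoleCard("IT Operations", "containment and recovery",
                                   ("isolate systems",), "C. Ruiz", "C. Ruiz",
                                   "Crisis Board")

if __name__ == "__main__":
    print("findings (clean):", validate_roster(ROSTER))
    print("findings (broken):", validate_roster(BROKEN))
    print("IT lead out:", acting_for(ROSTER, "IT Operations", {"C. Ruiz"}))
    print("IT lead and deputy out:", acting_for(ROSTER, "IT Operations", {"C. Ruiz", "D. Osei"}))
```

The `acting_for` walk is the part worth running before every drill: if a realistic set of absences (holiday, illness, the same person holding two deputy slots) makes it fall through to the Incident Commander or raise `LookupError`, the roster has a gap that the exercise would otherwise find under pressure.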
Regular crisis drills, at minimum annually and ideally semi-annually, are the prerequisite for a crisis organization that actually works when it matters. Every drill surfaces fresh weaknesses: outdated contact details, a changed system landscape, new staff in critical roles. Each finding should get an owner and a deadline and feed directly back into the role cards and plans, so that the next drill tests the corrected organization rather than rediscovering the same gaps.
NIS-2 and the Requirements for Crisis Readiness
For companies subject to NIS-2 obligations, a documented and practiced crisis organization is not optional; it is mandatory. Article 21 of the directive lists incident handling and business continuity including crisis management among the required risk-management measures, and Article 23 sets reporting deadlines for significant incidents: an early warning within 24 hours of becoming aware of the incident, a notification within 72 hours, and a final report within one month. Meeting those deadlines presupposes that the roles, decision paths and communication channels already exist and work. An emergency plan that fails in practice because it was never exercised does not satisfy this requirement.
Building an operational crisis organization does not have to take months. With a structured approach, roles, decision paths, communication processes, and escalation paths can be established pragmatically within a few weeks and validated in an initial drill. The decisive step is to begin — before the next crisis drill reveals that no one knows what to do.
