Crisis Organization When It Counts: When No One Knows What to Do Now

In a crisis exercise last week, the responsible team lead's very first words were: "Wait, where does it say what I'm supposed to do right now?" He meant it seriously. And he was not alone in that.
This situation is not an isolated case. It is a pattern. Crisis organization is not a PDF that you write once and then lock away. Either it functions when it counts – or it does not exist in any meaningful sense.
What Really Goes Wrong in Crises
What I repeatedly see in crises and exercises is not the absence of documents. It is the absence of clear mandates. In the moment when things get serious, almost the same thing always happens: decisions are suddenly discussed rather than made. Responsibilities get renegotiated. Managers want to be involved – out of a sense of responsibility or desire for visibility. And that is precisely what costs time, focus, and effectiveness.
The difference between a crisis exercise that builds confidence and one that reveals weaknesses does not lie in the richness of the documentation. It lies in whether those involved know what they need to do – and whether they have the mandate to do it.
Crisis Organization: More Than Naming Roles
A functioning crisis organization means more than naming roles and defining procedures. Those are necessary steps, but not sufficient. What goes beyond that is clarifying mandates and holding to them – even under stress, even when someone else has a different opinion.
Concretely, this means: Who makes the final decision, even if others disagree? Who is explicitly not involved, to preserve decision speed? Which decisions are pre-delegated so that no one needs to escalate at 3 a.m.? And all of this must be accepted in advance – not for the first time during an incident.
The Role Card as a Practical Instrument
A proven tool for crisis organization is the role card. It contains the relevant information for each crisis role at a glance: decision authority, deputy, communication channels, initial action steps.
Such a card for the typical roles might look like this: Incident Commander (overall responsibility, shutdown decisions, external communication), IT Ops (technical isolation and recovery), Communications (internal and external communication, customer contact), Legal and Data Protection (reporting obligations, legal protection), and Business Unit (subject matter assessment, business continuity).
For each role, decision authority and deputization are clearly defined. That is the difference between a list of roles and a genuine crisis organization.
Practice, Not Just Document
The best crisis organization on paper has limited effect if it is never practiced. Crisis exercises are not a luxury – they are an investment in the company's ability to act when it matters. And they reveal gaps that are not visible in the documentation.
An exercise does not need to be large. Even a two-hour tabletop run-through with the relevant people shows whether the crisis organization holds or not. The most important insights do not emerge in the preparation, but in the moment when decisions must be made under time pressure.
Conclusion: A Crisis Is Not a Place for Consensus
A crisis is not a place for consensus. It is a place for clear leadership under uncertainty. When that clarity is missing, incident response quickly becomes incident discussion. And that is when it becomes clear whether the organization was truly prepared – or whether it had merely produced documentation.
Under NIS-2, a functioning crisis organization is not an optional extra but a mandatory requirement. The question is not whether a crisis will occur. The question is whether the company will be able to act when that moment arrives. That requires mandates, practice – and the willingness to ask uncomfortable questions well before an emergency strikes.
