Heightened focus on cyber attacks, service outages and supply chain disruptions has made crisis management more important than ever, yet also increasingly complex. These new complexities in the business landscape also create opportunities for organisations of all sizes to improve their crisis preparedness.
This document presents a lifecycle approach to uplift organisational resilience and better safeguard employees, customers and assets.
Introduction
Businesses today operate in a digitally interconnected world that offers more opportunities but also introduces greater risks with the potential to disrupt operations. Organisations are still recovering from the impacts of the global pandemic, contending with more advanced cyber threats that cause data breaches and disruptions, and facing greater scrutiny over how they manage their critical vendors. Recent events are a stark reminder of the importance of robust practices for managing crises and strengthening an organisation’s resilience.
From 1 July 2025, regulated entities will be required to comply with the Australian Prudential Regulation Authority’s (APRA) new standard CPS 230 “Operational Risk Management”. CPS 230 extends and replaces the existing APRA Prudential Standards on Outsourcing (CPS/HPS/SPS 231) and Business Continuity Management (CPS/SPS 232). Although CPS 230 applies only to APRA-regulated organisations, it provides best practice guidance for any organisation by integrating operational risk, business continuity, and third- and fourth-party management principles. That integration reflects the growing recognition that an organisation must be prepared to steer through the immediate effects of a catastrophic event that could put its future at risk.
Crisis management involves a structured approach to dealing with disruptive and unexpected events threatening to harm the organisation’s survival.

Prepare
A proactive approach to crisis management can make the difference between a swift recovery and an extended period of damage control. It is in the best interest of any organisation to prepare its senior leadership team for the ‘high intensity’ environment of a crisis. Preparation is critical across the organisation, but particularly relevant for the Crisis Management Team (CMT) and the Board of Directors to not only ensure the crisis is dealt with efficiently, but also that regulatory and societal expectations are met.
Select and clearly define roles and responsibilities of the CMT
Typically, the Executive Leadership Team of the organisation, with additional members included for their subject matter expertise, will step into the role of the CMT to efficiently steer the organisation through a crisis.
Roles and responsibilities will be aligned to the team members’ business units and subject matter expertise.
Establish clear escalation protocols
This includes clear handover points between the teams, individuals and service providers who play a key role in the organisation’s incident management capabilities. Taking an end-to-end view when designing escalation protocols allows organisations to consider up- and downstream impacts where communication could break down, such as unclear notification protocols with service providers. This is particularly relevant for conveying information to management and the Board and identifying where their input is needed to navigate the organisation confidently through the crisis. A documented escalation matrix enables prompt action and more efficient decision making throughout the stages of a crisis, from initial identification and investigation of an incident, to mobilisation of the CMT, response and recovery.
Define communication strategies
Strategies should be readily available and applicable to a variety of crises and business contexts. Identified communication stakeholder groups should be tiered and guidelines established for when to notify them, for example:
- Emergency services, should the safety of individuals be put in question;
- Customers, should they be impacted, e.g. by a disruption of services or because their personal information has been exposed in a data breach (notification of affected individuals is required under the Notifiable Data Breaches scheme of the Privacy Act 1988 where the breach is likely to result in serious harm);
- Regulators like APRA, Australian Securities and Investments Commission [ASIC] (e.g. in case of a notifiable breach), or the Office of the Australian Information Commissioner [OAIC] (e.g. if a data breach involving personal information is likely to result in serious harm);
- Shareholders; or
- Media and public.
Set what constitutes a crisis
Defining triggers enables an organisation to determine whether a crisis response should be mobilised based on the severity of the incident, such as its impact on reputation, operations, compliance, work health and safety, or finances. For financial crises, APRA-regulated entities must also comply with CPS 190 “Recovery and Exit Planning” and CPS 900 “Resolution Planning”, which came into effect on 1 January 2024. When developing crisis criteria and triggers, it is equally important to consider how early warning signs will be monitored so that the crisis management plan is activated promptly once a trigger is met.
Create a comprehensive Crisis Management Plan
This involves aligning existing practices, such as business continuity, incident management and data breach response plans, to ensure a cohesive end-to-end approach and a coordinated response to the identified crisis triggers and scenarios.
Develop supplementary documents
Preparation also includes developing supporting artefacts, such as playbooks, that provide more detailed response strategies for a given scenario. For example:
- Governance templates to speed up action can assist the CMT in maintaining effective oversight during the activation and response phases of a crisis.
- Tactical procedures and communication templates like press releases or holding statements to control messaging.
- Other playbooks that accelerate decision making, such as a ransom payment decision playbook that sets out who may authorise a decision and which legal, sanctions and recovery considerations must be checked before one is made.
Test the crisis response approach
Regular scenario testing ensures that roles, responsibilities and processes can actually be followed during an event. APRA’s new CPS 230 standard highlights the importance of testing programs that cover material service providers in scenarios where critical operations are disrupted. Testing may take the form of a light-touch tabletop exercise or a more complex live end-to-end simulation. In most cases, organisations will choose an approach somewhere in between, subject to their risk appetite, budget and resource constraints. Regular testing is also an opportunity for training and awareness of the stakeholders who play a key role in the process. Inviting the delegates of CMT members to observe helps ensure they are prepared should they unexpectedly need to stand in for members who are unavailable during an event. Additionally, media training will help spokespersons handle the pressure of real media enquiries.
Assess
To enable an efficient crisis response, it is essential that frameworks are in place that allow organisations to promptly assess the impact of an event and therefore determine effective response strategies.
Implement monitoring and incident identification capabilities
Whether through monitoring systems such as network monitoring, social media screening, customer complaints or incidents raised via the helpdesk, it is important to have established capabilities to identify early warning signs of a potential crisis event. These capabilities may also be provided by third parties or through co-sourced arrangements.
Enable prompt assessment of the event
Once the event is identified it is essential to assess and triage the impact to understand the extent of the situation and prioritise actions. This includes:
- Identifying impacted stakeholders, such as staff, customers or regulators;
- Analysing what business functions and systems are disrupted including up- and downstream impacts;
- Assessing the severity of the event, guided by the organisation’s risk appetite; and
- Determining whether the event has caused a potential compliance breach.
Respond
Mobilising the CMT is a critical step to enable a quick and efficient response to a crisis. The CMT takes a key role in ensuring a structured response to recover from the event.
Mobilise the CMT using established notification protocols
This includes planning the resources required to support the CMT, such as a crisis room that serves as an in-person command centre for the CMT to convene in, or access to the systems needed to dial in or retrieve relevant information remotely. Once mobilised, the initial briefing of the CMT members is critical for handing over information, including a full timeline of events, activities and decisions made since the event occurred.
Develop crisis response and actions
Following the analysis of the situation, key priorities and immediate actions must be identified to contain and mitigate the impact, along with strategic response plans to recover.
For example, during a cyber event, immediate actions may include isolating affected systems from the network to prevent the attack from spreading, while preserving logs and other evidence needed for the subsequent investigation.
Ensure proactive and transparent communication to stakeholders
A proactive approach to communicate with internal and external stakeholders including staff, customers, media and regulators is crucial to stay in control of the situation.
Once the situation has been assessed, informing Executives and the Board is a key priority. Staff should be made aware of the situation as soon as feasible so that they can assist in containing it.
Monitor the situation closely and be flexible with the crisis response
The CMT should reconvene as required and adapt response strategies based on new information uncovered. This may be from monitoring of social media, press, customer-facing teams or further incident investigation.
A proactive and transparent information flow is important to keep key stakeholders informed. Internally, this may take the form of regular situation reports which summarise key actions and decisions taken.
Recover
To ensure a smooth recovery, organisations need to assess when operational metrics are acceptable, allowing the CMT to stand down and normal operations to resume.
Determine whether the crisis is over
Crisis response is the immediate effort to manage the detrimental effects of a catastrophic event. Longer term actions needed to fully recover from the crisis may be tracked through the organisation’s business continuity and operational processes.
Once operational metrics have returned to an acceptable level, the organisation may determine the crisis to be over and normal business operations to be resumed.
Stand down the CMT
Once it is determined that operational thresholds are met and business operations can be resumed, the CMT may be stood down and the crisis is officially declared over.
Improve
Reflecting on the response and determining actionable items is critical to enhancing preparedness and to preventing or mitigating the impact of future crises.
Identify learnings for the future
Once the crisis is determined to be over, the CMT should debrief on how the organisation responded to the event.
A Post Incident Review (PIR) is an important activity to identify lessons learnt and opportunities for further improvement. Outcomes should be presented to the Board or governance committees.
Determine post crisis actions
Implement the actions identified to support the organisation in recovering from the event and restoring normal business operations.
Uplift crisis management approach
Incorporate lessons learnt from past incidents into the existing crisis management approach to enhance future crisis preparedness and response.
Conclusion
In a hyperconnected world, crisis management has become increasingly important and top of mind. Yet, despite its growing significance, effectively implementing crisis management remains complicated and challenging. Multiple factors contribute to the difficulty, including:
- An evolving and complex regulatory landscape;
- Increased pressures for senior stakeholders to have greater accountability;
- The sheer number of templates and plans that could be used to streamline a crisis response;
- Increased reliance on critical vendors and other third parties; and
- Practices like regular testing of plans not yet being common for smaller businesses.
While these elements may appear intimidating, they present opportunities for strengthened resilience. Regulatory bodies offer best practice guidance, and clearly defined roles and responsibilities together with ready-to-use documentation allow teams to be mobilised more efficiently in high-pressure scenarios. Additionally, regular testing helps firms practise and validate their crisis readiness. It is imperative that organisations invest in a comprehensive approach to identify, prepare for and mitigate the risks that could eventuate in a crisis.
Effective crisis planning enables organisations to mobilise response efforts faster and more efficiently.
By proactively working through the five stages of preparing, assessing, responding, recovering and improving – organisations are better positioned to protect their employees, customers and assets.

Amstelveen is well positioned to support clients at each stage of the crisis management lifecycle, leveraging our experience and tailored strategies to strengthen organisational preparedness and resilience. Contact us at info@amstelveen.com if you would like to discuss your organisation’s crisis readiness.
A Proactive Approach to Manage Crises

