Hybrid Cloud
Cybersecurity
Data & AI
IoT & Connectivity
Business Applications
Intelligent Workplace
Small Medium Enterprise
Health
Industry
Retail
Tourism and Leisure
Transport & Logistics
Energy & Utilities
Banking and Finance
Smart Cities
Public Sector
Crisis management in business continuity: how to respond when systems fail
What crisis management means in the context of business continuity
Crisis management is the discipline that governs decision-making and organisational communications during an active disruption. It operates in the space between detection and recovery: the period in which the business continuity plan (BCP) has been activated, technical teams are working to restore systems, and leadership must make critical decisions with incomplete information and limited time.
■ What distinguishes companies that manage crises effectively from those that do not is rarely the sophistication of their technology. It is almost always the quality of their preparation.
- Who has the authority to declare a business continuity incident?
- How is that declaration communicated?
- Who communicates with customers, regulators, the media and employees, and what do they say?
The most common weak point: crisis communication
The crisis communication plan is one of the most consistently overlooked components of business continuity management (BCM).
Organisations invest in backup infrastructure, replication technology and recovery automation, only to discover, at the moment they need it most, that their crisis communication plan assumes the availability of email systems that are down, contact lists stored in inaccessible systems and communication protocols known only to people who are unavailable.
If crisis communication depends on systems that fail during a crisis, there is no crisis communication plan. There is only a procedure for business as usual.
Effective crisis management therefore requires:
- A pre-designated crisis management team with clearly defined roles.
- A communication channel independent of the systems most likely to be affected.
- Pre-approved messaging frameworks for different types of incidents.
- Regular simulation exercises that test not only technical recovery, but also the human decision-making process under pressure.
⚠️ When was the last time the crisis management team conducted a crisis simulation exercise involving senior executives and key departments (communications, legal, IT...) to assess decision-making and communication under pressure?
Trust and reputation during a crisis
There is a dimension of organisational disruption that does not appear in RTO/RPO calculations, is not reflected in technical recovery metrics and is often absent from BCM programme reviews: the impact on trust.
When an organisation fails to maintain its services, communicate transparently with stakeholders (employees, customers, partners, shareholders, regulators, suppliers...) or recover within the timeframes to which it has implicitly or explicitly committed, the damage becomes reputational as well as operational.
Various studies on corporate communication and reputation management highlight the importance of corporate reputation as a strategic asset with a significant impact on organisational performance.
Subsequent developments in stakeholder theory and crisis communication point to a conclusion that should be fundamental to business continuity management governance: the speed and quality of communication during a crisis determine reputational outcomes as much as, and sometimes more than, the technical facts of the incident itself.
■ Companies that communicate proactively and transparently during a disruption by acknowledging the incident, honestly describing its scope, providing realistic recovery timelines and keeping stakeholders informed as the situation evolves tend to emerge from crises with less reputational damage than organisations that communicate reactively, minimally or inaccurately.
The latter often find that the communication failure becomes the story, overshadowing the original incident.
Reputation and trust in business continuity: critical connections
- Stakeholder trust is eroded more quickly by a communication failure than by a technical failure.
- Transparent and timely communication during a disruption demonstrates organisational competence, not weakness.
- Post-incident communication (what was done, what was learned, what changed) rebuilds trust more effectively than silence.
- Business continuity management (BCM) governance should explicitly include a reputational risk dimension within its business impact analysis (BIA) methodology.
- The CISO, communications director and general counsel (or equivalent roles) must form part of the business continuity management (BCM) governance structure, rather than acting as passive recipients of technical updates.
This has a direct structural implication for how BCM programmes are designed. Reputational risk must be included in the BIA methodology, not as an afterthought but as a primary impact dimension alongside financial and operational impact.
The question is: “What conclusions will our customers, partners and regulators draw about us if we remain unavailable for that long, and how do we manage that?”
■ Organisational resilience, the ability of an organisation to absorb disruptions, adapt and emerge with its strategic position intact, is ultimately a matter of trust.
Trust is built in advance through visible preparation and a competent response, not afterwards through apologies and retrospective analysis.
Backups as a starting point, not a destination
Enterprise backups serve a valuable purpose: they remind organisations of a discipline that, despite decades of promotion, continues to be practised inconsistently.
The 3-2-1 rule (three copies of data, on two different types of media, with one copy stored off-site) is far from universal. Backup tasks still fail silently. Restoration procedures still go untested until the moment they are needed most.
But the deeper contribution of backups, when properly understood, is that they bring to light the conversation that backups begin but do not finish.
- Backup answers one question: can we recover our data?
- Business continuity management answers a different and broader question: can our organisation survive and operate during and after a disruption?
- Cyber resilience answers a third question: do we have the capability to anticipate, absorb and adapt to adverse conditions?
- And corporate resilience, the broadest of these concepts, asks: when the disruption is over, will we be stronger, more reliable and better prepared than we were before it began?
These are therefore nested frameworks:
- Backup supports recovery.
- Recovery is a component of business continuity.
- Business continuity is a dimension of cyber resilience.
- Cyber resilience is a pillar of corporate resilience.
Therefore,
- An organisation that invests only in backups builds only a single pillar.
- An organisation that understands how these layers connect and invests accordingly builds an architecture, and architectures survive what isolated components cannot.
The question is not whether you have a backup. The question is whether the organisation has an architecture for survival, and whether it has been tested.
Continuity as a competitive advantage and strategic capability
There is a moment in every disruption (a power outage, a ransomware attack, a critical system failure) when two types of organisations reveal themselves:
- Those that panic: unclear roles, improvised communications, untested recovery procedures and growing stakeholder anxiety.
- Those that act: predefined activation thresholds, trained crisis teams, tested recovery playbooks and proactive stakeholder communication.
The difference between these two types of organisation lies in governance and preparation.
Organisations that act do not simply survive disruptions. They use them as opportunities to improve. Every incident, exercise and post-incident review contributes to their adaptability and cyber resilience, helping them improve their response capabilities.
Over time, these organisations develop a cumulative advantage: their continuity capabilities become stronger, their teams become more confident, stakeholders place greater trust in them and their recovery becomes faster.
From this perspective, business continuity ceases to be an operational cost or a compliance requirement and becomes a strategic investment in the organisation’s ability to act in the face of adversity while preserving its competitive position, relationships and reputation.
Organisations that understand this do not wait for the next disruption to test their preparedness. They are testing it now, continuously improving and treating resilience as a core organisational capability, not as an insurance policy kept in a drawer until it is needed.
The real question for leadership is not: do we have a business continuity plan? It is: does our organisation have the culture, governance and proven capability to act when it matters most?
