Crisis communication can and must become professional if organisations are to prevent avoidable damage. This article argues that lasting resilience requires more than technology and process; it demands a culture that is alert, adaptive, and human at its core.
Building the Strategic Foundation
Crisis management does not start at the moment a crisis occurs. Organizations that respond effectively have invested time and resources long before issues arise, focusing on risk infrastructure, planning, and developing human capabilities. The first crucial step is to conduct regular, comprehensive risk assessments that identify potential threats and vulnerabilities before they become reality. This process should adhere to ISO 31000:2018, which offers a systematic framework for identifying, evaluating, and managing risks not as a bureaucratic formality, but as a dynamic discipline integrated into daily management.
Along with risk assessment, every organization should have a documented crisis management plan that clearly defines roles, responsibilities, and escalation paths. However, documentation alone is not enough. The plan must be stress-tested through regular simulations and exercises, as the first time your team navigates a scenario should not be during a real emergency. These exercises highlight gaps, build muscle memory, and, importantly, reveal the human dynamics that no plan can fully anticipate beforehand.
The Organisational Layer
"The difference between organisations that survive crises and those that don't often comes down not to their plans, but to their people, their communication, and their culture."
In a crisis, information asymmetry is dangerous. When teams make decisions on incomplete data, when stakeholders fill silence with speculation, when panic spreads faster than facts outcomes deteriorate rapidly. An efficient communication system with defined channels, clear ownership and a reliable cadence ensures that accurate information reaches the right people at the right time. Staff must not only be informed about these systems; they must be trained to operate them under pressure, in the kinds of conditions where misunderstandings and panic are most likely to take hold.
Leadership and governance structures are equally critical. Effective crisis response demands a framework that enables swift, well-informed decisions not one that requires consensus across multiple approval layers before anything can be actioned. This means establishing clear decision rights, empowering people at appropriate levels, and cultivating a leadership culture that values teamwork and collective intelligence over individual authority. Organisations where leaders are trusted and trust their teams consistently outperform those where command-and-control instincts dominate under stress.
Employee training and commitment round out the organisational picture. Regular training in emergency response, first aid and crisis-specific procedures builds practical competence. But beyond skills, what matters most is culture: an environment where every employee feels genuinely empowered to raise concerns, report potential risks, and suggest improvements not just to attend a mandatory annual briefing and sign a form.
Technology as Enabler, Not Substitute
Technology can amplify crisis response capability dramatically, but only when it supports rather than replaces human judgement. Real-time monitoring platforms, AI-assisted threat detection, and data analytics that surface emerging risks before they escalate are genuine force multipliers. Used well, they give decision-makers the situational awareness to act earlier and with greater confidence than was previously possible.
Resilience engineering is the other side of this coin. Redundancy in critical systems and processes minimises downtime when failure occurs and failure will occur. IT infrastructure should be designed to maintain functionality under extreme conditions, with failover protocols that have actually been tested rather than merely documented. An organisation whose crisis management systems go offline during a crisis has compounded an already serious problem.
Why the Soft Factors Are Decisive
Technical frameworks, documented plans, redundant servers these are necessary conditions for effective crisis management, but they are not sufficient ones. The organisations that perform best in emergencies do so because of factors that rarely appear on risk registers: leadership culture, psychological safety, trust between colleagues, and the organisational will to adapt when circumstances demand it.
Crises are ultimately managed by people. A resilient, engaged workforce responds more effectively to unforeseen circumstances than even the most sophisticated automated system, because people can improvise, exercise judgement, and draw on experience in ways that no process map can fully encode. A strong organisational culture builds the trust and collaborative capability that makes rapid, coordinated action possible when it matters most. Siloed organisations, where information is hoarded and accountability is diffuse, consistently underperform.
Adaptability, finally, may be the most important quality of all. Organisations that cultivate a genuine culture of learning where failure is examined rather than buried, where processes are questioned rather than defended, respond more effectively to fast-changing situations. Rigid playbooks break down when circumstances don't follow the script. The organisations that thrive are those that have built the capacity to change course.
The Five Principles of High Reliability Organisations
- High Reliability Organisations
HROs are entities that operate with exceptional reliability despite complex, inherently risky conditions. Think nuclear power plants, aircraft carriers, air traffic control centres, intensive care units. Weick & Sutcliffe (2015) identified five defining principles that explain how these organisations achieve their remarkable safety records. Applied to corporate risk management, these principles offer a powerful framework for elevating performance.
- Focus on deviations: HROs treat near-misses and anomalies as signals rather than noise. Where other organisations might dismiss a minor irregularity as irrelevant or inconvenient, HROs investigate it, because weak signals of impending failure when caught early can be addressed before they cascade into serious incidents. This requires constant attention and vigilance across daily operations and processes, not just during formal reviews.
- Opposition to simplification: There is always pressure to reduce complex systems to simple, manageable narratives. HROs resist this. They recognise that the full complexity of the risk landscape must be engaged with honestly, because oversimplified models lead to oversimplified responses and oversimplified responses fail when reality turns out to be more complicated than the model assumed.
- Sensitivity to operations: HROs maintain continuous situational awareness at every level of the organisation. What is actually happening on the ground is often different from what is reported upwards, and those differences matter. Decisions made on sanitised, hierarchically filtered information are less reliable than those informed by direct operational reality.
- Commitment to resilience: Rather than assuming that failure can be entirely prevented, HROs invest in the capacity to absorb disruption and recover quickly. Resilience is understood not as a static property but as a dynamic, learned organisational capability one that must be actively developed, exercised, and maintained over time.
- Deference to expertise: In a crisis, decisions should be made by the people with the best knowledge, not necessarily the highest rank. HROs deliberately create structures where expertise, not positional authority, drives action. This requires significant cultural work: leaders must be genuinely willing to cede decision-making to subordinates who know more about a specific situation, and those subordinates must feel safe enough to act.
Integrating HRO into ISO 31000:2018
The HRO methodology is not a standalone framework to be adopted in isolation. It is most powerful when embedded within existing standards specifically the four ISO standards most relevant to organisational risk and crisis management: ISO 31000:2018 (risk management), ISO 22320:2018 (emergency and incident management), ISO 22361:2022 (crisis management), and ISO/IEC 27000 ff. (security management). Together, these standards define the hard architecture of risk governance; HRO principles bring the human intelligence that makes that architecture function as intended.
In practice, this integration operates across three dimensions. First, risk assessment and monitoring: HRO principles are embedded into continuous assessment cycles, using detailed evaluations that account for the full complexity of the organisation's environment rather than relying on simplified risk matrices. Second, culture: the organisation develops a genuine commitment to proactive vigilance, supported by training programmes that build adaptability and resilience rather than merely tick compliance boxes. Third, decision-making: structures are established that place expert knowledge not hierarchical position at the centre of crisis response, enabling faster and better-informed action when the stakes are highest.
The HRO Maturity Model supports this integration by providing a dual-function tool: it diagnoses where an organisation currently sits against HRO principles, and it defines the targets to work towards. Because implementation is tailored to each organisation's specific context and risk profile consistent with the tailoring principle in ISO 31000:2018, Principle 4.e the approach scales from small enterprises to operators of critical national infrastructure. The goal, as Saul, Kuhn, Zipper et al. (2023) describe it, is to enable organisations to get ahead of the situation: to use adaptive, proactive action to prevent damage before it occurs, rather than simply responding after the fact.
Emergency and crisis management capacity is significantly enhanced by a holistic approach that combines robust process and technology with the human and cultural factors that ultimately determine whether organisations succeed or fail under pressure. Implementing the HRO methodology within the framework of ISO 31000:2018 does not simply improve compliance it builds the kind of organisation that can genuinely anticipate crises, adapt to them in real time, and recover from them quickly when they occur.