Crisis plans don’t always cover all your bases

white paper on a vintage typewriter

A few years ago, I was asked to examine and comment on an organization’s crisis plan that was very good—for as far as it went. The charity provided goods and services to other charities, for distribution to people in need. The crisis plan covered what would happen in an earthquake, volcanic eruption or similar large-scale natural disaster. I covered these potential crises quite well.

In each of these crises, the crisis plan assumed the charity would be one of the heroes, able to dispense its services to the other charities and therefore to the people who would need them.

The plan failed to plan for at least two crucial crises: One where it was the villain, not the hero; and one where the people in need would demand the charity’s services directly, not through a third party. The charity never envisioned having to deliver its services from its front door. Nor did they even consider that their building could collapse, or that one of their executives might take some personal action that would cast a shadow on the institution—and raise questions about how it was being run.

In other words, the charity’s crisis plan failed to cover any of the nine most common threats American businesses have identified as their top worries (The Crisis Manager, Otto Lerbinger, 2nd ed., 2012):

  1. Cyber breach
  2. Workplace violence/harassment
  3. Government investigation
  4. Environmental damage
  5. Corruption/bribery
  6. Intellectual property theft
  7. Terrorism
  8. Litigation
  9. Product recall

Crisis plans are hard to create and just as hard to keep relevant. A particularly difficult part is creating and then prioritizing a list of possible threats your organization could face. How can we make this part easier?

Metaphorically: By slicing your bread many different ways using many different knives.

When you buy bread or dough, it comes to you either whole, or pre-sliced based on how you’re expected to use it. Wheat bread? Sliced one way, in thin, toastable slabs. Round loaf? Pie slices. Dough for baked rolls? Pull-apart lumps.

Now imagine your organization. Analyze it—perhaps using SWOT—one way, for one set of parameters, such as external threats, perhaps further subdivided by categories such as natural and human-caused disasters. You get one view of possible threats to add to your list.

Now metaphorically slice your bread in a different direction, using a different knife—analyze your organization yet another way. What about internal threats? Corporate malfeasance? Building collapse? Employee harassment? Contagious disease outbreak in the office?

Each different view you take provides more threats—real, credible dangers—you should add to your list.

Here are categorized lists I created in 2016 for the Oregon Department of Transportation:

Mother Nature

  1. Avalanches
  2. Droughts
  3. Dust/wind storms
  4. Earthquakes
  5. Electrical storms
  6. Epidemics
  7. Floods
  8. High winds
  9. Hurricanes
  10. Ice storms
  11. Landslides
  12. Road failures
  13. Snowstorms/blizzards
  14. Tornadoes
  15. Tropical storms
  16. Tsunamis
  17. Volcano eruptions
  18. Wildfires


  1. Bomb threats
  2. Disruption of supply
  3. Fire/arson
  4. Fraud/embezzlement
  5. Labor disputes/strikes
  6. Misuse of resources
  7. Riot/civil disorder
  8. Sabotage
  9. Security breaches
  10. Terrorism/chemical, biological, nuclear
  11. Terrorism/conventional weapons
  12. Theft
  13. Vandalism
  14. War
  15. Workplace violence


  1. Destruction of buildings
  2. Gas outages
  3. Hazardous materials spills
  4. Human errors
  5. Power outages
  6. Software/hardware failures
  7. Telecom failures
  8. Train derailments
  9. Water outages

Seem a little excessive? Then you’ll be surprised to find out that almost half of these threats occurred in 2016 in Oregon, involving ODOT!

The next difficult step is analyzing the risk of each threat. These terms are often confused. A threat is an event or circumstance that could imperil your organization or one or more of the audiences your organization supports, serves or depends on. Your crisis planning effort estimates the impact this threat could cause, given your current vulnerability, and the probability of the threat actually occurring. The risk posed by a particular threat is a combination of the impact and the probability. You end up with a table looking something like this.

Once you’ve prioritized your risks, writing action plans for specific threat scenarios becomes much easier. But don’t think you can do it without the active involvement of all levels of your organization. Unless all teams own pieces of the plan, it won’t be used—might not even be opened—when the crisis erupts.

It’s not just “All hands on deck!” when the crisis hits; All those hands are also needed to prepare for the crisis before it hits.

Dave will show you how to break your crisis planning and initial response into discrete actionable steps, and explain many more gaps in typical crisis plans, in a PRSA-Oregon professional development seminar “Plugging the gaps in your crisis plan” on Friday, April 23, 2021, at noon Pacific time.

Dave has spent more than 40 years responding to crises of all kinds. As a reporter, he reported from Bosnia during Yugoslavia’s civil war in the 1990s, and covered school shootings, school bombings and mine collapses in America. As a public relations professional, he responded to winter storms that shut down the state, wildfires, train derailments, a global pandemic, more wildfires and even a total eclipse.

Leave a Reply