Effective crisis management requires leadership. Crisis Leadership underlines how your leaders apply your organization's values to all stages of a crisis.
Why is Crisis Leadership important for your organization
With every crisis, there is danger and opportunity. The right kind of leadership is vital in the critical moments of your company's history. The right kind of crisis leadership is values-driven and maintains the balancing act between carefully and thoughtfully responding to what went wrong and deliberately capturing mindshare or new business based on the effectiveness of your response.
When your company's values are at the forefront, your stakeholder communications and public statements remain consistent. Your audience can always tell when you're backpedaling from established viewpoints or bandwagoning. You avoid compounding the situation by being consistent. No two crises are alike just as no two organizations are alike. Crisis Leadership centers on you — not others — telling your constituents your organization's story from one crisis to the next.
Considerations for Crisis Leaders
The unpredictable and fluid nature of a crisis requires situational awareness. Being aware of what you know and don't know is crucial. Continually monitoring the situation, predicting statuses, and being prepared to roll with the changing environment makes your company adept at crisis response and provides your team with purpose — everyone is in sync and working towards the same goal.
An increasingly important aspect of Crisis Leadership is taking care of yourself and your team. Members of your crisis response team may have been impacted by the events but are still working to resolve them. Some of your team may have been awake for 24 hours and need someone to give them permission to step away. Fatigue may be setting in. Leveraging incident.io's on-call scheduling, hand-offs, and integrations with Slack and Google Meet can help create a safe and healthy on-call culture for your teams while responding to what could be a protracted situation.
Do's and Don'ts when Leading A Crisis
Successful and unsuccessful corporate responses to crises are all around us. In fact, the chances are high that there's one of each happening in the news at the time you're reading this guide. What's important is that you learn from the very public mistakes of others and develop your core principles in the form of a do's and don'ts list. Some of them may be obvious but they're still worth documenting. Here are a few common examples:
- DO have a set of generic holding statements ready to go that can be easily customized for specific situations (e.g., smart contract exploit, chain halt, bridge vulnerability, key personnel departure, regulatory action, etc.)
- DO be cautious about when and how you respond, as there is always a risk that the news could break before you've commented
- DO be measured in your response and avoid playing whack-a-mole trying to respond to every negative post, inquiry, or attack
- DON'T assume multiple crises or incidents happening at the same time are related
- DON'T copy and paste — take actions that are unique to your organization's values, history, and risk profile, and within your capabilities, or you'll risk greater exposure
- DON'T assume that making proactive, non-obligatory public statements is without great risk; you need to carefully weigh your decision with your Legal team in this regard
- DON'T assume that what you've said internally or to a subset of partners or investors won't go public
Crisis Scenario Planning
Crisis Leaders should always plan for the company's worst day before it becomes a reality. It's likely you'll experience multiple crises during your tenure at an organization. Referencing your company's historical crises while planning is one piece of the puzzle. However, scenario planning is forward-looking and homes in on the most likely and most damaging crisis scenarios for your organization to proactively develop teams, plans, and playbooks. Here are some examples relevant to a blockchain infrastructure company:
- Smart contract exploit or vulnerability (e.g., bridge drain, token mint bug)
- Chain halt or consensus failure (e.g., validator set unable to produce blocks)
- Critical infrastructure attack (e.g., cloud provider compromise, DDoS on RPC nodes)
- Cyber incident (e.g., ransomware, data breach, key compromise)
- Regulatory or legal crisis (e.g., enforcement action, compliance violation)
- Economic / market crisis (e.g., token price crash, depegging event, liquidity crisis)
- Ecosystem partner failure (e.g., major dApp exploit that reflects on the chain)
- Environmental disaster (e.g., data center outage from natural disaster)
- Reputational crisis (e.g., social media controversy, misinformation campaign)
If time were infinite and the world were static, you could plan for all of the scenarios in the world. However, the goal is to select a handful of scenarios from your list and build transferable principles and skills that prepare you for a wider range of crises. Another way to do that is by focusing on the consequences across your scenarios and solving for those capability gaps by adding controls such as playbooks, runbooks, or predefined tactical response teams. You may also find that the order of criticality changes as the operating environment changes, so periodic review of your top scenarios and the associated plans and teams is important.
Assembling An Executive Crisis Leadership Team
Developing an Executive Crisis Leadership Team is a good starting point when considering the scope, scale, and role of your Crisis Response team. This group will consist of functional business owners from all areas of your organization from Communications to Legal to Human Resources and so on. Consider starting with some or all of the following functional roles:
- Chief Executive Officer
- Chief Legal Officer
- Chief Communications Officer
- Chief Financial Officer
- Chief Information Security Officer
- Chief Human Resource Officer
- Chief Operating Officer
- Chief Information Officer
- Chief Technology Officer
- Chief Revenue Officer
- Chief Marketing Officer
There's no one-size-fits-all approach, and you may not need all of these roles in your Executive Crisis Leadership Team. External resources like Public Relations/Crisis Management firms, Disaster Recovery services, insurance providers, Digital Forensic Specialists, or Local/Federal authorities should not be overlooked as essential contacts to document.
Crisis Team Leaders
It's important to put a face and single voice to a crisis. A Crisis Team Leader is the individual responsible for leading the organization through a crisis, with overall responsibility based on their area(s) of expertise. They're similar to an Incident Commander for a crisis situation. However, a Crisis Team Leader may function more as an Area Commander if there are multiple Incident Commanders to oversee in a complex situation.
Once you've built your handful of scenarios, the next step is assigning members of your organization as the team leader for each, along with their backup. See the table below as an example:
| Crisis Scenario | Scenario Examples | Crisis Team Leader | Potential Backup |
|---|---|---|---|
| Smart contract exploit | Bridge drain, token mint bug | Chief Technology Officer | Head of Security |
| Chain halt / consensus failure | Validator set stalled, fork | Head of Protocol Engineering | Senior Protocol Engineer |
| Cyber incident | Ransomware, key compromise | Chief Information Security Officer | SecOps Lead |
| Regulatory / legal crisis | Enforcement action, compliance | Chief Legal Officer | General Counsel |
| Reputational crisis | Social media, misinformation | Chief Communications Officer | Marketing Lead |
Using incident.io, you can build your on-call schedules providing visibility and accountability about who's on call for what area of the business if a crisis situation takes place. You can also add backups using escalation policies that alert the next person up after a custom time delay.
Succession planning
As you examine the makeup of your Executive Crisis Leadership Team, Crisis Team Leaders, and their backups, you should view it through the lens of succession planning or failover mapping. Depending on the makeup of your organization and geographical concentrations, you may want to further diversify your members to spread the risk. If everyone is positioned close together, an impact to that region will lead to failure and extended MTTRs. Your on-call rotations and escalation policies should reflect this strategy.