by John Hutton
Could you imagine the nightmare? You’ve been waiting for an operation for over 2-years, when on the morning of the op at 07:09 am, 19th July 2024, a routine software update triggers the largest IT failure in history, within minutes, 8.5 million Windows operating systems crash simultaneously. Airline check-in desks become unresponsive, hospital operating theaters lose access to critical patient data, emergency services switch to good old pen and paper, and payment systems freeze during transactions.
Organisations across the world opened their incident response plans; most proved to be useless, not because they were badly designed, but because they hadn’t factored in that their security provider would be the source of the crisis. Those that responded effectively weren’t those with the most detailed response plans; they were the ones whose teams could adapt quickly, make decisions without complete information, and operate outside normal procedures. The difference wasn’t in documentation, but in culture, leadership, and the ability to think under pressure.
Resilience is not one size fits all, nor is it the size of your document library that matters. It is the speed and quality of judgement, even when events outpace the plan. This article explains how resilience actually works in practice and what leaders can do to ensure their teams can handle something they have never planned or potentially trained for.
What Actually Happens in a Crisis
In many organisations, the first few minutes of a crisis are not spent actioning a prescribed process; they are spent trying to work out who is actually in charge and whether that person has the decision-making authority to make the big decisions. Sometimes, there isn’t even an on-call decision-maker available outside office hours, leading to paralysis right when speed of decision is critical to regaining control of the crisis.
Even where plans exist, the first ten minutes are often spent searching for the right section. By minute fifteen, someone realises the plan does not cover the scenario unfolding in front of them. By minute twenty, the team is improvising, second-guessing, over-consulting, and waiting for clarity that never comes. By minute thirty, the incident has outpaced the decision-making process; the organisation is responding to a problem that has now morphed into something else.
Elsewhere, a leader walks in and asks three questions: What do we know? What matters most? What are we doing about it? The team acts. They make small decisions quickly, adjust as new information arrives, and do not wait for permission. By minute thirty, they are ahead of the crisis, not behind it.
The difference is not the plan. It is the culture, the leadership, and the ability to act when events move beyond the plan.
In crisis management, as in emergency medicine, there is a “golden hour,” the critical window in which early, decisive action can change the entire trajectory of the event. The importance of this first hour is well established in both international standards (such as ISO 22361 and BS 11200) and in lessons from major incidents. These sources consistently highlight that early leadership, clear authority, and rapid decision-making are essential to shaping the outcome and limiting escalation. Case studies from events such as the Grenfell Tower fire, Fukushima nuclear disaster, and 9/11 show that confusion or delay in the first hour often leads to irreversible consequences. The organisations that succeed are those that seize the golden hour: they clarify roles, make rapid decisions, and move resources before the crisis outruns them.
Why Real-World Crises Never Match the Plan
Crises rarely unfold as modeled, due to three key factors: the relentless pace of events, the pressure exerted by uncertainty and risk, and the unpredictability of human behaviour under duress.
Firstly, crises move faster than planning cycles. You might update your plans quarterly. Your crisis will update itself every few minutes. New information arrives unevenly. Early information is often wrong. Key details emerge late. Decisions made with incomplete inputs still need to be made.
Secondly, stress changes behaviour. Even experienced professionals lose cognitive bandwidth when the stakes are high. Short-term memory tightens. Decision-making narrows. Communication becomes clipped. People default to habit. Any plan that relies on perfect cognitive performance is already flawed.
Thirdly, organisational charts are fiction in a crisis. Roles blur. People step into tasks outside their normal function. Leaders jump between strategy and tactics. Informal networks become more powerful than formal lines. Plans that depend on rigid structures fail because rigidity fails under stress.
ISO 22361 (crisis management capability) and BS 11200 (crisis management guidance) both emphasise the need for adaptive capacity, not just documented procedures. Yet most organisations still treat their crisis management plans as if completeness equals readiness.
It is important to recognise that detail and flexibility are not mutually exclusive. The most effective crisis management systems are those that integrate clear, detailed structures, such as defined roles & responsibilities, escalation procedures, and essential checklists, with the flexibility to adapt as the situation evolves. ISO 22361 and 22301 encourage a hybrid approach, requiring both documented procedures and the empowerment of teams to exercise judgment when reality diverges from the plan.
I saw this firsthand during the Arab Spring in 2011, when NATO’s enforcement of a no-fly zone closed Libya’s airspace overnight. Many organisations, regardless of whether they had drafted evacuation plans, found themselves stranded. Most had relied heavily on commercial flights as their primary, and often only, means of evacuation.
When flights were cancelled, many found themselves stuck at Tripoli International Airport, amid scenes of panic and chaos (CBS News). Few were truly prepared for such a rapid escalation, and many were unable to pivot to alternative evacuation options. Some organisations that relied on external support partners soon discovered that, as the situation escalated, capacity was quickly stretched and not everyone could be assisted at once.
Our team was able to fill some of these gaps and help evacuate hundreds of personnel through intelligence-led, agile planning and support, who otherwise would have remained stranded. It was made clear to me that resilience goes beyond documentation; it’s about the ability to adapt, make timely decisions, and trust your team when the plan no longer matches the reality on the ground.
This is why highly detailed inflexible plans often underperform. They work when the event fits the template. They break when they don’t, and most crises don’t. What matters is not predicting every scenario, but building a system that works even when the scenario is wrong. That’s where flexibility, adaptability, and culture come into play.
The Advantage of Flexible Systems: Why the Best are Detailed and Adaptable
The most effective crisis management systems are not just flexible or detailed; they are deliberately designed to combine both. Highly detailed plans provide the structure, clarity, and guidance teams need to operate under duress. But it is flexibility, built into the system, that enables teams to respond effectively when reality diverges from the known.
ISO 22301 (business continuity) and ISO 31000 (risk management) both recognise that resilience depends on organisational capability, not just process documentation. The standards call for competence, awareness, and decision-making ability, qualities that cannot be scripted but can be supported by clear frameworks and empowering policies.
Three qualities differentiate the best systems:
Principles over scripts: While detailed procedures are valuable, plans packed with conditional steps collapse when one assumption fails. A simple set of guiding principles survives disruption. For example: stabilise the situation, build the picture, set priorities, and act. These principles are easy to remember and broad enough to apply anywhere.
Room for Interpretation: Detailed roles and escalation protocols provide clarity, but teams also need discretion. You cannot control every micro-decision during a crisis. Nor should you. People must understand the outcome you need, then adjust their actions as conditions shift. Leaders who encourage interpretation get faster, better decisions from their teams.
Simplicity under cognitive load: People under stress need less, not more. Short checklists beat long manuals. Clear priorities beat nested flowcharts. Simple structures give people mental space to think and act. Complexity pushes them into paralysis.
A flexible system is not vague or unstructured. Instead, it is intentionally designed to combine essential detail, roles, responsibilities, and escalation pathways, with the freedom for teams to adapt when reality does not cooperate. It gives operating freedom within a defined purpose.
Decision-Making During a Crisis: The OODA Loop
High-performing crisis management teams use structured models to support rapid, effective decisions under pressure. One of the most widely used is the OODA Loop:
- Observe: Gather information about what is happening.
- Orient: Assess the context, priorities, and available resources.
- Decide: Choose the best course of action based on current understanding.
- Act: Implement the decision, then repeat the cycle as the situation evolves.
The OODA Loop encourages continuous assessment and action, helping teams move quickly and adapt as new information emerges. This approach is fully aligned with ISO 22361 and BS 11200, which both emphasise systematic, adaptable decision-making in crisis management.
This is what a good crisis response looks like: fast clarity, consistent rhythm, decisive action, simple communication, and the humility to adapt, all anchored by the discipline to answer the five Ws at every step.
Why Resilience Culture Matters More Than Resilience Documents
These behaviours don’t emerge by accident. They grow from culture, and culture is what separates teams that respond well from teams that collapse under pressure.
Documentation supports resilience. Culture delivers it.
Organisational resilience principles (ISO 22316) explicitly identify leadership, culture, and shared information as critical attributes. The standard recognises that resilience is a property of the organisation’s people and behaviours, not its documents. A strong resilience culture changes how people think and act long before a crisis begins. It reduces the fear of reporting problems. It rewards clarity over perfection. It normalises uncertainty. It encourages honest reflection after events instead of blame.
Four features stand out:
- Clarity of mission: People must understand the organisation’s core priorities more clearly. When priorities are clear, people, assets, continuity, and teams can improvise in the right direction without waiting for instructions.
- Psychological safety: Teams need the confidence to speak up when something is wrong. Without this, early warning signs disappear. Leaders who create a safe environment gain better information faster.
- Practice that focuses on judgment: Rehearsals that only test checklists do not build real capability. Rehearsals that force teams to make decisions under stress build judgment. The quality of a team’s judgement matters more than the elegance of its documentation.
- Leaders who model calm, clarity, and curiosity: Teams follow leaders’ cues. Leaders who stay steady, communicate simply, and ask good questions shape the team’s behaviour. When leaders show curiosity, teams adopt it. When leaders slip into panic, teams follow.
Culture isn’t guaranteed, it is something that has to be developed over time, day by day, but when a real crisis hits, it’s the one thing you’ll be glad you invested in.
What Fast, Effective Response Actually Looks Like
There’s often a difference between how organisations envisage their response and what actually unfolds during a crisis. Effective response is not calm heroics; it is about disciplined action under unclear and pressurised conditions.
High-performing teams address the five W’s: Who, What, When, Where, and Why at every stage of their response. This underpins the following elements:
Rapid clarity: The first task is to establish what is happening (What), who is involved or in charge (Who), why it matters (Why), where the impact is being felt (Where), and when key actions need to occur (When). Leaders who clarify these points quickly give their teams direction while the deeper picture develops.
Early resource deployment: The biggest delays come from waiting too long to move assets or people. Teams that act promptly know who needs to be mobilised, what resources are required, where they should be deployed, and when action must be taken, rather than waiting for perfect information.
Decision-making rhythm: Crisis management meetings held at inconsistent intervals create drift. The ideal rhythm, whether every 10 minutes, every hour, or at longer intervals, should match the pace and nature of the crisis. Regular check-ins ensure everyone knows who is responsible for decisions, what the current priorities are, when updates will occur, where efforts are focused, and why adjustments may be needed.
Short, direct communication: Clarity beats detail. High-performing teams communicate the essentials: Who needs to know, What the situation is, Where action is required, When deadlines are, and Why decisions are being made.
Adaptions without ego: As situations change, effective teams adjust quickly and without attachment to previous plans or personal pride. They ensure everyone understands who will execute new actions, what needs to change, where the focus should now be, when to shift course, and why adaptation is required. Leaders who manage their ego make better decisions and foster a culture where learning and agility are valued above being “right.”
This is what a good crisis response looks like: fast clarity, consistent rhythm, decisive action, simple communication, and the humility to adapt, all anchored by the discipline to answer the five Ws at every step.
Building a System That Handles What You Haven’t Trained For
No organisation can predict every crisis, but they can build a system that works across all crises. That system rests on a few principles:
· Keep structures simple enough to use under pressure
· Make sure everyone knows the organisation’s core priorities
· Build behaviours that support adaptation: early reporting, fast decisions, constant questioning (what if)
· Train for judgment, not just procedure
· Use each incident and exercise to refine culture, not just documents
If your crisis management team cannot explain succinctly how they would stabilise an unexpected event, your system needs tightening up!
Resilience isn’t about perfection. It’s about readiness to act when reality outpaces the plan.
If a crisis hit tomorrow that wasn’t in your plan, would your team know what to do? That’s the crisis you’re most likely to face.
About the Author
John Hutton Dip CSMP, M.ISMI, MSyI
Director of Risk Advisory and Training Services, SCS
With nearly 20 years of commercial experience, John is an experienced leader in crisis management, security risk, and operational resilience. He has supported organisations worldwide through complex emergencies and rapid change, specialising in building adaptive systems and delivering hands-on training that achieves measurable, real-world results. John is passionate about helping teams develop the judgment and confidence needed to thrive under pressure.
About SCS
Security Crisis Solutions works with organisations whose people and operations are exposed to uncertainty, pressure, and consequence across different operating environments. Our professional background is in protective security, supporting people and the activities around them, where anticipation, positioning, and judgement shape outcomes. That operational perspective shapes our approach to resilience and crisis response, where structure supports judgment rather than replaces it.
