Crisis management: A converged risk and resilience discipline

May 28, 2026

SJUK hears exclusively from Neil Shanks, Director of Corps Security, about why crisis management must be understood as a converged enterprise discipline.

Crisis management is too often assigned rather than designed.

Organisations tend to allocate it to whichever function is most closely associated with emergencies, incidents or disruptions.

This makes it a security or health-and-safety-led activity by default, particularly where threats involve safety, malicious acts or physical harm.

While this association is understandable, it fundamentally misunderstands the nature of organisational crises.

A crisis is not defined by the discipline that detects it, nor by the function that responds first.

It is defined by its impact on organisational objectives, decision-making and stakeholder confidence.

Crisis management is best understood not as a specialist function, but as a converged enterprise capability, rooted in risk management, business continuity and organisational resilience.

This approach finds its proper home within Enterprise Risk Management (ERM), the governance framework through which interconnected organisational risks are identified, escalated and managed.

Reframing crisis management in this way is essential if organisations are to respond effectively to increasingly complex and interdependent risks.

Understanding risk

In crisis management, what is considered a risk?

The term refers to the uncertainty of future outcomes and how that uncertainty could affect the achievement of objectives.

This is how it is framed at an enterprise level, reflected in international risk management standards such as ISO 31000.

Risk considers both the likelihood of events occurring and the nature of their potential impacts, whether harmful or beneficial.

It exists wherever there is a possibility of results differing from what was anticipated, including the potential for loss, damage or injury.

At an enterprise level, its framing deliberately moves risk away from narrow threat categories and towards strategic outcomes.

Major incidents and crises develop when uncertainty manifests at a pace, scale or complexity that overwhelms normal governance and decision-making structures.

Examples of this range from natural disasters to major market disruption and can be caused by things as simple as a system failure or human error.

These crises rarely sit neatly within a single discipline.

An event might originate as a cyber-incident or a supply chain failure, but escalation is driven by secondary and tertiary impacts, which could include reputational damage, legal exposure, loss of workforce confidence, operational paralysis or erosion of trust among customers and regulators.

Crisis management, therefore, exists at the point where multiple risks converge and where leadership judgement becomes as important as technical response.

The anchor: Enterprise risk management

ERM provides the governance context within which effective crisis management should operate.

At its core, ERM recognises that risks are interconnected, dynamic and rarely confined to a single function or discipline.

Strategic, operational, financial, legal, reputational and external risks interact in ways that can amplify impact during periods of disruption, particularly where uncertainty is high and time for decision-making is limited.

A distinguishing feature of mature ERM is the recognition that risk ownership changes as situations escalate.

Function or service teams may manage risk day-to-day, but when unforeseen circumstances threaten organisational objectives, senior leaders must be engaged.

ERM therefore ensures that escalation is not reactive or personality-led, but governed by agreed thresholds, decision-making processes and accountability.

As a result, leadership engagement is proactive rather than reactive, informed by known risk exposure rather than unfolding events.

ERM is effective where escalation pathways are clear, authority transfers are understood and decision-making responsibilities are well-established.

Senior leaders should have visibility of the organisation’s risk profile, including emerging and converging risks, to enable informed judgement under pressure.

This clarity reduces delay and limits internal friction to support proportionate, timely responses.

Cross-disciplinary communication

Importantly, ERM allows different disciplines, including operations, IT, legal, HR, communications and security, to contribute risk insight without assuming crisis ownership.

Each function provides expertise relevant to its domain, contributing to the overall crisis leadership, which remains an enterprise responsibility.

This separation between risk expertise and crisis decision-making authority is a hallmark of resilient organisations, ensuring that no single function is over-extended or required to resolve enterprise-level trade-offs beyond its remit.

Research from the Business Continuity Institute consistently supports this, showing that organisations with centralised or hybrid crisis management structures – balancing clear authority with specialist expertise – perform more effectively during complex events.

Crisis management maturity, the evidence suggests, is less about the sophistication of individual functions and more about how effectively the organisation brings them together under pressure.

By embedding crisis management within an ERM framework, organisations move away from function-led response models and towards a converged risk approach.

Crises are understood not as isolated events, but as manifestations of accumulated and interacting risks.

This comprehensive approach reinforces the importance of governance, leadership and coordination, making it essential to organisational resilience.

Business continuity: From planning to leadership

Business continuity management provides a practical bridge between risk identification and crisis response.

ISO 22301 positions business continuity not as a static set of recovery plans, but as a management system designed to safeguard critical activities, maintain organisational viability and support effective response during disruption.

Critically, ISO 22301 recognises that technical recovery is insufficient on its own.

Leadership, communication, defined roles and decision-making structures are integral components of continuity capability.

In this sense, business continuity and crisis management are inseparable disciplines.

Business continuity provides the prioritisation logic, while crisis management provides the decision-making mechanism.

When properly aligned, crisis management becomes the means through which business continuity strategies are enacted under real-world pressure, rather than theoretical assumptions.

Converging towards resilience

Effective crisis management demands enterprise ownership.

Security may provide threat intelligence, incident control, liaison with emergency services or advice on protective measures.

IT may manage system recovery.

HR may address workforce welfare.

Communications may shape stakeholder messaging.

None of these functions, however, should be expected to “own” the crisis in isolation.

Crisis leadership belongs at the executive level.

That is where strategic trade-offs get resolved, where risk acceptance decisions carry real authority and where reputational consequences are ultimately owned.

Security Journal UK