Jessica A.,
Too Long; Didn't Read
In a crisis, an 80% correct decision in 15 minutes is more valuable than a 100% correct decision in 4 hours. However, most companies lack clear decision structures for emergencies. We show you how to eliminate chaos with a RACI matrix, clear time limits, and representation regulations—before it arises. It's 3 a.m. Your monitoring reports anomalies. Who calls whom now? Who is allowed to decide whether to activate the emergency mode? Who communicates with customers? And what if the CEO is currently on a flight and unreachable? If you hesitate with these questions, you have a problem. Not because the incident is severe, but because you lose valuable time while everyone tries to figure out who is actually allowed to make decisions.
The Chaos Pattern
We have supported dozens of incident response engagements. The pattern at unprepared companies is always the same:
Phase 1: Shock paralysis Someone notices the problem. But who informs whom? Is it bad enough to escalate to the CEO? Better wait for now...
Phase 2: Too many cooks Eventually, everyone is informed. Now everyone wants a say. Meetings are convened. Decisions are discussed. And discussed again.
Phase 3: Diffusion of responsibility No one wants to make the decision. "The CEO has to approve this." – "They are not reachable." – "Then we wait."
Phase 4: Frantic improvisation Eventually, someone acts – but without coordination. Action A contradicts action B. Communication to customers is inconsistent.
The result: An incident that could be resolved in 2 hours with clear structures drags on for days.
Why speed matters more than perfection
Here is an uncomfortable truth:
In a crisis, an 80% correct decision in 15 minutes is more valuable than a 100% correct decision in 4 hours.
Why? Because time is working against you.
Every hour of downtime costs revenue
Every hour without communication unsettles customers
Every hour of chaos demotivates your team
Every hour without clarity makes the problem bigger
A fast, imperfect decision gives you the chance to correct course. No decision paralyzes everything.
The RACI framework for crises
RACI stands for:
Responsible – Who carries out the action?
Accountable – Who decides and takes responsibility?
Consulted – Who is asked before the decision is made?
Informed – Who is informed after the decision is made?
For crises, you need a clear RACI matrix. Not for every imaginable case – but for the critical decisions.
Example RACI matrix for crisis decisions:
Decision / Action | Responsible | Accountable | Consulted | Informed | Max. decision time |
|---|---|---|---|---|---|
Activate fallback systems | IT Operations Lead | CTO | - | CEO, CFO | 15 minutes |
Switch to alternative suppliers | Procurement Manager | COO | Production Lead, Finance | CEO, Board | 4 hours |
External communication during an incident | Marketing Lead | CEO | Legal, CISO | Board, all employees | 30 minutes |
Activate emergency budget | CFO | CEO | - | Board | 2 hours |
Decision: ransomware payment | - | CEO + Board | Legal, CISO, Insurance | - | - |
The key point: The "Max. decision time" column. Without a time limit, people keep debating until someone gives up.
More on this in our article Business Impact Analysis: Identifying critical business processes.
The 3 critical elements
1. Clear escalation paths with time limits
For every critical decision, define:
Who is allowed to decide?
How much time does that person have?
Who receives the decision if the time runs out?
Example:
Activate fallback shop: CTO decides within 15 minutes
If the CTO is not reachable: IT Operations Lead decides
If neither is reachable: the CEO must be informed
Automatic escalation prevents someone from waiting on hold while the minutes tick by.
2. Backup arrangements
What happens if the decision-maker is not reachable?
On vacation?
In the hospital?
On a plane?
Themselves affected by the incident?
For every critical role, you need a clearly defined backup – someone who knows they are the backup and has the authority.
(Sounds obvious. But we regularly see that backups exist, while the backups do not know what they are allowed to decide.)
3. Pre-authorization for critical decisions
Some decisions cannot wait until a meeting is convened.
Define in advance:
Which decisions may the CTO make immediately, without CEO approval?
What budget is approved for emergency measures?
Which actions are pre-authorized?
Emergency budget example: "The CTO is authorized to spend up to CHF 50K on emergency measures without further approval. Documentation will follow afterward."
That sounds risky – but it is less risky than hours of coordination loops in a crisis.
Who communicates with whom?
Communication in crises is at least as important as the technical resolution of the problem.
Communication RACI:
Target audience | Responsible | Message Owner | Timing |
|---|---|---|---|
Customers (public) | Marketing Lead | CEO approves | Within 30 min after decision |
Employees | HR / Internal Comms | CEO drafts | Within 15 min after decision |
Press | PR / Comms | CEO approves | Reactive (upon request) |
Authorities (when reporting is required) | CISO / Legal | CEO approves | According to regulatory deadlines |
Suppliers / Partners | Procurement | COO approves | As needed |
Important questions:
Who is allowed to communicate externally? (Not everyone!)
Which messages are pre-approved?
Who speaks to the press?
How do we inform employees so that they communicate consistently?
Training: Drills instead of PowerPoint
A RACI matrix on paper is useless if no one can apply it under stress.
Training formats:
Training type | Target group | Frequency | Duration | Content |
|---|---|---|---|---|
Tabletop exercise | Leadership (CEO, C-Level) | Quarterly | 2 hrs | Walk through scenarios: AWS outage, ransomware, supply chain failure |
Hands-on failover | IT Operations | Quarterly | 3 hrs | Actual failover to backup systems |
Communication drill | Marketing, HR, Support | Semi-annually | 1 hr | Which messages? Which tone? Which channels? |
Full-scale exercise | All relevant teams | Annually | 4-8 hrs | Realistic scenario under time pressure |
Important: Training is not a PowerPoint presentation. It is hands-on, with realistic scenarios and real time pressure.
After each exercise: What worked? What did not? What do we need to change?
A practical example
A retail company (180 employees) is hit by ransomware.
Before (without structure):
03:00: EDR reports encryption
03:30: IT admin calls the IT manager. "What should we do?"
04:00: IT manager tries to reach the CEO. Not reachable.
04:30: Debate about whether they should really wake the CEO
05:00: CEO reachable. Wants to understand the situation. A meeting is convened.
06:30: First meeting. Discussion about the approach.
08:00: First decisions are made.
Result: 5 hours passed before action was taken
Afterwards (with structure):
03:00: EDR reports encryption. Automatic alert activates the on-call team.
03:15: IT Operations Lead classifies it as P1 (critical). According to the RACI: immediate isolation is authorized.
03:30: Infected servers isolated. Crisis team activated via SMS.
03:45: CTO decides: activate degraded operations. No CEO approval needed (pre-authorized).
04:00: Fallback processes are running. Customer hotline informed. Initial external communication prepared.
08:00: Systems are restored from offline backup.
Result: Business operations resumed after 45 minutes (reduced capacity)
The difference: 38 fewer hours of production downtime. Minimal revenue loss instead of CHF 500K+.
Common objections
"We cannot define everything in advance."
True. But you can define the 10 most critical decisions. And basic principles ("When in doubt: isolate systems, analyze later"). That covers 90% of cases.
"That limits flexibility."
No, it creates flexibility. If people know who may decide, they can act faster. Uncertainty is the enemy of speed.
"We are too small for that."
Smaller companies in particular benefit from clear structures. You do not have large teams to absorb chaos. One person with clear authority is more valuable than five people debating.
The short version
Chaos is the default without prepared structures
80% in 15 minutes > 100% in 4 hours – speed beats perfection
Define a RACI matrix for the most critical decisions
Set time limits – without deadlines, people debate endlessly
Clarify backups – even for the CEO
Pre-authorize emergency measures and budgets
Train, train, train – no PowerPoints, real drills
What's next?
Take 30 minutes and answer these questions:
Who may decide at 3 a.m. during a critical IT outage to switch to fallback systems?
Is that person reachable? Even on weekends?
Who is the backup if that person is not reachable?
Does the backup have the same authority?
If you are unsure about any of these questions, you have just identified your first to-do.
(And if you realize you need support to build a complete crisis organization – that's what we do.)
Read more
The 5 dimensions of operational resilience – The complete framework
Minimum Viable Operations – Continuing to work with reduced capacity
Why most risk analyses fail – A pragmatic approach to risk assessment
