
Jessica A.,
Feb 9, 2026
Too Long; Didn't Read
In a crisis, an 80% correct decision in 15 minutes is more valuable than a 100% correct decision in 4 hours. However, most companies lack clear decision structures for emergencies. We show you how to eliminate chaos with a RACI matrix, clear time limits, and proxy rules – before it arises.
It's 3 a.m. Your monitoring reports anomalies. Who calls whom now? Who is allowed to decide whether to activate the emergency mode? Who communicates with customers? And what if the CEO is currently on a flight and unreachable?
If you hesitate with these questions, you have a problem. Not because the incident is severe, but because you lose valuable time while everyone tries to figure out who is actually allowed to make decisions.
The Chaos Pattern
We have accompanied dozens of incident response deployments. The pattern for unprepared companies is always the same:
Phase 1: State of Shock. Someone notices the problem. But who informs whom? Is it severe enough for the CEO? Better to wait for now...
Phase 2: Too Many Cooks. Eventually, everyone is informed. Now everyone wants to have a say. Meetings are convened. Decisions are discussed. And discussed again.
Phase 3: Diffusion of Responsibility. No one wants to make the decision. "The CEO has to approve." - "He's not reachable." - "Then we'll wait."
Phase 4: Hectic Improvisation. Eventually, someone acts – but without coordination. Action A contradicts action B. Communication with customers is inconsistent.
The result: An incident that could be resolved in 2 hours with clear structures drags on for days.
Why Speed Is More Important Than Perfection
Here is an uncomfortable truth:
In a crisis, an 80%-correct decision in 15 minutes is more valuable than a 100%-correct decision in 4 hours.
Why? Because time works against you.
Every hour of downtime costs revenue
Every hour without communication unsettles customers
Every hour of chaos demotivates your team
Every hour without clarity makes the problem larger
A quick, imperfect decision gives you the opportunity to correct course. Making no decision paralyzes everything.
The RACI Framework for Crises
RACI stands for:
Responsible – Who performs the action?
Accountable – Who decides and bears the responsibility?
Consulted – Who is asked before the decision?
Informed – Who is informed after the decision?
For crises, you need a clear RACI matrix. Not for every conceivable case – but for the critical decisions.
Example RACI Matrix for Crisis Decisions:
| Decision / Action | Responsible | Accountable | Consulted | Informed | Max Decision Time |
|---|---|---|---|---|---|
| Activation of Fallback Systems | IT Operations Lead | CTO | - | CEO, CFO | 15 Minutes |
| Switch to Alternative Supplier | Procurement Manager | COO | Production Lead, Finance | CEO, Board | 4 Hours |
| External Communication in Incident | Marketing Lead | CEO | Legal, CISO | Board, all employees | 30 Minutes |
| Activation of Emergency Budget | CFO | CEO | - | Board | 2 Hours |
| Decision: Ransomware Payment | - | CEO + Board | Legal, CISO, Insurance | - | - |
The Key Point: The column "Max Decision Time." Without a time limit, discussions go on until someone gives up.
The 3 Critical Elements
1. Clear Escalation Paths with Time Limits
For each critical decision, you define:
Who may decide?
How much time does this person have?
To whom does the decision go when time runs out?
Example:
Activation of Fallback Shop: CTO decides in 15 minutes
If CTO is not reachable: IT Operations Lead decides
If both are not reachable: CEO must be informed
Automatic escalation prevents someone from waiting on the line while the minutes tick away.
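The escalation path above can be written down as data and evaluated mechanically, for example by an on-call tool. The following sketch is an added example, not part of the original article: the chain and the CTO's 15 minutes come from the fallback-shop example, while the 15-minute window for the IT Operations Lead, the function name `current_decider`, and the rule that unreachable roles are skipped immediately are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    role: str
    window_min: int  # minutes this role has once the decision reaches them


# Chain from the article's fallback-shop example. The CTO's 15 minutes are
# from the article; the proxy's 15-minute window is an assumption.
FALLBACK_SHOP = [Step("CTO", 15), Step("IT Operations Lead", 15)]
LAST_RESORT = "CEO"  # informed when nobody in the chain can decide


def current_decider(chain, reachable, elapsed_min):
    """Return (role, action, deadline_min) for a decision opened elapsed_min ago.

    Unreachable roles are skipped at once (proxy rule). A reachable role that
    lets its window expire hands the decision to the next step in the chain.
    """
    window_start = 0
    for step in chain:
        if step.role not in reachable:
            continue  # do not wait for someone who cannot answer
        deadline = window_start + step.window_min
        if elapsed_min < deadline:
            return step.role, "decide", deadline
        window_start = deadline  # time ran out: escalate to the next step
    return LAST_RESORT, "inform", window_start


if __name__ == "__main__":
    # Constructed scenarios: (reachable roles, minutes since the alert)
    scenarios = [
        ({"CTO", "IT Operations Lead"}, 5),
        ({"IT Operations Lead"}, 5),       # CTO is on a plane
        ({"CTO", "IT Operations Lead"}, 20),  # CTO let the 15 minutes pass
        (set(), 0),                        # nobody in the chain is reachable
    ]
    for reachable, elapsed in scenarios:
        print(sorted(reachable), elapsed,
              current_decider(FALLBACK_SHOP, reachable, elapsed))
```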
2. Proxy Rules
What happens if the decision-maker is not reachable?
On vacation?
In the hospital?
On a plane?
Personally affected by the incident?
For every critical role, you need a clearly defined proxy – who knows they are the proxy and has the authority.
(Sounds obvious. But we regularly see that proxies exist, yet don't know what they are allowed to decide.)
3. Pre-Authorization for Critical Decisions
Some decisions can't wait until a meeting is convened.
Define in advance:
Which decisions may the CTO make immediately without CEO approval?
What budget is authorized for emergency measures?
Which actions are pre-authorized?
Example Emergency Budget: "The CTO is authorized to spend up to CHF 50K on emergency measures without further approval. Documentation will be provided afterwards."
This sounds risky – but it's less risky than hours of coordination loops in a crisis.
Who Communicates with Whom?
Communication in crises is at least as important as technical problem-solving.
Communication RACI:
| Target Audience | Responsible | Message Owner | Timing |
|---|---|---|---|
| Customers (public) | Marketing Lead | CEO approves | Within 30 Min after decision |
| Employees | HR / Internal Comms | CEO drafts | Within 15 Min after decision |
| Press | PR / Comms | CEO approves | Reactive (on request) |
| Authorities (where notification is mandatory) | CISO / Legal | CEO approves | According to regulatory deadlines |
| Suppliers / Partners | Procurement | COO approves | As needed |
Important Questions:
Who may communicate externally? (Not everyone!)
Which messages are pre-approved?
Who talks to the press?
How do we inform employees to ensure consistent communication?
Training: Drills Instead of PowerPoint
A RACI matrix on paper is worthless if no one can apply it under stress.
Training Formats:
| Training Type | Target Group | Frequency | Duration | Content |
|---|---|---|---|---|
| Tabletop Exercise | Leadership (CEO, C-Level) | Quarterly | 2 hours | Discussing scenarios: AWS outage, ransomware, supply chain failure |
| Hands-on Failover | IT Operations | Quarterly | 3 hours | Actual failover to backup systems |
| Communication Drill | Marketing, HR, Support | Semi-annually | 1 hour | Which messages? What tone? Which channels? |
| Full-Scale Exercise | All relevant teams | Annually | 4-8 hours | Realistic scenario under time pressure |
Important: Training is not a PowerPoint presentation. It is hands-on, with realistic scenarios and real time pressure.
After each exercise: What worked? What didn't? What do we need to change?
A Practical Example
A trading company (180 employees) is hit by ransomware.
Before (without structure):
03:00: EDR reports encryption
03:30: IT admin calls IT lead. "What should we do?"
04:00: IT lead tries to reach CEO. Not reachable.
04:30: Discussion on whether to really wake up the CEO
05:00: CEO reachable. Wants to understand situation. Meeting convened.
06:30: First meeting. Discussion on course of action.
08:00: First decisions are made.
Result: 5 hours pass before any action is taken
After (with structure):
03:00: EDR reports encryption. Automatic alert activates on-call team.
03:15: IT Operations Lead classifies as P1 (critical). According to RACI: Immediate isolation authorized.
03:30: Infected servers isolated. Crisis team activated via SMS.
03:45: CTO decides: Activate degraded operations. No CEO approval needed (pre-authorized).
04:00: Fallback processes running. Customer hotline informed. First external communication prepared.
08:00: Systems restored from offline backup.
Result: Business operations resumed after 45 minutes (reduced capacity)
The difference: 38 fewer hours of production downtime. Minimal revenue loss instead of CHF 500K+.
Common Objections
"We can't define everything in advance."
True. But you can define the 10 most critical decisions. And fundamental principles ("If in doubt: isolate systems, analyze later"). This covers 90% of cases.
"This restricts flexibility."
No, it creates flexibility. Those who know who may decide can act faster. Uncertainty is the enemy of speed.
"We're too small for this."
Smaller companies especially benefit from clear structures. You don't have large teams to catch chaos. One person with clear authority is more valuable than five people discussing.
The Short Version
Chaos is the norm without prepared structures
80% in 15 minutes > 100% in 4 hours – Speed beats perfection
Define RACI matrix for the most critical decisions
Set time limits – without deadlines, endless discussions occur
Clarify proxies – even for the CEO
Pre-authorize emergency measures and budgets
Train, train, train – no PowerPoints, real drills
What Now?
Take 30 minutes and answer these questions:
Who may decide to switch to fallback systems in the event of a critical IT outage at 3:00 a.m.?
Is this person reachable? Even on weekends?
Who is the proxy if the person is not reachable?
Does the proxy have the same authority?
If you're unsure about any of these questions, you've just identified your first to-do.
(And if you realize you need support to build a complete crisis organization – that's what we do.)



