
Jessica A.
Too Long; Didn't Read
In a crisis, an 80% correct decision in 15 minutes is more valuable than a 100% correct decision in 4 hours. However, most companies lack clear decision structures for emergencies. We show you how to eliminate chaos before it arises, using a RACI matrix, clear time limits, and delegation rules.

It's 3 a.m. Your monitoring reports anomalies. Who calls whom now? Who is allowed to decide whether to activate the emergency mode? Who communicates with customers? And what if the CEO is currently on a flight and unreachable? If you hesitate with these questions, you have a problem. Not because the incident is severe, but because you lose valuable time while everyone tries to figure out who is actually allowed to make decisions.

The Chaos Pattern
We have supported dozens of incident response engagements. The pattern in unprepared companies is always the same:
Phase 1: Paralysis. Someone notices the problem. But who informs whom? Is it serious enough for the CEO? Better wait and see first...
Phase 2: Too many cooks. At some point, everyone is informed. Now everyone wants a say. Meetings are called. Decisions are discussed. And discussed again.
Phase 3: Diffusion of responsibility. No one wants to make the decision. "The CEO has to sign off on this." – "They’re not reachable." – "Then we wait."
Phase 4: Frantic improvisation. Eventually, someone acts, but without coordination. Action A contradicts Action B. Communication to customers is inconsistent.
The result: An incident that could be resolved in 2 hours with clear structures drags on for days.
Why Speed Matters More Than Perfection
Here is an uncomfortable truth:
In a crisis, an 80%-correct decision in 15 minutes is more valuable than a 100%-correct decision in 4 hours.
Why? Because time is working against you.
Every hour of downtime costs revenue
Every hour without communication unsettles customers
Every hour of chaos demotivates your team
Every hour without clarity makes the problem bigger
A quick, imperfect decision gives you the chance to course-correct. No decision paralyzes everything.
The RACI Framework for Crises
RACI stands for:
Responsible – Who executes the action?
Accountable – Who decides and holds responsibility?
Consulted – Who is consulted before the decision?
Informed – Who is informed after the decision?
For crises, you need a clear RACI matrix. Not for every conceivable case—but for the critical decisions.
Example RACI matrix for crisis decisions:
| Decision / Action | Responsible | Accountable | Consulted | Informed | Max. decision time |
|---|---|---|---|---|---|
| Activate fallback systems | IT Operations Lead | CTO | - | CEO, CFO | 15 minutes |
| Switch to alternative supplier | Procurement Manager | COO | Production Lead, Finance | CEO, Board | 4 hours |
| External communication during incident | Marketing Lead | CEO | Legal, CISO | Board, all employees | 30 minutes |
| Activate emergency budget | CFO | CEO | - | Board | 2 hours |
| Decision: ransomware payment | - | CEO + Board | Legal, CISO, Insurance | - | - |
The key point: The "Max. decision time" column. Without a time limit, discussion continues until someone gives up.
More on this in our article Business Impact Analysis: Identifying Critical Business Processes.
The 3 Critical Elements
1. Clear escalation paths with time limits
For each critical decision, define:
Who is allowed to decide?
How much time does this person have?
To whom does the decision escalate if time runs out?
Example:
Fallback shop activation: CTO decides within 15 minutes
If CTO is unreachable: IT Operations Lead decides
If both are unreachable: CEO must be informed
Automatic escalation prevents someone from waiting on the line while the minutes tick by.
2. Delegation rules
What happens if the decision-maker is unreachable?
On vacation?
In the hospital?
On a plane?
Personally affected by the incident?
For every critical role, you need a clearly defined deputy—who knows they are the deputy and has the authority.
(Sounds obvious. But we regularly see cases where deputies exist, yet do not know what they are allowed to decide.)
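The escalation path from section 1 and the deputy rule from section 2, encoded as data with a lint check and a resolver (an added example, not part of the original article). The `Decision` class, its field names, the sample entries and the rule that every decider in the chain gets the same time window are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Decision:
    name: str
    chain: list                  # accountable role first, then deputies in order
    max_minutes: Optional[int]   # time limit per decider; None = not defined
    fallback_inform: Optional[str] = None  # informed when the chain is exhausted

def lint(decisions):
    """Flag entries that break the rules above: no time limit, no deputy."""
    findings = []
    for d in decisions:
        if d.max_minutes is None:
            findings.append(f"{d.name}: no max. decision time")
        if len(d.chain) < 2:
            findings.append(f"{d.name}: no deputy for {d.chain[0]}")
        if d.fallback_inform is None:
            findings.append(f"{d.name}: nobody named when chain is exhausted")
    return findings

def resolve(d, unreachable, elapsed_minutes):
    """Return (action, role, deadline_minute) for the given point in time."""
    if d.max_minutes is None:
        raise ValueError(f"{d.name}: cannot escalate without a time limit")
    deadline = 0
    for role in d.chain:
        if role in unreachable:
            continue                      # skip at once, nobody waits on the line
        deadline += d.max_minutes         # assumption: same window per decider
        if elapsed_minutes < deadline:
            return ("decides", role, deadline)
    return ("inform", d.fallback_inform, None)

# Constructed sample data. Only the first entry's chain comes from the article.
FALLBACK = Decision("Activate fallback systems", ["CTO", "IT Operations Lead"], 15, "CEO")
COMMS = Decision("External communication during incident", ["CEO"], 30)
MATRIX = [FALLBACK, COMMS]

if __name__ == "__main__":
    for finding in lint(MATRIX):
        print("FINDING:", finding)
    print(resolve(FALLBACK, {"CTO"}, elapsed_minutes=5))
```

Running `lint` over the matrix whenever it changes surfaces a missing deputy or time limit during preparation rather than at 3 a.m.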
3. Pre-authorization for critical decisions
Some decisions cannot wait until a meeting is convened.
Define in advance:
Which decisions may the CTO make immediately, without CEO approval?
What budget is approved for emergency measures?
Which actions are pre-authorized?
Example emergency budget: "The CTO is authorized to spend up to CHF 50K on emergency measures without further approval. Documentation will be completed afterward."
That sounds risky—but it is less risky than hours of alignment loops during a crisis.
Who communicates with whom?
Communication in crises is at least as important as technical problem-solving.
Communication RACI:
| Target group | Responsible | Message Owner | Timing |
|---|---|---|---|
| Customers (public) | Marketing Lead | CEO approves | Within 30 min of decision |
| Employees | HR / Internal Comms | CEO drafts | Within 15 min of decision |
| Press | PR / Comms | CEO approves | Reactive (upon request) |
| Authorities (if reporting is mandatory) | CISO / Legal | CEO approves | According to regulatory deadlines |
| Suppliers / Partners | Procurement | COO approves | As needed |
Important questions:
Who is allowed to communicate externally? (Not everyone!)
Which messages are pre-approved?
Who speaks to the press?
How do we inform employees so they communicate consistently?
Training: Drills instead of PowerPoint
A RACI matrix on paper is worthless if no one can apply it under stress.
Training formats:
| Training type | Target group | Frequency | Duration | Content |
|---|---|---|---|---|
| Tabletop exercise | Leadership (CEO, C-level) | Quarterly | 2 hrs | Walk through scenario: AWS outage, ransomware, supply chain disruption |
| Hands-on failover | IT Operations | Quarterly | 3 hrs | Actual failover to backup systems |
| Communication drill | Marketing, HR, Support | Semi-annually | 1 hr | Which messages? Which tone? Which channels? |
| Full-scale exercise | All relevant teams | Annually | 4-8 hrs | Realistic scenario under time pressure |
Important: Training is not a PowerPoint presentation. It is hands-on, with realistic scenarios and real time pressure.
After each exercise: What worked? What didn’t? What do we need to change?
A Practical Example
A trading company (180 employees) is hit by ransomware.
Before (without structure):
03:00: EDR reports encryption
03:30: IT admin calls IT manager. "What should we do?"
04:00: IT manager tries to reach CEO. Unreachable.
04:30: Discussion about whether to really wake the CEO
05:00: CEO reachable. Wants to understand the situation. Meeting is convened.
06:30: First meeting. Discussion about approach.
08:00: First decisions are made.
Result: 5 hours pass before action is taken
After (with structure):
03:00: EDR reports encryption. Automatic alert activates on-call team.
03:15: IT Operations Lead classifies as P1 (critical). According to RACI: immediate isolation authorized.
03:30: Infected servers isolated. Crisis team activated via SMS.
03:45: CTO decides: activate degraded operations. No CEO approval required (pre-authorized).
04:00: Fallback processes running. Customer hotline informed. Initial external communication prepared.
08:00: Systems restored from offline backup.
Result: business operations resumed after 45 minutes (reduced capacity)
The difference: 38 fewer hours of production downtime. Minimal revenue loss instead of CHF 500K+.
Common Objections
"We can’t define everything in advance."
True. But you can define the 10 most critical decisions. And core principles ("When in doubt: isolate systems, analyze later"). That covers 90% of cases.
"That limits flexibility."
No, it creates flexibility. If you know who is allowed to decide, you can act faster. Uncertainty is the enemy of speed.
"We’re too small for this."
Smaller companies especially benefit from clear structures. You don’t have large teams to absorb chaos. One person with clear authority is more valuable than five people debating.
The Short Version
Chaos is the default without prepared structures
80% in 15 minutes > 100% in 4 hours – speed beats perfection
Define a RACI matrix for the most critical decisions
Set time limits – without a deadline, discussion is endless
Clarify deputies – including for the CEO
Pre-authorization for emergency measures and budgets
Train, train, train – no PowerPoints, real drills
What now?
Take 30 minutes and answer these questions:
Who is allowed to decide at 3:00 a.m. during a critical IT outage to switch to fallback systems?
Is this person reachable? Even on weekends?
Who is the deputy if this person is unreachable?
Does the deputy have the same authority?
If you are unsure about any of these questions, you have just identified your first to-do.
(And if you realize you need support building a complete crisis organization—this is exactly what we do.)


