MHA Consulting Blog | Roadmap to Resiliency

Crisis Response Mistakes: 6 Gaps to Catch

Written by Michael Herrera | Jul 9, 2026 4:48:07 PM

Many crisis response mistakes do not start during the incident. 

They start earlier, when roles are unclear, decisions are untested, plans are too hard to use, or teams assume someone else owns the next step.

During a cyber event, facility disruption, workplace safety issue, severe weather event, or supplier failure, those gaps become visible quickly. The organization may have a plan. It may even have a current plan. But if the response structure has not been exercised, challenged, and understood by the people who will use it, the team can still lose time.

For program owners, the job is not to predict every scenario. The job is to find the response gaps most likely to slow the team down, then fix them before the next incident.

A crisis readiness review should look across the full response process: detection, escalation, activation, situation assessment, decision-making, communication, documentation, recovery, and lessons learned.

This article uses ISO 22361 crisis management guidance as broad crisis management context, NIST SP 800-61 and CISA incident response planning guidance for cyber response context, and Ready.gov and FEMA/NIMS public information guidance as supporting references for preparedness, coordination, and communication structure.

Here are six mistakes to look for.

In short

Crisis response mistakes are often visible before an incident if you know where to look. The most common gaps involve roles, decisions, situation assessment, plan usability, communication, and follow-through.

  • Test how the response works, not just whether a plan exists
  • Clarify decision rights, escalation paths, and backup roles before pressure rises
  • Use exercises and after-action reviews to turn response gaps into program improvements

Why Crisis Response Mistakes Are Hard to See Before an Incident

Crisis plans often look cleaner than real crisis response.

Plans are written in order. Incidents are not.

A facility outage may begin as a maintenance issue, then become a workforce access problem, then turn into a customer service or regulatory issue. A cyber event may start with an IT alert, then require legal review, customer communication, executive decisions, vendor coordination, and business recovery planning.

That is why crisis readiness cannot be judged only by whether a plan exists.

A better question is:

Can the team use the plan when information is incomplete, time is limited, and multiple departments need to act at once?

If the answer is unclear, the plan needs more than an annual review. It needs pressure.

6 Crisis Response Mistakes to Catch Before the Next Incident

Mistake What it looks like Why it matters How to catch it before the next incident
Roles and authority are unclear Teams are unsure who leads, who approves decisions, or who can activate the crisis team Time is lost while people wait for direction Test activation and escalation in a tabletop exercise
Decisions take too long Leaders debate ownership, thresholds, or risk tolerance during the event The response slows while impact grows Define decision rights and escalation triggers
Situation assessment is weak The team cannot quickly explain what happened, what is affected, and what is changing Leaders make decisions from partial or conflicting information Practice incident briefings and status updates
Plans are not usable under pressure The plan is too long, outdated, or written for review rather than response Teams stop using the plan when pressure rises Review plans against realistic scenarios and user needs
Communication is disconnected from response Messages lag behind decisions or move through unclear approval paths Employees, customers, vendors, or leaders get mixed information Link communication roles to the response structure
Lessons learned do not turn into changes After-action items are captured but not owned, funded, or tracked The same gaps return in the next incident Assign owners, due dates, and follow-up reviews

Mistake 1: Roles and Authority Are Unclear

The first failure point is often ownership.

Who leads the response? Who activates the crisis team? Who decides whether to close a facility, notify customers, engage outside counsel, move to alternate operations, or escalate to executive leadership?

These questions should not be answered for the first time during the event.

In a cyber event, IT may own technical containment, but legal, communications, risk, operations, HR, finance, and executives may all have roles. In a facility disruption, site leadership may own the immediate response, but business continuity, safety, operations, security, and customer teams may need to coordinate.

Weak execution sounds like:

  • “I thought your team owned that.”
  • “We are waiting to hear who has authority.”
  • “Let’s get everyone on a call and decide.”

The fix is not a longer contact list. The fix is a clear response structure with decision rights, backups, escalation triggers, and role handoffs.

Mistake 2: Decisions Take Too Long

Slow decision-making is one of the most common crisis management mistakes.

The issue is not that leaders are careless. It is that they are often asked to make decisions without agreed thresholds.

When should the crisis team activate? When should a facility close? When should an executive be notified? When does a cyber incident become a business crisis? When should customer, regulator, or contract notification processes begin?

If every threshold is debated during the incident, the team loses time.

Program owners can reduce this by defining decision points before the event. Not every answer can be prewritten, but the decision process can be clear.

Good crisis response separates facts, assumptions, decisions needed, decision owner, and deadline. That simple discipline helps leaders act without pretending the information is perfect.

The key question is not whether the plan exists. It is whether leaders know how decisions will be made when the facts are incomplete.

Mistake 3: Situation Assessment Is Weak

Many response teams struggle because they do not have a clean picture of the incident.

They know something happened, but they cannot quickly explain:

  • What is affected
  • Who is affected
  • What is still unknown
  • What is getting worse
  • What decisions are needed now
  • What the next response cycle should focus on

This is common during cyber events and facility disruptions because impact changes over time. A system may appear isolated at first, then affect downstream processes. A building issue may begin as a physical access problem, then affect production, patient care, customer commitments, or compliance obligations.

A useful situation assessment does not need to be long. It needs to be consistent.

A basic status briefing should cover current facts, impacts, actions underway, open questions, decisions needed, owners, and next update time.

Without that rhythm, leadership discussions become circular.

Mistake 4: Plans Are Not Usable Under Pressure

Some plans pass review but fail in use.

They are too long. They are stored in the wrong place. They depend on one person’s knowledge. They include outdated contacts. They describe general intent but not actual actions.

A crisis response plan should help people move.

That does not mean every step must be scripted. It means the plan should be easy to use when people are tired, distracted, and working with incomplete information.

Common signs of weak plan usability include:

  • Staff cannot find the plan quickly
  • The plan has not been updated after organizational changes
  • Contact lists are stale
  • Roles do not match current job titles
  • Procedures assume systems or buildings are available
  • The plan has never been used in an exercise

Program owners should review plans with the people who will actually use them. Ask what they would open first, what they would ignore, and what they would need in the first hour.

That feedback is often more useful than a formatting review.

Mistake 5: Communication Is Disconnected from Response

Communication should not sit outside the crisis response structure.

Employees need direction. Executives need consistent status. Customers may need impact updates. Vendors may need access or delivery instructions. Regulators, insurers, or contract partners may need formal notification depending on the incident and industry.

This article is not a full crisis communication guide. That topic deserves its own plan and testing process.

The response-team question is narrower:

Are communication roles, message approvals, audience lists, and update timing connected to the crisis response process?

If the answer is no, the organization may make sound operational decisions and still create confusion.

For deeper guidance, see the related MHA article on crisis communication planning.

Mistake 6: Lessons Learned Do Not Turn into Changes

The final mistake happens after the incident.

The team holds a debrief. People identify gaps. Someone writes a report. Then daily work takes over, and the same issues remain open.

Lessons learned only matter if they change the program.

After an incident or exercise, each finding should have an owner, action, due date, priority, and follow-up review. Some actions may require funding or leadership approval. Some may need a plan update, training change, vendor conversation, tabletop exercise, or technical control improvement.

The most useful after-action question is simple:

What will be different next time?

If the answer is unclear, the organization has captured observations, not improvements.

How to Diagnose These Gaps Before They Show Up in a Real Event

A crisis readiness review should not only ask whether plans exist.

It should test how the response would work.

For an executive and program owner diagnostic, focus on questions like:

  • How does an incident become a crisis?
  • Who can activate the crisis team?
  • What are the first three decisions leaders may need to make?
  • How is the situation assessed and briefed?
  • What happens if the primary decision-maker is unavailable?
  • How are cyber, facility, safety, and operational incidents escalated differently?
  • How are internal and external communications coordinated?
  • How are decisions documented during the event?
  • How are lessons tracked after the event?

These questions expose whether the program is ready to operate, not just whether it is documented.

Crisis Readiness Review

Crisis readiness is part planning, part judgment, and part practice.

MHA Consulting helps organizations review crisis response structures, clarify roles and decision rights, assess plan usability, design exercises, identify escalation gaps, and turn lessons learned into practical program improvements.

The value of the review is not a longer plan. It is a clearer view of where response will slow down, who needs authority, and what should be tested next.

This is especially useful when a plan exists but leaders are not sure it will work under pressure.

A crisis readiness review can help your team see where ownership is unclear, where decision paths are too slow, and what needs to be fixed before the next real event.

Conclusion

Crisis response mistakes are easier to fix before the incident than during it.

The most common gaps are not mysterious. Roles are unclear. Decisions take too long. Situation assessment is weak. Plans are hard to use. Communication is disconnected. Lessons learned do not become changes.

For program owners, the job is to find those gaps while there is still time to correct them.

Review Your Crisis Readiness

If your organization has a crisis plan but has not pressure-tested how the response would actually work, MHA can help you review the structure, test decision paths, and identify the gaps most likely to slow the team down during a real incident.

FAQ

What are common crisis response mistakes?

Common crisis response mistakes include unclear roles, slow decisions, weak situation assessment, plans that are not usable under pressure, disconnected communication, and failure to turn lessons learned into program improvements.

How do you identify incident response gaps before a crisis?

You can identify response gaps through crisis readiness reviews, tabletop exercises, role and decision-rights reviews, scenario testing, plan usability checks, and after-action follow-up reviews.

What should a crisis readiness review include?

A crisis readiness review should examine activation criteria, response roles, decision rights, escalation paths, situation assessment, communication coordination, plan usability, documentation practices, and lessons-learned follow-through.

How often should crisis response plans be tested?

Crisis response plans should be tested on a regular cadence and after major organizational, operational, technology, facility, or leadership changes. The right cadence depends on the organization’s risk profile, regulatory environment, and business complexity.