I've sat in 50+ crisis rooms during major ransomware incidents. The organizations that recovered fastest weren't the ones with the best playbooks. They were the ones willing to fail fast, kill bad ideas, and try something else.

Here's why crisis management is closer to startup mode than anyone admits...

Crises are, by definition, “out-of-framework” events. They push us beyond the boundaries of contingency plans. For if there were a plan that could simply be followed to resolve the situation, then strictly speaking we wouldn’t be in a crisis.

An organization that activates a contingency plan is not, in my view, in crisis: it may be operating in a degraded mode, for sure. But it is relying on an existing plan and well-defined steps and resources to return to normal. In that context, the framework still holds—and it is obviously not desirable to “fail fast and often.”

Contingency measures must be applied, and they must work. If they don’t, then the real problem lies elsewhere.

A situation becomes a crisis when there is no plan—or when contingency measures fail. And in such circumstances, clinging to the framework can be dangerous.

A framework limits options; it defines a territory shaped by the pre-crisis state: a state designed for day-to-day operations and long-term stability. Above all, it is a state whose mission is to drive the organization toward its usual objectives… which are not necessarily the objectives that matter during a crisis.

Crisis Organization Is Not Day-to-Day Organization

That is precisely why crisis organization rarely mirrors day-to-day organization. Managing a crisis ultimately means switching into “startup mode”: tapping into the creativity and energy of highly motivated teams operating closely within a very flat structure—namely the crisis cell.

It also means rapidly and efficiently surfacing ideas from the field, and above all maintaining a short feedback loop between observation, analysis, decision, and action (the famous OODA loop developed by Colonel John Boyd). These are things that, in normal operations, either don’t work or require an unsustainable level of energy and micromanagement once an organization reaches a certain size.

Most importantly, startup mode makes it possible to test things—lots of things. Not solutions meant to be permanent, but initiatives that, when they work, help move the organization one step closer to exiting the crisis, or at least keep it afloat long enough to try something else.

This inevitably involves making mistakes. Errors in judgment or assessment are unavoidable when you have to move forward with partial information and a rapidly evolving situation. These mistakes must be identified quickly (thanks to a short OODA loop) and discarded just as quickly, to make room for a better approach. Crisis time is constrained; there is no room for unnecessary wandering. Wasting time on doomed approaches can be fatal.

The goal of crisis management, in my view, is therefore to create the conditions that enable this way of working: allowing rapid, blame-free failure so that good ideas can emerge through iteration. Putting safeguards in place to limit the impact of failed initiatives, while knowing how to capitalize on those that succeed. And ultimately, discovering the path out of the crisis—a path that was not written in advance, that will inevitably be unique, and whose every step must be documented to feed the final lessons-learned process.

A Startup Mindset—But a Responsible One

This does not mean doing just anything. Startup mode, yes—but a responsible startup. An organization cannot simply disregard its legal and contractual obligations because it is in crisis (national public crises are, of course, a different matter). Some things can be renegotiated, but broadly speaking, an organization has very few “jokers” when dealing with third parties—unless it relies on their understanding, which actually does happen more often than one might think (I even saw competitors ready to help a major pig breeder brought to a complete standstill by ransomware).

It is therefore essential that the crisis organization is also capable of ensuring compliance with these obligations, so as not to add a second crisis on top of the first.

Poor decisions can worsen the situation, open a new legal front or trigger a secondary public communications crisis. This is a delicate balancing act: between formalism and openness to all proposals, between controlled chaos and the discipline of proper logging and traceability. In short, it’s a profession in its own right.

Above All, a Matter of Culture

Let me be clear: I am not suggesting that crisis management consists of trying everything at random until something finally works. What I want to emphasize is the importance of agility and humility in steering a crisis—and the need to foster a culture of initiative rather than blame (I will probably write about my worst crises someday… including toxic corporate cultures and a lot of blame being thrown around).

Rapid iteration, killing bad ideas, and keeping only the good ones is only possible within a very specific culture. One where failure is not stigmatized (far from the infamous “career-limiting moves” so dear to the most suffocating organizations), and where everyone—because they are professionals whose expertise is respected—can speak up and make proposals before the crisis cell’s director decides. Crisis time is not the time for blame: neither for the origin of the crisis nor for exit strategies that fail.

Under these conditions, the crisis cell may fail often. But it will fail safely, within a controlled framework—and that is precisely what will allow it to uncover the path out of the crisis.

What about your own experience? Have you ever been in a crisis where blame was flying around and failure was stigmatized—where trying things and failing was discouraged? How did it go?