From Crisis Management Plans to Crisis Management Decisions:
The Executive Decision Pipeline in Crisis Management

Dr Danie Adendorff

Introduction

A crisis plan is usually written before the crisis has a face. It assumes that people will recognise the event in time, that information will travel upward, that authority will be clear, and that the organisation will know when routine management has ended. Real crises are less cooperative. They arrive through partial evidence, contradictory reports, technical language, legal anxiety, reputational fear and executive hesitation. The document may be present; the decision system may not be.

This essay reframes crisis management as an executive decision discipline. Its central claim is that the decisive unit of crisis readiness is not the crisis management plan, nor even the crisis management team, but the crisis decision system: the architecture through which an organisation detects signals, validates information, interprets consequence, escalates authority, decides, acts and adapts while the event is still unfolding.

The revision takes seriously a central criticism of earlier versions of this essay: a purely conceptual pipeline can become too tidy for the disorder it seeks to govern. The Executive Decision Pipeline must therefore be tested against cases, not merely explained through theory. Boeing’s 737 MAX crisis shows how weak signals, certification assumptions and fragmented accountability can defeat formal process. The NHS WannaCry attack shows how a distributed cyber crisis can overwhelm central coordination while local actors improvise survival. Deepwater Horizon shows the danger of treating risk as a technical variable when decisions are being shaped by cost, schedule and dispersed contractors. Johnson & Johnson’s Tylenol response, with all the caution due to a classic case, remains useful because it shows a company translating public safety, recall, communication and product redesign into a coherent response.

The argument is not that planning is irrelevant. On the contrary, the problem is often that organisations plan the wrong layer. They prepare procedural choreography but neglect decision architecture. They can say who must attend the crisis meeting, yet struggle to specify who has authority, what evidence is sufficient, when escalation is mandatory, how dissent is protected and how initial decisions will be revised when evidence changes.

Dr Danie Adendorff’s Executive Decision Pipeline provides the organising heuristic for this essay: Signal -> Validation -> Interpretation -> Escalation -> Decision -> Action -> Adaptation. The model is not a mechanical chronology. Crises rarely proceed in that order. It is better understood as a governance discipline: a way of keeping the essential decision functions visible, connected and reviewable under pressure.

The pipeline is also explicitly situated within established scholarship. It draws together Endsley’s situation awareness, Weick’s sensemaking, Boin and colleagues’ crisis leadership, high-reliability organising, Boyd’s OODA tradition as interpreted by Osinga, and the intelligence-cycle logic of converting information into decision-relevant understanding (Endsley, 1995; Weick, 1993; Boin et al., 2016; Weick and Sutcliffe, 2015; Osinga, 2007). Its contribution is not a new theory of crisis cognition. Its contribution is a practitioner-facing crisis decision system that can be rehearsed, audited and improved.

The wrong layer of crisis planning

The conventional crisis plan concentrates on visible artefacts: role cards, contact lists, meeting protocols, holding statements, incident classifications and escalation charts. These artefacts are useful. The weakness appears when the organisation treats their existence as evidence that judgement will follow. A plan can move people into a room without moving truth into authority. It can generate a public statement without establishing what is known. It can activate a crisis team while leaving the real decision rights ambiguous.

ISO 22361:2022 does not reduce crisis management to documentation. It frames crisis management as a strategic capability that must be established, maintained, reviewed and improved (ISO, 2022). ISO 22301:2019 similarly places business continuity within a management-system discipline (ISO, 2019), while ISO 31000:2018 states that risk management should support decision-making and value protection (ISO, 2018). The standards are not the problem. The problem is shallow implementation: evidence of compliance without evidence of executive decision-readiness.

Modern crises also cross boundaries faster than older planning assumptions can accommodate. The OECD notes that contemporary strategic crises can move across sectors, jurisdictions and infrastructures, requiring early warning, sense-making and cross-government or cross-organisational coordination rather than narrow response routines (OECD, 2015). The same logic applies to corporations, universities, hospitals, ports, financial institutions, defence contractors and critical-service providers. A cyber incident can become a patient-safety crisis. A product defect can become a regulatory and reputational crisis. A technical engineering assumption can become a governance failure.

The organisational-failure literature explains why this happens. Turner and Pidgeon show that disasters often incubate through ignored or misread warnings (Turner and Pidgeon, 1997). Reason’s systems approach to human error shifts attention from individual blame to latent conditions and failed barriers (Reason, 1990; Reason, 2000). Perrow’s normal-accident thesis warns that complex, tightly coupled systems can generate interactions that are difficult to foresee and interrupt (Perrow, 1999). Vaughan’s study of Challenger shows how repeated tolerance of risk can normalise deviance until unsafe practice is treated as operationally routine (Vaughan, 1996).

The executive implication is severe. A plan can be visible in the archive while the organisation still lacks the authority, evidence discipline and culture required to decide under stress.

Case one: Boeing 737 MAX and the cost of weak-signal blindness

The Boeing 737 MAX crisis is not a simple story of one technical defect. It is a case of how engineering assumptions, certification practices, commercial pressure, information asymmetry and regulatory delegation can interact inside a high-consequence system. Two crashes, Lion Air Flight 610 in October 2018 and Ethiopian Airlines Flight 302 in March 2019, killed 346 people and led to a worldwide grounding of the aircraft. The U.S. House Committee investigation described the matter in terms of design, development and certification lessons, while the Joint Authorities Technical Review examined the certification of the MAX flight-control system and the surrounding regulatory process (House Committee on Transportation and Infrastructure, 2020; JATR, 2019).

The case matters for crisis management because the crisis did not begin only at the moment of the second crash. Earlier signals existed in engineering assumptions, pilot-training expectations, design changes, certification dependencies and the interpretation of the Maneuvering Characteristics Augmentation System. A decision system should have forced stronger questions: What has changed in the aircraft’s behaviour? Who understands the full operational implication? What information has been distributed to pilots and regulators? What assumptions are embedded in certification? What level of authority must review the risk?

The Boeing case therefore illustrates the first three stages of the pipeline under failure conditions. Signals were present, but their decision relevance was not adequately elevated. Validation was constrained by fragmented knowledge and assumptions about pilot response. Interpretation remained too narrow: a flight-control and training issue was not treated early enough as an enterprise-level governance problem. When interpretation is too technical, executives may miss the point at which a technical issue becomes a legitimacy crisis.

The case also demonstrates why crisis management cannot rely on formal process alone. Certification, documentation and organisational roles existed. What failed was the quality of decision integration across engineering, safety, regulatory and executive domains. The crisis decision system must therefore ask whether the right people possess the whole picture, whether dissent can travel, and whether weak technical signals can pierce commercial and institutional confidence before consequence arrives.

Case two: Deepwater Horizon and risk decisions disguised as operational routine

Deepwater Horizon provides a second empirical anchor, this time from a complex industrial system. The 2010 Macondo well blowout killed eleven workers and produced a major environmental disaster. The National Commission report treated the disaster as the product of systemic failures involving industry practice, regulatory weakness, risk management and multiple companies operating within a complex contractual environment (National Commission, 2011).

The lesson for crisis management is not merely that offshore drilling is dangerous. It is that risk can be progressively converted into routine through a series of local decisions. In such environments, crisis does not arrive as a surprise outside the system. It may be manufactured inside the system by ordinary decisions that are treated as technical, cost, schedule or procedural matters until their cumulative consequence becomes visible.

The pipeline exposes the failure pattern. Signals may appear as test anomalies, unresolved uncertainty, conflicting interpretations or deviations from expected practice. Validation requires asking whether the anomaly is genuinely resolved or merely administratively absorbed. Interpretation must move beyond the immediate technical task to the systemic question: what does this decision do to the safety envelope? Escalation must occur when local teams are making decisions whose consequence exceeds their authority or visibility. Decision must be explicit rather than dispersed across contractors, supervisors and implied assumptions.

Deepwater Horizon also shows why crisis planning must not become liability management. In high-risk sectors, organisations may possess detailed procedures while still lacking an effective decision culture. The problem is not absence of process. The problem is that process may become a way to legitimate continued activity rather than a way to stop, challenge or reframe it.

Case three: NHS WannaCry and the limits of centralised crisis control

The NHS WannaCry cyber attack in May 2017 is a useful stress test because it shows a crisis that was distributed, fast-moving and operationally uneven. The National Audit Office reported that the attack affected NHS services, disrupted appointments and exposed weaknesses in cyber preparedness, including patching, unsupported systems and unclear local readiness (National Audit Office, 2017).

This case complicates any over-centralised reading of the Executive Decision Pipeline. In a distributed cyber crisis, local survival instincts may be faster than central validation. Hospitals and trusts may need to disconnect systems, revert to paper processes, cancel appointments, redirect patients or improvise communication before national-level interpretation has stabilised. If escalation thresholds are too centralised, they can create latency. If local discretion is too unconstrained, the response becomes incoherent.

The pipeline therefore requires subsidiarity: decisions should be made at the lowest level competent to act, but within a framework that preserves common visibility and escalation when consequence widens. Signal and action may begin locally. Validation and interpretation must then connect upward and laterally, so that the organisation as a whole understands whether the event is isolated, spreading or systemic. Adaptation is not an after-action luxury; it is the method by which local improvisation becomes organisational learning while the crisis is still active.

WannaCry also demonstrates that crisis management is inseparable from pre-crisis investment. Local response cannot compensate indefinitely for neglected patching, weak asset visibility, fragmented accountability or underdeveloped cyber resilience. The crisis decision system must therefore extend backwards into preparedness: boards must ask whether the organisation knows its exposure before an attack turns technical debt into patient, customer or service harm.

Case four: Tylenol and adaptive decision discipline

The Tylenol case remains widely taught because it shows a company making an early legitimacy-preserving decision under extreme uncertainty. In 1982, Johnson & Johnson faced a major crisis after deaths were attributed to cyanide-contaminated Tylenol capsules. The Harvard Business School case records the immediate facts as known shortly after the incident and frames the crisis around consumer behaviour, corporate responsibility and competitive reaction (Greyser, 1982). Later scholarship on the second Tylenol tampering episode analysed Johnson & Johnson’s proactive and flexible communication strategies (Benson, 1988).

The case should not be romanticised. Later commentary has raised questions about unresolved investigative issues, and classic business cases can become simplified through repetition. Its value for this essay is narrower: it illustrates what adaptive crisis decision discipline can look like when public safety, communication, recall and product redesign are aligned.

Through the pipeline lens, the company’s response demonstrates rapid interpretation of the event as a public-safety and trust crisis rather than only a product or legal issue. Decision was visible in recall and public warning. Action moved beyond messaging into product withdrawal and later packaging changes. Adaptation occurred when the company recognised that restoring trust required a change in the product-security environment, not simply a return to the previous state.

Tylenol is therefore useful as a contrast to Boeing and Deepwater Horizon. In the latter cases, the decisive weakness lay upstream: signals and decisions did not travel with sufficient force before catastrophe. In Tylenol, the crisis was external and violent, but the response gained legitimacy because the company acted as if public safety outranked short-term product protection. That is the difference between reputation management and legitimacy-preserving action.

The pipeline under fire

The four cases show why the Executive Decision Pipeline must be understood as a set of live governance functions rather than a tidy sequence. In Boeing, signal, validation and interpretation failed to become enterprise-level executive concern in time. In Deepwater Horizon, risk decisions accumulated inside operational routine until disaster revealed the systemic nature of the problem. In NHS WannaCry, action and local adaptation were sometimes required before central interpretation could settle. In Tylenol, early decision and action created the conditions for later recovery because the company interpreted the event as a trust and safety crisis from the outset.

These cases also show where the pipeline can fail. First, it can fail when signals are too technical for executives to understand and too institutionally inconvenient for specialists to escalate. Second, it can fail when validation becomes a brake rather than a discipline, especially in cyber or safety events where local actors must act before central authority has certainty. Third, it can fail when escalation thresholds are too rigid for distributed organisations. Fourth, it can fail when the first public interpretation becomes a trap, making adaptation look like embarrassment rather than responsibility.

For this reason, the pipeline needs three design principles. The first is subsidiarity: authority should sit close enough to the event for timely action, but escalation must occur when consequence exceeds local scope. The second is reversibility: crisis decisions should identify what can be done now, what can be reversed, and what would become irreversible if delayed. The third is protected dissent: decision systems must create routes for technical, legal, operational or ethical disagreement to reach authority without being filtered by hierarchy or reputational anxiety.

Signal, validation and interpretation

The first movement of the crisis decision system is from signal to interpretation. Endsley’s situation-awareness model remains useful because it distinguishes noticing, understanding and projecting (Endsley, 1995). Boeing shows the danger of stopping at noticing. Data, assumptions and concerns may exist across the organisation, but unless they are integrated into decision-relevant comprehension, they remain fragments.

Validation must be strong enough to prevent panic and fast enough to prevent paralysis. Reason’s systems approach helps here because it asks what latent conditions sit behind the immediate event (Reason, 1990; Reason, 2000). In Deepwater Horizon, the critical question was not only whether one test, one decision or one contractor failed. It was whether the system permitted multiple risk-increasing choices to proceed without a decisive stop point. In NHS WannaCry, validation had to occur while services were already adjusting their operating posture. Waiting for complete central knowledge would have been unrealistic; acting without shared situational awareness carried its own risks.

Interpretation is where executive work becomes most visible. A technical issue must be interpreted through consequence. In Boeing, a design and certification issue became a public-trust, regulatory and corporate-governance crisis. In WannaCry, a malware outbreak became a healthcare-delivery problem. In Tylenol, product tampering became a public-safety and legitimacy crisis. Interpretation determines what kind of crisis the organisation believes it is in. That belief shapes everything that follows.

Escalation, decision and action

Escalation moves consequence into authority. It is often the most politically sensitive part of crisis management because it transfers a problem from local control to executive visibility. Janis and Mann’s work on decisional conflict explains why actors may avoid escalation when choices involve loss, blame or uncertainty (Janis and Mann, 1977). Boin et al.’s work on Katrina shows how leadership style, blame management and coordination problems can weaken crisis response when authority fragments (Boin et al., 2010).

The Boeing and Deepwater Horizon cases both show that escalation is not merely a reporting act. It is a judgement that the consequence has outgrown the routine frame. The question is not “Have we followed the process?” but “Has the matter become decision-relevant at a higher level?” Crisis systems need escalation thresholds for life safety, regulatory notification, technical uncertainty, media exposure, stakeholder harm, cyber compromise, financial materiality and evidence of systemic control weakness.

Decision then assigns responsibility to a course of action. Osinga’s reading of Boyd is important because it challenges the simplistic idea that the fastest loop wins. Orientation matters. A rapid decision based on a false frame can deepen crisis (Osinga, 2007). Tylenol’s value as a case lies partly in orientation: the company treated the event as a safety and trust crisis, not merely as a narrow product-defence problem. Boeing and Deepwater Horizon demonstrate the opposite danger: when orientation is too narrow, decision quality deteriorates even if procedures are being followed.

Action is the point at which decisions either become real or disappear into meeting minutes. Coombs’ crisis communication theory is relevant because stakeholder perceptions of responsibility shape appropriate response strategies (Coombs, 2007). Yet communication is only one component of action. The test is whether words, operations, legal duties and corrective measures align. Communication without correction may buy hours; it rarely survives scrutiny.

Adaptation and learning while the crisis is still alive

Adaptation is not the final chapter of crisis management. It begins while the crisis is still alive. Weick and Sutcliffe’s high-reliability principles - preoccupation with failure, reluctance to simplify, sensitivity to operations, commitment to resilience and deference to expertise - are useful precisely because they resist premature closure (Weick and Sutcliffe, 2015).

Staw’s escalation-of-commitment research explains why adaptation is difficult. Once leaders have invested in a course of action, especially publicly, they may continue defending it even when evidence weakens the original premise (Staw, 1976). This is where first-decision lock-in becomes dangerous. A crisis system must make revision legitimate. The decision log should therefore record not only what was decided, but what evidence would require the decision to be revisited.

The case material clarifies the point. Boeing’s first interpretations became harder to sustain after the second crash and worldwide grounding. Deepwater Horizon showed how earlier risk decisions could not be adapted once physical control was lost. NHS WannaCry required ongoing local and national adjustment as the scale of disruption became clearer. Tylenol illustrates a more successful adaptive pattern: immediate public-safety action, followed by product-security redesign rather than a simple attempt to restore the pre-crisis condition.

Learning must also be institutional rather than ceremonial. After-action reviews are weak if they produce recommendations without changing decision rights, escalation thresholds, technical assurance, board oversight or incentives. Boin et al. treat learning as a core crisis-leadership task (Boin et al., 2016). That means the crisis is not finished when public attention moves on. It is finished only when the organisation has changed the conditions that made its earlier vulnerability possible.

Executive and board implications

Boards should stop asking only whether the organisation has a crisis plan. The stronger question is whether it has a crisis decision system that has been tested under pressure. This requires exercises that force judgement rather than merely confirm activation. A useful scenario should compel leaders to choose: stop or continue operations, disclose or wait, centralise or delegate, preserve evidence or restore service, accept financial loss or protect safety, defend publicly or acknowledge uncertainty.

The board should also require decision logs in exercises and real crises. A good log captures evidence, assumptions, dissent, alternatives, authority, action and review triggers. It creates accountability without requiring false certainty. It also helps prevent later reconstruction of events into a cleaner story than the decision-makers actually possessed at the time.

Escalation culture deserves special attention. Organisations that treat false alarms as embarrassment tend to push warnings downward or sideways until evidence is undeniable. Boards should therefore test whether staff can escalate credible but incomplete concerns, whether legal advice assists rather than dominates crisis judgement, and whether executive forums receive bad news in actionable form rather than as softened summaries.

The most resilient organisations build decision architecture before the crisis: clear thresholds, protected dissent routes, authority maps, local discretion within central visibility, cross-functional interpretation, decision logs, adaptation triggers and board-level learning mechanisms. These are planned artefacts, but they are artefacts of judgement rather than choreography.

Conclusion

Crisis management must move from procedural preparedness to decision readiness. The issue is not that organisations plan too much. It is that many plan too narrowly. They prepare people to activate a process without adequately preparing leaders to decide under uncertainty, distributed consequence and public scrutiny.

The Executive Decision Pipeline gives executives a disciplined way to examine whether crisis functions are connected: signal detection, validation, interpretation, escalation, decision, action and adaptation. The case evidence shows that the pipeline is not a clean sequence. It is a stress-tested governance discipline. Sometimes action begins before interpretation settles. Sometimes local adaptation must precede central understanding. Sometimes the first decision becomes the danger. The pipeline’s value is that it keeps those tensions visible.

For the wider management essay collection, the implication is direct. Business continuity, risk management, crisis management and compliance are not separate bureaucratic territories. They are decision disciplines. Continuity protects organisational function. Risk management anticipates exposure. Crisis management governs live disruption. Compliance anchors legality and legitimacy. In each field, the central executive question remains the same: does the organisation merely possess plans, or can it make accountable decisions before consequence arrives?

Sources and Notes

Benson, J.A. (1988) ‘Crisis revisited: An analysis of strategies used by Tylenol in the second tampering episode’, Central States Speech Journal, 39(1), pp. 49-66. doi: 10.1080/10510978809363234.

Boin, A., ’t Hart, P. and McConnell, A. (2009) ‘Crisis exploitation: political and policy impacts of framing contests’, Journal of European Public Policy, 16(1), pp. 81-106. doi: 10.1080/13501760802453221.

Boin, A., ’t Hart, P., McConnell, A. and Preston, T. (2010) ‘Leadership style, crisis response and blame management: The case of Hurricane Katrina’, Public Administration, 88(3), pp. 706-723. doi: 10.1111/j.1467-9299.2010.01836.x.

Boin, A., ’t Hart, P., Stern, E. and Sundelius, B. (2016) The Politics of Crisis Management: Public Leadership under Pressure. 2nd edn. Cambridge: Cambridge University Press.

Coombs, W.T. (2007) ‘Protecting organization reputations during a crisis: The development and application of situational crisis communication theory’, Corporate Reputation Review, 10(3), pp. 163-176. doi: 10.1057/palgrave.crr.1550049.

Endsley, M.R. (1995) ‘Toward a theory of situation awareness in dynamic systems’, Human Factors, 37(1), pp. 32-64. doi: 10.1518/001872095779049543.

Greyser, S.A. (1982) Johnson & Johnson: The Tylenol Tragedy. Harvard Business School Case 583-043. Boston, MA: Harvard Business School Publishing.

House Committee on Transportation and Infrastructure (2020) The Boeing 737 MAX Aircraft: Costs, Consequences, and Lessons from Its Design, Development, and Certification. Washington, DC: U.S. House of Representatives.

Institute of Medicine (2012) Crisis Standards of Care: A Systems Framework for Catastrophic Disaster Response. Washington, DC: National Academies Press. doi: 10.17226/13351.

International Organization for Standardization (ISO) (2018) ISO 31000:2018 Risk management - Guidelines. Geneva: ISO.

International Organization for Standardization (ISO) (2019) ISO 22301:2019 Security and resilience - Business continuity management systems - Requirements. Geneva: ISO.

International Organization for Standardization (ISO) (2022) ISO 22361:2022 Security and resilience - Crisis management - Guidelines. Geneva: ISO.

Janis, I.L. and Mann, L. (1977) Decision Making: A Psychological Analysis of Conflict, Choice, and Commitment. New York: Free Press.

Joint Authorities Technical Review (JATR) (2019) Boeing 737 MAX Flight Control System: Observations, Findings, and Recommendations. Washington, DC: Federal Aviation Administration.

National Audit Office (2017) Investigation: WannaCry Cyber Attack and the NHS. London: National Audit Office.

National Commission on the BP Deepwater Horizon Oil Spill and Offshore Drilling (2011) Deep Water: The Gulf Oil Disaster and the Future of Offshore Drilling. Washington, DC: Government Printing Office.

OECD (2015) The Changing Face of Strategic Crisis Management. Paris: OECD Publishing. doi: 10.1787/9789264249127-en.

Osinga, F.P.B. (2007) Science, Strategy and War: The Strategic Theory of John Boyd. London: Routledge. doi: 10.4324/9780203088869.

Perrow, C. (1999) Normal Accidents: Living with High-Risk Technologies. Updated edn. Princeton, NJ: Princeton University Press.

Reason, J. (1990) Human Error. Cambridge: Cambridge University Press.

Reason, J. (2000) ‘Human error: models and management’, BMJ, 320(7237), pp. 768-770. doi: 10.1136/bmj.320.7237.768.

Staw, B.M. (1976) ‘Knee-deep in the big muddy: A study of escalating commitment to a chosen course of action’, Organizational Behavior and Human Performance, 16(1), pp. 27-44. doi: 10.1016/0030-5073(76)90005-2.

Turner, B.A. and Pidgeon, N.F. (1997) Man-Made Disasters. 2nd edn. Oxford: Butterworth-Heinemann.

Vaughan, D. (1996) The Challenger Launch Decision: Risky Technology, Culture, and Deviance at NASA. Chicago: University of Chicago Press.

Weick, K.E. (1993) ‘The collapse of sensemaking in organizations: The Mann Gulch disaster’, Administrative Science Quarterly, 38(4), pp. 628-652. doi: 10.2307/2393339.

Weick, K.E. (1995) Sensemaking in Organizations. Thousand Oaks, CA: Sage.

Weick, K.E. and Sutcliffe, K.M. (2015) Managing the Unexpected: Sustained Performance in a Complex World. 3rd edn. Hoboken, NJ: Wiley.

Author workflow disclosure

This article was produced through an AI-assisted but human-directed workflow. AI support was used for accessibility assistance, structuring, language refinement, source-discovery prompts, revision planning and conversion of editorial comments into amendments. Dr Danie Adendorff retained responsibility for the argument, accepted or rejected changes, checked the logic of claims, assessed source credibility and remained accountable for the final text. AI-generated material was not treated as empirical evidence, and synthetic or illustrative examples were not presented as observed data.

contact@rumbls.com

Terms and Conditions

Privacy Policy

Cookie Policy

© 2026 Dr Danie Adendorff. All rights reserved.

Disclaimer