© 2020 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with
KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
Crisis Management Program
What is Crisis Management?
In an increasingly volatile business environment, organizations not only have to prepare for crises, but
expect them. An organization’s ability to not only detect incidents and crises as they occur, but effectively
respond to and recover from them is increasingly under scrutiny.
An organization’s crisis management framework (CMF) is the foundation that enables escalation,
communication and co-ordination during a crisis. It also provides the structure through which to train
and exercise stakeholders with crisis management responsibilities. Exercises leverage tailored risk-based
scenarios designed to simulate the pressures on and expectations of individuals and the organization
during a crisis.
Without a thoroughly tested, coordinated response to a cyber crisis, no organization can be confident in its
future projections, given that operating as a business is increasingly fraught with cyber peril.
Benefits of a Crisis Management Program
Validate the effectiveness of response strategies in a safe, simulated environment
Build capability amongst the individuals expected to respond to a crisis
Empower key stakeholders to know when to act and how to act during a crisis
Build comfort around how to respond to a number of different crises
Identify gaps in business processes before it is too late
Improved visibility of risks and mitigating actions taking place
With a wide variety of available exercises, KPMG is perfectly placed not only to prepare an organization
for the worst, but also to give shareholders and employees confidence that preparation is sufficient
to mitigate the most serious regulatory penalties.
Outcomes from a Crisis Management Program can be used as a guide to future strategy development
to help an organization protect itself against cyber risks, defend against and limit the severity of
attacks, and ensure its continued survival despite a disruption to critical business processes.
Developing a Crisis Management Program
A Crisis Management Program allows an organization to:
Develop a series of independent cyber security simulations to test its cyber incident response, business and board crisis management procedures when faced with a cyber-focused attack;
Test the response and recovery capabilities across multiple business lines and geographies by conducting several exercises over a number of predefined months;
Develop an exercising capability that includes a governance structure and related processes to periodically test its cyber incident response;
Design fit-for-purpose reporting mechanisms for the business and the board.
Why do you need it?
Crisis Management Exercise Maturity
The appropriate exercise format is dependent on your maturity as shown below.
[Figure: exercise formats by maturity: Standardized Table-top Exercises, Tailored Table-top Exercise, Time-Sliced Exercise Simulation]