This section captures basic identifiers so the plan can be tied to the right entity and reviewed periodically.
Registered legal name of the organisation
Primary industry / sector
Approximate number of full-time equivalent (FTE) employees worldwide
Head-office city / region
Understanding what you fear most guides every later decision—from budget to recovery sequence.
Which broad threat categories are most relevant to your operations? (select all that apply)
Natural hazards (earthquake, flood, storm)
Health emergencies (pandemic, epidemic)
Technology/cyber events
Supply-chain disruption
Regulatory or political change
Utilities outage (power, water, telecom)
Reputation incident
Terrorism/sabotage
Other
What is the organisation’s official maximum tolerable period of disruption (MTPD) for critical activities?
Less than 1 hour
1 – 4 hours
4 – 24 hours
1 – 3 days
3 – 7 days
More than 7 days
Not yet defined
Has the board or governing body formally approved a risk appetite statement that includes crisis scenarios?
Do you maintain a documented crisis management policy endorsed by top management?
Title / role of the single person who acts as Crisis Management Lead (or equivalent)
Title / role of the alternate if the primary lead is unavailable
Which internal committees or functions have a standing seat in the Crisis Management Team? (select all that apply)
Executive/C-suite
Security
IT/Cyber
Communications
Human Resources
Legal & Compliance
Operations
Finance
Health & Safety
Other
Is there a formal escalation path that front-line staff can trigger without supervisor approval?
Is your Business Continuity Plan (BCP) integrated with the Crisis Management Plan rather than stored as a separate document?
How often is the core BCP reviewed at minimum?
Quarterly
Semi-annually
Annually
Every 2–3 years
Ad-hoc/no set frequency
Are department-level contingency plans (work-area recovery plans) linked to central plan version control?
Do you maintain pre-drafted communication templates (holding statements, social posts, customer emails) for different stakeholder groups?
Check the media in which your crisis plans are stored.
Have you translated key procedures into additional languages spoken by front-line staff?
Under stress, people only perform what they have rehearsed. Honest answers here will expose your true readiness gaps.
How many organisation-wide crisis simulation exercises have you run in the past 12 months?
0
1
2
3
4 or more
Do you run different exercise types (discussion-based, tabletop, functional, full-scale) to align with your current organisational maturity?
Are exercise findings formally logged with owners, deadlines and evidence of closure?
Rate the average staff confidence level in knowing what to do during a major incident (1 = very low, 5 = very high)
Is crisis management included in the onboarding programme for new executives?
Is your Recovery Time Objective (RTO) for critical IT services formally agreed and documented?
What best describes your current data-backup approach?
Daily on-site backups only
Daily on-site plus weekly off-site
Near-real-time replication to secondary data centre
Cloud-native immutable backups with versioning
Hybrid strategy depending on data class
No formalised approach
Have you tested restore from backup within the last 6 months?
Do you maintain an up-to-date asset inventory that includes inter-dependencies between applications?
Which cyber-incident response teams or retainers do you have? (select all that apply)
Internal CERT/CSIRT
External incident-response retainer
Threat-intelligence subscription
None
Other
Can more than 40% of knowledge-worker roles work remotely with no loss of productivity?
How would you describe cross-training depth for mission-critical roles?
No formal cross-training
Informal buddy system
Documented succession chart with 1-deep backup
2-deep backup for ≥ 80% of critical roles
Full redundancy with skills matrix verified quarterly
Do you provide psychosocial support (EAP, counselling hotlines) for staff after traumatic events?
Is absence management tracked in real time to ensure labour-shortage triggers are immediately visible to leadership?
Have you pre-identified essential vs non-essential workers for partial shutdown scenarios?
Third-party failure is a leading cause of prolonged outages. Probe depth here.
Do you maintain a critical-supplier register that is risk-scored and reviewed at least annually?
What tier of supply-chain mapping have you achieved?
Tier 0 (direct suppliers only)
Tier 1 (direct suppliers’ sites)
Tier 2 (sub-suppliers)
Tier 3 or deeper
No mapping performed
Are contractual Business Continuity requirements (RTO, evidence of testing) enforced with key suppliers?
Do you hold safety stock, dual-source, or use near-shore suppliers for any critical components?
Have any critical suppliers been replaced or renegotiated because of BC risk in the past 24 months?
Do you have an alternate site or flexible workspace arrangement that can be activated within your required RTO?
Are fire-suppression, UPS, and HVAC systems inspected by third parties at legally required intervals?
Is there a pandemic/infectious-disease response plan that addresses social-distancing, PPE and hygiene?
Have you conducted a post-incident debrief or after-action review for any real event in the past 2 years?
Do you carry business-interruption (BI) insurance that covers loss of gross profit due to disruption?
Is your declared sum insured or BI indemnity period adjusted annually based on growth or inflation?
Have you stress-tested cash-flow forecasts under prolonged (3-month+) revenue-loss scenarios?
How quickly can you access contingency credit or emergency funds?
Same day
Within 3 days
Within 1 week
Within 1 month
No formal contingency line
Are insurance policy numbers and broker contacts embedded in the crisis-management contact tree?
Which best describes your certification status for Business Continuity?
ISO 22301 certified (independent accredited body)
ISO 22301 compliant but not certified
Certified to national standard only
Self-declared adherence
No formal alignment
Do you track leading indicators (e.g. number of unpatched systems, supplier risk score) as well as lagging indicators (MTTR, downtime minutes)?
Is your BCM programme subjected to independent internal audit at least every 2 years?
Do you benchmark your programme against peers or industry averages?
Have you integrated climate-related physical-risk scenarios into continuity planning?
A crisis plan is never finished; it only reflects the last best guess. Commit to iteration.
List the top three actions you will prioritise in the next 90 days to strengthen resilience:
Target date for next organisation-wide exercise
Form completed by (Signature)
Analysis for Crisis Management & Business Continuity Form
Important Note: This analysis provides strategic insights to help you get the most from your form's submission data for powerful follow-up actions and better outcomes. Please remove this content before publishing the form to the public.
This concise crisis-management & business-continuity template brilliantly balances breadth with brevity. It walks the user through the entire resilience life-cycle—risk identification, governance, plans, technology, people, suppliers, facilities, finance and continuous improvement—without overwhelming length. The logical flow lets even small or mid-size organisations obtain a 360° maturity snapshot in a single sitting, while still signalling to larger enterprises where deeper documentation is expected.
The form’s strength lies in its conditional logic: every “Yes/No” gate branches into a short follow-up that collects just-enough detail to turn a tick-box into actionable intelligence. Placeholder examples, numeric-only fields and pre-defined choice lists reduce ambiguity, while the final “next-90-day” commitment converts assessment into an improvement roadmap. Overall, it is an exemplary short-form design that meets the stated goal of rapid yet meaningful data capture.
Registered legal name of the organisation
This single identifier anchors every downstream record—plans, insurance, audits—so it rightfully sits as the only mandatory field. Capturing it up-front prevents anonymous or duplicate submissions and enables cross-referencing with external registries for validation.
The field’s open-ended format accommodates any jurisdiction’s naming conventions, while the single-line constraint keeps entries concise for later sorting or mail-merge operations. From a privacy standpoint, a legal name is already public record, so no new sensitive data is introduced.
Because the remainder of the section is optional, smaller entities can still complete the assessment quickly, while larger organisations can voluntarily append industry, size and location context to enrich benchmarking.
Which broad threat categories are most relevant…
Offering nine pre-categorised threats plus an “Other” checkbox accelerates selection and normalises responses for analytics. The plural wording “select all that apply” signals that multi-hazard environments are expected, reducing under-reporting.
This question directly feeds prioritisation matrices and budget allocations, so the inclusive list is both comprehensive and mutually exclusive enough to avoid confusion. The absence of a compulsory setting respects that some startups may still be mapping their risk universe, thereby lowering abandonment.
Title/role of the single person who acts as Crisis Management Lead
By asking for a position title rather than a personal name the form future-proofs the plan against staff turnover and avoids privacy identifiers. The free-text box accommodates non-traditional structures (e.g., “VP Resilience & Security”) while still producing structured data if titles are later harmonised.
Collecting an alternate role immediately after enforces the “two-deep” leadership principle central to continuity doctrine. Together, these two lightweight fields give a clear accountability map without lengthy org-chart uploads.
Is your Recovery Time Objective (RTO) for critical IT services formally agreed…
This Yes/No gate is pivotal: if the respondent answers “No”, every subsequent technology investment or insurer discussion lacks a time-based target. The follow-up field to capture the shortest RTO quantifies the current ambition and exposes gaps versus the previously stated MTPD.
By expressing the follow-up in free-text hours/minutes the form remains technology-agnostic, whether the critical system is a cloud SaaS or an on-prem SCADA controller. This flexibility improves data quality across industries.
Can more than 40% of knowledge-worker roles work remotely…
The 40% threshold is a statistically meaningful cut-off used by many insurers and regulators to indicate mass-remote viability. Framing it as a Yes/No keeps the form short, while the conditional barrier question invites narrative detail only when the answer is negative, thus reducing respondent burden.
This design surfaces cultural, regulatory or technical obstacles that a simple percentage field might miss, and it signals to reviewers where quick wins (VPN licences, laptop pools) could improve resilience within weeks.
Do you maintain a critical-supplier register that is risk-scored…
Third-party failure is a leading cause of prolonged outages, so this Yes/No acts as a maturity litmus test. The follow-up cascade (mapping depth, contractual BC clauses, evidence of testing) progressively probes depth without asking for lengthy appendices.
The numeric percentage field for suppliers providing evidence introduces quantified self-attestation, enabling benchmarking and year-over-year improvement tracking. Keeping it optional respects that some firms are still building procurement governance, thus encouraging participation rather than deterring it.
Mandatory Question Analysis for Crisis Management & Business Continuity Form
Registered legal name of the organisation
Justification: This is the sole anchor field that links the completed assessment to a verifiable legal entity, enabling audit trails, insurance validation and regulatory reporting. Without it, duplicate or spoof submissions cannot be filtered out, undermining data integrity and follow-up actions.
Keeping only one mandatory field is a savvy design choice for a short-form template: it removes friction for small businesses or NGOs that may still be maturing their BCM programmes, thereby maximising response rates. At the same time, the form’s conditional follow-ups ensure that when a respondent claims capability (e.g., “Yes, we test backups”), extra detail is captured, so data richness scales with organisational maturity rather than with mandatory burden.
Going forward, consider making two additional fields conditionally mandatory: (1) the MTPD single-choice question if any critical process is selected in the threat checklist, and (2) the top-three future-action list in the Continuous-Improvement section. Both drive users to translate the assessment into concrete next steps, greatly increasing the form’s practical value without harming completion rates for first-time users.