Crisis Management Consulting: What It Is, Who Provides It, and When You Need One

The call comes in late. Leadership is in a room asking who they should actually call. Counsel is on speakerphone. The communications lead is searching firm names. Somebody mentions the insurer’s broker. This is the moment most companies first encounter crisis management consulting as a category they need to understand quickly.

The discipline is broader than most people think and split across firm types most readers do not know how to distinguish. NFPA 1660, the current ANSI standard, treats emergency, continuity, and crisis management as one integrated lifecycle. Marketing pages from the largest firms treat it primarily as a communications and reputation problem. Both views are partly right. Neither is the whole picture.

This article explains what crisis management consulting actually covers, when mid-market companies need it, how to tell the four firm types apart, the protective dimension competitors routinely miss, what an engagement looks like, and what it costs.

What Crisis Management Consulting Actually Covers

Crisis management consulting is the work of building the decisions an organization will make under stress before stress arrives. The deliverables are documents, exercises, and a command structure. The result, when the discipline works, is that the first hour of an incident is spent executing rather than arguing.

The current authoritative reference is NFPA 1660 (2024), the ANSI standard that consolidates three earlier documents — NFPA 1600 on continuity and crisis management, NFPA 1616 on mass evacuation and re-entry, and NFPA 1620 on pre-incident planning — into a single framework covering preparedness, response, and recovery. ASIS International’s Enterprise Security Risk Management guideline places crisis management in the same lens as threat management, business continuity, and workplace violence prevention. The signal in both standards is the same: crisis management is not a standalone communications function. It is one node in a connected risk discipline.

The lifecycle has three operational phases.

Phase	What It Covers	Typical Deliverables
Preparedness	Risk and impact assessment, Crisis Management Team (CMT) charter, scenario playbooks, exercises	Assessment report, CMT charter, 3-5 playbooks, tabletop findings
Response	Active incident command, decisions under stress, stakeholder communication, workforce safety	Real-time decision support, situation reports, executive briefings, after-action raw notes
Recovery	After-action review, plan revision, organizational repair, litigation support	After-action document, revised plan, integration with HR and security, ongoing monitoring

FEMA draws a useful distinction the consulting industry tends to blur: emergency management focuses on life safety and physical response. Crisis management adds strategic decisions, stakeholder trust, and reputational impact. In practice the two overlap heavily, particularly in the kinds of incidents mid-market companies actually face — workplace violence, executive threats, facility events, cyber breaches with physical implications.

Most consulting engagements live in preparedness. Active-response and recovery are separate scope and pricing, which we cover later in this article.

Note: NFPA 1660 (2024) is the current ANSI standard. It replaces NFPA 1600, 1616, and 1620. Worth referencing if a board or insurer asks what framework your program is built on.

When Mid-Market Companies Actually Need a Crisis Management Consultant

Most mid-market companies do not have a Chief Security Officer or a dedicated crisis function. The decision to bring in outside help is usually made under pressure, after one of a few specific triggers. Recognizing the trigger early shortens the engagement and lowers the cost.

Eight conditions signal that internal resources have reached their limit.

1. Active or recent incident with no playbook. A workplace violence event, a cyber breach with physical implications, a credible threat, or a facility incident has occurred. The team is responding from instinct, not from a plan.

2. Credible threat to a senior executive. Doxxing, an explicit threat, or an escalating online campaign against a CEO, CFO, or other public-facing leader. The protective response runs in parallel with the communications response.

3. Insurer or regulator asking for documented program. The carrier wants evidence of a crisis management framework before renewal. The board’s risk committee wants a readiness assessment. Counsel wants something to point to.

4. Board-level risk committee request. A new directive: tabletop the top three scenarios, or produce a readiness review. Internal teams have not been asked to do this before and do not have the bench depth.

5. Acquisition or new facility. The crisis posture of the acquired entity is unknown. Inheriting someone else’s plan binder is not the same as having a working program.

6. Leadership change. A new CEO or COO wants to understand exposure. The questions being asked do not have ready answers.

7. Industry-wide event. A peer company has an incident. The board calls and asks whether the company is prepared for the same scenario. The honest answer is uncertain.

8. Litigation discovery. Counsel asks for a documented crisis management program in support of a defense. The absence of one becomes its own legal exposure.

The stakes are not abstract. A single workplace violence incident costs $250,000 to $1 million in workers’ compensation, medical, lost time, legal fees, and reduced productivity. The aggregate U.S. annual figure approaches $56 billion. Publicly traded companies experience an average 7.5% drop in stock value and approximately $5.4 billion average loss in market capitalization following a major cyber breach. Workplace violence lawsuits increase roughly 15% per year.

If three or more of the trigger conditions apply, the cost of waiting exceeds the cost of the engagement.

Warning: If your insurer or counsel has asked for a documented crisis program and you do not have one, you are already on a clock. Discovery in litigation will surface the gap.

Crisis Management Firms vs. PR Firms vs. Management Consultants — Know What You Are Buying

The phrase crisis management consulting covers four very different types of firm. Hiring the wrong one is the most common and most expensive mistake we see in the mid-market. Each type is competent at its core function and structurally weak outside of it.

Firm Type	Examples	Core Strength	Where They Are Thin
Management consulting	Deloitte, McKinsey, BCG, BDO, PwC	Strategic advisory, board credibility, cross-industry benchmarks, after-action analysis	Limited physical or protective response, slow to mobilize on-site, high day rates
Crisis communications / PR	FTI, Teneo, Edelman, ICM	Media handling, executive coaching, statement drafting, 24/7 stakeholder messaging	No physical or protective capability, no facility or workforce response
Specialty risk consultancies	Control Risks, Kroll, Bryghtpath	Kidnap-and-ransom response, evacuation, threat assessment, integration with insurance triggers	Enterprise-priced, often retainer-only, mid-market access can be limited
Protective crisis consulting	Our practice, and a small number of peer firms	Executive incident response, post-workplace-violence recovery, threat-to-facility scenarios, workforce protection	Narrow scope by design — pairs with PR, legal, and management; not a fit for pure reputational crises with no physical dimension

A real crisis program is documents, exercises, and a command structure — not a single binder.

A workplace violence incident triggers all four. The PR firm drafts the statement and coaches the executive who has to face the press. Counsel handles litigation exposure and regulatory notifications. The management consultancy runs the after-action review and integrates findings into governance reporting. The protective consultant does the part that often gets dropped — protecting the targeted employee, designing the workforce return-to-work, and adjusting the executive’s exposure if leadership received threats during the event.

Most mid-market companies do not need one firm pretending to do everything. They need a quarterback plus specialists. The structural mistake is hiring a generalist firm to lead and then discovering, mid-incident, that the firm has no capability in the dimension that actually matters.

A second structural point worth naming. PR firms are trained to control narrative. Protective consultants are trained to control risk. Both are valid disciplines. They are different jobs, and the instincts conflict at predictable moments — most often around what to disclose, when to disclose it, and how to balance the targeted employee’s safety against organizational transparency. Knowing the difference before the incident lets you assemble the right bench.

Tip: Ask any prospective firm what they will not do. A firm that lists every capability is selling a brochure, not a program.

This is the part of the work we focus on. Start a conversation about your crisis program.

The Protective Dimension of Crisis: The Part Most Consultants Miss

Most crisis management content treats the discipline as a communications and reputation problem. A meaningful share of real corporate crises have a physical dimension — a person at risk, a facility under threat, a workforce that needs protection — and that dimension is where consulting help is hardest to find. The competitors at the top of the search results for this keyword do not address it.

Three scenarios show up repeatedly.

Credible threat to a senior executive

Doxxing, an explicit threat, or an escalating online campaign. The first hours look like this: protective intelligence triage to assess credibility and escalation indicators; law enforcement notification, with local PD as the floor and FBI or Joint Terrorism Task Force engagement appropriate when firearms, interstate movement, or radicalization indicators are present; residential and travel adjustments for the executive; a family awareness brief so household members are not blindsided; and an internal communications protocol so the executive’s direct team can do their job without inadvertently confirming details to the wrong audience.

The digital-to-physical pipeline matters. Threat intelligence research consistently shows that doxxing, online harassment, and coordinated disinformation precede a high share of physical-threat escalations against executives. Crisis preparedness now includes digital threat monitoring as an early-warning input — at least monthly for any C-suite member with a meaningful public profile, daily for executives facing sustained targeting.

This is where crisis management consulting overlaps with executive protection consulting. The principal’s exposure is now the organization’s exposure.

Workplace violence aftermath

The targeted employee often needs more protection after the incident than before — the grievance dynamic that produced the event has not necessarily resolved. The workforce needs a return-to-work protocol that is more substantive than an email. Any executive named in the event’s grievance pathway needs threat assessment.

The aftermath statistics are unforgiving. Stabbing and shooting victims average five to six weeks out of work. Turnover rates rise roughly 15% in workplaces with frequent violence. Workplace violence lawsuits increase roughly 15% annually. The 30-90 days after an incident is when most of the organizational damage actually accumulates, and it is the period in which most plans go quiet.

This work overlaps directly with workplace violence prevention. The prevention program is what reduces incidents. The crisis program is what determines how much damage one does.

Active threat or evacuation event at a facility

Bomb threat, hostage scenario, severe weather, civil unrest. The crisis consulting role at the moment of the event is command-structure activation, workforce safety messaging that is accurate without being alarming, and decision support for facility re-entry. After the event: an after-action review with security findings folded back into the physical security program and the broader crisis plan.

The PR firm cannot protect a person. The management consultant cannot evacuate a facility. The protective dimension is its own scope, and it shows up in roughly every other meaningful corporate crisis.

Note: Doxxing is not a communications problem. By the time an executive’s home address is circulating online, the response is protective, not reputational.

What an Engagement Looks Like — Scope, Deliverables, Timeline, and Cost

Pricing transparency is unusual in this industry. It does not need to be. Three engagement archetypes cover roughly 90% of mid-market work.

Preparedness build

The most common engagement and the lowest-stakes way to bring in outside help. Scope: risk and impact assessment, CMT charter, scenario playbooks for the top three to five threats specific to the company, a tabletop exercise, and finalized program documentation aligned to NFPA 1660.

• Timeline: 6 to 12 weeks
• Cost: $25,000 to $75,000 as a fixed-scope project, or $5,000 to $15,000 per month as a retainer
• Deliverables: Assessment report, CMT charter, 3-5 scenario-specific playbooks, tabletop exercise findings document, executive briefing

Active-response retainer

The “two a.m. number.” A defined response window during an active incident, often paired with the company’s PR firm and legal counsel as a coordinated bench.

• Structure: Five-figure non-refundable engagement fee plus elevated hourly billing during incident
• Hourly: $300 to $600+ per hour for senior consulting time
• Activation: Defined response within hours of activation; on-site presence within 24 to 48 hours when needed

Post-incident recovery

The after-action and rebuild work that follows a real event. Scope: structured after-action review, plan revision, workforce protection design, and integration with HR, security, and legal.

• Timeline: 4 to 8 weeks
• Cost: $20,000 to $50,000

Tabletop exercise frequency

Leading organizations run tabletop exercises at least twice yearly, with full-scale scenarios annually. The debrief is where the value lives. Many organizations skip it, which makes the exercise a one-off rather than a learning system. Tabletops consistently expose confusion around who can authorize action during a real incident — which is itself the highest-value finding most exercises produce.

Crisis Management Team composition

The CMT is role-based, not name-based. That is what makes the team durable through executive turnover.

Role	What They Own
Incident Commander	Most senior available executive. Decision authority during the incident.
Operations / Impact Lead	Assesses operational consequences, manages business continuity decisions
HR Lead	Workforce safety, communication, return-to-work design
Legal / Compliance Lead	Reporting obligations, regulatory notifications, litigation exposure
Communications Lead	Internal and external messaging, executive coaching, media coordination
Security / Safety Lead	Physical posture, facility decisions, protective response coordination
Finance Lead	Cost tracking, insurance triggers, claims preparation
External counsel	Outside law firm, crisis consultant, PR firm — attached during active incidents

The CMT is a role-based structure, not a room. The room helps.

Tip: Scope the preparedness build before discussing the active-response retainer. Companies that try to buy active-response coverage without a plan in place pay more for less.

Building or fixing a crisis program — or working through one right now? Let’s talk about where you are.

Frequently Asked Questions

What is the difference between crisis management consulting and crisis communications?

Crisis communications is a subset focused on stakeholder messaging, media handling, and reputation. Crisis management is the broader discipline — operational decisions, command structure, workforce safety, and recovery. Consulting at the management level often coordinates the communications function rather than performing it directly.

When should a company retain a crisis management consultant?

Before something happens, for plan-building, tabletop exercises, and CMT design. After an incident, for active response and after-action review. Preparedness work is the cheapest and most useful. Active-crisis retainers are billed at a premium because the firm is mobilizing under deadline.

How much does crisis management consulting cost?

Hourly rates run $300 to $600+ for senior consultants. Retainers range from $2,000 to $25,000+ per month depending on firm size and scope. Active-crisis engagements typically include a five-figure non-refundable engagement fee plus elevated hourly billing. A mid-market preparedness build is generally $25,000 to $75,000.

What is NFPA 1660?

NFPA 1660 is the 2024 ANSI standard for Emergency, Continuity, and Crisis Management. It consolidates the prior NFPA 1600, 1616, and 1620 standards into a single framework covering preparedness, response, and recovery. It is the current authoritative reference for U.S. corporate crisis programs.

Who should be on a crisis management team?

An incident commander (the most senior available executive), plus leads from operations, HR, legal, communications, security, and finance. External counsel and a crisis consultant attach to the team during active incidents. Roles are role-based, not name-based, which makes the team durable through turnover.

How is crisis management different from emergency management or business continuity?

Emergency management focuses on life safety and immediate physical response. Business continuity focuses on keeping critical processes running. Crisis management adds strategic decisions, stakeholder trust, and reputational impact. NFPA 1660 (2024) treats all three as one lifecycle, which is how they actually function in a real incident.