In a crisis, the worst enemy is rarely the event itself: it's the inability to decide fast and right. You may have a comprehensive Crisis Management Plan (CMP), but if the decision matrix is unclear at the moment of truth, the plan is useless. The RAPID framework (popularized by Bain & Company) addresses this by assigning 5 distinct roles to each decision, instead of a vague ambiguous RACI. This article shows how to apply it in your crisis management plan.
The RAPID framework in 5 letters
Each decision identifies 5 actors (which can be individuals or groups):
| Letter | Role | Question |
|---|---|---|
| R — Recommend | Recommends | Who prepares the recommendation? |
| A — Agree | Agrees | Who must give explicit approval (veto)? |
| P — Perform | Performs | Who implements the decision? |
| I — Input | Inputs | Who provides factual elements? |
| D — Decide | Decides | Who breaks the tie if there's disagreement? |
Key difference vs RACI (Responsible, Accountable, Consulted, Informed): RAPID separates the recommendation from the decision, forcing the decision chain to make explicit who prepares and who decides. In a crisis, this is crucial.
Applying RAPID in a crisis management plan
A CMP aligned with ISO 22361 typically features 8 structuring decisions in crisis mode. Here is a sample RAPID matrix for an industrial SME of 200 staff:
| Decision | R | A | P | I | D |
|---|---|---|---|---|---|
| Activate the crisis cell | BCM Manager | CEO | CIO/CFO/CHRO | Security | CEO |
| Communicate externally | Comms | CEO, GC | Comms + Marketing | All | CEO |
| Notify regulator/CSIRT | CIO/CISO | GC | CISO | Security, BCM | CISO |
| Halt production | Site Mgr | Industrial Director | Site Mgr | Quality, Safety | CEO |
| Activate supplier plan B | Procurement | CFO, CEO | Procurement | CIO, Logistics | CFO |
| Recalibrate RTO/RPO | CIO | BCM Manager | CIO, Cloud | BIA owners | CISO |
| Invoke force majeure to customers | Comms | GC | Comms + Sales | GC, BCM | CEO |
| Close the crisis | BCM Manager | CEO | BCM | All | CEO |
This matrix must live inside your crisis management plan, not in an orphan document. Validate it cold (Executive Committee), review it after each tabletop exercise.
Common mistakes
Mistake 1 — Confusing A (Agree) and D (Decide)
A = veto power. D = power to decide as the final arbiter. If A and D are the same person, you lose the dual-view check. If multiple people have D, you'll deadlock on disagreement.
Mistake 2 — Too many A's
The more A's (Agree) on a decision, the slower it gets. Cap at 1 or 2 maximum. In a crisis, A often shrinks to zero for short-term operational decisions.
Mistake 3 — No explicit R
Without R, the decision arrives "naked" before D. D has no concrete proposal to validate/reject. Debate stalls. R = the person who pre-chews the work.
Mistake 4 — Vague I (Input)
I must list specific people or systems, with response deadlines. "Ask the IT team" is not an I. "On-call IT responds in 15 min on backup status" is a proper I.
Integrating RAPID into the BCMS
A crisis management plan without a RAPID matrix = wishful thinking. To integrate it into your BCMS:
- Map the 8–15 structuring decisions in your CMP.
- Document one RAPID line per decision.
- Test in tabletop exercises: time each decision and verify it was made by the right D.
- Revise after every real crisis in the AAR.
- Store the matrix in a shared 24/7 repository, not in a Word file on a local share.
ResiPlan ships this template in the Crisis Management Plan module (/features/crisis-gaming). The RAPID matrix is versioned, signed by the CEO, and accessible from the crisis cell dashboard.
RAPID vs RACI vs DACI: which to choose?
| Framework | Strength | Weakness | When to use |
|---|---|---|---|
| RACI | Widely known | Conflates C (Consulted) and A (Accountable) | Long projects, low decision stakes |
| DACI | Distinguishes Driver and Approver | Lacks explicit "perform" | Product projects |
| RAPID | Separates R and D, forces decision mechanics | More complex to internalize | Crisis, high governance, M&A |
For a crisis management plan under ISO 22361 or aligned with NIS2, RAPID is our recommendation.
Tabletop exercise example
Scenario: ransomware attack detected at 03:22.
- T+0 (on-call team): I = SOC, BCM, DPO. R = CISO. A = ø. P = IT teams. D = CISO.
- T+15 min (crisis-level escalation): R = CISO + BCM Manager. A = CEO. P = CEO (cell activation decision). I = CIO, GC. D = CEO.
- T+45 min (CSIRT notification): R = CISO. A = GC. P = CISO. I = BCM, Comms. D = CISO (with GC guardrail).
- T+2 h (external communication): R = Comms. A = CEO, GC. P = Comms + Marketing. I = Sales (impacted customers). D = CEO.
This explicit mapping cuts mean decision time by 30–60% in observed exercises. See 10 crisis exercise scenarios.