Assessing Organization Vulnerability

As with most every aspect of running a healthcare organization, preplanning, documentation and training of staff and related parties will significantly mitigate the challenges of any crisis a healthcare organization may face.


Conducting a comprehensive vulnerability assessment before developing a crisis preparedness plan allows the healthcare organization to identify probable and predictable crises and, in some cases, avoid them.(1,2)

Knowing how to plan for and navigate through a crisis is a large part of the solution. Focusing on the realities of a crisis and the healthcare entity’s vulnerabilities are therefore an essential part of the preplanning and overall management process.

Assessing Vulnerabilities

Healthcare organizations can use the following steps to assess their vulnerability to an organizational crisis and develop a crisis communication plan(3):

  1. Designate a crisis team.

  2. Create a vulnerability assessment tool.

  3. Analyze results and develop scenarios.

  4. Develop a comprehensive crisis communications plan.

Designate a Crisis Team

A well-organized crisis management team will help limit the severity of the crisis and its effects on the organization. The team should include individuals who have both experience and maturity within the organization and within their profession, if possible. They should be able to maintain a calm demeanor in crisis situations.

A clear chain of command and well-defined roles within the team are essential, beginning with the CEO, who should be at the head of the crisis team. Other members should include a communications coordinator, spokesperson, and perhaps a safety and security coordinator. A legal representative also may need to be a part of the group. The size of the organization will dictate the size of the crisis team and its overall make-up.

Create a Vulnerability Assessment Tool

The organization’s ability to evaluate the level of severity of a crisis — in other words, its ability to “anticipate, cope with, resist and recover from the impact of a hazardous event”(4) — is critical to crisis prevention and management. Thus, healthcare organizations should develop an assessment tool that measures their vulnerability before a crisis happens, such as questionnaires, surveys, interviews, and location inspections. Assessing vulnerability falls under the purview of the crisis management team. The assessment may uncover such vulnerabilities as possible data breaches, inadequate backup systems, or even reputational damage.

Analyze Results and Develop Scenarios

Accountability is an essential aspect of any assessment and preparedness process. The organization must analyze the results of the vulnerability assessment, identify those areas most in need of attention, and develop response plans around scenarios in those critical areas. It is essential to continually analyze the vulnerabilities based on the results of subsequent surveys, interviews, and other input, and thus be better prepared for a crisis.

Develop a Comprehensive Crisis Communications Plan

Being able to communicate internally and externally with all stakeholders during a crisis is critical. Without strong and defined communications plans, some people will be uninformed about how the organization is addressing the crisis and may assume the worst.

A comprehensive communications plan addresses the scenarios identified in the vulnerability assessment by providing messaging for each situation, including messages tailored for each audience — internal employees, external stakeholders, the news media, and social media audiences.

Developing a Preparedness Plan

Healthcare organizations typically have three types of emergencies to consider: medical, environmental, and violence-related. Having a preparedness plan for each is imperative, as is a response plan that includes action plans, emergency protocols, staff training, and equipment and supply back-up.

Medical Emergencies

When creating an emergency plan and responding to medical events, healthcare organizations should focus on such areas as transporting staff and patients to medical offices, transporting patients to the emergency department, and training staff and providers in the emergency response plan so they are ready to swing into action when necessary. While periodic training and retraining may seem like a somewhat extraneous exercise, it’s necessary to ensure an efficient and effective response.

Environmental Emergencies

Environmental emergencies can range from hurricanes to chemical spills. Some emergencies can be forecast, such as hurricanes; others offer no advanced notice, such as industrial accidents. Contingency plans should be a part of the overall preplanning process. Knowing what options and alternatives exist due to power outages and lack of other resources are essential to have in place.

Violence-Related Emergencies

These types of crises are unpredictable at best. They may emanate from a disgruntled or disruptive employee or an employee who has personal issues that spill over into the work environment. A disgruntled patient could also be a source of such a crisis.

The unpredictability of these emergencies makes them difficult to plan for, but organizations can be vigilant to some warning signs. For example, a disgruntled employee usually is vocal about his or her unhappiness; employees should be encouraged to confidentially inform the leadership of the organization if they believe the employee may be dangerous to themselves or others. Encouraging open dialogue and educating employees about the code of conduct and disciplinary actions that reinforce the organization’s commitment to a safe workplace are suitable ways to start addressing these issues.

With certain open-door policies, employees can disclose personal difficulties in confidence. Modifications to that employee’s working conditions could be a way to proactively avert a greater crisis for the whole organization.

Disgruntled patients or their family members may be difficult to identify; therefore, the organization’s entire staff should be aware and have their guard up for warning signs. Unfortunately, sometimes these situations can turn violent, and the employer should be ready to contact law enforcement, isolate the aggressor, and evacuate the premises as quickly as possible.

Usually, however, disgruntled patients and/or their family members can be spoken with in private and given added time to vent (even with the physician). Still, pre-planning for such crises is in order.

It is the responsibility of the owner of the healthcare organization to put emergency response plans in place and include them in the policies and procedures manual of the organization. Leadership is also responsible for training and keeping employees informed of potential crisis situations and how to react to them.


As with most every aspect of running a healthcare organization, preplanning, documentation and training of staff and related parties will significantly mitigate the challenges of any crisis a healthcare organization may face.

A master checklist is available at The toolkit and forms are at Forms are available for reprint.


  1. Haniya R. How to Survive a Prolonged Power Outage. Consumer Reports. February 16, 2021. Accessed April 16, 2021.

  2. Homeland Security and Emergency Management. Personal and Family Preparedness. Minnesota Department of Public Safety. Accessed April 16, 2021.

  3. Deuber KM. Assessing Your Vulnerability: Predict and Prepare for Your Healthcare Organization’s Next Crisis. Becker’s Hospital Review. February 12, 2018. Accessed April 16, 2021.

  4. Du Y, Ding, Y, Li Z, et al. The Role of Hazard Vulnerability Assessments in Disaster Preparedness and Prevention in China. Military Med Res. 2015;2(27). Accessed April 16, 2021.




Join AAPL today






How Abortion Bans Will Stifle Health Care Innovation
The Mission of the American Medical Student Association (AMSA) with Dr. Michael Walls