Why does IHS not publish fixed pricing for post-incident recovery?

The C3 engagement is bespoke by design. Five variables determine actual scope: event type (sentinel patient-safety event, cybersecurity incident, or workplace-violence episode), organization size and geographic footprint, second-victim cohort size and existing support-structure adequacy, just-culture infrastructure gap, and the degree to which regulatory response intersects with recovery (OCR breach notification, Joint Commission sentinel event follow-up, CMS Conditions of Participation). A published rate card would be inaccurate for most buyers. Contact IHS for a scoped proposal.

How does C3 cost compare to Mandiant or CrowdStrike incident response?

Mandiant and CrowdStrike technical incident-response retainers typically run $1,500-$3,000 per day or $50,000-$250,000+ per engagement for the forensic and technical recovery layer. The Change Healthcare 2024 ransomware response involved a $22 million ransom payment and months of operational disruption (ITIF, March 2026). C3 does not compete with or replace technical incident response — it addresses the organizational nervous-system layer that technical response does not see: second-victim cohort support, leadership-team autonomic regulation, cross-functional trust rupture repair, and meaning-and-purpose recovery. These two tracks should run in coordination, not competition.

What is the cost of NOT engaging in post-incident organizational recovery?

The FBI IC3 recorded 460 healthcare ransomware attacks in 2023 — more than any other critical infrastructure sector. The Change Healthcare breach exposed 193 million individuals' records (ITIF, March 2026). Healthcare worker exposure to workplace violence runs at 61.9% any-form and 24.4% physical in the past year (NCBI). Sentinel event organizational costs include second-victim attrition, governance dysfunction, and reduced post-incident learning capacity — each carrying measurable cost. Leadership replacement runs 1.5-2x annual salary for executive positions. Organizations that address only the technical and legal layers and leave the human layer to self-correct pay those costs on a 6-18 month delay.

What factors drive the cost of post-incident organizational recovery?

Five primary factors determine engagement scope and cost: (1) Event type — cybersecurity incidents require CISO and IT second-victim work that sentinel-event engagements do not; workplace-violence episodes require safety-infrastructure assessment alongside human-layer recovery. (2) Organization size — larger organizations have larger second-victim cohorts, more complex cross-functional trust ruptures, and more governance layers requiring attention. (3) Second-victim cohort size — the number of staff directly affected determines the scope of the support architecture. (4) Just-culture infrastructure gap — organizations without existing just-culture infrastructure require either a full B3 Just-Culture Infrastructure Build or foundational just-culture work within the C3 scope. (5) Regulatory-response intersection — OCR breach notification, CMS CoP quality assurance requirements, and Joint Commission sentinel event follow-up create a compliance layer that must be coordinated with recovery work.

Can the engagement be structured for budget phasing?

Yes. Phase 1 (stabilization) can be scoped and contracted independently, with Phases 2 and 3 priced after Phase 1 findings establish the actual depth of recovery work required. Contact IHS to discuss phased engagement structures.

How Much Does Post-Incident Organizational Recovery Cost?

Q: How much does post-incident organizational recovery cost?

IHS does not publish fixed pricing for the C3 Integral Post-Incident Organizational Recovery engagement because scope is bespoke to the event type, organization size, second-victim cohort size, and existing just-culture infrastructure. The engagement runs 6-18 months across three phases: stabilization (months 0-3), recovery (months 3-12), and institutionalization (months 12-18). For comparison, Mandiant and CrowdStrike incident-response retainers run $1,500-$3,000 per day for the technical layer alone; CISD-vendor critical-incident stress debriefing typically costs $2,000-$8,000 per session for individual-level acute response. C3 addresses the organizational human layer those services do not reach. Contact IHS for a scoped proposal.

Last updated: May 2026

Post-incident organizational recovery engagements are bespoke — IHS does not publish fixed pricing because scope is determined by five variables: event type, organization size, second-victim cohort size, just-culture infrastructure gap, and regulatory-response intersection. For comparison context: Mandiant and CrowdStrike technical incident-response retainers run $1,500-$3,000 per day for the forensic layer; CISD-vendor critical-incident stress debriefing runs $2,000-$8,000 per session for acute individual-level response. The C3 Integral Post-Incident Organizational Recovery engagement addresses the organizational human layer neither track reaches — the 6-18 month arc of leadership-team stabilization, second-victim support, cross-functional trust repair, and institutional learning capacity that determines whether recovery is real. Contact IHS for a scoped proposal based on your organization's specific situation. Delivered by Thomas G. Goddard, JD, PhD, CCEP.

Why IHS Does Not Publish Fixed Pricing

No elite firm operating in bespoke organizational recovery publishes a rate card — because the same structure that works for a 200-person specialty pharmacy after a ransomware attack does not work for a 4,000-person hospital system after a sentinel patient-safety event. The variables that determine scope are structural, not stylistic.

Five factors determine what this engagement costs:

Event type. Cybersecurity incidents require CISO and IT second-victim work most organizational support structures do not reach. Sentinel patient-safety events require clinical moral-injury attention and clinical-administrative trust-rupture repair. Workplace-violence episodes require safety-infrastructure assessment alongside human-layer recovery. Each event type has a different second-victim profile and regulatory intersection.
Organization size and complexity. A 300-person behavioral health organization and a 15,000-member health plan are categorically different engagements in second-victim cohort size, trust-rupture complexity, and governance layers requiring attention.
Second-victim cohort size and existing support-structure reach. An organization with an active peer-support program, functioning Schwartz Center Rounds, and a utilized EAP needs structural additions. An organization with none requires architecture and activation. The scope delta is substantial.
Just-culture infrastructure gap. Where just-culture infrastructure is absent, post-incident learning is structurally blocked — the engagement incorporates foundational just-culture work or scopes a parallel B3 Just-Culture Infrastructure Build.
Regulatory-response intersection. OCR breach notification, CMS Conditions of Participation, Joint Commission sentinel event follow-up, and state health department responses run simultaneously with recovery need. The principal's JD background allows recovery work to be structured in coordination with legal strategy — a structural advantage, not a stylistic one.

How C3 Cost Compares to Acute-Phase and Technical Recovery Vendors

C3 occupies a distinct position in the post-incident response landscape — not because it is cheaper or more expensive than other services, but because it addresses a layer those services structurally cannot reach. Understanding the comparison requires understanding what each track actually does.

Technical Incident Response — Mandiant, CrowdStrike, and Equivalents

Technical incident-response retainers from Mandiant, CrowdStrike, and equivalent firms address forensic investigation, containment, eradication, and technical remediation. Published day rates run $1,500-$3,000 per day for senior consultants; full engagement costs range from $50,000 to $250,000+ depending on scope, duration, and breach complexity. The Change Healthcare 2024 ransomware attack involved a reported $22 million ransom payment and months of operational disruption affecting 15 billion annual transactions (ITIF, March 2026). These firms are essential for the technical layer. They do not measure the autonomic state of the CISO team that lived through the attack, do not identify the second-victim cohort, and do not assess the trust rupture between IT and clinical and compliance leadership. That is not a design failure — it is outside their scope.

CISD Vendors and EAP

CISD and Psychological First Aid interventions address individuals in the acute phase, typically days following an incident — session rates run $2,000-$8,000 per group session. EAP services ($1-$30 PEPM) provide individual clinical referral pathways. C3 assesses whether the EAP is functioning and reaching the second-victim cohort, and builds the support architecture that supplements it where reach is insufficient. Neither CISD nor EAP is a sustained organizational-level instrument operating on the 6-18 month arc that organizational nervous-system recovery requires. Technical IR, CISD, and EAP each address one layer of post-incident response; C3 fills the organizational layer that completes the response.

Track	Phase	Level	Duration	Representative Cost Range
Technical IR (Mandiant, CrowdStrike)	Acute	Systems & process	Weeks-months	$50K-$250K+ per engagement
CISD / Psychological First Aid	Acute	Individual	Days-weeks	$2K-$8K per session
EAP (standard coverage)	Ongoing	Individual clinical referral	Ongoing	$1-$30 PEPM
C3 — IHS (organizational recovery)	Post-acute	Organizational	6-18 months	Scoped per engagement

Factors That Affect Cost

The following factors directly determine engagement scope and, therefore, cost. Organizations that can characterize their situation against these factors will receive the most accurate scoped proposal from IHS.

Factor	Lower Scope	Higher Scope
Event type	Single event type, well-defined second-victim cohort	Multiple event types or compounding incidents; diffuse second-victim cohort
Organization size	Under 500 staff in affected functions	500+ staff; multi-site; health system scale
Second-victim cohort size	Under 50 directly affected staff	50+ directly affected staff; organization-wide secondary exposure
Existing support infrastructure	Active peer-support program, functioning EAP reach, Schwartz Rounds	No peer-support program, EAP with low utilization, no Schwartz Rounds
Just-culture infrastructure	Functioning just-culture infrastructure in place	Just-culture infrastructure absent — requires B3 build or integration
Regulatory intersection	Single regulatory response track (e.g., OCR only)	Multiple simultaneous regulatory responses (OCR + CMS + Joint Commission + state)
Pre-incident organizational state	Resting baseline — no pre-existing allostatic load	Elevated pre-incident load (reimbursement adversity, workforce crisis, CMS scrutiny)
Time since incident	4-16 weeks post-incident — patterns not yet entrenched	12-18+ months post-incident — patterns entrenched; deeper recovery arc required

What You Receive

The C3 engagement delivers structured work products and sustained advisory access across all three phases. Every engagement includes the following.

Phase 1 Stabilization Package (months 0-3): Leadership-team autonomic regulation sessions and between-session protocol; second-victim cohort support architecture (structural design and activation — peer-support, adapted Schwartz Rounds, EAP coordination, formal referral pathway clarification); immediate trust-rupture stabilization facilitation; recovery measurement baseline across all four quadrants (body, heart, mind, meaning-and-purpose).
Phase 2 Recovery Work (months 3-12): Organizational meaning-and-purpose sessions with affected cohorts; cross-functional trust-rebuilding cadence with the leadership team; post-incident learning infrastructure (standing debrief cadence, near-miss reporting structure, cross-functional learning forum, governance protocols); just-culture infrastructure connection where indicated; quarterly 90-minute structured leadership team sessions throughout.
Phase 3 Institutionalization Package (months 12-18): Sustainability assessment and recalibration of learning infrastructure; leadership-team behavioral anchors documentation; organizational narrative reconstruction; transition plan with internal ownership designations; final cross-quadrant recovery measurement report suitable for board reporting and regulatory documentation where applicable.
Recovery Measurement Framework: Tracked quarterly across the full engagement — ProQOL-5 secondary traumatic stress and compassion satisfaction tracking at 90-day intervals for the second-victim cohort; Edmondson psychological safety scale at team and leadership-cohort level; post-incident learning capacity indicators including near-miss reporting rates and debrief quality; staff engagement and retention signal in incident-affected functions.

The Cost of NOT Engaging

The cost of leaving organizational nervous-system recovery unaddressed is measurable — it arrives 6-18 months after the incident, when the technical and legal tracks have long since closed and the human-layer costs have become leadership turnover, governance dysfunction, and the next incident the depleted workforce could not prevent.

Healthcare ransomware scale: The FBI IC3 recorded 460 healthcare ransomware attacks in 2023 — more than any other critical infrastructure sector (FBI IC3 2023 Annual Report). The Change Healthcare 2024 attack compromised 193 million records, required a $22 million ransom payment, and disrupted 15 billion annual transactions (ITIF, March 2026). The organizational human-layer costs are structurally predictable from the literature and are not captured in any public breach disclosure.
Workplace violence exposure: 61.9% of healthcare workers experience any-form workplace violence; 24.4% experience physical violence in the past year (NCBI workplace violence meta-analysis). Each episode that goes without organizational-level recovery support depletes the workforce that faces the next one.
Attrition and replacement cost: Second-victim attrition following a serious adverse event carries a replacement cost of 1.5-2x annual salary for clinical positions. Executive replacement runs $300,000-$750,000+ including search, onboarding, and productivity loss. Average healthcare liability verdicts have exceeded $40 million; verdicts above $10 million have more than doubled since 2015 (Insurance Journal, 2024).
Post-incident learning failure: Edmondson's learning-climate research (Administrative Science Quarterly, 1999) establishes that the psychological safety conditions enabling post-incident learning are disrupted by significant incidents and do not self-restore without structural intervention. Organizations that do not rebuild those conditions are structurally more likely to experience repeat incidents.

How the Engagement Is Structured

C3 runs in three phases across 6-18 months. Each phase has a distinct focus, distinct deliverables, and a distinct measurement cadence. Quarterly leadership team work runs throughout all three phases as the sustained governance anchor.

Phase 1: Stabilization — Months 0-3

Addresses the acute organizational nervous-system state persisting after technical and legal stabilization. Deliverables: leadership-team autonomic regulation work (polyvagal-theory-grounded somatic regulation in the service of governance capacity); second-victim cohort support architecture; immediate trust-rupture stabilization; recovery measurement baseline across all four quadrants.

Phase 2: Recovery — Months 3-12

Addresses the deeper organizational recovery work Phase 1 stabilization makes possible. Structured cadence covers organizational meaning-and-purpose damage; cross-functional trust rebuilding between IT, clinical, compliance, and executive leadership; post-incident learning infrastructure construction; just-culture infrastructure connection where warranted. Quarterly 90-minute leadership team sessions run throughout as the governance anchor.

Phase 3: Institutionalization — Months 12-18

Ensures patterns from Phases 1 and 2 survive the engagement. Principal's role decreases as internal ownership increases. Deliverables: sustainability assessment; leadership-team behavioral anchors documentation; organizational narrative reconstruction; transition plan with internal ownership designations; final cross-quadrant recovery measurement report. The engagement ends with a documented transition, not an open-ended retainer.

Budget Planning by Phase

IHS consulting fees are scoped per engagement. Budget categories by phase:

Phase 1 (months 0-3): IHS Phase 1 consulting; A6 Diagnostic if not yet completed (scoped separately); EAP reach assessment (typically staff-time cost if EAP is in place); peer-support activation or design if infrastructure is absent.
Phase 2 (months 3-12): IHS Phase 2 consulting; just-culture infrastructure — foundational work within C3 scope or a parallel B3 build if absent; ProQOL-5 administration (included in IHS scope); near-miss reporting platform if required (vendor-dependent).
Phase 3 (months 12-18): IHS Phase 3 consulting; internal staff time for designated ownership transition receiving learning architecture, governance protocols, and behavioral anchors.

Phase 1 can be scoped and contracted independently. Phases 2 and 3 are priced after Phase 1 findings establish actual scope — no upfront commitment to a fixed total required.

Frequently Asked Questions

How much does post-incident organizational recovery cost?

IHS does not publish fixed pricing because scope is bespoke to event type, organization size, second-victim cohort size, just-culture infrastructure gap, and regulatory-response intersection. For market context: Mandiant and CrowdStrike technical IR retainers run $1,500-$3,000 per day; CISD-vendor acute debriefing runs $2,000-$8,000 per session. C3 addresses the organizational human layer neither track reaches across a 6-18 month engagement arc. Contact IHS for a scoped proposal.

Is the A6 diagnostic required before commissioning C3?

No. The A6 Post-Incident Organizational-Recovery Readiness Diagnostic is the 4-6 week structured assessment that maps the organizational nervous-system state and scopes C3. It is separable: organizations that have completed equivalent diagnostic work can commission C3 directly. Organizations without existing organizational diagnostics of post-incident state will find C3 more accurately scoped following the A6. The diagnostic produces a second-victim cohort map, intervention priority stack, and measurement baseline that prevents Phase 1 scope drift.

Can this engagement be structured under attorney-client privilege?

That determination belongs to the organization's General Counsel based on specific facts and jurisdiction — IHS does not provide legal advice. Organizations that want to structure the recovery engagement under privilege protection should discuss the option with General Counsel before engaging. The principal's JD background means that privilege structuring is a conversation he can have directly with General Counsel rather than one requiring translation.

What is the ideal timing for engagement — how soon after an incident?

The engagement is most productive when the acute technical and legal response has stabilized — typically 4-16 weeks post-incident — and before the organization has declared itself recovered without having addressed the organizational nervous-system layer. Engagements beginning within six months of the incident have the strongest recovery trajectory. Those beginning twelve to eighteen months out are addressing patterns that have become more entrenched but are still recoverable. Earlier is consistently better for both trajectory and cost efficiency.

How does this engagement interact with the organization's existing EAP?

C3 does not replace the EAP — it assesses whether the EAP is functioning and actually reaching the second-victim cohort, and builds the support architecture that supplements it where reach is insufficient. Phase 1 includes an EAP reach assessment and formal referral pathway clarification. The EAP handles individual clinical referral; C3 handles the organizational conditions that determine whether individuals can reach and use it.

Does the engagement apply to all three incident types — cyber, patient safety, workplace violence?

Yes. The Phase 1 stabilization work, second-victim support architecture, and meaning-and-purpose recovery work are common across all three event types. What calibrates to the event: who constitutes the second-victim cohort, what the moral injury looks like, what the trust rupture is between which functions, and what the regulatory-response intersection requires. For cybersecurity incidents specifically, the CISO and IT security team carry a second-victim burden that most organizational recovery frameworks do not recognize — this engagement addresses it explicitly.

How is recovery measured, and what does that cost?

Measurement is included in the IHS engagement scope — not a separate line item. Instruments: ProQOL-5 (secondary traumatic stress and compassion satisfaction, 90-day intervals); Edmondson psychological safety scale (team and leadership-cohort level); near-miss reporting rates and debrief quality indicators; staff engagement and retention signal in incident-affected functions. Reporting is quarterly; the final cross-quadrant report is delivered at Phase 3 completion.

What happens at the end of the engagement — is there an ongoing retainer?

Phase 3 (months 12-18) is designed for institutionalization — building the patterns from Phases 1 and 2 into standing governance, leadership practices, and support structures that do not require the principal's ongoing presence. The engagement ends with a documented transition plan that names internal owners, standing governance structures, and recalibration triggers that would indicate a return to engagement-level support. C3 is not structured as an open-ended retainer.

Related Resources

C3 Integral Post-Incident Organizational Recovery — Service Page — full engagement description, phase structure, and evidence base
C3 Comparison — How This Engagement Differs from Technical IR, CISD, and EAP
A6 Post-Incident Organizational-Recovery Readiness Diagnostic — the 4-6 week diagnostic that maps organizational nervous-system state and scopes C3
B3 Just-Culture Infrastructure Build — bespoke engagement building the accountability and behavioral infrastructure for post-incident learning
B1 Embodied Leadership Cohort — sustained leadership development for the senior team carrying the recovery arc
D1 Board Human Capital Advisory — board-level engagement on workforce and governance risk
Integral Workforce & Leadership Sciences — practice line overview

Ready to Get Started?

Schedule a no-obligation consultation with IHS. We will discuss where your organization is in its post-incident recovery, assess the five scope factors that determine engagement structure, and provide a tailored proposal for the C3 Integral Post-Incident Organizational Recovery engagement.

Schedule a Free Discovery Session