Crisis Communications Plan: What to Build Before the Phone Rings

ByKeith Lacy
What Does a Crisis Communications Plan Actually Need to Contain?How Do You Map Scenarios That Are Specific to Your Business?Who Should Own the Crisis Communications Plan?What Should a Holding Statement Actually Say?How Do You Sequence Stakeholder Communication?How Do You Train People to Use the Plan?What Role Does Monitoring Play in Crisis Preparedness?How Often Should the Plan Be Reviewed?What Separates Organisations That Recover Quickly From Those That Do Not?

Get sharp marketing thinking, weekly

No fluff. Just clear, commercially grounded insights.

A crisis communications plan is a pre-built framework that tells your organisation who speaks, what they say, and how fast they move when something goes wrong. Without one, you are making those decisions under pressure, with incomplete information, while the situation is already developing without you.

The difference between a crisis that damages a brand for a quarter and one that damages it for a decade is rarely the severity of the incident. It is almost always the quality of the preparation that preceded it.

Key Takeaways

  • A crisis plan is only useful if it exists before the crisis. Building one during an incident is not planning, it is improvisation with a document attached.
  • The three things that collapse fastest in a real crisis are spokesperson clarity, approval chains, and message consistency. Your plan needs to solve all three explicitly.
  • Scenario mapping matters more than generic frameworks. A plan that covers your actual risk profile is worth ten times a generic template pulled from a consultancy deck.
  • Internal communication is not a secondary concern. Your employees will hear about a crisis before most external stakeholders, and how they hear it shapes how they talk about it.
  • Testing the plan through simulation is the only way to know whether it works. A plan that has never been stress-tested is a plan you cannot trust when it counts.

In This Article

  1. What Does a Crisis Communications Plan Actually Need to Contain?
  2. How Do You Map Scenarios That Are Specific to Your Business?
  3. Who Should Own the Crisis Communications Plan?
  4. What Should a Holding Statement Actually Say?
  5. How Do You Sequence Stakeholder Communication?
  6. How Do You Train People to Use the Plan?
  7. What Role Does Monitoring Play in Crisis Preparedness?
  8. How Often Should the Plan Be Reviewed?
  9. What Separates Organisations That Recover Quickly From Those That Do Not?

What Does a Crisis Communications Plan Actually Need to Contain?

Most crisis plans I have seen fall into one of two failure modes. The first is the plan that is too thin: a one-page contact sheet dressed up as a framework. The second is the plan that is too heavy: a 60-page document that nobody has read and nobody could locate under pressure. Neither is useful when the situation demands speed and clarity.

A functional crisis communications plan contains six things. First, a clear definition of what constitutes a crisis at your organisation, because not every bad news story is a crisis and treating it as one wastes resources and amplifies noise. Second, a tiered response structure that matches the level of response to the severity of the situation. Third, a named spokesperson for each scenario type, with a named backup for each. Fourth, pre-approved holding statements for your most likely scenarios. Fifth, a stakeholder map that tells you who needs to hear from you, in what order, and through which channel. Sixth, a post-incident review process, because the learning is part of the plan.

If your plan does not address all six, it is a starting point, not a finished document.

How Do You Map Scenarios That Are Specific to Your Business?

Generic crisis frameworks have their place, but they have a significant limitation: they are built around the average organisation, and your organisation is not average. Your risk profile is shaped by your sector, your size, your supply chain, your workforce, your customer relationships, and the specific history of your brand.

The most useful exercise in building a crisis plan is a structured scenario mapping session. You sit a small cross-functional group in a room, and you ask a simple question: what are the ten things that could go wrong that would require us to communicate publicly within 24 hours? You do not filter for likelihood. You filter for impact. The low-probability, high-impact scenarios are exactly the ones that catch organisations unprepared, because nobody wanted to spend time planning for something unlikely.

this clicked when in a particularly sharp way during a campaign we developed for Vodafone. We had built what I genuinely believed was one of the strongest Christmas campaigns the agency had produced. The work was good. The client was excited. Then, at the eleventh hour, a music licensing issue surfaced that made the entire campaign undeliverable. Despite working with a Sony A&R consultant throughout the process, a rights conflict emerged that nobody had caught. We had to abandon the campaign, rebuild the concept from scratch, get client approval on a compressed timeline, and deliver. The lesson I took from that was not about music licensing. It was about the scenarios you do not plan for because you assume someone else has covered them. In crisis communications, that assumption is where the exposure lives.

Scenario mapping should produce a shortlist of your five to eight highest-impact risk scenarios, each with a named response lead, a draft holding statement, and a stakeholder notification sequence. That is the working core of a plan that is actually calibrated to your business.

Who Should Own the Crisis Communications Plan?

Ownership is one of the most contested questions in crisis preparedness, and the answer matters more than most organisations acknowledge. The plan sits at the intersection of communications, legal, operations, and executive leadership. In practice, that means it often ends up owned by nobody, or owned by a function that lacks the authority to activate it.

The communications function should own the plan. Not because it is a communications problem, but because communications is the function responsible for how the organisation is perceived externally, and perception is what a crisis plan is designed to protect. What communications cannot do is activate a response without executive authority, which is why the plan needs to be explicitly endorsed at board or senior leadership level, with named decision-makers for each tier of response.

Legal should be a standing contributor to the plan, not a gatekeeper of it. One of the most common failure patterns I have seen is legal holding up a response because they are reviewing language, while the story is already running. The solution is to do the legal review before the crisis, not during it. Pre-approved holding statements exist precisely to solve this problem. If your legal team has already signed off on a set of holding statements for your most likely scenarios, you can move fast when you need to without compromising the organisation’s legal position.

If you are working through the broader landscape of PR and communications strategy, the PR and Communications hub at The Marketing Juice covers the full range of disciplines that sit alongside crisis planning, from media relations to reputation management.

What Should a Holding Statement Actually Say?

A holding statement is not a full response. It is the communication that buys you time to prepare a full response without going silent. Silence is interpreted as guilt, evasion, or incompetence. A holding statement tells the world that you are aware, you are taking it seriously, and you will have more to say shortly.

The anatomy of a good holding statement is straightforward. It acknowledges the situation without admitting fault where fault is not yet established. It signals that the organisation is actively engaged. It commits to a timeline for a fuller update. It does not speculate, does not assign blame, and does not make promises the organisation cannot keep.

What it should not do is read like it was written by a committee in a panic, because that is exactly what it will sound like if it was. The best holding statements are drafted in calm conditions, reviewed by legal and communications together, and approved before they are needed. When the incident occurs, the only decision is whether to use the statement as drafted or make minor adjustments for the specific circumstances.

One structural note: different scenarios require different tones. A holding statement for a data breach sounds different from one for a product recall, which sounds different from one for an employee relations incident. Pre-drafting by scenario type is worth the time investment. It is also worth reviewing those statements annually, because your organisation changes and the statements need to reflect who you are now, not who you were when you wrote them.

How Do You Sequence Stakeholder Communication?

One of the most underestimated elements of crisis communication is sequencing. Who hears from you first matters. Get it wrong and you create a secondary crisis on top of the primary one.

The general principle is inside-out, then close-to-far. Your employees should hear from you before they read about it in the press. Your major customers or partners should hear from you before they see a statement on your website. Regulators, where relevant, should be notified according to the legal requirements of your sector, which in many cases means notification within hours rather than days.

I have watched organisations get this sequencing wrong in ways that created entirely avoidable problems. An agency I was familiar with issued a public statement about a client-related incident before the client had been briefed. The client found out through a trade press alert. That relationship did not recover. The incident itself was manageable. The sequencing failure was not.

Your stakeholder map should be a live document, not a static one. It should list every significant stakeholder group, the appropriate communication channel for each, and the sequence in which they are notified. It should be updated whenever your stakeholder landscape changes, which in most organisations is more often than annual reviews would capture.

Digital channels add a layer of complexity here. Social media moves faster than any stakeholder notification sequence you can design. Your plan needs to account for the possibility that the story breaks publicly before you have completed your internal notification, and it needs a protocol for that scenario. That protocol is not silence. It is the holding statement, deployed immediately, while the internal sequence continues in parallel.

How Do You Train People to Use the Plan?

A plan that exists only as a document is not a plan. It is a filing exercise. The only way to know whether your crisis communications plan works is to test it under conditions that approximate the real thing, and the only way to build the muscle memory that makes it work under pressure is to practice.

Tabletop exercises are the standard mechanism for this. You present a scenario, you run the team through the first four hours of response, and you observe where the plan breaks down. It always breaks down somewhere. That is the point of the exercise. The gaps you find in a simulation are the gaps you fix before they matter.

When I was running agencies, we ran a version of this for major client accounts. We called them contingency reviews rather than crisis simulations, but the structure was the same. We would identify the three or four scenarios that could materially damage the client relationship or the campaign, and we would walk through the response. It was uncomfortable. It was also the most useful thing we did to prepare for the inevitable moments when things went wrong.

Spokesperson training is a specific subset of this preparation that deserves its own investment. The person who speaks for your organisation in a crisis is carrying significant responsibility, and the skills required are not intuitive. They need to be able to stay on message under adversarial questioning, to acknowledge without over-disclosing, and to communicate calm authority when they may not feel calm. That is a trained skill, not a natural one. If your designated spokesperson has not done media training in the last two years, that is a gap worth addressing before you need them.

What Role Does Monitoring Play in Crisis Preparedness?

Early detection is the single biggest variable in crisis response. An organisation that identifies a developing situation at hour one has fundamentally different options than one that identifies it at hour twelve. The difference is monitoring infrastructure, and most organisations have less of it than they think.

Brand monitoring tools track mentions across social media, news, and forums. They are not infallible, and they are not a substitute for human judgment, but they are a significant improvement over relying on someone stumbling across a story. The question is not whether to monitor but who is responsible for acting on what the monitoring surfaces.

Your crisis plan should specify a monitoring protocol: what is being monitored, how often alerts are reviewed, and what threshold triggers escalation. A spike in brand mentions is not automatically a crisis. A spike in brand mentions combined with negative sentiment and media pickup is a different conversation. The protocol should define those thresholds explicitly so that the person monitoring is not making judgment calls in isolation.

One area that is consistently undermonitored is employee-generated content. What your employees say on social media about your organisation can become a crisis story faster than almost any other source. That is not an argument for surveillance or suppression. It is an argument for internal communication that is good enough that employees are not filling information vacuums with speculation.

How Often Should the Plan Be Reviewed?

Annual review is the minimum. Quarterly review is better for organisations in sectors with high regulatory exposure or significant public profile. The trigger for an unscheduled review is any material change to the organisation: a significant acquisition, a leadership change, a major product launch, entry into a new market, or a significant incident at a competitor that reveals a risk you had not considered.

The review should cover four things. Whether the contact information and named spokespersons are still current. Whether the holding statements still reflect the organisation’s current situation and values. Whether the stakeholder map still captures the right audiences in the right sequence. And whether the scenarios are still the right ones, given how the organisation and its environment have changed.

Post-incident reviews are a specific category of review that should happen after any significant communications event, including near-misses. The question is not who is to blame. The question is what the plan got right, what it missed, and what needs to change. That learning is only useful if it is documented and incorporated into the next version of the plan.

Organisations that treat crisis planning as a one-time exercise tend to find that their plan is most outdated at exactly the moment they need it most. The plan is not a project with a completion date. It is an ongoing operational responsibility.

What Separates Organisations That Recover Quickly From Those That Do Not?

Having spent time on both sides of this, managing crises for clients and watching organisations handle their own, the differentiator is almost never the quality of the communications in the moment. It is the quality of the relationships and the reputation that existed before the moment.

Organisations with strong pre-existing media relationships get more balanced coverage when something goes wrong. Organisations with genuine customer trust get more benefit of the doubt. Organisations with clear values and a track record of acting on them have a credibility reserve to draw on. Organisations that have built none of those things find that a crisis strips away the surface and reveals what was underneath.

This is why crisis communications planning cannot be separated from reputation management more broadly. The plan is the emergency response. The reputation is the immune system. You need both, and you cannot build the immune system in the middle of an infection.

There is a useful parallel here from the commercial side of agency leadership. When I was running a turnaround at a loss-making agency, the businesses that recovered fastest were the ones that had maintained strong client relationships through the difficult period, not the ones that had the most impressive recovery plan. The plan mattered. But the relationships were the foundation the plan had to stand on. Crisis communications works exactly the same way. For more on building that broader communications foundation, the PR and Communications hub is a useful starting point.

For further reading on organisational resilience and what effective turnarounds actually require, BCG’s research on effective turnarounds is worth your time. The principles that apply to business recovery apply with reasonable accuracy to reputation recovery as well.

The mechanics of crisis communication, the plan, the spokesperson, the holding statement, the stakeholder sequence, matter enormously. But they matter most when they are built on a foundation of genuine credibility. Build the foundation first. Build the plan alongside it. Do not wait for the phone to ring.

For context on how digital channels have changed the speed and spread of reputational risk, Search Engine Land’s coverage of social search behaviour offers a useful perspective on how audiences now find and share information. And if you are thinking about how personal and brand reputation interact in a crisis, MarketingProfs on personal branding mistakes covers some of the same underlying dynamics from a different angle.

About the Author

Keith Lacy is a marketing strategist and former agency CEO with 20+ years of experience across agency leadership, performance marketing, and commercial strategy. He writes The Marketing Juice to cut through the noise and share what works.

Frequently Asked Questions

How long should a crisis communications plan be?
Long enough to be complete, short enough to be usable under pressure. For most organisations, the core plan runs to 10 to 20 pages, with scenario-specific annexes attached. A plan that nobody reads because it is too dense is not a functional plan. Prioritise clarity and navigability over comprehensiveness.
Who should be in the crisis communications team?
At minimum: a communications lead, a legal representative, an operations or subject matter expert relevant to the scenario, and an executive decision-maker with authority to approve and activate the response. For publicly listed companies, investor relations should also be included. The team should be small enough to move quickly and senior enough to make decisions without escalation delays.
What is the difference between a crisis and a communications issue?
A communications issue is a problem that can be managed through normal channels with normal timelines. A crisis is a situation that poses a material threat to your organisation’s reputation, operations, legal standing, or stakeholder relationships, and that requires an accelerated, coordinated response. The distinction matters because treating every issue as a crisis wastes resources and creates noise, while treating a genuine crisis as a routine issue is how manageable situations become catastrophic ones.
How quickly should an organisation respond publicly to a crisis?
A holding statement should be issued within one to two hours of a crisis being identified, in most cases. The goal is not to have all the answers immediately. The goal is to signal that you are aware and engaged before the narrative forms without you. The full response can follow once you have the information needed to make it accurate and credible. Silence in the first hours is rarely interpreted charitably.
Should small businesses have a crisis communications plan?
Yes, though the plan can be proportionally simpler. Small businesses are not immune to reputational crises, and in some ways they are more vulnerable because they have less institutional credibility to draw on when things go wrong. A small business plan might be a single document covering: who speaks publicly, what the holding statement says, which stakeholders need to be notified first, and who makes the final call on communications decisions. That is enough to avoid the most damaging improvisation.

Similar Posts