Crisis Management Plan: Build It Before You Need It

ByKeith Lacy
Why Most Crisis Plans Fail Before the Crisis StartsWhat a Crisis Management Plan Actually Needs to ContainThe Scenario Planning ProblemThe Communication Sequencing ProblemTesting the Plan: Why Tabletop Exercises Are Not OptionalThe Digital Dimension: Social Media and Real-Time PressureWhen the Plan Meets Reality

Get sharp marketing thinking, weekly

No fluff. Just clear, commercially grounded insights.

A crisis management plan is a documented framework that defines how an organisation identifies, responds to, and recovers from reputational or operational threats. Done properly, it assigns clear roles, sets communication protocols, and establishes decision-making authority before a crisis occurs, not during it.

Most organisations discover they don’t have one when they need it most. That’s not a coincidence. It’s a planning failure dressed up as bad luck.

Key Takeaways

  • A crisis management plan only works if it exists before the crisis. Plans written under pressure are reactive documents, not strategic ones.
  • The most common failure point isn’t communication strategy, it’s decision-making authority. If no one knows who can approve the response, everything stalls.
  • Scenario planning is the engine of the plan. Generic frameworks collapse under specific pressure. You need named scenarios, named owners, and named escalation paths.
  • Silence during a crisis is a communication decision. It sends a message. Your plan needs to account for what you say when you have nothing definitive to say yet.
  • Testing the plan matters as much as writing it. A plan that has never been stress-tested is a plan that will fail at the worst possible moment.

In This Article

  1. Why Most Crisis Plans Fail Before the Crisis Starts
  2. What a Crisis Management Plan Actually Needs to Contain
  3. The Scenario Planning Problem
  4. The Communication Sequencing Problem
  5. Testing the Plan: Why Tabletop Exercises Are Not Optional
  6. The Digital Dimension: Social Media and Real-Time Pressure
  7. When the Plan Meets Reality

Crisis communications sits within a broader discipline that most marketing teams underinvest in until they’re forced to pay attention. If you want to understand how PR and communications strategy fits into the wider picture, the PR & Communications hub at The Marketing Juice covers the full landscape, from reputation management to media relations and beyond.

Why Most Crisis Plans Fail Before the Crisis Starts

I’ve seen crisis plans that were 40-page documents with elaborate flowcharts, laminated covers, and a shelf life of about six months before they became completely irrelevant. The team had changed, the agency relationships had changed, the social media landscape had changed, and nobody had updated the plan to reflect any of it.

The problem with most crisis plans isn’t that they’re poorly written. It’s that they’re written as a compliance exercise rather than an operational one. Someone in legal or comms is asked to produce a document, they produce it, it gets signed off, and it sits in a shared drive folder that nobody can find when the phone starts ringing.

Three structural failures show up repeatedly in organisations that get crisis response wrong.

First, the plan is built around the org chart that existed when it was written, not the one that exists now. People leave. Responsibilities shift. The crisis team listed in the document may no longer include the people who actually hold the authority or the relationships to manage the situation.

Second, the plan assumes information will be clear and complete when the crisis breaks. It almost never is. Good plans are built for ambiguity. They define what you do when you don’t yet know what’s happened, not just what you do once you have the full picture.

Third, and most critically, the plan doesn’t answer the question of who can actually say yes. Communication strategies, holding statements, media responses, these all require approval. If your plan doesn’t specify exactly who has sign-off authority at each stage, and what happens if that person is unavailable, you will lose hours at the worst possible time.

What a Crisis Management Plan Actually Needs to Contain

Strip away the theory and a working crisis management plan has six functional components. Each one needs to be specific enough to be actionable under pressure.

1. A Defined Crisis Threshold

Not everything is a crisis. One of the most valuable things a plan can do is define what actually constitutes a crisis versus a problem that can be handled through normal channels. Without this, you either over-escalate routine issues and exhaust your crisis infrastructure, or you under-escalate genuine threats and lose the window for early containment.

A useful threshold framework categorises situations by potential impact: reputational, financial, legal, and operational. Each category gets a severity level, and each severity level triggers a different response protocol. A customer complaint that goes viral on social media is not the same category of event as a product safety issue or a data breach, and your plan should treat them differently.

2. Named Roles With Named Backups

Your crisis team needs to be named individuals, not job titles. “The Head of Communications” is not a crisis contact. Sarah Mitchell, mobile number, home number, and the name of her backup when she’s unreachable, that’s a crisis contact.

Every role in the plan needs a primary and a secondary. The crisis lead, the media spokesperson, the legal sign-off authority, the social media owner, the client or board liaison. Each one needs a backup who has been briefed on what the role requires.

3. Pre-Approved Communication Templates

The most time-consuming part of any crisis response is getting language approved. The solution is to draft and approve language before you need it. Holding statements for the most likely scenarios, social media response templates for common situations, internal communications for staff, and media Q&As for foreseeable questions.

These don’t need to be final communications. They need to be approved starting points that can be adapted quickly. The difference between having a pre-approved template and starting from scratch in a crisis is often the difference between responding in two hours and responding in eight.

Managing your public-facing response extends to every channel, including review platforms. Semrush’s guide to replying to Google reviews is a useful reference for how to handle public feedback in a measured, professional way, which applies directly to crisis-adjacent situations where customers are venting publicly.

4. A Stakeholder Map With Contact Priorities

During a crisis, you will need to communicate with multiple audiences simultaneously, and the order in which you communicate matters enormously. Staff before press. Board before public. Affected customers before unaffected ones.

Your plan needs a stakeholder map that identifies every group who needs to be informed, in what order, through what channel, and with what message. This isn’t just a communications nicety. Getting the sequencing wrong, letting staff find out from a news article, or letting a client hear from a journalist before they hear from you, creates secondary crises that compound the original one.

5. A Monitoring and Early Warning Protocol

The best crisis management is crisis prevention. Your plan should define what you’re monitoring, how often, and who is responsible for flagging signals that something is building. Social sentiment, media mentions, customer complaint volume, internal near-misses. The earlier you catch a developing situation, the more options you have.

This is where technology earns its keep. Monitoring tools that track brand mentions across channels give you visibility before a situation becomes a headline. But the tool is only as useful as the protocol around it. Someone needs to own the monitoring, set the alert thresholds, and know what to do when something crosses them.

6. A Recovery and Review Process

Most crisis plans end at the point of resolution. That’s a mistake. The recovery phase, rebuilding trust, restoring normal operations, and reviewing what happened, is where organisations either learn and improve or repeat the same failures.

Build a post-crisis review into the plan itself. What happened, how was it detected, how was it handled, what worked, what didn’t, and what needs to change in the plan as a result. This turns a crisis from a pure cost into a source of institutional knowledge.

The Scenario Planning Problem

Generic crisis plans are almost useless. A plan that says “respond promptly and transparently” tells you nothing about what to do when a licensing issue surfaces 72 hours before a major campaign goes live, or when a supplier’s data breach exposes your customer records, or when a senior executive is named in a media investigation.

Years ago, I was running an agency that had developed what I genuinely believed was one of the best Christmas campaigns we’d ever made. A major telecoms client, a beautifully crafted piece of work, months of development. We’d brought in a Sony A&R consultant to handle the music rights. Everything had been checked. Then, at the eleventh hour, a licensing issue surfaced that made the campaign undeliverable. Not a small tweak, a complete restart. We had to go back to the drawing board, develop an entirely new concept, get client approval, and deliver it in a fraction of the original timeline.

What saved us wasn’t a crisis plan. It was the fact that we’d built a team culture where people knew how to escalate fast, how to make decisions without full information, and how to keep the client relationship intact while everything was on fire internally. That’s what scenario planning tries to codify. The instincts that good teams develop over years of pressure, turned into a repeatable process.

Effective scenario planning means identifying the five to ten most plausible crisis scenarios for your specific organisation, not generic ones, and building specific response playbooks for each. A product recall is a different playbook from a social media controversy. A data breach is a different playbook from an executive misconduct allegation. Each one has different legal implications, different stakeholder priorities, different communication windows, and different recovery paths.

BCG’s work on always-on strategy makes a relevant point about organisational readiness: companies that build adaptive capacity into their operating model before they need it consistently outperform those that try to build it in response to disruption. Crisis planning is exactly this kind of adaptive capacity. It’s not reactive preparation, it’s structural resilience.

The Communication Sequencing Problem

One of the most consistent mistakes I’ve seen organisations make during a crisis is treating communication as a single broadcast event rather than a sequenced series of conversations with different audiences.

When something goes wrong, the instinct is often to say nothing until you know everything. That instinct is understandable and almost always wrong. Silence doesn’t buy you time. It fills with speculation, and speculation is almost always worse than an honest acknowledgement that you’re aware of the situation and are working on it.

The phrase “we are aware of the situation and are working to understand the full picture” is not a weak statement. It is a clear signal that you are in control of your own communication, that you know something is happening, and that you are taking it seriously. It closes the vacuum that speculation fills.

What your plan needs to define is the communication rhythm: what you say in the first hour, the first four hours, the first 24 hours, and beyond. Each interval has a different purpose. The first communication acknowledges the situation. The second provides initial facts. The third provides fuller context. The fourth describes actions taken and next steps. This rhythm keeps stakeholders informed without forcing you to commit to information you don’t yet have.

I spent several years managing agency relationships with Fortune 500 clients across more than 30 industries. The clients who handled crises well had one thing in common: they had pre-established communication rhythms with their agencies, their boards, and their key stakeholders. When something broke, everyone knew their role without needing to be told. The clients who struggled were the ones who had to figure out the process while also managing the situation. You cannot do both simultaneously without losing ground on at least one.

Testing the Plan: Why Tabletop Exercises Are Not Optional

A crisis plan that has never been tested is a document. It is not a plan.

Tabletop exercises, where the crisis team works through a simulated scenario in real time, are the most reliable way to find the gaps in a plan before a real crisis finds them for you. They reveal which decision-making paths are unclear, which stakeholder communications are missing, which team members don’t know their role, and which scenarios the plan simply doesn’t cover.

A good tabletop exercise runs for two to four hours, uses a realistic scenario specific to your organisation, and involves everyone who would have a role in an actual crisis response. It should feel uncomfortable. If it doesn’t, the scenario isn’t realistic enough or the participants aren’t engaging honestly with the gaps.

Run one annually at minimum. Run one whenever there is significant organisational change: a merger, a leadership transition, a major product launch, an expansion into a new market. Each of these changes the risk profile of the organisation and may invalidate assumptions the plan was built on.

The output of a tabletop exercise should be a specific list of plan amendments, not a general sense that things went reasonably well. If the exercise doesn’t produce concrete changes to the plan, it wasn’t challenging enough.

The Digital Dimension: Social Media and Real-Time Pressure

Social media has fundamentally changed the timeline of a crisis. A situation that would have given organisations 24 to 48 hours to formulate a response in the pre-social era now demands visible action within hours, sometimes within minutes of public awareness.

This compression of the response window is one of the most significant practical challenges a crisis plan has to address. Your plan needs to account for the fact that your social media channels are always on, always public, and always being watched by people who will screenshot anything and everything.

Specific protocols for social media during a crisis should include: who has posting authority, what the approval chain looks like for crisis-related content, whether scheduled posts should be paused and who makes that call, how to handle direct messages and comments from affected parties, and what the escalation path looks like if a post generates significant negative response.

The social media dimension also creates a monitoring obligation. You need to know what is being said about you, in real time, across platforms. This isn’t just about brand mentions. It’s about sentiment shifts, emerging narratives, and whether your response is landing the way you intended or being reframed by others.

I’ve judged the Effie Awards and seen behind the curtain of marketing effectiveness at scale. One pattern that consistently distinguished effective from ineffective crisis responses was the presence or absence of real-time social intelligence. The organisations that managed crises well had people watching the conversation and feeding intelligence back to the decision-makers. The ones that struggled were responding to what they assumed was being said rather than what was actually being said.

When the Plan Meets Reality

No plan survives contact with an actual crisis entirely intact. The value of a well-built plan isn’t that it tells you exactly what to do in every situation. It’s that it reduces the number of decisions you need to make under pressure, and it ensures that the decisions you do need to make are being made by the right people with the right information.

When I was scaling an agency from around 20 people to over 100, we went through several situations that tested our operational resilience. What I learned was that the organisations that handled pressure well weren’t the ones with the most elaborate contingency plans. They were the ones with the clearest decision-making structures and the most honest internal communication. People knew who to call, knew what they were authorised to do without escalation, and knew that escalating early was rewarded rather than penalised.

That cultural dimension of crisis readiness is the hardest thing to document and the most important thing to build. A plan can tell people what to do. It can’t make them willing to escalate bad news fast, or to say “I don’t know” when they don’t know, or to prioritise the organisation’s reputation over their own comfort in a difficult moment. That comes from leadership culture, and it has to be built long before any crisis arrives.

BCG’s research on organisational decision-making under pressure reinforces this point: the quality of decisions made in high-stakes situations is directly related to the clarity of the decision-making structure and the psychological safety of the people within it. Neither of those things can be created in the moment. They have to be built in advance.

The PR and communications function carries more strategic weight than most organisations give it credit for, especially when things go wrong. If you want to go deeper on how communications strategy connects to brand protection, stakeholder management, and long-term reputation, the PR & Communications section at The Marketing Juice covers the full range of disciplines that sit beneath this work.

About the Author

Keith Lacy is a marketing strategist and former agency CEO with 20+ years of experience across agency leadership, performance marketing, and commercial strategy. He writes The Marketing Juice to cut through the noise and share what works.

Frequently Asked Questions

What should a crisis management plan include?
A working crisis management plan should include a defined crisis threshold that distinguishes genuine crises from routine problems, named team members with backups for every key role, pre-approved communication templates for likely scenarios, a stakeholder map with communication sequencing, a monitoring protocol for early warning signals, and a post-crisis review process. Generic frameworks are not enough. The plan needs to be specific to your organisation, your risk profile, and your actual team structure.
How often should a crisis management plan be updated?
At minimum, annually. Beyond that, a plan should be reviewed and updated whenever there is significant organisational change: a leadership transition, a merger or acquisition, a major product launch, or an expansion into a new market. Any of these can change your risk profile and invalidate assumptions the plan was built on. The plan should also be updated after every real crisis or tabletop exercise, based on what was learned.
What is a tabletop exercise in crisis management?
A tabletop exercise is a structured simulation where the crisis team works through a realistic scenario in real time, without the pressure of an actual event. The goal is to identify gaps in the plan, clarify decision-making authority, and ensure everyone knows their role before a real crisis requires them to perform it. A good tabletop exercise runs two to four hours, uses a scenario specific to your organisation, and produces a concrete list of plan amendments as output.
Who should be on a crisis management team?
The core crisis team typically includes a crisis lead with overall decision-making authority, a communications or PR lead responsible for external messaging, a legal representative with sign-off authority on public statements, a social media owner, and a senior executive or board liaison. For larger organisations, an HR representative and an operations lead are often added. Every role needs a named primary and a named backup. Job titles are not sufficient. The plan needs to name actual individuals and their contact details.
What is the difference between a crisis management plan and a business continuity plan?
A crisis management plan focuses on protecting and managing the organisation’s reputation, stakeholder relationships, and communications during a significant event. A business continuity plan focuses on maintaining or restoring operational functions during and after a disruption. The two are related but distinct. A data breach, for example, would trigger both: the crisis management plan governs how you communicate with affected customers, regulators, and the media, while the business continuity plan governs how you restore systems and resume normal operations. Organisations need both, and they should be designed to work together.

Similar Posts