Relevant Contents
Need Tailored Business Continuity Insights?
Contact Us Now for Personalized Guidance!
Crisis communication is the process of giving the right people clear, accurate, and timely information during a disruption. A good crisis communications plan does not need to predict every possible incident. It needs to help the team answer practical questions under pressure.
A practical crisis communications plan should help the team answer four questions:
- What do we know?
- Who needs to know it?
- Who is allowed to say it?
- How fast can the message be approved and sent?
That is where many organizations struggle. Not because they lack good intentions, but because the communication process has not been built or tested before the event.
For program owners, crisis communication is not just a public relations issue. It affects response quality, leadership alignment, employee confidence, customer trust, and the organization’s ability to make decisions while facts are still developing.
The practical guidance below aligns with widely used crisis and emergency communication principles, including CDC Crisis and Emergency Risk Communication, ISO 22361 crisis management guidance, and FEMA/NIMS public information guidance. For a mixed business audience, those references are best used as supporting context, not as a one-size-fits-all checklist.
In short
Crisis communication works when teams know what to say, who approves it, who needs to hear it, and how quickly the message can move.
- Say what you know, what you do not know, and what happens next
- Decide who speaks before the crisis
- Match the message to the audience
- Test the approval path before you need it
What Crisis Communication Needs to Do Under Pressure
Crisis communication has to help people act.
Employees may need safety instructions or work guidance. Customers may need service-impact updates. Vendors may need delivery or access changes. Executives may need decision points. Regulators, contract partners, or customers may need formal notifications.
Not every incident requires a public or media response. Some events stay internal. Some are customer-specific. Some require regulatory notification. Some eventually become public because employees, customers, or outside observers start asking questions.
A practical plan should define:
- Who needs to be notified
- What each audience needs to know
- Who drafts the message
- Who approves it
- Which channels will be used
- When the next update will be sent
- How sent messages will be tracked
The first message may not have every answer. That is normal. The mistake is pretending certainty exists when it does not.
Rule 1: Say What You Know, What You Do Not Know, and What Happens Next
Early crisis messages should be clear about three things:
- What is known
- What is not yet confirmed
- What the organization is doing next
Teams often delay communication because they are waiting for perfect information. That delay creates a vacuum. Employees, customers, and outside audiences may fill that gap with guesses or incomplete information.
That does not mean the team should rush out unverified claims. It means the first message can be limited and still useful.
For example:
We are aware of the system outage affecting customer access. Our IT and operations teams are investigating the issue. We will provide another update by 2:00 p.m.
That message does not explain a root cause before it is confirmed. It does not assign blame. It tells people the organization is aware, working the issue, and committed to another update.
Weak execution looks like this:
- Waiting too long for complete certainty
- Saying “no impact” before impact is confirmed
- Sharing detail the audience cannot use
- Failing to give a next-update time
- Changing the message without explaining what changed
A practical rule: every crisis message should include a known fact, a current action, and a next update.
Rule 2: Decide Who Speaks Before the Crisis
Crisis communication slows down when no one knows who is allowed to speak.
The spokesperson may be the CEO, communications lead, incident commander, HR leader, legal counsel, site leader, or another executive. The right person depends on the incident type, audience, and severity.
A workplace safety incident may need a different voice than a cyber event. A local facility disruption may not need the CEO. A major customer-impacting event might.
The plan should define spokesperson roles before the crisis. It should also name backups.
This is where many plans look good on paper but fail in practice. They name a primary spokesperson but do not define:
- Who writes the message
- Who approves it
- Who posts it
- Who answers employee questions
- Who handles customer or media questions
- Who coordinates with legal, HR, security, IT, and operations
For program owners, this is response governance. If ownership is unclear, different leaders may issue different messages. Even when everyone means well, conflicting messages make the response harder to manage.
A practical rule: create a spokesperson and approval matrix by incident type, audience, severity, and backup owner.
Rule 3: Match the Message to the Audience
The same incident can require several messages.
Employees may need to know whether to report to a facility, work remotely, avoid a system, or wait for instructions.
Customers may need to know whether service is affected, what alternatives exist, and when the next update will come.
Vendors may need delivery changes, access changes, or security instructions.
Regulators, contract partners, or customer compliance teams may need notification through a defined channel.
The media or public may need a short statement only if the incident becomes public-facing or requires external response.
The mistake is trying to write one message for everyone.
A better approach is to build message templates around audience needs. Use the same core facts, but adjust the action.
For internal audiences, answer: “What should I do now?”
For customers, answer: “What does this mean for me?”
For executives, answer: “What is the impact, what is the response, and what decisions are needed?”
For regulators or contractual stakeholders, answer: “What notification is required, when, and through which channel?”
Crisis messaging is not only about tone. It is about usefulness. A message can be accurate and still fail if it does not tell the audience what they need to do.
A practical rule: write crisis messages by audience, not by department preference.
Rule 4: Test the Approval Path Before You Need It
Many crisis communication problems come from slow approvals.
The draft is ready, but legal has not reviewed it. Communications is waiting for operations. Operations is waiting for IT. IT is still validating the root cause. Executives want changes. Meanwhile, employees and customers are asking for updates.
Legal and compliance review matters. The issue is whether the review path is clear enough to support timely holding statements and updates.
A crisis communications plan should define approval levels by severity and message type. Not every update needs the same review. A safety instruction, customer-impacting statement, regulatory notice, and holding statement may require different approval paths.
This should be tested in tabletop exercises or other realistic response exercises.
During the exercise, do not only ask, “What would we say?”
Ask:
- Who drafts the first message?
- Who approves it?
- What if the approver is unavailable?
- How long does approval take?
- Which channels are used first?
- How are internal and external messages aligned?
- What happens if legal, HR, IT, operations, and leadership disagree?
- Who tracks what was sent and when?
Test internal and external messages separately. They may share facts, but they often require different timing, tone, approvals, and distribution channels.
A practical rule: test the approval path, not just the message template.
Quick Reference: The 4 Rules
| Rule | What it means | What weak execution looks like | What to do before a crisis |
|---|---|---|---|
| Say what you know, do not know, and what happens next | Communicate clearly without pretending to have every answer | Delayed messages, overconfident claims, no next update | Build holding statements and update intervals |
| Decide who speaks before the crisis | Define spokespersons, backups, and message owners | Competing leaders or departments issue different messages | Create a spokesperson and approval matrix |
| Match the message to the audience | Adjust the action and detail by stakeholder group | One generic message that helps no one act | Build audience-specific templates |
| Test the approval path | Practice how messages move from draft to release | Messages get stuck in legal, executive, or operational review | Include communication injects in tabletop exercises |
Common Crisis Communication Weak Spots
The first weak spot is unclear stakeholder lists. Many teams know their major audiences, but not where the contact lists live, who maintains them, or whether they are current.
The second is weak employee communication. Organizations often focus on external statements and forget that employees are also messengers. If employees are confused, that confusion can spread quickly.
The third is an unclear legal and compliance review process. Review is necessary, but the team needs a path for timely holding statements and updates.
The fourth is poor social media readiness. Even if the organization does not plan to lead with social media, customers, employees, or the public may use it to ask questions or share concerns.
The fifth is message drift. The first message says one thing, the second says another, and no one explains why the information changed.
Most of these issues can be reduced before a crisis. That is the point of planning and testing.
Crisis Communication Help
Crisis communication planning is part structure, part judgment.
Templates help. So do call trees, stakeholder lists, message maps, and approval workflows. But the real test is whether the plan works when the situation is unclear and leaders are under pressure.
MHA Consulting helps organizations review crisis communication plans, clarify spokesperson and backup roles, map internal and external stakeholder groups, define approval paths by incident severity, and build communication injects into tabletop exercises.
That outside view can also help identify where legal, HR, IT, operations, communications, and leadership reviews may slow the response.
This is especially useful when a plan exists, but the team has not tested whether messages can move from draft to approval to release under realistic conditions.
Conclusion
Crisis communication is not about having the perfect statement ready for every possible event.
It is about having a disciplined way to communicate when facts are incomplete, pressure is high, and different audiences need different things.
The four rules are simple:
- Say what you know, what you do not know, and what happens next
- Decide who speaks before the crisis
- Match the message to the audience
- Test the approval path before you need it
If your team can do those four things, the response will usually be clearer, faster, and easier to manage.
Review Your Crisis Communication Plan
If your crisis communications plan has not been reviewed or tested recently, MHA can help you pressure-test the plan, clarify roles, map audiences, and build practical messaging guidance your team can use during a real event.
Use the review to answer the questions that usually matter most under pressure: who speaks, who approves, who needs the message, which channels are used, and how quickly the update can go out.
FAQ
What is crisis communication?
Crisis communication is the process of sharing clear, accurate, timely information during a disruption so employees, customers, leaders, regulators, vendors, and other stakeholders understand what is happening and what actions they should take.
What should a crisis communications plan include?
A crisis communications plan should include stakeholder groups, message owners, spokespersons and backups, approval paths, communication channels, message templates, update intervals, and a process for tracking what was sent and when.
Who should approve crisis messaging?
Approval should depend on the incident type, severity, audience, and message type. Some messages may need legal, compliance, executive, HR, IT, operations, or communications review. The important point is to define the approval path before the incident.
How do you test crisis communication before an incident?
Crisis communication can be tested through tabletop exercises and communication injects that require the team to draft, approve, revise, and distribute internal and external messages under realistic time pressure.
Michael Herrera
Michael Herrera is the Chief Executive Officer (CEO) of MHA. In his role, Michael provides global leadership to the entire set of industry practices and horizontal capabilities within MHA. Under his leadership, MHA has become a leading provider of Business Continuity and Disaster Recovery services to organizations on a global level. He is also the founder of BCMMETRICS, a leading cloud based tool designed to assess business continuity compliance and residual risk. Michael is a well-known and sought after speaker on Business Continuity issues at local and national contingency planner chapter meetings and conferences. Prior to founding MHA, he was a Regional VP for Bank of America, where he was responsible for Business Continuity across the southwest region.