The first 24 hours of a crisis should do five things: establish control, clarify facts, protect people and essential operations, control communications, and document decisions. That is the practical answer.
In short
A strong first day is not about having every answer. It is about giving the organization enough structure to make faster, cleaner decisions under pressure.
- Confirm who is leading and who has authority to decide
- Build one trusted picture of what is known, unknown, and changing
- Prioritize people safety, essential operations, communications, and a usable decision record
That five-part structure is experienced guidance, not a single formal standard, but it lines up closely with public emergency planning and incident response guidance from FEMA, CISA, and NIST, which consistently emphasize clear direction, role definition, information flow, stakeholder coordination, and response logging. FEMA emergency planning guidance is especially useful for the leadership side of this problem.
For executive teams, this matters because the first day is rarely lost because no one is working. It is lost because too many things are moving at once and the organization has not yet imposed enough structure on the event. In a cyberattack, that can mean containment decisions before business impact is understood. In an operational outage, it can mean restoring the wrong service first. In a facility disruption, it can mean uncertainty over closures, workforce instructions, or alternate operating arrangements. FEMA’s senior-official materials are useful here because they treat early crisis leadership as a decision and coordination problem, not just a technical one. (Source: FEMA senior official checklists)
1. Establish Control and Decision Rights Early
The first leadership task is deciding who is in charge of what, in practice, not in theory.
That means confirming whether the organization is managing an incident, a broader crisis, or both. It also means identifying who owns operational coordination, executive decisions, legal review, communications, workforce direction, and external notifications. CISA’s incident response planning basics says an incident response plan should be a written document approved by senior leadership and used before, during, and after an incident. NIST incident handling guidance also stresses the need for policy, procedures, communication guidelines, and relationships with internal and external groups that become important during response.
This is where many teams lose time. The room fills up, but decision rights stay fuzzy. Operations assumes it is leading. Legal assumes it will review later. Communications starts drafting before the facts are stable. Security assumes every decision in a cyber event belongs to them. None of that is unusual. It is just expensive.
A better first-day move is narrower and calmer: name the crisis lead, define which issues get escalated to the executive team, set a cadence for decision updates, and make explicit who can approve major calls.
2. Build One Trusted Picture of the Situation
The second leadership job is not to know everything. It is to know what is known, what is assumed, and what is still unverified.
NIST incident response guidance is especially useful on this point. It emphasizes collecting and analyzing incident-related data, determining the appropriate response, and maintaining communication with management and other relevant parties. More recent NIST examples also point to regular leadership updates and distinguishing preliminary information from confirmed facts as investigations evolve. (Source: NIST SP 800-61 Rev. 2)
A workable executive checklist here is simple:
- What happened?
- What is affected right now?
- What is at risk if the situation worsens?
- What is the current business impact?
- What do we still not know?
- When will the next fact update be issued?
That structure helps across scenarios. In a cyber incident, the question is not only whether systems are down, but which essential services are affected and whether containment is creating wider disruption. In a facility event, the question is not only whether the site is unavailable, but how long alternate operations can hold. In a reputational event, the question is often whether the organization is facing a communications crisis, an operational crisis, or both.
3. Protect People and Essential Operations First
Early executive decisions should favor life safety, legal duty, and continuity of the most important services, not the loudest issue in the room.
FEMA planning guidance consistently points leaders toward priorities, objectives, and feasible courses of action rather than trying to solve everything at once. CISA’s incident response material, while cyber-focused, follows the same logic by separating preparation, analysis, containment, recovery, and post-incident learning. That is useful because it helps executives avoid jumping to restoration before they have agreed on what needs protecting first. (Source: FEMA CPG 101)
In practice, leaders should ask:
- Are people safe?
- Which essential operations must be protected in the next few hours?
- Which decisions cannot wait for perfect information?
- What can be paused without creating larger harm?
That is often where a crisis team gets unstuck. The goal in the first day is not full stabilization. It is making the first few high-value decisions that reduce exposure fastest.
4. Control Communications Before Rumors Fill the Gap
The first-day communications problem is usually not lack of activity. It is lack of control.
NIST’s incident handling guidance says organizations should establish communication procedures, including coordination with outside parties such as law enforcement, the media, and other stakeholders when needed. CISA’s guidance also underscores that incident response plans should clarify communication paths and responsibilities before an event occurs. (Sources: NIST incident handling guidance and CISA incident response basics)
For executive teams, that means three things.
First, communicate early enough to reduce speculation, but not so fast that messaging outruns facts.
Second, decide who owns internal workforce communication, customer or partner communication, regulator or law-enforcement engagement if required, and media handling if relevant.
Third, use one update path. A weak first-day pattern is multiple leaders speaking from different assumptions. A stronger pattern is one approved message path, one cadence for updates, and one owner for stakeholder coordination.
This is especially important because silence creates its own version of confusion. If leadership is not filling the gap, someone else will.
5. Create a Record and Prepare for the Next Operational Period
Documentation is not an afterthought in the first 24 hours. It is what keeps day two from starting over.
NIST guidance supports logging incident response activities and maintaining records that help teams analyze what happened and coordinate the next steps. FEMA planning guidance also emphasizes continuing coordination, assignments, and decision support over time rather than treating response as a one-time conversation. (Source: NIST SP 800-61 Rev. 2)
For leaders, the minimum record should show:
- major decisions made
- who made them
- what assumptions they relied on
- what actions were assigned
- what external obligations were triggered
- when the next leadership review will happen
That is where organizations often discover whether they are genuinely ready. Not because they have a plan, but because they can turn a fast-moving day into a usable command record.
Common First-Day Mistakes That Slow Decisions
A few mistakes show up repeatedly.
The first is overstaffing the room and understaffing decision rights.
The second is treating all information as equally reliable.
The third is communicating too broadly before leadership agrees on the operating picture.
The fourth is delaying action until every fact is known.
The fifth is failing to document decisions, which forces the team to reconstruct the day later.
These are not theoretical problems. They are the usual reasons first-day response feels chaotic even when capable people are involved.
Conclusion
The first 24 hours of a crisis should not try to solve the whole event.
They should create enough structure that the organization can make faster, cleaner decisions under pressure.
That means clear authority, one trusted picture of the situation, focused protection of people and essential operations, controlled communications, and a visible record of what happened and what comes next.
If your executive team is not confident about how those first-day decisions would actually work under pressure, that is where MHA Consulting can help. We work with organizations on crisis management readiness, leadership decision structure, and practical response planning so the first day is less reactive and more controlled.
FAQ
What should leaders do in the first 24 hours of a crisis?
Leaders should confirm decision rights, build a trusted picture of the situation, prioritize people and essential operations, control communications, and document major decisions and actions.
Who should be involved in first-day crisis decisions?
That depends on the event, but it usually includes the executive crisis lead, operations, legal, communications, HR, security or IT as relevant, and anyone responsible for essential business services affected by the disruption.
What communications should happen in the first day of a crisis?
The organization should establish one approved path for internal and external updates, clarify who owns employee, customer, regulator, partner, and media communications, and communicate early enough to reduce speculation without outrunning the facts.
Why does documentation matter in the first 24 hours?
Because without a clear record of decisions, assumptions, actions, and owners, teams often lose accountability, repeat discussions, and waste time reconstructing what happened when the next operational period begins.
Michael Herrera
Michael Herrera is the Chief Executive Officer (CEO) of MHA. In his role, Michael provides global leadership to the entire set of industry practices and horizontal capabilities within MHA. Under his leadership, MHA has become a leading provider of Business Continuity and Disaster Recovery services to organizations on a global level. He is also the founder of BCMMETRICS, a leading cloud-based tool designed to assess business continuity compliance and residual risk. Michael is a well-known and sought-after speaker on Business Continuity issues at local and national contingency planner chapter meetings and conferences. Prior to founding MHA, he was a Regional VP for Bank of America, where he was responsible for Business Continuity across the southwest region.