Crisis Communication: 7 Moves for the First 48 Hours

In March 2023, a mid-size fintech company discovered that a former employee had leaked customer financial data to a competitor. The CEO learned about it at 9:14 AM on a Tuesday. By 11:00 AM, screenshots of the leaked data were circulating on Twitter. By 2:00 PM, three journalists had called the company’s main line asking for comment. The CEO said nothing for 48 hours. By the time the company issued a statement, the story had been shaped entirely by outsiders, and the narrative was “company covers up data breach.” The actual story was far more nuanced, but it didn’t matter. The silence had already told the public everything they needed to believe.

That company didn’t lack good intentions. They lacked a crisis communication guide. And that gap cost them 30% of their enterprise contracts over the following quarter.

Why Every Business Needs a Crisis Communication Plan Before the Crisis

The time to build a fire escape is before the building is on fire. Yet most companies treat crisis communication as something they’ll figure out when the moment arrives. A 2024 PwC survey found that only 38% of mid-market companies (revenue between $10 million and $500 million) had a documented crisis communication guide. Among those that experienced a public crisis in the prior two years, companies without a plan took an average of 3.2 days to issue their first public statement. Companies with a plan responded within 4.7 hours.

That speed gap isn’t just about optics. In the first 24 hours of a crisis, stakeholders form opinions that become resistant to change. Employees decide whether leadership is competent. Customers decide whether the company is trustworthy. Journalists decide the angle of their story. Investors decide whether to hold or sell. Every hour of silence is an hour where someone else writes your narrative.

A crisis communication guide doesn’t prevent crises. It prevents crises from becoming catastrophes.

Assemble Your Crisis Team Before You Need Them

Your crisis response is only as fast as your slowest decision-maker. If you need to figure out who has authority to approve a public statement while reporters are calling, you’ve already lost the first news cycle.

Build a standing crisis team of five to seven people. The CEO or senior executive serves as the ultimate decision-maker and, for major crises, the public spokesperson. The head of communications or marketing owns message development and media relations. Legal counsel reviews all public statements for liability exposure. The operations or product lead provides factual details about what happened and what’s being done. A customer-facing leader (head of sales or customer success) manages direct stakeholder outreach. And one person serves as crisis coordinator, keeping the team aligned and tracking action items.

Each person needs a backup. If your CEO is on a flight when the crisis breaks, who has authority to approve the first statement? If your head of comms is on vacation, who drafts the holding statement? Document these backups and make sure they’ve practiced the role at least once.

Store your crisis team roster, with personal cell numbers and backup designees, somewhere accessible even if your company’s primary systems go down. A printed copy in the CEO’s desk drawer and a shared Google Doc both work. What doesn’t work is a document buried in a Confluence wiki that nobody can find under pressure.

The First Two Hours: Acknowledge, Don’t Explain

When a crisis hits, your instinct will be to gather all the facts before saying anything. Resist that instinct. The goal of the first two hours isn’t to explain what happened. It’s to acknowledge that something happened and that you’re taking it seriously.

Your initial holding statement should accomplish three things: confirm that you’re aware of the situation, express appropriate concern for anyone affected, and commit to a specific timeline for a more detailed update. That’s it. Nothing more.

A strong holding statement sounds like this: “We are aware of reports regarding [specific issue]. We are treating this with the highest priority and are working to understand the full scope of the situation. We will provide a detailed update by [specific time, within 24 hours]. In the meantime, affected [customers/employees/partners] can reach us at [specific contact].”

Notice what’s missing: excuses, blame, speculation, or premature conclusions. You don’t know all the facts yet. Saying “we believe the impact is limited” before you’ve confirmed that is how companies end up issuing embarrassing corrections 48 hours later.

Send this statement to internal audiences first. Your employees should hear from you before they hear from a reporter or a tweet. Then distribute the same message to media contacts, post it on your website, and share it through your social channels.

Investigate Fast, Communicate Faster

Between your initial acknowledgment and your full response (which should come within 24 hours for most crises), your team needs to accomplish two parallel workstreams.

The investigation workstream focuses on facts. What happened? When did it start? How many people are affected? What caused it? What are you doing to stop it? What will prevent it from happening again? Assign your operations or product lead to gather these facts and report to the crisis team every two to four hours.

The communication workstream prepares your full public response. Your comms lead drafts the statement based on confirmed facts (not speculation). Legal reviews for liability issues. The CEO or spokesperson rehearses delivery if there will be a press conference or video statement.

These two workstreams must talk to each other constantly. New facts change the message. A discovered cause changes the tone. An expanding scope of impact changes the urgency. The crisis coordinator’s job is to keep information flowing between the investigation team and the communications team so the public statement reflects reality.

One critical rule: never release information you haven’t verified. If your investigation team thinks 500 customers were affected but hasn’t confirmed the number, say “we are still determining the full scope” rather than citing an unverified number you might need to revise upward later. Revising a number upward looks like you were minimizing the problem. Saying “we’re still investigating” and then providing a confirmed number looks like thoroughness.

Crafting Your Full Response

Your full crisis response, the detailed statement you release within 24 hours, needs to cover five elements.

First, state what happened in plain language. No jargon, no euphemisms. If customer data was exposed, say “customer data was exposed.” If a product caused injuries, say “our product caused injuries.” Audiences detect evasive language instantly, and it erodes trust faster than the crisis itself.

Second, explain what you’ve done so far. Concrete actions, not intentions. “We have shut down the affected system” is stronger than “we are committed to addressing this.” “We have contacted all affected customers by email” beats “we are reaching out to those impacted.”

Third, take responsibility where appropriate. This doesn’t mean accepting legal liability for everything. It means acknowledging that the problem happened on your watch and that you own the response. “This should not have happened, and we take full responsibility for making it right” is a powerful statement that doesn’t create specific legal exposure.

Fourth, outline your plan to prevent recurrence. This is where you show that you’re not just putting out a fire but fixing the system that started it. “We are implementing [specific change] to ensure this cannot happen again” tells stakeholders you’ve moved past reaction into prevention.

Fifth, provide a direct channel for affected parties. A dedicated email address, phone number, or web page where people can get personalized help. Generic “contact us” pages don’t cut it during a crisis. People want to feel like the company is personally responding to their situation.

Managing the Media Without Losing Control

Journalists will call. They will email. They will show up. How you handle media interactions determines whether coverage helps or hurts your recovery.

Designate one spokesperson and route all media inquiries to that person. Mixed messages from multiple spokespeople create contradictions that journalists will highlight. Your spokesperson should be the CEO for existential crises (data breaches affecting thousands, safety incidents, executive misconduct). For operational crises (service outages, product recalls, supply chain disruptions), a senior VP or department head can serve as spokesperson.

Prepare your spokesperson with three to five key messages and practice delivering them. Key messages are the core points you want to appear in every piece of coverage. They should be short enough to fit in a headline and clear enough that a twelve-year-old could understand them. “We discovered the problem, we fixed it within four hours, and we’re compensating every affected customer” is three key messages in one sentence.

When speaking to reporters, answer the question asked, then bridge to your key messages. Don’t speculate about causes you haven’t confirmed. Don’t comment on competitors or other parties. Don’t say “no comment” (it sounds like you’re hiding something). Instead, say “we don’t have that information yet, but here’s what we do know” and return to your key messages.

Record or take notes during every media interaction. This protects you against misquotation and provides a record of exactly what you said, which matters if the crisis leads to legal proceedings.

Internal Communication: Your Employees Are Your First Audience

A crisis communication guide that ignores internal audiences fails at the most basic level. Your employees are the people who answer customer calls, talk to their friends about work, and post on social media. If they don’t know what’s happening and what to say, they’ll fill the void with speculation.

Before your public statement goes out, brief your employees. Tell them what happened, what the company is doing about it, and what they should say if someone asks them about it. Provide a simple script: “We’re aware of the situation and taking it very seriously. For details, I’d point you to our official statement at [URL].” This gives employees a way to respond without freelancing answers.

Continue updating employees throughout the crisis, even when there’s nothing new to report. A daily email or Slack message saying “no new developments, we’ll update you as soon as we have more information” is better than silence that breeds anxiety.

After the crisis resolves, debrief your employees on what happened, why, and what changed. They deserve to understand the full story. This transparency builds the kind of organizational trust that makes the next crisis easier to manage.

The Recovery Phase: Turning Crisis Into Credibility

The acute phase of most crises lasts three to ten days. The recovery phase lasts months. How you handle recovery determines your long-term reputation.

Two weeks after the crisis, publish a detailed post-mortem. Explain what caused the incident, what you’ve changed, and what results those changes have produced. This isn’t a legal document. It’s a trust document. Companies like Cloudflare and GitLab have built enormous credibility by publishing transparent post-mortems after outages. Their customers trust them more after seeing how they handle failure, not less.

Follow up with affected parties individually. If customers lost money, compensate them. If partners lost business, discuss remediation. If employees were harmed, provide support. The follow-through matters more than the initial response because it proves your commitments were genuine.

Monitor public sentiment for three to six months after the crisis. Track media coverage tone, social media mentions, customer satisfaction scores, and employee engagement metrics. These indicators tell you whether recovery is working or whether lingering damage needs additional attention.

Build Your Crisis Communication Guide This Week

You don’t need a 50-page document to be prepared. A functional crisis communication guide fits on three pages and covers: your crisis team roster with roles and contact information, your holding statement template, your full response framework (the five elements above), your media handling protocols, and your internal communication plan.

Print it. Store it in three places. Review it quarterly. Run a tabletop exercise once a year where you simulate a crisis and walk through your response in real time. The first time you do this, you’ll find gaps: the legal contact who moved to a new firm, the holding statement template that references a product you discontinued, the media protocol that assumes you still have a VP of Communications (you don’t, she left in January).

Find those gaps now, while the building isn’t on fire. Your future self, standing in the middle of a crisis with reporters calling and stakeholders panicking, will be grateful you did.