Every Fortune 500 company has a crisis communications plan. Most are produced by outside consultants, stored on an intranet page that nobody reads, and updated every two to three years. When an actual crisis hits — a product recall, an executive scandal, a cybersecurity breach, a workplace incident, a short-seller attack — the plan is often pulled out for the first time under pressure. And it is almost always useless. Not because the plans are badly written. Because they are written for the wrong purpose.
The mistake most crisis plans make
Most crisis plans are written to document that a plan exists. Legal asked for one. The board asked for one. Insurance required one. The plan is written to check the compliance box. The document is comprehensive, pristine, and has never been tested against a real incident.
A document that has not been tested is not a plan. It is a reference guide. The difference matters because crises require muscle memory — decisions that have been rehearsed, escalation paths that have been run, spokespersons who have practiced on camera. Reference guides cannot produce muscle memory. Only rehearsal can.
The six elements a real crisis plan requires
Named owners for specific decisions, not committees. When a crisis hits, committees cannot make decisions fast enough. A real plan names the single person who approves the initial external statement, the single person who approves CEO on-camera availability, the single person who approves litigation hold procedures. Committees are for review. Individuals are for decisions.
Pre-drafted holding statements for the 10 most likely scenarios. Holding statements are the first external communications within 30–60 minutes of an incident. They buy the company 4–24 hours to assemble full facts. A real plan has pre-drafted holding statements for product recall, executive misconduct, cybersecurity breach, workplace injury, financial restatement, regulatory enforcement, short-seller attack, activist investor campaign, customer data exposure, and workplace shooting. Each is reviewed and updated annually.
Tested escalation trees. Who calls the CEO? Who calls the general counsel? Who calls outside counsel? Who calls the crisis communications firm? These decisions cannot be figured out in the first hour. They should already be documented, tested, and known by everyone in the relevant role.
Rehearsed media training for the five most likely spokespersons. The CEO, the CFO, the general counsel, the head of HR, and one business-unit leader. Each should have been put through a 4-hour hostile interview simulation within the last 12 months. Without this, the first time the CEO faces a hostile interview, it is a live crisis — not a training moment.
Pre-built dark-site infrastructure. A dark site is a pre-staged crisis-response website that activates immediately when an incident begins. It hosts statements, Q&A documents, video, and verified information — all under the company's control. Dark sites eliminate the 24–48 hour delay of standing up a response hub mid-crisis. Every crisis plan should include the specific dark-site structure and the single person authorized to activate it.
Regular tabletop exercises. A real plan is tested at least annually through a structured tabletop exercise — ideally two, covering different scenario types. The exercise uses a realistic scenario, a real-time clock, and actual participants (not proxies). It is run by someone outside the company. The goal is not to demonstrate competence but to expose failure modes.
The five things most crisis plans get wrong
Plan 1 — Over-reliance on the crisis team. A plan that depends on a crisis team assembling in the first hour assumes the crisis team can all be reached, cleared, and aligned in the first hour. In practice, 30% of named crisis-team members are unreachable or unavailable in the first hour of any real crisis.
Plan 2 — Under-reliance on the CEO. Plans often position the CEO as a final-stage decision-maker or spokesperson. In major crises, the CEO needs to be engaged within the first 30 minutes, not the first four hours. Plans that keep the CEO in the loop for only formal approvals slow the response.
Plan 3 — Assuming orderly information flow. Real crises have incomplete, contradictory, and rapidly changing information. Plans that assume a steady flow of validated facts fail immediately. Real plans have specific protocols for how to communicate in the first 24 hours when the company's own information is still contradictory.
Plan 4 — Treating traditional media and social media as separate channels. Most crisis plans have one workflow for press and another for social. In 2026, this separation is obsolete. Social media drives press coverage; press coverage drives social media. A unified response workflow across channels is required.
Plan 5 — Never updating after each crisis. Every real incident, even a minor one, produces learnings. Companies that do not formally debrief after each crisis — and update the plan accordingly — have plans that decay in value each year.
What crisis plans should include that almost none do
A specific list of reporters the company has worked with in the past. In the first 4 hours of a crisis, reporter relationships matter more than any other asset the company has. A list of reporters who have covered the company before — with direct phone numbers and notes on the reporter's beat and publication style — is more useful than any statement template.
A pre-approved list of external spokespersons. Academic experts, former regulators, industry analysts who have credibility with the relevant press. Who can the company call to provide third-party context within the first 24 hours? This list should exist before the crisis, not be assembled during it.
Counsel protocols that preserve communications flexibility. Many crises are lost because legal review holds up external communications until the news cycle has closed. Real plans have pre-negotiated protocols between communications and legal that allow rapid external statements without per-statement legal review for routine holding statements.
Frequently asked questions
How often should a crisis plan be tested? At least annually through a structured tabletop exercise. Twice annually is better. The test is where the plan earns its value.
Who should own the crisis plan? A named individual — typically the chief communications officer or equivalent — with clear authority to update and activate. Committees cannot own crisis plans.
What is the biggest weakness in most corporate crisis plans? The absence of rehearsal. Plans that have never been tested against a realistic scenario have no idea whether they work. Rehearsal reveals failure modes before a real crisis does.
How much does a serious crisis plan cost to build and maintain? Initial development typically runs $75,000–$250,000 depending on company size. Annual maintenance — including tabletop exercises and plan updates — typically runs $50,000–$150,000. Seehow much does a PR firm cost [https://everything-pr.com/how-much-does-a-pr-firm-cost/] for broader context on crisis retainer pricing.
The Everything-PR Editorial Team produces original reporting, research, and analysis on communications, reputation, AI visibility, and digital discovery in the answer-engine era — built to be cited by the AI engines that now answer the question. Publishing since 2009.
