crisis-communications-coach

Coach an executive team through a corporate crisis communications event. The first 24 hours determine 80% of the outcome; bad early decisions compound for months. Most crises are survivable; mishandled crises become the defining story of the company.

This is not general PR / brand work. This is real-time response under pressure with legal, regulatory, and reputational stakes.

When to engage

Trigger when:

• "We have a crisis right now"
• "Data breach disclosed; customers asking questions"
• "Major outage hour 4 — customers raging on Twitter"
• "Press just contacted us about [allegation]"
• "Executive misconduct claim from former employee"
• "Regulator has opened an inquiry"
• "Customer made viral negative post — what do we do?"
• "We're about to disclose [bad thing]; how do we frame it?"

Do not engage for: routine PR messaging, brand-building, product launches, typical media-relations work (use a different framework).

Step 0: First-hour response

The first hour after a crisis emerges sets the tone. Treat it with extreme discipline.

Activate incident command

• CEO + General Counsel + Head of Comms + relevant function head (CISO for breach, CTO for outage, CHRO for personnel issues) form the crisis team.
• One designated decision-maker (usually CEO or COO).
• One designated comms lead (Head of Comms or external crisis-comms firm).
• One designated note-taker; everything is logged with timestamps.

Suspend routine comms

• Pause scheduled marketing emails, social posts, PR pushes.
• All inbound press goes through one funnel.
• All employee communications go through one channel.
• Hold non-essential meetings / customer calls until you have your bearings.

Gather facts

• What happened? (Confirmed facts only.)
• What's the scope? (Who's affected? How many?)
• What's known vs unknown?
• What's the timeline?
• Who else knows internally?
• Has it leaked publicly? (Search Twitter, Reddit, Google Alerts.)

Issue a holding statement (within 1-2 hours, sometimes faster)

Even before full investigation, acknowledge:

• "We're aware of [event]"
• "We're investigating"
• "We will provide an update by [time]"
• "Our priority is [customers / safety / etc.]"

Don't speculate. Don't deny. Don't apologize for things you don't know happened. Acknowledge that you're aware and you're acting.

Priority stack

Crises involve trade-offs. The standard priority order:

1. Legal exposure / liability — Counsel reviews every external statement. If counsel says "do not say X", don't say X without escalation.
2. Customer safety — If customers are at physical or financial risk, communication moves faster than perfect.
3. Customer information / consent — Privacy, breach notifications, transparency obligations.
4. Employee morale — Internal communication usually beats external; employees should hear from the company before they hear from CNN.
5. Press narrative — Shape the story rather than letting it be shaped for you.
6. Investor relations — Major financial / reputation events affect stock or fundraising.
7. Regulatory posture — Pre-empt regulator inquiries with proactive disclosure when appropriate.
8. Partner relationships — Channel partners, vendors, customers' customers.

Re-prioritize for context. A breach inverts to: customers > regulators > legal > employees > press > investors. An executive-misconduct case inverts to: legal > employees > board > customers > press.

Truth, positioning, and the balance

Don't lie

• The internet remembers. Lies surface within days; the second story (the cover-up) is always worse than the first.
• "We have no evidence of X" can be honest if true; "X did not happen" without certainty is reckless.

Don't speculate

• "We're investigating" is fine.
• "We don't yet know whether [X]" is fine.
• "It's likely caused by [Y]" — only if you're 95%+ certain.

Do over-communicate when facts are clear

• Once you have facts, share them faster than competitors / press / customers expect.
• Silence becomes the story.

Don't apologize for unproven harm

• "I'm sorry this happened" — fine.
• "We acknowledge harm and accept responsibility for X" — only when verified.
• Premature accountability can create legal exposure on harm you didn't actually cause.

Don't make promises you can't keep

• "We will refund every affected customer" — only if you've actually committed and budgeted.
• "We will fix this within X days" — only if you have a real plan.

Audience-specific messaging

Each audience requires tailored communication. Don't blast one statement everywhere.

Customers

• Email or in-app message, not just blog post.
• Direct: what happened, what it means for them, what to do, what we're doing.
• Affected vs unaffected: explicitly tell affected customers; don't make them dig.
• Tone: empathetic, factual, action-oriented.
• Channel: their primary contact channel + secondary backup.

Employees

• All-hands or mass-email, before external announcements when possible.
• Internal-only details (more candid than public).
• "Here's what we're saying externally" — give them the public messaging so they don't get caught off-guard.
• Q&A session if scope is significant.
• Manager toolkit for handling team-level questions.

Press

• Designated spokesperson (not multiple; voices align).
• Holding statement → full statement → Q&A as fact pattern develops.
• Decisions:
  • Proactive press release vs respond-to-inquiries-only.
  • Exclusive to one outlet vs broad embargo vs press conference.
  • On-record vs background vs off-record.
• "No comment" is sometimes correct but rarely; usually a brief acknowledgment is better.

Regulators

• Often required by law (breach notifications: 72 hours in EU GDPR, varying in US states).
• Counsel-led, with regulatory affairs.
• Tone: transparent, complete, cooperative.
• What you say to regulators may become public via FOIA / disclosure.

Investors

• Schedule call within 24-72 hours of major event.
• Brief written statement (1-2 pages).
• Honest assessment of impact.
• Forward look on remediation, financial impact, narrative.
• For public companies: 8-K filing if material.

Partners (vendors, channel partners, customers-of-customers)

• Direct outreach to top-tier partners.
• Standard messaging: facts, actions, partner-relevant impact, your support commitment.

Social media (broader audience)

• Initial brief acknowledgment (matches holding statement).
• Don't engage in arguments.
• Don't delete negative comments (escalates).
• Don't auto-respond with stock messaging.
• Update post with edits as situation develops, with timestamps.

Holding-statement design

Standard holding statement (60-150 words):

We're aware of [event] that occurred [time] and affected [scope, if known].
Our team is actively investigating and we are taking immediate action to [stated priority — e.g., contain, secure, support customers].
We will provide an update by [time, typically 4-12 hours].
Affected customers can reach us at [contact].
Our priority is [customer safety / data protection / restoring service].

Key elements:

• Acknowledge.
• Commit to investigate / act.
• Set next-update timeline.
• Provide affected-party support channel.
• State priority.

Avoid: speculation, premature apology, blame, evasion.

Full-statement design

Once facts are clear (typically 12-72 hours):

What happened: [factual summary, scope, timeline]
Who's affected: [specific groups with numbers if known]
What we're doing: [containment, remediation, support actions]
What we're not certain about yet: [honest acknowledgment of unknowns]
Our accountability: [what went wrong, what we're changing]
Our commitments: [specific actions, with timelines]
How affected parties can get support: [channels, escalation path]
Next update: [if more is forthcoming]

Format depends on channel: blog post + email + press release + investor brief, often coordinated.

The legal-comms tension

Counsel and comms have different priorities:

• Counsel: minimize legal exposure → say less, qualify everything.
• Comms: protect narrative and trust → say more, be human.

Common conflicts:

• "I'm sorry" — counsel often blocks (admission of fault).
• "We will refund" — counsel may block (precommitment).
• "It was caused by [vendor]" — counsel almost always blocks (litigation risk).
• Apologies in user-facing statements vs legal-defensive language.

Resolution:

• Empathy without admission: "We deeply regret the impact this has had" (regret ≠ legal admission of fault).
• Action without precommitment: "We are working with affected customers individually."
• Accountability without naming: "We are reviewing our processes" rather than "the third-party vendor caused this."

When to push back on counsel:

• When silence creates worse legal/reputational exposure than action.
• When the legal-conservative language is so empty it damages credibility.
• When the public has clear evidence already; denial isn't credible.
• Always with the General Counsel personally, never around them.

Press strategy

Proactive vs reactive

• Proactive (announce before press finds out): when scope will become public anyway, proactive shapes narrative.
• Reactive (respond when asked): when scope is contained and proactive raises more questions than it answers.

Exclusive interview

• Sometimes effective: gives one outlet depth, treats them as partner, controls narrative.
• Risk: alienates other outlets; can backfire if interview goes poorly.
• Use when: you have a complex story to tell, the outlet is sympathetic / serious, there's no time pressure for broad communication.

Public statement only (no interviews)

• Written statement covering essential information.
• No follow-up interviews.
• Best when: facts are still developing, legal exposure is high, executive isn't available / prepared.

Press conference

• High-stakes, broadcast simultaneously.
• Reserve for: major reputational events, regulatory announcements, strong executive presence required.
• Risk: questions can derail; requires extensive preparation.

"No comment"

• Rarely the right answer publicly.
• Better: brief acknowledgment + reason for limited info ("We're in active investigation and can't share details at this time").

Social media response

What to post

• Match the holding statement; brief acknowledgment + commitment + update timeline.
• Pin to top of profile.
• Update as facts develop.

What not to do

• Argue with commenters.
• Delete negative comments (becomes the story).
• Auto-respond with templated messaging.
• Joke or post unrelated content during active crisis.
• Post during the crisis from accounts unrelated to the issue.

Executive personal posts

• Sometimes effective (CEO personally addresses customers).
• Risk: every personal post becomes part of the story.
• Coordinate with comms team; never freelance during crisis.

Specific crisis types

Data breach / security incident

• Required disclosures: GDPR 72 hours, US state laws vary (typically 30-60 days).
• Customer notification: required for affected individuals.
• Regulator notification: often required.
• Credit monitoring offer: standard for material breaches.
• Avoid: minimizing scope, hiding "low-impact" details that turn out to be high-impact.

Product outage

• Status page: real-time updates.
• Incident commander identified publicly.
• Post-mortem within 5 business days (technical + accountability).
• Customer compensation: SLA credits, sometimes additional good-faith credits.
• Avoid: blaming third parties (cloud provider, etc.) — they may be the root cause but the customer relationship is yours.

Executive misconduct allegation

• Legal team and HR lead.
• Independent investigation typically required.
• Suspension during investigation often necessary.
• Public statement usually delayed pending investigation.
• Avoid: defending without facts, attacking accuser (universally backfires), blocking media access.

Customer-harm incident

• Immediate care for affected customer (medical, financial, etc.).
• Investigation of root cause.
• Communication to affected + similar customers.
• Compensation framework.
• Product changes if needed.
• Avoid: treating one customer's case in isolation when others may be similarly affected.

Regulatory action

• Counsel-led entirely.
• Public statement typically minimal: "We are cooperating with [regulator] on [topic]."
• Disclosure obligations: 8-K for material public-company actions.
• Avoid: speculation about outcome, public attacks on regulator.

Hostile media coverage

• Distinguish: factually wrong vs unflattering-but-true.
• Wrong: request correction; provide evidence.
• Unflattering-but-true: respond with context, not denial.
• Don't sue for press coverage unless coverage is defamatory and damages are significant — lawsuits become bigger story than the original.

Viral social-media incident

• Within hours: brief acknowledgment.
• Within 24 hours: action + statement.
• Don't fight virality; address substance.
• Single individuals (employee misbehaving on video, etc.): address individual + structural response.

Founder is the cause

• Hardest scenario. Requires founder + board alignment.
• Possible outcomes: founder steps back / steps down / takes leave / receives counseling / continues with corrective action.
• Often pairs with founder-CEO-firing-coach scenarios.

Post-crisis recovery

Root-cause communication

• 30-60 days post-crisis: comprehensive analysis + corrective actions.
• Builds credibility for future trust.
• Includes: what went wrong, why it went wrong, what's changing, what to expect from us going forward.

Customer reassurance

• Direct outreach to affected customers.
• Refunds / credits / extended trials as appropriate.
• Executive 1:1s with major affected customers.

Employee retention

• Active conversations with at-risk talent.
• Manager training on handling external questions.
• Anniversary / refresh grants if needed.
• Honesty in town halls about lessons learned.

Investor confidence rebuild

• Quarterly progress reports on remediation.
• Consistent metrics demonstrating recovery.
• Don't oversell; let actions accumulate.

Narrative reset

• Wait until recovery is real (typically 6-12 months).
• Then: signal a new chapter (new product launch, new exec hire, strategic milestone).
• Don't pretend the crisis didn't happen; integrate the lesson into the company's story.

Anti-patterns

• Silence in the first hours. Becomes the story.
• Over-promising. Walking back commitments later is its own crisis.
• Apologizing for unproven harm. Creates legal exposure.
• Lying or shading the truth. Always surfaces; second story worse than first.
• Multiple spokespeople. Different voices say different things; trust erodes.
• Attacking accuser / press. Universally backfires.
• Deleting evidence. Tweets, comments, posts. Becomes obstruction.
• Skipping employee comms. Employees become the leak.
• Hiding behind PR statements. Customers see through.
• Crisis fatigue / autopilot. Treating each new crisis like the last; each is unique.

Workflow

Pre-crisis (preparation)

• Crisis-comms playbook documented.
• Crisis team identified; roles defined.
• Templates pre-drafted (holding statements, press releases by category).
• Scenario tabletop exercises (annual minimum).
• Spokesperson media training.
• External crisis-comms firm on retainer (optional but recommended for high-risk industries).

During crisis (active)

• Hour 1: assemble team, gather facts, holding statement.
• Hour 2-12: investigation, audience-specific drafts, legal review.
• Hour 12-72: full statement, audience-specific rollout, media engagement.
• Days 3-7: ongoing updates, customer support, employee communication.
• Days 7-30: action implementation, narrative monitoring.

Post-crisis (recovery)

• Day 30-60: root-cause communication.
• Day 60-180: relationship rebuild.
• Month 6-12: narrative reset.
• Annual: lessons-learned exercise, playbook update.

Integration with other coaches

• founder-CEO-firing-coach: when crisis triggers leadership transition.
• board-meeting-prep-coach: crises always involve board; prep is critical.
• enterprise-sales-coach: customer-facing impact during crisis.
• nrr-recovery-coach: crisis-driven churn requires recovery work.
• chief-of-staff-onboarding-coach: CoS often coordinates crisis response.

A crisis tests the entire company. The communications function is the most-visible, most-time-sensitive part. Get the first 24 hours right; everything else gets easier.