Crisis Management Plan Over Crisis PR: Four Key Decisions for Small and Medium-Sized Enterprises
03.06.2026

Most mid-sized companies have a crisis PR plan in a folder, and no crisis plan in their heads. That becomes painfully clear the moment a data breach, supply chain failure, or sudden change in leadership strikes. The difference between a company that survives a crisis and one that doesn’t rarely lies with the communications team.

Key Takeaways

  • Crisis plans are operational, not communicative: Those who prioritize PR messaging before the operational picture is clear are just kicking the problem down the road. The first 48 hours determine reputation, not the press release.
  • Accountability must be crystal clear on day one: Too many mid-sized companies lack a defined crisis team. Instead, decisions are made on the fly based on availability and hierarchy, which only compounds the damage when it matters most.
  • Drills cost less than a single incident: A half-day tabletop exercise each quarter delivers more security than any 50-page manual. If you don’t practice, you don’t have a plan, just paperwork for an insurance claim.

What a crisis plan is, and what it isn’t

A crisis plan isn’t a document. It’s a set of decisions made in advance because, when disaster strikes, there’s no time left to make them: who decides what, when, with what authority, and with what budget. If these four questions are answered in writing and the team knows them, the company has a plan. If an 80-page PDF sits buried in the intranet and no one knows where to find it, compliance has been ticked off, but nothing more.

It sounds obvious. It isn’t. I’ve worked with mid-sized companies that, after a cyber incident, spent hours internally debating who had the authority to hire external forensic experts. Hours lost while data continued to leak. That decision could, and should, have been made the day before, the year before, or five years ago. But it wasn’t.

Crisis PR has its place, but later. A press statement without an operational picture is just an assertion that the next media question will burn into the record. Communicate too soon without knowing the facts, and you’re writing your own scandal.

Four Decisions That Must Be Made First

There’s no one-size-fits-all formula. But every mid-sized company’s crisis preparedness must address four key points. If any are missing, the plan is incomplete.

  1. Who convenes the crisis team? One named individual, one deputy, and a second deputy. Not “senior management”: they could be traveling, sick, or in a board meeting. This is the only decision that cannot be delegated.
  2. Who is authorized to act, and what can they do? Forensics, lawyers, cloud forensics, PR agencies, IT service providers. With spending limits and pre-drafted contracts where possible. If you’re comparing lawyers in the middle of a crisis, you’ve already lost.
  3. Which data is critical? Not all data is equal. For most mid-sized companies, three categories suffice: customer data, HR data, and operational technical data. Each with a downtime tolerance in hours, a recovery time, and a Plan B.
  4. Who speaks externally? One voice to the outside world, with a backup. Press inquiries, regulatory requests, customer calls. Multiple voices create contradictions that later need correcting; that’s the second wave of the crisis.

These four points fit on one page. That’s all you need. Anything more just gets in the way.

What’s Missing When It Counts

  • 62 percent of mid-sized cyber incidents in the DACH region are handled without a clearly defined crisis team, according to Allianz’s 2024 analysis.
  • Companies lose 2 to 4 hours on average before engaging external forensics because internal authorization is unclear.
  • Lacking a prepared tabletop scenario extends downtime by an average of 11 days. Source: BSI Situation Report 2025.

Why the Tabletop Matters More Than the Document

A tabletop exercise is a two- to four-hour drill simulating a realistic incident. No actual IT action, no press releases, no external intervention, just people at a table reacting to escalation cards. If someone spends an hour hunting for the right contact list, they’ve had a productive half-day without a single byte of data lost.

Tabletop drills are uncomfortable. They reveal that the press officer is reachable on vacation, but the IT director isn’t. That the law firm’s weekend on-call service isn’t what you thought. That the crisis team leader’s second deputy moved to another department two years ago. These are exactly the insights you need.

Most mid-sized companies I’ve seen run two drills a year: one before summer, one in autumn. More is possible, but two is a realistic minimum for any organization serious about its crisis plan.

Three Mistakes Hidden in Nearly Every Plan

  • Unspoken assumptions about availability: “We’ll notify senior management immediately” doesn’t work if they’re on a flight with no signal. Availability matrices with time windows and escalation steps are often missing entirely.
  • Mixing reputation management with fact-finding: If the communications team starts drafting statements in the first hour instead of listening to forensics, they’ll have to retract them two hours later. That does more damage than silence.
  • Over-engineered plans: An 80-page document no one knows is weaker than two pages everyone on the crisis team has memorized. Compliance loves thick manuals. In a crisis, they’re useless.

What remains after a crisis if you were prepared

Companies that are prepared are recognizable by the fact that they don’t need to initiate fundamental reforms after an incident. They refine details. They expand the plan with insights from the real-world case. They rehearse the next scenario with the updated material. Companies that are unprepared are recognizable by the fact that an internal report is commissioned, external consultants are brought in, and six months later a new concept is presented, one that ends up just as unused in the drawer as the previous one.

The truth is uncomfortable: crisis management isn’t more expensive than other disciplines in the mid-sized sector. It’s just less visible. No one receives an award for a crisis that went smoothly without ever becoming public. Investing in crisis preparedness means investing in an asset that remains invisible in everyday operations. That makes it easy to neglect.

If I could give mid-sized companies one piece of advice: reduce the plan to two pages, run drills twice a year, and clarify the four decisions in advance. Everything else is window dressing.

Frequently Asked Questions

Who should be part of a mid-sized crisis management team?

Managing director with deputy, IT lead, legal department or external counsel, communications lead, and, depending on the incident, an operations manager, for example from production or logistics. In practice, more than six people rarely remain effective.

How often should tabletop exercises be conducted?

Twice a year is a realistic minimum: one in spring and one in autumn. Companies in regulated environments should aim for four exercises annually, testing different scenarios from cyber incidents to key-person unavailability.

Is external crisis management consulting worth it?

External support makes sense for setting up a crisis team and running the first tabletop exercise, because it introduces routines and uncovers blind spots. After that, the knowledge should stay in-house. Relying permanently on external providers means you have a framework contract, not crisis management.

How does crisis management differ from business continuity?

Business continuity addresses the restoration of processes. Crisis management addresses the management of the incident itself, including communication and decision-making under uncertainty. Both are connected but not the same, and should be governed by separate plans.

What does adequate crisis management cost mid-sized companies?

The initial setup with external support typically ranges from €15,000 to €40,000 for a mid-sized site, depending on complexity. Ongoing costs include two to four exercise days per year, plus retainer fees for forensics and law firms, usually structured as option contracts.

Source header image: Pexels

A magazine by evernine media GmbH