Under normal circumstances, a company seeks to optimize performance, growth, efficiency, projects and roadmap.
But when a crisis situation arises, priorities change immediately. The goal is no longer to "do more" or "do better," but to protect, stabilize, and maintain the essentials.
The hierarchy of priorities should shift as follows:
Safety of individuals (physical + psychological)
Clarity and coordination (who decides, where to get information, at what pace)
Realistic continuity (prioritize the essential, accept the degraded mode)
Asset protection (data, finances, reputation)
Gradual return to normal (learn, improve, strengthen)
In practice, many organizations switch too quickly to "how to work" (tools, VPN, procedures) without clarifying the framework. However, in a crisis, management communication is not just informative: it becomes an act of leadership.
This is a crucial moment when the company shows, very concretely, its real priorities: safety before performance, transparency before assumptions, coordination before improvisation. It is also an opportunity to demonstrate compassion and support for employees, and to prove its level of preparedness (or, at the very least, its ability to organize quickly). These signals reassure the teams and they are not confined to the internal environment: they are often discussed, compared, and shared in circles of trust, among colleagues, families, partners, and clients.
Here are the messages that make a difference: those that reduce anxiety, avoid rumors, limit mistakes, and allow teams to get through the period without exhausting themselves.
Priority number 1: the safety of individuals
Say it clearly, right from the first line. A credible company in crisis prioritizes safety over productivity.
Messages to convey:
“Your safety comes first.”
“If you feel in danger or in difficulty, inform your manager.”
Safety is not limited to the physical. In times of crisis, it also includes mental load, fatigue, family pressure, and isolation.
An official source of information for internal and external use
In a crisis, a common mistake is to mix messages: the same text sent to the teams, then "copy-pasted" to the clients. The result: poorly adapted information, inconsistencies, or unintentional promises.
The simple rule: one single "owner" of the truth, but two narratives.
A) Internal communication (teams)
Objective: safety, clarity, coordination.
Messages to convey:
“Here are our official sources: [authorities / internal crisis unit].”
“Here is our unique internal channel: [Teams/Slack/Email].”
“We avoid sharing unverified information (even with good intentions).”
“If you see concerning information: do not spread it, report it here: [channel].”
Internally, we can be more operational: telework rules, escalation, immediate actions, internal constraints.
Good reflex: prepare an "internal message" that can be activated quickly and covers all the elements: security, work organization, information and rhythm, IT and cybersecurity, support and flexibility.
B) External communication (clients / partners)
Objective: continuity, trust, commitment, without overexposing internal matters.
Messages to convey:
“We remain operational and reachable via: [channels].”
“Here is our current level of service: [normal / degraded mode / adjusted timelines].”
“Here is what changes (if necessary): schedules, deadlines, support, appointments.”
“We will communicate again at [frequency] or in case of significant change.”
Externally, we avoid:
security/threat details,
hypotheses,
sensitive information (internal organization, location, vulnerabilities),
ambitious promises (“zero impact”) if we are not certain.
Good reflex: prepare a very short "customer message" that can be activated in 10 minutes: operational status, channels, any potential delays, and follow-up commitment.
Transparency: what we know / what we do not know
The teams do not expect a perfect speech. They expect honest, factual, and regular communication.
Recommended structure:
What we know (facts, dated)
What we are doing now
What is being verified
Next update at [time]
To say "we don't know yet" is often more reassuring than vague hypotheses.
Who decides what: governance and escalation
In times of crisis, the absence of governance creates confusion, contradictions, and duplicate decisions.
Messages to convey:
“Here is the person/role that makes the decision (Crisis Lead).”
“Here are the points of contact: security / HR / IT / operations.”
“Here is the escalation rule in case of emergency: contact X.”
And above all: one question = one channel. Otherwise, you will drown in private messages.
Business continuity: we prioritize
"Business as usual" is often unrealistic. Continuity means doing the essentials and accepting that the rest can be put on hold.
Messages to convey:
“Here is what is critical and must continue.”
“Here is what happens in degraded mode.”
“Here is what is postponed.”
Stating what is not expected protects teams and avoids the escalation of "presenteeism".
A communication rhythm (and fixed points)
Stress increases when there is no horizon. A solid company creates a rhythm, even a minimal one.
Messages to convey:
“Official update at 9 AM and 5 PM.”
“Manager briefing 15 minutes before.”
“If nothing changes, we will say so too.”
Remote work: simple, realistic rules, and a backup plan
Yes, there needs to be an IT aspect, but it should be brief, practical, and designed for a stressful context.
To include:
authorized tools
authorized / prohibited devices
privacy rules (screen, documents, public places)
IT support (hours + channel)
plan B if the VPN or services are unavailable
Objective: to prevent teams from spending 2 hours "struggling with access."
Enhanced IT Security
Crises create opportunities for attacks (phishing, identity theft, fake support, etc.). And when people are stressed, they click faster.
Messages to convey (simple version):
MFA mandatory everywhere
no file transfer to personal email
extreme caution regarding links and attachments
“in case of doubt, we ask — even after clicking”
Human dimension: flexibility & support
The role of management is not just to organize work: it is to keep teams functional.
Messages to convey:
temporary schedule flexibility
support options (HR, hotline, referents)
special attention to isolated / overloaded individuals
After the crisis: debriefing and improvement
Ending with this promise changes the dynamic: you are in control, not in panic.
Messages to convey:
“We will conduct a feedback session (RETEX).”
“The plan is alive: we adjust.”
“Thank you for reporting what is blocking: we will fix it quickly.”
Conclusion
The crisis is a revealer and an opportunity for maturity
The classic trap: confusing "continuity" with "IT". Remote work is a means, not a message.
Of course, IT procedures are necessary (VPN, MFA, tools, support). But a crisis is not primarily a technical problem. It is a moment when uncertainty rises, stress increases, and the organization must avoid improvisation.
A crisis reveals the maturity of an organization: its governance, its sense of priorities, its ability to communicate clearly, and its level of preparedness (continuity, cyber, HR). But it also offers an opportunity: to strengthen what was lacking, formalize a plan, clarify roles, test channels, and improve reflexes.
Because in the end, what keeps a company afloat during a crisis is not just the technology: it is the quality of leadership and the quality of the messages.
Crisis preparation for Managers & Executives
Compact checklist
1) Governance & roles
Crisis Lead appointed + backup (24/7 if needed)
Defined crisis cell (HR, Ops, IT/Sec, Comms, Legal, Finance) + updated contact information
Clear RACI: who decides / who executes / who validates / who communicates
Escalation procedure (criteria, deadlines, single channel)
Documented "crisis" playbook, accessible outside the internal network (if it is unavailable)
2) Ready-to-use communication (internal vs external)
Validated templates: internal message, client/partner message, FAQ, daily update
Defined official channels: Teams/Slack/email/SMS + "Questions" channel
Unique spokesperson (and substitute) + speaking rules (who can say what)
Decided update frequency (e.g. 9am/5pm) + "brief managers" ritual
Transparency guide: what we know / do not know / next update (anti-rumors)
3) Business priorities & continuity (BCP)
Critical services/processes identified (Top 3–5) + "degraded mode" service levels
List of critical dependencies (key people, suppliers, platforms, sites)
Replacement / rotation plan (bus factor) + signature delegations
"Crisis" backlog: what stops, what continues, what is postponed
Priority client list + proactive message ready
4) People & HR
Clear policy: security first, flexibility, right to pause
HR/assistance contact (EAP/hotline) + support process
Plan for isolated/vulnerable employees + 1:1 check-ins
On-site presence / telework rules + exceptions
Emergency contact list + "I am safe" procedure
5) IT & cybersecurity (minimal viable + plan B)
MFA/SSO activated everywhere, access reviewed (least privilege)
Tested VPN/VDI capacity (load) + alternative solution if saturation occurs
Equipment and access: who has what (laptop, tokens), structured BYOD management
Verified backups (tested restoration), known RPO/RTO
Phishing/incident procedure: simple, non-blaming reporting, SOC/IT reachable
List of "must-have" apps + offline procedure (if tool is unavailable)
6) Sites, safety, travel
Site plan: opening/closing, access, badges, security, evacuation
"Shelter / lockdown / evacuation" procedure (depending on context) + assembly points
Travel policy (stop/go) + validation + insurance
Key numbers and security service providers updated
7) Legal, compliance, insurance
Contractual clauses: force majeure, SLA, penalties, client notifications
Regulatory obligations (data, privacy, sensitive sectors) identified
Insurance: cyber coverage / business interruption / liability — contacts & procedures
Decision log process (trace of decisions) for audit/insurer
8) Suppliers & dependency chain
Critical suppliers list + direct contacts + SLA + contingency plans
Identified alternatives (second source) for vital services
Supplier access/support (hours, escalation, accounts)
Concentration risks (one provider / one region / one person)
9) Training & continuous improvement
“Table-top” exercises 1–2 times/year (scenarios: cyber, site unavailability, health crisis, security incident)
Formalized RETEX after incident + playbook update
Periodic audit: access, contacts, templates, IT capacity, backups
“Digital go-bag”: essential documents (contacts, procedures, templates) accessible everywhere