The email lands at 7.12am. A regulator wants answers. A customer has posted screenshots on LinkedIn. Staff are messaging each other on WhatsApp. A journalist has left a voicemail asking for comment by 9am.

This is the point where legal advice and PR stop being separate workstreams. In a real SME crisis, they have to operate as one response. Every statement has legal consequences. Every legal decision has reputational consequences. Delay the lawyers and you create exposure. Let messaging drift and you give customers, staff and reporters a version of events you may not be able to correct.

I have seen this pattern from both sides, in newsrooms and in crisis response. Reporters move fast, but they do not create the story on their own. They work with what a company gives them: silence, confusion, partial facts, defensive wording, or a clear line that stands up to scrutiny. That is why legal crisis management has to be practical under pressure, not theoretical on paper.

For an SME owner, the answer is rarely a large corporate process with layers of sign-off. It is a tighter system built for speed. One legal lead. One communications lead. One verified set of facts. One line on what can be said now, what cannot be said yet, and what must be preserved for the record. If you need a model for the wider discipline involved, Lighthouse Consultants' crisis management shows how legal, operational and reputational pressure have to be handled together.

That same joined-up approach sits behind a practical crisis communications plan for SMEs. The point is simple. A legal crisis is also a media crisis the moment other people start filling gaps in public. The businesses that handle it best are the ones that respond with legal discipline, newsroom instincts and a single command structure from the first call.

Preparing for a Crisis You Hope Never Comes

A concerned woman sits at her desk, reviewing news of global supply chain disruptions on her tablet.

It is 7:12am. A customer has posted an allegation on LinkedIn, a reporter has emailed for comment, and your operations lead is calling to say staff are already discussing it on WhatsApp. If you are deciding your process at that moment, you are late.

Preparation gives you control before the noise starts. For an SME, that usually means a lean system. Clear authority, a fast route to legal advice, a set method for checking facts, and one approved line for anyone speaking outside the business. If you want a useful benchmark for disciplined coordination under pressure, Lighthouse Consultants' crisis management shows how legal, operational and reputational issues have to be handled together.

What preparedness looks like in practice

A usable plan answers the questions people ask under stress, not the ones that sound good in a board pack.

  • Who is in charge: Name the person who can make decisions if the founder is unreachable.
  • What triggers escalation: Spell out the incidents that move straight to the crisis team, such as a data breach, product safety issue, fraud allegation, employee death, regulatory contact, or serious service failure.
  • How facts are checked: Set one route for gathering and confirming information before anyone comments internally or externally.
  • How staff are told what to do: Use one internal channel, one instruction, and one rule against speculation.
  • Where records are held: Know where to find contracts, emails, CCTV, logs, complaints, access records, and insurance details.
  • Who speaks outside the business: Usually one trained spokesperson, backed by legal review and a clear approval process.

One rule matters more than the rest. A plan that depends on everyone staying calm and saying the right thing from memory will fail.

The best SME plans are short because they have to work at speed. In practice, a one-page escalation grid, a current call list, draft holding lines, and agreed sign-off rules will beat a long policy document every time. I have seen companies with thick manuals freeze, while smaller firms with three pages of clear instructions kept control because nobody had to guess.

Why legal and PR planning should be one system

Legal crisis management breaks down when counsel and communications work in parallel but not together. One protects privilege and liability. The other shapes what customers, staff, regulators and journalists hear first. In a real incident, those decisions collide within minutes.

That is where newsroom judgement changes the quality of the response. A former journalist will test your version of events the way a reporter will. What is missing. What sounds evasive. What headline your wording invites. That perspective helps legal advice land in language the outside world can accept, instead of producing a statement that is technically safe but reputationally damaging.

For SMEs, that joined-up model matters because there is rarely time for long chains of approval. You need one response team, not two separate camps. Build that structure now, then tailor it to your own risks with this guide to developing a crisis communications plan.

The First Hour Your Immediate Action Plan

The first hour decides whether you gain control or lose it. In legal crisis management, speed matters, but sequence matters more. If people start talking before counsel is involved, you can create damage that no statement will later tidy up.

A six-step infographic detailing an immediate action plan to manage a company's first hour of legal crisis.

The order that works

Follow this sequence.

  1. Identify the core team
    Keep it tight. Usually that means the owner or managing director, legal counsel, operations lead, HR lead if staff are involved, and one communications lead. Don't drag in people because they're senior. Bring in people because they're necessary.

  2. Secure communications
    Move the crisis team onto a controlled channel immediately. That may be a dedicated call, a secure Teams group, or another approved internal system. What matters is discipline. No side chats, no speculation, no screenshots shared casually.

  3. Get a fast factual read
    You're not trying to solve the whole issue in ten minutes. You're trying to establish what has happened, what is alleged, who knows, what evidence exists, whether anyone is at risk, and whether a regulator, customer or journalist is already involved.

The step you cannot delay

  1. Call legal counsel at once
    In UK legal crisis management, the immediate activation of legal privilege over internal communications is a critical milestone that must occur within the first hours. Organisations that engage legal counsel immediately to advise on regulatory exposure are significantly more likely to manage investigations effectively, preventing them from escalating into more serious criminal matters like corporate manslaughter or health and safety offences, as outlined in this UK practical guide on legal risk in crisis management.

That point gets missed constantly by smaller businesses. Someone thinks they'll “gather the facts first” and call the lawyer later. That's backwards. Counsel helps define how facts should be gathered, by whom, and how internal reviews are separated from operational chatter.

Get the lawyer in before the organisation starts narrating the incident to itself.

  1. Issue a stop instruction on external comment
    Tell staff, in plain language, that nobody comments externally. Not to customers, not on social media, not “off the record”, not to a friendly trade journalist. A loose message from one employee can become the line everybody is forced to defend.

  2. Start a written incident log
    Record decisions, times, instructions, external contacts, known facts and open questions. This log will help legal review, regulator engagement and message consistency later.

What not to do in that first hour

A lot of damage is self-inflicted. Avoid these common mistakes:

  • Don't speculate: “We think” and “it looks like” are dangerous phrases when facts are still emerging.
  • Don't apologise for something you haven't established: Empathy is fine. Admissions made too early are not.
  • Don't send a company-wide essay: Staff need a short instruction, not a nervous leadership memo.
  • Don't let marketing take over: This isn't a brand campaign. It's a legally sensitive response.

A simple first-hour instruction to staff often works best:

We're aware of the issue and are reviewing it urgently with the appropriate advisers. Please don't comment externally or share internal information. Direct all enquiries to the nominated lead.

That's calm, protective and usable.

Defining Roles Legal Counsel vs PR Team

One of the most common failures in legal crisis management is confusion about who owns what. Legal wants to reduce liability, preserve privilege and meet regulatory duties. PR wants to maintain trust, limit misinformation and keep stakeholders informed. Both are right. Both can also frustrate each other if they work in parallel instead of together.

The tension is predictable. Lawyers often prefer narrow, careful wording. Communications teams know that if you say too little for too long, others will fill the gap for you. The answer isn't to let one side win. It's to make each side do the job it's best placed to do.

Legal vs PR responsibilities in a crisis

Area of Focus Legal Team's Priority PR Team's Priority
Incident assessment Establish legal exposure, preserve privilege, define reporting duties Turn verified facts into clear internal and external briefings
Evidence handling Protect documents, control interviews, manage legal hold Prevent leaks, ensure one source of truth, stop contradictory messaging
Regulators Decide notification requirements and response approach Support tone, clarity and consistency in written communications
Media enquiries Avoid prejudicial or inaccurate comment Provide a holding line, manage timing, reduce vacuum
Employees Limit risky internal commentary and protect process Reassure staff, maintain order, reduce rumour
Customers and partners Avoid misleading statements or admissions Protect confidence, explain practical impact and next steps
Spokesperson preparation Set legal boundaries for what can be said Shape delivery, Q&A handling and message discipline

Where the friction usually appears

The hardest conversations happen around timing and wording.

  • Legal concern: “Don't say anything we can't prove.”
  • PR concern: “If we say nothing, the allegation becomes the accepted version.”
  • Legal concern: “That phrase sounds like an admission.”
  • PR concern: “That draft sounds evasive and cold.”

Both concerns are legitimate. The best responses use legally safe language that still sounds human. “We're investigating the matter urgently” is usually safer than guessing. “Our priority is the welfare of those affected” shows seriousness without inventing facts. “We'll provide further updates when we can do so responsibly” buys time if used sparingly and followed up.

Newsroom view: Reporters notice when a company hides behind jargon. They also notice when a company is disciplined, factual and available.

What integration looks like in practice

A sound model is simple. Legal approves the risk boundaries. Communications shapes the language inside those boundaries. The spokesperson only uses approved lines. Internal, regulator and media messaging are aligned, but not identical. That last point matters. A regulator needs precision. Staff need instruction. Customers need clarity about service impact. Journalists need a statement that answers the obvious first question.

Specialist judgment is vital. Carlos Alba Media's expertise is rooted in people who understand both sides of the exchange because everyone who works for Carlos Alba Media is a former national news journalist or has agency experience of working with international brands. That kind of background helps translate legal necessity into wording that can survive public scrutiny.

Managing Information and Preserving Evidence

When a crisis breaks, many SMEs focus on the outward response and neglect the internal evidence trail. That's a mistake. Regulators, litigants, insurers and journalists all care about records. So does your own legal team. If documents disappear, messages conflict, or staff start “tidying up” email threads, the problem gets harder to manage.

A professional lawyer managing a legal hold and document preservation process at her organized office desk.

What a legal hold means in plain English

A legal hold means the business stops routine deletion or alteration of potentially relevant information. That can include email, chat messages, CCTV, contracts, access logs, customer service notes, HR files, delivery records, expense claims, incident reports and device data.

This isn't only about formal systems. It includes the messy places where real crises unfold. Teams chats. WhatsApp messages. Personal notes. Shared drives with vague file names. A founder's phone full of screenshots.

The practical checklist

Use a short operational instruction set:

  • Pause deletion: Stop automatic document destruction, mailbox cleanup and file overwriting where relevant.
  • Identify custodians: List the people likely to hold useful information.
  • Lock down versions: Keep one authoritative incident timeline and update it centrally.
  • Preserve raw materials: Don't crop images, rewrite notes or summarise away detail.
  • Channel internal questions: Send them to the named incident lead, not around the office.

A common issue now is visual misinformation. Old photos get recycled. Images from another site or another year get attached to your incident. If your crisis includes disputed imagery online, a practical reverse image search guide can help teams verify whether a picture is original, repurposed or taken from somewhere else.

Internal communication rules that reduce damage

Employees don't need a legal lecture. They need firm instructions.

Do:

  • Use approved internal channels.
  • Stick to facts you personally know.
  • Forward external enquiries to the nominated contact.
  • Keep records of decisions and actions.

Don't:

  • Guess motive, blame or cause.
  • Joke about the incident in chat.
  • Copy large groups “for awareness”.
  • Move sensitive discussion into informal apps because it feels quicker.

Write every internal message on the assumption that it may later be read by people outside the company.

That doesn't mean staff should say nothing. Silence creates anxiety and rumour. It means updates should be short, factual and controlled. A useful internal note might say the incident is under active review, who is handling queries, what immediate operational changes apply, and when the next update will come.

One source of truth beats ten half-truths

You need one live incident document. Not five competing timelines. Not separate versions held by operations, HR and sales. One record, controlled by the crisis team, with timestamps and ownership.

That single source of truth does three jobs. It helps legal review. It stops contradictions. It gives your spokesperson something solid to work from when the outside world starts asking hard questions.

Controlling the Narrative With Stakeholders and Media

At 8:12am, a customer emails your sales inbox asking if their data is safe. By 8:19am, a staff member has posted in a private WhatsApp group. By 8:27am, a reporter is on the phone asking for comment. That is how the narrative starts. If you have not set it, someone else already has.

This stage is where legal judgement and communications discipline have to work as one response, not as two separate functions taking turns. Legal protects your position. PR protects your credibility. From a newsroom perspective, those aims are closely linked. A vague line invites harder questions. An overconfident line creates legal risk. The job is to produce a statement that can survive both scrutiny and follow-up.

An infographic titled Controlling the Narrative outlining six essential tips for effective stakeholder and media communication.

Start with a holding statement

Your first public line has one job. Hold the ground until verified facts are ready.

A useful holding statement does four things:

  1. acknowledges the issue
  2. shows the matter is being taken seriously
  3. avoids speculation
  4. explains what happens next

A basic version might read:

We're aware of the incident and are investigating it urgently with the appropriate advisers. Our immediate focus is on establishing the facts and supporting those affected. We'll provide further information as soon as we're in a position to do so.

That works because it is controlled. It gives enough information to show command of the situation without filling gaps with guesswork. I have seen businesses create days of avoidable trouble by trying to sound reassuring before they know enough to be accurate.

Tailor the message without changing the facts

Different audiences need different levels of detail, but the underlying facts must stay aligned. If your regulator hears one version, staff hear another, and customers hear something softer, the contradiction becomes the story.

For regulators

Regulators want chronology, scope and evidence that someone competent is in charge. Keep the language precise. Confirm what is known, what is still being checked, what containment steps have been taken, and who is responsible for updates.

A regulator-facing note should cover:

  • what happened, based on verified information
  • when you became aware of it
  • what action has already been taken
  • who the named contact is

For employees

Staff need direction they can use straight away. Give them the approved line, tell them where external enquiries go, and tell them when the next update is due. That reduces rumour and stops well-meaning people from filling the silence.

If senior leaders are likely to face internal briefings, customer calls or press questions, proper media training for business spokespeople helps them stay clear, calm and legally safe under pressure.

For customers and partners

Customers care about impact before process. Tell them what has changed for them, whether they need to act, and what you still do not know. If services will be delayed, say that plainly. If there is no confirmed impact on a particular group at this stage, say so carefully and keep reviewing the position.

Deal with journalists as if every answer will be tested

It will be.

Newsrooms do not stop at your first sentence. They compare it with earlier statements, Companies House records, social posts, customer complaints and anything a former employee is willing to say on background. That is why legal review and media judgement must sit in the same room. A statement can be technically defensible and still read as evasive. Reporters will push on that gap.

Use these rules:

  • Answer what you know, not what is being alleged.
  • Replace "no comment" with a short, credible holding line where possible.
  • Assume any informal chat can shape the story.
  • Prepare the answer after the next question, not just the first one.

A weak first answer usually creates the hardest second call.

For broadcast or live interviews, keep to two or three messages and repeat them in plain English. If a fact is still being checked, say that. If legal limits what can be discussed, say that plainly. Clear constraint sounds better than slippery wording.

Social media needs control, not impulse

Speed matters less than consistency. A rushed post that later needs correction will do more harm than a short delay to verify wording.

In practice, that means one approved response for frontline teams, active monitoring for false claims, and a clear trigger for escalating serious posts to legal and communications leads. It also means resisting the urge to argue in public, especially with anonymous accounts or people posting for reaction.

The aim is steady credibility. Calm language, accurate facts and repeated discipline usually beat a louder response.

After the Storm Review and Reputation Recovery

The calls have stopped. The reporter has filed. Your lawyer has gone quiet for the first time in days. This is the point where many owners relax too early and create a second problem. If you do not review what happened and explain what changes now, the market fills the gap with its own version of events.

Recovery starts with an honest debrief. Do it while timelines are clear, inboxes are searchable and people still remember who approved what. I advise clients to bring legal and communications into the same room for this session, because key failures usually sit in the gap between what was defensible and what was credible. A statement can clear legal risk and still leave customers, staff or suppliers thinking you dodged the issue.

The review process that actually helps

Run a structured review with one aim. Find the decisions, delays and process failures that made the crisis harder to contain.

Use questions that produce changes, not vague promises:

  • Which decisions took too long, and who had authority to make them?
  • Where did facts get stuck or change between teams?
  • Were key records preserved quickly enough to support legal advice and public statements?
  • Which stakeholder groups were left with too little information?
  • What did journalists, customers or regulators ask that the business was not ready to answer?

Then turn the answers into specific fixes. Change approval routes. Rewrite escalation triggers. Update contact lists. Remove duplicate sign-off steps that slowed response time. If one team worked from a different fact base, fix that first. In my experience, that single issue causes more reputational harm than any polished statement can repair.

Keep the policy current

A crisis plan has a short shelf life. People leave, suppliers change, new risks appear and old assumptions stop matching reality.

The legal team's role in post-crisis review includes keeping policies, reporting lines and risk assessments under regular review, as set out in Legal Leadership's guidance on crisis and post-crisis management. For an SME, the lesson is simple. Set a review cycle, test the plan, and check that names, numbers, delegated authority and evidence-preservation steps still work in real life.

Rebuilding trust in public

Reputation recovery is not a branding exercise. It is proof.

Say what changed. Explain what you reviewed. Tell people what is different in the business now, especially if the original response was slow, defensive or confused. Stakeholders do not expect perfection after a crisis. They do expect candour, correction and signs that the business has learned something expensive.

That public explanation needs the same joined-up judgement you needed on day one. Legal wording protects the business. Journalistic instinct tells you what sounds evasive, what will become the headline, and what a sceptical reader will question next. Treated separately, those disciplines often pull against each other. Used together, they give you a recovery message that is accurate, credible and far more likely to hold.

If you need a practical framework for the next stage, read this guide on how to rebuild trust after a business crisis. The goal is a business that has corrected the weakness, regained confidence and is better prepared for the next hard call.