Draft Crisis Communications Response Plan

This was prepared for a client that needed a quick idea of how to respond to a crisis.

"Never guess what happened in a PR Crisis"

"Crisis training requires spokespersons to be certain of the facts before commenting on what happened. This does not mean that the spokesperson cannot be sympathetic to any anguish or suffering, but until the facts are clear about responsibility, it is critical to state that the organization seeks the facts."

- Quote as seen in Forbes Magazine from Jim Caruso, CEO of M1PR, Inc.

To: Client Communications Team Management

Crisis Communications + Incident Response Plan

We drafted this Plan Template to better prepare staff to respond. Better responses require a coordinated response by responsible management along with appropriate public statements prepared by a communications team, often led by public relations or marketing, approved by executive management, and delivered by an approved spokesperson.

The short playbook:

1.) During an emergency call 911 first

2.) Activate this plan, as follows

3) Notify affected department management, such as: physical security, IT / information security, CFO / risk management, and Marketing.

4.) Respond internally, such as a lockdown of facilities, canceling incoming shifts, shutting down compromised IT system

5.) Assume you do not know all the facts, go collect information on the incident without endangering staff, do not comment publicly, and forward information to the Incident & Communications Response Team.

6.) If the facts are uncertain, do not comment publicly. It is appropriate for the approved spokesperson to acknowledge an incident (or accusation) without further comment while stating an intent to fully understand the situation before any public comment.

Attached is a more comprehensive treatment of the issues, responsible parties, and potential response process for incidents.

Good Luck,

Jim Caruso

CEO, MediaFirst PR - Atlanta

Incident Response Team & Incident Communications Response

This Plan Template document is primarily intended for use by a company's management as a basis for responding to a crisis or incident that negatively portray the company and/or its staff, products, services, customers, or customer's staff. 

This is a communications response plan, which should evolve with best practices and technology to better respond. cyber incident. We hope to add practical checklists.

Examples of a Crisis or Incident

Examples are drawn from the many types of incidents and affected departments.

Cybersecurity incidents, such as cyberattack, hacking, data breach, or ransomware

  • Terrorism  or active shooter
  • Misquote or error in press reporting
  • An accusation of sexual harassment
  • Lost work-time accidents
  • Death


  • Determine internal roles and responsibilities. Make sure there is a clear escalation process within the company and the right teams are talking to one another in the event of a cyber incident. Designate an individual to be responsible for ensuring that this process is established and updated.
  • Plan your response to a crisis in advance with a
    communications plan, including a decision-making protocol and communications materials.
  • Ensure-incident response is part of the operational continuity plan. Make sure there is a communications plan and process in place.
  • Conduct crisis simulation and table-top exercises, coordinated with legal, technical, and outside advisors, including key senior leaders across the company.
  • Conduct stakeholder mapping and a reputation risk analysis to understand your cyber risks, priority stakeholders, and how to reach them to address key concerns.
  • Be transparent but careful. Transparent communication builds trust, but in an incident, you may have few facts at hand, especially at the outset. Public comments should demonstrate that you are taking the issue seriously but avoid providing any details that may change as the investigation progresses, so you don’t have to correct yourself down the line. Avoid speculation on the incident or persons involved.
  • Focus on actions you are taking to address the issue. To demonstrate that you are taking the issue seriously, you should talk about the steps you are taking to protect your staff, customers, and the public and address any broader risks.

Developing a Response Process

The following steps will guide you as you start up an Incident Communications Response Team and develop a process for drafting and approving messages.

  • Step 1: Decide on the team. Select the individuals who will fill roles. Outline their roles and identify the decisions around messaging and communication that they can make in real-time.
  • Step 2: Security alignment. With executive management, operational management, IT, information security, security, or public relations team, take inventory of your potential risks (like a compromised data set), and conduct an impact assessment. You should understand the incidents (like cyberattack) to which you might be vulnerable. You should also understand how security tactics are tied to risk mitigation. For example, the IT team’s early monitoring and detection functions should be aligned to the company's most critical assets. Establish who will be the liaison from an affected department to the Incident Response Team and Communications Team.
  • Step 3: Disclosure alignment. Determine and document exactly what you are obligated to disclose. Develop a decision-making process to assess the public posture—proactive or reactive—you will take in a given situation. Take into account both legal implications and public opinion.
  • Step 4: Stakeholder analysis. Assess and prioritize your key stakeholders, based on their influence, because public opinion can turn very quickly during a crisis. Establish ongoing relationships with these stakeholders BEFORE a crisis hits. Your stakeholders may include:
  • The public
  • Federal, state, and local regulators
  • Law enforcement
  • State and federal lawmakers
  • Media (such as a local cybersecurity beat reporter)
  • Third-Party advocacy groups
  • Vendors
  • Customers
  • Step 5: Select a spokesperson or spokespeople. Establish ahead of time who will speak for the company in an incident, and make sure that they have received media training. You may choose different spokespeople for different audiences. Your department head might be best equipped to post a response (such as an IT department writing a response about a data loss), while the CFO or head of risk management might be the best person to speak to the media. Consider factors such as who has the best communication skills, prior experience with the media, authority to speak, and relationships with stakeholders.
  • Step 6: Establish a drafting and approval process for key messages and include diagrams of this process in your communications plan. This process will be specific to the company's Incident Response & Communications Response teams and team structure but may look like this:
  • Step 7: Decide what baseline information you can communicate now. Establish a baseline understanding among key stakeholders of the company’s work to implement safety, security, or information security best practices in advance of any incident. In the event of an incident, this effort will position the spokesperson to make the case that the company has been implementing best practices, but unfortunately, an accident or incident still sometimes occur.
  • Step 8: Establish a feedback loop. Establish a means—both during and after an incident—to incorporate feedback from stakeholders into your response. During an incident, this work could take the form of media and social media monitoring as well as polling. After an incident, you should conduct an after-action report and ensure that lessons learned are incorporated into this Incident Communications Plan Template Your after-action report should include:
  • A summary of the incident (keeping in mind it could be subject to public disclosure);
  • an overview of the operational response;
  • the communications objectives;
  • and by phase, with specificity:
  • concern
  • outcome
  • recommendations

Incident Background & Verification

There are elements of an incident that require additional attention and preparation because a crisis is different from other situations in key ways:

  • High Degree of Uncertainty: You will know very few facts when you first have to communicate about an incident, and you will need to demonstrate you are confidently and competently managing the incident with relatively little information.
  • Well-Sourced Journalism: The journalists covering beats, such as cyber-security, know technical and policy issues and are well-sourced, so they may learn about details before you do.
  • Cross-Functional Impact: Incidents may require coordination across a range of internal the company's departments that may not normally work together.
  • Cross-Boundary Implications: Incidents can have effects that cascade across national jurisdictional boundaries. This may require management in another country to be the response team’s local eyes and ears.
  • Potential to Undermine Trust: An incident has the potential to undermine customer, media, government, or public trust in the company, so communicating in a way that avoids creating undue alarm is critical.

Communications Coordination

Set guidelines for communicating with outside parties in an incident.

  • Management should create a communications plan that provides escalation thresholds for reporting an incident internally and publicly. The guidelines should address who is responsible for communicating with key external stakeholders, such as the media and law enforcement. It should also spell out the timeframe for these communications and key individuals involved in communications response from the incident response team, such as public relations, legal, or company management. 

Establish connections between the incident response team and communications officers.

  • Every situation will require collaboration and cooperation of multiple team members and groups. The relationships between, and credibility of, each player is vital to a successful post-incident recovery.

Best Practices for Countering Misinformation

  • Establish the facts, and double-check them. You need to ensure you are operating from a factual position before countering misinformation, so check your facts with multiple sources before citing them publicly. Ask all appropriate questions and put in the work before you speak to ensure that you do not accidentally provide misleading information.
  • Develop a simple, accurate, short counter-message. Develop a clear statement that contains only the facts. Avoid complex messages. You can provide additional nuance later.
  • Respond quickly. Misinformation can spread rapidly through social media and broadcast commentary. Your counter-message should be ready to disseminate as soon as possible.
  • Be transparent. Hedged, incomplete, or “no comment” responses can fuel conspiracy theories by making it appear your organization has something to hide. Demonstrating transparency can help counter false claims.
  • Engage on all platforms. Misinformation can spread across multiple platforms, including social media and traditional media. To counter misinformation, deliver a clear, factual message on all available platforms.
  • Avoid repeating misinformation. Focus on providing accurate facts and do not repeat the false messages. For example, if rumors circulate, avoid repeating that rumor. Instead, your message should be a clear statement of what you know to be true.


P.S. Do you see a way to make this crisis communications process better? Are there new technologies or vulnerabilities we should address? Please provide your feedback by emailing Jim Caruso, jim@mediafirst.net, to help improve this resource.