Crisis Communications Plan Draft for a Client

"Never guess what happened in a PR Crisis"

"Crisis training requires spokespersons to be certain of the facts before commenting on what happened. This does not mean that the spokesperson cannot be sympathetic to any anguish or suffering, but until the facts are clear about responsibility, it is critical to state that the organization seeks the facts."

- Quote as seen in Forbes Magazine from Jim Caruso, CEO of M1PR, Inc.


Draft Crisis Communications Response Plan

This plan draft provides a quick idea of how to respond to a crisis.


To: Client Communications Team Management

Crisis Communications + Incident Response Plan

We drafted this Plan Template to better prepare staff to respond. Better responses require a coordinated response by responsible management along with appropriate public statements prepared by a communications team, often led by public relations or marketing, approved by executive management, and delivered by an authorized spokesperson.

The short playbook:

1.) During an emergency, call 911 first.

2.) Activate this plan, as follows.

3.) Notify affected department management, such as physical security, IT / information security, CFO / risk management, and Marketing.

4.) Respond internally, such as a lockdown of facilities, canceling incoming shifts, or shutting down compromised IT systems.

5.) Assume you do not know all the facts, go collect information on the incident without endangering staff, do not comment publicly, and forward everything we know (any data) to the Incident & Communications Response Team.

6.) If the facts are uncertain, do not comment publicly. It is appropriate for the approved spokesperson to acknowledge an incident (or accusation) without further comment while stating an intent to understand the situation in full before any public comment.

Attached is a more comprehensive treatment of the issues, responsible parties, and potential response process for incidents.

Good Luck,

Jim Caruso

CEO, MediaFirst PR - Atlanta

Incident Response Team & Incident Communications Response

This Plan Template document is intended for use by a company’s management as a basis for responding to a crisis or incident that negatively portrays the company and/or its staff, products, services, customers, or customer’s staff.

This document is a communications response plan, which should evolve with best practices and technology to better respond to a crisis incident. We hope to add practical checklists.

Examples of a Crisis or Incident

These examples represent the many types of incidents and affected departments.

  • Cybersecurity incidents, such as cyberattack, hacking, data breach, or ransomware
  • Terrorism or active shooter
  • Misquote or error in press reporting
  • An accusation of sexual harassment
  • Lost work-time accidents
  • Death

INCIDENT & CRISIS RESPONSE TEAM

  • Determine internal roles and responsibilities. Make sure there is a clear path in the escalation process within the company. Confirm that the right teams talk in the event of a cyber incident. Designate an individual to be responsible for ensuring that you establish a process and that it is enforced and updated.
  • Plan your response to a crisis with a communications plan, including a decision-making protocol and communications materials.
  • Ensure that incident response is part of the operational continuity plan. Make sure there is a communications plan and process in place.
  • Conduct a crisis simulation and trial exercise. Prepare for various potential issues. Coordinate the activities with legal, technical, and outside advisors. Include senior leaders across the company.
  • Conduct a stakeholder mapping exercise and a reputation risk analysis. These help you understand your cyber risks, priority stakeholders, and how to reach them to address critical concerns.
  • Be transparent but careful. Open communication builds trust. However, during a crisis, few facts are available, especially immediately after the crisis. Your public comments should demonstrate that the corporation takes the issue seriously. However, avoid providing any speculation. Your understanding of the incident may change as the investigation progresses. If you do not speculate, you will not be forced to correct yourself down the line. Avoid any speculation on the incident or persons involved.
  • Focus on the specific actions you take to address the issue. To demonstrate that you are taking the issue seriously, you should talk about the steps you take to protect your staff, customers, and the public and address any broader risks.

Develop a Response Process

The following steps will guide you as you start up an Incident Communications Response Team. The team will create the process for drafting, approving, and sending out messages. The message might be sent to the authorized spokesperson or directly to the public in a statement, press release, or social media post.

  • Step 1: Decide on the team. Select the individuals who will fill roles. Outline their tasks and identify the decisions around messaging and communication that they can make in real-time.
  • Step 2: Security alignment: With executive management, operational management, IT, information security, security, or public relations team, take inventory of your potential risks (like a compromised data set), and conduct an impact assessment. You should understand the incidents (like cyberattacks) to which you might be vulnerable. Responsible team members need to understand how security tactics are tied to risk mitigation. For example, the IT team’s monitoring and detection functions should align with the company’s most critical assets. Establish who will be the liaison from an affected department to the Incident Response Team and Communications Team.
  • Step 3: Disclosure alignment: Determine and document what information you are obligated to disclose, what regulations require this disclosure, and what entity wants it. Develop a decision-making process to assess the public posture—proactive or reactive—you will take in a given situation. Take into account both legal implications and public opinion.
  • Step 4: Stakeholder analysis: Assess and prioritize your key stakeholders, based on their influence, because public opinion can turn very quickly during a crisis. Establish ongoing relationships with these stakeholders BEFORE an emergency. Your stakeholders may include:
      • The public
      • Federal, state, and local regulators
      • Law enforcement
      • State and federal lawmakers
      • Media (such as a local cybersecurity beat reporter)
      • Third-Party advocacy groups
      • Vendors
      • Customers
  • Step 5: Select an authorized corporate incident spokesperson or spokespeople based upon the issue. Establish who speaks for the company and make sure that they have media training or experience. Some incidents may place your spokesperson under tremendous emotional strain and public pressure. You may choose different spokespeople for different audiences. Consider who is best to respond. For example, your IT department head might be best for a response about a data loss. The CFO or head of risk management might be best for losses about assets, finances, or security if security reports to them via risk management. Consider factors such as who has the best communication skills, prior experience with the media, authority to speak, and relationships with key stakeholders.
  • Step 6: Establish a drafting and approval process for key messages and include diagrams of this process in your communications plan. This process will be specific to the company’s Incident Response & Communications Response teams and team structure but may look like this:
  • Step 7: Decide what information you have and can confirm. Is it possible to make a statement in the short term given this baseline information? In advance of any incident, establish an understanding among key stakeholders of the company’s work to implement safety, security, or information security best practices. In the event of a crisis, this effort will position the spokesperson to make the case that the company has been implementing best practices. Unfortunately, however, an accident or incident still sometimes occurs.
  • Step 8: Establish a feedback loop. Establish a means—both during and after an incident—to incorporate feedback. You may wish to consider immediate feedback or queries from stakeholders into the public response. During an incident, work might include media and social media monitoring as well as polling. After an incident, conduct an after-action report and ensure that lessons learned are incorporated into this Incident Communications Plan Template. Your after-action report should include:
      • a summary of the incident (keep in mind that it could be subject to public disclosure);
      • an overview of the operational response;
      • the communications objectives;
      • and by phase, with specificity:
          • concern
          • outcome
          • recommendations

Incident Background & Verification

There are elements of a crisis incident that may require additional attention and preparation. A crisis can be different from other situations in key ways:

  • High Degree of Uncertainty: You will know very few facts when you first have to communicate about an incident, and you will need to demonstrate you are confidently and competently managing the incident with relatively little information.
  • Well-Sourced Journalism: The journalists covering beats, such as cyber-security, know technical and policy issues and are well-sourced, so they may learn about details before you do.
  • Cross-Functional Impact: Incidents may require coordination across a range of the company’s internal departments that often may not work together.
  • Cross-Boundary Implications: Incidents can have effects that cascade across national or other jurisdictional boundaries. These might require management in another country to be the response team’s local eyes and ears.
  • Potential to Undermine Trust: An incident has the potential to undermine customer, media, government, or public trust in the company, so communicating in a way that avoids creating undue alarm is critical.

Coordinate Communications

Set guidelines for communicating with outside parties in an incident.

  • Management needs a communications plan that provides escalation thresholds for reporting an incident internally and publicly. The guidelines should address who is responsible for communicating with external stakeholders, such as the media and law enforcement. The plan might recommend the timeframe for these communications and key individuals involved in communications response from the incident response team, such as public relations, legal, or company management. 

Maintain connections between the incident response team, the communications team, and possible spokespersons.

  • Every situation will require collaboration and cooperation of multiple team members and groups. The relationships between, and credibility of, each player are vital to a successful post-incident recovery.

Establish Procedures for Countering Misinformation

  • Establish the facts and double-check them. You need to ensure you are operating from a factual position before countering misinformation, so check and double-check the facts. Go to multiple sources for confirmation before citing a fact publicly. Ask all appropriate questions and put in the work before you speak to ensure that you do not accidentally provide misleading information.
  • Develop a simple, accurate, short counter-message. Your clear statement should contain only the facts. Avoid complexity in your message. You can elaborate or provide nuance later.
  • Respond quickly. Misinformation can spread rapidly through social media and broadcast commentary. Your counter-message should be ready to disseminate as soon as possible.
  • Be transparent. Hedged, incomplete, or “no comment” responses can fuel conspiracy theories by making it appear your organization has something to hide. Demonstrating transparency can help counter false claims.
  • Engage across platforms. Misinformation can spread across multiple platforms, including social media and traditional media. To counter misinformation, deliver a clear, factual message on all available platforms.
  • Avoid repeating misinformation. Focus on providing accurate facts and do not repeat the false messages. For example, if rumors circulate, avoid repeating that rumor. Instead, your message should be a clear statement of what you know to be true.

NOTE: Do you see a way to make this crisis communications process better? Are there new technologies that might help? Are there other risks or vulnerabilities we should address? Please provide your feedback by emailing Jim Caruso, jim@mediafirst.net, to help improve this resource.