PropoDoc provides self-help document templates and tools. It is not a law firm and does not provide legal advice. Learn more.
Skip to main content

Crisis Communication Plan

Who says what, to whom, and how, when something goes wrong.

Use Free Template
Create your custom version — free to start

20 free credits on signup — no card needed

guide
moderate
medium Risk

About this Document

What a crisis communication plan is

A crisis communication plan is an internal document that defines, in advance, how your organisation will talk to the people who matter when something goes seriously wrong. It names who decides, who speaks, what is said first, and through which channels — so that under pressure your team reacts from a prepared playbook instead of improvising while the clock runs.

The point of the plan is speed with control. In a real incident the hardest part is rarely knowing the facts; it is agreeing who is allowed to say them, getting a message approved, and reaching the right audiences before rumour fills the silence. A good plan removes those bottlenecks ahead of time. It sits alongside, but is distinct from, the technical security protocol that prevents and contains incidents and the risk management work that scores the threats in the first place.

A plan is not a script for one event. It is a reusable framework — roles, severity levels, pre-approved holding statements, channel routes, and a review loop — that you adapt to whatever the actual crisis turns out to be.

Crisis types and severity levels

Crises rarely look the same twice, but they cluster into a few recognisable families, and your plan should name the ones your organisation is realistically exposed to:

  • Operational — an outage, a failed release, a supply-chain break, or a service that stops working.
  • Security and data — a breach, ransomware, leaked credentials, or exposed customer records.
  • Safety — anything that puts staff, customers, or the public at physical risk.
  • Reputational — a viral complaint, an executive misstep, or coverage that frames you badly.
  • Financial and legal — fraud, a regulatory action, or a lawsuit that becomes public.
  • People — misconduct, a serious grievance, or the sudden loss of a key person.

What turns a problem into a crisis is not the category but the severity. Most plans use three or four tiers so the response is proportionate:

  • Level 1 — Minor. Contained, low visibility, no external impact. Handled by the duty owner with a log entry; no team activation.
  • Level 2 — Significant. Real customer or partner impact, or media interest is plausible. The core crisis team is alerted and a holding statement is prepared.
  • Level 3 — Major. Wide impact, active media or regulator interest, or a safety dimension. Full team activation, executive sign-off, and continuous communication.

Define the trigger for each level in plain language so that whoever spots the problem first can classify it without waiting for permission. Ambiguity here is the single most common reason a response starts late.

The crisis team and roles

A crisis is no time to work out who is in charge. Name the roles in advance, attach a primary and a backup to each, and make sure everyone knows which role they hold:

  • Crisis lead. Owns the response, declares the severity level, and makes the final call when the team disagrees. Usually a senior operator, not necessarily the CEO.
  • Communications lead. Drafts and coordinates every message, owns the holding statements, and manages the channel plan. The single point of truth for what goes out.
  • Spokesperson. The named human who speaks to media or customers on the record. One voice avoids contradiction; brief everyone else to route enquiries to them.
  • Technical or operations lead. Establishes the facts: what happened, what is affected, what the fix is, and an honest estimate of when it lands.
  • Legal and compliance. Flags notification duties, regulatory deadlines, and language that creates liability — without becoming a veto on speaking at all.
  • Coordinator or scribe. Keeps the timeline, logs every decision and external statement, and tracks who was told what and when. Invaluable for the post-crisis review.

For a small organisation one person may wear two hats — but never let the spokesperson also be the technical lead, or facts and messaging will tangle. Keep an up-to-date contact sheet with mobile numbers and a backup channel that does not depend on the system that might be down.

Message principles

Under scrutiny, the temptation is to say as little as possible. That instinct usually makes things worse. A few principles hold across almost every crisis:

  • Be first, be right, be credible. Acknowledge quickly even if you cannot yet explain. Silence reads as either ignorance or concealment.
  • Lead with people, then facts. Address who is affected and how before you defend the organisation.
  • Say what you know, what you do not, and what you are doing next. A short honest update beats a polished statement that dodges the question.
  • One voice, consistent across channels. The same core facts everywhere, tailored in tone, never contradictory.
  • Never speculate or guess at cause. "We are investigating" is a complete and acceptable answer.
  • Show action and a next-update time. Tell people when they will hear from you again, then keep that promise.
  • Never blame, minimise, or go off the record. Anything you say can become the headline.

Channels and holding statements

The fastest way to lose control of a crisis is to be slow on the channels your audiences are already watching. Map, in advance, which audience you reach where: customers by email and status page, staff by internal chat, partners by direct call, the public by your website and social accounts, and media through the spokesperson. Note who owns each channel and how to publish to it quickly.

A holding statement is a short, pre-approved message you can release within minutes — before you have all the facts — to show you are aware and engaged. Draft a small library of these ahead of time with blanks to fill: an acknowledgement, a service-disruption notice, a we-are-investigating line, and a safety reassurance. The goal is to buy time honestly, not to make promises you cannot keep. A holding statement that says "we are aware, we are investigating, and we will update you by [time]" is almost always enough for the first move.

Keep a single source of truth — usually a status page or pinned post — that you update as facts firm up, and point every channel back to it so people are not chasing scattered versions.

Post-crisis review

The crisis is not over when the immediate pressure lifts; it is over when you have learned from it. Within a week of standing down, run a blameless review with everyone who was involved. Reconstruct the timeline from the coordinator's log, and ask the questions that matter: How quickly did we detect and classify it? Where did approval or information get stuck? Did our holding statements fit, or did we have to write from scratch? Did every audience hear from us in time?

Turn the answers into specific changes — a new holding statement, a clearer trigger for a severity level, an updated contact sheet — and assign each one an owner and a date. Feed material findings back into your risk management register and your operation manual so the lesson outlives the people who lived through it. A plan that is never reviewed quietly rots; the review is what keeps it real.

Common mistakes to avoid

  • No pre-agreed severity triggers, so the first responder waits for permission instead of acting.
  • Too many spokespeople, producing contradictory statements that become the story.
  • Going dark while you "get the facts straight," letting rumour and speculation fill the gap.
  • Treating legal review as a veto on saying anything, rather than a guide to saying it safely.
  • No next-update time, so audiences keep asking and you keep reacting.
  • A contact sheet that lives on the system that just went down, with no offline backup.
  • Writing every statement from scratch in the moment instead of adapting a pre-approved holding line.
  • Skipping the review, so the same gap reopens in the next crisis.

Required Sections

Crisis Levels

Severity tiers and what triggers each level

Required

Response Team

Named roles, owners, and backups on call

Required

Holding Statements

Buy-time language before facts are confirmed

Required

Notification Cascade

Who to alert first, second, and when

Required

Approved Messages

Pre-cleared statements for each crisis tier

Required

Channel Strategy

Which platform carries which audience message

Required

Review and Escalation

Sign-off authority and when to escalate further

Required

Optional Sections

Media Handling

Press contact rules and spokesperson dos and don'ts

Optional

Dark Site

Standby web page ready to activate immediately

Optional

Post-Crisis Review

Debrief process and lessons-learned capture

Optional

Frequently Asked Questions

What is a crisis communication plan?
It is a document that decides, before a crisis happens, how your organisation will communicate when something goes seriously wrong. It names who decides and who speaks, defines severity levels, provides pre-approved holding statements, and maps which audiences you reach through which channels — so the team responds from a playbook instead of improvising under pressure.
Who should be on the crisis team?
At minimum a crisis lead who owns the response, a communications lead who drafts and coordinates messaging, a named spokesperson, a technical or operations lead who establishes the facts, legal or compliance for notification duties, and a coordinator who keeps the timeline. In a small organisation one person can hold two roles, but the spokesperson should never also be the technical lead, or facts and messaging will tangle.
What is a holding statement and when do you use it?
A holding statement is a short, pre-approved message you can release within minutes — before you have all the facts — to show you are aware and engaged. You use it as the very first move in a crisis: acknowledge the issue, say you are investigating, and give a time for the next update. It buys you time honestly without making promises you cannot keep.
How fast should you respond in a crisis?
Acknowledge as quickly as you can, even before you can explain — often within the first hour. Silence reads as either ignorance or concealment and lets rumour fill the gap. You do not need every fact to respond; a holding statement that confirms you are aware, are investigating, and will update by a stated time is enough for the first move.
How is a crisis communication plan different from a security protocol?
A security protocol focuses on preventing and containing incidents — the technical controls, access models, and response steps that keep systems safe. A crisis communication plan focuses on what you say and to whom once an incident has impact: roles, severity levels, holding statements, and channels. The two work together; the security protocol manages the event, the communication plan manages the message.
How often should you update and test the plan?
Review the plan at least once or twice a year, and always after a real incident or a tabletop exercise. Keep the contact sheet, severity triggers, and holding statements current, and run a practice scenario periodically so the team knows their roles before they need them. A plan that is never tested or reviewed quietly goes out of date and fails when it matters.

Ready to create your document?

Use our free template or generate a custom version tailored to your needs.

Use Free Template
Create your custom version — free to start

20 free credits on signup — no card needed

We recommend professional review for your specific situation.

Last reviewed: June 4, 2026