Free Word download β’ Edit online β’ Save & share with Drive β’ Export to PDF
A Crisis Communication and Media Relations Policy is an internal governance document that defines how an organization identifies crises, activates a response team, controls public messaging, and manages media relationships during high-stakes incidents. It establishes severity classification tiers, an escalation chain, spokesperson authority, pre-approved holding statements, social media pause protocols, and a post-crisis review process β replacing improvised decision-making with a documented, repeatable framework. Unlike a full crisis management plan, which covers operational continuity and resource allocation, this policy focuses specifically on who speaks, what they say, when they say it, and through which channels.
Organizations without a crisis communication policy do not stay silent during a crisis β they speak inconsistently. Different employees give contradictory information to different journalists, social media managers post scheduled promotional content while an incident unfolds, and the first public statement takes four hours to draft because nobody pre-approved a holding statement. Each of these failures is documented in media coverage and cited by competitors, regulators, and customers for years. A formalized policy eliminates the most damaging improvisation: it designates spokespeople before anyone needs to know who to call, provides a holding statement employees can issue in 15 minutes, and gives the social media team an explicit rule to pause content without waiting for executive approval. For regulated industries β healthcare, financial services, food and beverage β the policy also ensures public statements are cleared by legal before they create admissions of liability or contradict required regulatory disclosures. This template gives you the complete structure in a single Word document you can customize to your organization, distribute to leadership, and rehearse in a tabletop exercise before the next incident makes it necessary.
| If your situation is⦠| Use this template |
|---|---|
| Building a full operational playbook with response timelines and checklists | Crisis Management Plan |
| Communicating with employees only during an internal incident | Internal Communications Plan |
| Responding specifically to a data breach or cybersecurity incident | Data Breach Response Plan |
| Managing communications during a product recall | Product Recall Communication Plan |
| Outlining day-to-day media and PR engagement outside of a crisis | Media Relations Policy |
| Establishing overall business continuity and recovery priorities | Business Continuity Plan |
| Documenting social media governance rules separately from crisis response | Social Media Policy |
Why it matters: When a named individual leaves or changes roles, the chain breaks silently. The gap only surfaces during an actual crisis, when there is no time to find replacements.
Fix: Write every escalation step as a job title. Maintain a separate, regularly updated appendix with the current name, direct mobile, and backup contact for each role.
Why it matters: Drafting the first public statement from scratch during a fast-moving crisis routinely takes 2β4 hours β a window during which speculation and misinformation fill the void.
Fix: Pre-approve holding statements for your five highest-probability crisis scenarios and store them in a location accessible to the CCT from any device.
Why it matters: Automated promotional posts published during an active reputational incident have repeatedly turned a manageable story into a trending one, adding days to recovery time.
Fix: Build an explicit social media pause step β triggered by any Level 2 or above classification β into the policy and assign a named person with admin access responsible for executing it within 15 minutes.
Why it matters: Without a specific, word-for-word response to give journalists, employees either refuse comment awkwardly (which looks evasive) or share unvetted information (which creates liability).
Fix: Include a two-sentence redirect script in the policy and repeat it in the employee communications template: acknowledge the inquiry, decline to comment personally, and provide the spokesperson's contact.
Why it matters: Organizations that do not debrief after a crisis repeat the same coordination failures β late escalation, contradictory statements, missed social monitoring β in subsequent incidents.
Fix: Mandate a written after-action report within 20 business days of every Level 2 or above crisis and assign a named owner responsible for submitting findings to senior leadership.
Why it matters: Employees who learn about a company crisis from a news alert before their employer tells them lose confidence in leadership and are more likely to speak to journalists without authorization.
Fix: Build an employee notification step into the policy that fires in parallel with β or ahead of β the first external statement, using a pre-approved internal message template.
Replace the generic Level 1β3 descriptions with criteria specific to your industry β e.g., 'Level 3 includes any incident involving a fatality, regulatory enforcement action, or coverage by a national news outlet.' Calibrate thresholds so the right level triggers without over-escalation.
π‘ Run three real past incidents through your draft levels to test whether each would have been classified correctly.
Fill in each escalation step using job titles as the primary identifier. Create a separate named appendix β updated quarterly β with the current person in each role, their mobile number, and a backup contact.
π‘ Test the chain with a tabletop exercise before finalizing. It nearly always reveals a gap β typically missing after-hours contacts or undefined backup for the CEO.
Assign a primary and backup spokesperson for each level. For Level 3 incidents, assign topic-specific spokespeople β e.g., the CFO for financial matters, the Head of Operations for safety incidents β rather than routing everything through one person.
π‘ Media-train every designated spokesperson before they need it. An untrained spokesperson performing for the first time under real pressure is a significant liability.
Identify the five crisis types most likely to affect your business (data breach, product defect, workplace injury, executive misconduct, regulatory action) and write a two-to-three sentence holding statement for each. Get legal and communications sign-off before filing.
π‘ Store approved holding statements in a shared folder accessible to the CCT from any device β crises rarely happen when everyone is at their desk.
Insert your organization's specific acknowledgment and response windows β typically 2 hours to acknowledge, 4 hours for a substantive response during business hours, and a defined on-call protocol for after-hours inquiries during active crises.
π‘ Journalists operating on tight deadlines will go to other sources if you don't acknowledge within two hours. Acknowledgment does not require a full answer β it buys time and signals professionalism.
List every managed social account, name the person with admin access, and write a one-sentence decision rule for when scheduled content is paused. Set a monitoring cadence for the crisis period (every 30 minutes is standard for Level 2+).
π‘ Audit who has login credentials to each social account now β shared passwords and departed employees with active access are a crisis-within-a-crisis.
Circulate the completed policy to all CCT members, department heads, and executive leadership. Require each to sign an acknowledgment of receipt. Set a calendar reminder for an annual policy review and schedule a tabletop exercise within 60 days of adoption.
π‘ A policy nobody has read before the crisis is nearly as useless as no policy at all. Build a 30-minute policy walkthrough into your next all-hands or leadership offsite.
A crisis communication and media relations policy is an internal governance document that defines how an organization responds to crises that affect its reputation, operations, or safety β and who is authorized to communicate with media, regulators, and the public. It establishes escalation chains, spokesperson rules, holding-statement templates, and social media protocols so the team can respond consistently and quickly without improvising under pressure.
All employees, contractors, agency partners, and third-party representatives who could plausibly receive a media inquiry or speak publicly on behalf of the organization should be covered. Most policies explicitly prohibit unauthorized employees from speaking to media and provide a redirect script for handling inbound journalist inquiries.
A holding statement is a brief, pre-approved message issued within the first 60 minutes of a crisis to acknowledge awareness of the situation while the organization gathers facts and prepares a full response. It matters because silence in the early stages of a crisis is consistently interpreted by media and the public as evasion or indifference. A well-written holding statement buys time without creating new liability.
A crisis communication policy governs who speaks, what they say, and through which channels during an incident. A crisis management plan is broader β it covers operational response, business continuity, resource allocation, and recovery steps in addition to communications. The two documents are complementary; the communication policy is often an appendix or companion document to the full crisis management plan.
Most organizations use three levels: Level 1 for contained internal incidents with no anticipated external attention, Level 2 for incidents with potential local or industry media coverage, and Level 3 for severe incidents with national exposure, regulatory involvement, or threats to human safety. The thresholds should be calibrated to your specific industry and risk profile β what qualifies as Level 3 in healthcare differs significantly from retail.
At minimum once a year, and immediately after any Level 2 or Level 3 crisis produces an after-action finding that reveals a policy gap. The escalation chain appendix β which contains individual names and contact numbers β should be reviewed every quarter given typical staff turnover rates.
Yes β disproportionately so. Small businesses typically have fewer people who can respond, less institutional muscle memory for handling media pressure, and less margin for the revenue and reputational damage a poorly managed crisis causes. A one-page policy covering spokesperson rules, a holding statement, and an escalation chain is achievable in an afternoon and provides meaningful protection against improvised responses.
Legal counsel reviews public statements to ensure they do not create admissions of liability, contradict regulatory disclosures, or violate confidentiality obligations. The tension between legal caution and communications urgency is real β the policy should specify that legal sign-off on a holding statement must happen within 30 minutes to prevent legal review from becoming an indefinite veto on any response.
A crisis management plan is an operational playbook covering the full incident-response lifecycle β resource mobilization, decision authority, business continuity, and recovery β in addition to communications. A crisis communication policy focuses specifically on messaging governance: who speaks, what they say, and through which channels. Most organizations need both; the communication policy is typically an appendix or companion to the larger plan.
A business continuity plan addresses how operations are maintained or restored after a disruption β covering IT recovery, supply chain redundancy, and staffing. It does not define who speaks to the media or how public statements are approved. A crisis communication policy fills that gap by governing the reputational and stakeholder-communication dimensions of the same incident.
A social media policy governs day-to-day employee behavior on social platforms β personal use, brand voice, disclosure rules, and content approval. A crisis communication policy activates a separate, elevated set of social media protocols specifically during an active incident, including content pausing and accelerated approval workflows that override normal procedures.
A communications strategy defines long-term goals, audience segmentation, channel mix, and messaging frameworks for proactive PR and stakeholder engagement. A crisis communication policy is reactive and procedural β it defines what to do when normal communications processes break down under the pressure of an unexpected incident. Both documents are needed; they serve entirely different operating conditions.
Patient safety incidents, data breaches involving protected health information, and regulatory investigations require HIPAA-compliant communication protocols and coordination with risk management before any public statement.
Statements made during regulatory investigations or market incidents must be cleared with compliance and legal to avoid creating securities liability or contradicting required regulatory disclosures.
Product safety recalls, payment data breaches, and viral customer-service incidents demand rapid social media response protocols and pre-approved messaging for consumer-facing channels.
Workplace accidents, environmental incidents, and supply chain failures require coordination between operations, safety officers, and communications to align public statements with internal incident reports and regulatory notifications.
| Path | Best for | Cost | Time |
|---|---|---|---|
| Use the template | Small to mid-sized businesses building their first formal crisis communication policy without a dedicated PR team | Free | 3β6 hours to customize and distribute |
| Template + professional review | Organizations in regulated industries or those with significant reputational exposure who want a PR professional or communications consultant to validate protocols | $500β$2,000 for a consultant review and tabletop exercise facilitation | 1β2 weeks including review and a tabletop drill |
| Custom drafted | Large enterprises, publicly traded companies, or organizations with complex multi-jurisdiction operations requiring fully bespoke protocols integrated with legal and regulatory frameworks | $5,000β$25,000+ for a crisis communications firm engagement | 4β10 weeks |
This document is one of 3,000+ business & legal templates included in Business in a Box.
Access over 3,000+ business and legal templates for any business task, project or initiative.
Customize your ready-made business document template and save it in the cloud.
Share your files and folders with your team. Create a space of seamless collaboration.
"Fantastic value! I'm not sure how I'd do without it. It's worth its weight in gold and paid back for itself many times."
"I have been using Business in a Box for years. It has been the most useful source of templates I have encountered. I recommend it to anyone."
"It has been a life saver so many times I have lost count. Business in a Box has saved me so much time and as you know, time is money."
Stop downloading documents. Start operating with clarity. Business in a Box gives you the Business Operating System used by over 250,000 companies worldwide to structure, run, and grow their business.
Start freeΒ Β·Β No credit card required
