Crisis Communication Policy Template

3 pages • 20–30 min to fill • Difficulty: Standard

At a glance

What it is
A Crisis Communication Policy is an operational document that defines how your organization identifies, escalates, and communicates during a disruptive event — a data breach, product recall, executive misconduct allegation, or natural disaster. This free Word download gives you a structured, editable template covering spokesperson authority, message approval chains, media response protocols, and internal staff messaging, all in one document you can export as PDF and distribute to leadership within hours.
When you need it
Put it in place before a crisis occurs — not during one. Organizations typically finalize this policy after a near-miss incident, during an annual risk review, or as part of a broader business continuity planning exercise. It becomes immediately operational the moment a reputational, operational, or safety event crosses a defined severity threshold.
What's inside
The policy covers crisis classification levels, the crisis response team roster with decision-making authority, spokesperson designation and media protocols, internal notification procedures, external stakeholder messaging guidelines, social media rules, post-crisis review requirements, and a pre-approved holding statement library.

What is a Crisis Communication Policy?

A Crisis Communication Policy is a formal operational document that defines how an organization identifies, escalates, and communicates during a disruptive event — whether that event is a data breach, product safety recall, executive misconduct allegation, workplace injury, or natural disaster. It establishes a clear hierarchy of decision-making authority, designates who may speak to media and under what conditions, sets the approval chain for public statements, and specifies how employees and external stakeholders are notified. Unlike a general communications policy, it is written specifically for time-sensitive situations where ambiguity in roles or messaging causes measurable, lasting reputational harm.

Why You Need This Document

Organizations that enter a crisis without a written policy spend the first critical hour — when narrative is formed — debating who should speak and what to say. That delay is what turns a manageable incident into a headline. Without a defined spokesperson and pre-approved holding statements, individual employees fill the communication vacuum with well-intentioned but inconsistent responses that contradict each other and undermine confidence. Without a formal internal notification protocol, staff learn about a company crisis from a news alert before they hear from leadership — a signal of dysfunction that accelerates attrition and deepens reputational damage. This template gives your Crisis Response Team a clear, tested framework to activate within minutes of a threshold event, so the first hour of a crisis is spent managing the situation rather than improvising the response.

Which variant fits your situation?

If your situation is… | Use this template
Broad-scope planning covering all emergency types including evacuation | Business Continuity Plan
Responding specifically to a cybersecurity breach or data incident | Data Breach Response Plan
Managing external media and press relations during a crisis | Media Relations Policy
Addressing a product defect or safety recall publicly | Product Recall Communication Plan
Communicating with employees about a workplace incident or restructuring | Internal Communications Plan
Documenting risk scenarios and mitigation strategies at the enterprise level | Risk Management Plan
Providing quick reference cards for crisis team members during an event | Crisis Response Checklist

Common mistakes to avoid

❌ No quantified escalation thresholds

Why it matters: Subjective criteria like 'significant impact' lead to inconsistent classification across teams, causing some events to be over-managed and others to go unaddressed until they become public.

Fix: Replace every qualitative descriptor with a measurable trigger — number of affected customers, dollar exposure, media mentions per hour, or regulatory notification windows — so any team member can classify an event without a judgment call.

❌ Naming individuals rather than role titles in the CRT roster

Why it matters: Staff change through resignation, promotion, and leave. A policy that names a person who no longer holds the role creates a gap that only surfaces at the worst possible moment.

Fix: Use job titles throughout the policy and maintain a separate, privately circulated contact sheet with current names and numbers that is updated quarterly.

❌ Requiring too many sign-offs on time-sensitive statements

Why it matters: A five-person approval chain adds 60–90 minutes to statement issuance. In a fast-moving media cycle, that delay allows misinformation to establish itself as the dominant narrative.

Fix: Cap external statement approvals at three people — Communications Director, CEO, and Legal if required — and pre-delegate authority to two of the three for Level 1 events.

❌ Leaving pre-scheduled social content running during an active crisis

Why it matters: A promotional post or lighthearted content published while an incident is unfolding signals to the public that the organization is either unaware of or indifferent to the situation, compounding reputational damage.

Fix: Include an immediate social media pause as the first action item in the CRT activation checklist, assign a single owner responsible for executing it, and verify that remote access to the scheduler exists before finalizing the policy.

❌ Sending the press release to employees as internal communication

Why it matters: Corporate boilerplate does not tell employees what they should say when a customer or neighbor asks. Staff who feel like outsiders fill the gap with speculation, which leaks externally.

Fix: Maintain a separate internal communication template that answers three questions in plain language: what happened, what the company is doing about it, and what employees should say if asked.

❌ Never testing the policy with a tabletop exercise

Why it matters: A policy written in calm conditions contains assumptions that only fail under time pressure — systems that require VPN, contacts who have changed roles, approval chains that stall at a single unavailable person.

Fix: Run a 90-minute tabletop exercise annually using a realistic scenario. Document every point where the team improvised around the written policy — each improvisation is a gap that needs to be closed before a real event.

The 10 key sections, explained

Purpose and scope

Crisis classification levels

Crisis Response Team (CRT) roster and authority

Escalation and notification procedures

Spokesperson designation and media protocols

Message development and approval workflow

Internal employee communication

Social media and digital response protocols

External stakeholder notification

Post-crisis review and policy update

How to fill it out

  1. Define your crisis classification levels with measurable thresholds

    Choose two to four severity levels and assign specific, quantified criteria to each — number of customers affected, media mentions per hour, regulatory triggers, or financial exposure. Document the criteria in a table for easy reference.

    💡 Pilot the thresholds by walking two or three past incidents through the classification framework before finalizing — if reasonable people disagree on the level, the criteria need more specificity.

  2. Assemble the Crisis Response Team roster by role title

    List every CRT position by title rather than by individual name. For each role, document their authority level at each classification tier, their primary contact number, and the name and contact of their designated backup.

    💡 Store the completed roster in a location accessible outside your primary systems — a shared drive that requires VPN access is useless if the crisis is a network outage.

  3. Map the escalation and notification sequence

    Draw a linear flow from initial detection through CRT activation, including every handoff point, the responsible role, the maximum time allowed at each step, and the parallel escalation bypass path.

    💡 Build the flow chart in a one-page visual as an appendix — during an active crisis, a dense paragraph is slower to read than a diagram.

  4. Designate and brief the spokesperson and backup

    Name the primary and backup spokesperson by title, specify the approval chain required before any statement is issued, and document the redirect instruction all other employees will use when approached by media.

    💡 Run at least one mock media briefing with the spokesperson annually — reading the policy is not a substitute for practiced delivery under pressure.

  5. Write and approve the holding statement library

    Draft pre-approved holding statements for your four to six most probable crisis scenarios — data breach, workplace injury, executive misconduct, supply chain failure, product defect, and natural disaster. Store them in a system accessible to the CRT without an internet dependency.

    💡 Each holding statement should be under 75 words, factually neutral, and contain a named contact for further inquiries. Wordier statements invite more questions, not fewer.

  6. Document the internal employee notification protocol

    Specify the exact channel, timing (relative to external statement issuance), responsible role, and required content elements for internal staff communications at each classification level.

    💡 Draft a plain-language employee notification template alongside the holding statement library — the format, not just the policy, saves time under pressure.

  7. Set the social media pause and posting rules

    List every owned social account, confirm who holds login access during a crisis, document the content-pause trigger, and define the approval chain required before any crisis-related post is published.

    💡 Verify that your social media scheduler can be paused remotely and without requiring access to the primary office network before you finalize this section.

  8. Schedule the annual policy review and drill

    Set a fixed annual review date in the calendar, assign the owner responsible for coordinating the tabletop exercise, and add the post-crisis review trigger to the CRT activation checklist.

    💡 Treat the annual drill date as non-negotiable — a policy that has never been practiced is untested, and most weaknesses only surface under simulated time pressure.

Frequently asked questions

What is a crisis communication policy?

A crisis communication policy is a formal organizational document that defines how a company detects, classifies, and responds to disruptive events through coordinated internal and external messaging. It designates who speaks on behalf of the organization, how messages are approved, how employees are notified, and how social media is managed during an incident. Unlike a general communications policy, it is specifically designed for time-sensitive, high-stakes situations where the cost of silence or inconsistency is reputational damage.

What is the difference between a crisis communication policy and a crisis communication plan?

A policy sets the rules, roles, and authority structure — it answers who is authorized to do what and under which conditions. A plan translates those rules into operational sequences for specific scenarios — step-by-step actions for a data breach, product recall, or executive misconduct situation. Most organizations need both: the policy as the governing framework and scenario-specific plans as operational checklists. This template covers the policy layer; scenario plans are built as appendices or companion documents.

Who should own the crisis communication policy?

Ownership typically sits with the Communications Director or VP of Communications, with a co-owner in Risk, Legal, or Operations depending on the organization's structure. HR should be a required reviewer for any employee-facing provisions, and Legal should sign off on any sections touching regulatory notification obligations. In smaller organizations without a dedicated communications function, the CEO or COO typically owns the policy directly.

How often should a crisis communication policy be reviewed?

Annual review is the standard minimum. The policy should also be reviewed immediately after any real crisis event, after any significant organizational restructuring, after a merger or acquisition, and after any incident that required improvising around the written protocol. A policy that has not been reviewed in more than 18 months should be treated as untested regardless of its original quality.

What should a crisis communication policy include?

At minimum: a purpose and scope statement, crisis classification levels with measurable thresholds, a Crisis Response Team roster with decision-making authority, an escalation and notification sequence, spokesperson designation and media rules, a message approval workflow with a holding statement library, internal employee communication requirements, social media protocols, external stakeholder notification procedures, and a post-crisis review requirement. Missing any of these creates a gap that will be exposed under real conditions.

How quickly should a company issue a public statement during a crisis?

A holding statement should be issued within 60 minutes of a crisis being declared, in most scenarios. The holding statement does not need to contain all the facts — it acknowledges that the organization is aware of the situation and is actively responding. Silence for more than 60–90 minutes in a publicly visible incident allows external narratives to establish themselves and signals either ignorance or indifference. The final, detailed statement follows once facts are confirmed.

Do small businesses need a crisis communication policy?

Yes — in fact, small businesses are often more vulnerable to reputational crises because they have fewer resources to recover from one. A single negative viral post, a workplace injury, or a data breach can be existential for a business with a small customer base and no PR budget. A three-to-five page crisis communication policy covering the basics — who speaks, how employees respond, and how to notify key stakeholders — is achievable for any business size and requires no outside consultant to produce using a structured template.

What is a holding statement and why does it matter?

A holding statement is a brief, pre-approved response — typically under 75 words — issued within the first hour of a crisis to acknowledge the situation without committing to unverified facts. It prevents the vacuum that forms when an organization says nothing, which media and social audiences fill with speculation. A good holding statement confirms the organization is aware, states what is being done at a high level, and provides a point of contact for further inquiries. Having these pre-approved for likely scenarios is what allows a 60-minute response time to be achievable.

How does a crisis communication policy relate to a business continuity plan?

A business continuity plan covers how an organization maintains operations during a disruptive event — technology failover, supply chain alternatives, remote work activation. A crisis communication policy governs how the organization communicates about that disruption to internal and external audiences. The two documents should cross-reference each other: the business continuity plan triggers the crisis classification level, and the communication policy governs everything said publicly and internally from that point forward.

How this compares to alternatives

vs Business Continuity Plan

A business continuity plan defines how operations are maintained or restored during a disruption — covering technology recovery, alternate suppliers, and remote-work activation. A crisis communication policy governs how the organization communicates about that disruption. The two documents are complementary: the continuity plan handles operational recovery while the communication policy manages the narrative. Organizations need both.

vs Risk Management Plan

A risk management plan identifies potential threats, assesses their likelihood and impact, and defines mitigation strategies before an event occurs. A crisis communication policy is activated after a threshold event has occurred and governs real-time response. The risk plan feeds the communication policy by defining which scenarios are most probable and therefore warrant pre-approved holding statements and message maps.

vs Media Relations Policy

A media relations policy covers day-to-day rules for how the organization interacts with press — interview approval, embargo management, and spokesperson authorization for routine matters. A crisis communication policy covers the elevated protocols that take effect when a situation reaches a defined severity threshold. The media relations policy handles normal conditions; the crisis policy overrides it under emergency conditions.

vs Internal Communications Plan

An internal communications plan governs ongoing employee communication — newsletters, town halls, change announcements, and organizational updates. A crisis communication policy defines the emergency-specific subset of internal communication: who notifies employees, in what timeframe, through which channels, and with what mandatory content elements when a crisis event is declared. The internal comms plan governs normal operations; the crisis policy takes over for high-stakes events.

Industry-specific considerations

Technology / SaaS

Data breach notification timelines under GDPR and state breach laws create hard external deadlines; the policy must integrate legal counsel into the CRT activation chain from the outset.

Healthcare

Patient safety incidents and HIPAA breach notifications require near-simultaneous regulatory and public communication; spokesperson protocols must account for clinical staff who are frequently approached by media.

Retail / E-commerce

Product safety recalls, payment data breaches, and viral customer service failures each require distinct message maps; social media monitoring is critical given the volume and speed of consumer-generated content.

Manufacturing

Workplace safety incidents, environmental releases, and supply chain failures each have regulatory notification requirements that must be baked into the escalation sequence with explicit timeframes.

Template vs pro — what fits your needs?

Path | Best for | Cost | Time
Use the template | Small to mid-size businesses building a first crisis communication policy without a dedicated PR or communications team | Free | 4–8 hours
Template + professional review | Organizations in regulated industries, companies that have experienced a real crisis, or businesses whose scenario library needs a communications professional's input | $500–$2,000 for a PR consultant review and tabletop facilitation | 1–2 weeks
Custom drafted | Enterprise organizations, publicly traded companies, or businesses in high-exposure sectors (healthcare, finance, energy) requiring integrated legal and communications review | $5,000–$20,000+ for agency or specialist firm | 4–8 weeks

Glossary

Crisis Classification Level
A severity tier — typically Level 1 (minor), Level 2 (moderate), or Level 3 (major) — that determines which response protocols and decision-makers are activated.
Crisis Response Team (CRT)
The designated group of executives, department heads, and communications staff who hold decision-making authority during a declared crisis.
Spokesperson
The single authorized individual — usually the CEO or Communications Director — who issues official statements and speaks to media on the organization's behalf.
Holding Statement
A brief, pre-approved statement released within the first hour of a crisis that acknowledges the situation without committing to facts not yet confirmed.
Dark Site
A pre-built crisis website or web page kept offline until an emergency occurs, then activated to provide authoritative public information.
Message Map
A structured document linking each crisis scenario to three to five pre-approved key messages and supporting proof points for spokesperson use.
Escalation Threshold
The specific conditions — number of affected customers, media mentions, or regulatory triggers — that require moving a situation to the next crisis classification level.
Post-Crisis Review
A structured debrief conducted 2–4 weeks after a crisis is resolved to identify what worked, what failed, and what changes the policy requires.
Media Holding Period
The defined window — typically 30 to 60 minutes — during which no public statement is issued while facts are verified and the CRT convenes.
Social Listening Protocol
The assigned process for monitoring social media channels during a crisis to detect emerging narratives and flag misinformation for rapid response.
Stakeholder Registry
A maintained list of external parties — investors, regulators, key clients, and partners — who must be notified directly during a crisis, with contact details and notification sequencing.

Part of your Business Operating System

This document is one of 3,000+ business & legal templates included in Business in a Box.