Crisis Communication
Stakeholder notification, regulatory reporting, and keeping trust when things go wrong.
Overview
The technical recovery and the communication response to a crisis are equally important — and organisations that are technically prepared but communicatively unprepared will still suffer lasting damage to trust, reputation, and regulatory standing. Answer the five questions below with the precision and legal awareness that crisis communication requires.
Read before you answer
Crisis communication is the discipline of managing information flow to internal and external stakeholders during a disruptive event in a way that maintains trust, satisfies regulatory obligations, and supports the recovery effort rather than impeding it. It is the element of BCP most frequently underprepared, because it requires coordination across functions — legal, communications, HR, IT, senior leadership — and depends on decisions that cannot be fully pre-scripted. What can be pre-scripted are the processes: who activates the communication plan, who approves external statements, what the notification hierarchy is, what the regulatory reporting obligations are and when they are triggered, and what channels are used when primary communication tools (email, internal chat) may themselves be unavailable.
Stakeholder notification hierarchies define who is told what, in what order, and through what channel. Internal notification typically follows an inverted funnel: the incident commander or crisis team is notified first, followed by the executive team, followed by affected business units, followed by all staff. External notification follows a different logic governed by legal and regulatory obligation: regulators with mandatory breach notification windows (GDPR's 72 hours to the supervisory authority; HIPAA's 60-day notification requirement; SEC's 4-business-day material cybersecurity incident disclosure for public companies) are notified according to the applicable deadline regardless of whether the incident is fully understood. This creates a significant governance challenge: mandatory notifications must often be made before the full scope of an incident is known, and the content of early notifications must be carefully drafted to be accurate without creating liability from later contradictions. Legal counsel is a required participant in external regulatory notifications, not an optional escalation.
Post-incident review is the final and frequently skipped stage of the crisis communication process. A post-incident review examines not just what happened technically but how the communication plan performed: were the right people notified in the right order? Did the regulatory notification meet the deadline? Were public statements accurate and did they need to be retracted or corrected? Were customers or partners notified in a timely and appropriate manner? What did the communication plan assume that turned out not to be true? The outputs of a post-incident review feed directly back into the BCP: updated contact lists, revised escalation paths, corrected regulatory notification procedures, and lessons learned that improve the next response. Organisations that complete post-incident reviews consistently have demonstrably better crisis responses over time than those that consider the incident closed when systems are restored.