A crisis communications plan is the document your team reaches for when a BBC News alert lands with your brand name in the headline. If it is longer than ten pages, it will not get read under pressure. If it does not exist, your response will be improvised, slow, and inconsistent. This template is built for UK comms teams and covers structure, roles, statements, channels, and testing.
Plan Structure: Keep It to Seven Sections
Section 1: Scope and Activation
Define what counts as a crisis for your organisation. Not every negative article is a crisis. A useful threshold:
A crisis is an event or issue that poses material risk to the organisation's reputation, operations, regulatory standing, or stakeholder trust, and requires coordinated response beyond routine comms.
List activation triggers specific to your business:
- Regulatory enforcement by the FCA, CMA, ICO, Ofcom, or ASA
- Safety incident involving employees, customers, or the public
- Data breach requiring ICO notification (within 72 hours under UK GDPR)
- Negative investigation by a Tier 1 outlet (BBC Panorama, Guardian, Times, Channel 4 Dispatches)
- Executive misconduct allegation
- Significant operational failure affecting customers
The plan is activated when any trigger is confirmed. Activation means the crisis team assembles and all external communications are paused pending review.
Section 2: Crisis Team Roles
Name specific people, not job titles. Job titles create ambiguity when two people think they are in charge.
| Role | Named person | Backup | Mobile | |---|---|---|---| | Crisis lead (final decision on all comms) | | | | | Spokesperson (media-facing) | | | | | Legal advisor | | | | | HR lead (if employee-related) | | | | | Operations / business unit lead | | | | | Social media lead | | | | | Internal comms lead | | | | | Monitoring lead (Signal AI / Meltwater / Cision operator) | | | |
Update this table every quarter. When someone leaves or changes role, the plan must be updated within one week.
Section 3: Holding Statements
Draft holding statements for your five most likely crisis scenarios. Each statement should be three to four sentences: acknowledge the issue, state what you are doing, commit to transparency.
Template:
We are aware of [issue]. We are taking this seriously and [action being taken]. We will provide further updates as more information becomes available. [Optional: contact details for media / stakeholders.]
Example -- Data Breach:
We are aware of a data security incident affecting some customer accounts. We have notified the ICO and are working with our security team to understand the scope and impact. Affected customers will be contacted directly. We will provide further updates as our investigation progresses.
Example -- Regulatory Action:
We have received [notice/fine/finding] from the [FCA/CMA/ICO]. We are reviewing the details carefully and take our regulatory obligations seriously. We will cooperate fully with the [regulator] and provide an update once we have completed our review.
Example -- Safety Incident:
We can confirm an incident at [location] on [date]. The safety of our employees and customers is our highest priority. We are working closely with [emergency services / HSE] and will share further information as it becomes available.
Do not try to write perfect statements in advance. The goal is to have a skeleton that can be adapted in minutes, not hours.
Section 4: Approval Workflow
Under pressure, the biggest delay is not writing the statement -- it is getting it approved. Define the approval chain before the crisis:
- Level 1 (routine reactive): Head of comms can approve
- Level 2 (significant issue): CCO or Director of comms approves, legal reviews
- Level 3 (material crisis): CEO approves all external statements, legal and board chair consulted
Set a time limit for each approval step. If the approver does not respond within 30 minutes, authority passes to the backup. Write this rule down explicitly -- it is the clause that prevents paralysis at 10pm on a Sunday.
Section 5: Channel Plan
Different audiences need to hear from you through different channels, in a specific order:
1. Internal first: Employees should hear about the crisis from you before they see it on the BBC. Use an all-staff email or intranet alert. 2. Regulators: If a regulatory notification is required (e.g., ICO breach notification), this runs in parallel with internal. 3. Key stakeholders: Investors, partners, and major customers get a direct communication -- not a press release. 4. Media: Reactive statement issued to enquiring journalists. If the story is already running, consider a proactive statement to PA Media, BBC, Sky News, and the outlet that broke it. 5. Social media: Post a short statement on your owned channels. Turn off scheduled marketing posts immediately. 6. Website: Publish a statement on your newsroom or corporate site with a clear timestamp.
Section 6: Monitoring During the Crisis
Your monitoring setup needs to shift during a crisis:
- Switch from daily digest to real-time alerts on the crisis topic
- Set up a dedicated search query for the issue (your Meltwater, Signal AI, or Cision account manager can help with this within hours)
- Monitor broadcast -- BBC News, Sky News, LBC, and Times Radio can drive rapid pickup
- Track social media volume and sentiment separately -- a social spike often precedes the next wave of press coverage
- Assign one person to produce a situation update every two hours summarising new coverage, tone shifts, and stakeholder reactions
Section 7: Post-Crisis Review
Within 48 hours of the crisis being resolved or stabilised, run a structured debrief:
- Timeline: What happened, when, and what was our response at each stage?
- Speed: How quickly did we detect, escalate, and respond? Where were the delays?
- Accuracy: Were our statements factually correct and consistent?
- Gaps: What did the plan not cover that we needed?
- Updates: What changes to the plan, team, or monitoring setup are needed?
Document the findings and update the plan within two weeks.
Common Mistake: The Plan That Lives in a Drawer
A UK financial services firm had a 42-page crisis communications plan created by an external consultancy. It included detailed flowcharts, RACI matrices, and scenario trees. When the FCA publicly censured the firm, the comms team could not find the document (it was in a SharePoint folder three levels deep), and even when they did, it took 20 minutes to work out who was supposed to approve the first statement. The firm went five hours without a public response while the story ran on the FT, BBC, and Sky News.
The fix: a one-page quick-reference card with five phone numbers, three holding statements, and the approval chain. The full plan sits behind it for reference, but the one-pager is what people use in the first 30 minutes.
Quarterly Testing
Run a 45-minute tabletop drill each quarter. Pick a scenario, simulate a media enquiry, and walk through the plan in real time. Rotate scenarios between regulatory, safety, data, and reputational crises. After each drill, update the plan. A plan that is tested and updated quarterly is the only kind that works.