Advertisement

A crisis monitoring runbook is the operational document that sits between your monitoring platform and your crisis communications plan. The crisis plan says who does what and what you say. The runbook says how you detect the signal, how fast you escalate, and who is watching at 2am on a Saturday. This guide is built for UK comms teams and covers risk themes, trigger rules, escalation paths, cross-channel monitoring, and after-action reviews.

Step 1: Define Your Risk Themes

List the five to eight risk themes most likely to generate a crisis for your organisation. These should be specific to your sector and business, not generic.

Example risk register for a UK financial services company:

| Risk theme | Owner | Example scenario | |---|---|---| | Regulatory action | Head of comms | FCA issues public censure or fine | | Data breach | CISO + comms lead | Customer data exposed; ICO notification required within 72 hours | | Executive conduct | CCO | CEO named in misconduct allegation; Times or BBC publishes | | Product failure | Head of product comms | Systemic claims handling failure; consumer complaints spike | | Employee safety | HR director + comms | Workplace incident requiring HSE reporting | | Market event | Investor relations + comms | Share price drop of 5%+; analyst downgrades | | Political/policy | Public affairs | MP or minister publicly criticises the company; select committee inquiry | | ESG/sustainability | Sustainability lead + comms | Greenwashing allegation in Guardian or BBC investigation |

Each theme needs a named owner who is responsible for escalation decisions. If no one owns it, no one will escalate.

Step 2: Write Trigger Rules

For each risk theme, define the monitoring triggers that move it from background tracking to active alert.

Regulatory Action Triggers

  • FCA, CMA, ICO, Ofcom, or ASA publishes a statement, fine, or enforcement notice naming your organisation
  • Regulator announces a sector-wide review that covers your business category
  • Industry peer receives enforcement action in a risk area where you have similar exposure

Monitoring setup: Signal AI has the strongest regulatory content feeds for UK regulators. Set up entity-level alerts for your organisation name in FCA, CMA, ICO, and Ofcom publications. In Meltwater or Cision, create separate alert queries that combine regulator names with your brand and sector terms.

Negative Media Coverage Triggers

  • Story in a Tier 1 outlet (BBC, Sky News, FT, Guardian, Times, Telegraph) with negative framing about your brand, CEO, or a core business area
  • Multiple Tier 2 outlets (trade press, major regionals) covering the same negative story within 24 hours
  • Broadcast pickup: story runs on BBC News, Sky News, or LBC after first appearing in print or online

Monitoring setup: Create a separate "negative Tier 1" alert in your platform. In Meltwater, use sentiment filters combined with source tier tags. In Signal AI, use risk-level classification. Most platforms let you set alerts to fire only when negative sentiment is detected in high-tier sources.

Social Media Triggers

  • Volume spike exceeding 3x daily baseline within a two-hour window
  • Individual post or thread exceeding 500 engagements with negative sentiment
  • Journalist, MP, or account with 50,000+ followers sharing or amplifying a complaint
  • Coordinated activity: multiple accounts posting similar content simultaneously (potential campaign or bot activity)

Monitoring setup: Brandwatch or Meltwater social module. Set threshold alerts based on your 90-day baseline volume. Maintain a watchlist of high-influence accounts (key journalists, relevant MPs, sector commentators, consumer advocates).

Cross-Channel Confirmation

The strongest early warnings appear across multiple channels. A story that surfaces simultaneously on social media and in a trade publication is more likely to escalate than one appearing in either channel alone.

Build a cross-channel confirmation rule: when the same topic triggers alerts on two or more channels within six hours, escalate automatically to the next level regardless of severity scoring.

Step 3: Build the Escalation Path

Use four levels with explicit response time targets:

| Level | Condition | Response time | Decision owner | |---|---|---|---| | Watch | Single signal, low reach, no immediate action needed | Log within 4 hours | Monitoring analyst | | Review | Tier 1 coverage, regulator activity, or cross-channel confirmation | Brief comms lead within 2 hours | Head of comms | | Escalate | Confirmed reputational risk, regulatory enforcement, safety incident | Assemble crisis team within 1 hour | CCO / Director of comms | | Crisis | Material harm occurring or imminent, multi-outlet coverage, regulatory enforcement | CEO briefed and public statement within 1 hour | CEO + CCO |

Out-of-Hours Coverage

UK news does not take weekends or bank holidays off. The BBC and Sky News run 24/7, and social media crises routinely start on Friday evenings.

Set up a duty rota:

  • One comms officer on call for out-of-hours coverage, rotating weekly
  • The duty officer has authority to escalate to Level 2 and to call the head of comms regardless of time
  • Level 3 and Level 4 require the CCO or equivalent, day or night
  • Store key phone numbers, the escalation matrix, and pre-approved holding statements in a mobile-accessible location (not just the office intranet or VPN-locked SharePoint)

Common Mistake: The Friday Night Gap

A UK consumer brand had no out-of-hours monitoring coverage. A product safety complaint went viral on TikTok at 7pm on a Friday, was picked up by the Daily Mail's digital team on Saturday morning, and ran on BBC Breakfast by Sunday. The comms team did not see it until Monday at 9am, by which point the story had been running for 62 hours. Customer complaints had spiked, the CEO had been called by a board member, and the brand had zero public response. The fix: a simple duty rota with one person checking alerts three times per day on weekends (8am, 2pm, 8pm), with the authority to escalate. Cost: nil. Impact: the difference between a managed response and a reputation crisis.

Step 4: Prepare Holding Statements

Draft short holding statements for each risk theme. These should be pre-approved by legal so they can be issued within 30 minutes of a Level 3 escalation.

Each statement follows the same structure:

1. Acknowledge the issue 2. State what you are doing 3. Commit to further updates 4. Provide a contact point

Tailor the language to the risk theme. A data breach statement needs to reference the ICO. A safety incident statement needs to reference the HSE or emergency services. A regulatory statement needs to reference cooperation with the relevant body.

Review and refresh holding statements quarterly.

Step 5: Monitor During the Crisis

Once a crisis is active, monitoring shifts from detection to tracking:

  • Frequency: Check monitoring output every 30-60 minutes during an active crisis, not just at scheduled alert times
  • Dedicated query: Set up a crisis-specific search query in your platform covering the issue topic, key names, and relevant terms. Your Meltwater, Signal AI, or Cision account manager can help with this within hours.
  • Broadcast tracking: BBC News, Sky News, LBC, and Times Radio can drive rapid pickup. Monitor broadcast transcripts and flag any new programme segments.
  • Social tracking: Track volume, sentiment, and key influencer activity on the crisis topic as a separate stream from your routine monitoring.
  • Situation updates: One designated person produces a written situation update every two hours summarising new coverage, tone shifts, stakeholder reactions, and any new outlets covering the story.

Step 6: After-Action Review

Within 48 hours of the crisis being resolved or stabilised, run a structured review covering:

  • Detection: How quickly did the monitoring system flag the first signal? Was it faster or slower than other channels (journalist call, employee tip-off, board member text)?
  • Escalation: Did the escalation path work as documented? Where were the delays?
  • Response: Was the holding statement issued within the target time? Was it accurate and appropriate?
  • Monitoring during crisis: Did the dedicated query capture the full picture? Were there false negatives (stories missed)?
  • Outcome: What was the total coverage volume, sentiment breakdown, and stakeholder impact?

Document findings and update the runbook. Every crisis is an opportunity to improve detection speed and response quality.

Quarterly Testing

Run a 45-minute tabletop drill each quarter. Simulate a monitoring alert and walk through the escalation path in real time. Rotate scenarios:

  • Q1: Regulatory enforcement (FCA fine; BBC and FT request comment)
  • Q2: Social media crisis (TikTok complaint goes viral; Daily Mail picks up)
  • Q3: Data breach (ICO notification required; Guardian publishes)
  • Q4: Executive conduct (CEO allegation; Times investigation)

After each drill, update contact details, trigger rules, and holding statements. A runbook that is tested and updated quarterly is the only kind that works when the alert fires at 11pm.

FAQ

What should trigger a real-time alert?

Safety issues, regulatory action, or high-reach coverage that could harm reputation.

How fast should escalation happen?

Minutes to hours depending on severity; define targets per risk level.

Who should own crisis monitoring?

A comms lead with a documented backup for out-of-hours coverage.

How often should crisis drills run?

Quarterly tabletop drills are a strong baseline.

Advertisement

Related reading

Crisis Escalation Matrix Template for Comms Teams

Crisis Monitoring

Early Warning Indicators for Crisis Monitoring

Crisis Monitoring

Media Monitoring Vendor Contract Checklist

Tooling and Vendors

The UK Media Monitoring Playbook (2026)

Media Monitoring Basics