Question: Are crisis-management and communication plans defined, with clear roles and escalation paths?
Why This Matters
During crises, structured communications reduce panic and maintain stakeholder trust. Defined roles enable swift decisions.
Maturity
- Level 0: No defined crisis process or contacts.
- Level 1: Ad-hoc communications after incidents.
- Level 2: Crisis plan with command structure and contacts.
- Level 3: Regular updates and simulation drills conducted.
- Level 4: Aligned with PR, HR, and incident response playbooks.
- Level 5: Multi-channel alerting and decision dashboards.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | List key contacts and backups. |
| 1 → 2 | Document roles, responsibilities, and escalation matrix. |
| 2 → 3 | Conduct mock drills and review post exercise. |
| 3 → 4 | Link plan to incident and media response processes. |
| 4 → 5 | Deploy automated notification and dashboard system. |
Enablers
- People: Crisis Manager, Comms Head, CEO
- Process: Detect → Decide → Communicate → Recover
- Technology: Alerting platform, incident dashboard
Evidence
- Crisis plan and contact list
- Drill records
- Post-incident review notes
KPIs
- Number of drills per year
- Average notification time
- Stakeholder communication coverage
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Alerts | Gotify / ntfy | Simple broadcasts |
| Tracking | Airtable | Drill records |
| Docs | Nextcloud | Version control |
Common Pitfalls
- Contacts not updated
- Media response not coordinated
- No drill follow-up actions
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO 22301 | 8.4 / 8.5 |
| ISO 27001 | A.5.29 |
| NIST CSF 2.0 | RS.CO / RC.CO |
| NIRMATA Mapping | BC-Q06 builds crisis response and communication resilience. |