The Crisis Communications Playbook: Five Audiences, Five Approval Chains

Technical recovery may be excellent. The IT team brings systems back inside RTO. The vendor fallback works. The BCP fires perfectly. But if the customer-facing narrative is inconsistent — different messages on Twitter, the helpdesk and the press release — the reputational damage outlasts the technical incident by months. Crisis communications is the surface where most crises are won or lost from a stakeholder standpoint.

This article walks through a working comms playbook. The parent topic is our crisis management playbook.

The five audiences

A working crisis-comms function manages five distinct audiences, each with its own approval chain, template set and cadence.

1. Customers. External, public-facing. Highest reputational sensitivity. Approval chain: Comms lead → Legal → CMT chair → publish.

2. Staff. Internal. Highest information-needs gap (staff want to know what to tell customers). Approval chain: Comms lead → HR → cascade through line management.

3. Regulators. External, formal. Highest compliance sensitivity. Approval chain: Compliance / Legal → CMT chair → submit per regulatory protocol.

4. Media and analysts. External, public-facing. Specialist handling required. Approval chain: Comms lead (designated single voice) → Legal → CMT chair → release. Everyone else declines to comment.

5. Internal leadership and board. Internal, cadence-driven updates. Lower approval overhead — primarily about discipline and structure. Approval chain: BCM lead → CMT chair → distribute.

Each audience needs its own pre-approved templates, its own approval chain, and its own update cadence. Trying to use one message for all five is the most common pattern of crisis-comms failure.

Pre-approval — the discipline that matters most

The single biggest predictor of credible crisis comms is whether templates were pre-approved in calm time. Drafting from scratch under time pressure at 2 a.m. is how organisations end up apologising for an apology.

The pre-approval pattern:

1. Identify the five most likely incident types for your organisation — typically a mix of cyber-incident, service outage, vendor failure, regional event, and conduct/compliance event.
2. Draft templates per incident type per audience. Five audiences × five incident types = 25 templates. That sounds like a lot; it's a one-time investment that pays off in every real activation.
3. Run templates through legal and comms review in calm time. Establish the boilerplate (regulatory phrasing, disclaimer language, contact details) that doesn't need re-review in the moment.
4. Pre-approve. Templates are signed off by the CMT chair, with explicit scope (which templates are for which incident class).
5. Store accessibly. The comms team can retrieve templates within 5 minutes of activation. On-call rotation has standing access.
6. Refresh annually as part of the BCM cycle.

Filled-in templates still need final approval at activation time, but the structural review has been done. Approval cycles shrink from hours to minutes.

Customer comms — the patterns that work

The most important audience and the most-scrutinised. The patterns we have seen work:

Acknowledge fast, even before you know. A 30-minute "we're aware of an issue affecting [service]; we're investigating; next update in 30 minutes" is more credible than a 4-hour silence followed by a polished post-mortem. Customers forgive incidents; they punish opaqueness.

Be specific about impact. "Some customers may be affected" tells the affected customer nothing. "Customers using card transactions between 03:00-05:00 UTC may have experienced declined transactions" tells affected customers what to do (check, retry, contact us).

Be honest about uncertainty. "We're still investigating the cause and expect to provide an update by [time]" is better than speculation.

Don't apologise for an apology. If you say "we deeply regret" in every update, the phrase loses meaning. Use apology language once at the closing message, not in every status update.

Channel discipline. Use the same channels in the same order every time — website status page, app notification, Twitter, email if applicable. Don't surprise customers with where to look.

Regulator comms — the timing rules

Regulator notification is governed by formal protocols, not playbook discretion. For SAMA-regulated institutions, notification triggers and timing are defined by SAMA's reporting rules; missing a notification window is a regulatory finding regardless of the underlying incident.

The pre-approved regulator templates should include:

• The initial notification — minimum information SAMA requires within the first notification window
• The status-update template — for ongoing communication during the incident
• The post-incident report — the formal closing communication

The compliance / legal function owns the regulator-comms approval chain, not the comms team. The trigger list — which events require regulator notification, in what window — lives in the BCP itself (referencing the relevant regulatory protocol), not in someone's memory. See our SAMA BCM Framework pillar for the SAMA-specific context.

Staff comms — the cascade pattern

Staff want to know what is happening and what they should tell customers. The cascade pattern that works:

• Manager-level briefing within 30 minutes of activation. Single-page summary: what's happening, what we're doing, what to tell customers and counterparties, where to escalate questions.
• Line manager cascades to teams within the next 30 minutes. Each manager owns ensuring their team has the briefing.
• Update cadence matches customer-comms cadence so staff are not surprised by external messaging.
• Closing communication at incident closure — what happened, what we did, what's changing as a result.

Avoid all-staff blasts to the full distribution list. They reach people who don't need them, miss people who do (because of inbox filtering), and create a sense of crisis disproportionate to the incident.

Media and analyst comms — the single-voice rule

The most-mishandled audience by inexperienced programmes. Three rules:

Single voice. One designated spokesperson per incident — typically the Head of Communications or the CEO for major events. Everyone else, including subject matter experts, declines media inquiries.

Holding statement ready. The pre-approved holding statement is the first response to any media inquiry. Substantive comment waits for verified information.

Don't speculate. "We're investigating the cause" is acceptable. "We believe it may have been caused by..." is not, until verified. Speculative comments quoted in media coverage are very hard to retract.

Internal leadership and board

The cadence-driven update audience. The discipline:

• Update format. Standard structure: current status, actions in progress, next decision point, ETA, escalations needed. Same format every update — readers learn to scan it quickly.
• Cadence. Every 30 minutes for the first 2 hours of a major incident, then hourly. Tighter cadence during decision-rich periods.
• Distribution. Specific named distribution list — CMT members, board chair, board risk-committee chair, any executive whose remit is materially affected.

The internal leadership audience is often the easiest to neglect during a real incident because they don't push the way other audiences do. Discipline the cadence anyway — they need the visibility, and the audit trail matters in the §9.3 management review afterwards.

Comms in the AAR

The crisis-comms surface should be a named section in every AAR. What messaging went out, when, to whom, with what reception? What templates worked and what didn't? What pre-approval gaps surfaced? See our AAR template article for the broader format.

For the broader crisis-management context, return to the crisis management playbook. For the platform surface that captures comms records alongside BCP activations, the BCMStack crisis events module ties the comms timeline to the §8.5 activation log.