Incident Communication Plan Template. Fast Leader Cadence

Incident communication plan template with a fill-in-the-blank update cadence. Keep leaders aligned, customers informed, and decisions moving fast under pressure.

Tyson Martin for SageSims

5/24/2025

Incident communication plan. A fill-in-the-blank communications cadence for leaders

Why this exists

When an incident hits, two things happen at once. The operational team fights for control. Everyone else fights uncertainty. If you do not manage that uncertainty, it will manage you. Rumors spread, customers lose patience, partners escalate, regulators hear a half-story, and your own team starts freelancing their own narratives.

This incident communication plan gives leaders a fill-in-the-blank cadence, clear ownership, and ready-to-send messages. It is designed for any incident type: outage, security event, safety issue, product defect, data error, AI failure, facilities disruption, third-party failure, or misconduct investigation. Adjust it for your industry obligations and always loop in counsel for legal and regulatory decisions.

Principles. The rules you do not break

  1. Speed with humility. Communicate early. Do not guess.

  2. One story. Many audiences. Same facts, tailored framing.

  3. Time-stamped truth. Always state “as of [time]” to avoid contradictions.

  4. No surprises. Customers should not learn from social media. Executives should not learn from customers.

  5. Own the next update. If you cannot share more yet, share when you will.

  6. Protect the investigation. Preserve evidence. Keep sensitive details tight.

  7. Separate empathy from liability. You can care deeply without admitting fault.

  8. Document everything. Every message, approval, and change lives in the incident log.

Roles and decision rights

Fill these in before you need them. During an incident, no one should wonder who owns communications.

  • Incident Commander (IC): [Name, Title, Mobile]
    Owns the incident timeline, severity, and operational decisions. Approves factual content for updates.

  • Comms Lead: [Name, Title, Mobile]
    Owns this incident communication plan execution. Drafts messages, runs cadence, manages versions.

  • Executive Sponsor: [Name, Title, Mobile]
    Clears major tradeoffs fast. Owns board-level updates and executive alignment.

  • Legal and Compliance Lead: [Name, Title, Mobile]
    Reviews external messaging, notification obligations, and retention. Advises on risk.

  • Customer Support Lead: [Name, Title, Mobile]
    Owns customer scripts, frontline routing, and case tracking.

  • People Lead (HR): [Name, Title, Mobile]
    Owns employee communications when people impact is involved.

  • Security Lead (if applicable): [Name, Title, Mobile]
    Advises on data exposure risk and investigation integrity.

  • Scribe: [Name]
    Captures decisions and sends the official notes after each checkpoint.

Single spokesperson rule: External media inquiries go to [Name, Title]. Everyone else routes inquiries to that person. No exceptions.

Severity levels. Pick one fast

You need a shared label so the organization moves at one speed.

  • SEV 1: Material safety risk, major customer impact, likely public attention, confirmed or suspected sensitive data exposure, or regulatory clock is running.

  • SEV 2: Significant disruption or harm, limited scope, elevated reputational risk, partner escalation likely.

  • SEV 3: Contained incident, minimal external impact, internal stakeholders still need awareness.

  • SEV 4: Near miss, caught early, document and learn.

Declared severity: [SEV 1 / SEV 2 / SEV 3 / SEV 4]
Incident name: [Short plain name, e.g., “Customer Portal Outage”]
Start time: [Date, Time, Timezone]
IC declared time: [Date, Time, Timezone]

Audiences and what they need

Different groups need different answers. Use this as your message filter.

1) Executives and board

They need: impact, risk, decisions needed, mitigation status, and what could get worse.

2) Employees

They need: what changed, what to say, where to route questions, and what to do now.

3) Customers

They need: what is happening to them, what you are doing, what they should do, and when they will hear from you again.

4) Partners and vendors

They need: whether they are affected, whether they should change behavior, and a reliable point of contact.

5) Regulators and auditors (if applicable)

They need: credible facts, timelines, controls, and notification posture.

6) Media and public (if applicable)

They need: a calm statement, evidence you are in control, and a clear update cadence.

Channels. Decide once, then stick to it

Fill in the channels you will use. Keep it simple.

  • Internal updates channel: [Internal channel name]

  • Internal leadership updates: [Email group or distribution list]

  • Customer updates: [Status page link or email mechanism]

  • Partner updates: [Partner email list or account owner process]

  • Press inquiries: [Press inbox and spokesperson contact]

  • Incident hotline (optional): [Phone]

  • Update archive location: [Folder or document location]

Rule: No one creates a second “unofficial” update stream. If it is not in the official cadence, it is noise.

The cadence. A fill-in-the-blank schedule for the first 72 hours

This is the core of the incident communication plan. Use it every time. It prevents drift.

Within 15 minutes of declaration

Audience: Executives, core incident team
Format: Short written update
Owner: IC + Comms Lead
Content:

  • Incident declared. [Incident name]

  • Severity. [SEV level]

  • Known impact. [1–2 sentences]

  • Immediate action. [Containment step]

  • Next update at. [Time]

Template:
“As of [time], we declared [incident name] as [SEV]. Impact observed: [impact]. We have taken [containment action]. Next update by [time].”

Within 30 minutes

Audience: Customer Support, Sales, Customer Success, frontline managers
Format: Script and routing guidance
Owner: Support Lead + Comms Lead
Content:

  • What to say, and what not to say

  • How to capture customer reports

  • Escalation path for high-risk issues

  • Where to find the next update

Within 60 minutes

Audience: All employees, or targeted group if contained
Format: Short internal notice
Owner: Comms Lead, approved by Executive Sponsor
Content:

  • Acknowledgment

  • Behavior guidance

  • Where updates will be posted

  • Reminder. Do not speculate externally

Template:
“Team. We are managing [incident name] declared at [time]. As of [time], impact is [impact]. Please route questions to [internal channel]. Do not share details externally. Next internal update by [time].”

90 minutes to 2 hours

Audience: Customers and partners, if external impact exists
Format: Status update or direct outreach
Owner: Comms Lead + Legal as needed
Content:

  • What users may be seeing

  • Workarounds

  • What you are doing now

  • Next update time

  • How to get help

Customer template:
“As of [time], we are investigating [incident name]. Some customers may see [symptom]. We have [mitigation step]. If you need assistance, contact [support]. Next update by [time].”

Every 60 minutes for SEV 1, every 2 to 4 hours for SEV 2

Audience: Executives, incident team, frontline leads
Format: Brief written update, plus a short leadership call if needed
Owner: IC + Comms Lead
Minimum content each time:

  • What changed since last update

  • Current impact estimate

  • Actions completed

  • Actions next

  • Risks and unknowns

  • Next update time

Every 4 to 6 hours for SEV 1 and SEV 2

Audience: Customers and partners, if ongoing impact
Format: Status update
Owner: Comms Lead
Content:

  • Confirm ongoing work

  • Share progress without false certainty

  • Provide expected next milestone if credible

  • Reconfirm support paths

24-hour mark

Audience: Board and executives. Customers and partners as appropriate
Format: One-page summary plus a short briefing
Owner: Executive Sponsor + IC + Legal
Content:

  • Timeline

  • Impact summary

  • What you know, and what you do not know

  • Current operating state

  • Customer and stakeholder actions taken

  • Next 48-hour plan

  • Decision requests

Message structure. Use this every time

Every update should follow the same pattern. It reduces confusion.

  1. Timestamp: “As of [time] [timezone]”

  2. What happened: One sentence

  3. Impact: Who, what, where

  4. What we did: Actions taken

  5. What we are doing next: Next actions

  6. What you should do: Guidance for the audience

  7. Next update: Time and channel

Approval flow. Keep it fast

During incidents, approval paralysis is common. Pre-define it.

  • Internal updates: Comms Lead drafts. IC confirms facts. Executive Sponsor approves if wide distribution.

  • Customer updates: Comms Lead drafts. IC confirms facts. Legal reviews if there is any liability or notification angle.

  • Partner updates: Same as customer updates. Add Account Owner review for relationship sensitivity.

  • Regulator communications: Legal owns. IC provides facts. Executive Sponsor signs.

  • Media statements: Comms Lead drafts. Legal reviews. Executive Sponsor approves. Spokesperson delivers.

Time box approvals: If no response within [10] minutes during SEV 1, default approval goes to [Executive Sponsor or IC]. Document the decision.

Content boundaries. What you do not say

These rules prevent self-inflicted damage.

Do not:

  • Speculate on cause.

  • Offer exact restoration times unless you are highly confident.

  • Share sensitive details about systems, internal controls, or vulnerabilities.

  • Identify individuals.

  • Admit fault or intent.

  • Overpromise compensation or remedies.

Do:

  • Acknowledge impact and frustration.

  • Confirm active response and containment steps.

  • Offer clear support paths.

  • Commit to follow-up.

Fill-in-the-blank templates you can reuse

Executive update. 6 lines maximum

Subject: [Incident name]. [SEV]. Update [#]. As of [time]

  • Status: [Investigating / Mitigating / Recovering / Monitoring]

  • Impact: [Customers impacted], [systems], [regions]

  • What changed: [New info since last update]

  • Actions taken: [Top 2 actions]

  • Risks and unknowns: [Top 2]

  • Next update: [time]

Employee note

“Team. As of [time], we are responding to [incident name] at [SEV]. If you are asked about it, please say: ‘We are aware and working it. Updates are shared through official channels.’ Route questions to [internal channel]. Next update by [time].”

Customer status update

“As of [time], we are responding to [incident name]. You may experience [symptoms]. We have taken [mitigation action]. Workaround: [if any]. We will provide the next update by [time]. For help, contact [support].”

Partner note

“As of [time], we are responding to [incident name]. This may affect [integration/workflow]. We have taken [mitigation action]. If you observe issues, contact [partner contact]. Next update by [time].”

Regulator notice. Short form

“As of [time], we identified [incident summary]. We are investigating scope and impact. Preliminary containment steps include [actions]. We will provide an update by [time/date]. Point of contact: [Legal lead name, phone, email].”

Media holding statement

“We are investigating an incident affecting [service/system]. We have taken steps to limit impact and are working to restore normal operations. We will share updates as we learn more. Customers can find updates at [location] or contact [support].”

Operating rhythm. The leadership checkpoints

If you do not schedule decision points, you will relive the same debate every hour.

Checkpoint agenda, 15 minutes:

  • IC summary. What changed.

  • Comms summary. What we said. What we will say next.

  • Legal. Any new obligations or red flags.

  • Support. Customer temperature and surge levels.

  • Decisions. What must be decided in the next hour.

  • Confirm next update times.

Checkpoint times:

  • SEV 1: Every 60 minutes for the first 6 hours, then every 2 hours

  • SEV 2: Every 2 to 4 hours

  • SEV 3: Twice daily until resolved

Special situations. Add-on modules

Use these only when they apply.

If sensitive data might be involved

  • Tighten message discipline. Limit internal distribution of details.

  • Prepare a “possible exposure” posture without stating confirmation.

  • Work with Legal on notification thresholds and timing.

  • Ensure customer support has an escalation path for identity or fraud concerns.

If physical safety is involved

  • Elevate to SEV 1 immediately.

  • Provide clear safety instructions.

  • Create a rapid escalation path to a safety team or emergency resources.

If a third party is involved

  • Avoid blaming them publicly.

  • Align facts privately.

  • Communicate your actions regardless of their pace.

If the incident is likely to hit social media

  • Prepare a short public statement early.

  • Monitor for misinformation.

  • Do not argue. Correct calmly with facts and direct people to your update channel.

The closeout. Ending communications cleanly

When you are stable, you still need to land the plane.

Resolution update template:
“As of [time], [incident name] is resolved. Root cause is under review. We took [key actions]. If you experienced issues, please contact [support]. We will share a follow-up summary by [date].”

Within 5 business days: publish or distribute a post-incident summary appropriate to your audience. Include what happened, what changed, and what you are doing to reduce recurrence.

Quick-start. Copy this into your incident doc

  • Incident name: [ ]

  • Severity: [ ]

  • IC: [ ]

  • Comms Lead: [ ]

  • Legal: [ ]

  • Executive Sponsor: [ ]

  • First executive update sent at: [ ]

  • First employee note sent at: [ ]

  • First customer update sent at: [ ]

  • Next update times: [ ]

  • Approved spokesperson: [ ]

  • Message archive location: [ ]