
More Than Half of U.S. Businesses Should Be Worried About the Next Crisis—Here's Why

By Zach Capers


Too many companies are underestimating the preparation needed where it matters most—let’s make sure yours isn’t one of them.

Being caught flat-footed in the midst of a crisis can compound problems, confuse stakeholders, and damage your company’s reputation. That’s why all business leaders need to be ready to respond to everything from a cyberattack to a natural disaster. But according to Capterra’s 2023 Crisis Communications Survey*, fewer than half of U.S. businesses can say that they are adequately prepared to communicate during a crisis.

In this report, we’ll explore survey results, define the elements of a crisis communications plan, and explain how you can be better prepared to communicate as a business when the inevitable strikes.

Key survey findings

  • 98% of business leaders who have activated their crisis communications plan say it was effective—77% say it was very effective.

  • Cyberattacks (28%) and technology failures (22%) make up half of all crisis events.

  • After using it during a crisis, a full 72% of business leaders would broaden the scope of their crisis communications plan—even more would increase practice in advance.

Only 49% of U.S. businesses have a formal crisis communications plan

Crisis communications plans are crucial for disseminating information during a critical situation. In fact, of business leaders who have activated their plan, nearly all (98%) said it was either very (77%) or somewhat (21%) effective.

Unfortunately, fewer than half (49%) of U.S. businesses say they actually have a formal documented plan. Another 28% have an informal (i.e., undocumented) crisis communications plan and nearly a quarter (23%) don’t have (or aren’t sure if they have) one at all.


To be clear, an informal plan is better than no plan at all—but when a crisis hits, you need to know exactly who is in charge of communications for each part of the business and to whom messages should be directed, all of which is much more effective under a comprehensive and well-documented plan.

To develop your plan, you must involve leaders from key parts of the business. We asked companies that do have a formal crisis communications plan to indicate which departments are involved. IT management is included most often (91%), followed by business operations (83%) and public relations (81%). Perhaps the most surprising result is that human resources trails far behind.


Of course, not all organizations will have every one of these groups, so your team should comprise those roles that are relevant to your company and include any others that will maximize the organizational expertise needed during a potential crisis. Keep in mind that each member should have a backup person chosen to ensure coverage in case the primary is absent or otherwise unavailable during the event.

Cyberattacks are the leading cause of crisis events, but not by much

Cyberattacks understandably get a lot of headlines these days, so it’s no surprise that they top the list of reasons our survey respondents have activated their crisis communications plan.

But what might be a surprise is that cyberattacks only account for 28% of crisis events while a host of others make up the remaining 72%, including technology failures (22%), workplace violence or threats (19%), health-related crises (16%), natural disasters (9%), and PR crises (6%). This wide spread among disparate crises means you need a dynamic plan that accounts for fundamentally different types of events.


This list is obviously not exhaustive and some businesses are more likely to face one type of crisis over another. Your team should endeavor to narrow down the types of crises that your business is most likely to face and plan accordingly for those scenarios. What’s more, your company might have specific regulatory reporting duties (depending on your industry and the type of security event) that must be incorporated into your crisis planning.

Most businesses vastly underestimate crisis planning

A full 84% of business leaders who have been through a crisis say they would increase practicing in advance—more than half said they’d strongly increase practice. More than three in four (78%) say they’d increase the tools used for communication, and 72% said they’d increase the scope of the plan.


While a not-insignificant portion feel like they’d keep things the same, just 3% or less would actually decrease practice, communication tools, or plan scope after experiencing a crisis. This data suggests that companies by and large underestimate the breadth of planning required to meet the needs of an actual crisis event.

Craft messages in advance to save time when a crisis hits

In the same way you have to prepare for different types of crises, you must also be ready to communicate at various levels of severity and with distinct audiences. These might include:

  • Customers/clients

  • Employees

  • Third parties (e.g., vendors and/or partners)

  • Regulatory authorities

  • Insurance companies

  • General public

Keep in mind that even if you have little information to provide initially for updates, it’s important to stay in regular contact to provide assurance that you are on top of the issue at hand.

A low-severity-impact crisis message directed to clients might look like the following:

[Company name] discovered a security breach involving the unauthorized access of a system hosting an encrypted database using stolen credentials. At this time, we do not have any evidence that data has been compromised. Our investigation is ongoing, and we will provide additional information once it is complete.

A mid-to-high-impact crisis message might look more like the following:

[Company name] regrets to confirm that our security team has discovered a breach affecting all client accounts. We have notified the relevant authorities and are working closely with them to better understand and contain the impact. At this time, it is too early to determine the extent to which, if any, information has been compromised. 

We will continue to keep you informed while working vigilantly to minimize any potential customer impact. In the meantime, please contact [name] at [phone or email] with any questions or concerns.

As mentioned, separate messaging might be necessary for employees (ideally in coordination with HR) as well as partners, vendors, and other third parties. Let’s take a look at what a crisis message directed toward internal staff might look like:

We can confirm that [client database] was breached by unknown attackers using stolen employee credentials. All employee credentials have been locked and will require the creation of a new password. You will soon receive an email with instructions on creating your new password along with how to set up multi-factor authentication which will now be required for all [client database] users. Please reach out to the help desk if you encounter any difficulties.

Our investigation into the breach is ongoing, and we will provide additional information when it is available. For now, if you are contacted by outside parties, please direct them to [name] at [phone or email] who is solely authorized to speak on behalf of the company for any related inquiries.

It’s important to stress that nobody outside of the crisis communications team should be making any statements about the crisis to anyone. Make sure to provide talking points for all staff about whom they should refer outside questions to regarding the incident. It might also be necessary to reinforce social media guidelines.


Lessons learned from those who’ve been through a crisis

We asked survey respondents what they’d do differently after experiencing a crisis event to be better prepared for the next one. Here’s some of what we heard:

“HR and admin need to be aware of principals’ working locations at all times.”

“More practice so people don't panic and are more aware of what to do. Keep contact information updated.”

“We learned the importance of flexibility in communications. It was critical to use all means of communication to reach everyone effectively.”

“Department heads should all have a full roster of staff on duty in the building so everyone can be accounted for. We had a bomb scare and could not find HR with the list of staff, and it was chaos.”

Over and over again, we heard recommendations to know where employees are and how to reach them—an issue that seems to reflect the aforementioned low ranking of HR’s involvement in crisis planning. Clearly, it’s crucial to have an up-to-date contact list for all employees and to know their working location at all times.

To summarize:

  • Designate leaders from critical departments (as well as their backups) to assist in creating the crisis communications plan, and clearly define who is authorized to speak on behalf of the company during a crisis.

  • Plan for a wide range of crisis scenarios, and practice them with your team. Consider using tabletop exercises that simulate crisis scenarios. (If you have cyber insurance, your provider might be able to provide crisis simulation materials.)

  • Create messaging templates with talking points for relevant audiences, different severity levels, and for the most-likely crisis scenarios.

  • Maintain contact lists for all employees (ideally with multiple touchpoints), and know who is working from where at any given time.



Survey methodology

* Capterra’s Crisis Communications Survey was conducted in January 2023 among 243 respondents to learn more about crisis communications plans at U.S. businesses. All respondents were screened for leadership positions of director level or above.

Note: This article is intended to inform our readers about business-related concerns in the United States. It is in no way intended to provide legal advice or to endorse a specific course of action. For advice on your specific situation, consult your legal counsel.




About the Author


Zach Capers is a senior analyst at Capterra, covering IT security, data privacy, and emerging technology trends. A former internal investigator for a Fortune 50 company and researcher for the Association of Certified Fraud Examiners (ACFE), his work has been featured in publications such as Forbes, Business Insider, and Journal of Accountancy.
