Crisis Response Coordinator
Orchestrate effective crisis response through structured playbooks, clear communication templates, and coordinated team actions.
When to Use This Skill
- Active crisis situations
- Building crisis playbooks
- Training response teams
- Creating communication templates
- Post-crisis improvement
Methodology Foundation
Based on Burson-Marsteller crisis playbook and PPRR model (Prevention, Preparedness, Response, Recovery), combining:
- Incident command structure
- Stakeholder communication
- Timeline management
- Documentation practices
What Claude Does vs What You Decide
| Claude Does | You Decide |
|---|---|
| Structures response playbook | Go/no-go decisions |
| Drafts communications | Approval authority |
| Coordinates timelines | Resource deployment |
| Documents actions | Spokesperson selection |
| Suggests escalation paths | Legal implications |
Instructions
Step 1: Activate Crisis Protocol
Activation Checklist:
- Confirm crisis status (not false alarm)
- Identify crisis type and scope
- Assemble core response team
- Establish communication channels
- Begin documentation log
Step 2: Establish Command Structure
Crisis Team Roles:
| Role | Responsibility | Typical Owner |
|---|---|---|
| Crisis Lead | Overall coordination | CEO/COO |
| Comms Lead | External messaging | CMO/PR Head |
| Operations Lead | Fix the problem | CTO/VP Ops |
| Legal Counsel | Legal guidance | General Counsel |
| Customer Lead | Customer communication | VP CX |
| HR Lead | Internal/employee | CHRO |
Step 3: Execute Response
Response Phases:
| Phase | Duration | Focus |
|---|---|---|
| Contain | 0-2 hours | Stop bleeding, assess scope |
| Communicate | 2-4 hours | Stakeholder notifications |
| Resolve | 4-24 hours | Fix root cause |
| Recover | 1-7 days | Return to normal |
| Learn | 7-30 days | Post-mortem, improvements |
Step 4: Manage Communications
Stakeholder Priority:
| Stakeholder | When to Notify | Channel |
|---|---|---|
| Internal team | Immediately | Slack/Teams |
| Board/Investors | Within 1 hour | Call/Email |
| Affected customers | Within 2 hours | Direct |
| All customers | Within 4 hours | Email/Social |
| Media | Reactive | Press statement |
| Public | As needed | Website/Social |
Step 5: Document Everything
Crisis Log Template:
TIME | ACTION | OWNER | OUTCOME
-----|--------|-------|--------
10:00 | Alert received | [Name] | Verified
10:15 | Team assembled | [Name] | 5/6 present
10:30 | Root cause identified | [Name] | DB issue
...
Examples
Example 1: Crisis Response Playbook
Input:
Create a crisis response playbook for a data breach scenario.
Output:
## Crisis Playbook: Data Breach
### Severity Classification
| Level | Criteria | Response |
|-------|----------|----------|
| **Critical** | PII exposed, >10K records | Full activation |
| **High** | PII exposed, <10K records | Partial activation |
| **Medium** | Non-PII data exposed | Contained response |
| **Low** | Attempted breach, blocked | Monitor and report |
---
### Activation Trigger
**Automatic activation when:**
- Confirmed unauthorized data access
- Evidence of data exfiltration
- Regulatory notification required
- Media awareness possible
---
## Phase 1: CONTAIN (0-2 Hours)
### Immediate Actions
| Time | Action | Owner | Checklist |
|------|--------|-------|-----------|
| +0 min | Isolate affected systems | IT Security | [ ] |
| +0 min | Preserve forensic evidence | IT Security | [ ] |
| +15 min | Assemble crisis team | Crisis Lead | [ ] |
| +30 min | Brief team on situation | IT Security | [ ] |
| +30 min | Legal notification | Legal | [ ] |
| +1 hr | Scope assessment complete | IT Security | [ ] |
| +1 hr | Impact assessment complete | Ops Lead | [ ] |
### Crisis Team Assembly
**Mandatory Attendees:**
- [ ] CEO (Crisis Lead)
- [ ] CTO (Technical Lead)
- [ ] CISO (Security Lead)
- [ ] General Counsel (Legal Lead)
- [ ] CMO (Communications Lead)
- [ ] VP Customer Success (Customer Lead)
**Optional (as needed):**
- [ ] CHRO (if employee data)
- [ ] CFO (if financial impact)
- [ ] Board liaison
### Initial Assessment Template
BREACH ASSESSMENT
Discovery Time: [TIME] Breach Window: [START] to [END]
Data Involved:
- Names
- Email addresses
- Phone numbers
- Passwords
- Payment data
- SSN/Government ID
- Health information
- Other: ___________
Records Affected: [NUMBER] Customers Affected: [NUMBER]
Attack Vector: [DESCRIPTION] Current Status: [CONTAINED/ONGOING] Confidence Level: [HIGH/MEDIUM/LOW]
---
## Phase 2: COMMUNICATE (2-4 Hours)
### Communication Sequence
| Priority | Stakeholder | When | Channel | Owner |
|----------|-------------|------|---------|-------|
| 1 | Board/Investors | +2hr | Call | CEO |
| 2 | Regulators | +2hr | Formal notice | Legal |
| 3 | Affected customers | +3hr | Email | CX Lead |
| 4 | All employees | +3hr | All-hands | HR |
| 5 | Media (if inquiries) | +4hr | Statement | Comms |
| 6 | Public | +4hr | Website | Comms |
---
### Communication Templates
#### Customer Notification (Direct Victims)
Subject: Important Security Notice - Action Required
Dear [Name],
We're writing to inform you about a security incident that may have involved your personal information.
WHAT HAPPENED On [DATE], we discovered unauthorized access to [SYSTEM]. The incident occurred between [DATE] and [DATE].
WHAT INFORMATION WAS INVOLVED Based on our investigation, the following information may have been accessed:
- [List specific data types]
WHAT WE'RE DOING
- We immediately secured our systems
- We engaged cybersecurity experts to investigate
- We notified law enforcement
- We are providing [credit monitoring/identity protection]
WHAT YOU CAN DO
- [Specific action 1]
- [Specific action 2]
- [Specific action 3]
CONTACT US If you have questions, please contact our dedicated support line:
- Phone: [NUMBER] (24/7 for next 30 days)
- Email: [EMAIL]
- FAQ: [URL]
We sincerely apologize for this incident and any concern it causes.
[Signature]
#### All-Customer Notification
Subject: Security Update from [Company]
Dear [Customer],
We're writing with an important security update.
On [DATE], we discovered a security incident affecting some customer accounts. We want to be transparent about what happened and what we're doing.
THE INCIDENT [2-3 sentence summary of what happened]
YOUR ACCOUNT Based on our investigation, your account [was / was not] affected. [If affected: See separate email with specific details]
OUR RESPONSE
- [Action taken 1]
- [Action taken 2]
- [Action taken 3]
GOING FORWARD [Steps being taken to prevent future incidents]
We're deeply sorry this occurred and are committed to earning back your trust.
[Signature]
#### Media Statement
STATEMENT FROM [COMPANY] REGARDING SECURITY INCIDENT
[DATE]
[Company] recently discovered unauthorized access to certain company systems. Upon discovery, we immediately took steps to secure our systems and engaged leading cybersecurity experts to investigate.
Based on our investigation:
- [Key fact 1]
- [Key fact 2]
- [Key fact 3]
We have notified the appropriate authorities and are working closely with law enforcement.
Affected individuals are being notified directly and we are providing [specific remediation].
We take the security of our customers' information extremely seriously. We apologize for this incident and are taking steps to prevent similar incidents in the future.
For more information, please visit: [URL]
Media Contact: [Name], [Email]
---
## Phase 3: RESOLVE (4-24 Hours)
### Technical Remediation
| Action | Owner | Deadline | Status |
|--------|-------|----------|--------|
| Patch vulnerability | Security | +6hr