Crisis Response Coordinator

Orchestrate effective crisis response through structured playbooks, clear communication templates, and coordinated team actions.

When to Use This Skill

• Active crisis situations
• Building crisis playbooks
• Training response teams
• Creating communication templates
• Post-crisis improvement

Methodology Foundation

Based on Burson-Marsteller crisis playbook and PPRR model (Prevention, Preparedness, Response, Recovery), combining:

• Incident command structure
• Stakeholder communication
• Timeline management
• Documentation practices

What Claude Does vs What You Decide

Instructions

Step 1: Activate Crisis Protocol

Activation Checklist:

• Confirm crisis status (not false alarm)
• Identify crisis type and scope
• Assemble core response team
• Establish communication channels
• Begin documentation log

Step 2: Establish Command Structure

Crisis Team Roles:

Step 3: Execute Response

Response Phases:

Step 4: Manage Communications

Stakeholder Priority:

Step 5: Document Everything

Crisis Log Template:

TIME | ACTION | OWNER | OUTCOME
-----|--------|-------|--------
10:00 | Alert received | [Name] | Verified
10:15 | Team assembled | [Name] | 5/6 present
10:30 | Root cause identified | [Name] | DB issue
...

Examples

Example 1: Crisis Response Playbook

Input:

Create a crisis response playbook for a data breach scenario.

Output:

## Crisis Playbook: Data Breach

### Severity Classification

| Level | Criteria | Response |
|-------|----------|----------|
| **Critical** | PII exposed, >10K records | Full activation |
| **High** | PII exposed, <10K records | Partial activation |
| **Medium** | Non-PII data exposed | Contained response |
| **Low** | Attempted breach, blocked | Monitor and report |

---

### Activation Trigger

**Automatic activation when:**
- Confirmed unauthorized data access
- Evidence of data exfiltration
- Regulatory notification required
- Media awareness possible

---

## Phase 1: CONTAIN (0-2 Hours)

### Immediate Actions

| Time | Action | Owner | Checklist |
|------|--------|-------|-----------|
| +0 min | Isolate affected systems | IT Security | [ ] |
| +0 min | Preserve forensic evidence | IT Security | [ ] |
| +15 min | Assemble crisis team | Crisis Lead | [ ] |
| +30 min | Brief team on situation | IT Security | [ ] |
| +30 min | Legal notification | Legal | [ ] |
| +1 hr | Scope assessment complete | IT Security | [ ] |
| +1 hr | Impact assessment complete | Ops Lead | [ ] |

### Crisis Team Assembly

**Mandatory Attendees:**
- [ ] CEO (Crisis Lead)
- [ ] CTO (Technical Lead)
- [ ] CISO (Security Lead)
- [ ] General Counsel (Legal Lead)
- [ ] CMO (Communications Lead)
- [ ] VP Customer Success (Customer Lead)

**Optional (as needed):**
- [ ] CHRO (if employee data)
- [ ] CFO (if financial impact)
- [ ] Board liaison

### Initial Assessment Template

BREACH ASSESSMENT

Discovery Time: [TIME] Breach Window: [START] to [END]

Data Involved:

• Names
• Email addresses
• Phone numbers
• Passwords
• Payment data
• SSN/Government ID
• Health information
• Other: ___________

Records Affected: [NUMBER] Customers Affected: [NUMBER]

Attack Vector: [DESCRIPTION] Current Status: [CONTAINED/ONGOING] Confidence Level: [HIGH/MEDIUM/LOW]

---

## Phase 2: COMMUNICATE (2-4 Hours)

### Communication Sequence

| Priority | Stakeholder | When | Channel | Owner |
|----------|-------------|------|---------|-------|
| 1 | Board/Investors | +2hr | Call | CEO |
| 2 | Regulators | +2hr | Formal notice | Legal |
| 3 | Affected customers | +3hr | Email | CX Lead |
| 4 | All employees | +3hr | All-hands | HR |
| 5 | Media (if inquiries) | +4hr | Statement | Comms |
| 6 | Public | +4hr | Website | Comms |

---

### Communication Templates

#### Customer Notification (Direct Victims)

Subject: Important Security Notice – Action Required

Dear [Name],

We’re writing to inform you about a security incident that may have involved your personal information.

WHAT HAPPENED On [DATE], we discovered unauthorized access to [SYSTEM]. The incident occurred between [DATE] and [DATE].

WHAT INFORMATION WAS INVOLVED Based on our investigation, the following information may have been accessed:

• [List specific data types]

WHAT WE’RE DOING

• We immediately secured our systems
• We engaged cybersecurity experts to investigate
• We notified law enforcement
• We are providing [credit monitoring/identity protection]

WHAT YOU CAN DO

1. [Specific action 1]
2. [Specific action 2]
3. [Specific action 3]

CONTACT US If you have questions, please contact our dedicated support line:

• Phone: [NUMBER] (24/7 for next 30 days)
• Email: [EMAIL]
• FAQ: [URL]

We sincerely apologize for this incident and any concern it causes.

[Signature]

#### All-Customer Notification

Subject: Security Update from [Company]

Dear [Customer],

We’re writing with an important security update.

On [DATE], we discovered a security incident affecting some customer accounts. We want to be transparent about what happened and what we’re doing.

THE INCIDENT [2-3 sentence summary of what happened]

YOUR ACCOUNT Based on our investigation, your account [was / was not] affected. [If affected: See separate email with specific details]

OUR RESPONSE

• [Action taken 1]
• [Action taken 2]
• [Action taken 3]

GOING FORWARD [Steps being taken to prevent future incidents]

We’re deeply sorry this occurred and are committed to earning back your trust.

[Signature]

#### Media Statement

STATEMENT FROM [COMPANY] REGARDING SECURITY INCIDENT

[DATE]

[Company] recently discovered unauthorized access to certain company systems. Upon discovery, we immediately took steps to secure our systems and engaged leading cybersecurity experts to investigate.

Based on our investigation:

• [Key fact 1]
• [Key fact 2]
• [Key fact 3]

We have notified the appropriate authorities and are working closely with law enforcement.

Affected individuals are being notified directly and we are providing [specific remediation].

We take the security of our customers’ information extremely seriously. We apologize for this incident and are taking steps to prevent similar incidents in the future.

For more information, please visit: [URL]

Media Contact: [Name], [Email]

---

## Phase 3: RESOLVE (4-24 Hours)

### Technical Remediation

| Action | Owner | Deadline | Status |
|--------|-------|----------|--------|
| Patch vulnerability | Security | +6hr | [ ] |
| Reset affected credentials | IT | +8hr | [ ] |
| Deploy additional monitoring | Security | +12hr | [ ] |
| Third-party security audit | Security | +7 days | [ ] |

### Customer Remediation

| Action | Owner | Deadline | Status |
|--------|-------|----------|--------|
| Credit monitoring enrollment | CX | +24hr | [ ] |
| Password reset flow | Product | +24hr | [ ] |
| Support surge staffing | CX | +24hr | [ ] |
| FAQ page live | Marketing | +6hr | [ ] |

---

## Phase 4: RECOVER (1-7 Days)

### Operational Recovery

| Milestone | Target | Owner |
|-----------|--------|-------|
| Normal operations | +24hr | Ops |
| Support queue normal | +72hr | CX |
| Security audit complete | +7 days | Security |
| All notifications sent | +72hr | Legal |

### Communication Recovery

| Activity | Timing | Owner |
|----------|--------|-------|
| Progress update #1 | +24hr | Comms |
| Progress update #2 | +72hr | Comms |
| Final resolution notice | +7 days | Comms |
| Thank you to customers | +14 days | CEO |

---

## Phase 5: LEARN (7-30 Days)

### Post-Incident Review

**Schedule within 7 days of resolution**

Agenda:
1. Timeline reconstruction
2. What worked well
3. What needs improvement
4. Action items for prevention
5. Communication effectiveness
6. Documentation updates

### Playbook Updates

Based on learnings, update:
- [ ] Detection capabilities
- [ ] Response procedures
- [ ] Communication templates
- [ ] Team training
- [ ] Vendor relationships

Example 2: Real-Time Response Coordination

Input:

We're in the middle of a crisis - product recall needed.
Contaminated ingredient found in batch.
What do we do now?

Output:

## ACTIVE CRISIS: Product Recall

### STATUS: PHASE 1 - CONTAIN

---

### IMMEDIATE ACTIONS (Next 60 Minutes)

| # | Action | Owner | Done |
|---|--------|-------|------|
| 1 | STOP all shipments of affected batch | Operations | [ ] |
| 2 | Identify batch numbers affected | QC | [ ] |
| 3 | Pull from retail shelves (notify partners) | Sales | [ ] |
| 4 | Count units sold vs. in inventory | Operations | [ ] |
| 5 | Assemble full crisis team | CEO | [ ] |
| 6 | Contact legal counsel | CEO | [ ] |
| 7 | Notify regulatory authority (FDA/etc) | Legal | [ ] |

---

### INFORMATION NEEDED NOW

Fill in as you gather:

AFFECTED BATCH:

• Batch number(s): _______________
• Production date(s): _______________
• Contamination type: _______________
• Health risk level: [ ] Low [ ] Medium [ ] High [ ] Critical

DISTRIBUTION:

• Units produced: _______________
• Units shipped: _______________
• Units in warehouse: _______________
• Retailers received: _______________
• Units sold to consumers (est): _______________

CUSTOMERS AT RISK:

• Can you identify purchasers? [ ] Yes [ ] No
• Geographic distribution: _______________

---

### COMMUNICATION PRIORITY

| Priority | Who | When | Message |
|----------|-----|------|---------|
| 1 | Retail partners | NOW | Stop sales, pull from shelves |
| 2 | Regulatory body | Within 1hr | Formal notification |
| 3 | Identified customers | Within 2hr | Direct recall notice |
| 4 | All customers | Within 4hr | Public recall announcement |
| 5 | Media | As needed | Press statement ready |

---

### HOLDING STATEMENT (Use if media calls NOW)

“We are aware of an issue with [product] and are taking immediate action. Customer safety is our top priority. We will have a full statement within [X] hours.

In the meantime, customers who have purchased [product] should [specific action].

Questions: [contact]”

---

### CUSTOMER COMMUNICATION TEMPLATE

URGENT PRODUCT RECALL NOTICE

[Company] is voluntarily recalling [Product Name] due to potential contamination with [substance].

AFFECTED PRODUCTS:

• Product: [Name]
• Batch #: [Numbers]
• Expiration dates: [Dates]
• Sold at: [Retailers]

WHAT TO DO:

1. STOP using the product immediately
2. [Disposal instructions OR return instructions]
3. Contact us for full refund: [phone/email/url]

IF YOU’VE CONSUMED THE PRODUCT:

• [Symptoms to watch for]
• [When to seek medical attention]
• [Who to call]

We sincerely apologize for this situation and are taking all steps to ensure this doesn’t happen again.

Questions: [24/7 Hotline Number]

---

### NEXT CHECK-IN: 30 MINUTES

At that time, confirm:
- [ ] All shipments stopped
- [ ] Batch scope finalized
- [ ] Retail partners notified
- [ ] Regulatory notification sent
- [ ] Customer communication ready

Skill Boundaries

What This Skill Does Well

• Structuring response playbooks
• Creating communication templates
• Coordinating response timelines
• Organizing team actions

What This Skill Cannot Do

• Make legal determinations
• Access your systems
• Speak on your behalf
• Know regulatory requirements

Iteration Guide

Follow-up Prompts:

• “Create a playbook for [crisis type]”
• “Draft communication for [stakeholder]”
• “What should our next 30 minutes look like?”
• “How do we communicate [specific development]?”

References

• Burson Crisis Communications
• PPRR Crisis Management Model
• FEMA Incident Command System
• Harvard Business Review Crisis Response

Related Skills

• crisis-detector – Early warning
• social-listening – Monitoring
• reputation-recovery – Post-crisis

Skill Metadata

• Domain: Crisis
• Complexity: Advanced
• Mode: centaur
• Time to Value: Immediate in crisis
• Prerequisites: Stakeholder alignment, authority to act