This week, Charlie looks at key considerations in your communications response to an incident, and highlights the importance of including all staff in the communication.

I have been delivering some crisis training this week to a client in the South of England, and I thought I would share some thoughts from that training. Typically when we mention communications in the context of a crisis/gold/strategic team, we think about the professional communications people advising the team and developing communications for the media and social media. We think about the CEO being interviewed and hopefully not getting savaged by the interviewer, and we think of general guidance put out to all members of staff not to speak to the press. This is often how organisations starting their incident management journey think communications are managed during an incident; it is a crisis management team activity, and they would not communicate in an incident.

In training the crisis management team earlier in the week, I was very much making the point that communications happens at all levels within an organisation. This could be the CEO talking to the media, but it could also be the security guard talking to their family after work and explaining what is going on at the company they work for. We also have to remember that during an incident, the conversations which take place at all levels with external stakeholders do not stop, and these conversations play a very important part in an organisation’s response.

When teaching crisis management or communications, I always say that your communications and the perception from your stakeholders will determine the success or failure of your response. Making sure that the right stakeholder gets the appropriate information is key. We therefore need to teach that communications goes on at all levels within the organisation. One of the keys to successful external communications is ensuring consistency of message — as soon as an organisation sends out mixed messages, then it begins to look incompetent, disorganised, and, at worst-case, dishonest. So what are the key considerations when organisations respond and communicate?

1. Messages which are sent externally must be consistent but must also be tailored to the requirements and needs of the audience. All those responding should be aware of the organisation’s media strategy and their overall message. This needs to be taken into account when individuals craft their own external messages.
2. In crafting their messages, individuals and departments will have external messages they want to give out, and they may want the organisation’s view on the messages and lines to take on a particular aspect of the incident. In a cyber incident, a line to take may be around have we lost data or how long will it take before x service is available? The answers to these questions need to be agreed centrally and then the agreed lines sent out to all who might want to communicate it externally. All lines to take should be stored and made available to all staff.
3. There should be a process for agreeing lines to take and this should be documented within plans. In a dynamic situation, these need to be turned around quickly and then existing lines changed as the situation changes.
4. Where there may be specialist advice in developing lines to take, this should be identified in advance. If your factory catches fire and there is a plume of black smoke, those in the surrounding area may want to know how dangerous the smoke is, and what precautions they should take to protect themselves. Clear and comprehensive guidance should be provided to ensure that people do not panic or take inappropriate actions to safeguard themselves. Perhaps these communications could be agreed upon in advance, or at least suitable individuals could be identified to provide appropriate advice.
5. Agreed lines to take can be incorporated into questions and answers which can then be made available on the organisation’s website, to customer-facing staff and, if appropriate, all staff so they can answer questions if asked. How the questions and answers are produced, who signs them off, and where they are hosted, should be agreed and documented.
6. I think it needs to be made clear to all those responding at whatever level they are operating — operational, tactical or strategic — that they will be expected to communicate with their normal stakeholders in an incident. They should also include a list of possible stakeholders within their plans, how they will contact them, when they should be contacted, and what their information requirements are.

Coming back to the iceberg analogy, it is not just the tip of the iceberg, the communication team and CEO who are delivering the main communications will be from ‘under the water’, and involve people at all levels throughout the organisation. 

If communications are key to the success of our incident management, then we need to make sure that all people within the organisation know their role, and they can use the guidance from the top of the organisation and tailor it to their stakeholders’ requirements.