How to handle crisis communication like a pro

April 10, 2022

3 min read

How to handle crisis communication like a pro

Sometimes, 💩 happens. It’s okay, it happens to all of us. You can’t avoid it, but you can do damage control with a clear process to deal with a crisis. Here’s the process I created for the SaaS I currently work for, I hope it’ll inspire you.

First, some communication guidelines

So your team knows how to effectively communicate to your organization and to your users, let them know the best practices for communicating during a crisis. These guidelines are valid all the time as well, so it never hurts to publish them on your organization’s internal documentation.

Internally	Externally
Commit to transparency.	Practice empathy - put yourself in the user’s shoes.
Provide details, be extensive.	Remain transparent and remember who you’re talking to, depending on their level of technical knwoledge, users can easily detect 💩
Provide rough time estimates.	Give a realistic timeline whenever possible.
On major outages, share worst-case and best-case scenarios.	Provide regular updates.
Post an extensive postmortem.	Post an extensive postmortem.

Create a RACI matrix

A RACI matrix is a responsibility chart, it provides a clear vision of the responsibilities of the people assigned. You need it for your crisis communication to optimize the distribution of tasks to the team members and avoid wasting time.

This method is an organizational design tool that maps activities and defines the roles and responsibilities of stakeholders by:

visually synthesizing “who does what”,
setting the perimeter of the project,
defining the field of action to structure it.

What does RACI stand for?

Responsible,
Accountable,
Consulted,
Informed.

As a crisis can happen at any time, don’t forget to add the responsible people in case the 1st one is absent, for more time-sensitive or highly technical tasks, you can even put in a 3rd person in case the first two are absent.

Typical tasks to include in your RACI chart might be:

Task	CPO	SRE	PM	Customer Support	Marketing	Content
Create, confirm with the team, and update the status page updates	C	A	R	I	I	NA
Decide to cut off sign-ups	A	I	R	I	C	NA
Update social media accounts	NA	C	C	I	R	R
Reply to customer messages	NA	C	C	R	NA	C
Decide to communicate further	A	C	R	C	C	I
Compare outage downtime to SLAs	C	C	R	I	I	NA
Reply to customer inquiries about credit requests	NA	NA	C	R	I	C
Decide to stop ad campaigns	NA	NA	NA	NA	R	NA

In case of shortages < 3h

🔥 Someone finds a global issue, affecting at least one of the core components (API, servers, admin dashboard)

🚨 That person should inform all relevant teams via the appropriate channels (some relevant chats could be the customer-support channel, the emergency channel or the product team) and should specify:

Which areas of the product seem to be down
Impact it can have on the end-users and support team
How many affected accounts/users or how many errors there are
If they found the source of the issue or have a lead

🚧 Declare an incident on your Status page


Incident name	Technical issue impacting {component}
Affected components	Create a list of your core components and choose those that were affected for more than 10 minutes.
Notify users	If your core feature is impaired, send a notification to your users.
Status	Identified - when the problem is identified. Monitoring (optional) - use this status when a big change is applied or when you are not 100% confident if you’re stable Resolved - The message should explain what happened and what actions were applied.
Description	Provide a template and adapt the messaging examples. All messaging, especially choosing how many details you want to disclose, should be confirmed by the teams involved before posting on your Status Page and social media accounts.

📢 When the issue has been resolved:

Update the status page.
Update waiting tickets via your customer support tool.
Update social media (if anything was posted).
Write a postmortem about the incident and its root causes (can be done within 24h after the incident).

After long global outages, more communication is necessary:

Send out an email to your users if you deemed it necessary.

For longer shortages > 3h

All steps listed above, plus regular updates:

Update Twitter every 2 hours.
Update StatusPage every 2 hours.

For very long shortages > 24h

All of the above, plus when the outage is finished:

Compare the downtime to your SLAs and check which incidents are covered by your SLA:
- If the outage is out of your control?
- If the outage occurs during scheduled maintenance?
Send out service credits to affected users.

What to do in case of a security breach?

Security breaches are trickier as they have requirements from the GDPR in Europe. Enterprises must comply and notify impacted users of personal data breaches with timely notice in less than 72 hours after having become aware of it. Unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Task	Lead dev	Legal	Marketing	PM
Inform the team of a security breach	R	I	I	C
Share list of affected accounts	R	I	NA	NA
Approve the communication to affected users	C	R	C	I
Send notification & resolution emails	NA	NA	R	A

🔥 Someone finds a security breach issue, affecting at least one of your users.

🚨 That person should inform the relevant channel, tag the product, customer support and legal teams and specify:

Which accounts are affected by the security breach (give a list of emails when available)
Impact it can have on the end-users and support team
If it’s safe to communicate about it or not
If they found the source of the issue or have a lead
If the dev team can work on a bugfix

🚧 Decide if it’s safe enough to communicate the breach to customers or not before the bugfix is released.

If it’s safe, engage with the legal team for an announcement, to be sent via email to the affected accounts.
If it’s not safe, wait for the bugfix before doing any communication.

📢 Communicate a resolution notification when the bug fix has been released on prod.