Without a communication plan during a crisis, your customers panic and assume the worst, employees spread false information internally and externally, and business partners stop trusting you—leading to lost orders and damaged relationships that take months to rebuild. For example, if a manufacturing business in Bengaluru gets ransomware-locked and doesn't tell customers for 3 days, those customers move their orders to competitors permanently. If your bank doesn't hear from you about a data breach until regulators contact them, they may freeze your account or reduce credit lines. Regulatory bodies like RBI (if you're financial services) or data authorities expect documented, timely breach notifications; silence or delays can result in compliance penalties.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
- Absent: You have no written plan for communicating during disruptions. When something breaks, people call or text randomly, and the owner figures out what to say as the crisis unfolds.
- Initial: You've listed contact details of key people (owner, manager, tech person) in a document or group chat, but there's no structured message template and no decision about who speaks to customers versus the media.
- Developing: You have a one-page communication plan naming the crisis communication lead, listing who to contact internally, and a few message templates for different scenarios, but it's not tested and most staff don't know it exists.
- Defined: Your communication plan covers internal notification (staff alerts), customer notification (email, SMS, website banner), and partner notification (dedicated contacts); it's stored where key people can access it and was updated in the last 12 months.
- Managed: You run tabletop drills (practice scenarios) annually; communication templates are stored on a secure shared drive with version control; response times are documented (e.g., internal alert within 30 minutes, customer notification within 2 hours); and staff roles are clear.
- Optimised: Your communication plan is integrated into your business continuity plan with real-time monitoring; you track message delivery rates, conduct quarterly drills, maintain a secure backup communication channel (e.g., secondary email domain, backup phone tree), and post-incident reviews update templates based on lessons learned.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Create a one-page document listing the name, phone, and email of 5-7 key people (owner, operations manager, IT person, HR, accounts) who need to know about disruptions immediately. Share it in a group chat or printed card. | Business owner or Operations manager | 2-3 hours |
| 1 → 2 | Write a 2-page Crisis Communication Plan with sections: (1) Who is the crisis lead? (2) Who do we tell first (internal chain)? (3) What do we tell customers and when? (4) What do we tell partners? (5) Are there media/regulator contacts? Add 2-3 sample message templates for common scenarios (data breach, server down, natural disaster). | Business owner with input from Operations and Finance heads | 1 week |
| 2 → 3 | Conduct a one-hour tabletop walk-through: simulate a ransomware incident and run through the plan with key staff. Document what worked and what didn't. Update contact numbers, email addresses, and message templates based on feedback. Store the final plan on a shared drive with a 'Last Updated' date visible to all. | Crisis lead (usually Operations or IT manager) with all key personnel | 2-3 weeks |
| 3 → 4 | Define and document response time SLAs (e.g., internal team notified within 30 minutes, customers within 2 hours, regulators within 24 hours). Assign backup roles so if the crisis lead is unavailable, someone else takes over. Create a secure, offline copy of critical contact numbers (printed sealed envelope in safe). | Business owner and Crisis lead | 2-4 weeks |
| 4 → 5 | Schedule quarterly communication drills (one per quarter) with different scenarios, track message delivery success rates, and maintain a secondary communication channel (e.g., backup email account with a different provider, or a WhatsApp group for emergency-only contact). After each incident or drill, hold a review meeting and update templates within 48 hours. | Crisis lead with support from all key roles | Ongoing (4-6 hours per quarter) |
Documents and records that prove your maturity level.
- Written Crisis Communication Plan document (Word, PDF, or Google Doc) signed and dated by owner, with version control
- Contact list spreadsheet with names, roles, phone, email, and alternative contact methods for internal stakeholders and key external partners
- Sample message templates for at least 3 scenarios (data breach/security incident, IT system down, natural disaster/office inaccessible, supply chain disruption)
- Record of at least one tabletop drill or communication test in the past 12 months, including date, participants, scenario, and lessons learned
- Backup communication method documented (e.g., secondary email account, phone tree, offline printed contact list in secure location, website or social media account management plan)
Prepare for these questions from customers or third-party reviewers.
- "Show me your Crisis Communication Plan. When was it last updated, and who approved it?"
- "Walk me through what happens in the first hour if you discover a data breach affecting customer records. Who calls whom, in what order, and using which method?"
- "How do you notify customers and business partners if your main email server is down? What's your backup communication method?"
- "Have you tested this plan in the last 12 months? Show me the records of the test, participants, and what you learned."
- "If your Crisis Lead is unavailable (sick, traveling, resigned), who takes their place? Is that person trained?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Create and store communication plan document with version history and access control | Google Docs (free tier with sharing controls) or LibreOffice Writer (offline, no cost) | Microsoft Office 365 (₹5,000–15,000/year per user) or Notion (₹0–2,000/year depending on plan) |
| Maintain organized contact list and quick reference for crisis team | Google Sheets or Microsoft Excel online (free tier) or Airtable free plan | Airtable paid (₹1,200–3,600/month) or spreadsheet add-ons like Sheet2Site (₹500–2,000/month) |
| Broadcast emergency alerts and notifications to staff and customers quickly | WhatsApp groups (zero cost but not formal), free tier of Twilio (limited SMS), Google Alerts setup | Twilio (SMS/WhatsApp: ₹0.50–2 per message), Alertify or Everbridge (₹50,000–2,00,000/year depending on users and features) |
| Schedule and track tabletop drills and store records for audit | Google Calendar + Google Forms for post-drill feedback | Continuity Central or similar BC software (₹100,000+/year) or Project Management tool like Asana/Monday.com |
| Secure offline backup of critical contact information and plan | Printed document in locked safe, or password-protected PDF on USB drive stored offline | Hardware security key (₹2,000–5,000 one-time) or encrypted external drive (₹3,000–8,000) |
- Plan exists but is outdated: Contact numbers and email addresses are 6+ months old because staff changed roles or left; when crisis hits, messages go to wrong people or bounced emails cause delays.
- No backup communication method: Entire plan relies on email and office network, but in a server breach or ransomware attack, email is compromised and staff can't coordinate—leading to hours of silence while customers panic.
- Plan not shared or trained: The plan sits on owner's laptop or in a drawer; frontline staff and new hires don't know it exists, so when crisis hits, they either ignore the plan or make ad-hoc decisions that contradict official messages.
- No distinction between scenarios: Single generic message template used for all incidents (ransomware, data breach, weather, supplier failure), leading to confusing or inappropriate messages that damage credibility.
- Regulators and compliance bodies not included: Plan only addresses employees and customers; no protocol for notifying RBI (if financial), CERT-In, or data protection authorities, risking penalties for late or missed notifications.
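As an added example (not part of this page or the NIRMATA framework), the Python script below encodes the notification SLAs from the 3 → 4 step (internal within 30 minutes, customers within 2 hours, regulators within 24 hours) and the six-month contact-staleness pitfall above, then checks a constructed drill log and contact list against them. The incident time, names and dates are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Notification deadlines, measured from the moment the incident is detected
# (the 30 min / 2 h / 24 h targets from the 3 -> 4 step).
SLA = {
    "internal": timedelta(minutes=30),
    "customers": timedelta(hours=2),
    "regulators": timedelta(hours=24),
}
# Contact details not re-verified for about six months are treated as stale.
STALE_AFTER = timedelta(days=180)


def check_sla(detected_at, notifications):
    """Return {audience: (deadline, first_sent_or_None, breached)} for every SLA audience.

    notifications: list of (audience, sent_at) pairs, e.g. from a drill log.
    An audience that was never notified counts as breached."""
    first_sent = {}
    for audience, sent_at in notifications:
        if audience not in first_sent or sent_at < first_sent[audience]:
            first_sent[audience] = sent_at
    result = {}
    for audience, window in SLA.items():
        deadline = detected_at + window
        sent = first_sent.get(audience)
        result[audience] = (deadline, sent, sent is None or sent > deadline)
    return result


def stale_contacts(contacts, today):
    """Return the names whose 'verified' date is older than STALE_AFTER as of 'today'."""
    return [c["name"] for c in contacts if today - c["verified"] > STALE_AFTER]


# Constructed sample data (assumed, not from the page): one drill timeline and a contact list.
DETECTED = datetime(2024, 3, 4, 9, 0)
DRILL_LOG = [
    ("internal", datetime(2024, 3, 4, 9, 20)),    # 20 min after detection: inside 30-min SLA
    ("customers", datetime(2024, 3, 4, 12, 15)),  # 3 h 15 min: misses the 2-hour SLA
    # no regulator notification was logged at all
]
CONTACTS = [
    {"name": "Owner", "role": "crisis lead", "verified": datetime(2024, 1, 15)},
    {"name": "IT manager", "role": "backup lead", "verified": datetime(2023, 6, 1)},
]

if __name__ == "__main__":
    for audience, (deadline, sent, breached) in check_sla(DETECTED, DRILL_LOG).items():
        sent_txt = sent.strftime("%H:%M") if sent else "never"
        print(f"{audience:10} due {deadline:%H:%M}  sent {sent_txt:5}  {'BREACH' if breached else 'ok'}")
    print("stale contacts:", stale_contacts(CONTACTS, DETECTED))
```

Run after each drill with the real log and contact list to produce the tested-in-the-last-12-months record the evidence list asks for.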
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 4(1)(e) and Section 6 – requirement to notify individuals and regulators of personal data breach without unreasonable delay, implying need for a documented notification process |
| RBI Guidelines 2016 (for financial services) | Para 4.2 – requirement to have a documented incident response plan including communication to depositors and regulators |
| ISO 27001:2022 | Clause 8.4 (Communication) and Annex A 5.3 (Incident management with communication) |
| NIST CSF 2.0 | Function: Respond (RS) – specifically RS.CO-2 (Response activities are communicated to internal and external stakeholders) |