Pro-Owner perspective: This document frames your systems as a technical estate — an asset to be stewarded, documented, and bequeathed. Treat these steps as craftsmanship: protect the continuity, auditability, and transferability of your digital legacy.
What it is
A templated communication framework for incident response, specifying what to say, to whom, and when, based on incident severity and timeline. Covers: initial detection (T+0), first update (T+15), ongoing updates (T+60), resolution (T+24h), and post-mortem (T+1 week).
Messages are pre-drafted for common scenarios (outage, data breach, degraded performance, third-party failure) and tailored by audience (internal team, customers, compliance/legal). No improvisation under pressure—follow templates, adapt specifics.
Why it matters
Incident communication failures amplify incident damage. Silence creates panic. Vague updates ("we're investigating") erode trust. Inconsistent messages (internal says "minor issue," customers see "total outage") destroy credibility.
Templates eliminate decision paralysis: you're not composing messages from scratch while systems are on fire. Templates also prevent legal exposure: vetted language reduces liability (e.g., "service interruption" vs "data breach" has legal implications).
How we do it
- Incident severity classification (triggers communication urgency):
  - SEV-1 (Critical): Total outage, data breach, security incident. Updates every 15 min until resolved.
  - SEV-2 (High): Partial outage, degraded performance. Updates every 60 min.
  - SEV-3 (Medium): Minor degradation, non-customer-facing. Internal-only updates.
- Timeline-based templates:
  - T+0 (Detection): Internal team notification. "Incident detected. Investigating. Next update T+15."
  - T+15 (First update): Internal + customer notification (if SEV-1/2). "We've identified [issue]. Impact: [scope]. ETA: [best guess or 'investigating']."
  - T+60 (Ongoing): Progress update. "Mitigation in progress. Current status: [details]. Next update T+120."
  - T+24h (Resolution): Resolution announcement. "Incident resolved. Root cause: [summary]. Preventive measures: [actions taken]."
  - T+1 week (Post-mortem): Public post-mortem (if customer-facing). "Detailed timeline, root cause, action items. No corporate spin."
- Audience segmentation:
  - Internal team: Full technical detail. No sugar-coating. Include what's tried, what failed, current theories.
  - Customers: Impact-focused. What they can't do, when it'll be fixed, what to expect next.
  - Compliance/legal: Breach notification language (if applicable). Meets regulatory requirements (GDPR, SOC2, HIPAA).
- Message library: 15 pre-drafted scenarios (outage, breach, degraded perf, third-party failure, planned maintenance gone wrong). Copy, adapt, send.
What you receive
- Communication timeline: What to send, when, to whom, for each severity level.
- Draft message library: 15 scenario-based templates (internal + customer variants).
- Audience segmentation guide: Decision tree for who gets what information at what time.
- Communication log: Timestamp, recipient, message sent (for audit trail and post-mortem).
All templates are stored in the incident runbook (wiki, Notion, Git repo) with version control.
Evidence
Interactive incident timeline:
- Timeline visualization: T+0, T+15, T+60, T+24h, T+1 week markers.
- Expandable checkpoints: Click each marker to see draft messages for that timeline point.
- Audience toggle: Switch between internal vs customer view. See how messages differ.
- Scenario picker: Choose incident type (outage, breach, degraded perf). Timeline adapts to show relevant templates.
- Sample messages: Real-world examples (redacted) showing tone, detail level, call-to-action.
Download incident communication package (templates + tone guide + legal review checklist): [Link]
Failure modes & guardrails
Failure mode: Templates used verbatim without adaptation
Guardrail: Templates are starting points. Always customize with specific incident details (systems affected, ETA, workarounds).
Failure mode: Over-communication (message fatigue)
Guardrail: SEV-3 incidents: internal-only, no customer notification unless they ask. Don't create alarm where none exists.
Failure mode: Under-communication (silence)
Guardrail: SEV-1/2 incidents require updates every 15/60 min respectively. Silence is not an option. If no progress, say "Still investigating. No new information."
Failure mode: Legal review delays critical updates
Guardrail: Pre-approved template language vetted by legal. No legal review required for templated messages. Only custom language needs review.
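The under-communication guardrail can be checked against the communication log during the post-mortem. The following is an added example, not part of the original package: it flags windows where an audience went longer than the severity's update interval without a message. The log line format (`timestamp,recipient,message`), the recipient labels, and the sample entries are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Update intervals from the severity classification above. SEV-3 has no
# stated interval (internal-only), so it is not checked.
MAX_GAP = {"SEV-1": timedelta(minutes=15), "SEV-2": timedelta(minutes=60)}

# Constructed sample log. Assumed line format: ISO timestamp,recipient,message
SAMPLE_LOG = """\
2024-05-01T10:00:00,internal,Incident detected. Investigating. Next update T+15.
2024-05-01T10:15:00,internal,We've identified the issue. Impact: checkout API.
2024-05-01T10:15:00,customers,We've identified the issue. ETA: investigating.
2024-05-01T10:30:00,internal,Mitigation in progress.
2024-05-01T10:30:00,customers,Mitigation in progress.
2024-05-01T10:45:00,internal,Still investigating. No new information.
2024-05-01T11:00:00,internal,Incident resolved.
2024-05-01T11:00:00,customers,Incident resolved.
"""

def parse_log(text):
    """Parse log lines into (timestamp, recipient, message) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, recipient, message = line.split(",", 2)  # message may contain commas
        entries.append((datetime.fromisoformat(ts), recipient.strip(), message))
    return entries

def silence_gaps(entries, severity, recipient, detected_at, resolved_at):
    """Return (start, end) windows in which `recipient` went longer than the
    severity's interval without a message. A "no new information" update
    still counts as a message, per the guardrail."""
    limit = MAX_GAP.get(severity)
    if limit is None:
        return []
    sent = sorted(ts for ts, who, _ in entries
                  if who == recipient and detected_at <= ts <= resolved_at)
    gaps, prev = [], detected_at
    for ts in sent + [resolved_at]:
        if ts - prev > limit:
            gaps.append((prev, ts))
        prev = ts
    return gaps

if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    t0, t_end = datetime(2024, 5, 1, 10, 0), datetime(2024, 5, 1, 11, 0)
    for who in ("internal", "customers"):
        for start, end in silence_gaps(log, "SEV-1", who, t0, t_end):
            print(f"{who}: no update between {start:%H:%M} and {end:%H:%M}")
```

In the sample, the internal team stays within the 15-minute cadence because the "Still investigating" message counts, while customers have a 30-minute silence before resolution.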