The Template Trap

The organizations that communicate best during incidents built for it. Pre-established relationships, clear decision authority, and pre-negotiated boundaries. Authentic responses don't happen by accident.

Share
The Template Trap
Photo by @carlaquario31 on Unsplash

You can’t adequately demonstrate empathy and competency when your communications look like form letters.

The details matter. The context matters. The specific circumstances of this particular incident, affecting these particular people, at this particular moment in time – all of it matters. And none of it can be captured in a template written six months ago by people who had no idea what would actually go wrong.

The appeal of templates is obvious. They promise that during the chaos of an incident, you'll have something ready to go. Just fill in the blanks, get quick approval, and hit send. Fast, efficient, predictable.

But this approach fundamentally misunderstands what incident communication needs to accomplish. You're not merely transmitting information – you're preserving trust, demonstrating competence, and maintaining relationships during a moment of vulnerability. None of these objectives can be achieved through standardized messaging that could apply to any incident at any company.

When stakeholders receive templated communications, they can tell. The generic language, the obvious placeholders, the carefully hedged statements that avoid saying anything specific – all of it signals that you're going through the motions rather than actually engaging with the reality of what happened. It communicates that this incident isn't important enough to warrant special attention, or, worse, that you don't understand it well enough to discuss it specifically.

What Actually Prepares You for Incidents

If templates aren't the answer, what is? The truth is harder but far more effective: infrastructure, relationships, and pre-negotiated decision frameworks.

These are the things that actually enable rapid, effective, authentic incident communications. They're more difficult to build than templates, and they require ongoing investment rather than a one-time document creation. But they're what separates organizations that handle incidents well from those that don't.

1. Build Relationships Before You Need Them

Effective incident response requires pre-established relationships. You cannot cold-call volunteer maintainers, community members, regulatory contacts, or media representatives during an incident and expect effective coordination. These relationships need continuous ownership and cultivation.

This means:

  • Identifying who you might need to coordinate with during various incident types.
  • Establishing regular touchpoints before incidents occur.
  • Understanding their communication preferences, decision-making processes, and constraints.
  • Building mutual trust and credibility through ongoing, non-incident interactions.

When an incident hits, you need to be able to reach someone who already knows you, understands your organization, and has context for why you're reaching out. That person should already trust that when you say something is urgent, it actually is. It’s exponentially harder to build that in the middle of a fire – and with some folks it’s downright impossible.

2. Establish Channel Access and Infrastructure

Channel access and infrastructure must be in place before incidents occur. Requesting GitHub security advisory permissions, setting up email distribution systems, configuring Discord moderator roles, or getting approval for social media access during an incident wastes critical time when every minute counts.

This infrastructure includes:

  • Pre-approved access to all channels where you might need to communicate.
  • Technical setup for email campaigns, blog posts, or social media announcements.
  • Tested systems for reaching different stakeholder groups quickly.
  • Backup communication methods if primary channels fail.

The difference between communicating in the first hour versus the first six hours of an incident often comes down to whether this infrastructure was in place. Templates don't solve this problem – proper preparation does.

3. Map Decision Authority in Advance

Decision authority must be clear and mapped in advance. Six-hour debates about what information to disclose happen when nobody knows who has the authority to decide. These delays don't occur because people are indecisive, but because the organization never clarified who gets to make which calls.

Before any incident, you need to be crystal clear on:

  • Who can authorize different categories of disclosures.
  • What types of incidents require executive involvement versus team-level decisions.
  • How to escalate when the mapped decision-maker is unavailable.
  • What boundaries exist around legal, compliance, and business risk.

The point is to eliminate organizational confusion that paralyzes response efforts. When the decision-maker is clear, even difficult decisions can move quickly. And if you’re like me and don’t think litigation should drive every business decision, then you need to negotiate that in advance during quieter, less emotional times. 

4. Know Where Your Stakeholders Actually Communicate

Different stakeholder groups consume information through various channels, and your carefully crafted corporate communications are worthless if they never reach the people who need them. Customers, partners, employees, regulators, media, and community members all have different communication preferences and habits. You need to meet each group where they actually are, not where it's convenient for you to communicate with them.

This means:

  • Understanding which channels each stakeholder group actually monitors and trusts.
  • Having established a presence and credibility in those spaces before incidents.
  • Knowing the norms and expectations for communication in each channel.
  • Recognizing that different audiences require different approaches and even different information.

For customers, this might mean an email, in-app notifications, or your status page. For technical users, it could be GitHub, community forums, or Discord. For partners, it might be dedicated Slack channels or direct contact with the account manager. For employees, it might include internal chat platforms or all-hands meetings. For media and investors, it might be your corporate blog or social media. For regulators, it often requires direct, formal communication through established reporting channels specified by law.

A beautifully written statement posted only to your corporate blog is far less valuable than targeted communications delivered through the channels your specific stakeholders actually use – even if those communications are less polished. And keep in mind that some people will see your message across channels, so even if different, they should never contradict each other. Effective incident communications is about strategic coordination just as much as wordsmithing. 

Speed requires pre-negotiated values and priorities, not case-by-case debate. Ninety-minute legal reviews happen when boundaries are unclear. When you're arguing about whether you can disclose specific technical details while the clock is ticking, you're too late.

Instead, establish ahead of time:

  • Which company values matter more than litigation risk (if any). Lawsuits are coming no matter what — the question is what kind of company do you want to be when you face them?
  • Categories of information that are generally acceptable to disclose.
  • What requires additional legal review, and what doesn't, and what the acceptable SLA will be for these reviews. 
  • How to handle edge cases that don't fit neat categories.
  • What the escalation path looks like when quick decisions are needed.

This doesn't mean eliminating legal review – it means making that review faster and more focused by doing the foundational work in advance.

6. Assign Explicit Ownership for Monitoring and Engagement

Monitoring and engagement require dedicated ownership. If nobody is explicitly responsible for monitoring Hacker News, Reddit, Twitter/X, and other community channels during incidents, it won't happen. And when it doesn't, you miss critical community intelligence on how your incident is being perceived and discussed.

This ownership includes:

  • Designated people to monitor specific channels during incidents.
  • Clear escalation procedures for concerning developments.
  • Authority to engage directly or pull in additional support.
  • Tools and access to track conversations across multiple platforms.

The alternative is discovering three days later that a significant misunderstanding has taken root in your community, or that someone else has filled your communication vacuum with inaccurate information.

Moving Beyond the Mad Libs Mentality

The goal isn't to communicate faster during incidents—it's to communicate more effectively. Sometimes that means speed. Sometimes it means accuracy. Sometimes it means empathy. It always means demonstrating that you understand what happened and care about the people affected.

You can't demonstrate understanding and care through fill-in-the-blank templates. You can only do it through communications that are genuinely responsive to the specific situation you're facing. And the only way to create those communications quickly during an incident is to have built the infrastructure, relationships, and frameworks that make rapid, authentic response possible.

Stop preparing templates. Start building infrastructure.

The next time your team sits down to "improve incident readiness," resist the urge to waste cycles creating communication templates. Instead, ask:

  • Who do we need relationships with before incidents occur, and who owns those relationships?
  • What channels and infrastructure must be in place now to enable fast communication later?
  • Have we clearly mapped decision authority so people won't waste hours debating who can approve what? (Anlikelyt likey, whose approval outweighs someone else’s?)
  • Do we know where our communities actually communicate, and do we have an established presence there?
  • Have we pre-negotiated frameworks with legal so reviews can move quickly and deliver helpful outcomes?
  • Have we assigned explicit ownership for monitoring and engagement during incidents?

Answer these questions well, and you'll be infinitely better prepared than any template could ever make you.