OpenSkillIndex← back to search
claude-code

Clawfu-skills response-coordinator

Coordinate crisis response through structured playbooks, communication templates, and team orchestration

install
source · Clone the upstream repo
git clone https://github.com/guia-matthieu/clawfu-skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/guia-matthieu/clawfu-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/crisis/response-coordinator" ~/.claude/skills/guia-matthieu-clawfu-skills-response-coordinator && rm -rf "$T"
manifest: skills/crisis/response-coordinator/SKILL.md
source content

Crisis Response Coordinator

Orchestrate effective crisis response through structured playbooks, clear communication templates, and coordinated team actions.

When to Use This Skill

  • Active crisis situations
  • Building crisis playbooks
  • Training response teams
  • Creating communication templates
  • Post-crisis improvement

Methodology Foundation

Based on Burson-Marsteller crisis playbook and PPRR model (Prevention, Preparedness, Response, Recovery), combining:

  • Incident command structure
  • Stakeholder communication
  • Timeline management
  • Documentation practices

What Claude Does vs What You Decide

Claude DoesYou Decide
Structures response playbookGo/no-go decisions
Drafts communicationsApproval authority
Coordinates timelinesResource deployment
Documents actionsSpokesperson selection
Suggests escalation pathsLegal implications

Instructions

Step 1: Activate Crisis Protocol

Activation Checklist:

  • Confirm crisis status (not false alarm)
  • Identify crisis type and scope
  • Assemble core response team
  • Establish communication channels
  • Begin documentation log

Step 2: Establish Command Structure

Crisis Team Roles:

RoleResponsibilityTypical Owner
Crisis LeadOverall coordinationCEO/COO
Comms LeadExternal messagingCMO/PR Head
Operations LeadFix the problemCTO/VP Ops
Legal CounselLegal guidanceGeneral Counsel
Customer LeadCustomer communicationVP CX
HR LeadInternal/employeeCHRO

Step 3: Execute Response

Response Phases:

PhaseDurationFocus
Contain0-2 hoursStop bleeding, assess scope
Communicate2-4 hoursStakeholder notifications
Resolve4-24 hoursFix root cause
Recover1-7 daysReturn to normal
Learn7-30 daysPost-mortem, improvements

Step 4: Manage Communications

Stakeholder Priority:

StakeholderWhen to NotifyChannel
Internal teamImmediatelySlack/Teams
Board/InvestorsWithin 1 hourCall/Email
Affected customersWithin 2 hoursDirect
All customersWithin 4 hoursEmail/Social
MediaReactivePress statement
PublicAs neededWebsite/Social

Step 5: Document Everything

Crisis Log Template:

TIME | ACTION | OWNER | OUTCOME
-----|--------|-------|--------
10:00 | Alert received | [Name] | Verified
10:15 | Team assembled | [Name] | 5/6 present
10:30 | Root cause identified | [Name] | DB issue
...

Examples

Example 1: Crisis Response Playbook

Input:

Create a crisis response playbook for a data breach scenario.

Output:

## Crisis Playbook: Data Breach

### Severity Classification

| Level | Criteria | Response |
|-------|----------|----------|
| **Critical** | PII exposed, >10K records | Full activation |
| **High** | PII exposed, <10K records | Partial activation |
| **Medium** | Non-PII data exposed | Contained response |
| **Low** | Attempted breach, blocked | Monitor and report |

---

### Activation Trigger

**Automatic activation when:**
- Confirmed unauthorized data access
- Evidence of data exfiltration
- Regulatory notification required
- Media awareness possible

---

## Phase 1: CONTAIN (0-2 Hours)

### Immediate Actions

| Time | Action | Owner | Checklist |
|------|--------|-------|-----------|
| +0 min | Isolate affected systems | IT Security | [ ] |
| +0 min | Preserve forensic evidence | IT Security | [ ] |
| +15 min | Assemble crisis team | Crisis Lead | [ ] |
| +30 min | Brief team on situation | IT Security | [ ] |
| +30 min | Legal notification | Legal | [ ] |
| +1 hr | Scope assessment complete | IT Security | [ ] |
| +1 hr | Impact assessment complete | Ops Lead | [ ] |

### Crisis Team Assembly

**Mandatory Attendees:**
- [ ] CEO (Crisis Lead)
- [ ] CTO (Technical Lead)
- [ ] CISO (Security Lead)
- [ ] General Counsel (Legal Lead)
- [ ] CMO (Communications Lead)
- [ ] VP Customer Success (Customer Lead)

**Optional (as needed):**
- [ ] CHRO (if employee data)
- [ ] CFO (if financial impact)
- [ ] Board liaison

### Initial Assessment Template

BREACH ASSESSMENT

Discovery Time: [TIME] Breach Window: [START] to [END]

Data Involved:

  • Names
  • Email addresses
  • Phone numbers
  • Passwords
  • Payment data
  • SSN/Government ID
  • Health information
  • Other: ___________

Records Affected: [NUMBER] Customers Affected: [NUMBER]

Attack Vector: [DESCRIPTION] Current Status: [CONTAINED/ONGOING] Confidence Level: [HIGH/MEDIUM/LOW]


---

## Phase 2: COMMUNICATE (2-4 Hours)

### Communication Sequence

| Priority | Stakeholder | When | Channel | Owner |
|----------|-------------|------|---------|-------|
| 1 | Board/Investors | +2hr | Call | CEO |
| 2 | Regulators | +2hr | Formal notice | Legal |
| 3 | Affected customers | +3hr | Email | CX Lead |
| 4 | All employees | +3hr | All-hands | HR |
| 5 | Media (if inquiries) | +4hr | Statement | Comms |
| 6 | Public | +4hr | Website | Comms |

---

### Communication Templates

#### Customer Notification (Direct Victims)

Subject: Important Security Notice - Action Required

Dear [Name],

We're writing to inform you about a security incident that may have involved your personal information.

WHAT HAPPENED On [DATE], we discovered unauthorized access to [SYSTEM]. The incident occurred between [DATE] and [DATE].

WHAT INFORMATION WAS INVOLVED Based on our investigation, the following information may have been accessed:

  • [List specific data types]

WHAT WE'RE DOING

  • We immediately secured our systems
  • We engaged cybersecurity experts to investigate
  • We notified law enforcement
  • We are providing [credit monitoring/identity protection]

WHAT YOU CAN DO

  1. [Specific action 1]
  2. [Specific action 2]
  3. [Specific action 3]

CONTACT US If you have questions, please contact our dedicated support line:

  • Phone: [NUMBER] (24/7 for next 30 days)
  • Email: [EMAIL]
  • FAQ: [URL]

We sincerely apologize for this incident and any concern it causes.

[Signature]


#### All-Customer Notification

Subject: Security Update from [Company]

Dear [Customer],

We're writing with an important security update.

On [DATE], we discovered a security incident affecting some customer accounts. We want to be transparent about what happened and what we're doing.

THE INCIDENT [2-3 sentence summary of what happened]

YOUR ACCOUNT Based on our investigation, your account [was / was not] affected. [If affected: See separate email with specific details]

OUR RESPONSE

  • [Action taken 1]
  • [Action taken 2]
  • [Action taken 3]

GOING FORWARD [Steps being taken to prevent future incidents]

We're deeply sorry this occurred and are committed to earning back your trust.

[Signature]


#### Media Statement

STATEMENT FROM [COMPANY] REGARDING SECURITY INCIDENT

[DATE]

[Company] recently discovered unauthorized access to certain company systems. Upon discovery, we immediately took steps to secure our systems and engaged leading cybersecurity experts to investigate.

Based on our investigation:

  • [Key fact 1]
  • [Key fact 2]
  • [Key fact 3]

We have notified the appropriate authorities and are working closely with law enforcement.

Affected individuals are being notified directly and we are providing [specific remediation].

We take the security of our customers' information extremely seriously. We apologize for this incident and are taking steps to prevent similar incidents in the future.

For more information, please visit: [URL]

Media Contact: [Name], [Email]


---

## Phase 3: RESOLVE (4-24 Hours)

### Technical Remediation

| Action | Owner | Deadline | Status |
|--------|-------|----------|--------|
| Patch vulnerability | Security | +6hr | [ ] |
| Reset affected credentials | IT | +8hr | [ ] |
| Deploy additional monitoring | Security | +12hr | [ ] |
| Third-party security audit | Security | +7 days | [ ] |

### Customer Remediation

| Action | Owner | Deadline | Status |
|--------|-------|----------|--------|
| Credit monitoring enrollment | CX | +24hr | [ ] |
| Password reset flow | Product | +24hr | [ ] |
| Support surge staffing | CX | +24hr | [ ] |
| FAQ page live | Marketing | +6hr | [ ] |

---

## Phase 4: RECOVER (1-7 Days)

### Operational Recovery

| Milestone | Target | Owner |
|-----------|--------|-------|
| Normal operations | +24hr | Ops |
| Support queue normal | +72hr | CX |
| Security audit complete | +7 days | Security |
| All notifications sent | +72hr | Legal |

### Communication Recovery

| Activity | Timing | Owner |
|----------|--------|-------|
| Progress update #1 | +24hr | Comms |
| Progress update #2 | +72hr | Comms |
| Final resolution notice | +7 days | Comms |
| Thank you to customers | +14 days | CEO |

---

## Phase 5: LEARN (7-30 Days)

### Post-Incident Review

**Schedule within 7 days of resolution**

Agenda:
1. Timeline reconstruction
2. What worked well
3. What needs improvement
4. Action items for prevention
5. Communication effectiveness
6. Documentation updates

### Playbook Updates

Based on learnings, update:
- [ ] Detection capabilities
- [ ] Response procedures
- [ ] Communication templates
- [ ] Team training
- [ ] Vendor relationships

Example 2: Real-Time Response Coordination

Input:

We're in the middle of a crisis - product recall needed.
Contaminated ingredient found in batch.
What do we do now?

Output:

## ACTIVE CRISIS: Product Recall

### STATUS: PHASE 1 - CONTAIN

---

### IMMEDIATE ACTIONS (Next 60 Minutes)

| # | Action | Owner | Done |
|---|--------|-------|------|
| 1 | STOP all shipments of affected batch | Operations | [ ] |
| 2 | Identify batch numbers affected | QC | [ ] |
| 3 | Pull from retail shelves (notify partners) | Sales | [ ] |
| 4 | Count units sold vs. in inventory | Operations | [ ] |
| 5 | Assemble full crisis team | CEO | [ ] |
| 6 | Contact legal counsel | CEO | [ ] |
| 7 | Notify regulatory authority (FDA/etc) | Legal | [ ] |

---

### INFORMATION NEEDED NOW

Fill in as you gather:

AFFECTED BATCH:

  • Batch number(s): _______________
  • Production date(s): _______________
  • Contamination type: _______________
  • Health risk level: [ ] Low [ ] Medium [ ] High [ ] Critical

DISTRIBUTION:

  • Units produced: _______________
  • Units shipped: _______________
  • Units in warehouse: _______________
  • Retailers received: _______________
  • Units sold to consumers (est): _______________

CUSTOMERS AT RISK:

  • Can you identify purchasers? [ ] Yes [ ] No
  • Geographic distribution: _______________

---

### COMMUNICATION PRIORITY

| Priority | Who | When | Message |
|----------|-----|------|---------|
| 1 | Retail partners | NOW | Stop sales, pull from shelves |
| 2 | Regulatory body | Within 1hr | Formal notification |
| 3 | Identified customers | Within 2hr | Direct recall notice |
| 4 | All customers | Within 4hr | Public recall announcement |
| 5 | Media | As needed | Press statement ready |

---

### HOLDING STATEMENT (Use if media calls NOW)

"We are aware of an issue with [product] and are taking immediate action. Customer safety is our top priority. We will have a full statement within [X] hours.

In the meantime, customers who have purchased [product] should [specific action].

Questions: [contact]"


---

### CUSTOMER COMMUNICATION TEMPLATE

URGENT PRODUCT RECALL NOTICE

[Company] is voluntarily recalling [Product Name] due to potential contamination with [substance].

AFFECTED PRODUCTS:

  • Product: [Name]
  • Batch #: [Numbers]
  • Expiration dates: [Dates]
  • Sold at: [Retailers]

WHAT TO DO:

  1. STOP using the product immediately
  2. [Disposal instructions OR return instructions]
  3. Contact us for full refund: [phone/email/url]

IF YOU'VE CONSUMED THE PRODUCT:

  • [Symptoms to watch for]
  • [When to seek medical attention]
  • [Who to call]

We sincerely apologize for this situation and are taking all steps to ensure this doesn't happen again.

Questions: [24/7 Hotline Number]


---

### NEXT CHECK-IN: 30 MINUTES

At that time, confirm:
- [ ] All shipments stopped
- [ ] Batch scope finalized
- [ ] Retail partners notified
- [ ] Regulatory notification sent
- [ ] Customer communication ready

Skill Boundaries

What This Skill Does Well

  • Structuring response playbooks
  • Creating communication templates
  • Coordinating response timelines
  • Organizing team actions

What This Skill Cannot Do

  • Make legal determinations
  • Access your systems
  • Speak on your behalf
  • Know regulatory requirements

Iteration Guide

Follow-up Prompts:

  • "Create a playbook for [crisis type]"
  • "Draft communication for [stakeholder]"
  • "What should our next 30 minutes look like?"
  • "How do we communicate [specific development]?"

References

  • Burson Crisis Communications
  • PPRR Crisis Management Model
  • FEMA Incident Command System
  • Harvard Business Review Crisis Response

Related Skills

  • crisis-detector
    - Early warning
  • social-listening
    - Monitoring
  • reputation-recovery
    - Post-crisis

Skill Metadata

  • Domain: Crisis
  • Complexity: Advanced
  • Mode: centaur
  • Time to Value: Immediate in crisis
  • Prerequisites: Stakeholder alignment, authority to act