Analysis · Doctrine audit
Plan vs. practice
When violence hits a campus — an active shooter, an armed person, a bomb threat — what should the alerting plan say to do? Federal regulation and guidance answer that question in writing. This page holds those answers up against the archived record: 1,062 violent-threat cases, message by message. Nine published claims of doctrine, each cited — quoted verbatim or explicitly paraphrased; beside each, what the record shows; and a verdict — consistent, in tension, mixed, or not testable — computed from thresholds declared before the fact. Where practice diverges from doctrine, the divergence is the finding. It is not a recommendation to follow the crowd.
The analysis on this page is by Claude Fable 5, the Anthropic model that now owns the archive’s analytics layer. The corpus itself is compiled and fact-checked by other Claude models (the ingestion agents), and the per-alert message-element coding was produced by Claude Opus 4.8; Fable 5’s role is the cross-corpus computation, interpretation, and recommendations. None of it is human-reviewed, and it should be read the way you would read any analyst’s memo: as argued judgment over checkable evidence, not as ground truth.
Every figure in the claims, statistics, and charts of these verdicts is recomputed from the live corpus at each build; the surrounding prose and headlines paraphrase those computed figures and were checked against them by independent replication before publishing. Each finding states its inclusion rule, its n, its computation steps, and its known limits. The complete evidence sets are downloadable as findings.json, the raw corpus as cases.json, and the full method is documented on the methodology page. If a claim here can’t be reproduced from those files, it’s wrong — tell the maintainer.
How to read this · Four rules
1 — What was done is not what should be done. The archive describes practice; the doctrine prescribes. When the two diverge, the gap is a finding about practice — not an argument that doctrine is wrong, and never a recommendation to copy the majority. Every “for planners” note on this page is anchored to the cited doctrine; the record only tells us where doctrine is and isn’t reaching the message stream.
2 — The archive measures what was sent and preserved. Not what was decided, weighed, or done on the ground. A message is evidence of communication, not of the full response behind it — and a missing message can be a documentation gap rather than an operational one. Verdicts are only issued where the record can actually carry the weight.
3 — Verdicts are computed, not narrated. Each testable claim declares numeric thresholds in advance, published beside the result and fixed in the site’s versioned source. The verdict is derived from those rules by code, re-derived independently by the test suite, and recomputed from the live corpus at every build. MIXED often means the evidence clears neither pre-declared bar — ambiguity, not contradiction.
4 — NOT TESTABLE is an answer. Two of the nine claims are untestable by construction — they regulate things a message archive cannot observe (pre-scripting workflows, send fan-out) — and get the honest verdict instead of a manufactured one. Any tested claim also degrades to NOT TESTABLE if its sample falls under its declared floor.
The violent-threat subset (1,062 of 2,798 cases) covers incident types active-shooter, shooting, armed-person, bomb-threat, swatting, stabbing, threat-of-violence, and suspicious-package — browse the exact set. Latency figures cover the 139 of those cases where sources document the interval; the findings pages publish every inclusion rule.
The audit at a glance · 2 consistent · 1 in tension · 4 mixed · 2 not testable
| # | Doctrine says | Source | Key number | Verdict |
|---|---|---|---|---|
| D1 | Notify without delay | 34 CFR § 668.46(g)(3) | 15 minMedian documented latency | MIXED |
| D2 | Provide follow-up information | 34 CFR § 668.46(e)(3) | 92%Share of cases documenting a follow-up-type message | CONSISTENT |
| D3 | Send a complete message | FEMA IPAWS guidance | 16%Violent-threat first alerts carrying all five components | TENSION |
| D4 | Tell people what to do | DHS 2008 · Run. Hide. Fight. | 83%Violent-threat first alerts carrying any protective instruction | MIXED |
| D5 | Assess bomb threats before evacuating | DHS-DOJ Bomb Threat Guidance | 98%Archived bomb threats resolving as hoax or unfounded | CONSISTENT |
| D6 | Pre-script your templates | FEMA IPAWS guidance | 4.26Mean elements, alerts within 10 min (of 6) | NOT TESTABLE |
| D7 | Fast alert, then fill in | 34 CFR § 668.46(g) + (e) | 20 minMedian gap to first update, complete first alerts (≥5 of 6 elements) | MIXED |
| D8 | Use redundant channels | IHE EOP Guide (2013) | 71%Cases preserving exactly one channel | NOT TESTABLE |
| D9 | Communicate the end | IHE EOP Guide (2013) | 75%Violent-threat cases documenting an explicit all-clear | MIXED |
Doctrine D1 · 34 CFR § 668.46(g)(3)
Notify without delay
“without delay, and taking into account the safety of the community, determine the content of the notification and initiate the notification system, unless issuing a notification will, in the professional judgment of responsible authorities, compromise efforts to assist a victim or to contain, respond to, or otherwise mitigate the emergency”
34 CFR § 668.46(g)(3) — the emergency-notification “without delay” requirement · U.S. Code of Federal Regulations (eCFR) · accessed 2026-07-06 · mirror
What the archive shows
15 min
Median documented latency
n=139
29%
Share taking more than 30 minutes
n=139
43%
Share alerting within 10 minutes
n=139
Context: Lower quartile: 5 min (n=139) · Upper quartile: 38 min (n=139)
Documented incident-start → first-alert intervals in violent-threat cases.
| Pre-declared test | Consistent if | Tension if | Computed | Outcome |
|---|---|---|---|---|
| Median documented latency | ≤ 10 min | > 30 min | 15 min (n=139) | clears neither bar |
| Share taking more than 30 minutes | ≤ 10% | ≥ 25% | 29% (n=139) | tension |
| Share alerting within 10 minutes | ≥ 50% | ≤ 20% | 43% (n=139) | clears neither bar |
Aggregation (pinned): any sample under its declared floor → NOT TESTABLE; otherwise all tests consistent → CONSISTENT; a strict majority in tension and none consistent → TENSION; otherwise MIXED. Result: MIXED.
Why these bars: Ten minutes is this audit's editorial bar for “fast” — the regulation itself sets no number. Thirty minutes from incident start is the mark that strains “without delay” even after granting the unmeasured confirmation interval; Virginia Tech's 131-minute gap in 2007 is the historical anchor for the rule itself. The wide middle band is deliberate: the archive's clock runs from incident start, not from the confirmation moment where the regulatory clock starts.
For planners
- Plan the confirmation step, not just the send. The regulation's clock starts at confirmation — and the canonical slow cases, Virginia Tech above all, were slow at confirmation and authorization, not at typing.
- The regulation's standard is “without delay,” not a number. If you adopt a working target (this audit's editorial bar for fast is ten minutes from first report), the documented record shows speed is attainable — the fastest documented responses landed within a minute or two — though the documented subset skews toward well-covered incidents.
- Pre-authorize senders. The regulation's only sanctioned delay is professional judgment that notifying would compromise the response — committee sign-off is not on that list.
Where these numbers come from
Every figure above resolves from the named metrics of “Under violence, the documented first alert takes a median 15 min” on the Findings page, where the full inclusion rule, computation steps, and honest limits are published. The audit itself never recomputes from raw data — one computation site per figure, covered by independent recount tests.
Denominator of the primary finding (n=139): Violent-threat cases (incident type in: active-shooter, shooting, armed-person, bomb-threat, swatting, stabbing, threat-of-violence, and suspicious-package) whose top-level responseTimeMinutes field holds a number — a curator-entered value recorded only when sources document both the incident start and the first alert time. A handful of legacy files (8 corpus-wide) carry the value at a deprecated nested path and are excluded until verified and migrated.
Honest limits of this verdict
- Latency is documented for a minority of cases, skewed toward well-reported incidents; the undocumented majority is absent, not average.
- The archive measures incident start → first alert; the regulation measures confirmation → initiation. The difference (the confirmation time) is real work the public record rarely shows.
Check it yourself
Browse the underlying cases: pre-filtered search · machine-readable verdict and thresholds: plan-vs-practice.json · complete evidence slugs: findings.json · raw corpus: cases.json.
Doctrine D2 · 34 CFR § 668.46(e)(3)
Provide follow-up information
“An institution that follows its emergency notification procedures is not required to issue a timely warning based on the same circumstances; however, the institution must provide adequate follow-up information to the community as needed.”
34 CFR § 668.46(e)(3) — the follow-up information requirement · U.S. Code of Federal Regulations (eCFR) · accessed 2026-07-06 · mirror
What the archive shows
92%
Share of cases documenting a follow-up-type message
n=1062
Context: Median first-alert → first-update gap: 41.5 min (n=104) · Updated within 30 minutes: 38% (n=104)
| Pre-declared test | Consistent if | Tension if | Computed | Outcome |
|---|---|---|---|---|
| Share of cases documenting a follow-up-type message | ≥ 85% | < 60% | 92% (n=1062) | consistent |
Aggregation (pinned): any sample under its declared floor → NOT TESTABLE; otherwise all tests consistent → CONSISTENT; a strict majority in tension and none consistent → TENSION; otherwise MIXED. Result: CONSISTENT.
Why these bars: Eighty-five percent asks the record to show follow-up as the norm while allowing for documentation loss; below sixty percent would mean the public record routinely stops at one message. The regulation sets no follow-up clock, so cadence is published as context, not tested.
For planners
- Budget for the second message before the first goes out: who writes it, on what trigger, on what clock. The duty to keep informing is regulatory, not stylistic.
- Treat the archive's median wait for a first update — published as context beside this verdict — as a warning, not a benchmark: warning research consistently finds that people who receive an alert immediately begin seeking confirmation, and silence sends them to rumor.
Where these numbers come from
Every figure above resolves from the named metrics of “Most violent-threat cases get a follow-up; in 25% the public record never closes” on the Findings page, where the full inclusion rule, computation steps, and honest limits are published. The audit itself never recomputes from raw data — one computation site per figure, covered by independent recount tests.
Denominator of the primary finding (n=1,062): All violent-threat cases (incident type in: active-shooter, shooting, armed-person, bomb-threat, swatting, stabbing, threat-of-violence, and suspicious-package). Gap figures use the subset with a timestamped initial alert and a timestamped update within 24 hours; duration figures use timestamped initial → all-clear pairs under the same window.
Honest limits of this verdict
- A missing follow-up in this archive is a documentation gap, not proof none was sent; the share is best read as how often the public record goes on.
Check it yourself
Browse the underlying cases: pre-filtered search · machine-readable verdict and thresholds: plan-vs-practice.json · complete evidence slugs: findings.json · raw corpus: cases.json.
Doctrine D3 · FEMA IPAWS guidance
Send a complete message
FEMA's alerting guidance calls for a warning message to carry five components: the source issuing it, the hazard, the location, the protective action to take, and when the guidance expires.
Paraphrase of IPAWS Best Practices Guide · Federal Emergency Management Agency · accessed 2026-07-06 · mirror
Also drawing on IPAWS Tip 44 — Best Practices for Wireless Emergency Alerts · Federal Emergency Management Agency (July 2022) · accessed 2026-07-06 · mirror
What the archive shows
16%
Violent-threat first alerts carrying all five components
n=422
Context: Corpus-wide baseline: 25% (n=828) · Time element present: 47% (n=422) · Impact element present: 40% (n=422)
Share of coded violent-threat first alerts where each element is present, against the all-corpus baseline.
| Pre-declared test | Consistent if | Tension if | Computed | Outcome |
|---|---|---|---|---|
| Violent-threat first alerts carrying all five components | ≥ 75% | ≤ 40% | 16% (n=422) | tension |
Aggregation (pinned): any sample under its declared floor → NOT TESTABLE; otherwise all tests consistent → CONSISTENT; a strict majority in tension and none consistent → TENSION; otherwise MIXED. Result: TENSION.
Why these bars: Seventy-five percent would show the five-component message as standard practice; forty percent or below shows it is the exception. The bar tests presence only — a vague instruction counts — so it is generous to practice.
For planners
- Build the five components into the template so completeness is structural: a blank labeled SOURCE / HAZARD / LOCATION / ACTION / TIME survives stress better than prose recall.
- The elements that fall furthest under violence are time and impact — the two that require saying how bad and how current. Draft those clauses in advance for each scenario.
- The evidence here is a gap between doctrine and practice, and the recommendation stays with doctrine: nothing in this record suggests the five components are the wrong target — only that current practice is not reaching it.
Where these numbers come from
Every figure above resolves from the named metrics of “Under violence, first alerts are less complete, not more” on the Findings page, where the full inclusion rule, computation steps, and honest limits are published. The audit itself never recomputes from raw data — one computation site per figure, covered by independent recount tests.
Denominator of the primary finding (n=422): Coded verbatim first alerts (the message-anatomy set) whose case's incident type is in the violent-threat set: active-shooter, shooting, armed-person, bomb-threat, swatting, stabbing, threat-of-violence, and suspicious-package. The corpus baseline is every coded first alert.
Honest limits of this verdict
- Element coding is AI-generated (25 passes per alert, auditable per alert); presence says nothing about quality.
- Only verbatim-confirmed first alerts are coded, over-representing institutions that publish archives.
Check it yourself
Browse the underlying cases: pre-filtered search · machine-readable verdict and thresholds: plan-vs-practice.json · complete evidence slugs: findings.json · raw corpus: cases.json.
Doctrine D4 · DHS 2008 · Run. Hide. Fight.
Tell people what to do
Federal active-shooter doctrine tells individuals to evacuate if escape is possible, hide if it is not, and — as a last resort, when life is in imminent danger — take action against the shooter. Since 2012 the public formulation has been Run. Hide. Fight.
Paraphrase of Active Shooter: How to Respond · U.S. Department of Homeland Security (October 2008) · accessed 2026-07-06 · mirror
Also drawing on Active Shooter — Run, Hide, Fight (protective actions) · FEMA Protective Actions Research (community.fema.gov) · accessed 2026-07-06 · mirror
Also drawing on Guide for Developing High-Quality Emergency Operations Plans for Institutions of Higher Education · U.S. Departments of Education, Homeland Security, Justice, HHS; FEMA; FBI (June 2013) · accessed 2026-07-06 · mirror
What the archive shows
83%
Violent-threat first alerts carrying any protective instruction
n=422
81%
Armed-report first alerts carrying any protective instruction
n=283
49%
Armed-report first alerts ordering concealment (lockdown / shelter / stay inside)
n=283
Context: First alerts containing “Run. Hide. Fight.”: 19 (n=422)
Share of coded violent-threat first alerts matching each instruction category. Categories overlap; shares sum past 100%.
| Pre-declared test | Consistent if | Tension if | Computed | Outcome |
|---|---|---|---|---|
| Violent-threat first alerts carrying any protective instruction | ≥ 90% | ≤ 75% | 83% (n=422) | clears neither bar |
| Armed-report first alerts carrying any protective instruction | ≥ 90% | ≤ 75% | 81% (n=283) | clears neither bar |
| Armed-report first alerts ordering concealment (lockdown / shelter / stay inside) | ≥ 75% | ≤ 40% | 49% (n=283) | clears neither bar |
Aggregation (pinned): any sample under its declared floor → NOT TESTABLE; otherwise all tests consistent → CONSISTENT; a strict majority in tension and none consistent → TENSION; otherwise MIXED. Result: MIXED.
Why these bars: Ninety percent asks protective action to be near-universal in violent-threat first alerts, which is doctrine's premise; seventy-five percent of armed-report alerts carrying a concealment-family order would show the doctrine's protective action reliably reaching the message stream.
For planners
- Run. Hide. Fight. instructs the person in the room; a mass alert addresses a population. Decide in the plan — before the incident — which protective action each scenario's alert orders, and teach the individual doctrine in training rather than assuming the alert will deliver it.
- Whatever the phrasing, the instruction must be there: a meaningful minority of coded violent-threat first alerts carry none (the computed share sits in the test table above), and doctrine treats the protective action as the reason the message exists.
- If Run. Hide. Fight. is your institution's trained doctrine, decide in advance whether and when the phrase itself belongs in an alert — the archive shows a small number of first alerts do carry it verbatim.
Where these numbers come from
Every figure above resolves from the named metrics of “The archived alerts say “lock down,” not “Run. Hide. Fight.”” on the Findings page, where the full inclusion rule, computation steps, and honest limits are published. The audit itself never recomputes from raw data — one computation site per figure, covered by independent recount tests.
Denominator of the primary finding (n=422): Coded verbatim first alerts whose case's incident type is in the violent-threat set (active-shooter, shooting, armed-person, bomb-threat, swatting, stabbing, threat-of-violence, and suspicious-package). The armed-report subset keeps active-shooter, shooting, armed-person, stabbing, and swatting — the types where the alert reports a person with a weapon, whatever later proved true.
Honest limits of this verdict
- The instruction taxonomy is keyword-based over verbatim texts; presence itself comes from the 25-pass element coding.
- A first alert with no instruction is not proof none followed — later messages in the sequence often carry it.
Check it yourself
Browse the underlying cases: pre-filtered search · machine-readable verdict and thresholds: plan-vs-practice.json · complete evidence slugs: findings.json · raw corpus: cases.json.
Doctrine D5 · DHS-DOJ Bomb Threat Guidance
Assess bomb threats before evacuating
Federal bomb-threat guidance is graduated: assess the threat's specificity and credibility first, then choose among monitoring, searching, sheltering, or evacuating. Evacuation is a decision the assessment can reach — not a default the threat triggers. The overwhelming majority of bomb threats prove not credible; CISA's review of the 2017–2021 mass bomb-threat campaigns found a real device in 3 of 6,071 incidents.
Paraphrase of DHS-DOJ Bomb Threat Guidance (quad-fold) · DHS / DOJ / FBI, via CISA · accessed 2026-07-06 · mirror
Also drawing on Bomb Threat Guide · Cybersecurity and Infrastructure Security Agency · accessed 2026-07-06 · mirror
Also drawing on Responding to Mass Bomb Threat Campaigns · Cybersecurity and Infrastructure Security Agency · accessed 2026-07-06 · mirror
What the archive shows
98%
Archived bomb threats resolving as hoax or unfounded
n=269
46%
Verbatim first alerts ordering or announcing evacuation
n=92
Context: Resolved as a confirmed threat: 4 (n=269) · Median first alert → all-clear: 130 min (n=67)
Instruction categories in verbatim bomb-threat first alerts. Categories overlap; shares sum past 100%; categories matching zero alerts are omitted.
| Pre-declared test | Consistent if | Tension if | Computed | Outcome |
|---|---|---|---|---|
| Archived bomb threats resolving as hoax or unfounded | ≥ 80% | ≤ 50% | 98% (n=269) | consistent |
| Verbatim first alerts ordering or announcing evacuation | ≤ 50% | ≥ 75% | 46% (n=92) | consistent |
Aggregation (pinned): any sample under its declared floor → NOT TESTABLE; otherwise all tests consistent → CONSISTENT; a strict majority in tension and none consistent → TENSION; otherwise MIXED. Result: CONSISTENT.
Why these bars: Eighty percent hoax-or-unfounded confirms doctrine's premise that most threats are false — the archive's computed share sits beside CISA's 0.05% real-device rate. An evacuation-order share at or below half is read as consistent with graduated response; three quarters or more would read as reflexive evacuation. The band between those bars is wide, and where the computed share sits near a bar the takeaways treat the margin as thin rather than settled.
For planners
- Write the assessment step into the plan as a named decision with a named owner: who evaluates specificity and credibility, against what checklist, before the first instruction goes out.
- Pre-script the hold-in-place variant, not just the evacuation variant. A large share of archived bomb-threat first alerts order the most disruptive option against a threat class that overwhelmingly proves false — and evacuation itself moves people past unsearched spaces.
- The doctrine is not “never evacuate”: a specific, credible threat warrants it. The plan's job is to make evacuation the assessment's conclusion rather than the alert's reflex.
Where these numbers come from
Every figure above resolves from the named metrics of “98% of bomb threats came to nothing — 46% of first alerts still ordered evacuation” on the Findings page, where the full inclusion rule, computation steps, and honest limits are published. The audit itself never recomputes from raw data — one computation site per figure, covered by independent recount tests.
Denominator of the primary finding (n=283): Cases with incident type bomb-threat. Resolution shares use the subset with a non-empty recorded resolution; instruction shares use the subset whose case-opening alert is verbatim-confirmed with non-empty text; duration uses timestamped initial → all-clear pairs within 24 hours.
Honest limits of this verdict
- The archive over-collects dramatic incidents including hoax waves; its hoax share describes this corpus, not a national rate — though federal data points the same direction.
- An evacuation order in a first alert is not proof the assessment was skipped; the record shows what was sent, not what was weighed.
Check it yourself
Browse the underlying cases: pre-filtered search · machine-readable verdict and thresholds: plan-vs-practice.json · complete evidence slugs: findings.json · raw corpus: cases.json.
Doctrine D6 · FEMA IPAWS guidance
Pre-script your templates
FEMA's alerting guidance tells originators to draft message templates before an emergency, so that composing under stress becomes filling in blanks rather than writing from scratch.
Paraphrase of IPAWS Tip 44 — Best Practices for Wireless Emergency Alerts · Federal Emergency Management Agency (July 2022) · accessed 2026-07-06 · mirror
Also drawing on IPAWS Best Practices Guide · Federal Emergency Management Agency · accessed 2026-07-06 · mirror
What the archive shows
Mean elements, alerts within 10 min (of 6): 4.26 (n=27) · Mean elements, slower alerts (of 6): 4.08 (n=49)
Whether an institution composed from a pre-scripted template is invisible in the sent message — the archive records outputs, not workflows. The nearest observable fingerprint — mean element counts for fast versus slower alerts — is published as context beside this claim, on samples too small to settle anything in either direction.
For planners
- Pre-script per scenario — armed person, bomb threat, shelter-in-place, all-clear — with the five message components as labeled blanks, and keep the templates where the sender under stress actually is.
- Exercise the templates: the component most often missing under violence (time, of the five FEMA components — the archive also codes a sixth element, impact) is precisely the blank a drill would catch.
Where these numbers come from
Every figure above resolves from the named metrics of “Under violence, first alerts are less complete, not more” on the Findings page, where the full inclusion rule, computation steps, and honest limits are published. The audit itself never recomputes from raw data — one computation site per figure, covered by independent recount tests.
Denominator of the primary finding (n=422): Coded verbatim first alerts (the message-anatomy set) whose case's incident type is in the violent-threat set: active-shooter, shooting, armed-person, bomb-threat, swatting, stabbing, threat-of-violence, and suspicious-package. The corpus baseline is every coded first alert.
Honest limits of this verdict
- This claim is untestable from sent messages by construction; nothing here is evidence against pre-scripting.
Check it yourself
Browse the underlying cases: pre-filtered search · machine-readable verdict and thresholds: plan-vs-practice.json · complete evidence slugs: findings.json · raw corpus: cases.json.
Doctrine D7 · 34 CFR § 668.46(g) + (e)
Fast alert, then fill in
Taken together, the two Clery duties order a sequence: initiate notification without delay once the emergency is confirmed, then keep the community adequately informed as the situation develops.
Paraphrase of 34 CFR § 668.46(g)(3) — the emergency-notification “without delay” requirement · U.S. Code of Federal Regulations (eCFR) · accessed 2026-07-06 · mirror
Also drawing on 34 CFR § 668.46(e)(3) — the follow-up information requirement · U.S. Code of Federal Regulations (eCFR) · accessed 2026-07-06 · mirror
What the archive shows
Median gap to first update, complete first alerts (≥5 of 6 elements): 20 min (n=23) · Median gap to first update, less complete first alerts: 42 min (n=43)
Composite of D1 (MIXED) and D2 (CONSISTENT) under the pinned rule (not testable if any input is; consistent if all are; tension if any is; otherwise mixed) → MIXED.
How this verdict is formed: This verdict composes D1 and D2 under the pinned composite rule rather than declaring new bars.
For planners
- “Send fast, then follow up” is a sequence, not a trade. The archive gives no support to treating a thin first message as a down payment on a fast second one: in the current sample where both are measurable, less complete first alerts got slower first updates, not faster ones (medians beside this verdict; small samples).
- Plan the pair as one unit: the first alert's template and the first update's trigger belong on the same page of the plan.
Where these numbers come from
Every figure above resolves from the named metrics of “Under violence, the documented first alert takes a median 15 min” and “Most violent-threat cases get a follow-up; in 25% the public record never closes” on the Findings page, where the full inclusion rule, computation steps, and honest limits are published. The audit itself never recomputes from raw data — one computation site per figure, covered by independent recount tests.
Denominator of the primary finding (n=139): Violent-threat cases (incident type in: active-shooter, shooting, armed-person, bomb-threat, swatting, stabbing, threat-of-violence, and suspicious-package) whose top-level responseTimeMinutes field holds a number — a curator-entered value recorded only when sources document both the incident start and the first alert time. A handful of legacy files (8 corpus-wide) carry the value at a deprecated nested path and are excluded until verified and migrated.
Honest limits of this verdict
- The completeness × cadence cross rests on a small two-group sample — its n is published with the context metrics above — and is context, not a tested claim.
Check it yourself
Browse the underlying cases: pre-filtered search · machine-readable verdict and thresholds: plan-vs-practice.json · complete evidence slugs: findings.json · raw corpus: cases.json.
Doctrine D8 · IHE EOP Guide (2013)
Use redundant channels
Federal planning guidance for higher education directs institutions to plan redundant means of alerting — multiple communication methods, because no single channel reaches everyone during an emergency.
Paraphrase of Guide for Developing High-Quality Emergency Operations Plans for Institutions of Higher Education · U.S. Departments of Education, Homeland Security, Justice, HHS; FEMA; FBI (June 2013) · accessed 2026-07-06 · mirror
Also drawing on IPAWS Best Practices Guide · Federal Emergency Management Agency · accessed 2026-07-06 · mirror
What the archive shows
Cases preserving exactly one channel: 71% (n=1062) · Cases documenting three or more: 2% (n=1062) · Cases with a WEA/IPAWS message: 2 (n=1062)
Distinct documented delivery channels per violent-threat case, under the published counting rule.
The archive records the channel each preserved message traveled, not the fan-out of the send: a case preserved as one SMS may have been a five-channel send documented once. The single-channel share below is therefore a preservation floor, and a floor cannot test a redundancy requirement in either direction.
For planners
- Plan channels by failure mode, not by count: opt-in SMS misses visitors and move-in week; email misses the quad; sirens carry no detail. The richest archived records show the pairing doctrine intends — SMS plus sirens, PA, or WEA.
- The preserved record almost never shows WEA — a floor, like every channel count here — but whatever the preservation gap hides, WEA origination authority is arranged before the emergency or not at all.
Where these numbers come from
Every figure above resolves from the named metrics of “The preserved record usually shows one channel per emergency — which is the finding” on the Findings page, where the full inclusion rule, computation steps, and honest limits are published. The audit itself never recomputes from raw data — one computation site per figure, covered by independent recount tests.
Denominator of the primary finding (n=1,062): All violent-threat cases (incident type in: active-shooter, shooting, armed-person, bomb-threat, swatting, stabbing, threat-of-violence, and suspicious-package), counting the distinct delivery channels across each case's archived messages.
Honest limits of this verdict
- Single-channel shares overstate single-channel practice by an unknowable margin — which is exactly why this claim carries no verdict.
Check it yourself
Browse the underlying cases: pre-filtered search · machine-readable verdict and thresholds: plan-vs-practice.json · complete evidence slugs: findings.json · raw corpus: cases.json.
Doctrine D9 · IHE EOP Guide (2013)
Communicate the end
Planning doctrine treats the emergency's end as a communication event of its own: tell the community when the threat has passed and what happens next. Recovery begins with an explicit all-clear.
Paraphrase of Guide for Developing High-Quality Emergency Operations Plans for Institutions of Higher Education · U.S. Departments of Education, Homeland Security, Justice, HHS; FEMA; FBI (June 2013) · accessed 2026-07-06 · mirror
Also drawing on 34 CFR § 668.46(e)(3) — the follow-up information requirement · U.S. Code of Federal Regulations (eCFR) · accessed 2026-07-06 · mirror
What the archive shows
75%
Violent-threat cases documenting an explicit all-clear
n=1062
Context: Median first alert → all-clear: 110 min (n=233)
| Pre-declared test | Consistent if | Tension if | Computed | Outcome |
|---|---|---|---|---|
| Violent-threat cases documenting an explicit all-clear | ≥ 90% | ≤ 60% | 75% (n=1062) | clears neither bar |
Aggregation (pinned): any sample under its declared floor → NOT TESTABLE; otherwise all tests consistent → CONSISTENT; a strict majority in tension and none consistent → TENSION; otherwise MIXED. Result: MIXED.
Why these bars: Ninety percent would show closure as a norm of the record; sixty percent or below would show the record routinely ending mid-emergency. The documentation caveat cuts both ways — an absent all-clear may be preservation loss, which is why the tension bar sits low.
For planners
- Script the all-clear with the same care as the first alert: what was found, what is lifted, where to get help. It is the cheapest message in the sequence and the one that formally releases thousands of people from a protective action.
- Archive your own messages. Where the public record ends without an all-clear — as it does in a substantial share of violent-threat cases — a preservation gap is indistinguishable from a communication gap, and a published institutional alert archive is what lets the record close at all.
Where these numbers come from
Every figure above resolves from the named metrics of “Most violent-threat cases get a follow-up; in 25% the public record never closes” on the Findings page, where the full inclusion rule, computation steps, and honest limits are published. The audit itself never recomputes from raw data — one computation site per figure, covered by independent recount tests.
Denominator of the primary finding (n=1,062): All violent-threat cases (incident type in: active-shooter, shooting, armed-person, bomb-threat, swatting, stabbing, threat-of-violence, and suspicious-package). Gap figures use the subset with a timestamped initial alert and a timestamped update within 24 hours; duration figures use timestamped initial → all-clear pairs under the same window.
Honest limits of this verdict
- An absent all-clear is a documentation gap, not proof none was sent; the tested share measures how often the public record closes the loop.
Check it yourself
Browse the underlying cases: pre-filtered search · machine-readable verdict and thresholds: plan-vs-practice.json · complete evidence slugs: findings.json · raw corpus: cases.json.
The synthesis · What a plan should say
Nine lines for the plan on the shelf
Each line restates the cited doctrine as a planning directive. The chip beside it is the archive’s computed verdict on current practice — what the record says about how often campuses already do this, not whether they should.
- D1Name who confirms and who sends, pre-authorize them, and drill the path from first report through confirmation to first message until “without delay” is a rehearsed sequence, not a phrase.MIXED
- D2Assign the second message before the first goes out — an owner, a trigger, and a clock.CONSISTENT
- D3Template the five message components — source, hazard, location, action, time — as labeled blanks, not prose to recall under stress.TENSION
- D4Put a protective action in every alert, teach Run. Hide. Fight. in training, and decide in advance how the trained doctrine maps into the mass message.MIXED
- D5Give bomb threats a named assessment step with a hold-in-place message variant ready, so evacuation is a decision rather than a reflex.CONSISTENT
- D6Pre-script every scenario's first message and all-clear, and exercise the templates.NOT TESTABLE
- D7Plan the first alert and the first update as one unit, on the same page of the plan.MIXED
- D8Layer channels by failure mode — and arrange WEA origination authority before the day you need it.NOT TESTABLE
- D9Script the all-clear with the same care as the first alert — tell the community when the threat has passed and what happens next.MIXED
The plans themselves often adopt the doctrine’s own words: 42% of the 318 campus alerting policies in this archive use the regulation’s “without delay” standard in their own text — browse the policy collection. This page tests what reaches the message stream.
Keep going
The evidence behind every verdict
The 14 findings publish each number’s inclusion rule, method, limits, and complete evidence set; the playbook turns the corpus into concrete practices for the people who write and send alerts.
Doctrine sources cited on this page
34 CFR § 668.46(g)(3) — the emergency-notification “without delay” requirement · U.S. Code of Federal Regulations (eCFR) · accessed 2026-07-06 · mirror
34 CFR § 668.46(e)(3) — the follow-up information requirement · U.S. Code of Federal Regulations (eCFR) · accessed 2026-07-06 · mirror
IPAWS Best Practices Guide · Federal Emergency Management Agency · accessed 2026-07-06 · mirror
IPAWS Tip 44 — Best Practices for Wireless Emergency Alerts · Federal Emergency Management Agency (July 2022) · accessed 2026-07-06 · mirror
Active Shooter: How to Respond · U.S. Department of Homeland Security (October 2008) · accessed 2026-07-06 · mirror
Active Shooter — Run, Hide, Fight (protective actions) · FEMA Protective Actions Research (community.fema.gov) · accessed 2026-07-06 · mirror
Guide for Developing High-Quality Emergency Operations Plans for Institutions of Higher Education · U.S. Departments of Education, Homeland Security, Justice, HHS; FEMA; FBI (June 2013) · accessed 2026-07-06 · mirror
DHS-DOJ Bomb Threat Guidance (quad-fold) · DHS / DOJ / FBI, via CISA · accessed 2026-07-06 · mirror
Bomb Threat Guide · Cybersecurity and Infrastructure Security Agency · accessed 2026-07-06 · mirror
Responding to Mass Bomb Threat Campaigns · Cybersecurity and Infrastructure Security Agency · accessed 2026-07-06 · mirror
Quoted passages are verbatim from the cited source and were verified against multiple independent reproductions of the text; passages labeled “paraphrase” condense the cited document and are never presented in quotation marks. Accessed dates state when each source’s wording and URL were last checked.
Verdicts on this page recompute from data/cases/ at every build under thresholds fixed in versioned source; the archive grows continually, so verdicts can change as evidence accumulates — that is the design. Analysis and framing: Claude Fable 5 · element coding: Claude Opus 4.8 · corpus compilation: Claude ingestion agents. See the methodology.