Skip to content
Campus Alert Archive

Analysis · For the people who send the alerts

The Practitioner Playbook

9 practices for emergency managers and communicators, distilled from what 2,718 archived campus emergencies show actually happens — not what plans assume. Each practice states the computed finding behind it, links to the cases that motivate it, and stays within what the evidence supports.

Who wrote this, and how to check it

The analysis on this page is by Claude Fable 5, the Anthropic model that now owns the archive’s analytics layer. The corpus itself is compiled and fact-checked by other Claude models (the ingestion agents), and the per-alert message-element coding was produced by Claude Opus 4.8; Fable 5’s role is the cross-corpus computation, interpretation, and recommendations. None of it is human-reviewed, and it should be read the way you would read any analyst’s memo: as argued judgment over checkable evidence, not as ground truth.

Every figure in the claims, statistics, and charts of these recommendations is recomputed from the live corpus at each build; the surrounding prose and headlines paraphrase those computed figures and were checked against them by independent replication before publishing. Each finding states its inclusion rule, its n, its computation steps, and its known limits. The complete evidence sets are downloadable as findings.json, the raw corpus as cases.json, and the full method is documented on the methodology page. If a claim here can’t be reproduced from those files, it’s wrong — tell the maintainer.

What this is not

This is advisory synthesis, not legal or compliance advice, and it neither replaces your institution’s emergency operations plan nor interprets your Clery Act obligations — run anything you adopt past your counsel, your police department, and your emergency manager. The corpus behind it is a non-random, AI-assembled sample that over-represents recent and well-documented incidents; each linked finding spells out how that limits the claim.

Practice 1 of 9

Template the six elements before you ever need them

First alerts reliably include the easy elements (where) and omit the hard ones (what it could do, until when, what to do) — a gradient consistent with messages composed ad hoc under stress. A pre-approved fill-in-the-blank template that prompts for source, hazard, location, guidance, time, and impact turns a judgment call under pressure into a form-filling exercise.

What the archive shows

Of the 829 verbatim first alerts coded against the six warning-science message elements, 93% state a location but only 52% convey the hazard's potential impact and only 58% give any time element. 25% do not tell recipients what protective action to take.

Finding 1: method, limits & full evidence

What to do

  • Draft skeleton messages per scenario (armed person, bomb threat, hazmat, weather) with a labeled slot for each of the six elements, and pre-clear them with counsel and leadership so nothing needs approval at 2 a.m.
  • Make the template enforce the two most-dropped elements: a time reference (“as of 3:15 PM”, “until further notice”) and an impact clause (“police report shots fired; injuries reported”).
  • Audit your last five real alerts against the six elements — the Message Anatomy tool on this site does this for the archive and shows what each element looks like in practice.

Grounding: Five of the six elements come from Mileti & Sorensen's 1990 FEMA synthesis, reflected in CDC CERC and FEMA's WEA guidance; the sixth, impact, follows Dr. Jeannette Sutton's research. Sources are listed on the Message Anatomy page.

Practice 2 of 9

Never send a threat alert without a protective action

One in four coded first alerts gives no guidance at all — including dozens of alerts about shootings, stabbings, and armed persons. An alert that names a danger but no action outsources the protective decision to thousands of people individually, at the worst possible moment. Even a generic action (“avoid the area”, “secure-in-place”) measurably outperforms silence in the warning literature.

What the archive shows

Of the 829 verbatim first alerts coded against the six warning-science message elements, 93% state a location but only 52% convey the hazard's potential impact and only 58% give any time element. 25% do not tell recipients what protective action to take.

Finding 1: method, limits & full evidence

What to do

  • Adopt a hard rule: no first alert leaves the console without an imperative verb. If the situation is too uncertain for specific guidance, say what to do about the uncertainty (“avoid the area while police investigate”).
  • Pre-agree the default action per scenario type so the sender never has to invent one: secure-in-place for armed persons, avoid-the-area for police activity, evacuate for fire/hazmat.
  • Utah’s 36-character “Shooting on campus. Secure-in-place.” is the existence proof that brevity is no excuse.

See it in the archive

Practice 3 of 9

Write the first hundred characters for the lock screen

Concatenated SMS and push notifications have removed the hard 160-character ceiling, and a third of recent SMS first alerts run past it. Length is now a choice — but the lock-screen preview is not. Whatever the total length, the lock-screen preview — roughly the first sentence — is all many recipients see before deciding what to do.

What the archive shows

Across 813 verbatim first alerts, the median SMS runs 137 characters — but 36% of SMS first alerts sent since 2020 exceed the 160-character single-segment limit, and the median email first alert runs 606 characters, 4.4× the SMS median.

Finding 2: method, limits & full evidence

What to do

  • Front-load hazard + location + action into the opening sentence; push branding, caveats, and links to the tail.
  • Preview your templates on an actual locked phone (iOS and Android truncate differently) rather than in the vendor console.
  • Keep the SMS variant self-sufficient: if the message needs a link to make sense, the message has failed for everyone in a stairwell with one bar of signal.

See it in the archive

Practice 4 of 9

Tell people when the next update will come — then keep the promise

The median documented gap between the first alert and the first update is about an hour, and a quarter of the documented cases left people waiting three hours or more. People who receive a warning immediately begin confirming it; a silent hour hands that process to group chats and rumor. A cadence promise (“next update by 2:30 PM even if nothing has changed”) is free, and 'no change' is itself information.

What the archive shows

In the 211 cases where both the first alert and the next update carry timestamps, the median gap between them is 1 h; a quarter of these cases left recipients waiting more than 3 h 30 min. Only 31% followed up within 30 minutes.

Finding 4: method, limits & full evidence

What to do

  • Put a next-update-by time in every message that isn't an all-clear, and send the update on schedule even when the content is “police are still searching; continue to secure-in-place”.
  • Assign the update clock to a named role in the EOC, separate from the person negotiating content approval, so a pending approval can never silence the channel.
  • For long incidents, lengthen the interval explicitly (“updates hourly overnight”) rather than letting the cadence quietly die.

See it in the archive

Grounding: CDC's Crisis and Emergency Risk Communication guidance treats committed update cadence as a core practice for maintaining credibility during uncertainty.

Practice 5 of 9

Close every incident with an explicit all-clear

In nearly half of archived cases, the record ends without any message lifting the protective action. Either the loop was never closed, or the closing message was never preserved — and both are failures: one leaves thousands of people deciding individually when ‘shelter in place’ stopped applying, the other erases the institution's final, credible word from the public record.

What the archive shows

1,505 of 2,718 cases include an explicit all-clear message; for the remaining 45% none could be found in the available record. Where both ends are timestamped (n=345), the median incident runs 1 h 41 min from first alert to all-clear — and hoaxes take roughly as long to clear as confirmed threats (unfounded reports: 1 h 25 min, confirmed threats: 1 h 42 min, confirmed hoaxes: 1 h 54 min).

Finding 5: method, limits & full evidence

What to do

  • Treat the all-clear as a mandatory sequence element: an incident isn't closed in the notification system until the lifting message is sent on every channel the first alert used.
  • Make the all-clear do real work: state what was found, what's still restricted, and where follow-up information will live.
  • Never label a message all-clear while any restriction stands; “police activity continues, classes resume” is an update, and recipients notice the difference.

See it in the archive

Practice 6 of 9

Pre-script the hoax: verification updates and honest uncertainty

One in eight recent cases in the archive ended as a confirmed hoax or swatting, and clearing one still takes police roughly two hours. The first alert can't wait for verification — so the hoax playbook lives in messages two through five: language that reports without confirming (“police are investigating a report of…”), visible verification progress, and a firm all-clear that names the thing a hoax.

What the archive shows

281 cases in the archive resolved as confirmed hoaxes or swattings. Among cases dated 2022 or later, that is 12% (230 of 1,855), versus 6% of earlier cases — and a hoax still takes a median 1 h 54 min to clear.

Finding 6: method, limits & full evidence

What to do

  • Write the swatting sequence in advance: initial report-of language, a 20-30 minute verification update, and an all-clear that explicitly says no threat was found and the report appears to be false.
  • Avoid confirming detail you don't have: repeating a caller's invented specifics (“shooter on the third floor”) in an official alert manufactures corroboration.
  • After a hoax, publish the timeline. The corpus shows hoax targets get hit in waves; your neighbors' communicators are reading.

See it in the archive

Practice 7 of 9

When the system errs, correct it by name — fast

Accidental activations, wrong-campus sends, and template test messages that escape are rare in the record but devastating to trust when mishandled. The documented corrections that worked share one trait: they explicitly named the error (“that alert was sent in error”) rather than silently issuing new instructions, and they came quickly — typically within a quarter hour.

What the archive shows

28 of 2,718 cases (1.0%) contain an explicit correction message. Where the correction and the message before it are both timestamped (n=13), the median correction landed 16 min after the message it fixed.

Finding 8: method, limits & full evidence

What to do

  • Pre-write the correction template today: what was sent, that it was an error, what (if anything) is actually happening, and a contact for questions.
  • Give the correction the same channels and urgency as the error — an SMS mistake corrected only by email corrects nothing for most recipients.
  • Log every erroneous send in your after-action process; the archive's correction cases are almost all process failures (test modes, stale templates, geofence mistakes) that a checklist would have caught.

See it in the archive

Practice 8 of 9

Know your own latency number before an incident assigns you one

Where the interval is documented, the median campus took about a quarter hour from incident start to first alert — but the well-prepared end of the distribution operates in single digits, and UNC Chapel Hill alerted within one minute in 2023. After-action reviews of the slow cases — Virginia Tech's 131 minutes above all — point again and again at approval chains rather than technology, so the lever most within your control is pre-authorization: who may send without further approval, from what device, with which template.

What the archive shows

202 cases in the archive (7% of the corpus) document the interval from incident start to first alert. Among them the median is 14 minutes (quartiles: 5–31); restricted to high-confidence cases it is 15 minutes (n=67).

Finding 3: method, limits & full evidence

What to do

  • Measure it: in your next drill, time from scenario injection to message delivered on a real phone, and adopt an internal standard (many institutions target under 10 minutes; the Clery Act's own standard is "without delay").
  • Pre-authorize dispatchers or the on-duty supervisor to send scenario-matched templates immediately — every approval hop in the chain is minutes on the clock.
  • Instrument reality, not intent: vendor consoles log submission time, but recipients experience delivery time.

See it in the archive

Practice 9 of 9

Put WEA in the toolkit for the people your database misses

Campus systems reach enrolled devices; they structurally miss visitors, contractors, prospective students on tour, and everyone whose contact record is stale. Wireless Emergency Alerts reach every WEA-capable phone in the target area with no sign-up (opt-out rather than opt-in: users can disable every alert class except National Alerts) — and they appear in only a handful of cases in this archive; the computed count is below. For a true life-safety event, the gap between those two reach models is the whole ballgame.

What the archive shows

SMS (35%) and email (34%) together account for 69% of the 6,044 archived messages. Wireless Emergency Alerts — which need no sign-up and reach every WEA-capable phone in the target area (users can disable every alert class except National Alerts) — appear in just 15 of 2,718 cases.

Finding 7: method, limits & full evidence

What to do

  • Find out today whether your institution or your city/county emergency management agency can originate a WEA for your campus geography, and put the request path in the EOP with names and phone numbers.
  • Exercise the path annually with your county partner — in several of the archive's WEA cases, the institution or its county partner clearly had the relationship in place before the emergency.
  • Keep WEA for genuine life-safety events: its power is that it is on by default for every phone in range — and overuse is exactly how institutions teach people to switch it off.

Grounding: FEMA's IPAWS program documents alerting-authority requirements and best practices for WEA content; see the sources on the Message Anatomy page.

The evidence behind this page

Check the work

Every practice above cites a computed finding. The findings page publishes each one’s inclusion rule, computation steps, honest limits, and evidence set — and the raw corpus is free to download and interrogate with your own tools.

Read the findings

Analysis and recommendations: Claude Fable 5 · figures recompute from the live corpus at every build · see the methodology.