It is important that at the time of a major disruption an organisation has in place a structure that will allow the management to make informed decisions and to take control of the situation. An Incident Response Structure (IRS) supports all levels of activities that take place during a disruptive incident. Our typical management style, based on debate and consensus, will have to switch to a ‘command and control’ model, as illustrated above. The emergency services will have no problem with this approach as it is their normal management style.
The new international standard for Business Continuity Management ISO 22301 requires an organisation to establish “procedures and a management structure to respond to a disruptive incident using personnel with the necessary responsibility, authority and competence to manage an incident.” Future Risks’s Incident, Crisis and Continuity planning is structured around this key principle.
There are some fundamental requirements to adhere to within incident handling and crisis and continuity management capability, as follows:
1. A key requirement in the election of people to roles is to ensure that the individual has a decision-making capability commensurate with that position; this principle operates at all levels of the emergency management organisational structure.
2. The next key requirement is that each role must not be ambiguous, although there may well be overlapping tasks and responsibilities until all parties are in position.
3. Roles within emergency and crisis management should, in many ways, mirror the requirement of any business and we find the need to have the most senior position in the company (MD/CEO etc) occupying a similar position on the CMT, as we do with Finance, Human Resources, Facilities, and Legal for example. This mirroring runs through the whole structure and again, in simple terms, should be matched with the requirement to have, one, a strategic view of the world, two, a tactical middle management (business expertise/decision making) capability and, three, an operational support of skilled, experienced incident handlers.
4. That the structure recognises Business Continuity Management, Crisis Management and Incident Management as three interconnected, but associated disciplines.
An organisation’s Incident, Crisis and Continuity Management plans should be designed to:
- Allow mobilisation of the right resources with the relevant expertise for the problem at hand.
- Facilitate full concentration on emergency management tasks.
- Allow business to continue as normally as possible.
- Enable an organisation to show competence in the face of the unexpected.
As within any business organisational structure there are defined roles for individuals, in both management and functional positions, which are, in large part, now duplicated within the three broad operating areas of this emergency management system. In simple terms, we are positioning people whose current business expertise and position make them ideal to occupy what we will refer to as either an Operational, Tactical, or Strategic space.
The following diagram illustrates the positioning of the specific plans, set against the three levels of involvement, which in official organisations – police, fire, and local government emergency planning – are referred to as Gold, Silver and Bronze control.
The concept upon which this structure is based operates on the basis that:
- Information is escalated up
- Decisions and resource allocation cascade down
Background to the Three Disciplines
1. Incident Management
The starting point where, if handled speedily and correctly, the consequences and implications of the event may be contained. The Business Continuity British Standard BS 25999 defines an incident as follows: “A situation that might, or could lead to, a business disruption, loss, emergency, or crisis.”
The key to avoiding loss, business disruption and crises is, therefore, to have prepared, rehearsed and comprehensive plans for managing a range of incidents that, from a risk-assessed perspective, have the possibility, however remote in some cases, to affect the business. The difference between an incident and a crisis can be found in the definition of a crisis, for example: “an inherently abnormal, unstable and complex situation that represents a threat to strategic objectives, reputation or existence of an organisation.”
2. Crisis Management
So crises are associated with highly complex problems, the full implications and nature of which may well be unclear at the time. It is therefore argued that pre-prepared solutions (of the sort we will find in the Incident Response and BCM manuals) are unlikely to work in complex and ill-structured crises, especially external communications, a minefield in itself. As such, crisis management needs to be able to deal with issues that may not be manageable within these other structures, as each possible solution may have severe consequences of one form or another. Often it is a case of choosing the “least bad” solution, and accepting that there will be some strategic dilemmas.
3. Business Continuity Management (BCM)
BCP (Business Continuity Planning) and BCM are interchangeable titles for the same practice of having in place policies, plans and processes (and having exercised these) for recovering business functionality following a serious incident. We often hear reference to Disaster Recovery, which today has come to refer to the subset of plans specifically for IT recovery. Disaster Recovery Planning (DRP) includes planning for resumption of applications, hardware, communications (such as networking) and other IT infrastructure. There are usually contingency arrangements in place for migrating these functions to a pre-arranged alternate site.
Many organisations start by developing continuity plans against perceived risks such as loss of IT services or building facilities – a traditional disaster recovery approach. However, many organisations recognise that this may well overlook critical activities outside these services and facilities. The direction that BCM should take is therefore based on ensuring the continuity of critical processes and activities that deliver key products and services, which is more aligned with ‘total quality management’, itself based on the supplier/customer relationship and the processes that serve them.