The IMP should be designed to follow some simple principles in order to be most effective. The plan should reflect the nature of the business in which the company operates and the risks associated with those activities. The plan should also reflect the challenges and nuances different socioeconomic, climatic, and topographical operating environments may bring, as well as the nature, composition, and spectrum of the user audience and supporting groups—meeting the needs of different levels of management and expertise. The plan should be generic enough to ensure consistency of application, but be tailored sufficiently to meet local needs. It should be designed and developed with as much input and buy‐in from stakeholders as possible and appropriate, and tested and proven through training and exercises. The IMP is a guideline, and flexibility should be built in and acknowledged to meet unique or new challenges. The IMP should also be correctly resourced and kept live and applicable through scheduled and event‐driven reviews and training exercises. In tactical terms, the following principles should be adopted by IMP users:
§ Always gather accurate facts; never pass on rumor or speculation.
§ Send information quickly and accurately, with regular updates.
§ Use the templates provided; however, adapt and enhance as required.
§ Taking decisive action is often better than delaying a response.
§ Supporting organizations should be notified early to ensure support.
§ Only appropriate persons should represent the company.
§ Information chains and authority parameters should be clear and understood.
§ Sensitive information should flow only to appropriate managers.
§ Primary as well as peripheral or secondary risks and impacts should be identified.
§ Gaps should be identified quickly for resolution.
§ Training and education are important to enable effective implementation.
It is useful to provide, either within the IMP or as part of a separate threat section (or Risk Registry) within a Business Continuity Management Plan, an introduction to the nature and implications of the threats the IMP has been designed to manage. This section places the response plan in context and should be developed to meet a wide audience's level of expertise. Simple, clear, and focused language should be used to bring an appropriate level of understanding to the threat nature so that the first responder or incident manager understands what questions to ask, how best to utilize the response guidelines, and what impacts may result from a possible threat. This element can be considered an educational or advisory aspect of the IMP; however, it is not intended as a complete review of each risk nature but purely as a usable insight to provide a foundation of understanding. As a risk or threat overview, it provides direction to the design and development of the IMP, as well as educating users in the nature of the problems they may face, and thus places their responses into an understandable context.
The IMP is intended to meet immediate response needs, often undertaken by managers or personnel who may have little or no training within the field of security or crisis response. The IMP will typically go through a transition of management during the course of a crisis event, as greater expertise is mobilized to deal with the immediate, interim, and long‐term requirements of an event. The IMP provides definition to an organization through guidelines and templates for the successful management of incidents, helping companies respond in a more organized and professional manner to manage the tactical aspects of the crisis event more effectively. Put simply, crisis management addresses the strategic aspects of managing a crisis event, and the two areas should be self‐supporting and operate in unison.
The IMP can be designed to meet both domestic and foreign activities, supporting responses to both mundane and unique crisis events. The mandate of the IMP should include all incidents that constitute a significant threat to the life, health, or liberty of employees of the company, or those situations that might damage or undermine the image or reputation of the company, its physical assets, or its operations. The IMP might be developed for companies that are exposed to risks such as:
§ Medical risks in regions where medical infrastructures are poor or remote.
§ Areas subject to natural disasters such as floods, fires, earthquakes, or disease.
§ Political risks in areas subject to unstable rule of law and political tensions.
§ Regions with especially high levels of organized or opportunistic crime.
§ Countries that have active insurgent, activist, and terrorist groups in operation.
§ Companies whose activities might be subject to unwanted media attention.
§ Industries that might be exposed to high‐profile or spectacular risk impacts.
§ Companies that might be subject to extortion, threats, sabotage, or kidnappings.
§ Companies with high‐value materials, technologies, brands, or assets.
§ Companies whose operations might be vulnerable to industrial or environmental accident risks.
§ Companies whose operations are in remote and inaccessible regions with poor transportation networks.
The IMP defines appropriate and sanctioned response guidelines and information requirements to guide personnel through the first stages of a crisis. Some of the following objectives should be considered central to the design of an IMP:
§ Mobilizing the right organic and external resources quickly and effectively.
§ Collating and gathering accurate and detailed information.
§ Ensuring accurate information flow occurs in a timely and focused manner.
§ Coordinating response activities during the first stages of a crisis.
§ Preventing the crisis from expanding or reoccurring.
§ Representing the company and its interests professionally.
§ Reducing the likelihood of physical and psychological harm to personnel.
§ Reducing the likelihood of damage to facilities, assets, or materials.
§ Supporting the restoration of business activities as quickly as possible.
Incident management plans can be considered one element of a company's risk insulation policy. If risk management is considered in terms of the insulating layers surrounding a live wire (the program or business activity), each layer of mitigation or management affords an additional level of protection against disruptive or harmful influences—thus making a risk pass through several layers of protection or defense prior to being able to cause harm.
1 comment:
Nice article on Principles of Planning.