The incident management plan (IMP) is a generic and tactical component of the Business Continuity Management (BCM) Plan, offering pragmatic guidelines and responses to support immediate crisis events across a wide spectrum of risk issues as more mature and comprehensive measures are brought into play—typically meeting the needs of the first 24 to 72 hours of a crisis event. The IMP might cover a broad array of subjects—for example, registering information from a threatening phone call, dealing with a road traffic accident, or responding to an explosion or natural disaster. The IMP is effectively the first line of defense for companies managing a crisis situation, while concurrently seeking accurate and timely information to support both strategic and longer term tactical decision‐making requirements. The IMP works to support the risk management policies, procedures, and plans, taking guidance from such elements as the organizational interface, resource management, and communication plans, while operating under the principles of corporate policies and any security instructions, such as guard orders, travel management policies, and standard operating procedures (SOPs). Therefore, the IMP should be considered another cog within the machinery of a broader Business Continuity Management Plan.
The IMP should be integrated within the Business Continuity Management Plan, while being sufficiently detailed to provide an autonomous set of instructions to first line responders who will neither have the time, nor possibly the access, to the entire Business Continuity Management Plan. In order to provide a stand‐alone policy and guidelines document that can act independently of the Business Continuity Management Plan (while still being integrated where desired or appropriate), a company should consider dividing its IMP into a series of components:
§ Instructions.: Providing corporate policies and instructions as an overall guideline on how the IMP should be managed and conducted, as well as pertinent reference documents and policies within the Business Continuity Management Plan.
§ Management Tools.: Providing integration and instructional components linking the IMP to the Business Continuity Management Plan, as well as providing higher‐level management tools. Placing response guidelines into a management framework such as decision making authorities and communication plans.
§ Education.: Introducing managers to the nature of the risks they might have to deal with, providing sufficient knowledge and understanding to set the scene for implementing response plans within a context understandable to a wide user audience. Effectively providing a risk register.
§ Response Guidelines.: Comprising the actual response instructions and guidelines—walking managers through a series of simple and pragmatic steps to enable local and incident managers to bring control to a crisis as more mature plans and expertise are brought into play.
§ Data Collection.: Comprising data calls, indicating and structuring the critical information local managers will need to collate, consolidate, and distribute within the crisis management plan to ensure effective organizational decision making and resource management.
The IMP should be designed to be user‐friendly, supporting managers who might not be versed in crisis management or security services to effectively bring the initial event under control—as more experienced risk and security professionals are mobilized to form a qualified and experienced crisis response team (CRT). The plan should therefore be written with a broad user audience in mind, rather than engineered to suit a particular division or industry sector.
While many aspects of an IMP will be generic and will suit a range of operating environments based on the typical risk natures and impact effects a company may face, the IMP should (where appropriate) be tailored locally to reflect any unique risks and challenges that a specific operating environment may present. Considerations to local laws, customs, risk natures, and social factors should be considered and incorporated within the IMP to ensure that responses reflect those factors that will affect them—without disrupting the structure or format of the plan. These unique influences—whether local laws, social infrastructures, political and religious considerations, or topographical and climatic conditions—should be addressed within both the management guidelines section of the IMP and the individual data call and response guidelines. The composition of both the incident management team and the crisis management team should also reflect these influences so that the IMP can be most effectively implemented and sustained.
The IMP should be considered a tactical element of the contingency planning process, as well as a functional aspect of a crisis response, providing sensible and practical considerations, guidelines, and response measures for both corporate and project management and allowing first responders, incident managers, and crisis response teams to respond quickly and effectively to a range of problems—in synchronization with each other. An effective IMP reflects the level of effort a company invests in the safety and welfare of its employees, its protection of investment capital and interests, its brand image, as well as its desire to maximize the profitability of business operations. An IMP should not be viewed in isolation, but will be supported with a range of complementary products, policies, procedures, and activities.