Incident Management Plan Policies and Procedures

The IMP should be aligned with the overarching policies and practices outlined within the overall Business Continuity Management Plan. Information flow should occur according to the communications plan. Organic and outsourced expertise and resources should be leveraged in conjunction with the organizational interface plan and the resource and procurement management plan. Interaction with media, families, and other groups should be guided by the public relations plan, and crisis response actions and decisions should conform with trigger plans and decision and authority matrixes. The IMP should also operate within the auspices of security management plans, standard operating procedures and tactics, techniques, and procedure policies. All policies, procedures, and plans should be complementary, with minimal duplication and overlap to avoid confusion, contradictory guidance, and wasted resources. Often the IMP and Business Continuity Management Plan will complement or leverage any company health and safety plans, as well as existing policies on dealing with the media or other operating practices; and companies may wish to provide some form of guidance to managers as to how the IMP will operate within the Business Continuity Management Plan, and what is expected of them during a crisis event.

The IMP may also work within the framework of security plans, which might determine how security and risk management is undertaken within a facility. A degree of tailoring may be required to merge the IMP into specific regional or task policies and plans. The IMP may also be supported by government response plans, and the points of connection should be defined and aligned to ensure that friction between internal and external plans or protocols does not occur. Modifications to the IMP should be done only as sanctioned by appropriate managers (or an IMP Custodian) in order to avoid conflicts with corporate interests, as well as to reduce the amount of deviation from response measures and information reporting formats.

Information Security
Some aspects of the IMP may be considered sensitive in nature, and consideration should therefore be given to who is permitted access to the plan. Other elements of the plan will be generic and intended for a wider audience, such as fire drills or suspect call responses, and managers should ensure that information and training are made available to the different levels of user audience. Where necessary, terms such as restricted and unrestricted can be applied to different elements of the IMP in order to ensure that managers share appropriate information with a wider audience, or restrict information to defined positions as required. Each recipient of the IMP is responsible for its safekeeping and for ensuring that no unauthorized copies are made.

Incident Management Stages

Typically, in management and response terms, the crisis event will include a series of stages. The duration of each stage may be protracted if the company has only a limited Business Continuity Management Plan and is unfamiliar with dealing with crisis events, or where the project may be remote and have unusual environmental challenges. Alternatively, the stages may be compressed where effective response plans, leadership, and support mechanisms are in place. Exhibit 2.4 illustrates some simple stages of a crisis, taking a managing group from the initial period of confusion where few facts may be known and effective decision making is problematic, through to a point where control is exerted, management can consolidate and stabilize the situation, and business recovery measures can be implemented.

• Confusion.: Often a period of confusion will occur at the outset of a crisis event where information is limited or erroneous, there is a lack of local expertise that can control the situation most effectively, coordination with internal and external resources is limited as understanding and control is brought to bear, and supporting resources have yet to be either identified or mobilized. It is at this stage that the highest risks and impacts might occur, as the organization may not be best placed to bring control to the situation and manage the initial and subsequent risk factors. It is at this stage that the IMP plays a significant part in defining the problem, evaluating the threats, identifying the resources required, sharing critical information with the wider crisis organization, and managing the situation tactically.

• Control.: If a mature crisis management and incident management plan is in place, the control stage may follow quickly after the initial period of confusion, and accurate information is quickly gathered and shared within the organization, enabling effective decision making. The crisis management structure will have been mobilized with expertise being provided either directly or indirectly to assist in guiding response groups through the crisis, and coordination between groups is established, allowing for good information sharing and decision making. Supporting resources such as special response teams, quick reaction forces, and other organic and external agencies will mobilize to support the response based on several stages of evaluations of requirements. Control will be brought to bear on the problem, managing the initial risks and reducing an escalation or subsequent threats resulting from the emergency.

• Consolidation.: The consolidation period typically sees the implementation of more matured and focused response plans, which requires a transition from incident management to crisis response. Information‐sharing procedures are defined, agreed on, and implemented—allowing for more mature communication flows and management decision making. Expertise will have arrived to start taking control of the situation or begin providing advisory services to the local response teams, either directly or remotely. Coordination requirements will have been consolidated and supporting group participation will have been agreed on to allow for full incorporation into the response activities and plans.

• Stabilization.: Stabilization sees the response measures running at optimal efficiency. The incorporation of organic and supporting organizations, activities, and policies is fully implemented and more matured and focused plans are in effect. It is at this stage that recovery planning is conducted. Information policies and procedures are in effect, specialist expertise may have taken over management responsibilities, and interorganizational processes and coordination are operating with full participation of supporting resources and external agencies.

• Recovery.: Typically recovery is when the crisis event is over or the effects are significantly diminished, communication flows are narrowed to a focused group so that business activities may occur, and management control may be migrated back to project control. Any crisis management processes and policies may be modified to reflect lessons learned from the emergency event and the effectiveness of response, and supporting resources may be demobilized as no longer required.

Exhibit 2.4: Management Stages of a Crisis

The value of the IMP within a Business Continuity Management Plan is seen predominantly within the confusion and control stages, where immediate actions are taken to gather and share accurate information to support better decision making, while concurrently seeking to bring control to the situation—preventing the situation from becoming worse or having more significant impacts. The other elements within the Business Continuity Management Plan then guide the company through the process to the recovery stage.