Wednesday, 15 May 2013

Developing a response for the unexpected

The only thing harder than planning for an incident, is having to explain why you didn't.”
John Bartlett CBCI, DBCI
A number of organisations believe that, somehow, they are different and unlikely to experience or suffer from an incident, the “it will never happen to me” attitude. More often than not, they are wrong. No organisation wants to be affected by an incident or expects it, but that does not mean that they should not consider and plan a response in case it does happen. 

Developing and implementing a response to incidents and disruptions is at the core of Business Continuity. It can determine how your organisation is perceived and whether your business survives. It consists of ensuring the appropriate plans are developed and communicated; the required infrastructure and facilities are implemented to support the plans; and completing the necessary risk treatments to achieve the desired Business Continuity strategy defined and agreed (see previous article).


No matter what the incident or serious disruption, there are five overlapping stages of the response, each of which needs to be considered and included within the planning. These stages are:

Emergency – the immediate response and actions that should be considered and if necessary taken, for example evacuation of a building;

Incident Management – the management and coordination of a response to an incident, for example deciding priorities and communicating with stakeholders.

Continuity – the initial response to ensure that essential activities can continue at their minimum level (as defined in the Continuity Requirements Analysis).

Recovery – the actions and activities required to recover additional important activities and increase the essential activities up to a sustainable level above the minimum level.

Resumption – the activities and actions required to return the organisation back to its desired state of operation, which is considered to be “normal” operations. This stage is sometimes referred to as the “Return to normal” stage.

Within each of these stages, most organisations will need to consider activities that fall within either a strategic, tactical or operational context. These three levels should be considered and addressed for each of the 5 response stages above.


Once you have discussed and decided on appropriate responses for your organisation, the appropriate individuals to be involved in each context (strategic, tactical and operational) should be identified along with how decisions, actions and communication will operate between them. The responses and corresponding structure should then be documented.

The purpose of a Business Continuity Plan (BCP) is to provide guidance, not to be too prescriptive, detailed and complex. This will defeat its purpose, reduce the likelihood of it being used and make it time consuming to maintain. A BCP should include all the necessary and essential information, but be concise, accessible and easy to follow. There is no “one size fits all” definitive structure that is appropriate for all organisations, but there are numerous examples of BCP’s on the internet. The ones which are appropriate for you will depend upon your organisation. However, Business and BCM knowledge should be combined to determine the optimum Business Continuity response structure for your organisation, and each plan should have an owner, be regularly reviewed, tested and validated - then updated if necessary.

Within large organisations it is reasonable to expect there to be a number of different plans covering aspects of the recovery stages, for example a Crisis/Incident Management Plan, Business continuity/recovery plans for each department, IT disaster Recovery plan and a “return to normal” plan. These may be complimented with specialist plans or procedures to deal with different types of incident such as evacuation, product recall, stakeholder/media communication, social media management, pandemics (not to be confused with specific threat scenarios). Within small organisations or SMEs, a number of these plans may be combined together.

Infrastructure and facilities

All Business Continuity responses and strategies will require resources, including people, infrastructure and facilities, whether the strategy is to operate from someone’s home, or commercial premises. Someone will need to do something and will need to use something to do it. The BIA and CRA previously undertaken will identify the essential items required and how quickly they are required; the agreed strategy will define how they should be provided. The essential part in planning and implementing the response is to ensure these requirements can be provided when needed, and the necessary provisions are implemented and tested to ensure this can happen.

Technology is at the core of most businesses these days and most organisations struggle to operate without it. Whether it be a large data centre with multiple, complex servers, data storage and communication links, or whether it is simply a GSM, laptop and internet connection. Developing a response, includes implementing the strategy for technology and proving its capability to support the business during the response stages. This may be spare GSMs, a backup data centre, replication of data storage, spare maintenance parts, additional supplies of PCs, laptops and printers or duplicate communication links.

In addition to the technology, people require somewhere to work and facilities to assist their working. This is true of a Crisis/Incident response team and also the people required to continue essential business activities. Facilities may include office space, desk, chair, telephone, fax, photocopier, filing cabinets and such forth. If the organisation is involved in manufacturing, there may also be a requirement for plant and machinery. These should be identified and provisions implemented to ensure they can be available when required.

Risk Treatment

As part of achieving the desired and agreed business continuity strategy, it is important that the agreed treatment for business continuity risks have been implemented, thereby reducing the likelihood or impact if certain incidents or disruptions do occur. The response plans should integrate into the risk treatment plans and ensure methods are implemented to identify when a risk materialises and the point at which escalation is required in case it develops into an incident or disruption which requires activation of part or all of the response plans. The risk treatments should also be regularly reviewed and monitored to ensure they are still appropriate and achieve the desired results.

No comments:

Post a Comment