The Incident Management Standards and the application of software

The Incident Management Standards - Access Intelligence › wp-content › ... · Standards Organization (ISO) published the first ‘global’ standard for Business Continuity Management



The Business Continuity world is full of standards and best practice; however, in May 2012 the International Organization for Standardization (ISO) published the first 'global' standard for Business Continuity Management Systems, known as ISO 22301. This standard was derived from a number of national standards, including BS 25999 and NFPA 1600 to name two. ISO 22301 requires organisations to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to prepare for, respond to and recover from disruptive events when they arise.

ISO 22301 follows on from BS 25999 not only because the majority of its requirements have been transferred into the global standard, but also because it is a standard that you can certify your organisation and processes against.

Why Certify?

There are many reasons you might want to certify against ISO 22301. It is certainly a mechanism to show that you take business continuity seriously, although you may have other drivers, such as ensuring good corporate governance, meeting industry regulations, complying with requirements placed on you as a supplier (the UK government certainly required certification against BS 25999 as a precursor to tendering for some of its contracts) or simply the positive impact on the business.

To further supplement the advice given in ISO 22301, in September 2011 the UK Cabinet Office and the British Standards Institution published a practical approach to Crisis Management, called PAS 200. From a UK perspective, a Publicly Available Specification is the first step towards meeting the requirements of an ISO standard: for example, the precursor to ISO 22301 was BS 25999, and its precursor was PAS 56. It is important to understand that a PAS-type document is based upon experience from UK consultation, whilst ISO 22301 is built upon the consensus of subject matter experts and professionals from around the world.

PAS 200, which is designed to be read by practitioners and senior management alike, is the first "standard" in the Incident and Crisis Management arena. Whilst you can certify against ISO 22301, PAS 200 is a practical aid which sets the bar for "good" practice and cannot be formally measured against.

The contents of PAS200 help to frame an incident and a crisis, the differences between them and the various types that may befall any organisation. It also informs organisations on how to create a Crisis Management capability, how to plan and prepare, how to communicate and how to evaluate what you have created. In addition it introduces the concept of Situational Awareness, and subsequent reporting, which is a very useful tool to keep senior management abreast of the crisis and to enable incoming, and returning, operational staff to be briefed.

During 2014, PAS200 will be superseded by a British Standard, BS11200 which is the second step in the path to an ISO standard, but like PAS200 cannot be used for certification purposes.

ISO 22301 Requirements

The two areas of ISO 22301 that relate to Incident or Crisis Management and to the use of software are sections 7 and 8, Support and Operation. The section 7 requirements, and how software can be applied to each, are:

Requirement: Make adequate provision for communication technology and communication with interested parties
Application of software: Incident Management software is key to meeting this requirement. It can record events that may turn into incidents, and then into crises, and beyond recording it can notify interested parties for mobilisation, response and ongoing management. Pre-defined responses extend this capability further.

Requirement: Ensure that the means of communication remains available during an incident
Application of software: So that your communications mechanism is not taken down by the very incident it is needed for, it may be appropriate to host the capability outside your own IT perimeter. The dependency then shifts to the internet and the hosting provider, which broadens the routes by which responders can reach the capability; the trade-off is that its availability now rests on that provider and on responders being able to reach the internet, so that dependency needs to be recognised in the plan.

Requirement: Establish incident response teams and ensure members are competent to successfully manage an incident
Application of software: Whilst software will not directly make your responders competent, the effective and timely use of software provides a mechanism by which one aspect of competency can be measured.

Requirement: Provide communication procedures to provide effective exchange of information with interested parties
Application of software: Software can provide the framework not only for initial notification but for ongoing, timely and consistent communication. In addition, pre-defined responses within that framework facilitate an effective exchange of information, whether the parties are physically co-located or spread across the internet.

Requirement: Integrate with national or regional threat advisory systems, if appropriate
Application of software: At the moment there is no direct integration with national and regional threat advisory systems; however, it is possible to bring the people who run those systems in as users. Some software solutions can also integrate "near-term horizon planning" risk data, providing warning of potential issues and allowing organisations to prepare, avoid or mitigate as appropriate.

Section 8 requires organisations to "establish appropriate communication procedures and protocols for activation, operation and coordination." Software allows organisations to define a framework in which to operate, allowing individuals to focus on what is in front of them rather than wasting time establishing whether they have the "right people, right place" with a full set of information.

In addition, section 8 requires organisations to “implement and maintain procedures for Warning and Communication” in the following areas:

a) Detecting and monitoring an impending incident
Application of software: In order to detect an incident, organisations need to be aware of it. Once aware, they can prepare, avoid or mitigate accordingly. Some software products facilitate the provision and management of "pro-active" risk data.

b) Receiving, documenting, and responding to communication from interested parties
Application of software: With software, receiving communication from stakeholders, either as users or through links into responders, becomes significantly easier. In addition, documenting and responding become quicker, more consistent and more robust when software is the recording mechanism.

c) Alerting interested parties that might be impacted
Application of software: Alerting relevant parties becomes simple with notification software, whether they are within your organisation or are other stakeholders.

d) Operating a communications facility
Application of software: Software, in conjunction with physical crisis management rooms, allows you to operate around the globe.

e) Supporting structured communications with emergency responders
Application of software: Software may provide you with additional capabilities that are core to managing a response. Understanding who is fulfilling every role at all times is challenging, so a software-based rota management system removes that problem. In addition, some software facilitates the management of affected staff, assisting in regaining contact with them and managing interactions with them and their friends and family.

f) Record vital information about the incident, including actions taken and decisions made
Application of software: Software can record everything, across time, providing a complete audit trail. In addition, some software can be configured to mandate that the reasons for each decision are recorded alongside the information that was available at the time.

g) Ensure interoperability of multiple responding organisations and personnel
Application of software: A single, structured Incident Room, appropriate to the incident type, with all participants linked together even if geographically split, facilitates a more effective and timely response.

h) Regular exercising of warning and communication procedures
Application of software: Getting hold of the right people at the right time is key. Getting those people to respond in the right manner can also be difficult. A robust, standardised process, with concise information, reduces the thinking and mobilisation periods.
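The two properties requirement f) asks for, a complete audit trail of actions and decisions and the ability to mandate a rationale for every decision, are simple to demonstrate in code. The example below is added here and is not code from the paper or from any product it describes; the incident data is constructed, and hash-chaining each entry to its predecessor so that later tampering is detectable is an assumption about how the audit trail is protected, not a feature the paper attributes to any software.

```python
"""Tamper-evident incident decision log (added illustration, not from the paper).

Each entry carries the SHA-256 of the previous entry, so editing or deleting a
record after the fact breaks the chain and is caught by verify(). Decision
entries must carry a rationale when require_rationale is set. The hash chain
is an assumption about how to protect the audit trail, not a product feature.
"""
import hashlib
import json
from datetime import datetime, timezone


class RationaleRequired(ValueError):
    """Raised when a decision is logged without stating why it was taken."""


class IncidentLog:
    GENESIS = "0" * 64  # previous-hash value for the first entry

    def __init__(self, incident_id, require_rationale=True):
        self.incident_id = incident_id
        self.require_rationale = require_rationale
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Canonical JSON so the same record always hashes to the same value.
        body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(body).hexdigest()

    def record(self, kind, actor, text, rationale=None, when=None):
        """Append one entry; returns its hash. Decisions need a rationale."""
        if kind not in ("event", "action", "decision"):
            raise ValueError(f"unknown entry kind: {kind}")
        if kind == "decision" and self.require_rationale and not (rationale or "").strip():
            raise RationaleRequired("decision entries must state why the decision was made")
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "incident": self.incident_id,
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "kind": kind,
            "actor": actor,
            "text": text,
            "rationale": rationale,
            "prev": prev,
        }
        entry["hash"] = self._digest(entry)  # hash covers every field above
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Walk the chain; return (True, None) or (False, index of first bad entry)."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or e["seq"] != i or self._digest(body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None

    def timeline(self):
        """Chronological view suitable for briefing incoming staff."""
        return [(e["time"], e["kind"], e["actor"], e["text"]) for e in self.entries]


def demo():
    """Constructed sample incident: returns (entry count, ok before, ok after, bad index)."""
    log = IncidentLog("INC-0001")  # hypothetical incident identifier
    t0 = datetime(2014, 3, 3, 9, 0, tzinfo=timezone.utc)
    log.record("event", "monitoring", "Primary data centre lost power", when=t0)
    log.record("action", "duty manager", "Invoked crisis team", when=t0.replace(minute=12))
    try:  # a decision without a reason is refused, not silently accepted
        log.record("decision", "crisis lead", "Fail over to secondary site", when=t0.replace(minute=30))
    except RationaleRequired:
        pass
    log.record("decision", "crisis lead", "Fail over to secondary site",
               rationale="UPS estimate 40 min; generator start not yet confirmed",
               when=t0.replace(minute=31))
    ok_before, _ = log.verify()
    log.entries[1]["text"] = "Did nothing"  # someone edits the record afterwards
    ok_after, bad = log.verify()
    return len(log.entries), ok_before, ok_after, bad


if __name__ == "__main__":
    print(demo())
```

Because every entry's hash is computed over the previous hash, changing any earlier record invalidates everything after it; verify() reports the first broken entry, which is what an auditor reviewing the incident would want to see. In a real deployment the chain head would be periodically written somewhere the responders cannot modify.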

Situational Awareness - PAS 200

PAS 200 introduces the concept of Situational Awareness, and the reporting that follows from it, which is useful for senior management and for incoming and returning staff to gain an understanding of the incident in front of them. Situational Awareness is the ability to identify, process and comprehend the critical elements of information about what is happening with regard to the incident.

By implication, situational awareness means more than knowing what is going on; it also means being able to model the implications of what is (and is not) going on and to project current events to establish what might happen. It requires a deliberate, active and disciplined process that requires practice to achieve and sustain.

PAS 200 indicates two simple tools to achieve this, one of which is the "persistent questioning cycle":

• What has changed? Distinguish between what is known, unclear and presumed about the changes that have taken place

• What is happening? Identify variations in the character of events, their extent and their tempo or severity

• What is changing? It can be helpful to look at the inverse of events and consider what might be expected but has not (yet) been observed

• So what? This is the critical question. A diversity of perspectives and viewpoints will add value.

• What might happen? Look forward and visualize potential scenarios, using axes of time (short, medium and long term) and severity (best case to worst case)

Whilst creating situational awareness is a management process, software will certainly be able to record the outputs from this, and ensure that the information is readily and consistently available to those who need it.

The Emergence of Other Models

Whilst the majority of organisational crisis management capabilities are reactive in nature, there is a US-based model that is gaining momentum in the UK, although only in some markets, that supports reactive response to an incident but also caters for proactive use, so that it can be used to plan for events in advance. The Incident Command System (ICS) model arose out of the need for disparate responder organisations to work together under a unified command structure.

The cornerstone of this model is "management by objective", where every activity undertaken during an incident or crisis response can be traced back to one or more objectives. It creates a top-down approach, starting with the definition of objectives for the next operational period, which ranges from a few hours to one day in length. Once defined and agreed, these objectives are examined to identify what strategies could be employed, and the most appropriate ones are selected. Once strategies are agreed for each objective, more detailed tactics can be identified to support each strategy; again the most appropriate are selected and agreed upon. The final element of the "management by objective" chain is the creation of specific tasks, each attributable back to one or more objectives, which can be delivered by individual responders or groups of responders.

One of the many advantages of the ICS model is that it is cyclical in nature, every operational period requires the same steps, and therefore the methodology is readily impressed upon responders. In addition it also uses Situational Reports, which are also a fundamental concept of PAS 200, at each stage of the planning process and as a result gives reporting consistency and stability.

Summary

The sole purpose of crisis preparedness is to ensure the right people, structure and processes are in place so that decision-making can happen successfully. The sole purpose of software within this process is to make your life easier by facilitating:

• A structured approach for responding to, and managing, incidents and crises;

• The pre-definition of a framework for your Incident & Crisis Management Organisation;

• Quicker mobilisation for each level of response;

• The availability of consistent information for stakeholders;

• Controls over who can see what and when, allowing responders to concentrate on their role;

• The provision of detailed reporting, either specific to an incident or, for pan-organisational management, information on the types of incident faced.

About the Author

Ian Ross is a Fellow of the Business Continuity Institute, a BS 25999 Lead Auditor, and has been in the Incident / Crisis Management industry for over 20 years. He started in the industry when Business Continuity was the overarching management practice and has led programmes for Visa Europe, Merrill Lynch, UBS and Societe Generale. He also has significant experience in other industries, namely manufacturing, logistics and Central Government.