Security and Safety Awareness

An important precursor to the IMP is the training and education of employees operating either domestically or within foreign operating environments. Companies may wish to expand IMP training to include hostile environment briefings or training in order to illustrate the typical risks employees traveling to, or operating in, a new or challenging environment may face, and thus assist them in avoiding many of the issues that could befall them, but may fall outside of their common experiences or understanding. Often corporate policies and plans may not be provided to a wider audience as a complete product, but instead only appropriate sections are furnished to employee users. Therefore, each plan should contain the relevant information to allow it to operate in isolation to achieve its objectives, whether geared toward a domestic audience familiar and comfortable with their cultural or environmental surroundings or toward an audience operating within a new or unfamiliar territory.

Companies should consider at what level they should educate and train staff in order to provide the appropriate foundations for the IMP. Layered training within an organization will often be appropriate, as a sizable company will typically have a small proportion of staff exposed to certain levels of risk or specific risk types, while the wider group will be exposed to more generic levels and types of risk. Some groups may require a cursory level of education and training, while others may require a more comprehensive training regime. The function of hostile environment or security awareness training can have broad objective parameters, or may be focused on a particular operating environment. Some common themes that may be covered are:

§  Typical risk types and impacts.

§  Assessing and evaluating risk.

§  Situational awareness and travel security.

§  Cultural sensitivity and awareness.

§  Social, religious, political, and gender norms.

§  Regional infrastructures and support structures.

§  Medical and health impacts.

§  Risk mitigation techniques and emergency responses.

Hostile environment (or traveler's safety) training will often act as both supportive and preemptive measures for the IMP. Some company staff may not be aware that there are approximately 300 religions in nearly 200 independent countries worldwide, all with their own unique characteristics and risk factors. Some countries are led autocratically, others through democratically elected or monarchical systems. In some countries gender equality is a given, whereas in others women have diminished social roles. Shaking hands or showing feet in some cultures is offensive, while folding your arms in other cultures indicates that you are paying attention. In some countries free speech is a right, whereas in others public expressions of opinion can result in imprisonment. Taking photographs in some countries may lead to arrest; in others, drinking alcohol is forbidden. Companies may therefore wish to precede the IMP with some form of security or safety awareness training so that personnel will understand the cultural and environmental context in which the IMP is set.

Monitoring Crisis Management Programs

A Business Continuity Management Plan and its constituent elements should be considered a living entity, subject to growth and change. While the company may develop an all‐encompassing IMP to meet a wide spectrum of typical operating challenges, tailoring and updates of the IMP will often be required to ensure that the plan retains its accuracy and effectiveness for each operating activity and region. An intelligence‐driven policy will govern how the procedures are amended, adapted, or revised. The changing and evolving external socioeconomic and geopolitical influences should be used in concert with internal and external monitoring evaluations and validations, ensuring that security measures and crisis response arrangements reflect the current threats and that the potential for complacency within the company is minimized. Changing supporting structures or management elements should also be incorporated within aspects of the Business Continuity Management Plan and supporting components such as the IMP, reflecting fluctuating and evolving organizational structures, capabilities, and focuses (i.e., notably if stages within a project see significant differences in approach requirement).

An internal monitoring or assessment team can be used to test, evaluate, and exercise personnel in their responsibilities, ensuring that corporate policy is being effectively implemented at all levels, as well as identifying any areas for change or improvement. Enhancements should be collaboratively sought from both corporate and field levels. Such a monitoring team is also useful in the formal assessment of personnel, contributing to the evaluation of a crisis management structure as well as key individuals within it.

External monitoring teams allow a fresh and impartial validation on how well formulated and relevant the current security policies and plans are. They can also contribute in a consultancy role, offering suggestions to the executive management on policy amendments and alternative methods of implementing security arrangements. External monitoring can be through unannounced spot checks, exercises, or allocated assessment periods, and can be conducted concurrently with management exercises in the IMP's utilization.

External consultants may also be required to offer guidance on how to amend or adapt the Business Continuity Management Plan and IMP following a crisis incident. Many organizations, having successfully managed a crisis, slip into a state of complacency, believing that they now have the expertise to overcome any future crises (Ian I. Mitroff and Christine M. Pearson, Crisis Management: A Diagnostic Guide for Improving Your Organization's Crisis‐Preparedness, Jossey‐Bass, 1993, p. 23). Companies should seek to learn from a crisis event and improve their response policies, procedures, and mechanisms to better manage any subsequent crises.

Crisis Control Center | Crisis Management Structures

The company should either establish a permanent facility in which to manage crisis events (if the frequency and scope of crises facing its business activities warrant such an investment) or develop and pre‐position portable crisis management resources to quickly establish a temporary crisis control center within an operating area. Alternatively, a virtual crisis management center may be more preferable in terms of cost and ease of management. It is critical that resources enable the crisis team to communicate with multiple groups, both those dealing with a crisis at the point of the emergency as well as those leveraged or contracted to support the resolution of a crisis. Multiple mediums for communication are often required, as the crisis event may have affected one or several communication lines. The following considerations are offered to assist companies in provisioning an effective crisis control center:

Communications

§  Landlines, satellite phones, and mobile phones

§  Fax machine

§  Videoconferencing

Information Technology

§  Computers and printers

§  Internet connectivity

§  PowerPoint and monitors

Management

§  Status boards and personnel rosters

§  Action plans and operational instructions

§  Management and interface structures

§  Action boards and personnel status tracker

§  Implemented plan tracker

§  Intranet management site

Information

§  Intelligence reports

§  News channels (television and radio)

§  Intelligence briefing boards

§  Ongoing directives

§  Status reports

§  Threat reviews

Documents

§  Business Continuity Management Plan

§  Security plans and exhibits

§  Agreements and contact lists

Mapping and Imagery

§  Regional and local maps

§  Satellite and aerial photography

§  Schematics and floor plans

Facilities

§  Conference rooms and offices

§  Private briefing room

§  Secure area for security materials

Administrative Support

§  Photocopier machine

§  Satellite and aerial photography

§  Schematics and floor plans

Ancillary Equipment

§  Stationery supplies

§  Rubber gloves and plastic bags

§  Medical stores

§  Air‐conditioning or heating

§  Beds and showers

§  Securable cabinets

§  Paper shredder

§  Access control (locks)

§  Food and water

§  Power and lighting

Access to the crisis control center should be restricted to only appropriate persons, and should be locked if the center is not operated during certain hours. Access to intranet sites or other information technology storage facilities or mediums should also be restricted and monitored. The location and resources available to the crisis control center, whether sited within the affected area or positioned outside of an impacted area, will determine what resources are required, as well as the level of security needed to secure this critical facility.