Incident Management Plan Alert States and Trigger Response Plans

It is important for incident managers to be provided with simple guidance as to how to sensibly and effectively escalate a risk management posture to reflect threat indicators, or increasing levels of threat. It is also important to define the difference between a problem and a crisis, so that managers do not ignore a real crisis event, or conversely do not mobilize resources that far exceed a requirement, as this will quickly fatigue the crisis management responses. Frequently the determination between a problem and a crisis is a subjective one; however, some simple guidelines will assist those less experienced in identifying and managing crisis events.

The Business Continuity Management Plan will typically contain detailed alert states and trigger plans to meet a range of possible crisis scenarios; however, a simplified version can be useful within the IMP itself. Threat levels are often the key indicators of alert states, but threat levels can be extremely volatile and do not necessarily reflect actual risks to personnel, facilities, resources, or activities. Assessing alert states in terms of the threat and vulnerability will provide a more tailored and local alert state. This should be a continuous process of assessing the risk environment in which the company is operating, at local, regional, and national levels—rather than being purely associated with IMP requirements. Sound judgment forms the basis of a decision; however, the development of agreed alert states provides a common vocabulary, context, and structure for assessing and reacting to the threats that confront the company's people or project. In essence, these alert states provide a simple and effective way of conveying the severity of a situation to local, national, and corporate management in order to facilitate their decision‐making process, as well as evidence and justify a response need. They also bring important consistency to the risk management approach. Alert states can also be used to trigger internal risk and security measures, increasing awareness, initiating contingency measures, and mobilizing resources to be positioned to enable the company to respond at appropriate levels to a particular need.

Alert states can be influenced by internal assessments, or may be influenced or guided by government, military, or civil assessments. There may be differences in what a government considers just reason to evacuate, and what commercial organizations see as the final trigger for a withdrawal. Businesses will bear the brunt of financial or project losses, whereas diplomatic warnings are more advisory and often not audience specific. Alert state risk assessments can also be tied directly to actions required and policies implemented. This will assist in a semi‐automated process following the risk assessment. Alert states may vary from negligible to low, medium, high, or extreme. In each instance, an explanation of what drives the classification should be provided to avoid personal perspective or ambiguity, as well as what actions are required in association with alert states to reflect a change to risk levels. Tables may be complex or simple, depending on the complexity of the company requirement—although the IMP version should be as clear and focused as possible to reflect the user audience's knowledge, capabilities, and experiences. Exhibit 2.16 illustrates a simple table that might be used to guide first responders and incident managers through a simple and directed decision‐making process connected to certain levels of risk probability. Numerical alerts can be used to guide managers to where they need to start taking action; alternatively, color coding is an option to making interpretation of risk levels easier for users.

Exhibit 1: Incident Management Plan Alert State Trigger Plan

Generic and macro‐level trigger natures are illustrated in Exhibit 1; however, more specific triggers or trip wires may be defined by companies so as to provide granular‐level guidance to staff. Organizations such as the U.S. Overseas Security Advisory Council (OSAC) advocate trip‐wire planning for commercial organizations operating abroad. The OSAC advocates determining points at which certain risks—principally natural disasters, civil disorder and political unrest, terrorism, health and environmental threats, infrastructure weakness, and other facility or employee concerns—mobilize an organization into predetermined response measures (OSAC, “Tripwire Approach to Emergency Planning,” May 11, 2008). Establishing trip wires or trigger points enables local managers, as well as corporate officers, to have clearly defined and unambiguous points at which decisions or actions are taken, whether they be major earthquakes, large‐scale riots, pandemic alerts, fuel shortages, or water contamination threats. These specific trigger points or trip wires can include:

• Demonstrations that indicate growing social unrest, whether peaceful or violent in nature, especially if aimed at foreign workers, facilities, or other associated company activities.

• The media, host nation government, religious groups or leadership, or militia leaders preaching or actively spreading inflammatory propaganda or directives that could adversely affect the company, its personnel, or its facilities.

• A rapidly diminishing ability to gain accurate and timely information from local government organizations, foreign missions, and media agencies on local or regional events that could present threats to the company.

• Increasing levels of opportunistic criminal activity, especially if directed at specific ethnic or religious groups, genders, or business activities, locations, or facilities.

• Focused attention by organized crime on the company and its employees, activities, or facilities, or unwanted attention toward associated or similar commercial groups.

• Rising levels of insurgent, terrorist, or activist targeting, especially if directed toward the company or toward associated or parallel groups.
• 
  
• Host nation, embassy, media, or other public announcements indicating an increase in specific threat types or pending crisis events.

• Sustained disruptions to basic infrastructure or utilities preventing the supply of clean water, gas, electricity, food, fuel, or other life‐support essentials.

• Reliable reports of an imminent natural disaster—hurricane, typhoon, tsunami, wildfire, volcanic eruption, or flooding.

• Reports of a pending or occurring industrial or environmental disaster that could present toxic or physical hazards to personnel, as well as contaminate facilities, food or water supplies, or critical materials.

• An outbreak of contagious diseases that the local government or responding agencies do not have the resources, expertise, or medicines to treat.

• Rapid economic decline brought about by sanctions, civil unrest, coups, assassinations, or the turnover in host nation leadership, which might lead to local authorities being unable to maintain law and order.

• Political instability and loss of governance resulting from the abrupt replacement, detention, or arrest of key government officials, military leaders, political opponents, religious leaders, or other prominent figures.

• Similar organizations increasing security profiles, ceasing operations, closing facilities, rapidly evacuating personnel, or demobilizing activities.

• Foreign embassies and aid agencies declaring heightened risk alerts or withdrawing their presence from the area, region, or nation.

• The inability, lack of resources, or unwillingness for local or national security and law enforcement agencies to provide adequate protection to foreign workers and the company's interests.

• Rising levels of corruption, extortion, and legal liability risks presented by corrupt political leadership, which could result in detentions or imprisonment.

• Rapidly declining transportation capacities for road, rail, air, or maritime facilities, which could adversely affect the ability of company employees to evacuate the country.

Each company, and indeed project, should provide definitions and responses that are appropriate to its unique requirements and operating environment. The risk assessment conducted during the contingency planning aspect of the Business Continuity Management Plan's development should define what postulated threats are posed against a company or particular activity, and thus what should be included within the risk type category. The guidelines should be considered as such, guidelines, with common sense playing a critical role in how managers respond.

Interorganizational Management

The company should, as part of the Business Continuity Management (BCM) Plan, determine what resources can be leveraged or outsourced to support incident and crisis management. Even major international companies will not have the expertise or past performance experience to manage every aspect of a crisis situation, and often governments or specialist organizations can bring expertise or considerable weight to bear that commercial organizations might not be able to match. Where possible and appropriate, the crisis management organization should seek to include government support and outsourced expertise as part of its crisis team composition. By predefining such supporting elements, the company might enhance contingency planning measures and make incident and crisis response measures more effective (i.e., exponentially increasing the response capabilities of the company), as well as actually reducing the costs required for contingency planning and crisis management.

The company should define with any external interfaces the preferences and requirements for communication traffic during an emergency situation. This also applies to contracted security vendor companies, as often the company project or program managers feel that their corporate offices are too involved in the tactical event and should not be directing response measures, or that they themselves have not been provided sufficient time to understand the scope and impacts of the problems before executive management begin asking questions and demanding or directing action. Conflicts within the company's own organization are common during crisis events; and subcontracted vendors supporting with such issues require clear guidelines and policies, as well as diplomacy and a balanced approach to multilevel requirements in order to understand from whom they should take direction, and how they should support the company's crisis response. Tiering the crisis management structure often helps companies understand the different focus areas as well as the spectrum of levels involved within a crisis event, as illustrated in Exhibit 1.

Exhibit 1: Interorganizational Management

The company, supporting agencies, and subcontracted security or crisis response vendors should collaborate, where possible, to determine the structure of the crisis response levels, functions, and responsibilities in order to align structures, policies, and procedures to best match crisis requirements. The event itself will also significantly influence the manner in which such response and management teams are established and how they operate. An example of a typical event chain of management functions follows:

§  First Responder.: The nonspecialist person or manager who might be first on the scene and will initiate the crisis response, as well as start information flows and control measures.

§  Source Incident Response Team (IRT).: A trained local incident control team or manager who might be first on site, or in close proximity to start to bring control to the crisis event.

§  Project IRT.: An incident response trained manager or team who will take from local responders the control over gathering information and controlling the tactical aspects of the crisis event.

§  Program Crisis Response Team (CRT).: A trained senior incident manager who might manage multiple aspects of the crisis event and mobilize local outsourced support, bridging the gap between incident management and crisis management.

§  Country CRT.: The first layer or true crisis management element that will support controlling the actual event in strategic terms, while also undertaking peripheral crisis management functions and mobilizing in‐country resources and outsourced support. They will often bridge the field and corporate levels.

§  Corporate CRT.: Senior‐level crisis managers who will deal with strategic needs and issues for the company as a whole. They will sanction procurements and deal with public relations issues, as well as senior government agencies and special support groups.

While some organizations may have fewer levels within their crisis management structure, the three principle levels of the person at the scene, those dealing with the physical aspects of an emergency response, and the strategic crisis management element are nearly always found within a crisis event. The right balance of ownership, authorities, and operating parameters needs to be struck between the roles of the corporate and country office and those of the incident management teams. The key issues companies should consider are:

§  The type, scope, and severity of the incident.

§  How undertaking the role will undermine primary work functions for incident and crisis managers.

§  The liability implications for those appointed to the tasks, are they the best choice to protect the company.

§  Effectively managing the threat at the local, national, and corporate levels—focusing holistically on the implications of an event.

§  Implementing standard operating procedures to reduce the risk probabilities.

§  Implementing incident management plans (IMPs) to reduce the impacts of risk events and bring control to the situation.

§  Implementing event‐specific crisis response plans to augment and transition from incident management responses to full scale crisis management.

§  Availability and experience of local management to handle an incident, determining early whether additional support is needed

§  Identifying other supporting agencies that might be leveraged to assist with crisis management.

§  Potential of the incident to have an effect on the company beyond the impacts of the actual event.

Companies will organize their crisis response teams based on a range of factors, including corporate structures, risk policies and management approaches, risk tolerance levels, geographic and industry influences, the ability and quality of government and other external support, as well as business partner or subcontracted security vendor participation. Each business activity may also bring unique requirements to the composition of a crisis team, either internally or in terms of outsourced support.

Education and Training | Crisis Management Structures

Education and training creates the conditions in which individuals and groups can successfully utilize sound BCM Plans, as well as have the confidence to step outside of established policies and plans to meet unique challenges which the BCM Plan may not have fully addressed. The following forms of education and training are available to develop and sustain the skills and capabilities of an organization's crisis leaders.

§  Formal Instruction.: Formal instruction may take the shape of a focused training course for crisis leaders on risk and security management issues, whether conducted as part of a series of modules or as a condensed package.

§  Mentoring Programs.: Mentoring programs may be formal or semiformal with experience, and trained crisis leaders mentoring less experienced team members so that cross‐pollination of skills and knowledge occurs.

§  Shadowing and Transitioning.: Crisis leaders may delegate or transition responsibilities over a defined period to ensure that new crisis leader incumbents have a period of indoctrination prior to fully assuming responsibilities.

§  Tabletop Exercises.: Management leadership exercises and discussions can be used to run a crisis management team, and individuals, through their paces as a low cost, high value training medium.

§  Discussion Groups.: Discussion and working groups or forums can provide a valuable medium whereby information and ideas are shared and friction points or shortfalls are identified and resolved.

§  Instructional Manuals.: Training manuals can be used (often in conjunction with other education and training mediums) to educate crisis leaders on their own role, as well as how an organization will function and respond to a crisis.

§  Web‐Based Training.: Web‐based education and training mediums can be used to meet the needs of a dispersed crisis management team.

§  Train the Trainer.: Creating internal capability through a train the trainer scheme can improve the knowledge and capabilities of the instructor, while also creating a pyramid effect of capability within a wider group.

§  Activation Exercises.: Activation exercises can be used to determine the ability for individuals and the crisis management team to effectively respond to a crisis event. This tests both the mechanisms for activation, as well as the competence of individuals and the wider group in terms of response.

There is no miracle answer for how crisis leadership should work, nor necessarily a way of predicting, nor assessing after the event whether the individual or group leadership approach used was the most effective way of managing a particular crisis. Establishing a solid platform from which good decisions can be made should be the principle goal of companies and organizations. In addition, corporate leadership should bear in mind that it is better to make some form of decision, rather than make no decision at all in the event of a crisis—recovery is invariably preferable than inaction.

Crisis Management Structures

Each company will define the composition and structure of its own crisis response group dependent on the nature, size, and scope of the organization, as well as the operating regions and risk types it is exposed to. The tiering of response groups creates an effective command‐and‐control chain that meets both corporate and field requirements, as well as reflecting the size and complexity of response needs. Four basic layers might be found within a typical crisis response organizational structure:

1.     Corporate

2.     Country

3.     Program

4.     Project

A company should consider the value or determining participation from external groups in support of crisis response measures at each level, as well as drawing on its own knowledge, resources, and capabilities. Both parent and operating region governments and military or law enforcement agencies can provide considerable support during crisis events, often bringing influence or capabilities far outside of a commercial organization's area of expertise—although these should not be relied upon. The company might also wish to consider collaboration arrangements where mutual support is offered to other groups in return for reciprocal levels of assistance during a crisis event. The engagement of specialist subcontracted vendors is also an area where the company may wish to identify, retain, or contract support for services outside of its area of competence (see Exhibit 1).

Exhibit 3.5: Crisis Response Organizational Structuring

\

Exhibit 1: Crisis Response Organizational Structuring

The following information captures some layers of crisis response structures as well as key participant leadership that might be found within a crisis response organization.

Corporate Crisis Response Team

The corporate CRT is responsible for strategic risks and issues that affect the company as a whole, as well as for mobilizing resources and financial assistance to support the overall management of the crisis event. The corporate CRT may also liaise with government agencies in order to leverage support and will contract with outsourced advisory groups and resources to bridge gaps within the organization's capabilities. The corporate CRT will also liaise with corporate partnering companies and subcontractors in order to ensure that all appropriate measures are being taken, in terms of operational support as well as business continuity and recovery, legal, liability, reputational, and media liaison. The corporate CRT will also liaise and advise investors and shareholders as to the situation, to mitigate the effects of speculation, rumor, and erroneous reporting.

The corporate CRT should ensure that any partner companies or subcontractors that fall under the umbrella of the business activities CRT are informed of response activities, and also conform to agreed response measures (especially media management). The corporate CRT should also ensure that any subcontracted security vendors provide the appropriate levels of support throughout the incident, supplying both operational services, as well as capturing information and performing in a manner that reflects the standards and ethos of the company. In addition, the corporate CRT will ensure that human resources, media, and legal groups are linked between vendor and teaming companies to coordinate any information releases or responses.

Most important, the corporate CRT will ensure that information sharing with employee families as well as support and care for any persons involved in the incident are appropriately addressed. In addition, direct support to families and repatriation measures will be established and coordinated to support the country CRT. The corporate CRT will mobilize all human resources, media, government, and legal specialists in order to offer support, guidance, and management of the incident and personnel in practical resource terms, as well as mobilizing resources necessary to support a crisis event and deploy specialists and support staff to augment country management initiatives. The corporate CRT will have overall decision‐making authority and will be responsible for strategic planning and senior‐level liaison. The corporate CRT will also typically guide business recovery measures and decision making once the situation has stabilized. Following an incident, the corporate CRT will be responsible for capturing all information, decisions, and details in order to conduct an audit of the incident, as well as provide instructions on any policy or procedural changes. This team will also determine whether the business or operational activity remains viable, or whether business approaches require change.

Country Crisis Response Team

The country or national CRT is typically comprised of the most senior managers responsible for a geographic region, typically led by the country or general manager or chief of party. The country CRT will coordinate all national‐level activities and support as the focal point of regional crisis management. The country CRT has the local expertise and relationships to mobilize resources and support in‐country to deal practically with an incident, on behalf and under direction of the corporate CRT. The country CRT will normally provide expert advice and recommendations to both corporate and program CRTs, and also coordinate all support in the area from both internal and external resources, including military, diplomatic missions, law enforcement, and other supporting or commercial organizations. The country CRT will focus information flow from the program incident response team (IRT) to the in‐country subcontracted security vendors and teammates, as well as act as the coordination point for tactical and strategic‐level advice, requirements, decision making, and actions.

The country CRT may also act as the national reception team for evacuations, and may deploy supporting company resources from other projects to meet resource gaps for an affected group. In addition, the country CRT may locally contract supporting vendors to provide medical, transportation, security, legal, and life support needs. The country CRT will also liaise closely with teammates and subcontractor management to bring coordination to a multiple‐participant response, ensuring that all crisis management needs are being met and that information is shared among affected parties. The country CRT may also initiate local reciprocal or mutual aid agreements, as well as memorandums of understanding.

A country CRT may be led by the most senior commercial manager and security or risk adviser for the region, and will typically be the group that establishes or evaluates national and subordinate crisis response plans and policies. The team should therefore be intimately familiar with each subordinate program or project and should be capable of supporting operational decision making from a local perspective, as well as relaying detailed and personalized information upward to the corporate CRT.

Program Incident Response Team

The program incident response team (IRT) will often bridge the gap between incident management and crisis response, dealing concurrently with both the event effects as well as considering strategic issues. The program IRT might, depending on the size and complexity of the program as well as the scope and nature of the team's appointment, either focus more on strategic‐level or crisis management initiatives or, if more tactically aligned, concentrate on managing the granular aspects of the emergency situation. The focus area of the program IRT will also depend on whether the program has been directly affected and the team is dealing with emergency requirements firsthand, or they are supporting a subordinate project experiencing a crisis situation. The program IRT will use both the IMP and more detailed and event‐focused response plans as guidelines.

The program IRT is principally led by the most senior security consultant or company program manager within the program. If a company or vendor security manager leads this team, this security manager typically does so in close partnership with the senior company program manager. The point at which management decision making transfers from the program manager to the security manager must be defined in order to streamline decision making—as often the program manager will initially lead decision making during the opening stages of a crisis, up until the crisis has reached a certain stage when operational or security and safety decision making becomes more important. The program IRT manager and staff must ensure that all security staff and supporting military, medical, and other external service support groups are directed to assist the local incident response team commander in order to effectively evacuate personnel and assets from the risk area, as well as ensure that any medical support is readied to receive casualties. In addition, the program IRT will often integrate any vendor's or teaming partner's staff into the existing program IRT, ensuring they complement each other's efforts and avoid duplication or unnecessary confusion or friction.

The program IRT's secondary function is to notify all company management chains of the incident in order to initiate the country and corporate CRTs. At appropriate junctures, the program IRT manager will provide documented accounts (in predetermined formats) as to the status and details of the incident, as well as formal serious incident reports. The program IRT may also assess the risk implications to support decision‐making requirements. Any subcontractor program IRTs should be expected to conduct similar reports and documentation concurrently, liaising with its own country CRTs. The program IRT will typically report directly to the country CRT.

Project Incident Response Team

The project IRT may be led by an experienced security manager, or the project manager in the absence of a security professional. A transition of control may also occur if both a project manager and a security manager are within the project team, with the security professional assuming a command role, rather than an advisory role, only if the risk exceeds certain limits—typically where security and safety are central to the nature of the emergency situation. These limits should be clearly defined to avoid friction and ambiguity of leadership roles during a crisis event. Typically the project IRT will focus on dealing with the actual crisis event, leveraging support from program, country, and corporate crisis management structures in order to mobilize resources outside of the project's organic capabilities. The project IRT may deploy response groups within its structure and may also instigate local agreements and support capabilities within defined plans and protocols. They will be the main users of the IMP and may under emergency circumstances implement more complex crisis response protocols and plans, such as emergency evacuations and disaster response plans.

The project IRT is normally tactically focused, rather than dealing with the strategic and non‐tangible aspects of the crisis, such as reputation and liability concerns, although managers should be aware of the implications their actions and the crisis event may have further up the chain of responsibility, and should act to mitigate these risks where possible or appropriate. The project IRT will, however, be responsible for feeding information, insights, and guidance to more senior management teams so as to ensure an accurate representation of the event to support sound decision making, as well as making sure that threat and impact evaluations are fed throughout the crisis management structure. The size, complexity, and makeup of the project management team will determine the degree of autonomy and responsibility the project IRT will have.

Special Response Teams

A special response team (SRT) may be mobilized to support the corporate CRT in dealing with strategic crises, such as public relations and media advisers, legal counsel, or investigative services, or they may be deployed to the region or area in which a crisis is occurring in order to bring knowledge, experience, and additional capabilities to bear to support incident management groups. The configuration and objectives of an SRT will depend on the nature of the crisis, as well as the operating environment in which an event is occurring. The SRT may be highly specialized, such as advisers in kidnapping and ransom situations, legal counsel, or technology consultants, or may be more tactical in nature, such as security consultants and disaster and evacuation response managers. A series of SRT options may be defined within the contingency planning component of the Business Continuity Management Plan in advance of a crisis event occurring, and may require retainer fees or preagreed contractual and operating arrangements. Conversely, an SRT may be created ad hoc to meet unique and unplanned crisis events, requiring the mobilization of either in‐house or outsourced support.