How to Write an Incident Response Plan in 10 Steps
Category : Preparedness
I am in the process of developing an incident response plan for a client and thought that it would be good to share the 10 points you need to consider when writing your incident response plan. Having spent almost 3 decades responding to emergency situations I have learned that the key to successfully overcoming an emergency event is preparedness. Preparedness means that you have thought about what might happen, have taken steps to minimize the impact of the risk, written a plan about what to do with those risks that can’t be eliminated, tested it and trained all concerned in its use. This post will concentrate on developing the plan. I’ll talk about the other aspects in other posts.
- The first thing you need to consider is what could be the impacts on your business from a variety of events. You may think about floods, fire, pandemic flu, power failure, loss of telecoms, loss of water supply, terrorist activity etc. The key here though is not to write a plan that addresses each of the possible scenarios, that would be too much like hard work and would end up in plans for events that would never happen. Instead, you need to focus on the impacts of those type of events. The impact of a telecoms outage, power failure or a fire could be similar and amount to a loss of internet connection for example. Transport disruption from a heavy snowfall may have the same impact as a flu pandemic, both may prevent staff getting to work. So it’s the loss of internet connection or staff shortage you are planning for, not the event itself.
- Your plan is going to have to be flexible. You can’t write a plan that addresses every eventuality that you have meticulously thought through. Life isn’t like that and the incident you find yourself in will be unique so you will need flexible response modules covering the broad areas of staff shortage, supply chain issues, infrastructure issues for example. The aim is to have a series of response plan checklists that you can use but that is not so rigid and prescriptive that they hamper the response.
Chain of command
- Once you have an idea of what your plan should contain you need to think about the chain of command. During my time in the emergency services, the chain of command was fairly easy to identify because everyone has rank and levels of training appropriate to their role. It’s not so easy where people don’t wear uniforms or have emergency response as their main role so you will have to give careful thought to whom in your organisation does what. It may be that you think the CEO should head the response but my experience has taught me that this is probably not the best use of the CEO. An operational director is probably most suited to leading a response to an operational issue, an HR director to a human resources issue for example. This strategy releases the CEO to carry on running the company and ensuring business as usual as much as possible or to being the talking head for the media if the incident warrants it.
Activation of the plan
- Activation protocols are really important. How do you know when you are in an emergency and the plan needs to be activated? Who will be responsible for activating the plan? How will the plan be activated and those involved alerted? These are all questions that need to be answered in the plan and it needs to be absolutely clear or the plan will fail.
Emergency Response Room
- Where are the response team going to work from? Is there a conference room that can be converted to an incident response room or are you looking to outsource the incident response room? Some hotels and conference centres, as well as dedicated providers, can provide facilities you can use if you don’t have suitable premises or don’t want the expense of maintaining them. An important point to remember here is that it may be the premises that your incident response room is in that has the problem so you may need to deploy elsewhere.
- Communications! In almost every sizeable incident or exercise debrief that I have been involved with, communications is the area that always could have been better. You need to be really clear about communication channels. Not just the mechanics of it like providing an emergency response email account everyone can use during the incident or a special telephone number but you also need to detail who is going to communicate with whom. The incident commander clearly shouldn’t be spending much time talking on the phone so the team need to understand their role, for example, one person should be dealing with the emergency services, another should be communicating with the media, another should be talking to suppliers etc.
Testing the Plan
- Test the plan or it won’t work. I guarantee that your plan won’t work when you first come to test it. Not because you or your consultant expert haven’t written a good plan but because the devil is in the detail. It’s a bit like playing golf. You can read about it as much as you like, you can practice it on your PlayStation and you can watch YouTube videos forever but it’s only when you get out on the course and start hitting balls you really begin to understand what to do. I have spent a lot of time approving plans and it’s worth telling the story about the time one senior manager came to me with his ‘finished’ plan. He had never tested it. The plan involved relocating him and his team to another office in the city. As I ran through the plan with him it became clear that neither he nor his team had ever been to the standby office, they didn’t know how they would get in there as it was not normally manned and they didn’t know what equipment they had at their disposal once they got in. It quickly became apparent that the plan was all but useless as they hadn’t really thought it through. The office they were going to use was seriously inadequate for their purpose so in the end the plan was abandoned and they started again, using different backup premises.
- Now you have a plan you are going to have to train your staff in how to use it. This is a good opportunity to also test the plan. If you bring your team together to train and test at the same time you will quickly make changes to the plan that will make it work better. You would be well advised to use someone independent of the planning or response team to facilitate this training/testing. It’s amazing how much confirmation bias comes into play when the planners are running the exercise! What you want to achieve is a team that can be involved in the further development of the plan, can make mistakes and try new ways of doing things in a safe environment and will, therefore, buy into the plan and make it better if you ever have to use it.
- After every exercise and incident, you will need to conduct a review. This will almost always lead to some changes to the plan because you will learn something every single time. The questions the review should ask are: What went well? What went badly? What lessons did we learn? What changes do we need to make? Again, finding someone independent of the planning or response teams to facilitate the review will lead to a better outcome.
Rinse and Repeat
- Rinse and repeat. Unfortunately, it’s not all over once you have written the plan and tested it. The world around us changes, your organisation changes and your people change. You will need to keep going round the cycle on a regular basis. Your staff will have day jobs and emergency response will be something they do infrequently if at all, so they need to be regularly training if your response is to be effective. Emergency services do emergency response day in day out, this is their day job but they still train for those once in a lifetime events. That’s why our emergency services response is as good as it is and if your response is going to be as good as it can be you need to train. If you don’t your response may well fail and the consequences of that could be catastrophic to the business.
Developing a workable plan isn’t always straightforward and you may not have the people in-house to be able to develop one. I would also recommend that you use someone independent to help with training and testing the plan. My blog here will give you an indication about what consultancy services might cost.