3 Key Tenets of a Modern Incident Response Plan
Businesses today operate in a “not if, but when” risk environment. This means that every entity at some point will likely experience a significant disruption from one cause or another, whether a natural catastrophe, climate-related event, cyber incident, legal or regulatory snafu or reputational crisis.
Many have started looking inward at their response plans to such disruptions. The consensus seems to be that a more integrated and comprehensive incident response plan is needed. Traditional business continuity and disaster response plans deal with traditional (read: tangible) exposures. In most cases, this means a reactive approach to recovery. An event happens, you assess the damage, gather the resources you need to fix it, and move forward as quickly as possible.
Intangible assets are more difficult to protect but have grown vastly more valuable, and the threats against them more unpredictable.
To contend with these risks, however, businesses need less of a plan and more of a decision-making framework that allows flexibility and collaboration on a real-time response.
“We’ve learned a lot in the past 20 years about behavioral cognitive science — how people think,” said Sean Murphy, Crisis Management & Business Continuity Leader, BDO USA. “We understand better how people behave in conflict situation.”
In short, initial reaction to a crisis is panic, not a calm and clear thought process. In an environment where it is impossible to be prepared for every consequence of every event, business leaders instead need to practice the art of thinking strategically in a pinch.
Here are the three key tenets of building an incident response plan in the modern era.
1) Practice
BDO helps companies do this by turning disaster response training into a game. Flash cards brandishing crisis vignettes are presented, and participants must explain what should happen first, who would do what, and who’s in charge. The exercises are not designed to lead to a final plan, but rather to open discussion and encourage participants to think through impacts that hadn’t occurred to them before.
A more traditional version of this is the tabletop exercise… a similar though less pressurized task nonetheless designed to encourage more thorough and comprehensive thought.
“We suggest doing a tabletop exercise at least once per year, running through different hypothetical scenarios, sometimes based on recent events,” said EY’s Jeff Phillips, managing director of insurance & federal claims services.
“How are all of the various teams going to respond? What’s the insurance recovery going to look like? Is there coverage and what are the deductibles and limits? What resources do we need and how will we get them? Do we have the capability and how long would it take?”
Practicing a response also helps to work out the kinks, helping participants identify what parts of the plan don’t make sense anymore or are too slow.
“I’m finding that the more a company practices its plan, the more concise and practical it becomes,” said Elizabeth Queen, VP risk management, Wolters Kluwer.
2) Multidisciplinary Approach
Practice can’t be effective without representation from every department. A multidisciplinary approach is critical.
Input from all parts of company helps to demystify some of the unrealized connections between risks and in turn helps to prioritize resources for a response an establish a realistic timeline. The IT department needs to play an active role.
“Most organizations want all their systems back online as fast as possible – that is just not realistic for the majority of organizations,” said Ian Thornton-Trump, head of cyber security at AmTrust International.
“The biggest failure I see is when business expectations are completely misaligned to what the IT capability is.”
A diverse team results in a more integrated and comprehensive response strategy.
3) Employee Engagement
Managing incident response might seem like a job for high-ranking members of an organization. But the front-line employees are often the ones executing the details of the plan.
“When something happens, you’re not going back to normal in a month or two. It can take a minimum of a year and sometimes up to two to four years to actually get back to pre-event condition,” Phillips said.
“During that time employees are essentially working two jobs. Their handling their regular duties in addition to recovery-related tasks. It wears people down and I think a lot of companies don’t truly appreciate that.”
Employees have to be invested in the incident response plan and have input themselves. This allows them to move faster and more efficiently.
“Every soul working for the organization should have a role in the disaster recovery and business continuity plan,” Thornton-Trump said.
“These plans are called on in situations when there is a dire threat to the organization and the future of the organization may be in jeopardy — that’s a message that needs to be loud and clear to all employees. Training is vital. Everyone needs to know the plan.” &