The latest business continuity news from around the world

The ‘why’ and ‘how’ of writing incident management objectives

Writing incident management objectives is an art that needs to be taught and practised and should be included as an aspect of business continuity exercises. In this article Charlie Maclean Bristol shares some advice on the subject.

During an incident, it is seemingly obvious that your objective is to solve the problem and return the organization back to normal as quickly as possible. This is possible in some incidents, but in many circumstances the organization may be changed by the incident and when the incident has been resolved, the organization may not be the same as it was before the incident began. Some incidents may be so catastrophic that the objective may just be for the organization to survive! 

If we look at the ongoing high-profile TSB incident, where the bank locked a large number of their customers out of their accounts during a botched upgrade, they have lost customers and their reputation has suffered greatly. When the incident is finally over, they will be a different organization with less customers, so the objective to return to where they were prior to the incident is not achievable for them. Success for them and their incident’s objective could be, for example to retain 70 percent of their customers and to minimise the regulatory fine after the event. 

For each incident, once the organization is able to understand the extent of the issue, top management or the strategic team should write an overall objective for what the organization is trying to achieve during their response. Another way to look at this is to try and determine ‘what success looks like’.

I don’t think incident objectives are particularly easy to write, but they play a key role in ensuring that all parts of the organization are given a common purpose, the response is coordinated and well-meaning actions do not make the situation worse.

One of your key objectives after a fire in your headquarters could be that no action should be taken, as it could put staff lives in danger. You could have a situation where members of the IT team want to go back into the damaged building in order to speed up the recovery, risking their own lives to see if they can salvage any of the company’s servers. If the objective of not putting staff at risk is communicated to all those responding, then the IT team’s suggestion to go back into the building would be refused, as it is not in line with the stated incident objectives. 

It is important to note that there should be one set of master objectives, which cover the whole organization responding to the incident and the complete duration of the incident. Different parts of the organization or different levels within it should not be writing their own objectives in isolation. There is a level of sophistication used when an organization level objective is written and, from there, different parts of the organization adapt the main objective to their particular part of the recovery. Those who have been in the military will be familiar with this when they were taught how to carry out mission analysis. The main objective writing is most important and individual versions are a luxury, rather than a necessity.

So, how do you go about developing your objectives? The first step is to have a full understanding of the incident, the potential impact it could have, the risks to the organization and the possible solutions to the incident. A good discussion is for top management or the strategic team to think about what a successful outcome of this incident would look like. 

The next step is to think about what you would like to write the objectives on. In some cases, it could be simple objectives, such as restoring all company operations to ‘business as usual’ within three days. For most incidents, the objectives will be more complex and you may consider writing objectives on the following items:

  • People (safety, prevention of further injury, long term protection of life);
  • Operations/delivery of services;
  • Customers;
  • Assets;
  • Environment;
  • Legal & regulatory requirements;
  • Economics and money;
  • Coordination;
  • Communication;
  • Mutual aid from external organizations or partners.

In the oil industry, they use the acronym PEAR when writing objectives, which means they write objectives on:

  • People
  • the Environment
  • Assets
  • Reputation. 

I think PEAR is a little too rigid, especially as many incidents don’t have an environmental aspect, therefore I prefer to use the longer list above.

The following words might be useful in developing individual objectives:

  • Prevent
  • Normalise
  • Recover
  • Re-open
  • Maintain
  • Support
  • Stabilise
  • Coordinate
  • Inform
  • Educate
  • Search
  • Evacuate
  • Secure
  • Protect
  • Sustain
  • Care
  • Shelter
  • Assist
  • Liaise
  • Influence
  • Mutually support.

When it comes to writing objectives, you will tend to end up with a list of them, rather than a single sentence. You will also have to decide if there are a list of priorities, such as people as the top priority, with no harm coming to them as the first objective, or whether all of the objectives have equal priority. You should also consider the list below when you are writing objectives and check the final written objectives using this list. 

Objectives should:

  • Make good sense (be feasible, practical, and suitable);
  • Be achievable and you should know when they have been achieved;
  • Be within acceptable safety norms;
  • Be easily understood by all that use them;
  • Have sufficient detail and shouldn’t be vague;
  • Be cost effective;
  • Meet political considerations;
  • Be SMART and have clear timings or numbers to achieve;
  • Meet your stated responsibilities;
  • Be in line with your organization’s values.

An example of a set of objectives is as follows:

  • Prevent any further injury and ensure staff well-being;
  • Meet all our regulatory requirements;
  • Priority is given to end of year tasks;
  • Financial constraints are not to be seen as a barrier to recovery;
  • Normalise operations by 1st March 2018.

Once the objectives have been written, reviewed by top management and signed off, they should be distributed to all those involved in managing the incident. As actions are agreed and decisions are made, they should be regularly revised against the incident objectives to make sure that they are aligned.

A good set of objectives should be able to last the duration of the incident, but as the incident changes, worsens or other events occur, they may need to be updated and redistributed. 

Writing objectives should be carried out as part of exercising and top management or the strategic team should receive instruction and should then practice writing them. A very good example of where objectives were set up at the beginning of the incident and then drove the response was in the Tylenol case. A video explaining the objectives and how they were arrived at can be found here: https://youtu.be/jtuvgAkKGqM

I would encourage you all to ensure that:

  • Writing incident objectives are part of your plans;
  • You teach senior managers how to write them; and
  • You practice writing them during exercises.

The author

Charlie Maclean-Bristol, FEPS, FBCI, is Director of Training at PlanB Consulting.



Want news and features emailed to you?

Signup to our free newsletters and never miss a story.

   

A website you can trust

The entire Continuity Central website is scanned daily by Sucuri to ensure that no malware exists within the site. This means that you can browse with complete confidence.

Business continuity?

Business continuity can be defined as 'the processes, procedures, decisions and activities to ensure that an organization can continue to function through an operational interruption'. Read more about the basics of business continuity here.

Get the latest news and information sent to you by email

Continuity Central provides a number of free newsletters which are distributed by email. To subscribe click here.