Ian Ross FBCI examines the benefits of using a software system for incident and crisis management. This is the fourth article in a series where we are publishing the short listed entries in the Continuity Central Business Continuity Paper of the Year competition.
There are a number of benefits that can be derived from using a technology-based system along with your standard processes and communication capabilities to manage an incident or a crisis. These value areas fall into three key categories: efficiency and effectiveness; audit, accountability and visibility; and analysis and reporting. While every organization will place a different value on each of these, in my experience it is through enhancing efficiency and effectiveness that technology delivers the greatest return.
From incident to crisis
In the incident management situation – and by ‘incident’ I mean those more frequent, potentially less severe events – the implementation of a user-friendly software system can help deliver a standardised approach to recording the event.
This standardisation can help ensure increased data quality and, providing the ‘correct’ questions are asked, improved quantification of the incident. A more controlled process will also ensure all the necessary information is logged in line with the organization’s incident management objectives.
Once a robust starting position is created it becomes easier to understand the issue, mobilise the ‘right’ personnel, and in turn manage and eventually resolve the incident in a more timely fashion. In addition, providing the recording process is easily understood and regularly used, logging does not have to be undertaken centrally, enabling individual sites and their personnel to record at source. This could apply to any incident type, such as health & safety, physical and information security, business continuity, facilities management etc.
For crises – low frequency, high impact events which require the mobilisation of significant resources and often span geographically disparate locations – there are significant advantages to having a software system customised to your business. Such advantages can include the ability to build onto a structured process, and to implant these defined roles and responsibilities into the system.
Historically, practitioners have focused much of their attention on physical crises. While such events do occur frequently, there is a growing need to expand the scope to encompass other types of crises, such as supply chain disruption, reputational damage and financial issues. These require not only different types of response, but also will require the involvement of different parties and personnel.
An effective system can enable the practitioner to manage these multiple participants by creating a virtual corridor of response types, with different ‘rooms’ available depending on the crisis faced. Each room can be configured specifically to manage an incident type, allowing different groups of personnel to use pre-defined processes and response mechanisms in the most effective manner. If a crisis occurs, it is simply a matter of identifying the most appropriate room based on the parameters of the event, and using intelligent automated notification to mobilise the right people at the right stages.
Controlling the flow
Once key staff are mobilised, a software system provides the means to control information flow, ensuring only authorised personnel have access to the relevant information. This in turn increases staff focus within their designated role, facilitating an improved response and potentially reducing the likelihood of information overload.
In addition, a well-defined system with inherent workflow capabilities should enhance collaboration across the various levels of your crisis management team, including senior management, partners and third parties. It can also ensure that no information is lost during the heat of the crisis. How many times have you written on physical whiteboards then, later when searching for that information, found the board had been wiped clean and no one had photographed it? Furthermore, it can remove the risk of failing to action specific steps when you are being pulled in multiple different directions.
Underlying these requirements is the need to provide each responder with pre-defined, role- based checklists. These can automatically inform others when individual tasks are complete and from which current, historical and situation reports can be easily created.
An information trail
There are a number of audit, accountability and visibility values that can be identified, predominantly in the context of a crisis. The main value that a software system can bring is the ability to produce a time-stamped audit trail that fully accounts for all actions and decisions, as well as being able to show which parties knew what and when.
Additionally, a system should provide easy access to the latest situation report updates and these should be available to the relevant stakeholders – from incoming operational staff to senior management. These updates should be available at login to the system, on demand when logged in, and if appropriate, via notification mediums to those stakeholders who need to be kept informed, but who do not have an operational role.
Of particular relevance to those organizations aligning or complying with business continuity and/ or crisis management standards, a well-structured information gathering system can prove a key tool when demonstrating compliance.
Reporting on the facts
The ability to perform detailed reporting tasks is key. This is particularly the case for crises where a defensible position may be required, or at least where actions must be accounted for. This will require the ability to report upon every aspect of the crisis, detailing matters such as, “When did we know about individual pieces of information?”, “When were they validated?” and “Where did they come from?” In essence, it establishes who knew what, when and where.
In the context of low impact incidents, management reporting enables designated parties to conduct detailed analysis of the data.
Another important factor that will require considerable thought is the fact that in today’s workplace there is an increasing focus on accountability. In the context of a crisis, this means that there will be attention given to developments such as who provided information and when; who made a decision, and on what basis etc. A software system will play an integral role in facilitating this. However, in some organizations, accountability can become blame. It is therefore vital to consider the prevailing culture in your organization. If there is a blame culture, this could have a negative impact on the overall effectiveness of the system and limit your ability to get the best from your crisis management team.
One final point to be conscious of; under the UK Data Protection Act and the EU Data Protection directive, if you are holding personal data (eg. personal telephone numbers and medical information), you must ensure that your staff are aware of this and have agreed to it – otherwise you might be creating your own crisis.
The remit of a crisis/incident management system can extend beyond those events already listed on an organization’s risk register and that have been planned for. Software systems can play a key role in facilitating horizon scanning for emerging threats. While the system might not automatically scan, it can be used to log data from feeder systems that provide ‘eyes and ears’ around the world, based upon specific parameters. These may include; different incident types, such as weather, travel, political or location-specific events; different levels, such as street, airport, resort, city or country level: and may also set the impact breadth’, setting the scope at a radius of one mile or 100 miles from a particular site.
Identifying key trends is important in ensuring that underlying causes can be investigated and remedial actions devised and implemented.
Furthermore, the ability of a system to re-run crises (either in ‘real’ or compressed time) can prove extremely beneficial for the purposes of learning and exercising.
Meeting the challenges
It must be acknowledged that there are a number of issues which must be addressed when implementing any IT-based system into an organization. When looking to embed an incident/crisis management system into your existing processes, it is important to:
- Never lose sight of the overall objective. The aim of software is to deliver tangible business benefits, such as cost reduction, productivity improvement and measurable results.
- Define your requirements properly. If these are not clearly understood you will have no chance of getting what you want.
- Keep those requirements simple and aligned to your business objective.
- Build a requirements consensus and keep the process moving.
- Know what success looks like from the start.
- Understand that IT system implementation requires a cultural change.
- Identify it early and embed it throughout the programme.
- Remember that in the heat of a crisis the more straightforward and user-friendly the system is, the more likely it will be that your team will use it effectively.
- Communicate, at all stakeholder levels, throughout the programme, factoring in different expectation levels.
- Define a suitable, focused, training programme that takes into account your objectives and also that personnel have a ‘day job’.
- Conduct the implementation of the system in stages. Trying to implement everything at once will lead to a lot of confusion.
- Be realistic about the time needed to implement it.
- Keep a handle on costs both at requirement, training and implementation stages. Features outside of the original scope make a system harder to develop and use.
There are a number of hurdles that will have to be overcome in order to ensure that your incident/ crisis management software system is fully embedded into your organization. However, it is important to remember that the majority, if not all of the system’s stakeholders, are likely to have already experienced a crisis, or at least exercised for one. This means they are therefore more likely to embrace the concept of a system that can help deliver a more intuitive, automated process that can enhance overall efficiency and improve analysis and reporting capabilities.
The value that technological advances provide are enormous in terms of their scope and potential for eliminating costly human error, not through culpability but rather by promoting best practice and efficiency at all times. The speed of adoption, however, will always depend on demonstrating how these processes directly affect an organization in three distinct areas;
- Professionalism - efficiency / effectiveness
- Profitability - direct / indirect ROI
- Industry pressure - regulation
Ian Ross FBCI, CITP, MBCS, CISA is currently a director of Upton BC. He was previously Strategic Account Manager at AIControlPoint, a Division of Access Intelligence Plc.