The latest business continuity news from around the world

Gold, Silver, and Bronze command tiers are a common way of structuring crisis response. The approach has been borrowed from UK Emergency Services, but does it always successfully transfer to other organizations? Robin Bucknall explores…

What’s the issue?

Many organizations and business have adopted the Gold, Silver, and Bronze (1) tiers of command developed in the UK by the Emergency Services to structure their response to a disruption or a crisis. For the most part this has been successful, but in some organizations this system has been applied without a true understanding of what it seeks to achieve, and in others it has become synonymous with the status of executives in their business-as-usual roles.  

This article will suggest that organizations should, as much as possible, organize their incident response framework to leverage existing line-management structures, delegations and authorities and construct an incident response system based on who is best located to decide what needs to be done; where coordination of the implementation is best achieved and how the response at the coalface should be delivered.

This article will argue that the Gold, Silver, and Bronze structure remains an excellent framework through which to respond to an incident or a crisis, but it does not apply to all organizations in all circumstances and a more nuanced, bespoke approach is needed to enable organizations to make timely decisions based on the best understanding of the information available.

The Gold, Silver, and Bronze command system

The Gold, Silver, and Bronze command system was introduced by the Metropolitan Police following the Broadwater Farm riots in 1985, which resulted in the death of PC Keith Blakelock. Since then, this has become the default structure for the UK Emergency Services and through the work of Local Resilience Forums and the designation of some industries as specified responders within legislation, the Gold, Silver and Bronze system has achieved much wider adoption by non-emergency service organizations and businesses.

For large organizations, particularly those that have traditional pyramidical hierarchies, such a three-layer crisis response structure may be entirely appropriate, but for smaller organizations, organizations with very flat management structures, or for global multinationals a more nuanced application may be required.

“I’m a Director so I should be in Gold…”

For organizations comprising high-status professional staff, there can be tendency to associate business-as-usual job titles with the level of command they should occupy during an incident or crisis. In these cases, a perception that the term ‘Gold’ implies a greater level of personal status within the organization can become the driver of crisis management structures rather than a focus on the function these staff are required to fulfil in response to an incident.

In extreme cases, where Directors and Heads of Department believe that belonging to the Silver response team demeans their personal status within the organization, some businesses have resorted to the creation of a ‘Platinum level’ as the forum in which to consider truly strategic issues.

This phenomenon also exists at lower levels in the organization.  For those at the Bronze-level this perceived ‘lower-value’ can be disempowering and act as a disincentive to initiative and decision making.  This presents a significant danger, as it is the Operational level where the onset of an incident may first be detected and where rapid immediate action may prevent an incident escalating into a crisis.

In some organizations, the response to an incident requires the Gold team to meet first to decide whether to invoke the Crisis Management Plan and instruct the Silver response team to convene. In cases where there are not clear delegations and authorities to carry out an immediate action (such as isolating the IT system in the event of a suspect cyber-attack) this can build-in an unnecessary delay and ultimately exacerbate the disruption.

What should we be trying to achieve during an incident or a crisis?

Broadly, incidents and crises can be described as either rapid onset events where the organization has to stop business-as-usual and focus all of its efforts on resolving the adverse situation, or an emergent or ‘rising tide’ set of circumstances where the organization attempts to continue business-as-usual whilst addressing the disruption.  COVID 19 for many organizations provided extensive experience of the latter, but what worked, in crisis response terms, during the pandemic may not work in a sudden and rapidly deteriorating environment.

When faced with a disruption, organizations need to achieve rapid situational awareness, contextualise the problem, conduct holistic cross-organizational problem solving, prioritise the organization’s outputs to be maintained, allocate resources, and coordinate the synchronisation of activities needed to resolve the situation. To achieve this a framework which sets out how these different activities are best achieved is needed.

What should the levels of command be doing?

In a crisis, the main command functions comprise: the Strategic level (which sets the strategic direction and objectives, apportions resources, and engages the most senior and significant stakeholders); the Tactical level (which converts the Strategic direction and objectives into practical activities to be achieved); and the Operational level which implements the delivery of the activity on the ground.

Of these, the Tactical level may differ most from business-as-usual structures, as its purpose is to act as the ‘gearing’ in the organization to coordinate, sequence and integrate (in time and space) the activities of different Operational departments to resolve the incident and return the organization to business as usual (or the new normal).

During business-as-usual, it is not uncommon for business units to run semi-autonomously and for different departments to operate in vertical ‘stove-piped’ line-management chains. In responding to a disruption, organizations should seek, as far as possible, to work through these existing authorities and delegations to affect the response and recovery.  Incident response command teams should therefore act as management enhancements to business-as-usual structures and create the forum to break down organizational boundaries and better enable more diverse creative-problem-solving, integration and coordination.

Focus on the task

To achieve optimal crisis response structures, organizations need to map the likely decisions and activities required to resolve an incident against the Strategic, Tactical and Operational levels. This should include levels of delegated authority, decision making and escalation criteria for invocation of the Crisis Management Plan. This work must consider the speed needed to affect an immediate action response (such as an evacuation), what can be delegated to the lowest possible level (the principle of Subsidiarity (2)), and which matters must remain reserved for the Board. 

To achieve this, the organization must consider which part of the response is best dealt with centrally (such as long-term financial and reputational impact, stakeholder engagement, political interests, and legal and regulatory obligation) and where the greatest understanding of the local context and dynamic exists (normally the Tactical or Operational level) and whether a decentralised response may be more appropriate.

For smaller organizations it may be determined that three distinct levels of command add unnecessary complexity and may slow a response, in which case some of the functions or whole levels could be merged. In the case of large multinational organizations, a more complex matrix of country, regional, and global response structures may be needed.

What’s in a name?

Once organizations have determined what decisions need to be taken during an incident, they can determine how many levels of command are actually required. Having arrived at an appropriate structure, the organization should consider whether the nomenclature Gold, Silver, and Bronze acts as a simplifying and unifying mechanism (as with the Emergency Services) or within the context of the organization could create a status-driven distraction.  If this is the case, organizations may consider using either the Strategic, Tactical and Operational prefix (though it is accepted that this can create similar challenges) or select another title that aligns with business-as-usual naming conventions and better describes the function of each incident response team.

In summary

Following the global pandemic, organizations have an opportunity to review their incident management structures and consider whether these appropriately reflect the nature of decision making needed to resolve a rapid-onset crisis as well as a long-term disruption.

The Gold, Silver, and Bronze incident response structure remains a very effective framework, particularly for large pyramidical hierarchical structures, but this does not mean it is appropriate for all organizations in all circumstances. There is no one-size-fits-all structure to effectively manage a disruption, but whatever approach is chosen, it must be appropriate to the context of the organization and be designed to ensure that appropriate timely decisions can be taken in the event of an incident.

In determining their optimal incident response structures, organizations should consider which part of the organization is best placed to gain situational awareness and contextualise the problem, where it is best for a decision to be made and what delegations and authorities are needed to empower staff to take action to affect an immediate response. Where possible, organizations should try to utilise their existing business-as-usual line-management process and implement additional crisis structures as management enhancements to drive greater holistic organizational decision making, integration, coordination.

The author

Robin Bucknall MA, MSc, is Senior Consultant, Needhams 1834 Ltd.

Notes

  1. The Gold, Silver and Bronze tiers mirror the Strategic, Tactical and Operational levels
  2. The principle that a central authority should have a subsidiary function, performing only those tasks which cannot be performed at a more local level.


Want news and features emailed to you?

Signup to our free newsletters and never miss a story.

A website you can trust

The entire Continuity Central website is scanned daily by Sucuri to ensure that no malware exists within the site. This means that you can browse with complete confidence.

Business continuity?

Business continuity can be defined as 'the processes, procedures, decisions and activities to ensure that an organization can continue to function through an operational interruption'. Read more about the basics of business continuity here.

Get the latest news and information sent to you by email

Continuity Central provides a number of free newsletters which are distributed by email. To subscribe click here.