
Security and Resilience in Organizations and their Supply Chains


Annex B

B. Examples of Incident Prevention, Preparedness, and Response

It is the responsibility of each organization to develop (an) incident prevention, preparedness, and response procedure(s) that suits its own particular needs. In developing its procedure(s), the organization should include consideration of:

  • A potential disruptive incident should be identified, understood, and addressed and – in doing so – avoided or prevented. The risk assessment can be used to identify the specifics of potential disruptive incidents, including any precursors and warning signs.

    • Risk management should be a systematic and holistic process that builds on the formal risk assessment to identify, measure, quantify, and evaluate risks to provide the optimal solution.

    • Risk treatment options can include avoidance, elimination, reduction, spreading, sharing, and acceptance strategies. Avoidance and elimination either evade the activities that give rise to the risk or remove the source of the risk. Reduction lowers the likelihood of the risk or the severity of its consequences. Spreading distributes assets and/or the potential loss of capacity. Sharing transfers part of the risk to another party or parties. Acceptance is an informed decision to take a particular risk.

  • Prevention can include proactive steps to coordinate with intelligence, law enforcement, and public agencies; establish information sharing agreements; physical protection of key assets; access controls; awareness and readiness training programs; warning and alarm systems; and practices to reduce the threat.

  • Organizational culture, operational plans, and management objectives should motivate individuals to feel personally responsible for prevention, avoidance, deterrence, and detection.

  • Deterrence and detection can make a disruptive act or activity more difficult to carry out against the organization or significantly limit, if not negate, its impact. Prevention, detection, and deterrence strategies to consider may be:

    • Architectural: Natural or manmade barriers; redesigned or relocated infrastructure.

    • Operational: Removal of hazardous materials; redesigned systems and operations; security officers’ post orders; employee awareness programs; counter surveillance and counter intelligence as avoidance; relocation of systems, operations, infrastructure, and personnel.

    • Technological: Alternative materials and processes, interoperable communication and information networks, intrusion detection, access control, recorded surveillance, package and baggage screening, and system controls.

  • Physical security planning includes protection of perimeter grounds, building perimeter, internal space protection, and protection of contents. Defense begins at the external perimeter.

    • Physical security planning is a function of deterrence, detection, delay, and response.

    • Physical security measures should be designed so detection is as far from the target as possible. Delays are planned closer to the target.

    • Security system design should link exterior or interior detection with assessment and response.

    • Physical security measures may include crime prevention through environmental design; physical barriers and site hardening; physical entry and access controls; security lighting; intrusion detection systems and alarms; closed-circuit televisions; security personnel; and security policies and procedures.

  • Cost-effective mitigation strategies should be employed to prevent or lessen the impact of potential crises.

    • The mitigation strategy should consider immediate, interim, and long-term actions.

    • The various resources that would contribute to the mitigation process should be identified. These resources – including essential personnel and their roles and responsibilities, facilities, technology, and equipment – should be documented in the plan and become part of “business as usual.”

    • Systems and resources should be monitored continually as part of mitigation strategies. Such monitoring can be likened to simple inventory management.

    • The resources that will support the organization to mitigate the crisis should also be monitored continually to ensure that they will be available and able to perform as planned during the crisis. Examples of such systems and resources include, but are not limited to: emergency equipment, fire alarms and suppression systems, local resources and vendors, alternate worksites, maps and floor plans, system backup, and offsite storage.

  • The organization should establish procedures to recognize when specific dangers occur that necessitate the need for some level of response. A strong program of detection and avoidance policies and procedures will support this process.

    • Certain departments or functions are uniquely situated to observe warning signs of an imminent crisis. Personnel assigned to these departments or functions should be trained appropriately. The responsibility to report a potential crisis (including the notification mechanism) should be communicated to all employees. The general employee population may also be an excellent source of predictive information when there is a documented reporting structure and where attention is paid to what the employee reports.

  • A potential disruptive incident, once recognized, should be immediately reported to a supervisor, a member of management, or another individual tasked with the responsibility of crisis notification and management.

    • Specific notification criteria should be established, documented, and adhered to by all employees (with the timing and sequence of notification calls clearly documented). The actual activation of a response process should require very specific qualifications being met.

    • Qualified personnel should have ready access to the updated, confidential listings of persons and organizations to be contacted when certain conditions or parameters of a potential crisis are met.

    • Notifications in a crisis situation should be timely and clear, and should use a variety of procedures and technologies – with recognition that devices used have advantages and limitations.

    • In some types of crises, the notification systems are themselves impacted by the disaster, either through capacity issues or infrastructure damage. Thus, it is important to have redundancies built into the notification system, and several different ways to contact the listed individuals and organizations.

  • Problem assessment (an evaluative process of decision making that will determine the nature of the issue to be addressed) and severity assessment (the process of determining the severity of the crisis and what any associated costs may be in the long run) should be made at the outset of a crisis. Factors to be considered include the size of the problem, its potential for escalation, and the possible impact of the situation.

  • The point at which a situation is declared to be an emergency or crisis should be clearly defined, documented, and fit very specific and controlled parameters. Responsibility for declaring a crisis should also be clearly defined and assigned. First and second alternates to the responsible individual should be identified. The activities that declaring an emergency or crisis will trigger include, but are not limited to:

    • Additional call notification;
    • Evacuation, shelter, or relocation;
    • Safety protocol;
    • Response site and alternate site activation;
    • Team deployment;
    • Personnel assignments and accessibility;
    • Emergency contract activation; and
    • Operational changes.

  • Preparedness and response plans should be developed around a "worst case scenario," with the understanding that the response can be scaled appropriately to match the actual crisis.

  • People are the most important aspect of any preparedness and response plan. How an organization’s human resources are managed will impact the success or failure of incident management.

    • A system should be devised by which all personnel can be accounted for quickly after the onset of a crisis. This system could range from a simple telephone tree to an elaborate external vendor’s call-in site. Current and accurate contact information should be maintained for all personnel. Consideration should be given to engaging the company’s travel services to assist in locating employees on business travel.

    • Arrangements should be made for notification of any next-of-kin in case of injuries or fatalities. If at all possible, notification should take place in person by a member of senior management. Appropriate training should be provided.

    • The organization should implement a Family Representative program in case of severe injury or fatality. The Family Representative should be someone other than the person who performed the notification. This representative should act as the primary point of contact between the family and the organization. Comprehensive training for the representative is a necessity.

    • Crisis counseling should be arranged as necessary. In many cases, such counseling goes beyond the qualifications and experience of an organization’s employee assistance program (where available). Other reliable sources of counseling should be identified prior to a crisis situation.

    • A crisis may have far reaching financial implications for the organization, its employees and their families, and other stakeholders; these implications should be considered an important part of a preparedness and response plan. Implications may include financial support to families of victims. Additionally, there may be tax implications that should be referenced and clarified in advance.

    • The payroll system should remain functional throughout the crisis.

  • Logistical decisions made in advance will impact the success or failure of a good preparedness and response plan. Among them are the following:

    • A primary Crisis Management Center should be identified in advance. This is the initial site used by the Crisis Management Team and Response Teams for directing and overseeing crisis management activities. The site should have an uninterruptible power supply; essential computer, telecommunications, heating/ventilating/air conditioning systems; and other support systems. Additionally, emergency supplies should be identified and kept in the center.

    • Where a dedicated center is not possible, a designated place where the teams may direct and oversee crisis management activities should be guaranteed. Access control measures should be implemented, with the members of all teams given 24x7 access.

    • A secondary Crisis Management Center should also be identified in the event that the primary center is impacted by the crisis event.

    • The organization should consider the establishment of virtual command centers for distributed access to information as well as to reach dispersed or remote stakeholders.

    • The organization should have alternate worksites identified for business resumption and recovery. In the absence of other company facilities being available and/or suitable, access to alternate worksites can be arranged through appropriate vendors. Planning concerning the identification and availability of alternate worksites should take place early in the preparedness and response plan process. Alternate worksites should provide adequate access to the resources required for business resumption identified in the impact analysis.

    • Offsite storage is a valuable mitigation strategy allowing rapid crisis response and business resumption/recovery. The off-site storage location should either be a sufficient distance from the primary facility or hardened, so that it is not likely to be similarly affected by the same event. Items to be considered for off-site storage include vital records (paper and other media) critical to the operations of the business. Procedures should be included in the plan to ensure the timely delivery of any necessary items from offsite storage to the Crisis Management Center or the alternate worksites.

  • Once the Crisis Management Team has been activated, the damage should be assessed. The damage assessment may be performed by the Crisis Management Team itself or a designated Damage Assessment Team. Responsibility should be assigned for the documentation of all incident related facts and response actions, including financial expenditures.

    • For situations involving physical damage to company property, the Crisis Management Team or its designated Damage Assessment Team should be mobilized to the site. The team will gain entry if permission from the public safety authorities is granted, and make a preliminary assessment of the extent of damage and the likely length of time that the facility will be unusable.

    • Certain types of crises do not involve immediate physical damage to a company worksite or facility. These would include the business, human, information technology, and societal types of crises. In these crises, the team will likely assess the damage or impact as the crisis unfolds.

    • A reconstitution or reconstruction team should be created once it becomes apparent that the facility requires significant repair or the search for a replacement becomes necessary due to severe damage.

  • If appropriate, existing funding and insurance policies should be examined, and additional funding and insurance coverage should be identified and obtained.

    • Policy parameters should be established in advance, including pre-approval by the insurance provider of any response related vendors. Where possible, the amount of funds to help ensure continuity of operations should be determined in the planning process.

    • Any cash should be stored in an easily accessible location to ensure its availability during a crisis, and some cash and credit should be available for weekend and after-hours requirements.

    • All crisis related expenses should be recorded throughout the response and recovery periods.

    • Insurance providers should be contacted as early as possible in the crisis period, particularly in instances of a wide-reaching crisis, where competition for such resources could be vigorous. All insurance policy and contact information should be readily available to the Crisis Management Team and backed up or stored offsite as appropriate.

  • Transportation in a time of crisis can be a challenge. Provisions should be arranged ahead of time, if possible. Areas where transportation is critical include, but are not limited to:

    • Evacuation of personnel (this may be from a demolished work-site or from a satellite facility in another region or country);
    • Transportation to an alternate worksite;
    • Supplies into the site or to an alternate site;
    • Transportation of critical data to worksite; and
    • Transportation for staff with special needs.

  • Critical vendor or service provider agreements should be established as appropriate and their contact information maintained as part of the preparedness and response plan. Such information could include phone numbers, contact names, account numbers, pass-codes (appropriately protected), and other information in the event that someone unfamiliar with the process would need to make contact.

    • In some instances, it may be appropriate to request and review the preparedness and response plan, or a summary of such, of the critical vendors, in order to evaluate their ability to continue to provide necessary supplies and services in the case of a far-reaching crisis. At a minimum, the vendor or service provider roles and service level agreements should be discussed in advance of the crisis.

  • Mutual aid agreements identify resources that may be shared with or borrowed from other organizations during a crisis, as well as mutual support that may be shared with other organizations. Such agreements should be legally sound and properly documented, clearly understood by all parties involved, and representative of dependable resources as well as a commitment to cooperation. However, it must be determined whether other competing mutual aid agreements are already in place for the same resource.

  • Strategic alliances identify delivery partners with which the organization has an interdependent relationship to produce and supply products and services and to share risk.

  • Once the extent of damage is known, the process recovery needs should be prioritized and a schedule for resumption determined and documented. The prioritization should take into account the fundamental criticality of the process and other factors, including relationships to other processes, critical schedules, and regulatory requirements, as identified in the impact analysis. Decisions regarding prioritization of processes should be documented and recorded, including the date, time, and justification for the decisions.

  • Once the processes to be restored have been prioritized, the resumption work can begin with processes restored according to the prioritization schedule. The resumption of these processes may occur at either the current worksite or an alternate worksite, depending on the circumstances of the crisis. Documentation should be kept of when the processes were resumed.

  • Once the critical processes have been resumed, the resumption of the remaining processes can be addressed. Where possible, decisions about the prioritization of these processes should be thoroughly documented in advance, as should the timing of actual resumption.

  • The organization should seek to bring the organization “back to normal.” If it is not possible to return to the pre-crisis “normal,” a “new normal” should be established. This “new normal” creates the expectation that, while there may be changes and restructuring in the workplace, the organization will phase back into productive work. Each step of the process and all decisions should be carefully documented.

    • As a rule, it is at this point that the crisis may be officially declared “over.” It is important to document this decision. Press conferences and mass media communications may be undertaken to bolster employee and client confidence.
