Interruption Response Management Recovery

14th Annual
Making Incident Management Work for Your Organization
Kathleen Lucey, FBCI – President, Montague Risk Management
April 19, 2016
The Road to Resilience
INCIDENT MANAGEMENT MODEL - 1
Interruption Response Management
[Organization chart; box labels: Executive; Disaster Recovery Team; Damage Assessment; Site Repair or Relocate; Emergency Logistics Team]
INCIDENT MANAGEMENT MODEL - 2
Interruption Response Management
[Organization chart; box labels: Executive; Media Relations Team; Command Center Support Team; Disaster Recovery Teams; Site Repair or Relocate; Emergency Logistics Team; Damage Assessment; Transportation, Communications; Emergency funding?; Site Repair and Restoration; Site Relocation and Re-creation]
INCIDENT MANAGEMENT MODEL - 3
Interruption Response Management
[Organization chart; box labels: Emergency Logistics; Interruption Management Team; Media Relations Team; Command Center Support Team; Business Continuity Teams; Information Technology Recovery Teams; Site Repair or Relocate; Executive Oversight Team; Damage Assessment; Transportation, Communications; Emergency funding; Physical Security; Site Repair and Restoration; Site Relocation and Re-creation]
INCIDENT MANAGEMENT MODEL - 4
Interruption Response Management
[Organization chart; box labels: Emergency Logistics; Interruption Management Team; Media Relations Team; Command Center Support Team; Business Recovery Coordination; Business Continuity Teams; IT Recovery Coordination; Information Technology Recovery Teams; Site Repair or Relocate; Executive Oversight Team; Damage Assessment; Transportation, Communications; Emergency Funding; Physical Security; Employee Support; Local Government Liaison; Insurance Liaison; Purchasing, Real Estate; Site Repair and Restoration; Site Relocation and Re-creation]
INCIDENT MANAGEMENT MODEL - 5
Interruption Response Management
[Organization chart; box labels: Communications and Social Media Team; Command Center Support Team; Business Continuity Coordination; Recovery Management; Business Recovery Coordination; Business Continuity Teams; IT Recovery Coordination; Information Technology Recovery Teams; Site Repair or Relocate; Emergency Logistics; Interruption Management Team; Executive Oversight Team; Damage Assessment; Transportation, Communications; Emergency Funding; Physical Security; Employee Support; Local Government Liaison; Special Services; Admin. Services; Insurance Liaison; Purchasing, Real Estate; Site Repair and Restoration; Site Relocation and Re-creation]
INCIDENT MANAGEMENT MODEL - 6
Interruption Response Management
[Organization chart; box labels: Supplier Availability; Communications and Social Media Team; Command Center Support Team; Business Continuity Coordination; Recovery Management; Business Recovery Coordination; Business Continuity Teams; IT Recovery Coordination; Information Technology Recovery Teams; Site Repair or Relocate; Emergency Logistics; Interruption Management Team; Executive Oversight Team; Damage Assessment; Transportation, Communications; Emergency Funding; Physical Security; Employee Support; Local Government Liaison; Special Services; Admin. Services; Insurance Liaison; Purchasing, Real Estate; Site Repair and Restoration; Site Relocation and Re-creation]
Incident Management Timeline
[Timeline figure; labels: Warning; Alarms; Interruption!; Backlog Begins; All Mitigation Fails; Begin Recovery; MAD: Product Fully Functional; Loss-of-Data @ RPO; Failover Capacity Restored; Auto-Failover; Last Backup(s); Auto-Mitigation Commences; Alarms; Manual Mitigation Commences; Permanent Restoration; Validation Begins; BAU Time-Objective; Incident Prelude; Problem Detected; Problem Diagnosed; RTO Supporting Resources; Additional Recovery Tasks; MTPoD; Risk to Brand]
Crisis/Incident Management Timeline for Site-driven Physical Event: SIMT, ECMC (Emergency Crisis Management Center)
• SIMT alerts team members + ECMC. ECMC alerts Support Groups.
• SIMT declares event to MCMC.
• SIMT implements C/IM processes:
– Evacuation and IDRs
– Staff to safety
– Injured to treatment
• ECMC receives Site Damage Assessment.
• ECMC involves necessary support groups: Insurance, Real Estate, Finance, HR, Legal, IT, etc.
• Remote and flyaway teams begin work.
• ECMC records progress, briefs CMT.
• SIMT + participating teams debrief.
• ECMC files Incident Information for corrective actions.
Physical Event: Proposed Incident Management Structure
EVENT
Site Incident Management Team Leader (or Alternate)
Puts on Alert status:
Site Incident Management Team (members)
Site Business Continuity Teams (leaders)
Declare Event
Wait
• Evacuate premises if necessary
• Employees execute IDRs*
• Brief Emergency Crisis Management Center
• Brief Emergency Crisis Management Center (ECMC)
• Activate Site Incident Management Team and Site Business Continuity Management Team(s)
• Team members assemble in designated location
• Verify Availability of Site Incident Management Team Members and Site Business Continuity Team Members
(ECMC)
*IDR = Individual Default Response: defined individual response for each employee based on whether at work location or not at work location.
Non-Physical Event: Incident Management Structure
EVENT
Cyber attack
Customer-facing service failure on social media
Adverse reputation event
Other non-physical
Incident detector notifies Business Management*, who notifies the ECMC.
- ECMC Coordinator opens a non-physical incident investigation, assigns an investigation
team (leader and members), and contacts additional investigation/support resources as
needed. If this is a cyber situation, ECMC assigns the event to the appropriate Cyber
Security Group, and notifies others as appropriate, such as Corporate Legal, Communications,
Social Media. ECMC also assigns an Incident Coordinator to provide conference
and other facilities as necessary for the team(s) involved.
For Cyber:
- Assigned Team Leader on the Cyber Security Team takes immediate action to limit incident
exposure and damages; collects situation information and assesses incident.
- Assigned Team staff documents incident resolution strategy; documents recommended
long-term solution to avoid recurrence, and briefs appropriate management team(s);
sends a written copy of the incident debrief to ECMC.
*Call may come directly to ECMC.
Proposed Incident Management Team Structure: Physical and Non-Physical Events
[Organization chart; box labels by level]
Corporate Level: GIG (Global Intelligence Group); Incident Support Team (IST); Risk; HR; Insurance; Technology; Legal; Comms; Real Estate; Finance; Compliance; Corporate Cyber Security; ECMC: Emergency / Crisis Management Center; Corporate Crisis Management Team (CMT); Executive Management
Division Level: Division Crisis Management Team; Division Incident Mgmt Team (IMT); Division Cyber Security; Risk; Compliance; Technology; Finance; Content / Operations; Division Operational Management; Comms; Product; Legal; Sales; HR; Client Svcs
Site Level: (SIMT) Site Incident Management Team; Site Business BCM/DR Team(s) + Other teams as appropriate
SELF-EXAMINATION
• Where are you on the road to effective crisis/incident management?
– Do you have an equivalent to the ECMC if you have many locations?
– Are your physical and non-physical (e.g., cyber, social media, legal exposure) incident handling procedures effective and integrated?
– How do you know that an incident has occurred?
– How quickly can you respond to both a physical and a non-physical event?
– Have you installed tools to support your C/IM response work?
QUESTIONS?
Let’s Talk About It….
THANK YOU FOR YOUR ATTENTION AND FEEDBACK.
CONTACT ME AT:
[email protected]
mobile: 516.384.6437