|
By Dave Newsom, Senior Security and BC/DR Consultant and Distinguished Member of Consulting Staff, Alcatel-Lucent.
Why should corporations implement an Incident Command System (ICS) within their response, recovery and restoration plans? How do we glue it all together before, during and after disasters strike? Is an ICS needed within corporate business continuity management programs, as it is within government response and recovery programs?
What is a corporate ICS?
The corporate Incident Command System provides a single command, control and communications process for all corporate response and resumption activities to be implemented as a result of a crisis event. The ICS is implemented for all events that impact operations outside of ‘business as usual’. It provides for an organized response that is scalable to meet the magnitude of any incident. This accommodates for the growth of response/recovery/restoration resources during disaster response and allows for the discontinuation of the same, as needed.
History of ICS
The original ICS was developed in the 1970s in response to catastrophic forest fires in California that took many lives and cost millions of dollars in property damage. The process was developed in order to manage communications, assessments, resources, and to prioritize the deployment of the same. This originating ICS interagency, called FIRESCOPE (Firefighting Resources of California Organized for Potential Emergencies) consists of local, state, and federal resources. The goal of this team is to provide management, technology and coordination of multi-agency resources to be implemented before, during or after catastrophic events.
Challenges due to the lack of an ICS
Many corporations focus their time on the development of business continuity and disaster recovery plans, without a thought to Incident Command Systems. When an actual event occurs, plans are activated and resources are deployed as defined. However, due to the lack of a pre-scoped ICS, these plans work independently of each other and in many cases require the use of common corporate and external resources, resulting in unnecessary conflict, chaos, escalations and stress. This also increases recovery/restoration costs as, well as their respective timelines.
Due to the inherently unpredictable nature of disaster events, it is impossible to predefine all event scenarios and the respective response actions required. Without a defined ICS process, corporations are not able to effectively manage communications, resources and changes as the crisis event unfolds. Usually this process will eventually be defined during longer term events, but only after costly delays, and unnecessary impacts to staff, customers and operations.
Typical corporate ICS structure
The basic ICS structure used within corporations resembles the standard structure used by local, state and federal government organizations today: Tier I – Site; Tier II – Recovery; and Tier III - Executive Teams. These are assembled as needed to support any type of disaster event.
Command
The ICS should be overseen by senior management, to assure proper alignment and prioritization of internal or external resources. This results in an increased level of success and a decrease in response and restoration timeframes. The senior manager on duty assumes the responsibility of becoming the initial event commander, and allows for adjustments to be made in management and resources, as the event escalation increases and/or decreases.
Control
Span of control is the management of individual team roles and responsibilities as they apply to the response, recovery and restoration for any event. These duties are defined and teams are trained to assure the proper awareness and implementation of resources. Span of control should be limited (target: five to seven teams) in order to maximize the resources assigned to managers, allowing for effective resource management and control. In order to manage this span effectively, additional resources can be assigned or dismissed as the event magnitude changes.
Communications
Integrating communications during emergency events is critical to assure the proper management of information and messaging, both internal and external to the corporation. For employees, executives, customers and emergency services, clear consistent communications will make or break any disaster recovery operation.
A defined communications reporting structure also helps in the successful management of critical communications. ECOA, which stands for Employees, Customers, Operations and Assets, provides such a structure. When providing updates from Tier I to Tier III this reporting structure is used to deal with the most critical issues first, being those of the corporation’s staff, next the critical customer impact issues, and lastly the impact to corporate operations and assets. When using a defined reporting structure, formal meeting agendas and reviews are more productive.
The ICS organization
The ICS organization consists of defined roles and responsibilities that can be staffed and expanded as needed in order to fit the ever changing magnitude of the event. The ICS organization consists of the following:
* Executive Members – oversees all aspects of the ICS in order to assure proper support and allocation of resources required to meet incident objectives.
* Operations Team - directs the activities necessary to meet defined recovery time/point objectives. This team is also responsible for overseeing restoration objectives once set and approved by senior management.
* Planning Team – provides the overall deployment status for all resources and associated event information. This team is responsible for the consistent reporting of event details to executive teams, using the ECOA format.
* Logistics Team – manages the actual deployment of all resources based on prioritized allocations, in order to meet approved recovery time/point objectives.
* Administration Team – provides for the funding and purchasing of related resources and supplies in support of planning/logistical needs.
* Public Relations – assembles and deploys all internal/external communications. This includes staffing, customer and media relations.
* Customer Communications – provides the interface between logistics and impacted clients to provide the approved communications and obtain customer impact assessment details. This information is then deployed into the field in order to manage timely changes in recovery and restoration activities.
* Liaison Team - provides the interface between both internal and external supporting teams. This provides clear communications with the emergency operations teams listed above, as well as emergency services external to the corporation. Requests from government emergency services for products and/or assistance, as well as corporate needs from these external agencies is also coordinated through this team.
Why is an ICS needed?
A defined ICS supports all levels of activities that take place during disaster events. Without the defined ICS process, site/recovery/executive plans operate independently, like individual islands, causing delays and misalignment of critical resources to include unneeded duplication and incorrect assignment/allocation.
In comparison to County, State and Federal Emergency Management agencies, the corporate ICS structure provides for the assembly of critical resources at all levels. This way, operations, planning and logistics teams work in concert together to properly control the effects that an event is having on the corporation and provide for the deployment of necessary resources to restore operational services in a timely manner. Tier I - site manages evacuations, assessments and restoration activities; Tier II - recovery manages the resumption of critical services; Tier III - executive team provides for the oversight and corporate infrastructure, required supporting response, recovery and restoration activities at all levels. In this manner, the ICS allows corporations to manage the event as effectively as possible, prioritizing the assignment of critical resources, avoiding duplication of materials and expenditures while allowing for the movement of resources, as needed, in order to meet the ever changing needs of an event.
Conclusion
The goal of any business continuity management program is to provide proper mitigation, safeguards and controls, in order to rapidly deploy precision response, recovery and restoration teams and services. Using a defined ICS program in the initial planning, training and exercise programs will assure proper command, control and communications during actual events in order to meet the defined recovery time/point objectives. This should provide for increased customer and stockholder confidence, and a decrease in response, recovery and restoration timelines.
About the author
Dave Newsom is a Senior Security – BCDR Consultant and Distinguished Member of Consulting Staff of Alcatel-Lucent. Dave has over 18 years experience in the business continuity and disaster recovery fields and holds CDRP, CBCP and MBCP certifications. He has developed numerous incident management, disaster recovery and business continuity plans for private and public sectors. He has also participated in more than 20 actual disaster response, recovery and restoration events. newsom@alcatel-lucent.com
•Date: 2nd Feb 2007• Region: US/World •Type: Article •Topic: Crisis management
Rate this article or make a comment - click here |
