After my career in the U.S. Secret Service, I stepped into my first corporate security position in 2005 as director for global security in the oil and gas sector – and then I began serving as a senior security risk management advisor to clients across many industries. Over the years, I have found that professionals and colleagues often harbor competing and conflicting views on business continuity and incident response, from the roles of various crisis management team members to, surprisingly, the definition of a “crisis.”
By late 2005, corporate security had a role – but was not fully involved – in the business continuity and incident response side of the corporation. For the most part, business continuity and incident response were largely environmental, health and safety (EHS) responsibilities. In the oil and gas sector, the Operations and EHS teams are very good at preparing for and responding to fires, spills or other related oil well-control incidents.
Hurricane Rita and Shifting Perspectives on Incident Management
Unfortunately, sometimes it takes a disaster to uncover new and better ways of operating. During Hurricane Rita, some companies – mine included – found out just how unprepared we were when disaster struck, shutting down large office and administrative facilities in and around Houston, Texas. Our reaction during Hurricane Rita would forever change my colleagues’ and my perspective on how a crisis management team works and how to respond to incidents.
We had not fully thought through the impact of a major company office being uninhabitable for days or weeks. We didn’t fully appreciate the implications of fuel, food and water shortages, the humanitarian response effort needed to support thousands of displaced workers, and the consequences imposed on business operations. And it wasn’t just us. At that time, most companies were not prepared to address such a crisis.
The company I worked for handled the situation admirably, doing whatever it took to care for employees and support business continuity. However, our team still needed to reconcile clear deficiencies in our process. After Hurricane Rita, we held an after-action session. We examined our reaction and response to that incident and how it impacted our employees and operations – what we did and did not do right. We knew we could do better. Our employees, shareholders and community neighbors deserved a better preparation, plan and response.
Incident Command Structures Emerge in the U.S.
In the U.S., 2005 was a turning point for corporations in relation to incident response and business continuity. Fortune 500 companies started training for and using the Incident Command System (ICS) for their incident management teams, similar to the structure mandated by city, state and federal governments for their agencies. The ICS was originally developed in California as a response to wildfires. Today, it is the foundation for any good incident management team, public or private.
With the ICS concept in mind, industry professionals set out to significantly change our approach to business continuity and incident response. At my organization, we dropped the term “crisis” in favor of “incident.” We quickly brought in an experienced consultant partner, hired the right people and focused our attention on creating a world-class business continuity program and incident response team with an “all hazards approach” to incidents.
We knew if we put the right stakeholders on the team – and provided them with the right tools, training and authority – we would have an incident management team capable of addressing any incident, at any time with little-to-no business interruption. It would not matter if the incident were a natural disaster, well-control issue or a life-threatening security incident – our team would activate and manage the incident to its conclusion, while maintaining business operations and resiliency. At the end of the day, it’s about the company taking care of its employees, assets and community, while staying profitable.
An ‘All Hazards Approach’ Incident Command Structure
One incident that stands out to me was an F5 tornado that damaged and destroyed many business properties, employees’ homes and a major natural gas processing plant. Within a few hours, we accounted for every employee, deployed damage assessment teams and ensured assistance was on the way to employees in need, as well as business operational units impacted by the tornado.
This was one of many instances in which these new best practices in all-hazards incident management significantly mitigated an adverse event. I am proud to have been part of this shift in security policy and to continue bettering the process as I continue my career with Hillard Heintze.
The process works. It requires:
- The Right People: Depending on the industry, this may include representatives from Security, Safety, Legal, Human Resources, Operations and Communications departments, each with clearly defined roles and responsibilities.
- The Right Tools: These tools include action plans that consider any incident that could affect the company, a properly equipped incident command room and mass communication tools to communicate with a global employee base such as Send Word Now or Everbridge.
- The Right Training: Focus your training on tabletop exercises and scenario-based event exercises. Firms can help your team train on specific incidents ranging from a kidnap and ransom incident to natural disasters. FEMA has many courses from ICS-100 to advanced position-specific courses that can quickly train your team on the incident command structure and their role in the incident. Think also about incorporating media, social media and crisis communication training.
- Delegated Authority: This is important. The team needs to know they can make decisions on behalf of the company. Sometimes those decisions will be made with partial information or incomplete data. That is going to happen. Simply adjust, adapt and move on. The CEO/COO does not always need to be in the room but should be kept apprised of the situation. The team you choose is important as they must be capable of making responsible decisions and know they have the authority to do so.
I have been privileged to serve on many incident response teams and know first-hand how thoughtful plans and procedures save lives, property and reputations. If you need help developing or assessing your incident management approach, let us know. We’re here to help.