Charlie outlines his ideas on building an incident team competency framework.
This week I thought I would share some ideas I have been developing on incident management. They are not fully solidified yet, so I would welcome any thoughts or comments on what I have written.
There are many lessons organisations will learn from COVID-19, but one of the major lessons is the need for every organisation to have the ability to manage incidents. In the past, I have spoken to organisations who have given many reasons why they don’t need to have an incident management plan in place, such as 'it will not happen to us', 'there are no threats to us', 'we don’t live in a flood zone', or 'IT is very secure, we can all work from home'. They have seen no need to prepare and wouldn’t even entertain the idea of their senior managers taking part in an exercise. Due to COVID-19, every organisation in the world has had to implement incident management and manage their response. I suspect, although I have not seen any academic evidence yet, that those who were prepared and had exercised their plans were more likely to manage their response well, rather than those who had done nothing and were not prepared.
In line with my bulletin last week, ‘Why, for many organisations, we are entering the most dangerous period of coronavirus’, I believe that incident management for organisations will become more and more important over the next few months. Just this week, our war of words with China over Huawei has been increasing. I was listening to a radio news programme, which was saying that China is very good at retaliating when they feel their national interest is under threat and knows which goods and services will cause maximum pain and political impact to those who incur their wrath. Chinese retaliation could impact your organisation alongside other changes happening in supply chains; re-lockdowns of areas, increase of COVID-19 cases in the USA and the impact of climate change. These all point to organisations needing a response to changing circumstances and having to activate their crisis team and respond to events. How the crisis team respond to an incident may make the difference between the organisation’s survival or failure.
If we accept that organisations should be ready to manage incidents, then they need to have plans in place and have thought through how they would respond. Vital to this is ensuring that those in incident teams know how to respond and practice through exercising. Within the current very volatile landscape, I think a once a year 2-3 hour tabletop exercise for the crisis team is no longer acceptable. For some organisations, once a year is too often and they do an exercise every 5 years. How do you have any chance of having trained people to respond to an incident if they train for 2 hours every 5 years? Boards, shareholders, regulators and senior managers themselves should review their present regime of training and exercising for incident teams and instead of saying 'we will do two exercises a year', they should look at building an incident management capability through developing an 'incident team competency framework' and use the framework to further develop their response.
My idea of this framework is to identify the requirements for incident management, and then measure your own organisation's individuals and the team as a whole against the framework’s requirements. The framework consists of 4 elements shown in Figure 1.
Figure 1: Elements which make up an incident management capability
These are the details of the four elements:
- Capabilities - Organisations should have plans, procedures, contingency items, services or third-party contracts, as well as the knowledge of how to manage specific incidents identified via risk assessments.
- Incident management skills - These are specific skills needed for managing an incident.
- Knowledge - This is the knowledge of the organisation’s own internal plans, procedures and hierarchy in place for managing an incident.
- Behaviours - These are the particular soft skills and attitudes you need to manage an incident (I am still thinking through whether these are individual behaviours or behaviours demonstrated as a team).
Below is how I see how the framework fits together and the content of each of the elements.
Figure 2: Details of the four elements
Competencies consist of knowledge and ability to apply the knowledge and the behaviors appropriate to the situation.
Once the framework is decided upon, the existing competencies can be measured and then improvement areas suggested.
Figure 3 - Details of measurements and how to develop competencies
A measurement needs to be developed for each of the elements and each member of the team assessed. Once this is done, you can develop a baseline score for the team. You then need to develop a programme of exercises and training to develop the team further and improve the competency of the team. By having a numerical score, you are able to see if the team is regressing rather than progressing, as team members leave and new members appointed. Your score should also consider deputies, so that you ensure that you have experienced ‘first calls’, but the deputies have little or no competency.
My thoughts on this need some more work, as I am sure I am muddling competency and capability and what is the best way to frame and differentiate between them. I think by breaking down the requirements of what a team needs to know, we have a better chance of making sure that the team is ready to manage an incident. It would also allow the person responsible for training the team to focus on what element of training or exercise the team requires. For me, and I think for the readers of this bulletin, the days of an annual (or every five-year exercise) with a rather randomly chosen scenario should be over. Good incident management is going to be required in the coming months and you should make sure by developing your own incident team competency framework your organisation is in the best place to face whatever incident they need to deal with next.