Charlie looks at incident management and discusses when the appropriate time is to 'invoke' or 'activate' the plan.
For the time I have been teaching or implementing business continuity, I have been very clear on the need to invoke a plan as the first part of the process for managing an incident. What I mean by this is that, those managing the incident need to decide, usually fairly swiftly at the beginning of an incident, whether to use the structures, protocols and procedures within the plan, to manage the incident or to manage it as a ‘day to day’ incident. I teach that this decision is a bit like pregnancy, you are either pregnant or not, so your organisation should be clear in an incident, whether you are using the business continuity plan to manage the incident or not. I have seen a number of organisations sort of half use the plan, which just causes confusion and nobody is sure what is actually happening.
The threshold for invoking the plan is different for each organisation and industry. I have worked with a number of logistic companies and their threshold for invoking the plan is much higher than I initially thought. A lorry crash or even widespread snow is a day to day incident and they would only invoke the plan for loss of a major asset, such as one of their hubs or loss of their head office. While for other organisations dealing with snow causes them to invoke their business continuity plan and manage the event as an incident.
I think within all plans there should be very clear criteria and a fairly comprehensive list on when the plan should be invoked. This is so if a member of the incident management team gets called about an incident at 3am they have a clear list of events they would invoke the plan for. They can also be confident that if they call out the rest of the incident management team, that the team is required. The list of events to invoke the team should be SMART and cover the full PPRS list (Premises, People, Resources and Suppliers).
I always also teach that it is better to invoke the plan, get the team together and then monitor the situation. If the incident turns out not to be as bad as initially thought, then close the incident, deal with it on a day to day basis and stand down the team. It is better to have the team together and stand them down than to delay getting the team together. Alternatively, when you do eventually invoke the plan, you could find that you have wasted hours and sometimes days of not managing the incident and have allowed the unmanaged situation to get worse.
Over the years one of the terms many of those I have taught or worked with have struggled with, is the word 'invoke'. This has especially been the case with those whose first language is not English. The word, for some, doesn’t easily translate and secondly, for some there are cultural issues in that they are reluctant to invoke their business continuity plan in all but the most extreme instances, as invoking the plan is seen more as organisational failure, rather than as a tool for efficient management of an incident.
Recently, I had a bit of a halleluiah moment courtesy of a colleague, BCT Tutor and BC Advisor of the year (2018) Ewan Donald! He was teaching the BCI Introduction to Business Continuity Management two-day course, and noticed in the new Good Practice Guidelines 2018, which I had missed, that you should activate the team at the beginning of an incident. Then only once the team has assessed the incident and understood it a bit more fully, should the incident management team then implement the recovery strategies within the plan.
I really liked this, as it very much fits with the idea of getting the team together to assess the incident, and then make a formal decision whether to go into full blown incident management, or to stand the team down and manage it as a day to day incident. The invoking bit, which is carried out only after the team has got together is where you start to implement one of your predetermined strategies, such as going to a work area recovery centre, switching to a backup data centre or to switch the carrying out of a task to another location or team. For me the wording seems to work better, and for those who are culturally reluctant to use their plan, they can get the team together to assess the situation without needing to go into full blown incident mode. Thanks Ewan, everyday I learn something new to refine my business continuity thoughts!
I am interested in hearing any others thoughts on this issue and how your organisation deals with it, and what wording you use 'activation' or 'invoking' or both!