Bulletin / Writing Incident Management...

Writing Incident Management Objectives

Author: Charlie Maclean Bristol, Training Director, FBCI, FEPS

This week Charlie shares some advice on how to write incident management objectives.

For this week’s bulletin, instead of commenting on an item in the news, I thought I would share some technical information on how to write incident objectives. During an incident, it is seemingly obvious that your objective is to solve the problem and return the organisation back to normal as quickly as possible. This is possible in some incidents, but in many circumstances the organisation may be changed by the incident and when the incident has been resolved, the organisation may not be the same as it was before the incident began. Some incidents may be so catastrophic that the objective may just be for the organisation to survive! 

If we look at the ongoing TSB incident, where they locked a large number of their customers out of their accounts during a botched upgrade, they have lost customers and their reputation has suffered greatly. When the incident is over, they will be a different organisation with less customers, so the objective to return to where they were prior to the incident is not achievable for them. Success for them and their incident’s objective could be to retain 70% of their customers and to minimise the regulatory fine after the event. 

For each incident, once the organisation is able to understand the extent of the issue, top management or the strategic team should write an overall objective for what the organisation is trying to achieve during their response. Another way to look at this is to try and determine ‘what success looks like’.

I don’t think incident objectives are particularly easy to write, but they play a key role in ensuring that all parts of the organisation are given a common purpose, the response is coordinated and well-meaning actions do not make the situation worse. One of your key objectives after a fire in your headquarters could be that no action should be taken, as it could put staff lives in danger. You could have a situation where members of the IT team want to go back into the damaged building in order to speed up the recovery, risking their own lives to see if they can salvage any of the company’s servers. If the objective of not putting staff at risk is communicated to all those responding, then the IT team’s suggestion to go back into the building would be refused, as it is not in line with the stated incident objectives. 

It is important to note that there should be one set of master objectives, which cover the whole organisation responding to the incident and the complete duration of the incident. Different parts of the organisation or different levels within it should not be writing their own objectives in isolation. There is a level of sophistication used when an organisation level objective is written and from there different parts of the organisation adapt the main objective to their particular part of the recovery. Those who have been in the military will be familiar with this when they were taught how to carry out mission analysis. The main objective writing is most important and individual versions are a luxury, rather than a necessity.

So, how do you go about developing your objectives? The first step is to have a full understanding of the incident, the potential impact it could have, the risks to the organisation and the possible solutions to the incident. A good discussion is for top management or the strategic team to think about what a successful outcome of this incident would look like. 

The next step is to think about what you would like to write the objectives on. In some cases, it could be simple objectives, such as restoring all company operations to “business as usual” within three days. For most incidents, the objectives are more complex and you may consider writing objectives on the following items:

  • People (safety, prevention of further injury, long term protection of life)
  • Operations/Delivery of services
  • Customers 
  • Assets
  • Environment
  • Legal & regulatory requirements
  • Economics and money
  • Coordination
  • Communication
  • Mutually aid external organisations or partners

In the oil industry, they use the acronym PEAR when writing objectives, which means they write objectives on:

  • People
  • The Environment
  • Assets
  • Reputation 

I think PEAR is a little too rigid, especially as many incidents don’t have an environmental aspect, therefore I prefer to use the longer list above.

The following words might be useful in developing individual objectives:

  • Prevent
  • Normalise
  • Recover
  • Re-open
  • Maintain
  • Support
  • Stabilise
  • Coordinate
  • Inform
  • Educate
  • Search
  • Evacuate
  • Secure
  • Protect
  • Sustain
  • Care
  • Shelter
  • Assist
  • Liaise
  • Influence
  • Mutually support

When it comes to writing objectives, you will tend to end up with a list of them, rather than a single sentence. You will also have to decide if there are a list of priorities, such as people as the top priority, with no harm coming to them as the first objective, or whether all of the objectives have equal priority. You should also consider the list below when you are writing objectives and check the final written objectives using this list. 

Objectives should:

  • Make good sense (be feasible, practical, and suitable)
  • Be achievable and you should know when they have been achieved
  • Be within acceptable safety norms
  • Be easily understood by all that use them
  • Have sufficient detail and shouldn’t be vague
  • Be cost effective
  • Meet political considerations
  • Be SMART and have clear timings or numbers to achieve
  • Meet your stated responsibilities
  • Be in line with your organisation’s values

An example of a set of objectives are as follows:

  • Prevent any further injury and ensure staff well being
  • Meet all our regulatory requirements
  • Priority is given to end of year tasks
  • Financial constraints are not to be seen as a barrier to recovery
  • Normalise operations by 1 March 2018

Once the objectives have been written, reviewed by top management and signed off, they should be distributed to all those involved in managing the incident. As actions are agreed and decisions are made, they should be regularly revised against the incident objectives to make sure that they are aligned.

A good set of objectives should be able to last the duration of the incident, but as the incident changes, worsens or other events occur, they may need to be updated and redistributed. 

Writing objectives should be carried out as part of exercising and top management or the strategic team should receive instruction and should then practice writing them. A very good example of where objectives were set up at the beginning of the incident and then drove the response was in the Tylenol case. A video explaining the objectives and how they were arrived at can be found here: https://youtu.be/jtuvgAkKGqM

I would encourage you all to ensure that writing incident objectives are part of your plans, you teach senior managers how to write them and practice writing them during exercises.

You might be interested in the following stories

Why the scenario is not important in most exercises

A review of TSB’s communications in response to their failed IT upgrade

Checklists - How to Get Things Right

You may be interested in the following course

BCI Incident Response and Crisis Management course

Sign-up to our weekly bulletin

Twitter feed

Bulletin
What lessons can we learn from Marriott’s response to their Cyber Breach?

This week Charlie discusses the Marriott hotel hack and how you can prepare your organisation for a potential data breach.

7 December 2018

“An in-depth course that was well delivered, informative, and relevant.”

Andy Jeffery
Canterbury City Council
View further testimonials