Every organization, no matter the size, longevity, or brand familiarity will experience some type of business-altering incident during its lifetime.
This may be as simple as a PR hiccup or as daunting as a hack into the company’s sensitive information. Without a comprehensive incident response plan, these events can cripple an entire organization, leaving its employees disengaged, its management team powerless, and its industry perception forever compromised.
For those with a long tenure in business, most incidents barely made it into the company newsletter. Today, they are plastered across social media in nanoseconds. In the past, time was your friend when dealing with a company crisis. Today, it’s your worst enemy. A few decades ago, you could control your message. Today, companies quickly lose control with many unable to regain it without serious loss to revenues and brand reputation.
There are numerous types of incidents that impact organizations. To outline all of them would be an exercise in futility. What’s most important to know is that there is no industry or business vertical that is immune. In fact, even small businesses, schools, and nonprofits are at risk given the unlikelihood of sufficient resources to handle an incident.
Let’s take a look at a few examples of business-altering incidents. (Spoiler: some may surprise you!)
What is a business-altering incident (a.k.a. crisis)
1. The Big Kahuna – Data Breaches
According to Forbes.com, a “data breach occurs when there is an unauthorized entry point into a corporation’s database that allows cyber hackers to access customer data.” These hackers have a singular purpose – to cause harm to the organization, its employees, and its customers.
While it’s tempting to say that these only happen to companies with weak firewalls or poor password schemas, the truth is, hackers are getting smarter. Therefore, organizations must stay two (dare we say ten?) steps ahead to protect their priceless digital resources.
2. The Not So Big Kahuna – PR Mishaps
We’ve all gotten a chuckle or two out of the multitude of public relations nightmares that some organizations have faced in recent years. These have ranged from customer service blunders to incidents of food poisoning to outright lying about the event in question.
These incidents have a near-instant impact to business operations, stock prices, revenues, and eventually – but not long after – brand reputation. They are seared in the minds of consumers, investors, and the media to replay ad nauseum, making it nearly impossible for an organization to get out from under the backlash without a well-prepared and continuously updated incident response plan.
3. The Little Kahuna – Internal Affairs
The above examples of typical modern day incidents are what likely come to mind for most people when they are tasked with defining the term “incident” or “crisis.” Smaller and less public incidents are occurring more often than we think and many can have the same crippling effects.
Incidents that happen within your own organization, such as lawsuits from employees or weather-related crisis, also impact your daily business operations. Don’t be fooled into thinking that these incidents require any less of a thorough incident response plan. While they may have fewer steps and only a handful of team members to execute, each one deserves a comprehensive and proactive incident response plan.
What is incident response planning?
The crisis management plans of days gone by are a drop in the bucket to the robust incident response templates that must be in place today in order to fully address the various incidents impacting organizations across the globe. These plans must reflect your entire business operation as it is likely each functional area will be impacted in some way.
Solely relying on your PR team to “fix it” is a short-sighted response. It’s like throwing a bucket of water on a raging wildfire. You must involve key stakeholders at multiple management levels in your organization and develop a comprehensive and well-tested incident response template that can be easily updated and implemented.
Additionally, relying on the dusty disaster management guide that’s been sitting on your team’s shelves or worse, tucked away in a file cabinet won’t cut it either. Organizations cannot rely on outdated incident response plans to address modern-day incidents. Additionally, they cannot and must not rely on archaic approaches to incident response planning.
Why Old School Incident Response Plans Fail
There are several reasons why outdated and poorly-constructed incident response plans fail. Let’s take a look at a few:
1. There is no ownership of the incident response plan
In order for any plan to execute flawlessly, it must have an owner – a leader – who understands the importance of delivering the best response possible in any type of crisis. Failing to assign a properly vetted team member puts your organization, its employees, and its brand at risk.
2. There is a lack of understanding of your organization’s vulnerabilities
Businesses love to speak about their revenues, market share gains, and brand reputation, however, this singular focus on core strengths blurs their vision on weaknesses or gaps. While this may not be a fitting conversation at company cocktail parties, knowing your vulnerabilities and how you will address each are the backbone of any comprehensive incident response plan.
3. There is management bias or denial
For the hundreds of CEOs who’ve thought “that’ll never happen here,” there are hundreds more who have experienced a business crippling event who once thought the same way. Business leaders, government officials, and even school principals, must understand and accept that unexpected incidents happen every day.
It’s time for Incident response management 2.0
It only takes one poorly-managed incident response for business leaders to recognize that there has to and must be a better way. Enter incident response management 2.0.
Previous incident response management activities had one thing in common. They were nearly 100% reactive. Team members scrambled to put out the various fires and then breathed a sigh of relief when the building didn’t burn down. This approach will no longer work. Today’s fast-paced news cycle and people’s insatiable need to share bad news on social media won’t allow it. It’s time to take incident response planning and management to the next level.
Four steps to building and executing an effective incident response plan
1. Build an Incident Response Team
Today’s incident response management must be strategic. It must be proactive. It must take advantage of modern technology. It also must have robust post-incident reporting so that the incident response template can be continuously modified and refined.
Your organization’s incident response management must also have a team of knowledgeable professionals assigned to develop and execute upon its tasks, with purposeful and effective communications from the first seconds of the incident to days or weeks afterward.
The first step in having an incident response plan that actually works is having an incident response team or IRT in place. But don’t be fooled into thinking this team is to be comprised only of your senior leaders. Those rookies in accounting or HR can bring fresh ideas and perspectives to the table that may make all the difference between a successful incident response plan and one that’s doomed.
2. Learn from, but don’t get stuck in, past incident response plans
There’s value in reviewing previous incident response templates or even re-examining prior incidents when crafting your shiny, new incident response plan. However, you must avoid rehashing what didn’t work and instead keep your focus on what you will do differently the next time.
While incidents may be similar – they are not the same. There’s a big difference here and it’s critical to understand this in order to avoid a cookie-cutter approach to your incident response template. Incident response management is not a set it and forget it exercise.
3. Communicate, communicate, and then communicate even more
Your incident response team and template must include timely and actionable communications, whether these consist of text messages, phone calls, or emails to employees, customers, or your board members. Nothing will short-circuit your plan more than a failed communication plan. This is not the time for surprises. Each step of the incident response template must have an associated communication tied to it. For example:
- At the time of the incident, an alert should be distributed to your IRT informing them that it’s time to mobilize and invoke the respective incident response template.
- Shortly after, a company-wide email should be sent informing your employees of the incident and the response that will take place.
- If appropriate and applicable, an outreach to trusted media sources or proactive social media posts, to fend off any fake news or other brand-altering messaging that’s out of your control.
4. Develop post-incident response reporting
It’s tempting to think that once the respective incident is over, that everyone can take a deep breath and relax. This could not be further from the truth. Throughout the entire incident, your IRT should be noting areas that require process improvement. A successful incident response plan is a living, breathing template or system that is ever-evolving and reflective of the learnings of each incident.
Once the dust settles, a thorough post-event analysis should be conducted. Every action, every communication, every team player must be reviewed to see if the plan was well-executed and achieved the desired results.
This is not the time to point fingers. This is the time to honestly and transparently review the incident and determine how your incident response plan can be improved. Remember – while every incident may have similarities, no two are exactly the same and therefore, your plans must be reviewed and tested thoroughly on a regular basis.
Just as each task and activity may need to be adjusted, your IRT team members may also need some fine-tuning. Job responsibilities change as does the expertise of your major players. It’s always a good idea to reevaluate your team to ensure that the best and brightest people are properly assigned and committed to the task.
Is it time to outsource your incident response planning?
Any savvy business owner knows that he or she cannot do everything and that there will come a time when outside counsel must be sought. A third-party can evaluate your business operations and identify any weaknesses without the built-in bias of being on the inside. In today’s world of incident response planning, this is a must-have for companies of all shapes and sizes.
When evaluating an organization to take over your incident response planning, you will want to have answers to the following questions:
- What is their track record with other organizations of your size and caliber?
- How long does it take to develop an effective incident response template?
- How do they help you test and maintain your incident response template?
- What technology do they use to develop, execute, and manage incident response plans?
Having an incident response plan that is fully vetted, tested, and managed is critical to how your organization will respond to the various internal and external incidents that will occur. In fact, the more robust your plan and how well it is executed is directly correlated to your brand’s perception and reputation not only among your customers, but with your competitors.
Who wouldn’t want to do business with a company that puts time and effort into their incident response planning and management? What consumer would shy away from spending their hard-earned monies with a company that knows how to expertly address the many curveballs thrown on a near-daily basis in today’s business climate?
Your organization cannot afford a mismanaged, poorly developed, or haphazardly-executed incident response plan. At Groupdolists, we help incident response teams globally be better prepared to respond to incidents such as cyber-attacks, data breaches, disasters, workplace threats, storms, outages and more.
Take control of your incident response plan and don’t let the blazingly fast news cycle steal this control from you. At Groupdolists, we’ve got the expertise, technology, and resources to help your organization do more than survive a crisis. Our team will help you develop an incident response template that can withstand any crisis that comes your way.