Planning for incident recovery is not a new concept. Many businesses have exercised this strategy by planning for response and recovery to a natural disaster or in-facility accident.
Up-front, pre-incident mitigation planning as an adjunct to recovery planning, however, represents a new, or at least an expanded, direction for many corporate chief operating officers.
Before beginning this endeavor, it will be necessary to evaluate the cost of extensive pre-incident risk assessment, baselining, resource allocation, and training and exercise programs versus the cost of recovery without an investment in full-spectrum incident planning.
Proactive businesses, desiring to surmount recovery problems, will begin with careful pre-incident planning. Recently, the United States Government, with active Department of Defense involvement, has invested a great deal of effort in ensuring that pre-incident planning guidelines have been provided. With the establishment of the 120 cities program, the USG is bringing many of these policies to the civilian level. The basic tenets and guidelines of the USG's new planning documents hold many valuable insights and lessons for the private community.
Most businesses applying the USG approach will seek to employ a three-prong methodology to incident planning. The first tine is planning steps designed to deter incidents. This may include physical security measures at an entrance or isolation of critical information technology systems, for example. Reasonable deterrence investments can ensure that the greater cost associated with recovery is avoided. The second tine is planning steps to mitigate the effects of an incident. Mitigation may again include physical steps such as building damage mitigation structural design or electronic firewalls for information systems. Planning to recover from the effects of an incident is the third tine. The best recovery plans will include pre-coordinated mutual aid elements, to ensure that the company does not attempt isolated recovery.
The deterrence, mitigation, and recovery scope of the incident plan highlighted above should remain consistent from company to company. However, the strategies that determine the depth in investment of the Disaster and Incident Response Plan will vary greatly based on:
- A company's risk assessment and management philosophy;
- The perceived threat to the business, its employees, facilities, and assets.
To properly plan your company's deterrence, mitigation, and recovery steps and processes, a full-spectrum assessment is requisite. Begin with an assessment of the threat to your company giving specific attention to the following questions:
- Does any entity have intentions to threaten your company?
- Do those with the intent possess the capability to create a problem for your company?
- Which assets are critical to your company's operations?
- How vulnerable are each of these assets?
After completing this initial assessment, your company will likely choose the baselining approach to disaster planning. Baselining consists of:
1) Examining critical/vulnerable assets;
2) Reviewing the capabilities/intentions of those who would threaten those assets;
3) Applying common sense, 'gut-level-feel' solutions to those problems.
Baselining may reveal the need to take simple physical security steps; such as adding more lighting to parking areas and more frequent patrols of those areas to your company's security manager. Some baselining efforts may be more complex-such as requiring employees to wear ID badges or adding other entry-control systems. Whatever the level of expenditure or complexity, a company's baselining efforts should be driven by application of measures to bring the corporate assets to an acceptable minimum-security posture.
In light of the results received from the baselining process, many corporations will likely choose to conduct more formal, extensive security reviews. These reviews may offer a set of protective actions, based on 'environmental' changes. Environmental changes can be local, such as an increased crime rate near your corporate facilities; or they can be much larger, such as the election of a new, less/more tolerant government in your company's overseas area of operations.
In response to these environmental factors, your company may choose to pursue mutual assistance agreements (with local or host nation governments), increase public relations activities, fortify services (power, water, waste), and implement a wide variety of physical security measures.
To avoid or minimize recovery requirements, corporate security personnel and key corporate leaders, should structure a company plan that responds to changes in the operating environment. These plans must be tightly written with a high level of detail. A mental shortcut method, which ensures that a company has planned properly, is use of the W5H process. For any action or set of actions the company may take due to environmental changes, the company plan should describe Who will do What, When and Where that set of actions will occur, Why these actions may be taken, and exactly How these actions are to be accomplished. For every positive, mitigating action a company plans, ensuring that the actions answer all six questions (W5H) will result in complete planning-leading to seamless execution.
While pre-incident planning is important to the full-spectrum effort, awareness, training, and periodic exercise of the plan is requisite for success.
Employees who are aware of environmental changes may in fact enable a company to take preventive steps prior to an incident. Your company may want to encourage personnel to practice Operational Security (OPSEC) measures. Even efforts as simple as reporting a suspicious vehicle or guarding personal or company information in unsecured areas can go a long way in deterring hostile actions directed against your company.
Corporate training to properly execute a plan is the next essential step. To effectively check this block, you may refer to the W5H questions discussed above. For your plan to be successful, those individuals who have primary responsibility for certain tasks must be fully aware of the what, where, when, why and how surrounding their efforts.
Periodic exercise of company disaster or incident response plans, just as one practices fire drills, is key to success. The rapid response to an incident may make the difference between success and failure of early mitigation attempts, and can have an enormous impact on investment in recovery. Due to attrition, your corporate demographics are constantly changing.
Unless you exercise the plan regularly, you cannot effectively evaluate the strengths and weaknesses.
Each corporation must assess its situation to determine the scope and frequency of awareness, training, and exercise programs; the cost of these programs must be compared to the potential loss in personnel, facilities, and assets and the associated costs in recovery.
The final element of your Disaster and Incident Response Plan--recovery planning--is essential to complete and close the planning circle. Recovery planning must satisfy several criteria. It must be inclusive; all elements that will respond and assist in incident mitigation and recovery must be included. It must be comprehensive; all actions that normally occur must be addressed in the corporate recovery plan. It must be coordinated; the most difficult aspect of recovery planning and execution is that it requires many corporate elements, and external elements as well, to work together in ways outside of the daily corporate operations structure. Careful planning for coordination is required if one expects successful incident and recovery plan execution. Finally, incident response and recovery planning control procedures must be clearly described and completely understood at all levels of the company. Persons or entities outside of the daily operational corporate leadership structure may control recovery operations. Where that is the case, clear lines of control and 'Response & Recovery Command' must be established in the company's incident response and recovery plan.
According to Benjamin Franklin, 'an ounce of prevention is worth a pound of cure.' As you prepare to guide your company into the next century, it is important to be cognizant of the emerging terrorist threat against U.S. businesses and other private organizations. As outlined here, it is clear that a full-spectrum approach to response and recovery planning offers most businesses the best, most cost-effective method to respond to unexpected incidents or disasters. While your business may never be the victim of a terrorist attack, by planning for an effective response and recovery, you can ensure your company's success should such an incident occur.
Mr. Propst is the Manager of Analytic Services' (ANSER) Technical Assessments Division; Ms. Beirne is a Policy Analyst; Mrs. Dunkle is a Senior Operations Analysts in ANSER's Regional Conflict Division; They have a combined 52 years of research, analysis, and operational experience on a wide variety of emerging and continuing transnational threat issues, including: disaster and consequence management, risk assessment and management, combating terrorism, and counterproliferation of weapons of mass destruction. They are the principal authors for several catastrophic terrorism and disaster response, and consequence management products for the Department of Defense, the Joint Staff, and the USAF Air Staff.