Incident Command and Control A Private Sector Approach

1
Incident Command and ControlA Private Sector
Approach
RSM McGladrey, Inc. is a member firm of RSM
International an affiliation of separate and
independent legal entities.
2
Randall W. TerpstraCISSP, CPP, CISM, CEM, MBCP,
LPI

• Manager, Technical Risk Management Services
• RSM McGladrey
• 445 Minnesota Street
• Suite 1700
• St Paul, MN 55101h
• 24x7 - 866-338-1195
• randall.terpstra_at_rsmi.com

3
Does this sound familiar??

• We have a BCP/DR plan but I dont know where it
  is.
• Yeah, we tested the plan, bout 4 years ago
• Our (President, CEO, insert appropriate title) is
  the one in charge if anything goes wrong
• Of course we have a disaster recovery plan. I
  just cant get the people in the office to read
  it
• Of course we have a Business Continuity Plan, but
  the IT department doesnt like it
• Our BCP/DR plan has been developed to respond to
  ANY incident that our company may face.

4
History

• When was the last time your company has had a
  services affecting incident?
• Did you activate your BCP/DR Plan?
• Did it work?

5
Reality

• Companies face incidents every day
• Not all incidents are disasters
• All disasters are incidents
• Incidents are categorized from level 1 (minor) to
  Level 3 (major)
• RARELY does an incident above level 1 only affect
  your company
• Company BCP/DR plans are myopic. They seem to
  only be focused at the company
• In a regional incident, assets, functions and
  services may not be available.

6
Factoid

• In the recent hurricane swarm in Florida,
  businesses discovered that their BCP/DR plans
  called on local services (diesel, technical
  support etc.) that also was contracted to the
  municipal government.
• In the aftermath of the storms, business were
  shocked when they couldnt get the services that
  were key to the execution of their recovery
  plans.
• In some cases, key service providers simply
  didnt exist any longer.

7
What is an Incident?

• Any action or actions whose results (aftermath)
  affect the day-to-day functional operations of a
  business or organization
• Five Basic types of potential Incidents
• Natural Disasters
• Accidents
• Civil or Political Incidents
• Terrorism or Criminal actions
• Significant Events (NFL football game, Convention
  etc.)

8
How do Major Incidents Develop?

• Event Based
• Precipitating event
• Catastrophic trigger
• Preplanned Event

• Evolves over Time
• Clinical Discovery
• Cascading Event

9
Business Continuity Planning and the Real World

• Most BCP/DR plans are written around an end of
  the world scenario.
• Businesses rely on BCP/DRs as their insurance
  policy

10
Homeland Security

• Business considers Homeland Security to be a
  governmental function
• Fire
• Police
• EMS
• National Guard
• Considered a support tool for the private sector
• Little to no private investment in Homeland
  Security Activities

11
Homeland Security for the Private Sector

• Business has a vested interest in Homeland
  Security
• 85 of the nations critical infrastructure is
  private sector business
• Homeland Security for the Private Sector
  includes
• Physical (operational) Security
• Information (data) Security
• Continuity of Operations Planning
• Emergency Incidence Response
• Business Continuity Planning
• Disaster Recovery Planning

12
Homeland Security for the Private Sector

• The business community remains myopic
• The private sector tends to consider themselves
  the center of the universe
• Few if any, disaster plans are developed with an
  eye to municipal impact or synergy
• Disaster plans are considered a one-time

13
Post 9/11 Homeland Security Risk Management
Calculus

• Risk Management costs coverage
• Customer Perceived Value of security
• Public perception and expectation for Business to
  be good citizens and be part of the Homeland
  Security solution
• Cost of implementing security measures
• Prevention vs Response
• Changing Global relationships

14
Homeland Security Preparations for the Private
SectorHow fast will you be out of business, if
you are not BACK in business??

• Focus on continuity of business operations
• Assume a seat at the Emergency table
• Evacuation Planning
• Identify and credential key and critical
  employees
• Identify and pool industry resources Mutual Aid

15
Characteristics of Major Incidents

• Exceeds local (on-scene) resources
• Involves large numbers of personnel
• Inherently high cost
• Complex, require written plans
• Affect multiple
• Companies
• Goals
• Days
• Functions
• Could involve local, State and Federal resources

16
Seven Critical Elements for Corporate Incidence
Response

• Pre-incident intelligence fusion and information
  exchange
• Adequate staffing for incident response
• Knowledge
• Detection of incident actions
• Unified Incident management
• Specialized equipment and training for incident
  response
• Inter and intra organizational response

17
Under the concept of Unified Incident Management
there will ALWAYS BE

• One Incident Operations Center
• A Single Coordinated Incident Action Plan
• One Incident Manager

18
Unified Incident Management manages

• Space (3 Dimensions)
• Time (4th Dimension)
• Functions
• Personnel
• Resources
• Objectives
• Incident Action Plans
• Incident Recovery Strategy

19
INCIDENT MANAGEMENT
ACHIEVE GOAL
EXECUTE TACTICAL STEPS
SELECT APPROPRIATE RESPONSE STRATEGY
ESTABLISH INCIDENT OBJECTIVES
UNDERSTAND POLICY PROCEDURES
20
Whos in Charge??

• Corporate Management feels compelled to be in
  charge
• Incidents are generally contained. The business
  continues to functions through the incident
• Just because the CEO is a great businessman,
  doesnt necessarily mean that he/she is the best
  leader in a high stress emergency incident
  situation.
• Incident response should be tasked to a team
  (group) that is best trained and prepared to
  respond to and recover from a services affecting
  incident.

21
Incident Response Staffing Model
Chief Executive Officer
Policy Group
Vice Presidents Senior Management Deans
Department Heads
Incident Manager
Public Information Officer Government Liaison
Officer Communication Officer Message Center
Incident Response Staff
Resources
Disaster Analysis
Operations and Response
22
SPAN OF CONTROL
INEFFECTIVE AND POSSIBLY DANGEROUS
EFFECTIVE SPAN OF CONTROL
23
OPTIMUM SPAN OF CONTROL IS ONE TO FIVE
24
10 Minute Break

• Next segment
• Development and implementation of an Incident
  Operations Center

25
Incident Operations Center

• An Incident Operations Center is a facility
  where the Incident Manager, Incident Management
  Staff and general support staff reside and
  provide coordination and EXECUTIVE DECISION
  MAKING for managing response and recovery
  activities for the duration of the incident
  response and recovery efforts.

26
Key Incident Operations Center Concepts

• Act in the best interests of the management and
  stakeholders
• Make key incident response decisions
• Focus on strategic incident response issues
• Centralize incident management and control
• Act to consolidate all available information for
  distribution to senior management and
  stakeholders
• Allow for easier verification of available
  information
• Simplify allocation and deployment of available
  resources

27
Key Incident Operations Center Decisions

• Declare a disaster and enable focused response
• Communicate with the public (customers and
  suppliers)
• Designate appropriate policy and decision making
  team
• Make fundamental policy decisions
• Evacuation
• Rescue or Recovery
• Quarantine
• Initiate appropriate Incident Action Plans (IAPs)

28
Incident Action Plan

• Should be written rather than oral
• Prepared and implemented prior to any incident
  response
• Should cover all objectives and support
  activities
• Should include realistic measurable goals
  prepared around a defined time frame.
• This time frame should be no longer than 24
  hours long

29
What do we do when an incident occurs??

• Incident response should be well scripted and
  rehearsed
• Plans should be developed before an incident, not
  while it is occurring
• Incident planning should be based on a
  comprehensive risk assessment.
• Your Business Impact Analysis should be the
  catalyst for ongoing IAP development

30
Business Continuity and Disaster Recovery Planning

• People dont plan to fail
• People fail to plan
• The people that do plan..
• dont plan for the plan to fail!

31
Incident
Incident Response Procedures
Incident Response Event Tree Level 1 Incident
Incident Notification Procedures
Problem Resolved
No
Yes
Initial Assessment of Incident
Assessment
Minor
Standard Operating Procedures
END
No
Need to update
Yes
Update Standard Operating Procedures
Yes
Update IAPs and Response Plan
Critique Incident
Deactivate Incident Operations Center
32
Incident
Incident Response Event Tree Level 1 or 2
Incident
Incident Response Procedures
Incident Notification Procedures
Problem Resolved
No
Yes
Initial Assessment of Incident
Assessment
Activate Incident Operations Center
Minor
Major
Standard Operating Procedures
Detailed Assessment of Incident
Assessment
Minor
END
No
Need to update
Yes
Update Standard Operating Procedures
Yes
Update IAPs and Response Plan
Critique Incident
Deactivate Incident Operations Center
33
Incident
Incident Response Procedures
Incident Response Event Tree Level 2 or 3
Incident
Incident Notification Procedures
Initial Assessment of Incident
Assessment
Activate Incident Operations Center
Major
Detailed Assessment of Incident
Assessment
END
Major
No
Execute BCP/DR Plan
Need to update
Yes
Update Standard Operating Procedures
Yes
Update IAPs and Response Plan
Execute organizational restoration
Standard Operating Procedures
IAP Based Procedures
Critique Incident
Problem Resolved
Deactivate Incident Operations Center
No
Yes
34
Incident
Incident Response Event Tree
Incident Response Procedures
Incident Notification Procedures
Problem Resolved
No
Yes
Initial Assessment of Incident
Assessment
Activate Incident Operations Center
Minor
Major
Standard Operating Procedures
Detailed Assessment of Incident
Assessment
Minor
END
Major
No
Activate BCP/DR Plan
Need to update
Yes
Update Standard Operating Procedures
Yes
Update IAPs and Response plans
Execute organizational restoration
Standard Operating Procedures
IAP Based Procedures
Critique Incident
Problem Resolved
Deactivate Incident Operations Center
No
Yes
35
Conclusion

• Business needs to expand its BCP/DR planning
  functions to include the initial response to a
  services affecting incident
• Continuity of Operations is more than the plan
• Homeland Security for the private sector is a
  hybrid of
• Physical (operational) security
• Information (technical) security
• Continuity of Operations Planning.
• Businesses must now include Homeland Security
  as an aspect of their overall business planning
• Business needs to be a good corporate citizen

36
Questions?
RSM McGladrey, Inc. is a member firm of RSM
International an affiliation of separate and
independent legal entities.