It's a matter of fact that incidents will happen, and now more than ever, organizations have to be prepared to avoid being held liable. Small- and medium-size organizations (SMEs), however, cannot and will not spend too much money on Business Continuity Management (BCM) and Incident Management. The majority of SMEs that experience a serious incident, and were ill-prepared to respond to it, go out of business within one year following the incident. Therefore, not having BCM or incident management is no longer acceptable. Yet, the amount of time and effort one can spend is limited, so a more practical and realistic approach is required.

This post provides a realistic approach to incident management in an effort to make it applicable for SMEs to improve their workplace safety and business continuity – without the huge expense or continuous effort usually associated with it. To make it work, BCM cannot become an academic exercise. But this is an easy statement, so what should you have in place then?

The key is to have a flexible, efficient way to deal with incidents and events that require immediate attention within your organization. You need a way to inform and alert your team members quickly and to support them in taking the appropriate action. Furthermore, it is ideal to have information readily available and transparent, since you want to offer the people involved – be it employees or clients – a safe environment.
Realistic BCM
Start by thinking of what you need in order to make your organization a safer environment, and how you can take appropriate action when it matters:

1. A way for your employees to issue an alert when there appears to be an incident (e.g., trespassing, a blackout, IT system or machine failure).
2. Alert information that is automatically passed on to the right people with instructions on how to act in this situation, including:
- Instructions on how to handle the issue effectively
- SLA or other relevant information
- Who else should be alerted
3. Monitoring of the audit trail of issued alerts to improve your organization.
4. A recovery plan to kick off after the incident has been responded to.

Now, this approach requires some form of automation to allow your employees to:
- Issue alerts using their mobile phone, which they carry with them most of the time
- Receive alert information to take effective action
- Use a central place that describes your key action plans and the information needed to take the right action
The bottleneck of this approach used to be the lack of knowledge and the software investment required. This bottleneck has been lifted completely thanks to the latest innovations. The mobile apps required are available for free and the linked desktop app often comes fully hosted. The structured approach driven by the software allows you to do the work yourself, and to do it quickly.

You can document practical plans for things that are reasonably likely to happen, such as a first aid plan, an evacuation plan or an action plan detailing how to deal with a power-down situation. You will even find free downloads, such as first aid instructions and templates, that you can use to get going quickly.

Once a year, you should evaluate the reported incidents and see which of them did not have an effective plan linked. If these incidents are likely to occur again, you can see what you can do to avoid them (preventive) or decide to document a more appropriate action plan so that the right action is taken when the incident occurs again.

In conclusion, not having a BCM or incident management solution implemented for your organization can have many consequences that impact your business operations. The options are there, the software is available, the approach is clear and it is easy to implement and maintain. Your external auditor will also appreciate it, as will your insurance broker. Start today, be sure tomorrow.
About the Author: Dr. T.M. (Tim) Willems has been a Governance, Risk Management and Compliance expert since 1995. With an academic degree in psychology and a PhD in mechanical engineering and artificial intelligence, he combines the human factor with IT and technology. Tim is CEO and founder of Ba-PRO (est. 2005) and was also CEO and founder of BWise (currently a Nasdaq company). With a main focus on making GRC practical and easy, he supports clients ranging from large multinationals to SMEs and not-for-profit organizations in all industries.

Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Title image courtesy of ShutterStock