Incident management has a direct correlation to risk management, the latter is aimed at putting measures in place (controls) to prevent the incident materialising in the first place.
The Business Continuity Management Policy of an organisation outlines the procedures to be applied to Crisis/Incident Management, Business Continuity Management, and IT Service Continuity/IT Disaster Recovery as well as Pandemic Management. Its applicability must be broad enough to include all of an organisations stakeholders. Generally a Business Continuity Management Policy should include assurances on acceptable levels of: continuity of business operations, protection from a range of threats, service delivery and maximising the return on investment of business interests.
Risk Assessment plays a critical role in the formulation of incident management plans. The team managing the plans, which normally consists of departments like Risk, Compliance, ICT, Facilities management etc. must conduct such assessments in order to identify critical processes and functions which then form the plans for preventing or mitigating potential loss or disruption due to critical incidents or threats. During this planning phase, the team also assists various departments in an organisation to prepare for alternative work processes in the event of extended outages or relocation. This is done through the preparation or revision of individual department Business Continuity Plans. As a general practice, an annual review of the plans must be conducted to ensure relevance as well as its alignment with other plans and policies. It is prudent though to conduct such assessment after each and every incident that materialises.
Following the COVID-19 Pandemic it is important that organisations consider whether pandemic risk should still be treated as an ‘outlier’ and managed through the BCP? And if so, are the current assumptions on the BCP accurate? Also, are ‘outliers’ not sui generis risks that must be treated on their own? As well as, are we realising now that perhaps fresh assessment criterion needs to be applied to high impact, low likelihood risks?
