•WS-4
•Incident Management Planning
and Social Media
David Ziev, MBCP, MBCI
Ken Schroeder, MBCP, MBCI
Deidrich Towne MBCP, MBCI
Tuesday March 19, 3:00 - 5:30 PM
Page 2
• Introductions
• Module 1 – Incident Management Planning Basics
• Module 2 – PPBI Maturity Model Overview
• Module 3 – Incident Management Plan Components
• Module 4 – Assessing Your Plan
• Module 5 – Review and Conclusions
AGENDA
•Module I
Incident Management Planning Basics
Page 4
What is an Incident Management System?
An integrated set of processes, tools and responsibilities that allow effective, efficient and economical management of any event that could (or does) impact normal business operations.
AC3
• Assemble the decision makers• Coordinate response, recovery
& restoration efforts• Collect all incident related
information• Channel communications
appropriately
An integrated set of processes, tools and responsibilities that allow
effective, efficient and economical management of any event that could
(or does) impact normal business operations.
• Emergency Operation Center and Infrastructure• Documented Procedures and Guidelines• Emergency Management database & recovery plans• 24 x 7 Instant Meeting Line• Training / Rehearsal drills
• Outlined in the plan• Solidified during Planning &
Exercising
Page 5
Incident Command Systems (ICS) Organization
�Functional
�Scalable
�Common Terminology
�Communication Flow
�IFLOP
Safety
Communications
Liaison
Operations PlanningLogisticsFinance/Admin/HR
Incident Commander
Intelligence
Page 6
Facilities, Safety, Security & Insur.
Finance & Purchasing
IT
HR
Media / Social Media
Legal
Agencies
EOC
AC 3
Executive Management
Employees
Customers
Agencies
Shareholders
Media
Channel Communications
Public
Page 7
Why do Incident Management Planning?
• Effectively, Efficiently and Economically manage all aspects of a disruptive event throughout its lifecycle
o Links Technology Recovery and Business Recovery
o Enhance alignment - Private and Public Sectors
o Follows BC/DR Professional Practices
o Enhances Life Safety; No additional staff required
o Enhances Timely Communications to all Stakeholders
o Protects company image and value; Prudent Management
Page 8
Social Media – “The Game Changer”
• Influences conventional media
o When they don’t have the story, they report what is on social media, true or false.
• Changes the number and balance of stakeholders
• Influences control of story and facts.
Page 9
Social Media in Crisis: Social Media in Crisis: -- Adds, Accelerates, AmplifiesAdds, Accelerates, Amplifies
Volume of Partial information
Degree of Inaccurate information
Danger of Damaging information
Costly Complications:Costly Complications:
• Lack of social media savvy
reduces leaders’ ability &
willingness to factor new types of
information into decision-making
• Slows the velocity of crisis
response & business resumption
which increases damage costs: $,
morale, community goodwill, lives
@KathleenHessert | BuzzManager, Inc @KathleenHessert | BuzzManager, Inc
Page 10
Social Media: Your Early Warning SystemSocial Media: Your Early Warning System
New Expectations:New Expectations:1. Citizens, employees,
customers, everyone now has
a voice & expects to be heard
2. I’m listening to you via social media, so you must listen to me
3. 2-way communication
4. Respond to my needs in LESS THAN 1 hour
5. Elevated level of accountability
@KathleenHessert | BuzzManager, Inc @KathleenHessert | BuzzManager, Inc
•Module 2
Incident Management Maturity Model Overview
Page 12
The Dimensions of the Plan - AC3
• A - Assemble the Decision Makers
• C - Coordinate Response, Relocation
and Restoration Efforts
• C - Collect all Incident-related Information
• C - Channel Incident-related Communication
Page 12
Page 13
Incident Management Maturity Model
PPBI Program Maturity
• Level 1 = Inadequate
• Level 2 = Marginal
• Level 3 = Acceptable
• Level 4 = Outstanding
Refer to the handout containing the PPBI Incident Management Maturity Matrix.
NFPA 1600 Self Assessment
• Comments
• Nonconforming
• Partially conforming
• Conforming
Page 14
PPBI Incident Management Plan Maturity Model
Functional
Category
Level 1
Inadequate
Level 2
Marginal
Level 3
Acceptable
Level 4
Outstanding
Assemble Inadequate
notification
process.
Limited / outdated
contact information.
Expanded contact
information updated
within 12 months.
Comprehensive contact information
with automated process and
response capabilities updated
monthly.
Coordinate “Just in time”
assignments; in-
house
only.
Emergency
responsibilities pre-
assigned with limited
training. Coordination
with appropriate
emergency staff of
opposite sector.
ICS organization
implemented. EOC
equipped. Cross
section leadership
briefings.
Functionally exercised command
system within 6 months. Defined
interrelationships between
command staff and tactical
operations. Cross sector
stakeholders involved during
rehearsals.
Collect Limited staff to
handle incoming
calls (ad-hoc).
Staff trained in
situation monitoring.
I/P from multiple
sources.
Incident Action Plan
process utilized.
Documentation
system in place.
Electronic version of action plan
and documentation system.
Channel Timely information
not shared with
appropriate
stakeholders.
Information
disseminated/release
d upon request at
irregular intervals.
Communicating to
selected
stakeholders
regularly: PIO
established.
Announced / scheduled media
briefings to multiple stakeholders.
Publicize known information.
Trained PIO staff.
Page 15
Drill - Corporate Readiness BIO
• Corporation manufactures high end cosmetics. Nationwide distribution is healthy and eco-friendly. Excellent reputation and is considered a corporate leader in industry.
• Market media presence spans all outlets (Web, Blogs, Twitter)
• Everything except manufacturing is in this building: Accounting, Sales, Labs, IT, Corp HQ. Marketing, and HR. Current business continuity plans are mainly limited to data center/IT.
• The plans are IT centric and use a recovery center, with plans to send IT staff to the recovery center. Estimated recovery time is 24 hours from disaster declaration, but is highly dependent on the time of day a disaster strikes and travel availability.
• “We’ll get to a full business continuity program in two years,” said the EVP-Operations.
Page 16
SITREP
• Typical Monday afternoon, mild temperatures, slight breeze.
• It’s 2:15 PM
• FedEx Delivers a package to the corporate mail room.
• A mailroom intern opens the package while sorting for delivery and sees …
“White powder everywhere”
Page 17
Immediate Response
• What would you do first given this information? (5 mins)
1. _______________________________
2. _______________________________
3. _______________________________
Page 18
First Response
• Building evacuation
• Call 911
• IRT Assembles?
Page 19
The event gets complicated…
• Local TV media arrives with county HAZMAT team.
• Employee makes video with a camera phone and posts to YouTube. Video Goes viral.
• Twitter picks up on the story and rumors take on life of their own.
• HAZMAT initial field test indicates Bacillus Anthracis, or Anthrax, a biological agent . Confirmation will take 3 business days.
http://www.bt.cdc.gov/agent/anthrax/needtoknow.asp
Page 20
News picked up by wire services - Nationwide interest
Page 21
National News Media Reports Social Media Stories
• Company products have been contaminated with anthrax for two years.
• Employees have died.
• Consumers have contracted anthrax.
• Vice President of research and development, and communications director fired last year.
• “There is a cover up!”
Page 22
Containment
• Police set up inner and outer perimeters
• County Mobile Command Center arrives
• Fire department cuts building power.
• Emergency Generator for IT starts up.
• Fire department cuts generator to kill HVAC and stop the spread of “White Powder”, especially out of building.
• Sr. Management and IMT cut off, No Power.
• Need to move to a new command center.
Page 23
Panic Sets In
• What steps must be taken because of all this new information?
1. _________________________________
2. _________________________________
3. _________________________________
• Who is in charge of the scene; the facility?
1. _________________________________
2. _________________________________
3. _________________________________
• How will you manage communications and Social Media?
1. _________________________________
2. _________________________________
3. _________________________________
Page 24
Managing Social MediaManaging Social Media
Real World Solutions
Use of a smart social media listening tool for critical, near real-time business intelligence
Social media education
• what do decision-makers need to know & understand
• effective social media “community management”
• who your social media influencers
& advocates are & how to leverage them
Evolution to a more “social culture”
@KathleenHessert | BuzzManager, Inc @KathleenHessert | BuzzManager, Inc
Page 25
Incident Command Systems (ICS)
Safety Officer
PublicInformation
Officer
LiaisonOfficer
OperationsSection Chief
PlanningSection Chief
LogisticsSection Chief
Finance/AdmSection Chief
Incident Commander
IntelligenceSection Chief
Page 26
IT Operations Threatened
• How does this additional information pose a threat to the IT/IS operation?1. _________________________________
2. _________________________________
3. _________________________________
• What steps become more important with this new information?1. _________________________________
2. _________________________________
3. _________________________________
Page 27
Employee’s Affected
• 12 staff directly exposed. All taken to hospital. 3 critically ill with diverse symptoms, 7 have controlled, but serious symptoms.
• 120 with minor exposure are treated with emergency antibiotics.
• 157 unaffected.
• DHS declares building a crime scene, occupancy not expected for at least three weeks until investigation complete.
• Local TV station receives phone call from an activist organization ….their list of allegations:
o Not eco-friendly
o Uses animals for testing
o People with side effects are being bought off for their silence
o Anthrax used in product development
Page 28
Live Eye – What’s your position?
March 19, 2013: At 1450 hours EDT, FBI officials reported that WUTR Television received a phone call at its home office in Utica from someone claiming to be a member of AlterNOT. The caller claimed credit for mailing the Anthrax laced package. The caller said that other such packages have been mailed to multiple locations across the US, but didn’t say where.
Social Media outlets calling for boycott of products
Page 29
Decisions
• On what information can you base decisions at this point?
1. _________________________________
2. _________________________________
3. _________________________________
• Who has the authority to make these decisions?
1. _________________________________
2. _________________________________
3. _________________________________
• What is communication plan?
1. _________________________________
2. _________________________________
3. _________________________________
Page 30
Additional Issues and facts
• Neighboring corporations and residential communities are extremely agitated and worried.
• Board of Directors schedules an emergency meeting. They want to know what we are doing? (Need to prepare a briefing)
• No definitive evidence of anthrax.
• After 14 days, DHS returns the building to the company, but company must apply for certificate of occupancy AFTER cleanup is completed.
• Acme Anthrax Attackers, Inc estimates it will take 7 weeks to clear the building and render it safe for occupancy.
• Some active employees voicing apprehension of ever going back into this building.
Page 31
What Staff Is Needed?
• How do you protect IT Services under these conditions?1. _________________________________
2. _________________________________
3. _________________________________
• Who addressed the media concerns?1. _________________________________
2. _________________________________
3. _________________________________
Page 32
The “Problem”
• It is the first hour of response.
• Based on the preceding representative events, consider what actions and decisions you would be making during this period.
• How will you make your message, “the message”?
• Discuss your actions with the class.
Page 33
Debrief
• Review the entire incident and actions taken.
• What lessons have you learned?
• What steps will you take going forward?
• How could you better apply the ICS principles to your activities?
• Take notes for action to take when returning home.
Page 34
Do you have an Incident Management Plan?
• What would you like to see included in an Incident Management Plan?
• Who would author the plan in your organization?
• How would the chain of command differ from the chain used in normal business?
• Let’s examine some recommendations.
•Module 3
Incident Management Plan Components
Page 36
• Disaster/Emergency Management and Business Continuity Programs
• Notices and Disclaimers – Noted
• Additional Detail
• More Input from more stakeholders
NFPA 1600 – 2010 Edition
Page 37
Common Elements Comparison by Discipline
Page 38
• Functional Roles and Responsibilities
• Lines of Authority shall be established.
• Direction, Control, and Coordination
• Communications and Warning
• Operations and Procedures
• Logistics and Facilities
• Training
• Exercises, Evaluations, and Corrective Actions
• Crisis Communications, Public Information
• Finance and Administration
* (NFPA 1600, 2010 Edition, Chapters 4, 5, 6, 7, 8)
Common Elements of An Incident Management Plan*
Page 39
Functional Roles and Responsibilities
• Identify the functional roles and responsibilities of the following during Mitigation, Preparedness, Response and Recovery:
o Internal and External Agencies
o Organizations
o Departments
o Individuals
Page 40
Laws & Authorities
• The disaster/emergency management program shall comply with applicable legislation, regulations, directives, policies and industry codes of practice.
• The entity shall implement a strategy to address legislative and regulatory revision requirements that evolve over time.
Page 41
Direction, Control, and Coordination
• Develop the capability to direct, control, and coordinate response and recovery operations.
• Utilize an Incident Management System.
• Identify specific organizational roles, titles, and responsibilities for each management function as specified in the Emergency Operations Plan.
• Determine the level of plan implementation according to the magnitude of the incident.
• The Incident Management System shall be communicated to and coordinated with all stakeholders.
• Establish procedures for coordinating response, continuity, and restoration while complying with applicable regulations.
Page 42
Communications and Warning
• Communications systems and procedures shall be established and regularly tested.
• Develop and maintain a reliable capability to alert officials and emergency response personnel.
• An emergency communications and warning process / procedure shall be developed and periodically tested to alert customers or citizens of an actual or impending emergency.
• Communications to protect and maintain company image. (not in NFPA 1600)
Page 43
Operations and Procedures
• Develop, coordinate, and implement operational procedures to support the Incident Management Plan.
• Particular attention shall be paid to life safety considerations.
• Standard Operating Procedures are developed for identified credible hazards.
• Situation Analysis is conducted to include damage assessment and resource needs.
• Establish procedures for maintaining continuity of response via the Incident Management Plan.
Page 44
Logistics and Facilities
• The organization shall establish procedures to locate, acquire, distribute, and account for services, personnel, resources, materials, and facilities procured or donated to support the response to the incident.
• A facility capable of supporting response and recovery operations shall be established, equipped, periodically tested, and maintained.
Page 45
Training
• The organization shall perform a training needs assessment and develop and implement a training / education program to support the Incident Management Plan.
• Personnel shall be trained in the organization’s incident management system.
• Training records and documentation shall be maintained.
Page 46
Exercises, Evaluations, and Corrective Actions
• The Incident Management Plan shall be evaluated through periodic reviews, testing, after-action reports, and exercises.
• Exercises shall be designed to test individual essential elements, interrelated elements, or the entire plan.
• After-action or lessons learned debrief sessions shall be conducted to ensure that corrective action is taken on any deficiency identified.
Page 47
Crisis Communications, Public Information
• The organization shall develop procedures to disseminate and respond to requests for pre-disaster, disaster, and post-disaster information, including providing information to the media and to deal with their inquiries.
• Where the public may be impacted by a hazard, a public education program shall be implemented.
Page 48
Finance and Administration
• The organization shall develop financial and administrative procedures to support the Incident Management Plan before, during, and after an emergency or a disaster.
•Module 4
Assessing Your Plan
Page 50
PPBI Incident Management Plan Assessment Tool
• Use the tool to evaluate your organization’s Incident Management capabilities.
• Take 15 minutes to assess your plans against the common elements of an Incident Management Plan
Page 51
PPBI Incident Management Plan Maturity Model
Functional
Category
Level 1
Inadequate
Level 2
Marginal
Level 3
Acceptable
Level 4
Outstanding
Assemble Inadequate
notification
process.
Limited / outdated
contact information.
Expanded contact
information updated
within 12 months.
Comprehensive contact information
with automated process and
response capabilities updated
monthly.
Coordinate “Just in time”
assignments; in-
house
only.
Emergency
responsibilities pre-
assigned with limited
training. Coordination
with appropriate
emergency staff of
opposite sector.
ICS organization
implemented. EOC
equipped. Cross
section leadership
briefings.
Functionally exercised command
system within 6 months. Defined
interrelationships between
command staff and tactical
operations. Cross sector
stakeholders involved during
rehearsals.
Collect Limited staff to
handle incoming
calls (ad-hoc).
Staff trained in
situation monitoring.
I/P from multiple
sources.
Incident Action Plan
process utilized.
Documentation
system in place.
Electronic version of action plan
and documentation system.
Channel Timely information
not shared with
appropriate
stakeholders.
Information
disseminated/release
d upon request at
irregular intervals.
Communicating to
selected
stakeholders
regularly: PIO
established.
Announced / scheduled media
briefings to multiple stakeholders.
Publicize known information.
Trained PIO staff.
•Module 5
Review and Conclusions
Page 53
Not a Question of If, but When…
• Business and the Government are placing greater emphasis on being prepared.
1. http://www.ready.gov/business/index.html
2. Includes a Crisis Communications Plan
• Your customers will demand resiliency.
• Your shareholders will demand and depend on it.
• Our enemies know how much it matters to us.
Page 54
Who has the next question?
• Please complete the evaluation form for this course. We take your comments very seriously to improve our courses.
• Please visit our website at PPBI.Org, and keep in touch via e-mail to: