WS-5 Incident Management Planning and Social Media

Transcription

1 WS-5 Incident Management Planning and Social Media Tuesday April, 01 1:00-3:30 PM David Ziev, MBCP, MBCI Ken Schroeder, MBCP, MBCI Deidrich Towne MBCP, MBCI AGENDA Introductions Module 1 Incident Management Planning Basics o How Social Media Affects Incident Management Planning Module 2 PPBI Maturity Model Overview Module 3 Incident Management Plan Components Module 4 Assessing Your Plan Module 5 Review and Conclusions Page 2

2 Module I Incident Management Planning Basics What is an Incident Management System? An integrated set of processes, tools and responsibilities that allow effective, efficient and economical management of any event that could (or does) impact normal business operations. An integrated set of processes, tools and responsibilities that allow effective, efficient and economical management of any event that could (or does) impact normal business operations. AC 3 Assemble the decision makers Coordinate response, recovery & restoration efforts Collect all incident related information Channel communications appropriately Page 4 Outlined in the plan Solidified during Planning & Exercising Emergency Operation Center and Infrastructure Documented Procedures and Guidelines Emergency Management database & recovery plans 24 x 7 Instant Meeting Line Training / Rehearsal drills

3 Incident Command Systems (ICS) Organization Incident Commander Functional Scalable Common Terminology Communication Flow IFLOP Safety Communications Liaison Intelligence Finance/Admin/HR Logistics Operations Planning Page 5 Channel Communications Facilities, Safety, Security & Insur. Finance & Purchasing IT HR Media / Social Media Legal Agencies Executive Management EOC AC 3 Employees Customers Agencies Shareholders Media Public Page 6

4 Why do Incident Management Planning? Effectively, Efficiently and Economically manage all aspects of a disruptive event throughout its lifecycle o Links Technology Recovery and Business Recovery o Enhance alignment - Private and Public Sectors o Follows BC/DR Professional Practices o Enhances Life Safety; No additional staff required o Enhances Timely Communications to all Stakeholders o Protects company image and value; Prudent Management Page 7 Module I Social Media and Communications

5 Social Media The Game Changer Social Media Changes Information Gathering and Distribution Influences conventional media o When they don t have the story, they report what is on social media, true or false. Changes the number and balance of stakeholders Influences control of story and facts. Page 9 Social Media The New Communications Team Remember AC 3? - Assemble, Coordinate, Collect, and Channel Communications. Communication Teams must be Social Media Savvy and understand the outlets (Twitter, Facebook, etc.) The communications team might need more members to monitor social media, or companies can hire professional firms to monitor social media. Contributing to social media can help to shape the tone and direction of the conversation. Communication teams must consider impact of social media when gathering information and communicating. Page 10

6 Social Media in Crisis: - Adds, Accelerates, Amplifies Volume of Partial information Degree of Inaccurate information Danger of Damaging information Costly Complications: Lack of social media savvy reduces leaders ability & willingness to factor new types of information into decision-making Slows the velocity of crisis response & business resumption which increases damage costs: $, morale, community goodwill, BuzzManager, Inc Page 11 Social Media: Your Early Warning System New Expectations: 1) Citizens, employees, customers, everyone now has a voice & expects to be heard 2) I m listening to you via social media, so you must listen to me 3) 2-way communication 4) Respond to my needs in LESS THAN 1 hour 5) Elevated level of BuzzManager, Inc Page 12

7 Module 2 Incident Management Maturity Model Overview The Dimensions of the Plan - AC 3 A - Assemble the Decision Makers C - Coordinate Response, Relocation and Restoration Efforts C - Collect all Incident-related Information C - Channel Incident-related Communication Page 14 Page 14

8 Why a Maturity Model? Perform an honest assessment of current situation against a common standard. Create a baseline for the organization Establish goals, over time, of where organization wants to be. Develop action plans to achieve goals Reassess against the baseline to determine progress. Page 15 PPBI Incident Management Plan Maturity Model Functional Category Level 1 Inadequate Level 2 Marginal Level 3 Acceptable Level 4 Outstanding Assemble Inadequate notification process. Limited / outdated contact information. Expanded contact information updated within 12 months. Comprehensive contact information with automated process and response capabilities updated monthly. Coordinate Just in time assignments; inhouse only. Emergency responsibilities preassigned with limited training. Coordination with appropriate emergency staff of opposite sector. ICS organization implemented. EOC equipped. Cross section leadership briefings. Functionally exercised command system within 6 months. Defined interrelationships between command staff and tactical operations. Cross sector stakeholders involved during rehearsals. Collect Limited staff to handle incoming calls (ad-hoc). Staff trained in situation monitoring. I/P from multiple sources. Incident Action Plan process utilized. Documentation system in place. Electronic version of action plan and documentation system. Channel Timely information not shared with appropriate stakeholders. Information disseminated/release d upon request at irregular intervals. Communicating to selected stakeholders regularly: PIO established. Announced / scheduled media briefings to multiple stakeholders. Publicize known information. Trained PIO staff. Page 16

9 Drill - Corporate Readiness BIO Corporation manufactures high end cosmetics. Nationwide distribution is healthy and eco-friendly. Excellent reputation and is considered a corporate leader in industry. Market media presence spans all outlets (Web, Blogs, Twitter) Everything except manufacturing is in this building: Accounting, Sales, Labs, IT, Corp HQ. Marketing, and HR. Current business continuity plans are mainly limited to data center/it. The plans are IT centric and use a recovery center, with plans to send IT staff to the recovery center. Estimated recovery time is 24 hours from disaster declaration, but is highly dependent on the time of day a disaster strikes and travel availability. We ll get to a full business continuity program in two years, said the EVP-Operations. Page 17 SITREP Typical Monday afternoon, mild temperatures, slight breeze. It s 2:15 PM FedEx Delivers a package to the corporate mail room. A mailroom intern opens the package while sorting for delivery and sees White powder everywhere Page 18

10 Immediate Response What would you do first given this information? (5 mins) Page 19 First Response Building evacuation Call 911 IRT Assembles? Page 20

11 The event gets complicated Local TV media arrives with county HAZMAT team. Employee makes video with a camera phone and posts to YouTube. Video Goes viral. Twitter picks up on the story and rumors take on life of their own. HAZMAT initial field test indicates Bacillus Anthraces, or Anthrax, a biological agent. Confirmation will take 3 business days. Page 21 News picked up by wire services - Nationwide interest Page 22

12 National News Media Reports Social Media Stories Company products have been contaminated with anthrax for two years. Employees have died. Consumers have contracted anthrax. Vice President of research and development, and communications director fired last year. There is a cover up! Page 23 Containment Police set up inner and outer perimeters County Mobile Command Center arrives Fire department cuts building power. Emergency Generator for IT starts up. Fire department cuts generator to kill HVAC and stop the spread of White Powder, especially out of building. Sr. Management and IMT cut off, No Power. Stock price drops on news, management can t respond. Need to move to a new command center. Page 24

13 Panic Sets In What steps must be taken because of all this new information? Who is in charge of the scene; the facility? How will you manage communications and Social Media? Page 25 Managing Social Media Real World Solutions Use of a smart social media listening tool for critical, near real-time business intelligence Social media education what do decision-makers need to know & understand effective social media community management who your social media influencers & advocates are & how to leverage them Evolution to a more social BuzzManager, Inc Page 26

14 Incident Command Systems (ICS) Incident Commander Safety Officer Public Information Officer Liaison Officer Intelligence Section Chief Finance/Adm Section Chief Logistics Section Chief Operations Section Chief Planning Section Chief Page 27 IT Operations Threatened How does this additional information pose a threat to the IT/IS operation? What steps become more important with this new information? Page 28

15 Employee s Affected 12 staff directly exposed. All taken to hospital. 3 critically ill with diverse symptoms, 7 have controlled, but serious symptoms. 120 with minor exposure are treated with emergency antibiotics. 157 unaffected. DHS declares building a crime scene, occupancy not expected for at least three weeks until investigation complete. Local TV station receives phone call from an activist organization.their list of allegations: o o o o Not eco-friendly Uses animals for testing People with side effects are being bought off for their silence Anthrax used in product development Page 29 Live Eye What s your position? April 1, 2014: At 1450 hours EDT, FBI officials reported that WUTR Television received a phone call at its home office in Utica from someone claiming to be a member of AlterNOT. The caller claimed credit for mailing the Anthrax laced package. The caller said that other such packages have been mailed to multiple locations across the US, but didn t say where. Social Media outlets calling for boycott of products Page 30

16 Decisions On what information can you base decisions at this point? Who has the authority to make these decisions? What is communication plan? Page 31 Additional Issues and facts Neighboring corporations and residential communities are extremely agitated and worried. The Board of Directors schedules an emergency meeting. They want to know what we are doing? (Need to prepare a briefing) No definitive evidence of anthrax. After 14 days, DHS returns the building to the company, but company must apply for certificate of occupancy AFTER cleanup is completed. Acme Anthrax Attackers, Inc. estimates it will take 7 weeks to clear the building and render it safe for occupancy. Some active employees voicing apprehension of ever going back into this building. Page 32

17 What Staff Is Needed? How do you protect IT Services under these conditions? Who addressed the media concerns? Page 33 The Problem It is the first hour of response. Based on the preceding representative events, consider what actions and decisions you would be making during this period. How will you make your message, the message? Discuss your actions with the class. Page 34

18 Debrief Review the entire incident and actions taken. What lessons have you learned? What steps will you take going forward? How could you better apply the ICS principles to your activities? Take notes for action to take when returning home. Page 35 Do you have an Incident Management Plan? What would you like to see included in an Incident Management Plan? Who would author the plan in your organization? How would the chain of command differ from the chain used in normal business? Let s examine some recommendations. Page 36

19 Module 3 Incident Management Plan Components NFPA Edition Disaster/Emergency Management and Business Continuity Programs Notices and Disclaimers Noted Additional Detail More Input from more stakeholders Page 38

20 Common Elements Comparison by Discipline NFPA Chapter / Section DRII Professional Practices for Business Continuity Practitioners, 2008 Subject Area CSA Z Emergency Management and Business Continuity Programs Chapter / Section 4.1 Leadership and Commitment 1. Project Initiation and Management 4.1 Leadership and Commitment 4.2 Program Coordinator 1. Project Initiation and Management 4.2 Program Coordinator 4.3 Program committee 1. Project Initiation and Management 4.3 Advisory Committee 4.4 Program Administration 1. Project Initiation and Management 4.4 Program Administration 4.5 Laws and Authorities 9. Crisis Communications 10. Coordinating With External Agencies 4.5 Laws and Authorities 4.4 Program Administration 1. Project Initiation and Management Program Goals and Objectives 4.6 Finance and Administration 1. Project Initiation and Management 4.6 Financial Management 4.7 Records Management BIA (B.2.f.) Records Management 5.1 Planning and Design Process 2. Risk Evaluation and Control 3. Business Impact Analysis 4. Business Continuity Strategies 5. Emergency Preparedness and Response 6. Business Continuity Plans 5.2 Planning Process 6.1 & 5.1 Common Plan Requirements 2. Risk Evaluation and Control 3. Business Impact Analysis 4. Business Continuity Strategies 5. Emergency Preparedness and Response 6. Business Continuity Plans 8. Business Continuity Plan Exercise, Audit, and Maintenance 5.3 Common Plan Requirements Page 39 Common Elements of An Incident Management Plan* Functional Roles and Responsibilities Lines of Authority shall be established. Direction, Control, and Coordination Communications and Warning Operations and Procedures Logistics and Facilities Training Exercises, Evaluations, and Corrective Actions Crisis Communications, Public Information Finance and Administration * (NFPA 1600, 2013 Edition, Chapters 4, 5, 6, 7, 8) Page 40

21 Functional Roles and Responsibilities Identify the functional roles and responsibilities of the following during Mitigation, Preparedness, Response and Recovery: o Internal and External Agencies o Organizations o Departments o Individuals Page 41 Laws & Authorities The disaster/emergency management program shall comply with applicable legislation, regulations, directives, policies and industry codes of practice. The entity shall implement a strategy to address legislative and regulatory revision requirements that evolve over time. Page 42

22 Direction, Control, and Coordination Develop the capability to direct, control, and coordinate response and recovery operations. Utilize an Incident Management System. Identify specific organizational roles, titles, and responsibilities for each management function as specified in the Emergency Operations Plan. Determine the level of plan implementation according to the magnitude of the incident. The Incident Management System shall be communicated to and coordinated with all stakeholders. Establish procedures for coordinating response, continuity, and restoration while complying with applicable regulations. Page 43 Communications and Warning Communications systems and procedures shall be established and regularly tested. Develop and maintain a reliable capability to alert officials and emergency response personnel. An emergency communications and warning process / procedure shall be developed and periodically tested to alert customers or citizens of an actual or impending emergency. Communications to protect and maintain company image. (not in NFPA 1600) Page 44

23 Operations and Procedures Develop, coordinate, and implement operational procedures to support the Incident Management Plan. Particular attention shall be paid to life safety considerations. Standard Operating Procedures are developed for identified credible hazards. Situation Analysis is conducted to include damage assessment and resource needs. Establish procedures for maintaining continuity of response via the Incident Management Plan. Page 45 Logistics and Facilities The organization shall establish procedures to locate, acquire, distribute, and account for services, personnel, resources, materials, and facilities procured or donated to support the response to the incident. A facility capable of supporting response and recovery operations shall be established, equipped, periodically tested, and maintained. Page 46

24 Training The organization shall perform a training needs assessment and develop and implement a training / education program to support the Incident Management Plan. Personnel shall be trained in the organization s incident management system. Training records and documentation shall be maintained. Page 47 Exercises, Evaluations, and Corrective Actions The Incident Management Plan shall be evaluated through periodic reviews, testing, after-action reports, and exercises. Exercises shall be designed to test individual essential elements, interrelated elements, or the entire plan. After-action or lessons learned debrief sessions shall be conducted to ensure that corrective action is taken on any deficiency identified. Page 48

25 Crisis Communications, Public Information The organization shall develop procedures to disseminate and respond to requests for pre-disaster, disaster, and post-disaster information, including providing information to the media and to deal with their inquiries. Where the public may be impacted by a hazard, a public education program shall be implemented. Page 49 Finance and Administration The organization shall develop financial and administrative procedures to support the Incident Management Plan before, during, and after an emergency or a disaster. Page 50

26 Module 4 Assessing Your Plan PPBI Incident Management Plan Assessment Tool Use the tool to evaluate your organization s Incident Management capabilities. Take 15 minutes to assess your plans against the common elements of an Incident Management Plan Page 52

27 PPBI Incident Management Plan Maturity Model Functional Category Level 1 Inadequate Level 2 Marginal Level 3 Acceptable Level 4 Outstanding Assemble Inadequate notification process. Limited / outdated contact information. Expanded contact information updated within 12 months. Comprehensive contact information with automated process and response capabilities updated monthly. Coordinate Just in time assignments; inhouse only. Emergency responsibilities preassigned with limited training. Coordination with appropriate emergency staff of opposite sector. ICS organization implemented. EOC equipped. Cross section leadership briefings. Functionally exercised command system within 6 months. Defined interrelationships between command staff and tactical operations. Cross sector stakeholders involved during rehearsals. Collect Limited staff to handle incoming calls (ad-hoc). Staff trained in situation monitoring. I/P from multiple sources. Incident Action Plan process utilized. Documentation system in place. Electronic version of action plan and documentation system. Channel Timely information not shared with appropriate stakeholders. Information disseminated/release d upon request at irregular intervals. Communicating to selected stakeholders regularly: PIO established. Announced / scheduled media briefings to multiple stakeholders. Publicize known information. Trained PIO staff. Page 53 Module 5 Review and Conclusions

28 Not a Question of If, but When Business and the Government are placing greater emphasis on being prepared Includes a Crisis Communications Plan Your customers will demand resiliency. Your shareholders will demand and depend on it. Our enemies know how much it matters to us. Page 55 Who has the next question? Please complete the evaluation form for this course. We take your comments very seriously to improve our courses. Please visit our website at PPBI.Org, and keep in touch via to: Mail@PPBI.org Page 56