Let’s start from the beginning, i.e. by determining which processes, services or activities carried out by the Organization should be included in crisis management. The best solution is a proven system approach, derived from the ISO 22301 standard, which is the standard for the implementation of Business Continuity Management Systems. Details on the BCMS and our business continuity services can be found here. The approach based on the requirements of ISO 22301 allows for a thorough understanding of the processes implemented in the organization and the selection of the most important ones – which are of interest to us primarily in business continuity and crisis management planning.
Services related to the creation of crisis structures and crisis management are derived primarily from the obligations imposed on the so-called critical infrastructure. It includes the following systems:
- supply of energy, energy resources and fuels,
- ICT networks,
- food supply,
- water supply,
- health protection,
- ensuring the continuity of public administration operations,
- production, storage and use of chemical and radioactive substances, including pipelines carrying hazardous substances.
The experience gathered during our projects shows that more and more organizations decide to implement crisis management mechanisms even though they are not obliged to do so by legal requirements such as the Act on Crisis Management or the Act on the National Cybersecurity System. These activities result primarily from the need to prepare an orderly and deliberate response to the crisis situations that affect every organization from time to time.
As part of the implementation of crisis management mechanisms, Blue Energy experts help the Client to design a functional organizational structure and develop the necessary procedures. The scope of duties resulting from the implementation of crisis management is best presented in two parts – actions taken during “normal functioning” and tasks performed at the time of crisis situations.
Documents specifying how the Organization responds to the crisis vary depending on the rationale behind their implementation. Sometimes these are Business Continuity Plans (BCP), and when it comes to meeting the requirements of the Act – Critical Infrastructure Protection Plans. Regardless of the reason for the decision to implement crisis management – the content of the document is usually similar and has a number of common parts.
Crisis response procedures developed by Blue Energy experts are always created with customer representatives to meet the needs of the Organization and adjust to the organizational culture and other internal regulations.
The crisis procedures are preceded by an analysis of the criticality of the Organization's processes and of the infrastructure it owns, and include:
- description of crisis structures, identification of people and necessary competences, determination of substitutability, definition of the scope of responsibility for crisis management and decision making,
- requirements for internal and external communication, including: reporting a crisis situation or a potential crisis situation, informing the relevant services, employees and the public, and cooperating with external entities,
- the principles for appointing a crisis management team, carrying out its tasks and dissolving it,
- documentation management requirements, including: documentation review, change management, publication and archiving,
- identification of critical infrastructure, critical processes along with an indication of the characteristics and parameters of business continuity and infrastructure recovery,
- risk analysis, including: hazard identification and risk assessment,
- establishing a strategy for providing resources in the event of specific failure / crisis scenarios resulting from the risk assessment,
- requirements and schedules for testing crisis situations,
- principles of crisis management, including risk assessment and analysis of how the crisis may develop, carried out by the Crisis Staff or other crisis management structures,
- requirements for distributing the procedures and building awareness, including instruction sessions, exercises and training.
By creating response mechanisms to a crisis situation, Blue Energy experts focus on the practicality and applicability of the developed schemes during a crisis.
The first principle of proper crisis management is a properly defined accountability structure.
When selecting the composition of the crisis management team, we keep in mind proper leadership, substitutability and delegation of duties, as well as ensuring that all key areas of the Organization are represented.
The second aspect is a properly prepared strategy, defined separately for each critical resource used by the critical processes.
The third issue is the ability to manage a crisis: to continuously analyze the scenarios in which the crisis situation may develop and to respond to it appropriately. We recommend proven mechanisms based on defining optimistic, pessimistic and most realistic scenarios of crisis development.
Another element that cannot be missing is well-developed communication mechanisms, together with pre-prepared standard messages addressed to the various groups of recipients.
The last point we want to highlight is the ability to test the internal structures and the way they react. Our experience shows that even the most comprehensive crisis procedures will not hold up without regular training and testing carried out by the Organization.
Related blog articles
The National Cybersecurity System means requirements for operators of essential services and providers of digital services. What are these requirements, described in rather sparing terms in the Act? What does the Act itself say about how to ensure the security and continuity of essential services?
A common problem for organizations is providing an effective internal communication channel that guarantees proper accountability, e.g. for exercising data subjects' rights or for reporting and handling personal data breaches.
How long does it actually take to identify and fulfil data subject rights? Does our register of processing activities support the fulfilment of these rights? Can we automate the processes for handling data subject rights?
One of our infrastructure customers was so focused on planning and testing for failure that they forgot that business continuity management starts with preventing failures. While improving their BCMS implementation, we spent a lot of time improving the risk management mechanisms, asset management and operational practice. We should remember that the proper operation of devices and systems is often the basic foundation of business continuity.
A financial sector institution had been waging a long-running war over who is responsible for ensuring continuity. The business area claimed that it did not have the knowledge and resources to ensure continuity, and the ICT area claimed that it did not know what was critical and that no one had told it what to secure and how. We started our implementation support by making everyone aware of the cooperation required to ensure business continuity. The business must determine which activities (processes) and which tools (resources, systems) are critical and why (acceptable downtime, potential losses and possible penalties). The ICT area must define the gap between the current and the expected availability and indicate the dependencies between assets. In the next step, decisions and actions regarding the availability gap should be made jointly.
A continuous-process manufacturing company was seriously affected by a failure. After the audit, it turned out that the preventive mechanisms and business continuity plans had been tested only in the form of a tabletop (staff) exercise. When an actual failure occurred, most of the mechanisms did not work. We supported the client in proper planning and testing. Remember that different techniques can be used within a single test and, where possible, controlled shutdowns, simulations and real tests should be used, not just a tabletop exercise.