Incident management : gearing up to be able to handle a crisis event part 1
Denis Treacy, head of Culture Compass Ltd, lends us his expertise to talk about best practice guidelines for incident management.
"It's a vuca* world out there
*VUCA - US Military term defined to describe an indeterminate strategic battlefield situation as Volatile - Uncertain - Complex - Ambiguous.
As supply chains become increasingly global, the further they stretch the more vulnerable they are and the greater the risk of issues and incidents. Coupled with this is the increasing demand from consumers and customers to deliver products and services without delay and in a reliable and sustainable way. Further to this, when a business is reliant upon bought in services from a third-party manufacturer and contracted supplier the risks are even greater.
More often than not, the concept of failure is the last thing to be considered when a business is developing new products, processes or services, defining its strategy, growth plans and routes to market.
Organisations are required to be more and more resilient in the face of change and challenge.
“However effective we believe our preventive measures are, the world will find a way of delivering a surprise, so we should expect and prepare for it.“ …. Denis Treacy
A business must have a holistic risk assessment model (RAM) in place and means to systemise it. This RAM must consider as many elements as it is physically possible to both understand and have the resources to legislate for.
The practical application of a business continuity process is not to prepare for failure but to identify where risks and vulnerabilities are, how likely they are to manifest themselves and to embed measures to prevent or to implement should those risks materialise. A crisis management process simply sits within business continuity and should be constructed in a way that ensures incidents are managed competently, consistently and where necessary, escalated appropriately.
If we consider that process control is the means by which we manage consistent inputs and outputs from any process, then we will see normal variability and should have the means to react to it proportionately. With a well-defined process, it should be clear when a process is in control and when it is moving out of control.
When the process control system alerts us to the fact that we are now outside our normal distribution, we are at the point where process control meets incident management. Where the process is understood and risks have been properly assessed, there is a natural movement from process control to incident management.
An incident can often fall across more than one decision group, depending on perspective, environment, the capability to manage - perhaps even the relationship with a customer.
Often the financial implications are a significant influencing factor, but the business values and culture must never be compromised in decision making.
If an organisation has an immature or ill-considered process management linked to its business continuity system with no clear definition of what represents in or out of control, then we are likely to see far more frequent departures from normal distribution with the increased likelihood of management by crisis.
The alternative is a clearly defined, organised movement from in control to incident management to crisis management. There will always be the opportunity for significant or catastrophic events that take us straight to a crisis but still require a competent escalation to ensure the best outcome.
A competent escalation process enables us to manage incidents and issues in a proportionate way with the right competencies and teams in place. Considering localised issues, perhaps on one manufacturing line and concerning one product, we then move to an issue that affects more than one product or production line, to an event that affects an entire production facility. Each time we move from one situation to the next, there should be a clear escalation plan that identifies the decision makers, the data gatherers and the key stakeholders. Ideally, we should already have in place a guideline to the critical actions for each step and each escalation.
“Change is when we are most vulnerable to issues, the last to be considered is often the first to cause the problem…” Denis Treacy
Change is when we are most vulnerable to issues, mistakes and failures. When the situation is new, the process is not fully understood and so the definition of in control and out of control is far less mature. We may be dealing with a new process, raw material, equipment or indeed a new set of people or a change of staff. Change is when we should be most considerate in what we do, what we check and how we control. There should always be a conscious consideration of the new situation, requiring us to operate in a different way, - perhaps positive release - until we have enough information to confirm the difference between in control and out of control.
I am sure that many of us have experienced the delight of going from new product launch straight to recall because we just didn't take the time to understand the causes and effects.
In part two, Denis talks about how to put this into practice to implement your own incident management system.