Making Incident Management Work for Your Organization 14th Annual Making Incident Management Work for Your Organization Kathleen Lucey, FBCI – President, Montague Risk Management April 19, 2016 The Road to Resilience

Interruption Response Management Site Repair or Relocate INCIDENT MANAGEMENT MODEL - 1 Interruption Response Management Executive Team Damage Assessment Emergency Logistics We start with Disaster Recovery (IT only), damage assessment, and Site Repair or Relocate Disaster Recovery Team

INCIDENT MANAGEMENT MODEL - 2 Interruption Response Management Executive Team Damage Assessment Transportation, Communications Media Relations Team Emergency funding? Emergency Logistics Command Center Support Team Site Repair or Relocate Site Relocation and Re-creation Site Repair and Restoration Disaster Recovery Teams

INCIDENT MANAGEMENT MODEL - 3 Interruption Response Management Interruption Management Team Executive Oversight Team Damage Assessment Transportation, Communications Media Relations Team Emergency funding Physical Security Emergency Logistics Command Center Support Team Here we add Site Repair or Relocate Site Relocation and Re-creation Site Repair and Restoration Business Continuity Teams Information Technology Recovery Teams

INCIDENT MANAGEMENT MODEL - 4 Interruption Response Management Interruption Management Team Executive Oversight Team Damage Assessment Transportation, Communications Media Relations Team Emergency Funding Physical Security Emergency Logistics Command Center Support Team Employee Support Local Government Liaison Insurance Liaison Purchasing, Real Estate Business Recovery Coordination IT Recovery Coordination Site Repair or Relocate Site Relocation and Re-creation Site Repair and Restoration Business Continuity Teams Information Technology Recovery Teams

INCIDENT MANAGEMENT MODEL - 5 Interruption Response Management Interruption Management Team Executive Oversight Team Damage Assessment Transportation, Communications Communications and Social Media Team Emergency Funding Physical Security Emergency Logistics Employee Support Command Center Support Team Local Government Liaison Business Continuity Coordination Admin. Services Special Services Insurance Liaison Recovery Management Purchasing, Real Estate Business Recovery Coordination IT Recovery Coordination Site Repair or Relocate Site Relocation and Re-creation Site Repair and Restoration Business Continuity Teams Information Technology Recovery Teams

INCIDENT MANAGEMENT MODEL - 6 Interruption Response Management Supplier Availability Interruption Management Team Executive Oversight Team Damage Assessment Transportation, Communications Communications and Social Media Team Emergency Funding Physical Security Emergency Logistics Employee Support Command Center Support Team Local Government Liaison Business Continuity Coordination Admin. Services Special Services Insurance Liaison Recovery Management Purchasing, Real Estate Business Recovery Coordination IT Recovery Coordination Site Repair or Relocate Site Relocation and Re-creation Site Repair and Restoration Business Continuity Teams Information Technology Recovery Teams

Incident Management Timeline Warning Alarms Interruption! Backlog Begins All Mitigation Fails Begin Recovery MAD: Product Fully Functional Loss-of-Data @ RPO Permanent Restoration Failover Capacity Restored Auto-Failover Auto-Mitigation Commences Manual Mitigation Commences BAU Time-Objective Last Backup(s) Alarms Validation Begins Fallback Validation RTO Supporting Resources Incident Prelude Problem Detected Problem Diagnosed Additional Recovery Tasks MTPoD Risk to Brand Crisis/Incident Management Timeline for Site-driven Physical Event: SIMT, ECMC (Emergency Crisis Management Center) SIMT implements C/IM processes: Evacuation and IDRs Staff to safety Injured to treatment ECMC receives Site Damage Assessment ECMC involves necessary support groups: Insurance, Real Estate, Finance, HR, Legal, IT, etc. Remote and flyaway teams begin work. ECMC records progress, briefs CMT. SIMT alerts team members + ECMC. ECMC alerts Support Groups SIMT + participating teams debrief. ECMC files Incident Information for corrective actions. SIMT declares event to MCMC

Physical Event: Proposed Incident Management Structure Puts on Alert status: Site Incident Management Team (members) Site Business Continuity Teams (leaders) Site Incident Management Team Leader (or Alternate) Declare Event EVENT Wait Evacuate premises if necessary Employees execute IDRs* Brief Emergency Crisis Management Center (ECMC) Activate Site Incident Management Team and Site Business Continuity Management Team (s) Team members assemble in designated location Brief Emergency Crisis Management Center (ECMC) Verify Availability of Site Incident Management Team Members and Site Business Continuity Team Members *IDR = Individual Default Response: defined individual response for each employee based on whether at work location or not at work location.

Non-Physical Event: Incident Management Structure Cyber attack Customer-facing service failure on social media Adverse reputation event Other non-physical Incident detector notifies Business Management*, who notifies the ECMC. - ECMC Coordinator opens a non-physical incident investigation, assigns an investigation team (leader and members), and contacts additional investigation/support resources as needed. If this is a cyber situation, ECMC assigns the event to the appropriate Cyber Security Group, and notifies others as appropriate, such as Corporate Legal, Communications, Social Media. ECMC also assigns an Incident Coordinator to provide conference and other facilities as necessary for the team(s) involved. For Cyber: - Assigned Team Leader on the Cyber Security Team takes immediate action to limit incident exposure and damages; collects situation information and assesses incident. - Assigned Team staff documents incident resolution strategy; documents recommended long-term solution to avoid recurrence, and briefs appropriate management team(s); sends a written copy of the incident debrief to ECMC. *Call may come directly to ECMC.

Proposed Incident Management Team Structure: Physical and Non-Physical Events Corporate Level GIG (Global Intelligence Group) Corporate Crisis Management Team (CMT) Incident Support Team (IST) Risk HR Insurance Executive Management ECMC: Emergency / Crisis Management Center Technology Legal Comms Corporate Cyber Security Real Estate Compliance Finance Division Level Division Crisis Management Team Division Incident Mgmt Team (IMT) Division Operational Management Division Cyber Security Risk Comms Product Compliance Technology Legal Sales Finance Content / Operations HR Client Svcs Site Level Site Business BCM/DR Team(s) + Other teams as appropriate (SIMT) Site Incident Management Team

SELF-EXAMINATION Where are you on the road to effective crisis/incident management? Do you have an equivalent to the ECMC if you have many locations? Are your physical and non-physical (e.g.,cyber, social media, legal exposure) incident handling procedures effective and integrated? How do you know that an incident has occurred? How quickly can you respond to both a physical and a non- physical event? Have you installed tools to support your C/IM response work?

QUESTIONS?

THANK YOU FOR YOUR ATTENTION AND FEEDBACK. Let’s Talk About It…. THANK YOU FOR YOUR ATTENTION AND FEEDBACK. CONTACT ME AT: kathleenalucey@gmail.com mobile: 516.384.6437