Maximize Incident Response Effectiveness: Guidance for mid-market companies

In light of the recent COVID-19 pandemic, the operational and technology experts at Elliott Davis have created a body of simple, easy-to-understand, practical guidance for mid-market company leadership teams to maximize incident response effectiveness while minimizing operational risk and disruption. We are receiving questions and seeing requests for management team support, specifically with the development and execution of incident response (IR) programs. It is for these reasons that we wanted to share our expertise, cross-industry experience, and observations from working with other mid-market companies facing the same set of challenges.

As we know, this pandemic has not discriminated in terms of the industries it is impacting. It is adversely affecting companies of all sizes, in all sectors. Regardless of your size or industry, there are six key areas we are recommending mid-market company leadership teams focus their response efforts upon. These are:

The links above will bring you to more detailed information, guidance, and practical consideration for each topic.  While this is certainly not an all-inclusive list of topics, our focus is on the Operational and Technology aspects of IR, as we believe these areas have a disproportionately high degree of impact on IR success or failure.

Guidance context: At the macro level, we are recommending you review these response focus areas in the context of the following:

From the perspective of

  • Associates and employees
  • Customers and suppliers
  • Third-party relationships

Impact & Risk Management

  • Minimize the impact upon associates and employees
  • Minimize the impact upon service delivery to customers
  • Minimize risk in the supply chain
  • Protect the company brand and marketplace reputation
  • Minimize financial impact
  • Return to pre-pandemic conditions as soon as possible

Timing from today

  • Your next 48 hours
  • Days 3-7
  • Days 8-30
  • Days 31-90
  • Days 91+

General considerations: The quality of the underlying assumptions used is a significant factor in determining the overall quality of an IR plan. We believe there are several key considerations every company must build its planning assumptions and operating decisions around. These include:

  • Timing: You can hope for the best, but should model the worst.  We believe 6-12 month event horizons for planning are appropriate, not 2-8 weeks.
  • Pace of change: The speed at which conditions are changing is fast.  We do not expect this velocity to decrease in the short term. Adaptability of IR plans to rapidly changing circumstances will be important.
  • Triggers: Impacts of things such as quarantines, prolonged travel restrictions and school closures, employee absenteeism, and mandatory business operating reductions will likely trigger incremental constraints on IR plans.  Anticipate the need for flexibility.
  • Supply chain diligence: Assessment and preparedness for supply chain/third party disruption will be critical.  Now is the time to plan and execute as resource availability will likely change.
  • Technology: The use of key technology enablers will be an advantage for those organizations who select the right options and use them effectively.
  • Residential internet: Some geographies may not adequately handle a sudden increase in demand due to a large-scale shift to a remote work scenario.
  • Critical business services/resources: Companies should plan for scenarios where key resources (contract labor, fuel for standby power generation, etc.) may be limited or unavailable for periods of time.
  • Situational Awareness (SA): Situational awareness is critical.  Dynamics are rapidly changing and companies must be prepared to adjust quickly.  “It is not the strongest of a species which survives, it is the one most adaptable to change”.
  • Active management: Focus on speed of execution versus perfection.  It will be critically important to be an “imperfect doer” vs a “perfect non-doer”.

Business Continuity vs. Incident Response: We often get the questions, “What is the difference between a Business Continuity Plan (BCP), an Incident Response (IR) plan and Disaster Recovery (DR)?” and “What should I be focusing on right now?” The simple answer is this: while the three are related, they serve different purposes. BCPs are the high-level, overarching mechanisms for maintaining business operations under a variety of unfavorable scenarios. For those who have pre-defined BCPs for the overall continuity of the business, you should be validating them and invoking the relevant components. An IR plan is typically a subset of the overall BCP and is designed to address specific adverse conditions, like a pandemic event. DR is typically related to the recovery of failed operations and is most commonly used in the Information Technology domain. For those who have inadequate or non-existent BCPs, our recommendation is that immediate efforts be focused on IR plans: because we are currently “in-incident”, they are most relevant from a tactical perspective.

We Can Help

If your organization has concerns about continuing operations, is developing and implementing an incident response plan, or is working to determine the best way to serve its customers and employees, the Operational and Technology experts at Elliott Davis can help. We have a team of experts with the deep practical experience and expertise necessary to help you actively manage through this unprecedented series of events and keep your business moving in the right direction.

For more helpful resources to navigate COVID-19, visit the Elliott Davis COVID-19 Resource Center.


