A security breach of your information systems; a journalist who reveals a security vulnerability; an employee who has accidentally lost some data – these are just a few examples of incidents you can only partially prepare for. However hard you may try, mistakes will be made. It is very unfortunate, but with the right procedures and the right advice, you will be able to undo most of the damage your organisation may sustain as a result of an incident.
The procedures you follow in the event of an incident are called your incident response.
Incident response programme
An incident response programme contains all the information your employees need to contact the right person within the organisation for each type of incident, ranging from legal experts to communication officers, and from customer service officers to managers.
Sound procedures and the right kind of communication both within the organisation and to external parties will ensure that your organisation is able to handle incidents successfully. For instance, communication officers who are too quick to come out and present information which is later proven to be wrong will not actually control the damage, but rather add to it. That said, they must not wait too long before responding, either. By properly designing your procedures in advance, you will ensure that everyone has the knowledge and information they need in the event of an incident. However, your reputation, level of competitiveness and potential liability in the event of an incident will also depend on the way in which information is communicated. Having a solid communication strategy and sufficient knowledge of the legal pitfalls which must be avoided will help you get rid of unnecessary stumbling blocks.
Communication with supervisory authorities, if there are any, is another aspect of incident management. An increasing number of market sectors are subject to a duty to report incidents to one or more regulatory bodies. An incident response strategy will help you determine quite quickly whether or not an incident is subject to a duty to report, and if so, to which supervisory authority it must be reported and what information must be included in the report. By carefully considering such issues beforehand and embedding your solutions in your incident response programme, you will be able to satisfy your legal requirements quickly, which will give you more time to focus on communicating the incident to your other stakeholders.
Establishing an incident response programme
If you feel you need some help establishing an incident response programme, we will be very happy to give you step-by-step instructions, test your programme and draw up some communication strategies. And needless to say, you will always be able to get in touch with us when an incident arises.