Incident response and crisis management

Chapter summary

A security incident is anything that causes harm to staff or associated people, or loss of or damage to assets. Recording and tracking security incidents, as well as near-misses and threats, can inform decision-making across an entire organisation, within and outside security functions. Organisations should have procedures for reporting, analysing, sharing, and using incident data internally.

Incident information management supports staff and operational security in four main ways:

• Incident reporting and immediate response. To alert relevant teams so that they are aware and, if necessary, can provide help to anyone affected during an incident. Other humanitarian actors operating in the area can also be alerted to enhance the security of the wider community.
• Incident analysis and lessons learned. To analyse the incident and implement lessons to prevent similar incidents from occurring in the future, and respond more effectively if they do.
• Context analysis. Tracking incidents and analysing trends and patterns informs context analyses and security risk assessments. Analysing aggregated incident data from within and outside the organisation helps inform decision-making and indicates whether procedures need to be adapted.
• Informed strategic decision-making and policies. To enable the sharing of security incident information internally within an organisation to inform actions and decisions, and improve ways of working.

Comparing incident data with that of peers in the same locations can allow for a more objective analysis of incident patterns and help determine trends if the data are analysed over time. External incident data can be accessed through interagency security forums and from open-source databases (see below for examples).

While all incidents require a response, the severity of the incident determines the type of response required.

• A non-critical incident can be dealt with using existing organisational procedures and capacity in the location where the incident took place.
• Critical incidents are events that seriously threaten the life or health of staff, requiring support outside of standard local office management structures.
• A crisis is a highly disruptive event that severely interrupts normal operations, causes or threatens severe consequences, and requires extraordinary measures and immediate action from senior management. A crisis can be triggered by a critical incident – but not all crises are linked to a critical incident.

An organisation’s management response to a critical incident or crisis can consist of:

• Planning and preparedness
  • The development of a crisis management plan.
  • The organisation’s crisis management structure (teams and roles).
  • Crisis management training and awareness raising.
• Incident and crisis management
  • The initial response, such as providing medical support and informing key stakeholders, and activation (if warranted) of the crisis management structure.
  • Managing the situation, including a strategy to support those affected, as well as managing communications, liaising with internal and external stakeholders (including affected family members, authorities and the media) and managing information.
  • Resolution of the situation, such as the successful release of kidnapped personnel.
• Post-incident actions
  • Deactivation of the crisis management response.
  • Post-incident staff care that is survivor-centred, which includes medical, psychological and material support and, in some cases, longer-term care for affected individuals.
  • A review of the event to assess the organisation’s response and security risk management policies and procedures, along with an action plan to implement follow-up actions.