

The Incident Management Response Pyramid

Since living and working in NZ and across Asia, all too often I see different terminology for what we do in the resilience space. Your incident management and my business continuity might be the same thing; we just call it something different. It can get confusing for new people, with so much jargon and so many acronyms. Here at RiskLogic, we are all about keeping it simple. People like simple; no one is crying out for complicated during a crisis.

Therefore, nearly a decade ago, we built an overarching response process that everyone could use with the same terminology, that would allow them to slot in their teams or plan dialogues to whatever they wanted to call them. In line with the Business Continuity Good Practice Guide, we have developed our incident response triangle. Everything is an event, it just has a different level of severity and response, from tactical, to operational, to strategic.

With everything that’s happening in the world right now, perhaps this is a good time to pull out a tool that has not failed us yet.

This is how it looks:

[Figure: Business Continuity lifecycle]

Step 1: Tactical Response

This is classed as an immediate response to an incident to protect people and property, and is the first stage we tend to find ourselves in when meeting and working with a client for the first time:

  1. Criteria/Description:
    1. Impact limited to a small area of one building/site.
    2. An Emergency can be managed by the warden team (ECO).
    3. Emergency Services will be notified to respond.
    4. Likely response will be less than 1 hour.
  2. Impacts:
    1. People
    2. Assets
  3. Examples of causes:
    1. Assault
    2. Fire (minor)
    3. Bomb Threat
    4. Medical emergency
    5. Gas Leak
    6. IT outage (short term)
  4. Who to activate:
    1. First Response Team (FRT)
    2. Emergency Control Organisation (ECO)
    3. Security
    4. HR
  5. Plans to use:
    1. Emergency Response Plan (ERP)
    2. DRP

Step 2: Operational Response

The ability to continue to deliver services at an acceptable level following a disruption:

  1. Criteria/Description:
    1. The emergency is affecting more than one building/site
    2. Coordination required to manage the recovery of the site
    3. Warden team needs support to manage people
    4. Requires coordination of a large volume of people
    5. Requires recovery of critical business functions
    6. Regional or national media exposure
    7. Likely response will be a few hours
  2. Impacts:
    1. People
    2. Assets
    3. Business Operations
  3. Examples of causes:
    1. Active Shooter
    2. Comms outage
    3. Cyberattack
    4. Death of staff member
    5. Disease
    6. Extreme weather
    7. Fire (major)
    8. IT Failure
    9. Natural disaster
    10. Negative media exposure (Local)
    11. Terrorist attack
  4. Who to activate:
    1. Management Response and Recovery Team (MRT)
    2. Incident Management Team (IMT)
    3. Business Continuity Team (BCT)
  5. Plans to use:
    1. Response & Recovery Plan (RRP)
    2. Business Continuity Plans (BCP)
    3. Cyber Response Plan (CMP)
    4. Incident Management Plan (IMP)


Step 3: Strategic Response

Management of significant events that threaten the organisation and its stakeholders:

  1. Criteria/Description:
    1. Large-scale impact on multiple sites
    2. Requires management at off-site locations
    3. Requires management of key stakeholders and media
    4. International media exposure
    5. Impact on Operations, Reputation, Financial etc
    6. Requires strategic management decision making
  2. Impacts:
    1. People
    2. Assets
    3. Financial
    4. Reputation
    5. Operational
    6. Strategic
  3. Examples of causes:
    1. Conflict of interest
    2. Data breach
    3. Fraud
    4. Negative media exposure (Wide)
    5. Key staff resignation
  4. Who to activate:
    1. Senior Leadership Team (SLT)
    2. Crisis Management Team (CMT)
  5. Plans to use:
    1. Strategic Management Plan (SMP)
    2. Crisis Management Plan (CRM)
    3. Critical Incident management plan (CIMP)

A situation that cannot be managed at a site level or within business-as-usual practices will escalate through the organisation and be managed by the various response and recovery teams. A clear escalation process and the links between the teams who are expected to respond are critical to an effective, swift response to an incident that is identified.

Many business continuity professionals we’ve met, experienced or not, have the same mindset around a process or tier system for event escalation. What we have noticed is that most of them struggle to identify and map impacts and processes per event.

By setting out a clear pyramid that breaks it down into only four steps (including business as usual / BAU), you can simplify the problem and quickly implement a plan you’ve already built, practised and agreed upon.

From saving lives to saving business operations, what is your response process and where do your teams fit into the RiskLogic response triangle? Do you or your organisation already have a similar process?

If you’re not sure, call us today.
