Developing and implementing a response plan
Whether or not there is a legal requirement to do so, prepare for the eventuality of a major incident by drawing up an internal emergency response/business continuity/disaster recovery plan, otherwise referred to as an incident management (IM) plan tailored to the business. This should be a living document, amended to take account of relevant changes in operations, personnel or circumstances.
Among other things, the IM plan should set out:
- key emergency actions to take in various scenarios, including regulatory requirements, if appropriate (eg securing the site in the immediate aftermath of an incident)
- names and emergency contact details for the group of key individuals from which members of the IM team should be drawn (see Activating an IM team)
- internal response procedures (eg linked to the organisation's health and safety and/or environmental policies)
- anticipated responsibilities and reporting lines
- procedures for using a disaster recovery space (if premises have been rendered unusable/inaccessible by the incident)
- procedures for using any offsite IT hub or server for business continuity purposes
- instructions for dealing with the emergency services (see Working with the emergency services), public authorities (see Reporting the incident to the appropriate parties), affected third parties (see Dealing with employees and next of kin), and insurers (see Do insurers need to be notified?)
- external advisers and consultants who need to be contacted
- appropriate media strategy (see Media relations)
- how to prepare and preserve evidence needed for any post-incident claim (eg by keeping a log of management time spent on the incident)
IM plan protocols should be reviewed and implemented in the immediate aftermath of a major incident. This may mean, for example, establishing whether key members of the management team have been informed and whether people "on the ground" know what to do and what not to do.
