When Does it Belong in the Incident Management Plan vs Business Continuity Plan


While working on a Business Continuity Plan for one of our Credit Union clients last week I ran into this question from my client.  Just for a little history and context, they had built a Business Continuity Plan out several years ago.  It was being regularly updated, but they were looking for a complete revision to be less templated and to more reflect the reality of how they would actually respond to a Disaster.  After having just gone through a Pandemic there is was a renewed desire to get plans ready to be activated, followed, and actually usable.  Additionally, they also have an Incident Management Plan which has several different types of incidents that fall under it, including their Pandemic Plan.  

As we were creating procedures to go under the BCP, they started to get confused about what should go in the BCP and what should go in the IRP.  We had a few discussions about this and I started trying to write up some guidelines to help them know when it was an Incident and handled under the IRP and when it was a Crisis to be handled under the BCP.  This involved going through and trying to create lists of the types of events that could occur.  The lists started listing things like a security incident, website defacement, fire or flood.  But trying to get all the possible things down in a list was proving to be very difficult.  There needed to be a way for someone to quickly understand which plan they should be looking in.  

Later that evening I was out with my wife on our regular evening walk around the neighborhood as we combat the "Pandemic Pounds" that I seemed to be piling on these last few months.  I was telling her about my day and trying to answer to this question.  She then helped me put together the answer in a simple example that I had to share with everyone.  

An Incident is when you go out to get in your car and you cannot find your keys.  You may have misplaced them, your 18mo old grandson may have picked them up and dropped them into a bucket full of tools (real example from last week), or they may have actually been taken for nefarious reasons to steal something from your vehicle or even the vehicle itself.  Your response to this Incident can vary.  You may have a spare set of keys, you may have to activate a search team to find them, you may remove items from the vehicle that could be stolen, or you may want to change the code on the key fob to ensure that those keys are no longer active.  

A Crisis is when you go out to get in your car and it is gone.  You vehicle may have been stolen, moved, or towed.  Now you have to activate a Crisis Management Plan and investigate.  How much of a crisis is this?  Did one of your kids drive your car?  Was it towed away?  Or was it actually stolen?  You assess the situation and contact the authorities and the insurance company and declare the disaster.  Then you determine if you can get the car back or if you will need to restore the car through the use of your insurance policy.  Meanwhile, what do you do in the meantime while you are waiting to recover or replace?  That is the Crisis Management Plan part of your Business Continuity Plan for your car.  

An Incident may lead to a Crisis and a Crisis may open you up for an Incident.  After sharing this simple example with my client, we have moved certain procedures around and updated some of the plans.  The Pandemic Plan is now part of the Business Continuity Plan because, as we saw, it affects all of the facilities and services and needs to be managed as a much larger event.  

I thought this was a great way to think about the two different types of plans.  And now I believe I owe my wife a consulting fee for her assistance.   If your credit union needs some help in getting your Business Continuity Plan, Business Impact Assessment, Incident Response Plan, or Information Security Program updated, contact Pure IT Credit Union Services, we would love to help you.