Resilience FAQs

Business Continuity Management (BCM): A holistic management process that identifies potential threats to an organisation and the impacts to business operations those threats, if realised, might cause, and which provides a framework for building organisational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities (Good Practice Guidelines, 2018, based on ISO 22301:2012).

Activity (or Service or Product) to which urgency is given in order to avoid unacceptable impacts to the business during a disruption (ISO 22301: 2019).

No.  The focus of BCM is the continuation of Prioritised Activities in the event of an impact of any risk regardless of the cause of the disruption (e.g. continuing to teach when they lose their facility due to a fire / flooding); the focus of Incident Management / Response is the response to a specific hazard or threat (e.g. putting out the fire, stopping the pipes leaking). 

The purpose of BCM and Risk Management are aligned – they aim to protect the organisation’s ability to deliver its strategic mission.  BCM uses the Risk Management impact scales in its Business Impact Analysis.  Business Continuity Plans may be considered as a control against certain hazards.  Both BCM and Risk Management are drivers to develop organisational resilience which can be considered a preventative control for Risk Management.    There are also differences.  Risk Management considers specific risks and ensures that any remaining risk is at an acceptable level and / or that there is an action plan to prevent that risk materialising.  Management structures monitor the risks to – hopefully – prevent the risk materialising.  BCM doesn’t focus on risk, it focuses on those activities, services or products which are priorities for the organisation.  It considers how those priorities can be continued in the event of the impact of risks materialising .  This is based on the idea that multiple risks – both known and unknown – will have a smaller number of generic impacts (for example, the loss of staff can be caused by all manner of illnesses or scenarios). 

“The capability of an organisation to anticipate, detect, mitigate, prevent and, where necessary, withstand and recover from a challenge or disruption”.  Many Teams and Services contribute to organisational resilience – Security, Information Security, Safety, BCM, Insurance, Building Operations etc– all can be considered as Protective Functions to mitigate against Risks and monitor the mitigation of risk… i.e. Enterprise Risk Management is the unifying feature

Incident Management refers to both the actual management of an incident during a response but also refers to the developed capability of an organisation to respond, based on risk assessment and preparedness (including planning, training and exercising).

Imperial’s framework plan for managing incidents or crises. 

An incident is any event that can be, or could lead to a disruption, loss, emergency or crisis.  Examples could range from a first aid incident, fire alarm / evacuation, flooding to a newly emerging pandemic. 

Certain Teams have a role to respond to certain specific hazards or threats.  For example, Security respond to Security or first aid incidents.  These Teams will need to have Incident Response Plans / Procedures to steer their response.  Their focus will be saving life, preventing harm and mitigating the impact of the incident.  Other Teams have no such role to respond to fix the cause of the incident.  However, if they are involved in an incident (for example, they are evacuated), they will need to make sure they can continue to work – if they cannot, then they will need to invoke their Business Continuity Plans which will ensure they can continue to deliver their Prioritised Activities or Services while the responders respond to the incident itself. 

This is the group of operational team leaders who make up the initial response management group, coordinating the initial response to an urgent incident.  For example, they may be the team managers coordinating the initial response to a building evacuation, made up of Building Operations, Maintenance, Security and the building users.  Or perhaps, the initial team leaders from the ICT service coordinating the response to a cyber incident.  Their focus is on ensuring the safety of everyone involved and making the initial decisions to minimise the hazard / threat (‘fix the problem’).  They should have prepared incident response procedures / plans to support them.  If the incident impacts cannot be managed completely by the First Responder Group, they will escalate to line management who will initiate the Bronze Group.

It is the multi-service / wider-University Incident Management Group that coordinates the response at the Operational level and considers consequence management beyond that of the incident itself.  Its composition is based on the scenario – the responding teams as well as those affected.  For example a cyber incident will require a different composition than a flooding incident. 

The Silver Group is based on the Operations and Infrastructure Committee.  It provides tactical management of the incident, providing support for and direction to the Bronze Group.  It would be engaged in the event of a more serious, complex, wider ranging and more impactful incident.

The Gold Group is based on the President and Provost supported by the Chief Operating Officer, supported and advised by key members of the senior management.  It provides strategic management of and direction to the overall response.

From a personal perspective, download the SafeZone app and understand how to use it while on Campus; always be aware of your own personal and cyber security, as well as your friends’; follow Security or Safety messages; learn first aid.   From the organisational perspective, understand your personal role when your Team is responding to an incident; have an awareness of the Emergency Plan.