Suggestions

All organizations must have a critical incident management program consisting of risk management, disaster recovery and business resumption, policies and procedures, compliance auditing, critical incident response programs, Critical Incident Response Teams, legal and law enforcement relationships, and privacy management.

Qualified team members selected from senior staff of the organization's business units can perform risk management. Enthusiastic executive-level managers should be the sponsors of risk management teams. Their primary task is the collection of information relative to critical assets (those assets required for profitable operations), threats and their frequency, vulnerabilities, and safeguard effectiveness.

Risk management efforts should be documented in the form of reports, notes, and work papers, with these items being archived. Risk assessment teams are responsible for information collection and analysis, reporting their findings, and making recovery recommendations. They should write the report, keeping in mind that it will have a wide audience outside the organization. Test all aspects of the emergency response plan, including teams, sites, programs, equipment, procedures, and employees. After the exercise, have a positive critique session to revise and improve performance. Then implement plan changes under the change control policy. Archive all reports, notes, and minutes for future reference.