Avengers, Assemble! Roles and Responsibilities of Your Incident Management Team
We all know the storyline.
A fictional villain with a nefarious plan attacks and gains the upper hand. All seems lost until a team of heroes steps in and saves the day. This same scenario plays out in the real world of corporate security. Your incident management team plays the superhero standing by to fight threats to your company’s overall safety.
Incident management is the process a company follows to handle unplanned risk events like breaches, service crashes, or on-site robberies. It’s impossible to make that process happen without a skilled team. Much like each hero has a unique role on the Avengers’ team thanks to their powers, every member of your incident management team (IMT) is essential to its operations and success.
Ensuring your IMT holds these five positions means when a battle does come, your team can fight cohesively and utilize their collective strengths to provide the strongest defense. Though the people on your IMT may shift with the nature of the incident the team is responding to, here are five roles and core functions that you should consider.
1. Team Lead
The team lead (sometimes also called an incident manager) is responsible for a given incident response effort from end to end. They drive and coordinate incident response activities, delivering information or deciding on the best course of action on behalf of your IMT. Just like a jury establishes a foreman to speak for the people on it, having your team lead speak for the whole team makes communication more efficient.
Establishing a clear IMT leader empowers other team members to focus on their parts of the incident response and resolution process. It also makes clear that someone is overseeing the process and keeping the team focused on the goal at hand. When you fill this position first, you also establish a clear chain of authority and responsibility. This gives other departments in your larger company confidence that someone owns the incident response process.
Characteristics your team lead should have
- Proximity to your facility or base of operations (for maximum visibility into the incident and what can be done to address it)
- Experience with operations directly related to the team or department experiencing the incident (so they have the knowledge to make informed decisions and, if needed, support why they made them)
- Excellent listening and communication skills (so they can accurately inform and update team members, and guide direction)
2. Investigative Lead
Though their role isn’t public like the team or PR lead (more on this below), an investigative lead is heavily involved in the entire incident response process. They’re responsible for case management, or collecting and analyzing information about risk events, to prevent future ones. They also work with IT professionals and analysts to find the root causes of incidents (through risk management software like Resolver) and recommend system and service recovery options.
Your IMT can’t effectively respond to incidents without an investigative lead to provide a clear understanding and interpretation of the actual risk event, so you can brainstorm and implement viable solutions.
Characteristics your investigative lead should have
- Proximity to your facility or base of operations (for maximum visibility into the incident and to better work with your team lead and investigative assistants)
- Experience with operations directly related to the incident at hand (so they know how to dig into potential problems and understand possible solution pathways)
- Attention to detail and problem-solving skills (so they can examine the incident from all angles and look beyond apparent roadblocks to find hidden problems)
3. Documentation and Reporting Lead
A documentation and reporting lead helps your IMT create a clear trail of events. With someone in charge of tracking the timeline, your team can quickly address current and future risk events. Primary responsibilities of a documentation and reporting lead include what the job title implies: investigation and discovery of an incident and documenting what the IMT does about it. Beyond documentation and reporting, this person owns the chronology of the incident process and keeps the rest of the team working toward a timely resolution.
This person is less involved at the beginning (identification and analysis) stages of incident response. However, they’re central to its back-end success and are generally in charge of officially closing an incident—marking its resolution—after the investigation is complete.
Characteristics your documentation and reporting lead should have
- Relevant technical expertise (to anticipate and advise steps required for resolution)
- Knowledge about the industry or technical requirements (to understand the legal requirements that must be followed during compliant incident resolution)
- Excellent communication skills and an analytical mind (for accurate and thoughtful reporting)
4. Communications/PR Lead
Your IMT’s communications or public relations (PR) lead prevents siloing and keeps the team informed so that it can work successfully toward incident resolution and minimize possible damage to your company brand. They handle communications with the team, public, board, and other stakeholders to protect your public image during the incident response process. The communications or PR lead also aids management through clear internal communication assistance, to minimize the impact on overall performance and efficiency. The communications lead, the only core IMT member who likely doesn’t have a technical background, gets involved immediately after the incident has been discovered and stays publicly engaged through to the incident close.
Characteristics your communications/PR lead should have
- A location likely at company HQ or operations base (for more direct communications and to protect your company image during press communications or photo opportunities)
- Calm presence in a crisis (so communications are clear and well delivered)
- Excellent interpretive skills (to take a variety of sources/styles and create a positive, cohesive message)
5. Legal Advisor
The final core incident management team member, the legal advisor, also leads the de-escalation of events to help your company recognize and address potential criminal charges the incident might cause. The legal advisor is involved throughout the incident response process and guides procedure and direction as needed to ensure you stay compliant.
A capable advisor should understand appropriate guidelines for incident response and encourage the team to follow them by sharing potential consequences of non-compliance.
Characteristics your advisor should have
- Access to both legal and company resources (to inform and advise proceedings within compliance)
- Framework expertise (to understand the various frameworks and how to act appropriately in them)
- Company knowledge and rapport (to gracefully navigate the complexities of incident resolution)
Arm Your Team With the Right Tools
Even the strongest team of incident management superheroes is limited without resources to help them save the day. If you’re still relying on outdated tools and manual processes to address modern threats, there’s an easier way.
Internal auditing aids and incident management software help your IMT work proactively and with agility by using technology to its advantage. Resolver’s incident management solution automates the incident and investigative process to mitigate losses and reduce the number and severity of incidents by streamlining incident submission, automating triage, and expanding reporting to show the impact of what you do.
Want to learn more about how Resolver could fit into your IMT planning? Tom Newman, Port Administrator at Manzanillo International Terminal (MIT) in Panama shares his experience of how Resolver’s incident management helped provide meaningful data to reduce incidents to personnel, property and cargo. “I believe our success directly relates to how we embrace change as an organization,” Newman says. “We were up and running with Resolver in just four months. Our case management and incident management is much improved, and we are now looking at risk in terms of mitigation and implementing controls. Just like putting on a seat belt when driving.”