In this week’s bulletin, Charlie reflects on a recent SIMEX exercise and explores whether traditional tactical teams in incident management might be replaced, or better supported, by smaller, focused work groups.
I did a SIMEX exercise on Tuesday for a large insurance company. They had a large Gold Team but didn’t have a Silver Team which sat below it. Instead, they split themselves up into a number of work groups to address different aspects of the incident. This got me thinking about the concept of the Silver Team, and whether it has outlived its day and should be replaced with work groups.
I can claim some responsibility for the introduction of a tactical team into the business continuity world. At the time, I was working for Anglian Water, and as I was working as an Emergency Planning Manager, I was close to the emergency services. Plus, just having come out of the army, I was very clued in to incident management hierarchy. This was when the first BCI Good Practice Guidelines (GPG) came out. I found that many people in business continuity didn’t have a clear grasp of planning, which led me to contribute to the GPG by introducing the idea of Strategic, Tactical, and Operational level plans. This aligned to the emergency services doctrine of Gold, Silver and Bronze plans, but we didn’t adopt this nomenclature as we felt that we wanted to differentiate ourselves from the emergency services.
Moving forward to about two years ago and the writing of the GPG 7.0, I felt that in the previous version the concept of the tactical team had not been totally lost but misunderstood, and that those who wrote it didn’t really understand the concept of it. I volunteered to help with the rewrite of the implementation, now the ‘Enabling Solutions’ section of the GPG. Working with Fiona Raymond-Cox, and under the guidance of Michael Crooymans, we set out to rewrite the section on tactical plans and return it to its proper place and prominence in the Business Continuity GPG plan hierarchy.
The tactical team has three main roles. First, it acts as a filter, preventing the strategic team from getting drawn into the details of the response or trying to manage the operational team directly. This allows the strategic team to focus outward, managing reputation, communications, and setting strategic intent while making key organisational decisions. Secondly, the tactical team keeps the strategic team informed of progress and highlights the key challenges faced at the operational level. It also coordinates multiple operational teams to ensure they’re working towards the same goals, and it prioritises response, recovery, and resources as needed. Thirdly, it is also where the organisational support functions are situated, which all parts of the organisation need to recover. This is where financial aspects, IT, and HR are coordinated alongside subject matter experts such as security, scientific and health and safety experts advising the team. The Tactical Team’s role is coordination of the response looking inwards, while the strategic team looks outward to customers, regulators, the board, partners, owners and other stakeholders.
A tactical team is not needed in smaller organisations as they have combined the strategic and tactical team roles, and they only have one team who manages the response. Tactical teams are more likely to be found in large complex organisations.
The issue I see at the moment is that many organisations haven’t truly embraced the tactical concept. They often have large, unwieldy teams trying to manage both the strategic and tactical aspects of an incident. Even when a tactical team does exist, it’s frequently made up of representatives from every department, which again makes it cumbersome. Too often, team members are chosen based on their position in the organisational hierarchy rather than their incident management skills or the department’s importance in the recovery process.
On the other hand, communications – and we have this as a point in almost every post-exercise report – turn up with one person in the communications role either on the strategic or tactical team, and they are overwhelmed by the task they have to do. They are trying to attend and impart their expertise into team meetings while at the same time trying to monitor the media, write statements, work social media, identify stakeholders, and often carry out internal communications as well. We suggest that they bring a support team to work on the incident, without being part of the tactical team itself. Their input is represented through the communications role, who attends the team meetings on their behalf.
In the exercise I ran this week, although they were a very large organisation, they only had a strategic team. But when presented with the scenario, they split into a number of working groups looking at technical aspects of the incident, operations and communications. This broke up the large unwieldy group and let team members concentrate on their area of expertise rather than involving themselves in all aspects of the response. I heard an excellent presentation on the response to the Royal Mail International Parcels cyber incident in January 2023, the team had divided their response into six work groups, each managing a different aspect of the incident.
I like the idea of work groups, where people with expertise in a particular area can collaborate on the response. These groups could be predefined or formed based on the nature of the incident. Possible work groups might include technical, operations, communications, people, and scientific, as well as forward-looking groups focused on planning the recovery. Each work group would have a leader, who could coordinate with other groups without involving the large numbers often seen in strategic or tactical teams. In smaller organisations, the work group leaders could form a strategic team, or a tactical team that reports their progress to a strategic team.
Having a small team to make decisions and coordinate the response is key to effective incident management. Research suggests that the optimal team size is six to seven members, which this approach would allow. Those currently part of large, unwieldy teams could still contribute as members of the working groups, so they remain involved and can provide their expertise, without being part of the organisation-wide decision-making process. I think this approach strikes the right balance: it keeps people included while giving clear focus to the incident response.
I think that if this concept were widely adopted, the current form of the tactical team could become largely unnecessary. It could either be replaced entirely by a strategic team supported by work groups, or remain as a tactical team focused on coordinating the response, while most of the work, planning, and recovery efforts are handled within the work groups themselves.
Are you doing this already? Any thoughts greatly appreciated.
