The Incident Management Response Pyramid

By Brad Law | Senior Consultant & Country Manager. Pyramid designed by RiskLogic

Since living and working in NZ and across Asia, all too often I see different terminology for what we do in the resilience space. Your incident management and my business continuity might be the same thing; we just call it something different. It can get confusing for the people we work with, especially if they are new to this industry, with all the jargon and acronyms we love to use. Here at RiskLogic, we are all about keeping it simple. People like simple; no one is crying out for complicated during a crisis.

Therefore, many years ago, we built an overarching response process that everyone could use with the same terminology, one that would allow them to slot in their teams or plan names with whatever they wanted to call them. So, in line with the Business Continuity Good Practice Guide, we have developed our incident response triangle. Everything is an incident; it just has a different level of severity and response, from tactical to operational to strategic.

This is how it looks:

Step 1: Tactical Response

This is classed as an immediate response to an incident to protect people and property, and is the first stage we tend to find ourselves in when meeting and working with a client for the first time:


  • Impact limited to a small area of one building/site.
  • An Emergency can be managed by the warden team (ECO).
  • Emergency Services will be notified to respond.
  • Likely response will be less than 1 hour.


  • People
  • Assets

Examples of causes:

  • Assault
  • Fire (minor)
  • Bomb Threat
  • Medical emergency
  • Gas Leak
  • IT outage (short term)

Who to activate:

  • First Response Team (FRT)
  • Emergency Control Organisation (ECO)
  • Security
  • HR

Plans to use:

  • Emergency Response Plan (ERP)
  • DRP

Step 2: Operational Response

The ability to continue to deliver services at an acceptable level following a disruption:


  • The emergency is affecting more than one building/site
  • Coordination required to manage recovery of the site
  • Warden team needs support to manage people
  • Requires coordination of large volume of people
  • Requires recovery of critical business functions
  • Regional or national media exposure
  • Likely response will be a few hours


  • People
  • Assets
  • Business Operations

Examples of causes:

  • Active Shooter
  • Comms outage
  • Cyber attack
  • Death of staff member
  • Disease
  • Extreme weather
  • Fire (major)
  • IT Failure
  • Natural disaster
  • Negative media exposure (Local)
  • Terrorist attack

Who to activate:

  • Management Response and Recovery Team (MRT)
  • Incident Management Team (IMT)
  • Business Continuity Team (BCT)

Plans to use:

  • Response & Recovery Plan (RRP)
  • Business Continuity Plans (BCP)
  • Cyber Response Plan (CMP)
  • Incident Management Plan (IMP)

Step 3: Strategic Response

Management of significant events that threaten the organisation and its stakeholders:


  • Large-scale impact on multiple sites
  • Requires management at off-site locations
  • Requires management of key stakeholders and media
  • International media exposure
  • Impact on Operations, Reputation, Financial etc
  • Requires strategic management decision making


  • People
  • Assets
  • Financial
  • Reputation
  • Operational
  • Strategic

Examples of causes:

  • Conflict of interest
  • Data breach
  • Fraud
  • Negative media exposure (Wide)
  • Key staff resignation

Who to activate:

  • Senior Leadership Team (SLT)
  • Crisis Management Team (CMT)

Plans to use:

  • Strategic Management Plan (SMP)
  • Crisis Management Plan (CRM)
  • Critical Incident management plan (CIMP)

A situation that cannot be managed at a site level or within business-as-usual practices will escalate through the organisation and be managed by the various response and recovery teams. A clear escalation process and the links between the teams who are expected to respond are critical to an effective, swift response to an incident that is identified.

Many Business Continuity professionals we’ve met with, those experienced or not, have the same mindset around a process or tier system for event escalation. What we have noticed though is that most of them struggle to identify and map impacts and processes per event.

By setting out a clear pyramid that breaks it down into only four steps (including business as usual), you can simplify the problem and quickly implement a plan you’ve already built, practised and agreed upon.

From saving lives to saving business operations, what is your response process and where do your teams fit into the RiskLogic response triangle? Do you or your organisation already have a similar process?

Until next time, plan, do, check and act…




RiskLogic is the leading provider of resilience services for the public, private and not for profit sectors throughout Australasia. We provide expert advice and consulting services, innovative, award-winning technology solutions, and high impact training.
