article / February 13, 2023

How to draft a modern incident management policy

It’s not just your mind playing tricks on you: Corporate incidents are on the rise. A recent survey of over 350 senior security, compliance, and legal professionals working at large companies found that nearly 90% of respondents believed physical security threats had significantly increased since the beginning of 2021.

Another comprehensive study by the World Meteorological Organization revealed that natural disasters are becoming increasingly common — and the financial losses they incur have jumped sevenfold over the last five decades.

These and other trends underscore how important it is for modern companies to develop an incident management policy. Covering everything from incident categorization to specific protocols, these essential documents are the foundation of an effective response. Here’s how to write one.

What is an incident management policy?

An incident management policy is a document that explains how an organization will respond to events that could disrupt it in some way.

Although some incident management policies pertain only to IT-relevant events (these are often called “information incident management policies”), it’s critical that companies have a clear game plan for dealing with the numerous types of threats that could endanger the physical security of their customers, employees, proprietary assets, and more. Without appropriate preparation, organizations significantly increase the risk connected with such events.

Incident management policies usually rely on various security technologies to help organizations navigate challenging scenarios. These technologies can include documentation tools, de-escalation devices, and data management platforms.

Trusted by thousands of federal organizations, state agencies, and private security companies, Axon has developed a comprehensive suite of solutions that enhance speed and effectiveness at every stage in the response cycle. Contact our experts today to see how Axon can help you protect your organization.

5 components of an effective incident management policy

While you should tailor your incident management policy to your organization’s individual needs, challenges, and resources, many policy documents include some version of the following elements. Feel free to use these five components — and the examples they contain — as a guide during your writing process.

1. Explain the purpose

Many incident management policies begin by defining the document’s purpose. This brief section typically provides quick, high-level answers to questions like, “What’s contained in the policy?” and “Who is involved in the incident management process?”

For an example of a good purpose section, see this excerpt from James Cook University’s incident management policy:

“This policy provides a framework for the University’s response to prepare for and in the period immediately following an incident (including emergencies and critical incidents), and for its management of the longer term consequences of such an incident. This policy and the Incident Management Procedures define the roles and responsibilities of key staff in:

  • The management, coordination, and communication of information about an emergency or critical incident; and

  • In the recovery and post-incident review of an incident, emergency response or critical incident and its handling.”

2. Outline the scope and define important terms

Once you’ve established the intent of your policy document, it’s time to lay out its scope. This section often details whom the policy pertains to (company leadership, employees, contractors, etc.), what kinds of incidents the policy accounts for (cyberattacks, natural disasters, physical security threats, etc.), and what locations it concerns (company campuses, remote work sites, etc.). While you may have already touched on a few of these topics in the purpose section, the scope section allows you to get more specific.

Some policies also include a definition section near the top that breaks down any important terms used throughout the document as a reference. This section is particularly relevant for policies that use language in a specific, unique, or uncommon way.

3. Assign roles and responsibilities

Another important section of your incident management policy is roles and responsibilities, which describes the key individuals and groups that need to work together for the organization to effectively respond to challenging events, as well as the part they will play in the response.

To illustrate what these descriptions can look like, here’s a passage from Gardner-Webb University’s incident management policy:

“Chief Communications Officer:

The Chief Communications Officer will be responsible for the team managing the official communications channels during an emergency. This team will; review emergency messaging as it is developed and deployed from emergency management (SWN), direct media outlets where to stage for coverage, handle media calls and inquiries, arrange for on-camera interviews, post updates on and monitor social media and post updated content to University homepage “emergency” banner.

At no time should any faculty or staff speak with the media. All media requests should be directed to the Chief Communications Officer.”

4. Classify incident types

Incident management policies also have, in some form or another, a classification of the incidents the document covers. This classification can include categories like IT events, physical security issues, compliance violations, natural disasters, etc. Some policies break the incident types into separate subsections with tailored incident management workflows in the procedures portion of the document. Others group them in a single table.

However you decide to integrate this component into your policy, you must provide clear distinctions between incident types so responders are not confused about how to proceed or to whom they should be reporting. Downtime can be very costly — as high as hundreds of thousands per hour in some industries — so eliminating indecision is critical.

5. Lay out the incident management plan and procedures

The heart of your document is the incident management plan and procedures. This section can both provide high-level explanations of your incident management framework and get into the weeds, describing each specific action your organization will take.

The high-level section should tackle how your organization will prepare for an incident, including activities like policy development and training. It should also dive into the overall response timeline, from the initial notification process to the final review of the event. Here’s how Macquarie University sketched out its approach in its critical incident management policy:

“The University's critical incident management capability is designed and implemented to include the following core elements:

  • planning and preparing - developing, documenting, training and testing arrangements;

  • detecting and mitigating - identifying, assessing, controlling, treating and monitoring risks;

  • responding - making people safe, minimizing damage to assets, and managing strategic issues and consequences;

  • recovering - implementing business continuity arrangements and repairing negative impacts; and

  • learning and adapting - reviewing and improving arrangements.”

The more detailed procedures section can be contained within the incident management policy, developed as a supporting document, or both, but it needs to explicitly break down the who, what, where, when, and how of your response. Unlike some of the previous sections, the procedures are rarely compact. While the language should be succinct, don’t sacrifice comprehensiveness to reduce length.

How to build your incident response infrastructure

Once your incident management policy is complete, the next step is to develop the technical infrastructure you need for your response team to execute at the highest level.

With decades of experience serving law enforcement and security professionals, Axon’s private security solutions provide organizations with the situational awareness, data management, and de-escalation tools required to meet today’s challenges head-on. Contact our team of experts today to learn how our tailor-made solutions can help you accelerate your response.