Managing public events with hundreds or thousands of people is a challenge, as disruptions of these events may result in huge material losses or even loss of life. We face the classical situation where disruptions may lead to unforeseeable consequences. As such, a business continuity approach based on ISO 22301 appears to be a powerful tool to manage these types of events.
Managing mass events
Public gatherings with masses of participants certainly create a potential for catastrophic events. The concentration of people is attractive to potential attackers. But even relatively harmless triggers (such as a firecracker) may set off a mass panic. There is a range of circumstances which may lead to catastrophic outcomes. As such, controlling and managing mass events is of utmost importance.
The business continuity approach
When viewed from a business continuity management standpoint, we face similar challenges as when attempting to protect an organization from unforeseen consequences of business interruptions:
- there are processes and resources to be protected from serious impacts,
- there is certainly a need for preventive actions and controls,
- we need a strategy for dealing with different scenarios,
- we need to have response structures in place (in case the risks materialize), and
- we need to exercise response scenarios in order to be sufficiently prepared.
The complete BCM lifecycle can be mapped and applied to managing mass events. Let’s have a look at the different components of this lifecycle.
1) Impact analysis – What are the most important resources in this scenario? Certainly the people attending the event, but we need to determine if critical material resources might be affected as well: roads, motorways, subway and bus lines, parts of the critical infrastructure of the city, etc.
2) Developing a strategy – After having determined what potential impacts could occur, it’s time to formulate one or several strategies as a kind of “answer” to the questions raised during the impact analysis. During the impact analysis we tried not to think in scenarios, but focused on the impacts: resource X has been impacted (injured, killed, damaged, burned, etc.) regardless of the cause. When developing a strategy, however, it is more realistic to paint certain scenarios.
In practice, we will end up with a range of scenarios, each supported by one or more strategies. Each strategy is a high level description of either a preventive or corrective range of measures. Examples of preventive measures: physically securing the area of the event, security checks for all participants, deployment of security guards, keeping possibly opposing hostile groups of participants at a distance, etc. Examples of corrective measures: preparation of evacuation pathways, keeping emergency exits free from obstacles, having intervention forces on the scene, etc.
3) Setting up a response structure – As we can already assume from the above paragraph, corrective measures in particular depend on proper response structures: a policy or strategy on paper is necessary, but on its own it is useless once an actual response becomes necessary. As with conventional BCM projects, we certainly need a command and control center (providing high level guidance) and “boots on the ground” to actually control the situation on the scene. It goes without saying that these interventions need to be based on thorough scenario-based plans.
4) Exercising and validating – Of course, a plan which has not been exercised is of little value. This is why this fourth section of the BCM lifecycle focuses on tests and exercises. It is of great importance that all response structures be tested in advance. It is advisable to start with simple, paper-based exercises to check certain components of the response structures, but it’s also necessary to gradually increase the complexity and realism of the exercises in order to check whether all levels of actions and interactions within the response structures, and to and from other interested parties, work as planned.
Validation and auditing of the whole approach by an independent third party is highly advisable. This procedure greatly reduces the mistakes, errors and omissions that can occur when only internal resources are involved.
The BCM lifecycle model: applicable to a wide range of security-related projects
Due to the well thought out methodology and multi-decade continual improvement of the BCM lifecycle model, it is certainly applicable for a range of projects where management and mitigation of impacts is a core task. This includes management of public events as well.
The BCM lifecycle is best documented in ISO 22301:2012, which even covers a kind of advanced implementation of BCM as a Business Continuity Management System (BCMS). The implementation of this and similar ISO standards is supported by the BCMS guidance document ISO 22313:2012 and a guidance document for business impact analysis: ISO 22317:2015.
Don’t waste time re-inventing the wheel. Let widely accepted international standards as well as proven tools help you get your project done quickly and efficiently.