The purpose of Communications is to develop, deploy, and manage internal and external communications to support resilience activities and processes.
Communication is a basic organizational activity and competency. From a resilience perspective, communication is an essential function, tying together disparate parts of the organization that collectively have a vested interest in protecting high-value assets and services and sustaining assets and services during and after a disruptive event.
Internally, communications processes are embedded in operational resilience management processes such as incident management, governance, and compliance, and support the development and execution of plans for sustaining the required level of resilience; externally, communications processes provide much-needed information to relevant stakeholders on the capability of the organization to protect and sustain assets and services, handle disruptions, and preserve customer confidence in unsettled and stressful times. Most important, communications are a critical success factor in ensuring the successful execution of service continuity plans and decision making, particularly during a crisis or disaster.
The Communications process area seeks to capture the communications activities that support and enable effective management of operational resilience. This requires foundational processes for basic and ongoing communications needs as well as more flexible ones for supporting the communications demands of managing events and executing service continuity plans. In the Communications process area, the organization establishes communications requirements that reflect the needs of stakeholders that are important to managing operational resilience. Communications guidelines and standards are developed to ensure the consistency and accuracy of messages and communications methods across all resilience processes. The communications infrastructure is established and managed to ensure effective and continuous communications flow when needed. The organization also regularly assesses its communications abilities, particularly after an event, incident, or crisis, to revise communications requirements and to make improvements in the type and media of communications and the communications infrastructure.
The Communications process area focuses on communications processes that directly support the management of operational resilience. These processes are likely to be part of a larger (and in some cases, enterprise-wide) communications process in the organization. Thus, the Communications process area is not considered a substitute for this larger process.
The definition of the resilience program and the development of program objectives are established in the Enterprise Focus process area.
The data and information that the organization needs to provide governance and control over the operational resilience management system are established in the Monitoring process area and used in the Enterprise Focus process area.
The guidelines and standards for communicating about events, incidents, and crises are addressed in the Incident Management and Control process area.
The guidelines and standards for communicating with external entities to coordinate management of events are addressed in the External Dependencies Management process area.
Specific communications activities relevant to service continuity plans are developed and implemented in the Service Continuity process area.
Awareness communications relative to operational resilience management are addressed in the Organizational Training and Awareness process area.
The requirements, guidelines, and standards for resilience communications are established.
An organization may have many diverse communications needs related to managing operational resilience. For example, effective oral and written communications support the organization’s ability to provide
• awareness about resilience plans, processes, and activities
• information about events, incidents, and disruptions that the organization is addressing
• support to the successful execution of service continuity plans
• emergency and on-demand information to first responders and public service providers
• proactive information to external stakeholders (vendors, suppliers, and business partners) on the status of the organization’s resilience program and effectiveness in meeting goals
• regular communications to regulators, lawmakers, and other constituencies that have a vested interest in the organization’s resilience
Resilience communications are typically part of a larger enterprise or organizational communications strategy. To ensure that these communications activities are consistent with the organization’s larger communications processes, and to address the range of communications needs required to support resilience processes, the organization establishes communications standards and guidelines that provide structure and context for resilience communications.
The essential elements for communications—the audience (stakeholders), the requirements (based on security and business continuity needs), and the standards by which communications are delivered—are established in this goal.
Internal and external stakeholders to which the organization must communicate relative to resilience activities are identified.
Organizations have many types of stakeholders that require communications related to managing operational resilience. These stakeholders may be very diverse depending on the type of communications needs they have, the frequency of the communications (whether discrete or continuous, circumstantial, or ongoing), and the level of communications necessary (notifications, press releases, crisis communications, etc.). Understanding the level and extent of stakeholders helps the organization to effectively develop and satisfy communications requirements.
Communications stakeholders are both internal and external to the organization. Internal stakeholders are identified to ensure ongoing communication about the organization’s resilience activities, promote resilience awareness, and ensure that staff can effectively communicate and collaborate during disruptive events. Likewise, external stakeholders may need information about the organization’s level of resilience, or they may have to be able to effectively communicate with the organization during times of crisis. These external organizations may even have a stated role in the communications plans or the service continuity of the organization. In addition, some regulatory and legal entities may require ongoing communications as evidence that an organization has taken appropriate actions to prepare for specific threats such as natural disasters and terrorism. Thus, the list of external stakeholders is developed to ensure proactive communications and message delivery regarding the organization’s preparedness and capabilities for managing resilience.
Because there are many stakeholders that require information, the organization must identify the relevant stakeholders and distribute information about communications plans to them as necessary.
Typical work products
Subpractices
When determining which stakeholders to include in the list, consider
• rationale for stakeholder involvement
• roles and responsibilities of the relevant stakeholders
• relationships between stakeholders
• relative importance of the stakeholder to the success of the program
• resources (e.g., training, materials, time, and funding) needed to ensure stakeholder interaction
Stakeholders and their communications needs may be defined as a part of other operational resilience management processes. For example, the communications needs of staff involved in the incident management process may be defined by that process. These communications requirements should be considered independently of the processes and practices in the Communications process area because they have a specialized purpose and involve specific stakeholders.
The plan identifies all internal and external stakeholders, including their roles and classes, as well as the types, frequencies, and levels of communication they are to receive in specified circumstances.
Refer to the Incident Management and Control process area for the identification and communications requirements of stakeholders relative to the incident management process.
Refer to the Service Continuity process area for the identification and communications requirements of stakeholders relative to the development and execution of service continuity plans.
Refer to the Monitoring process area for the identification of stakeholders that may have communications needs relative to monitoring and control processes. These stakeholders, as identified in MON:SG1.SP2, may overlap or be a subset of those that need specific and general resilience communications.
The types and extent of communications needed by the organization to support stakeholders are identified.
The foundation for communications requirements is the needs of stakeholders. The variety of communications types and duration is directly related to the diversity of the stakeholder community. For example, an internal communication might be about general awareness or about a specific event or incident. External communications might be public relations messages, critical communications during a crisis, or the execution of a service continuity plan.
In addition to stakeholders, communications requirements may also be derived directly from the needs of other operational resilience management processes. For example, the ways in which the organization must distribute information collected in the monitoring process may create requirements that must be met by the communications process. Moreover, many operational resilience management processes have communications processes embedded in their practices; this occurs in the process areas Incident Management and Control, Service Continuity, and Enterprise Focus (particularly in the governance cycle). These processes may directly provide requirements that must be considered in the larger, enterprise-focused communications process.
The organization must establish communications requirements as the foundation for the development and execution of a communications plan to support operational resilience management processes. Requirements help the organization to determine the scope of the communications process, plan, and program and to ensure the development of appropriate and cost-effective delivery mechanisms and infrastructure to support communications needs. Requirements determine whether communications methods are
• oral or written, or both
• provided on a one-time basis, at regular intervals, on an ongoing basis, or on demand
• provided on media that are disposable or able to be archived
• provided on more than one media type (paper, electronic, etc.)
Communications requirements also provide the foundation for the development and implementation of an infrastructure (people, processes, and technology) to support all types of resilience communication.
Service continuity plans and the organization’s incident management process (and other similar processes) may have very specific communications requirements. Thus, these requirements may be developed outside of the organization’s communications process to ensure accuracy and adequate coverage.
Typical work products
Subpractices
Because managing operational resilience is a broad, enterprise-wide activity, communications activities may need to cover diverse topics and may require focused messages to particular stakeholders. Communications needs must be purposefully aimed at distributing the appropriate message to each stakeholder group.
Communications requirements must be established by stakeholder and documented. Essential information about each requirement must be collected so that the requirements can be analyzed and prioritized.
Through analysis of communications requirements, the organization should seek to determine
• the scope of the requirement
• the potential infrastructure required to support the requirement
• the resources (human, capital, or expense) needed to support the requirement
• alternatives for meeting the requirement
• requirements that cannot be met, and the potential risk to the organization that results
• duplicative requirements or requirements that can be met through consolidated processes
The enterprise guidelines and standards for satisfying communications needs are established and maintained.
The effectiveness of communications is dependent on message clarity, the use of appropriate message media, the accuracy and consistency of the message, and the ability to confirm receipt of the communication. The inability to ensure high-quality and effective communications may result in a dilution of the message or in misunderstanding, misinterpretation, or confusion.
To ensure message consistency, accuracy, and completeness, as well as fitness for the intended purpose and stakeholder audience, the organization should establish communications guidelines and standards. These guidelines and standards should reflect the organization’s operational resilience management objectives and be implemented at a level that sufficiently ensures their use in all communications processes. All staff involved in the communications process should be bound by adherence to the guidelines and standards, and the guidelines and standards should be extensible to vendors and business partners who may handle specific and unique communications activities for the organization.
Guidelines and standards are typically organization-specific and may reflect the organization’s culture, industry and peer group, and environmental and geographical location.
Even though the requirements for communications may be specifically developed in other processes, such as the development of service continuity plans or in the incident management process, these requirements should be implemented under the auspices of the communications standards and guidelines that are established in COMM:SG1.SP3.
Typical work products
Subpractices
The process for developing, deploying, and managing resilience communications is established.
Resilience communications, especially communications about serious incidents or crises, cannot be effectively managed by reaction. The organization must plan its approach to communications, align this plan with strategic objectives, and provide sponsorship and oversight to the plan.
Managing communications requires the organization to establish a communications plan that addresses the unique and specific needs that arise from the processes involved in managing operational resilience. The communications plan is carried out through a communications program that is staffed with resources that are properly trained and authorized to develop, implement, and manage communications processes and specifically meet the needs of resilience communications.
In many organizations, the practices in COMM:SG2 may be a subset of the organization’s overall communications capability. Therefore, these practices may be satisfied by existing processes that are expanded to specifically include and address the requirements established in COMM:SG1.SP2. However, it may be necessary for an organization to establish plans and programs for resilience communications where existing communications competencies are not adequate. This must be considered in the development of a communications plan (in COMM:SG2.SP1) and a corresponding communications program (COMM:SG2.SP2).
Planning for the resilience communications process is performed.
The resilience communications plan details how the organization will meet the requirements of stakeholders and other operational resilience management processes (as established in COMM:SG1.SP2). The plan should specifically detail how the requirements will be met and should provide for the establishment of a resilience communications program as a conduit for implementing the plan. The plan may be a subset of the organization’s enterprise communications plan.
Specifically, the plan must address the development, delivery, and maintenance of communications and related materials to provide the organizational message to each class of stakeholder. The plan should address near-term development and delivery and should be adjusted with some regularity in response to new or changing needs and from the assessment of the effectiveness of communications activities.
The plan may establish the communications requirements, guidelines, and standards to be upheld by other operational resilience management processes. For example, the plan may address how provisions for communications during crisis management or disruptive events have to be handled in service continuity plans.
Communications needs are temporal and may change as a result of changes in technology, policy, strategy, and risks being managed. A routine process to maintain and update messages, content, intent, methods, and channels is a necessary part of communications planning.
Typical work products
Subpractices
The resilience communications plan may be a subset of the organization’s enterprise communications plan with specific references to meeting the requirements of resilience communications.
The resilience communications plan should address the following, at a minimum:
• the strategy and objectives for resilience communications
• the structure of the resilience communications program to carry out the plan (See COMM:SG2.SP2.)
• the identification of stakeholders with which communications are required
• the types of media and channels by which communications will be handled
• the various message types and level of communications appropriate to various stakeholders (For example, incident communications may be vastly different for incident responders than for those who simply need to know.)
• the frequency and timing of communications
• special controls over communications (i.e., encryption or secured communications) that are appropriate for some stakeholders
• the roles and responsibilities necessary to carry out the plan (See COMM:SG2.SP3.)
• applicable training needs and requirements (particularly for specialized types of communications)
• resources that will be required to meet the plan provisions
• internal and external resources that are involved in supporting the communications process
• relevant costs and budgets associated with communications activities
Specific types of planning may be necessary for communications processes that are embedded in other operational resilience management processes such as incident management and service continuity planning. In these cases, the resilience communications plan should, at a minimum, reference the planning activities in these other processes and should ensure that this planning follows the structure and guidelines of the Communications process area.
The resilience communications plan may be a subset of the organization’s enterprise communications plan with specific references to meeting the requirements of resilience communications.
A program for executing the resilience communications management plan is established and maintained.
A resilience communications program details the specific activities that the organization will perform to satisfy the communications plan and, in turn, to meet resilience communication requirements. The program addresses fundamental tasks such as
• identifying relevant stakeholders of the communications process
• collecting communications requirements
• analyzing and prioritizing requirements
• establishing and enforcing communications guidelines and standards
• establishing methods, procedures, and processes to develop, implement, and manage communications processes and to develop and distribute timely and effective communications
• establishing and maintaining an appropriate infrastructure to support the attainment of communications requirements
• managing external service providers who may have a role in supporting or carrying out communications requirements
The program details the roles and responsibilities that the plan relies upon for execution and establishes the communications flow and infrastructure that support the communications plan. Because resilience communications span the organization and needs can be diverse, the program must detail how the organization can meet these challenges in the most efficient and effective manner.
Subpractices
The program for resilience communications should address how the organization will carry out the communications plan, meet the needs of stakeholders, and ensure effective communications. It should include provisions for how the organization will
• identify and prioritize stakeholders
• collect communications requirements from stakeholders
• analyze and prioritize requirements
• set the scope of the communications program
• establish and enforce standards and guidelines
• enforce consistency across all communications activities related to resilience, whether or not they occur in other operational resilience management processes
• identify appropriate communications methods and channels
• plan for and implement an infrastructure to support communications
• manage external service providers who support communications activities on behalf of the organization
Staff are assigned authority and accountability for carrying out the communications plan and program.
The diverse and expansive nature of communications requirements for supporting operational resilience management processes requires knowledgeable, skilled, and experienced staff to be successful.
• Communications plan and program resources may fall into one or more of the following categories:
• internal communications and awareness
• public relations and external communications and outreach
• notification and escalation communications (related to managing incidents, communicating about risks or vulnerabilities, etc.)
• coordination-focused communications
Internal communications and public relations activities are informational types of communication. They present informative messages about the organization’s activities related to resilience and can even encompass such communications as testimony on congressional panels, conference presentations, and communication with regulators for compliance purposes. Notification and escalation communications represent communications processes that are embedded into other operational resilience management processes that require a free flow of information to achieve process goals. Coordination communications tend to be oral, spontaneous, and event- or response-driven and focus on coordinating the activities of a service continuity plan or the response component of an incident.
Resources must be available in the organization to staff or support all of these types of communications as needed. Internal communications and public relations activities tend to be carried out by communications professionals—staff who have specific training and skills in communications and who work primarily in communications roles in the organization. Notification, escalation, and coordination communications may be carried out by anyone in the organization who is in a primary or supporting resilience role. Thus, staff on an incident response team may be involved in a communications role because of the nature of their work. These types of communications are typically supported by a communications infrastructure and knowledgeable staff who support the infrastructure or are trained in effective communications during times of stress and disruption.
Regardless of the communications type, the organization must provide training (sometimes specialized) to staff who support and enable communications processes. This may begin with a skills inventory and gap analysis so that effective training programs can be identified and used. For staff involved in communications roles during the execution of service continuity plans, communications training may be extensive and may involve frequent exercises and tests to ensure effectiveness.
Communications resources may be internal or external to the organization. Thus, where the organization does not have direct control over communications resources, it must attempt to ensure that proper training is provided to carry out plan and program requirements.
Specific skills training for resilience staff is addressed in the Organizational Training and Awareness process area.
Skill inventories and gap analysis are addressed in the Human Resource Management process area.
Cross-training and training for succession planning are addressed in the Human Resource Management process area.
Managing relationships with external entities is addressed in the External Dependencies Management process area.
Typical work products
Subpractices
Because some communications processes are embedded in other operational resilience management processes, these job descriptions may not be communications-specific and could be part of a larger resource commitment or assignment.
Remember that these roles and responsibilities may already exist as part of the organization’s enterprise communications capabilities.
Skills and resource gaps for each role and responsibility should be identified and resolved.
This is especially important for communications roles in other operational resilience management processes, such as incident management and in the execution of service continuity plans.
The activities necessary to deliver communications for resilience activities on an operational and event-driven basis are established.
Resilience communications must be delivered on an as-needed basis, according to the organization’s requirements. Because resilience communications can be diverse, the organization may need to develop and implement a broad array of processes, practices, technology, and infrastructure to support those requirements. The organization should consider and identify various communications methods and channels (as appropriate to support requirements) and develop and implement an infrastructure (physical and technical) to support those methods and channels. Through these actions, the organization seeks to deliver timely, relevant, consistent, high-quality, and purposeful communications proactively or during an event, incident, or crisis.
Communications methods and channels relative to stakeholder and organizational needs are identified and established.
Effective communication requires a sender and a receiver. Depending on the goals, objectives, and target audiences outlined in the communications plan and program, the methods and channels used to deliver communications may vary. The methods and channels that the organization chooses must be able to support and enable communications requirements as stated in the communications plan and program.
Communications methods and channels may be formal or informal, oral or written, peer-to-peer, peer-to-subordinate, or peer-to-superior. Messages can also be delivered non-verbally through actions and gestures. Communications methods and channels can include
• policy statements
• procedures manuals and company handbooks
• specific press releases and wires
• company hotlines, such as those that allow for reporting of ethics violations
• email messages and text messaging
• intranet and internet sites and webcasts
• newsletters, posters, and flyers, as well as bulletin boards and other gathering spots
• newspapers, magazines, and other print media
• television, radio, podcasts, videocasts, and other public media
• presentations, tutorials, and symposia
• emergency broadcast systems and methods
• closed communications channels such as two-way radio, CB radio, and satellite phone
• secured communications channels (to provide for classified conversations) such as STUs (secure telephone units)
Methods and tools for communicating with staff, customers, end users, service provider staff, and other stakeholders during the course of service delivery are also part of the enterprise-wide communications strategy and execution. These methods and tools have to be regularly reviewed, tailored, and possibly supplemented to meet ongoing communications requirements.
Typical work products
Subpractices
Ensure that the methods and channels will enable the organization to meet the requirements of the communications plan and program and the stakeholders’ requirements.
Ensure that the organization is capable of performing the methods and channels identified and that there is sufficient infrastructure to support these methods and channels.
An infrastructure appropriate to meet the organization’s resilience communications needs is established and managed.
Communications methods and channels are typically supported and enabled by a communications infrastructure. This infrastructure may be as simple as a manual process for developing and distributing a newsletter or as complex as the development and implementation of a wireless network to support voice and data communications during a crisis. From a generic standpoint, the organization’s communications infrastructure must support
• communications requirements from stakeholders
• the specific requirements and scope of the communications plan and program
• the communications methods and channels that the organization chooses to use
Because it is likely that communications methods and channels extend beyond the organization’s direct span of control, the communications infrastructure may be developed, implemented, managed, and owned by an external business partner. The organization must seek to ensure that this infrastructure meets its requirements and is reliable for delivering the specific types of communications for which it has been contracted.
Important considerations for an appropriate communications infrastructure include
• the nature and extent of the message
• the immediacy of the message (whether on-demand, spontaneous, etc.)
• whether the message to be delivered over the infrastructure is sensitive, confidential, or classified
• how messages will be stored and protected, if necessary
• the scope of end users of the message (i.e., how extensive is the audience)
• whether the communication is to be one-way or interactive
Specialized infrastructure may be required to meet the communications demands of processes such as incident management and to carry out specific activities in service continuity plans. In these cases, the organization may develop and implement infrastructure that directly and uniquely supports these activities outside of that which is required for general communications.
Typical work products
Subpractices
Many communications requirements may be substantially met by existing capabilities and infrastructure as part of the organization’s larger communications process. Inventorying existing capabilities and infrastructure may help the organization to accurately determine additional infrastructure needs and reduce the overall cost of providing communications services.
In order to successfully develop infrastructure to support communications requirements, the organization may need to decompose these requirements into functional requirements. Functional requirements represent the people, processes, and technologies that are needed to meet the communications requirements. Without knowing these requirements, the organization may find it difficult to accurately identify infrastructure needs.
If the organization cannot meet infrastructure needs (or contract with business partners to meet them), the organization may not be able to meet communications requirements. The organization should identify any requirements that cannot be met and determine if this poses any additional risk to the organization.
Resilience communications are reviewed to identify and implement improvements in the communications process.
The importance of communications processes to supporting the management of operational resilience requires that the organization continually assess its effectiveness in meeting communications requirements and make improvements where necessary. This is especially true given the dynamic nature of the operational and risk environment, emerging threats, and changes in technology and the geographical environment for facilities.
Some communications processes are fairly static—that is, they are foundational activities that are not typically affected by change. For example, the organization may have structured processes for addressing the print and television media that are valid no matter what the current operating conditions are. Other communications processes must continually evolve. For example, crisis communications processes evolve as the organization is put to the test and as lessons are learned and shared. To some extent, every incident or crisis situation may pose new and emerging challenges that the organization has not previously encountered and that will cause a review of communications requirements, plans and programs, methods and channels, and infrastructure.
Learning from communications processes is focused on improving the organization’s ability to proactively meet its communications requirements rather than to resort to ad hoc methods and processes that may in fact harm the organization, particularly during an event, incident, or crisis. While all situations cannot be planned for, the organization can establish foundational competencies and improve these capabilities with what is learned from communications efforts—particularly those performed during times of stress. Eventually, this should result in a shift to planning and away from reacting.
Improving resilience communications requires the organization to formally assess the effectiveness of its communications processes and to develop and implement improvements in these processes on an ongoing basis.
The effectiveness of resilience communications plans and programs is assessed and corrective actions are identified.
Communications activities must be reviewed regularly to ensure that they continue to meet the needs of stakeholders and support operational resilience management processes.
Day-to-day communications, such as staff communications and press releases, are generally vetted before they are released to help prevent miscommunication and misinterpretation. Event, incident, and crisis communications, on the other hand, may not exhibit problems until execution. The organization may not be able to foresee all of the potential circumstances that could diminish effectiveness and ultimately impact the success of incident management and service continuity processes.
Assessing communications effectiveness should aim to answer basic questions such as these:
• Did the communication meet the purpose?
• Was the message clear, concise, unambiguous, and timely?
• Were all stakeholders that have a need to know included in the distribution of the information?
• Did the communications infrastructure support the process as intended?
• Were communications methods and channels effective for the purpose?
• Were spontaneous communications inhibited by technical glitches, lack of training of staff, or other obstacles?
Event, incident, and crisis communications may require additional levels of observation and examination to identify issues, concerns, obstacles, and errors. In some cases, these types of communications can be tested when service continuity plans are exercised or when incident drills are performed. These activities provide information that could improve communications competencies before they result in impacting the organization’s effectiveness. However, the organization should specifically plan for collecting effectiveness information during event, incident, and crisis communications so that real-time issues can be brought to light post-activity.
Subpractices
For event, incident, and crisis communications, this review should be performed during service continuity plan exercises and drills of the incident management process. In addition, communications issues that arise during an event, incident, or crisis should be uncovered in post-incident or post-event reviews.
The evaluation of service continuity plan exercises is performed in SC:SG5.SP3 and the post-execution review of service continuity plans is performed in SC:SG6.SP2 in the Service Continuity process area.
For post-incident review, this process may include the communications issues identified in a post-incident analysis report (as described in IMC:SG5.SP1). For a post-plan execution review, this process may include areas of improvement for service continuity plans (as described in SC:SG6.SP2).
Lessons learned in managing resilience communications are used to improve communications plans and programs.
The importance of communications to the operational resilience management system requires that the organization make a sizeable investment in human and capital resources. Thus, communications processes must be effective and efficient, preserve the organization’s investment, and prevent the organization from being impacted as a result of poorly designed and implemented communications.
Lessons learned from regular review of communications processes, and in particular during event, incident, and crisis communications, can strengthen resilience communications and help to improve the organization’s overall communications competency. These lessons learned can serve as a benchmark for continuous improvement of communications processes.
Subpractices
This process may require the organization to revisit the effectiveness of meeting communications requirements and to perform analysis of requirements to determine why they are not being met.
In addition, the organization may need to revisit and revise resilience policies and strategies, training needs and requirements, and the communications processes that are embedded in other operational resilience management processes. Specifically, service continuity plans may have to be updated to improve communications effectiveness.
Refer to the Generic Goals and Practices document in Appendix A for general guidance that applies to all process areas. This section provides elaborations relative to the application of the Generic Goals and Practices to the Communications process area.
The operational resilience management system supports and enables achievement of the specific goals of the Communications process area by transforming identifiable input work products to produce identifiable output work products.
Perform the specific practices of the Communications process area to develop work products and provide services to achieve the specific goals of the process area.
Elaboration:
Specific practices COMM:SG1.SP1 through COMM:SG4.SP2 are performed to achieve the goals of the communications process.
Communications is institutionalized as a managed process.
Establish and maintain governance over the planning and performance of the communications process.
Refer to the Enterprise Focus process area for more information about providing sponsorship and oversight to the communications process.
Subpractices
Elaboration:
Elaboration:
Establish and maintain the plan for performing the communications process.
Elaboration:
COMM:SG2.SP1 requires the development of a plan for how the organization will carry out a program to support resilience communications. In COMM:GG2.GP2, the planning elements required in COMM:SG2.SP1 are formalized and structured, and performed in a managed way. The plan for the communications process should reflect the organization’s stated preferences for general resilience communications, communications during events and incidents, communications to external stakeholders, public relations, and communications needs as required by other resilience processes. The plan should also address how the process will be actualized (through individual roles, dedicated teams, virtual teams, etc.).
Subpractices
Elaboration:
Foundational elements such as communications requirements, stakeholders, and communications standards and guidelines (which are essential to support communications processes) are addressed in COMM:SG1 and should be reflected in the plan as called for here.
Elaboration:
Foundational elements such as communications requirements, stakeholders, and communications standards and guidelines (which are essential to support communications processes) are addressed in COMM:SG1. The process for developing, deploying, and managing resilience communications is described in COMM:SG2. Practices described in COMM:SG1 and COMM:SG2 should be reflected in the process description as called for here.
Provide adequate resources for performing the communications process, developing the work products, and providing the services of the process.
Elaboration:
COMM:SG2.SP3 requires the assignment of resources to the communications plan and program. In COMM:GG2.GP3, resources are formally identified and assigned to plan elements.
Subpractices
Elaboration:
This generic practice related to communications refers to staffing the communications process program, not the provision of communications resources in processes such as incident management and service continuity.
Refer to the Organizational Training and Awareness process area for information about training staff for resilience roles and responsibilities.
Refer to the Human Resource Management process area for information about acquiring staff to fulfill roles and responsibilities.
Refer to the Financial Resource Management process area for information about budgeting for, funding, and accounting for communications.
Elaboration:
Resilience communications require the provision of significant levels of tools, techniques, and methods to support the broad range of communications requirements. In COMM:SG3.SP1 and COMM:SG3.SP2, the supporting structure for communications is established. In COMM:GG2.GP3 subpractice 3, the provision of this structure is formally tied to the communications plan and program, and the ability of the tools, techniques, and methods to support stated communications requirements is validated.
Assign responsibility and authority for performing the communications process, developing the work products, and providing the services of the process.
COMM:SG2.SP3 requires the assignment of staff responsibility, accountability, and authority for communications plan and program tasks. In COMM:GG2.GP4, commitments are formally identified to support resource allocations to plan elements.
Refer to the Human Resource Management process area for more information about establishing resilience as a job responsibility, developing resilience performance goals and objectives, and measuring and assessing performance against these goals and objectives.
Subpractices
Elaboration:
Keep in mind that specialized communications needs may arise unexpectedly when an incident or crisis occurs, requiring virtual teams or responsibilities to be assigned quickly.
Refer to the External Dependencies Management process area for additional details about managing relationships with external entities.
Train the people performing or supporting the communications process as needed.
Refer to the Organizational Training and Awareness process area for more information about training the people performing or supporting the process.
Refer to the Human Resource Management process area for more information about inventorying skill sets, establishing a skill set baseline, identifying required skill sets, and measuring and addressing skill deficiencies.
Subpractices
Elaboration:
Elaboration:
Certification training is an effective way to improve communications skills and attain competency. Training and certification in crisis communications or specialized public relations are available for staff who focus specifically on communications regarding incidents and other resilience issues.
Place designated work products of the communications process under appropriate levels of control.
Elaboration:
COMM:SG4.SP2 specifically addresses the change control process over communications plans, programs, and processes. However, other work products of the communications process (such as the communications process plan and communications process policies) must also be managed and controlled.
Tools, techniques, and methods should be employed to perform consistent and structured version control over the communications infrastructure to ensure that all methods, channels, and media are the most current and “official.” The tools, techniques, and methods can also be used to provide access control over inquiry, modification, and deletion and to track version changes and updates.
Identify and involve the relevant stakeholders of the communications process as planned.
Elaboration:
Stakeholders both provide and receive communications. Several COMM-specific practices address aspects of the involvement of stakeholders in the communications process. For example, COMM:SG1.SP1 calls for the identification of internal and external stakeholders that require information relative to resilience activities. COMM:SG1.SP2 captures the communications needs of stakeholders to serve as a source of communications process requirements. COMM:SG1.SP3 establishes guidelines and standards informed by stakeholder needs and requirements. COMM:SG2.SP2 and COMM:SG2.SP3 describe the development of communications plans and programs that meet stakeholder requirements. COMM:SG3.SP1 requires that communications methods and channels meet stakeholder needs.
COMM:GG2.GP7 generically covers the role of stakeholders across all aspects of the communications process: developing plans and programs, executing plans and programs, and receiving communications.
Subpractices
Elaboration:
In COMM:GG2.GP7 subpractice 1, stakeholders are limited to those that have direct responsibility for the development and execution of the communications plan and process. Stakeholders that require direct communications in order to enable or support a service continuity plan or to communicate an incident or a response fall outside of this activity.
COMM:SG1.SP1 subpractice 1 lists examples of stakeholders of the communications process.
Monitor and control the communications process against the plan for performing the process and take appropriate corrective action.
Refer to the Monitoring process area for more information about the collection, organization, and distribution of data that may be useful for monitoring and controlling processes.
Refer to the Measurement and Analysis process area for more information about establishing process metrics and measurement.
Refer to the Enterprise Focus process area for more information about providing process information to managers, identifying issues, and determining appropriate corrective actions.
Subpractices
Elaboration:
Elaboration:
COMM:SG4.SP1 and COMM:SG4.SP2 call for assessing the effectiveness of resilience communications, identifying improvement actions, and revising plans, programs, methods, and channels to reflect such improvements. In COMM:GG2.GP8 subpractice 3, the review activities are formalized and performed consistently to ensure identification of issues and concerns that need attention and could affect the process in the future. Because communications may be planned or on-demand, formal reviews may be periodic or post-incident or -event.
Elaboration:
Because communications can be spontaneous, deviations from the plan for performing the process are to be expected. In addition, deviations from the communications plan may occur when organizational units fail to follow the enterprise-sponsored plan. These deviations may affect the operational resilience of the organizational unit’s services but may also have a cascading effect on enterprise operational resilience objectives.
Objectively evaluate adherence of the communications process against its process description, standards, and procedures, and address non-compliance.
Elaboration:
Review the activities, status, and results of the communications process with higher-level managers and resolve issues.
Refer to the Enterprise Focus process area for more information about providing sponsorship and oversight to the operational resilience management system.
Communications is institutionalized as a defined process.
Establish and maintain the description of a defined communications process.
Establishing and tailoring process assets, including standard processes, are addressed in the Organizational Process Definition process area.
Establishing process needs and objectives and selecting, improving, and deploying process assets, including standard processes, are addressed in the Organizational Process Focus process area.
Subpractices
Collect communications work products, measures, measurement results, and improvement information derived from planning and performing the process to support future use and improvement of the organization’s processes and process assets.
Elaboration:
COMM:SG4.SP1 and COMM:SG4.SP2 call for assessing the effectiveness of resilience communications, identifying improvement actions, and revising plans, programs, methods, and channels to reflect such improvements. In COMM:GG3.GP2, all improvement information is collected and documented in support of establishing and maintaining a defined process for communications.
Establishing the measurement repository and process asset library is addressed in the Organizational Process Definition process area. Updating the measurement repository and process asset library as part of process improvement and deployment is addressed in the Organizational Process Focus process area.
Subpractices