Communications

Enterprise

Purpose

The purpose of Communications is to develop, deploy, and manage internal and external communications to support resilience activities and processes.

Introductory Notes

Communication is a basic organizational activity and competency. From a resilience perspective, communication is an essential function, tying together disparate parts of the organization that collectively have a vested interest in protecting high-value assets and services and sustaining assets and services during and after a disruptive event.

Internally, communications processes are embedded in operational resilience management processes such as incident management, governance, and compliance, and support the development and execution of plans for sustaining the required level of resilience; externally, communications processes provide much-needed information to relevant stakeholders on the capability of the organization to protect and sustain assets and services, handle disruptions, and preserve customer confidence in unsettled and stressful times. Most important, communications are a critical success factor in ensuring the successful execution of service continuity plans and decision making, particularly during a crisis or disaster.

The Communications process area seeks to capture the communications activities that support and enable effective management of operational resilience. This requires foundational processes for basic and ongoing communications needs as well as more flexible ones for supporting the communications demands of managing events and executing service continuity plans. In the Communications process area, the organization establishes communications requirements that reflect the needs of stakeholders that are important to managing operational resilience. Communications guidelines and standards are developed to ensure the consistency and accuracy of messages and communications methods across all resilience processes. The communications infrastructure is established and managed to ensure effective and continuous communications flow when needed. The organization also regularly assesses its communications abilities, particularly after an event, incident, or crisis, to revise communications requirements and to make improvements in the type and media of communications and the communications infrastructure.

The Communications process area focuses on communications processes that directly support the management of operational resilience. These processes are likely to be part of a larger (and in some cases, enterprise-wide) communications process in the organization. Thus, the Communications process area is not considered a substitute for this larger process.

Related Process Areas

The definition of the resilience program and the development of program objectives are established in the Enterprise Focus process area.

The data and information that the organization needs to provide governance and control over the operational resilience management system are established in the Monitoring process area and used in the Enterprise Focus process area.

The guidelines and standards for communicating about events, incidents, and crises are addressed in the Incident Management and Control process area.

The guidelines and standards for communicating with external entities to coordinate management of events are addressed in the External Dependencies Management process area.

Specific communications activities relevant to service continuity plans are developed and implemented in the Service Continuity process area.

Awareness communications relative to operational resilience management are addressed in the Organizational Training and Awareness process area.

Summary of Specific Goals and Practices

Specific Practices by Goal

Prepare for Resilience Communications

The requirements, guidelines, and standards for resilience communications are established.

An organization may have many diverse communications needs related to managing operational resilience. For example, effective oral and written communications support the organization’s ability to provide

• awareness about resilience plans, processes, and activities

• information about events, incidents, and disruptions that the organization is addressing

• support to the successful execution of service continuity plans

• emergency and on-demand information to first responders and public service providers

• proactive information to external stakeholders (vendors, suppliers, and business partners) on the status of the organization’s resilience program and effectiveness in meeting goals

• regular communications to regulators, lawmakers, and other constituencies that have a vested interest in the organization’s resilience

Resilience communications are typically part of a larger enterprise or organizational communications strategy. To ensure that these communications activities are consistent with the organization’s larger communications processes, and to address the range of communications needs required to support resilience processes, the organization establishes communications standards and guidelines that provide structure and context for resilience communications.

The essential elements for communications—the audience (stakeholders), the requirements (based on security and business continuity needs), and the standards by which communications are delivered—are established in this goal.

Identify Relevant Stakeholders

Internal and external stakeholders to which the organization must communicate relative to resilience activities are identified.

Organizations have many types of stakeholders that require communications related to managing operational resilience. These stakeholders may be very diverse depending on the type of communications needs they have, the frequency of the communications (whether discrete or continuous, circumstantial, or ongoing), and the level of communications necessary (notifications, press releases, crisis communications, etc.). Understanding the level and extent of stakeholders helps the organization to effectively develop and satisfy communications requirements.

Communications stakeholders are both internal and external to the organization. Internal stakeholders are identified to ensure ongoing communication about the organization’s resilience activities, promote resilience awareness, and ensure that staff can effectively communicate and collaborate during disruptive events. Likewise, external stakeholders may need information about the organization’s level of resilience, or they may have to be able to effectively communicate with the organization during times of crisis. These external organizations may even have a stated role in the communications plans or the service continuity of the organization. In addition, some regulatory and legal entities may require ongoing communications as evidence that an organization has taken appropriate actions to prepare for specific threats such as natural disasters and terrorism. Thus, the list of external stakeholders is developed to ensure proactive communications and message delivery regarding the organization’s preparedness and capabilities for managing resilience.

Because there are many stakeholders that require information, the organization must identify the relevant stakeholders and distribute information about communications plans to them as necessary.

Typical work products

1. List of stakeholders that need to receive communications
2. Classes or roles of stakeholders
3. List of appropriate internal and external stakeholders
4. Stakeholder involvement plan

Subpractices

1. Identify relevant stakeholders that may have a vested interest or vital role in communications about resilience.

   When determining which stakeholders to include in the list, consider

   • rationale for stakeholder involvement

   • roles and responsibilities of the relevant stakeholders

   • relationships between stakeholders

   • relative importance of the stakeholder to the success of the program

   • resources (e.g., training, materials, time, and funding) needed to ensure stakeholder interaction

   These are examples of stakeholders that may need to receive communications:

   • members of the incident handling and management team (if the organization has established such a team) or internal staff who have incident handling and management job responsibilities

   • shareholders

   • asset owners and service owners

   • information technology staff

   • middle and higher-level managers

   • business continuity staff (if they will be required to enact continuity or restoration plans as a result of an incident)

   • human resources departments, particularly if safety is an issue

   • communications and public relations staff

   • staff involved in governance and oversight functions

   • support functions such as legal and audit

   • legal and law enforcement staff as required

   • external media outlets, including newspaper, television, radio, and internet

   • customers, business partners, and upstream suppliers

   • local, state, and federal emergency management

   • local utilities such as power, gas, telecommunications, and water, if affected

   • regulatory and governing agencies

   Stakeholders and their communications needs may be defined as a part of other operational resilience management processes. For example, the communications needs of staff involved in the incident management process may be defined by that process. These communications requirements should be considered independently of the processes and practices in the Communications process area because they have a specialized purpose and involve specific stakeholders.

2. Establish a plan that describes the involvement of all communications stakeholders.

   The plan identifies all internal and external stakeholders, including their roles and classes, as well as the types, frequencies, and levels of communication they are to receive in specified circumstances.

   Refer to the Incident Management and Control process area for the identification and communications requirements of stakeholders relative to the incident management process.

   Refer to the Service Continuity process area for the identification and communications requirements of stakeholders relative to the development and execution of service continuity plans.

   Refer to the Monitoring process area for the identification of stakeholders that may have communications needs relative to monitoring and control processes. These stakeholders, as identified in MON:SG1.SP2, may overlap or be a subset of those that need specific and general resilience communications.

Identify Communications Requirements

The types and extent of communications needed by the organization to support stakeholders are identified.

The foundation for communications requirements is the needs of stakeholders. The variety of communications types and duration is directly related to the diversity of the stakeholder community. For example, an internal communication might be about general awareness or about a specific event or incident. External communications might be public relations messages, critical communications during a crisis, or the execution of a service continuity plan.

In addition to stakeholders, communications requirements may also be derived directly from the needs of other operational resilience management processes. For example, the ways in which the organization must distribute information collected in the monitoring process may create requirements that must be met by the communications process. Moreover, many operational resilience management processes have communications processes embedded in their practices; this occurs in the process areas Incident Management and Control, Service Continuity, and Enterprise Focus (particularly in the governance cycle). These processes may directly provide requirements that must be considered in the larger, enterprise-focused communications process.

The organization must establish communications requirements as the foundation for the development and execution of a communications plan to support operational resilience management processes. Requirements help the organization to determine the scope of the communications process, plan, and program and to ensure the development of appropriate and cost-effective delivery mechanisms and infrastructure to support communications needs. Requirements determine whether communications methods are

• oral or written, or both

• provided on a one-time basis, at regular intervals, on an ongoing basis, or on demand

• provided on media that are disposable or able to be archived

• provided on more than one media type (paper, electronic, etc.)

Communications requirements also provide the foundation for the development and implementation of an infrastructure (people, processes, and technology) to support all types of resilience communication.

Service continuity plans and the organization’s incident management process (and other similar processes) may have very specific communications requirements. Thus, these requirements may be developed outside of the organization’s communications process to ensure accuracy and adequate coverage.

Typical work products

1. Communications requirements by stakeholder and process

Subpractices

1. Analyze the resilience program to identify the types and extent of communications that are necessary to satisfy resilience program objectives.
2. Document the communications needs of stakeholders.

   Because managing operational resilience is a broad, enterprise-wide activity, communications activities may need to cover diverse topics and may require focused messages to particular stakeholders. Communications needs must be purposefully aimed at distributing the appropriate message to each stakeholder group.

3. Establish communications requirements for operational resilience management processes.

   Communications requirements must be established by stakeholder and documented. Essential information about each requirement must be collected so that the requirements can be analyzed and prioritized.

4. Analyze and prioritize communications requirements.

   Through analysis of communications requirements, the organization should seek to determine

   • the scope of the requirement

   • the potential infrastructure required to support the requirement

   • the resources (human, capital, or expense) needed to support the requirement

   • alternatives for meeting the requirement

   • requirements that cannot be met, and the potential risk to the organization that results

   • duplicative requirements or requirements that can be met through consolidated processes

5. Revise the communications needs of the organization as changes to the resilience program and strategy are made.

Establish Communications Guidelines and Standards

The enterprise guidelines and standards for satisfying communications needs are established and maintained.

The effectiveness of communications is dependent on message clarity, the use of appropriate message media, the accuracy and consistency of the message, and the ability to confirm receipt of the communication. The inability to ensure high-quality and effective communications may result in a dilution of the message or in misunderstanding, misinterpretation, or confusion.

To ensure message consistency, accuracy, and completeness, as well as fitness for the intended purpose and stakeholder audience, the organization should establish communications guidelines and standards. These guidelines and standards should reflect the organization’s operational resilience management objectives and be implemented at a level that sufficiently ensures their use in all communications processes. All staff involved in the communications process should be bound by adherence to the guidelines and standards, and the guidelines and standards should be extensible to vendors and business partners who may handle specific and unique communications activities for the organization.

Guidelines and standards are typically organization-specific and may reflect the organization’s culture, industry and peer group, and environmental and geographical location.

Even though the requirements for communications may be specifically developed in other processes, such as the development of service continuity plans or in the incident management process, these requirements should be implemented under the auspices of the communications standards and guidelines that are established in COMM:SG1.SP3.

Typical work products

1. Resilience communications guidelines and standards

Subpractices

1. Develop resilience communications guidelines and standards.

   Communications guidelines and standards may address

   • alignment with and reflection of organizational strategy, policies, and governance processes

   • appropriateness of various types of media and message content for different types of communications requirements

   • approval levels and processes for approving message content and delivery

   • determination of who is authorized to create messages and deliver them in the organization

   • requirements for crisis communications between the organization and first responders and other emergency and public service staff

   • communications between the organization and its environmental and public infrastructure partners

   • specific guidelines for communicating with regulators, law enforcement, or other governmental or legal entities

   • specific guidelines for vendors and business partners when communicating on behalf of the organization

   • specific guidelines for vendors and business partners who perform communications processes on behalf of the organization

   • a taxonomy for industry-specific terms and a glossary

   • templates for standardized types of communications and media interaction

   • documentation requirements for use of trademarks and other identity guidelines

   • quality assurance processes and practices to perform fact-checking and to ensure consistency and accuracy

   • technical guidelines and standards for communications during crisis situations and for interaction with public service providers and first responders

Prepare for Communications Management

The process for developing, deploying, and managing resilience communications is established.

Resilience communications, especially communications about serious incidents or crises, cannot be effectively managed by reaction. The organization must plan its approach to communications, align this plan with strategic objectives, and provide sponsorship and oversight to the plan.

Managing communications requires the organization to establish a communications plan that addresses the unique and specific needs that arise from the processes involved in managing operational resilience. The communications plan is carried out through a communications program that is staffed with resources that are properly trained and authorized to develop, implement, and manage communications processes and specifically meet the needs of resilience communications.

In many organizations, the practices in COMM:SG2 may be a subset of the organization’s overall communications capability. Therefore, these practices may be satisfied by existing processes that are expanded to specifically include and address the requirements established in COMM:SG1.SP2. However, it may be necessary for an organization to establish plans and programs for resilience communications where existing communications competencies are not adequate. This must be considered in the development of a communications plan (in COMM:SG2.SP1) and a corresponding communications program (COMM:SG2.SP2).

Establish a Resilience Communications Plan

Planning for the resilience communications process is performed.

The resilience communications plan details how the organization will meet the requirements of stakeholders and other operational resilience management processes (as established in COMM:SG1.SP2). The plan should specifically detail how the requirements will be met and should provide for the establishment of a resilience communications program as a conduit for implementing the plan. The plan may be a subset of the organization’s enterprise communications plan.

Specifically, the plan must address the development, delivery, and maintenance of communications and related materials to provide the organizational message to each class of stakeholder. The plan should address near-term development and delivery and should be adjusted with some regularity in response to new or changing needs and from the assessment of the effectiveness of communications activities.

The plan may establish the communications requirements, guidelines, and standards to be upheld by other operational resilience management processes. For example, the plan may address how provisions for communications during crisis management or disruptive events have to be handled in service continuity plans.

Communications needs are temporal and may change as a result of changes in technology, policy, strategy, and risks being managed. A routine process to maintain and update messages, content, intent, methods, and channels is a necessary part of communications planning.

Typical work products

1. Resilience communications plan
2. Documented requests for commitment to the plan
3. Documented commitments to the plan

Subpractices

1. Develop and implement a resilience communications plan.

   The resilience communications plan may be a subset of the organization’s enterprise communications plan with specific references to meeting the requirements of resilience communications.

   The resilience communications plan should address the following, at a minimum:

   • the strategy and objectives for resilience communications

   • the structure of the resilience communications program to carry out the plan (See COMM:SG2.SP2.)

   • the identification of stakeholders with which communications are required

   • the types of media and channels by which communications will be handled

   • the various message types and level of communications appropriate to various stakeholders (For example, incident communications may be vastly different for incident responders than for those who simply need to know.)

   • the frequency and timing of communications

   • special controls over communications (i.e., encryption or secured communications) that are appropriate for some stakeholders

   • the roles and responsibilities necessary to carry out the plan (See COMM:SG2.SP3.)

   • applicable training needs and requirements (particularly for specialized types of communications)

   • resources that will be required to meet the plan provisions

   • internal and external resources that are involved in supporting the communications process

   • relevant costs and budgets associated with communications activities

   Specific types of planning may be necessary for communications processes that are embedded in other operational resilience management processes such as incident management and service continuity planning. In these cases, the resilience communications plan should, at a minimum, reference the planning activities in these other processes and should ensure that this planning follows the structure and guidelines of the Communications process area.

2. Establish commitments to the communications plan.

   The resilience communications plan may be a subset of the organization’s enterprise communications plan with specific references to meeting the requirements of resilience communications.

3. Revise the plan and commitments as necessary.

Establish a Resilience Communications Program

A program for executing the resilience communications management plan is established and maintained.

A resilience communications program details the specific activities that the organization will perform to satisfy the communications plan and, in turn, to meet resilience communication requirements. The program addresses fundamental tasks such as

• identifying relevant stakeholders of the communications process

• collecting communications requirements

• analyzing and prioritizing requirements

• establishing and enforcing communications guidelines and standards

• establishing methods, procedures, and processes to develop, implement, and manage communications processes and to develop and distribute timely and effective communications

• establishing and maintaining an appropriate infrastructure to support the attainment of communications requirements

• managing external service providers who may have a role in supporting or carrying out communications requirements

The program details the roles and responsibilities that the plan relies upon for execution and establishes the communications flow and infrastructure that support the communications plan. Because resilience communications span the organization and needs can be diverse, the program must detail how the organization can meet these challenges in the most efficient and effective manner.

Typical work products

1. Program scope and objectives
2. Project plans for program activities

Subpractices

1. Establish a resilience communications program.

   The program for resilience communications should address how the organization will carry out the communications plan, meet the needs of stakeholders, and ensure effective communications. It should include provisions for how the organization will

   • identify and prioritize stakeholders

   • collect communications requirements from stakeholders

   • analyze and prioritize requirements

   • set the scope of the communications program

   • establish and enforce standards and guidelines

   • enforce consistency across all communications activities related to resilience, whether or not they occur in other operational resilience management processes

   • identify appropriate communications methods and channels

   • plan for and implement an infrastructure to support communications

   • manage external service providers who support communications activities on behalf of the organization

Identify and Assign Plan Staff

Staff are assigned authority and accountability for carrying out the communications plan and program.

The diverse and expansive nature of communications requirements for supporting operational resilience management processes requires knowledgeable, skilled, and experienced staff to be successful.

• Communications plan and program resources may fall into one or more of the following categories:

• internal communications and awareness

• public relations and external communications and outreach

• notification and escalation communications (related to managing incidents, communicating about risks or vulnerabilities, etc.)

• coordination-focused communications

Internal communications and public relations activities are informational types of communication. They present informative messages about the organization’s activities related to resilience and can even encompass such communications as testimony on congressional panels, conference presentations, and communication with regulators for compliance purposes. Notification and escalation communications represent communications processes that are embedded into other operational resilience management processes that require a free flow of information to achieve process goals. Coordination communications tend to be oral, spontaneous, and event- or response-driven and focus on coordinating the activities of a service continuity plan or the response component of an incident.

Resources must be available in the organization to staff or support all of these types of communications as needed. Internal communications and public relations activities tend to be carried out by communications professionals—staff who have specific training and skills in communications and who work primarily in communications roles in the organization. Notification, escalation, and coordination communications may be carried out by anyone in the organization who is in a primary or supporting resilience role. Thus, staff on an incident response team may be involved in a communications role because of the nature of their work. These types of communications are typically supported by a communications infrastructure and knowledgeable staff who support the infrastructure or are trained in effective communications during times of stress and disruption.

Regardless of the communications type, the organization must provide training (sometimes specialized) to staff who support and enable communications processes. This may begin with a skills inventory and gap analysis so that effective training programs can be identified and used. For staff involved in communications roles during the execution of service continuity plans, communications training may be extensive and may involve frequent exercises and tests to ensure effectiveness.

Communications resources may be internal or external to the organization. Thus, where the organization does not have direct control over communications resources, it must attempt to ensure that proper training is provided to carry out plan and program requirements.

Specific skills training for resilience staff is addressed in the Organizational Training and Awareness process area.

Skill inventories and gap analysis are addressed in the Human Resource Management process area.

Cross-training and training for succession planning are addressed in the Human Resource Management process area.

Managing relationships with external entities is addressed in the External Dependencies Management process area.

Typical work products

1. Job descriptions for roles and responsibilities in the plan
2. List of available and skilled resources
3. List of skill and resource gaps
4. Mitigation plans to address skill and resource gaps
5. Updated communications plan with resources assigned

Subpractices

1. Develop detailed job descriptions for each role and responsibility detailed in the communications plan.

   Because some communications processes are embedded in other operational resilience management processes, these job descriptions may not be communications-specific and could be part of a larger resource commitment or assignment.

2. Establish a list of candidate and skilled resources to fill each role and responsibility in the communications plan.

   Remember that these roles and responsibilities may already exist as part of the organization’s enterprise communications capabilities.

   Skills and resource gaps for each role and responsibility should be identified and resolved.

3. Assign resources to communications process roles and responsibilities.
4. Ensure that organizational training is provided to communications staff with respect to the specific resilience communications roles they perform.

   This is especially important for communications roles in other operational resilience management processes, such as incident management and in the execution of service continuity plans.

Deliver Resilience Communications

The activities necessary to deliver communications for resilience activities on an operational and event-driven basis are established.

Resilience communications must be delivered on an as-needed basis, according to the organization’s requirements. Because resilience communications can be diverse, the organization may need to develop and implement a broad array of processes, practices, technology, and infrastructure to support those requirements. The organization should consider and identify various communications methods and channels (as appropriate to support requirements) and develop and implement an infrastructure (physical and technical) to support those methods and channels. Through these actions, the organization seeks to deliver timely, relevant, consistent, high-quality, and purposeful communications proactively or during an event, incident, or crisis.

Identify Communications Methods and Channels

Communications methods and channels relative to stakeholder and organizational needs are identified and established.

Effective communication requires a sender and a receiver. Depending on the goals, objectives, and target audiences outlined in the communications plan and program, the methods and channels used to deliver communications may vary. The methods and channels that the organization chooses must be able to support and enable communications requirements as stated in the communications plan and program.

Communications methods and channels may be formal or informal, oral or written, peer-to-peer, peer-to-subordinate, or peer-to-superior. Messages can also be delivered non-verbally through actions and gestures. Communications methods and channels can include

• policy statements

• procedures manuals and company handbooks

• specific press releases and wires

• company hotlines, such as those that allow for reporting of ethics violations

• email messages and text messaging

• intranet and internet sites and webcasts

• newsletters, posters, and flyers, as well as bulletin boards and other gathering spots

• newspapers, magazines, and other print media

• television, radio, podcasts, videocasts, and other public media

• presentations, tutorials, and symposia

• emergency broadcast systems and methods

• closed communications channels such as two-way radio, CB radio, and satellite phone

• secured communications channels (to provide for classified conversations) such as STUs (secure telephone units)

Methods and tools for communicating with staff, customers, end users, service provider staff, and other stakeholders during the course of service delivery are also part of the enterprise-wide communications strategy and execution. These methods and tools have to be regularly reviewed, tailored, and possibly supplemented to meet ongoing communications requirements.

Typical work products

1. Documented communications methods and channels (by stakeholder class or requirement)
2. Tools, techniques, and methods for communication

Subpractices

1. Inventory communications methods and channels that currently exist in the organization.
2. Identify the appropriate communications methods and channels (media and message) for each type of stakeholder.

   Ensure that the methods and channels will enable the organization to meet the requirements of the communications plan and program and the stakeholders’ requirements.

   Ensure that the organization is capable of performing the methods and channels identified and that there is sufficient infrastructure to support these methods and channels.

3. Identify communications methods and channels that do not currently exist in the organization.
4. Identify tools, techniques, and methods required to use the identified methods and channels.

Establish and Maintain Communications Infrastructure

An infrastructure appropriate to meet the organization’s resilience communications needs is established and managed.

Communications methods and channels are typically supported and enabled by a communications infrastructure. This infrastructure may be as simple as a manual process for developing and distributing a newsletter or as complex as the development and implementation of a wireless network to support voice and data communications during a crisis. From a generic standpoint, the organization’s communications infrastructure must support

• communications requirements from stakeholders

• the specific requirements and scope of the communications plan and program

• the communications methods and channels that the organization chooses to use

Because it is likely that communications methods and channels extend beyond the organization’s direct span of control, the communications infrastructure may be developed, implemented, managed, and owned by an external business partner. The organization must seek to ensure that this infrastructure meets its requirements and is reliable for delivering the specific types of communications for which it has been contracted.

Important considerations for an appropriate communications infrastructure include

• the nature and extent of the message

• the immediacy of the message (whether on-demand, spontaneous, etc.)

• whether the message to be delivered over the infrastructure is sensitive, confidential, or classified

• how messages will be stored and protected, if necessary

• the scope of end users of the message (i.e., how extensive is the audience)

• whether the communication is to be one-way or interactive

Specialized infrastructure may be required to meet the communications demands of processes such as incident management and to carry out specific activities in service continuity plans. In these cases, the organization may develop and implement infrastructure that directly and uniquely supports these activities outside of that which is required for general communications.

Typical work products

1. Infrastructure requirements
2. Infrastructure architecture, map, or diagram for communications flows
3. Communications tools, techniques, and methods

Subpractices

1. Identify and inventory existing communications infrastructure and capabilities that may be able to meet plan and program objectives and communications requirements.

   Many communications requirements may be substantially met by existing capabilities and infrastructure as part of the organization’s larger communications process. Inventorying existing capabilities and infrastructure may help the organization to accurately determine additional infrastructure needs and reduce the overall cost of providing communications services.

2. Identify infrastructure needs to support communications requirements, methods, and channels.

   In order to successfully develop infrastructure to support communications requirements, the organization may need to decompose these requirements into functional requirements. Functional requirements represent the people, processes, and technologies that are needed to meet the communications requirements. Without knowing these requirements, the organization may find it difficult to accurately identify infrastructure needs.

   If the organization cannot meet infrastructure needs (or contract with business partners to meet them), the organization may not be able to meet communications requirements. The organization should identify any requirements that cannot be met and determine if this poses any additional risk to the organization.

3. Implement and manage communications infrastructure.

Improve Communications

Resilience communications are reviewed to identify and implement improvements in the communications process.

The importance of communications processes to supporting the management of operational resilience requires that the organization continually assess its effectiveness in meeting communications requirements and make improvements where necessary. This is especially true given the dynamic nature of the operational and risk environment, emerging threats, and changes in technology and the geographical environment for facilities.

Some communications processes are fairly static—that is, they are foundational activities that are not typically affected by change. For example, the organization may have structured processes for addressing the print and television media that are valid no matter what the current operating conditions are. Other communications processes must continually evolve. For example, crisis communications processes evolve as the organization is put to the test and as lessons are learned and shared. To some extent, every incident or crisis situation may pose new and emerging challenges that the organization has not previously encountered and that will cause a review of communications requirements, plans and programs, methods and channels, and infrastructure.

Learning from communications processes is focused on improving the organization’s ability to proactively meet its communications requirements rather than to resort to ad hoc methods and processes that may in fact harm the organization, particularly during an event, incident, or crisis. While all situations cannot be planned for, the organization can establish foundational competencies and improve these capabilities with what is learned from communications efforts—particularly those performed during times of stress. Eventually, this should result in a shift to planning and away from reacting.

Improving resilience communications requires the organization to formally assess the effectiveness of its communications processes and to develop and implement improvements in these processes on an ongoing basis.

Assess Communications Effectiveness

The effectiveness of resilience communications plans and programs is assessed and corrective actions are identified.

Communications activities must be reviewed regularly to ensure that they continue to meet the needs of stakeholders and support operational resilience management processes.

Day-to-day communications, such as staff communications and press releases, are generally vetted before they are released to help prevent miscommunication and misinterpretation. Event, incident, and crisis communications, on the other hand, may not exhibit problems until execution. The organization may not be able to foresee all of the potential circumstances that could diminish effectiveness and ultimately impact the success of incident management and service continuity processes.

Assessing communications effectiveness should aim to answer basic questions such as these:

• Did the communication meet the purpose?

• Was the message clear, concise, unambiguous, and timely?

• Were all stakeholders that have a need to know included in the distribution of the information?

• Did the communications infrastructure support the process as intended?

• Were communications methods and channels effective for the purpose?

• Were spontaneous communications inhibited by technical glitches, lack of training of staff, or other obstacles?

Event, incident, and crisis communications may require additional levels of observation and examination to identify issues, concerns, obstacles, and errors. In some cases, these types of communications can be tested when service continuity plans are exercised or when incident drills are performed. These activities provide information that could improve communications competencies before they result in impacting the organization’s effectiveness. However, the organization should specifically plan for collecting effectiveness information during event, incident, and crisis communications so that real-time issues can be brought to light post-activity.

Typical work products

1. Communications analysis report
2. Recommendations for plan or program improvements
3. Recommendations for improvements to event, incident, and crisis management communications processes

Subpractices

1. Establish and implement a formal communications review activity.

   For event, incident, and crisis communications, this review should be performed during service continuity plan exercises and drills of the incident management process. In addition, communications issues that arise during an event, incident, or crisis should be uncovered in post-incident or post-event reviews.

   The evaluation of service continuity plan exercises is performed in SC:SG5.SP3 and the post-execution review of service continuity plans is performed in SC:SG6.SP2 in the Service Continuity process area.

2. Prepare an analysis report on the effectiveness of communications activities.

   For post-incident review, this process may include the communications issues identified in a post-incident analysis report (as described in IMC:SG5.SP1). For a post-plan execution review, this process may include areas of improvement for service continuity plans (as described in SC:SG6.SP2).

3. Compare outcomes of communications processes with plan objectives and expectations.
4. Document suggested improvements to the communications plan and program based on the evaluation of the effectiveness of awareness activities.

Improve Communications

Lessons learned in managing resilience communications are used to improve communications plans and programs.

The importance of communications to the operational resilience management system requires that the organization make a sizeable investment in human and capital resources. Thus, communications processes must be effective and efficient, preserve the organization’s investment, and prevent the organization from being impacted as a result of poorly designed and implemented communications.

Lessons learned from regular review of communications processes, and in particular during event, incident, and crisis communications, can strengthen resilience communications and help to improve the organization’s overall communications competency. These lessons learned can serve as a benchmark for continuous improvement of communications processes.

Typical work products

1. Service continuity plans
2. Resilience policy
3. Updated communications plan and program
4. Training needs and requirements
5. Communications process improvements list

Subpractices

1. Review results of communications assessment activities and effectiveness analysis reports.
2. Review communications processes, plans, and programs and update for any perceived deficiencies or omissions.

   This process may require the organization to revisit the effectiveness of meeting communications requirements and to perform analysis of requirements to determine why they are not being met.

   In addition, the organization may need to revisit and revise resilience policies and strategies, training needs and requirements, and the communications processes that are embedded in other operational resilience management processes. Specifically, service continuity plans may have to be updated to improve communications effectiveness.

3. Revise the communications methods, channels, and supporting work products as necessary.

Elaborated Generic Practices by Goal

Refer to the Generic Goals and Practices document in Appendix A for general guidance that applies to all process areas. This section provides elaborations relative to the application of the Generic Goals and Practices to the Communications process area.

Achieve Specific Goals

The operational resilience management system supports and enables achievement of the specific goals of the Communications process area by transforming identifiable input work products to produce identifiable output work products.

Perform Specific Practices

Perform the specific practices of the Communications process area to develop work products and provide services to achieve the specific goals of the process area.

Elaboration:

Specific practices COMM:SG1.SP1 through COMM:SG4.SP2 are performed to achieve the goals of the communications process.

Institutionalize a Managed Process

Communications is institutionalized as a managed process.

Establish Process Governance

Establish and maintain governance over the planning and performance of the communications process.

Refer to the Enterprise Focus process area for more information about providing sponsorship and oversight to the communications process.

Subpractices

1. Establish governance over process activities.

   Elaboration:

   Governance over the communications process may be exhibited by

   • developing and publicizing higher-level managers’ objectives and requirements for the process

   • sponsoring process policies, procedures, standards, and guidelines, including the standards and guidelines described in COMM:SG1.SP3

   • making higher-level managers aware of applicable compliance obligations related to the process, and regularly reporting on the organization’s satisfaction of these obligations to higher-level managers

   • sponsoring and funding process activities

   • aligning process requirements, plans, and programs with identified resilience needs and objectives and stakeholder needs and requirements

   • sponsoring, supporting, and overseeing the communications plan and program as well as the process plan

   • verifying that the process supports strategic resilience objectives and is focused on the assets and services that are of the highest relative value in meeting strategic objectives

   • regular reporting from organizational units to higher-level managers on process activities and results

   • creating dedicated higher-level management feedback loops on decisions about communications and recommendations for improving the process

   • providing input on identifying, assessing, and managing operational risks to communications, including risks to plans, programs, methods, and channels

   • conducting regular internal and external audits and related reporting to audit committees on process effectiveness

   • establishing formal programs to measure the effectiveness of process activities, and reporting these measurements to higher-level managers

2. Develop and publish organizational policy for the process.

   Elaboration:

   The communications policy should address

   • responsibility, authority, and ownership for performing process activities, including identifying stakeholders and requirements and establishing standards and guidelines

   • standards and guidelines as described in COMM:SG1.SP3, including

   — identifying and documenting communications requirements

   — identifying communications media types and message content for different types of requirements

   — identifying communications methods and channels

   — communicating with specific types of stakeholders based on their roles

   • managing the communications plan and program as well as the process plan

   • approving communications methods and channels by purpose and stakeholder

   • communications infrastructure requirements

   • methods for measuring adherence to policy, exceptions granted, and policy violations

Plan the Process

Establish and maintain the plan for performing the communications process.

Elaboration:

COMM:SG2.SP1 requires the development of a plan for how the organization will carry out a program to support resilience communications. In COMM:GG2.GP2, the planning elements required in COMM:SG2.SP1 are formalized and structured, and performed in a managed way. The plan for the communications process should reflect the organization’s stated preferences for general resilience communications, communications during events and incidents, communications to external stakeholders, public relations, and communications needs as required by other resilience processes. The plan should also address how the process will be actualized (through individual roles, dedicated teams, virtual teams, etc.).

Subpractices

1. Define and document the plan for performing the process.

   Elaboration:

   Foundational elements such as communications requirements, stakeholders, and communications standards and guidelines (which are essential to support communications processes) are addressed in COMM:SG1 and should be reflected in the plan as called for here.

2. Define and document the process description.

   Elaboration:

   Foundational elements such as communications requirements, stakeholders, and communications standards and guidelines (which are essential to support communications processes) are addressed in COMM:SG1. The process for developing, deploying, and managing resilience communications is described in COMM:SG2. Practices described in COMM:SG1 and COMM:SG2 should be reflected in the process description as called for here.

3. Review the plan with relevant stakeholders and get their agreement.
4. Revise the plan as necessary.

Provide Resources

Provide adequate resources for performing the communications process, developing the work products, and providing the services of the process.

Elaboration:

COMM:SG2.SP3 requires the assignment of resources to the communications plan and program. In COMM:GG2.GP3, resources are formally identified and assigned to plan elements.

Subpractices

1. Staff the process.

   Elaboration:

   This generic practice related to communications refers to staffing the communications process program, not the provision of communications resources in processes such as incident management and service continuity.

   These are examples of staff required to perform the communications process:

   • staff responsible for

   — identifying relevant stakeholders, their roles, and the plan for their involvement

   — identifying, analyzing, prioritizing, and maintaining communications requirements that satisfy resilience program objectives

   — developing communications guidelines and standards

   — developing and maintaining the communications plan and program, as well as the process plan

   — identifying and assigning qualified staff to carry out the communications plan and program and addressing any skill and resource gaps

   — identifying communications methods and channels, as well as the methods, techniques, and tools that support these

   — defining communications infrastructure requirements and architecture, along with supporting methods, techniques, and tools to fulfill these requirements

   — identifying and implementing improvements to the communications plan, program, and process plan, and making recommendations to improve event, incident, and crisis management communications processes

   • internal and external auditors responsible for reporting to appropriate committees on process effectiveness

   Refer to the Organizational Training and Awareness process area for information about training staff for resilience roles and responsibilities.

   Refer to the Human Resource Management process area for information about acquiring staff to fulfill roles and responsibilities.

2. Fund the process.

   Refer to the Financial Resource Management process area for information about budgeting for, funding, and accounting for communications.

3. Provide necessary tools, techniques, and methods to perform the process.

   Elaboration:

   Resilience communications require the provision of significant levels of tools, techniques, and methods to support the broad range of communications requirements. In COMM:SG3.SP1 and COMM:SG3.SP2, the supporting structure for communications is established. In COMM:GG2.GP3 subpractice 3, the provision of this structure is formally tied to the communications plan and program, and the ability of the tools, techniques, and methods to support stated communications requirements is validated.

   These are examples of tools, techniques, and methods to support the communications process:

   • communications requirements management tools

   • methods and techniques to support various types and levels of communications

   • methods, techniques, and tools to support various types of stakeholders, communications channels, and media

   • communications infrastructure, diagramming, and mapping tools

   • survey tools for assessing communications effectiveness

   • methods for training stakeholders on resilience communications

Assign Responsibility

Assign responsibility and authority for performing the communications process, developing the work products, and providing the services of the process.

Elaboration:

COMM:SG2.SP3 requires the assignment of staff responsibility, accountability, and authority for communications plan and program tasks. In COMM:GG2.GP4, commitments are formally identified to support resource allocations to plan elements.

Refer to the Human Resource Management process area for more information about establishing resilience as a job responsibility, developing resilience performance goals and objectives, and measuring and assessing performance against these goals and objectives.

Subpractices

1. Assign responsibility and authority for performing the process.

   Elaboration:

   Keep in mind that specialized communications needs may arise unexpectedly when an incident or crisis occurs, requiring virtual teams or responsibilities to be assigned quickly.

2. Assign responsibility and authority for performing the specific tasks of the process.

   Responsibility and authority for performing communications tasks can be formalized by

   • defining roles and responsibilities in the communications plan and program and in the process plan

   • including process tasks and responsibility for these tasks in specific job descriptions

   • developing policy requiring organizational unit managers, line of business managers, project managers, and asset and service owners and custodians to participate in and derive benefit from the process for assets and services under their ownership or custodianship

   • including process tasks in staff performance management goals and objectives, with requisite measurement of progress against these goals

   • developing and implementing contractual instruments (including service level agreements) with external entities to establish responsibility and authority for performing process tasks on outsourced functions

   • including process tasks in measuring performance of external entities against contractual instruments

   Refer to the External Dependencies Management process area for additional details about managing relationships with external entities.

3. Confirm that people assigned with responsibility and authority understand it and are willing and able to accept it.

Train People

Train the people performing or supporting the communications process as needed.

Refer to the Organizational Training and Awareness process area for more information about training the people performing or supporting the process.

Refer to the Human Resource Management process area for more information about inventorying skill sets, establishing a skill set baseline, identifying required skill sets, and measuring and addressing skill deficiencies.

Subpractices

1. Identify process skill needs.

   Elaboration:

   These are examples of skills required in the communications process:

   • knowledge of the tools, techniques, and methods necessary to provide all levels and types of communication in support of stakeholders, channels, and media, including those necessary to perform the process using the selected methods, techniques, and tools identified in COMM:GG2.GP3 subpractice 3

   • knowledge unique to each type of stakeholder, channel, and media that is required to meet communications requirements

   • knowledge necessary to establish and maintain the communications infrastructure

   • knowledge necessary to work effectively with stakeholders, including asset owners and custodians

   • knowledge necessary to elicit and prioritize stakeholder requirements and needs and interpret them to develop effective communications requirements, plans, and programs as well as the process plan

2. Identify process skill gaps based on available resources and their current skill levels.
3. Identify training opportunities to address skill gaps.

   Elaboration:

   Certification training is an effective way to improve communications skills and attain competency. Training and certification in crisis communications or specialized public relations are available for staff who focus specifically on communications regarding incidents and other resilience issues.

   These are examples of training topics:

   • communications requirements identification

   • communications media and channels

   • communications types and levels

   • development and implementation of communications infrastructure

   • use of communications infrastructure

   • working with stakeholders in a crisis situation

   • identifying communications lessons learned

4. Provide training and review the training needs as necessary.

Manage Work Product Configurations

Place designated work products of the communications process under appropriate levels of control.

Elaboration:

COMM:SG4.SP2 specifically addresses the change control process over communications plans, programs, and processes. However, other work products of the communications process (such as the communications process plan and communications process policies) must also be managed and controlled.

Tools, techniques, and methods should be employed to perform consistent and structured version control over the communications infrastructure to ensure that all methods, channels, and media are the most current and “official.” The tools, techniques, and methods can also be used to provide access control over inquiry, modification, and deletion and to track version changes and updates.

Identify and Involve Relevant Stakeholders

Identify and involve the relevant stakeholders of the communications process as planned.

Elaboration:

Stakeholders both provide and receive communications. Several COMM-specific practices address aspects of the involvement of stakeholders in the communications process. For example, COMM:SG1.SP1 calls for the identification of internal and external stakeholders that require information relative to resilience activities. COMM:SG1.SP2 captures the communications needs of stakeholders to serve as a source of communications process requirements. COMM:SG1.SP3 establishes guidelines and standards informed by stakeholder needs and requirements. COMM:SG2.SP2 and COMM:SG2.SP3 describe the development of communications plans and programs that meet stakeholder requirements. COMM:SG3.SP1 requires that communications methods and channels meet stakeholder needs.

COMM:GG2.GP7 generically covers the role of stakeholders across all aspects of the communications process: developing plans and programs, executing plans and programs, and receiving communications.

Subpractices

1. Identify process stakeholders and their appropriate involvement.

   Elaboration:

   In COMM:GG2.GP7 subpractice 1, stakeholders are limited to those that have direct responsibility for the development and execution of the communications plan and process. Stakeholders that require direct communications in order to enable or support a service continuity plan or to communicate an incident or a response fall outside of this activity.

   COMM:SG1.SP1 subpractice 1 lists examples of stakeholders of the communications process.

   Stakeholders are involved in various tasks in the communications process, such as planning for the process

   • making decisions about communications

   • making commitments to communications plans, programs, and activities and to the process plan

   • communicating communications plans, programs, and activities

   • coordinating communications activities

   • reviewing and appraising the effectiveness of process activities

   • establishing requirements for the process

   • resolving issues in the process

   • receiving and responding to various types of communications

2. Communicate the list of stakeholders to planners and those responsible for process performance.
3. Involve relevant stakeholders in the process as planned.

Monitor and Control the Process

Monitor and control the communications process against the plan for performing the process and take appropriate corrective action.

Refer to the Monitoring process area for more information about the collection, organization, and distribution of data that may be useful for monitoring and controlling processes.

Refer to the Measurement and Analysis process area for more information about establishing process metrics and measurement.

Refer to the Enterprise Focus process area for more information about providing process information to managers, identifying issues, and determining appropriate corrective actions.

Subpractices

1. Measure actual performance against the plan for performing the process.
2. Review accomplishments and results of the process against the plan for performing the process.

   Elaboration:

   These are examples of metrics for the communications process:

   • number of communications delivered by event type, stakeholder type, method and channel type (or other meaningful categorization) per unit of time

   • percentage of communications media and channels operating within expected tolerances (e.g., press release must be issued within one hour of a significant event)

   • percentage increase or decrease in length of time to commence communications by event type

   • number and percentage of stakeholders that do not receive communications within expected tolerances, by stakeholder type and by event type

   • number of communications methods and channels required to deliver same or similar messages

   • percentage of uptime or availability of preferred communications methods, channels, and infrastructure

   • number of recommendations for improvement referred to the event, incident, and crisis management communications processes

   • number of process risks referred to the risk management process; number of risks where corrective action is still pending (by risk rank)

   • level of adherence to process policies; number of policy violations; number of policy exceptions requested and number approved

   • number of process activities that are on track per plan

   • rate of change of resource needs to support the process

   • rate of change of costs to support the process

3. Review activities, status, and results of the process with the immediate level of managers responsible for the process and identify issues.

   Elaboration:

   COMM:SG4.SP1 and COMM:SG4.SP2 call for assessing the effectiveness of resilience communications, identifying improvement actions, and revising plans, programs, methods, and channels to reflect such improvements. In COMM:GG2.GP8 subpractice 3, the review activities are formalized and performed consistently to ensure identification of issues and concerns that need attention and could affect the process in the future. Because communications may be planned or on-demand, formal reviews may be periodic or post-incident or -event.

   Periodic reviews of the communications process are needed to ensure that

   • the communications plan, program, and process plan are meeting the resilience needs of the organization

   • media and channels are meeting communications requirements

   • stakeholders are receiving timely, accurate, and complete messages when required

   • communications requirements are valid (continue to be valid)

   • communications infrastructure is adequately supporting requirements

   • communications are being revised and improved on a timely basis when problems or issues arise

   • event-driven or spontaneous communications adequately meet needs

   • training is adequate for meeting communications requirements

   • status reports are provided to appropriate stakeholders in a timely manner

   • process issues are referred to the risk management process when necessary

   • communications issues are referred to the event, incident, and crisis management communications processes when necessary

   • actions requiring management involvement are elevated in a timely manner

   • the performance of process activities is being monitored and regularly reported

   • key measures are within acceptable ranges as demonstrated in governance dashboards or scorecards and financial reports

   • administrative, technical, and physical controls are operating as intended

   • controls are meeting the stated intent of the resilience requirements

   • actions resulting from internal and external audits are being closed in a timely manner

4. Identify and evaluate the effects of significant deviations from the plan for performing the process.

   Elaboration:

   Because communications can be spontaneous, deviations from the plan for performing the process are to be expected. In addition, deviations from the communications plan may occur when organizational units fail to follow the enterprise-sponsored plan. These deviations may affect the operational resilience of the organizational unit’s services but may also have a cascading effect on enterprise operational resilience objectives.

5. Identify problems in the plan for performing and executing the process.
6. Take corrective action when requirements and objectives are not being satisfied, when issues are identified, or when progress differs significantly from the plan for performing the process.
7. Track corrective action to closure.

Objectively Evaluate Adherence

Objectively evaluate adherence of the communications process against its process description, standards, and procedures, and address non-compliance.

Elaboration:

Review Status with Higher-Level Managers

Review the activities, status, and results of the communications process with higher-level managers and resolve issues.

Refer to the Enterprise Focus process area for more information about providing sponsorship and oversight to the operational resilience management system.

Institutionalize a Defined Process

Communications is institutionalized as a defined process.

Establish a Defined Process

Establish and maintain the description of a defined communications process.

Establishing and tailoring process assets, including standard processes, are addressed in the Organizational Process Definition process area.

Establishing process needs and objectives and selecting, improving, and deploying process assets, including standard processes, are addressed in the Organizational Process Focus process area.

Subpractices

1. Select from the organization’s set of standard processes those processes that cover the communications process and best meet the needs of the organizational unit or line of business.
2. Establish the defined process by tailoring the selected processes according to the organization’s tailoring guidelines.
3. Ensure that the organization’s process objectives are appropriately addressed in the defined process, and ensure that process governance extends to the tailored processes.
4. Document the defined process and the records of the tailoring.
5. Revise the description of the defined process as necessary.

Collect Improvement Information

Collect communications work products, measures, measurement results, and improvement information derived from planning and performing the process to support future use and improvement of the organization’s processes and process assets.

Elaboration:

COMM:SG4.SP1 and COMM:SG4.SP2 call for assessing the effectiveness of resilience communications, identifying improvement actions, and revising plans, programs, methods, and channels to reflect such improvements. In COMM:GG3.GP2, all improvement information is collected and documented in support of establishing and maintaining a defined process for communications.

Establishing the measurement repository and process asset library is addressed in the Organizational Process Definition process area. Updating the measurement repository and process asset library as part of process improvement and deployment is addressed in the Organizational Process Focus process area.

Subpractices

1. Store process and work product measures in the organization’s measurement repository.
2. Submit documentation for inclusion in the organization’s process asset library.
3. Document lessons learned from the process for inclusion in the organization’s process asset library.
4. Propose improvements to the organizational process assets.