Incident Management and Emergency Management

Risk Management Insights for Emergency Managers
By Johannes Swanepoel

What is Incident Management?


Incident management is an application of risk management theory that prescribes procedures, processes, systems, and resources that are applied to risk hazards or or states that have materialized. A typical incident management process may include incident reporting, warnings and notifications, a situation-based assessment leading to strategic and tactical planning, execution, response management, post-incident investigation, risk assessment, root cause analysis, recording of incidents, and lessons learned. All of these items contributing to preparedness and continuous improvement. The NFPA® 1600 defines an incident management system (IMS) as “[t]he combination of facilities, equipment, personnel, procedures, and communications operating within a common organizational structure and designed to aid in the management of resources during incidents” (2013, p. 12).

How does Incident Management apply to Emergency Management Programs?


The National Incident Management System (NIMS) is a core function of the National Preparedness Plan and is designed to prepare the nation for incidents that may impact safety and security. NIMS is applied to incidents that arise from any hazard or threat. Although incident management forms only a portion of wider emergency management program, it is the most visible since it’s activities are usually covered extensively by the media during a crisis.

Implementing Incident Management in Emergency Management


All organizations must have an emergency plan in place that includes resources, roles and responsibilities, procedures, logistics and contractual arrangement for an EOC (NFPA® 1600 , 2013, p. 12). The Emergency Operations Center is a physical location near the incident where the incident response will be coordinated. From the FEMA goals, it is understood that emergency management programs prioritizes the overall coordination of an incident response. Although it is essential to minimize loss of life and impact to the environment or biodiversity, it may be more beneficial in the long term to prevent incidents from occurring. According to the NFPA® 1600 “[t]he entity shall develop an incident management system to direct, control, and coordinate response, continuity, and recovery operations”. Incident management is however more than coordinating the response, continuity, and recovery operations. The following three risk management processes are vital in implementing incident management in an organization:

  • Hindsight
  • Insight
  • Foresight

An Integrated Approach is Essential


This means that the risk assessment process is inclusive and transparent and all partners of the emergency program, the public, and those that are responsible for implementing the security measures participate to some degree. Information is shared selectively based on roles and responsibilities, and sensitive information is never distributed. It is important for those who are responsible for implementing security measures to understand the basis and rationale of decisions that are taken, otherwise, new risk could be introduced due to assumptions as discussed previously.

Overcome the Common Pitfalls in Risk Assessment


A disorganized command structure may lead to units that self-dispatch to an incident or task, and do not have accountability to a supervisor. It is important that there is an established process for communications within the delegation of authority system, as well as free sharing of information between units.

About Johannes Swanepoel

These articles are the independent opinions of Johannes Swanepoel and do not necessarily reflect the opinions of Standard Model Partners. Johannes is a GRC technology specialist with over 15 years in a GRC product and advisory services capacity. Johannes has implemented over 30 GRC software and consulting projects worldwide. Johannes has led GRC vendors to leading positions in GRC analyst reports and has been a certified trainer of the ISO 31000 Foundations course leading to individual certification in ISO 31000, the international risk management standard, since December 2012. Johannes holds certifications in risk based decision making, sustainability as well as the GRC – governance, risk and compliance professional certification (GRCP) and software engineering certifications. Johannes holds a Bachelor in Risk Management from DePaul University and The University of South Africa, and Master of Science in Threat and Response Management candidate at University of Chicago.