Using ISO 22301 business continuity practices to support mass public events

Managing public events with hundreds or thousands of people is a challenge, as disruptions of these events may result in huge material losses or even loss of life. We face the classic situation where disruptions may lead to unforeseeable consequences. As such, a business continuity approach based on ISO 22301 appears to be a powerful tool to manage these types of events.

Managing mass events

Public gatherings with masses of participants certainly create a potential for catastrophic events. The concentration of people is attractive to potential attackers. But, even relatively harmless triggers (such as a firecracker) may cause a mass panic. There is a range of circumstances that may lead to catastrophic outcomes. As such, controlling and managing mass events is of utmost importance.


The business continuity approach

When viewed from a business continuity management standpoint, we face similar challenges as when attempting to protect an organization from unforeseen consequences of business interruptions:

  • there are processes and resources to be protected from serious impacts,
  • there is certainly a need for preventive actions and controls,
  • we need a strategy for how to deal with different scenarios,
  • we need to have response structures in place (in case the risks materialize), and
  • we need to practice response scenarios in order to be sufficiently prepared.

The complete BCM lifecycle can be mapped and applied to managing mass events. Let’s have a look at a different component of this lifecycle.

1) Impact analysis – What are the most important resources in this scenario? Certainly the people attending the event, but we need to determine if critical material resources might be affected as well: roads, motorway, subway and bus lines, parts of the critical infrastructure of the city, etc.

2) Developing a strategy – After having determined what potential impacts could occur, it’s time to formulate one or several strategies, as the kind of “answer” to the questions raised during the impact analysis. During the impact analysis we tried not to think in scenarios, but focused on the impacts: resource X has been impacted (injured, killed, damaged, burned, etc.) regardless of the cause, but when developing a strategy, it is more realistic to paint certain scenarios.

In practice, we will end up having to set up a range of scenarios, each supported by one or more strategies. Each strategy is a high-level description of either a preventive or corrective range of measures. Examples of preventive measures include physically securing the area of the event, security checks for all participants, deployment of security guards, keeping possibly hostile opposing groups of participants at a distance, etc. Examples of corrective measures could be preparation of evacuation pathways, keeping emergency exits free from obstacles, having intervention forces on the scene, etc.

3) Setting up a response structure – As we can already assume from the above paragraph, corrective measures in particular are based on proper response structures: a policy or strategy on paper is necessary, but these are useless in case a proper response becomes necessary. As with conventional BCM projects, we certainly need a command and control center (providing high-level guidance) and “boots on the ground” to actually control the situation on the scene. It goes without saying that these interventions need to be based on thorough scenario-based plans.

4) Exercising and validating – Of course, a plan that has not been exercised is of little value. This is why this fourth section of the BCM lifecycle focuses on test exercises. It is of great importance that all response structures be tested in advance. It is advisable to start with simple, paper-based exercises to check out certain components of the response structures, but it’s also necessary to gradually increase the complexity and reality of exercises in order to check whether all levels of actions and interactions within the response structures, and to and from other interested parties, work as planned.

Validation and auditing of the whole approach by an independent third party is highly advisable. This procedure greatly reduces mistakes, errors, and omissions that could happen to internal-only resources.

The BCM lifecycle model: Applicable to a wide range of security-related projects

Due to the well-thought-out methodology and multi-decade continual improvement of the BCM lifecycle model, it is certainly applicable to a range of projects where management and mitigation of impacts is a core task. This includes management of public events as well.

The BCM lifecycle is best documented in ISO 22301:2012, which even covers a kind of advanced implementation of BCM as a Business Continuity Management System (BCMS). The implementation of this and similar ISO standards is supported by the BCMS guidance document ISO 22313:2012, and a guidance document for business impact analysis: ISO 22317:2015.

Don’t waste time and re-invent the wheel. Let widely accepted international standards, as well as proven tools, help you get your project done quickly and efficiently.

Use this free Project checklist for ISO 22301 implementation to help you plan your ISO 22301 activities.