Crisis Management and Physical Security: what to do in the first 72 hours

The 3-step operating model

Phase 1 – 0-4 hours: securing and stabilizing

Goal: protect people and assets, contain the event, preserve evidence.

Key Actions

  • People & site safety: evacuation or confinement; HSE triage; physical perimeter and checkpoints.
  • Command & control: activate the Crisis Cell (Security lead, HSE, IT/OT, HR, Legal, Operations). Appoint an Incident Commander and deputies.
  • Evidence & logs: stop DVR/NVR recordings from being overwritten; take a forensic copy of the relevant video segments; temporarily seize the badge/access logs; keep a time-stamped event log.
  • Flash (internal) communication: short message to all staff on status, instructions, and official channels; designate a single spokesperson.
  • Authorities: assess whether to call in Law Enforcement/Fire Brigade (VVF)/118; inform the insurer as the policy requires.

Output phase 1

  • Event stabilized, perimeter under control, first evidence sealed, chain of custody initiated, internal memo circulated.
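
One way to start the chain of custody for the first sealed evidence, as an added example that is not part of the original article: each log entry records who did what and when, stores the SHA-256 of the evidence item, and is chained to the previous entry so later edits show up in an audit. The item IDs, field names and sample bytes are constructed assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # "prev" value of the first entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_hash(body: dict) -> str:
    # Canonical JSON so the same entry always hashes to the same value.
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())

def append_entry(log, when, who, action, item_id, content: bytes):
    """Record who did what, when, to which item, chained to the previous entry."""
    body = {"seq": len(log), "when": when, "who": who, "action": action,
            "item_id": item_id, "item_sha256": sha256_hex(content),
            "prev": log[-1]["entry_hash"] if log else GENESIS}
    log.append({**body, "entry_hash": entry_hash(body)})

def verify(log, evidence):
    """Return a list of problems; an empty list is a positive audit."""
    problems, prev = [], GENESIS
    for i, e in enumerate(log):
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["seq"] != i or e["prev"] != prev or entry_hash(body) != e["entry_hash"]:
            problems.append(f"entry {i}: log entry altered or chain broken")
        current = evidence.get(e["item_id"])
        if current is None:
            problems.append(f"entry {i}: item {e['item_id']} missing")
        elif sha256_hex(current) != e["item_sha256"]:
            problems.append(f"entry {i}: item {e['item_id']} does not match recorded hash")
        prev = e["entry_hash"]
    return problems

def build_sample():
    # Constructed sample data: bytes standing in for an exported video segment
    # and a badge-log export. Real use would hash the exported files on disk.
    evidence = {"VID-001": b"constructed NVR segment, camera 7",
                "BDG-001": b"2025-01-10T02:13:05Z,gate-3,badge-0042,granted\n"}
    log = []
    append_entry(log, "2025-01-10T02:40:00Z", "Security lead", "forensic copy", "VID-001", evidence["VID-001"])
    append_entry(log, "2025-01-10T02:55:00Z", "Security lead", "badge log export", "BDG-001", evidence["BDG-001"])
    append_entry(log, "2025-01-10T06:10:00Z", "Legal", "handover received", "VID-001", evidence["VID-001"])
    return log, evidence

if __name__ == "__main__":
    log, evidence = build_sample()
    print(verify(log, evidence))
```

The same `verify` run at audit time covers the "chain of custody integrity" KPI: it fails if an evidence file or any earlier log entry has changed since it was recorded.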

Phase 2 – 4-24 hours: contain, assess impact, plan restoration

Goal: understand what happened, how far the impact extends, and which functions are critical.

Key Actions

  • Structured assessment:
    • Damage to people/assets/plants; impairment of production lines and services.
    • Verify gates, routes, sensors, intrusion detection systems, and access controls.
    • Correlation with IT/OT: badge vs login, network anomalies, possible physical-cyber correlation.
  • Business impact: identify priority processes (“A” list) and supply chain dependencies.
  • 24h plan: choose options for containment and rapid restoration (alternate site, special shifts, escorts).
  • Targeted communication: inform management, area leaders, and critical customers with verified facts and restoration horizon.
  • Contracting & insurance: open claims, verify SLA clauses with vendors, document out-of-pocket expenses.
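
The "badge vs login" correlation from the structured assessment above, as an added example that is not part of the original article: it flags on-site console logins for which the badge log does not place the user in the workstation's zone at that time. The log layouts, user names, zone names and the 12-hour freshness window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample exports (not real data).
BADGE_EVENTS = [  # (time, badge holder, zone, direction)
    ("2025-01-10T01:58:00", "m.rossi", "server-room", "in"),
    ("2025-01-10T02:30:00", "m.rossi", "server-room", "out"),
    ("2025-01-10T02:05:00", "l.bianchi", "warehouse", "in"),
]
LOGINS = [  # (time, user, zone of the workstation) for local console logins
    ("2025-01-10T02:10:00", "m.rossi", "server-room"),    # badge agrees
    ("2025-01-10T02:45:00", "m.rossi", "server-room"),    # after badge-out
    ("2025-01-10T02:12:00", "l.bianchi", "server-room"),  # badged in elsewhere
    ("2025-01-10T02:20:00", "g.verdi", "warehouse"),      # no badge activity
]

def zone_at(badge_events, user, when, max_age):
    """Zone the badge log places `user` in at `when`, or None if not on site."""
    last = None
    for ts, who, zone, direction in sorted(badge_events):
        t = datetime.fromisoformat(ts)
        if who == user and t <= when:
            last = (t, zone, direction)
    # No event, last event was an exit, or the entry is too old to trust.
    if last is None or last[2] != "in" or when - last[0] > max_age:
        return None
    return last[1]

def unmatched_logins(badge_events, logins, max_age=timedelta(hours=12)):
    """Logins whose workstation zone disagrees with the badge log."""
    findings = []
    for ts, user, zone in logins:
        where = zone_at(badge_events, user, datetime.fromisoformat(ts), max_age)
        if where != zone:
            findings.append((ts, user, zone, where))
    return findings

if __name__ == "__main__":
    for ts, user, zone, where in unmatched_logins(BADGE_EVENTS, LOGINS):
        print(f"{ts} {user}: login in {zone}, badge places user in {where}")
```

Each finding is a lead for the Situation Report rather than a conclusion: tailgating, shared credentials and a missed badge read all produce the same mismatch.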

Output phase 2

  • Initial report (“Situation Report”) with probable causes, impacts, decided actions, residual risks, estimated time.

Phase 3 – 24-72 hours: restore, communicate, prepare post-incident

Goal: return to service in a controlled manner and set the path for improvement.

Key Actions

  • Controlled recovery: phased reopening, hardening of critical gates, functional testing (access, video, alarms).
  • Workforce: temporary reassignments, mandatory briefing on new procedures; HR support if event involves staff.
  • Public & stakeholder comms: consistent messages to customers, partners, media, and insurers; unified Q&A.
  • After Action Review (AAR): within 72h collect timeline, decisions, problems, lessons learned; define remediation and owner.
  • Governance: update crisis plans, training and contracts (SLAs/penalties) based on findings.

Output phase 3

  • Service restored with audits, remediation plan, closed communications, audit materials and assurance.

Ready-to-use checklist (to be kept in the crisis room)

Crisis Cell – minimal roles

  • Incident Commander (Security) – operational decisions and priorities.
  • HSE – safety of people and plants
  • IT/OT – data integration, event correlation
  • HR – workforce, internal communications, support
  • Legal/Privacy – compliance, assurance, chain of custody
  • Operations – production continuity/supply chain
  • Media/Comms – messages to stakeholders

Evidence & logs

  • Copy video segments and badge access logs
  • Georeferenced photos of damage (timestamps)
  • Record decisions (who, what, when, why)
  • Storage of objects/evidence in labeled containers

Critical contacts

  • Law Enforcement / Fire Department / 118 / Municipality
  • Insurance (claims, adjusters)
  • Vital providers (energy, security, maintenance)
  • “A” customers and logistics partners

Essential crisis kit

  • Floor plans, crossing lists, useful numbers
  • Emergency credentials, sealed master keys
  • Flashlights, portable UPS, radios or satellite phones.
  • Pre-filled forms (incident report, damage inventory)

Incident types and specific moves

Intrusion/theft

Block gates and escape routes; reconstruct the geofence from video + badges; rapid inventory; coordinate with Law Enforcement; temporarily increase guard presence.

Fire/smoke

Post-event: air/plant testing; hot area interdiction; checking cable runs and compartmentalization; sensor realignment (reduce false alarms post-recovery).

Internal sabotage

“Need-to-know” teams; segregation of functions; consultation with HR/Legal; mirror logs to avoid contamination; temporary suspension of at-risk credentials.

Prolonged blackout

Prioritization of essential loads; control of restarting systems (overcurrents); enhanced physical surveillance on gates and valuable areas.

Climatic event

Mobile barriers, pumps, perimeter protection; restoration by cluster of dry areas; alternate routes for goods and personnel.

Physical + cyber event

Joint war-room; timeline correlation; network/area emergency segmentation; integrated customer and authority communication.

Mistakes to avoid

  • Waiting too long to “get all the information”: iterative decisions on partial data are better.
  • Inconsistent messages between HR, Operations, and Legal.
  • Underestimating insider threat in early assumptions.
  • Failing to preserve video/badge logs in the first few minutes.
  • Delegating to too many vendors without single coordination: lengthens time and increases friction. Here a single point of contact and purchasing center simplifies and creates economies of scale.

KPIs to measure 72-hour management

  • MTTA / MTTR crisis (activation time / recovery time)
  • % “A” processes safeguarded within 24/48/72h
  • Chain of custody integrity (positive audit)
  • Pre/post intervention false alarm rate
  • SLA of guarding/technology during the event (target >96%)
  • Losses avoided vs baseline (ALE), insurance claims recognized

What an effective partner should look like

An effective partner brings:

  • End-to-end value chain (risk analysis, design, technology, guarding, auditing) and single point of contact for execution and reporting.
  • Network independent of supervisory institutions (“super partes” site-by-site choice, avoid lock-in).
  • Dedicated coordinators with small teams, continuous inspections and monitoring, high SLAs and measurable efficiency recovery.

Conclusion

A crisis is not “improvised”: it is governed by clear procedures, known roles, preserved evidence, unambiguous communications, and a partner who shortens the time. The first 72 hours are when physical security proves to be an investment: people protection, process continuity, business value preserved.
