Incident Response Procedures: Facilities Management 2026
- Solomons FM

- 3 days ago
- 12 min read
Effective incident response procedures in facilities management come down to six phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. The urgency is obvious in the UK, where only 23% of businesses have a formal incident response plan and 78% of organisations have never conducted a formal cyber incident exercise, which leaves building teams exposed when an overnight alert turns into an operational problem.
If you manage a London office, apartment block, retail site, or event venue, you already know the pattern. A door alarm triggers after hours. CCTV picks up movement in a service corridor. A resident reports an unknown person tailgating through reception. Water appears under a riser cupboard door and no one knows whether it is a leak, vandalism, or something electrical. The first few minutes decide whether the issue stays small or spreads into a building-wide disruption.
That is why good incident response procedures can't sit in an IT folder and gather dust. In facilities management, they have to work on the ground, with front desk staff, mobile patrols, concierge teams, cleaners, duty managers, CCTV operators, and contractors all knowing what happens next. The six-phase model is still the right framework, but it only works when it is translated into site realities like key control, access permissions, evidence preservation, tenant communications, and out-of-hours escalation.
Table of Contents
Why a Small Incident Becomes a Crisis Without a Plan - What the six phases look like on a real site - Why facilities teams need a different playbook
Preparation Defining Your On-Site Roles and Responsibilities - Build a response team around the building, not the org chart - Sample Incident Response Roles in Facilities Management - Write the call order before you need it
Rapid Identification and Containment in Practice - Identification starts with usable signals - Containment means controlling the site, not creating panic - What good containment looks like on shift
Eradicating Threats and Recovering Operations - Eradication is the point where temporary control becomes a permanent fix - Recovery needs a managed return to normal
The Post-Incident Review and Documentation Loop - Most teams improve only when the review is blame-free - Documentation is what turns a bad night into a better system
How to Train and Test Your Response Procedures - Use short tabletop exercises, not theoretical policy reviews - What to rehearse with building teams
Why a Small Incident Becomes a Crisis Without a Plan
At 2 AM, a motion alert lands from a ground-floor camera. The image shows a forced-open window at the rear of an office building. The night guard sees it, but pauses. Should they call the mobile patrol first, wake the building manager, ring the police, or check the site alone? While those decisions bounce around by phone, the intruder has more time inside, the footage isn't tagged, and no one is logging a clean timeline.
That sort of failure rarely starts with bad intentions. It starts with missing decisions. Who has authority to lock down access control. Who preserves CCTV clips. Who meets police at the entrance. Who tells tenants in the morning what happened. Without those answers, a minor incident becomes a messy one.

The scale of the preparedness gap is wider than many site teams assume. Only 23% of UK businesses have a formal incident response plan in place, according to the UK Government 2023 Cyber Security Breaches Survey referenced here. In a facilities setting, that gap doesn't just affect laptops and servers. It affects keys, access logs, staff safety, contractor movements, visitor records, and the confidence tenants place in the building team.
What the six phases look like on a real site
The standard six phases are practical if you strip away the jargon:
Preparation means roles, call trees, access rights, keys, and reporting lines are already set.
Identification means someone can confirm quickly whether an alert is real.
Containment means limiting harm fast, such as isolating a floor, stopping entry, or shutting off a leaking supply.
Eradication means fixing the root issue, not just coping with it.
Recovery means reopening safely and restoring normal service.
Lessons Learned means reviewing what failed and updating the procedure.
A site never rises to the level of the written plan. It falls to the level of the shift team's shared understanding.
UK guidance for incident response procedures follows those same six phases, and that matters because buildings don't fail in neat categories. A forced door may also become a data issue if access records are compromised. A flood may become a security problem if fire exits are propped open for contractors. The framework creates order when the incident itself is untidy.
Why facilities teams need a different playbook
A generic IT response plan usually assumes a screen, a ticket, and a technical team. Buildings operate differently. The first responder may be a concierge, a cleaner finding damage in a basement corridor, or a CCTV operator watching an external gate. They need short instructions they can use under pressure.
That means strong incident response procedures for facilities management should answer practical questions such as:
Who takes command on shift
What gets logged immediately
Which area is secured first
What evidence must be preserved
When tenants, residents, or clients are informed
If those basics aren't set in advance, the incident owns the team. Not the other way round.
Preparation Defining Your On-Site Roles and Responsibilities
Preparation is where most response plans either become usable or collapse into theatre. If the document says "notify relevant stakeholders" but nobody knows who that means at 1 AM, the plan isn't operational. In buildings, the preparation phase has to reflect who is physically present, who can make decisions remotely, and which contractors can fix the problem.
Build a response team around the building, not the org chart
The biggest mistake is creating a plan around job titles that aren't on site when something happens. A practical team usually starts with the people closest to the incident and then expands outward.
That often includes:
Front desk or concierge staff who receive first reports from residents, staff, or visitors
SIA-licensed security officers who verify, secure, and document the scene
CCTV operators who confirm movement, direction of travel, and timing
Mobile patrol supervisors who can respond physically out of hours
Facilities or property managers who authorise contractors and tenant communications
Approved contractors for locks, glazing, electrical faults, leaks, or access systems
If your operation uses licensed guarding, the standard of training and accountability matters. A useful reference point for non-security managers is this guide on what an SIA licence means for businesses, because response quality often depends on whether the person on shift is authorized and competent to act, not just observe.
Sample Incident Response Roles in Facilities Management
Role | Primary Responsibility | Example Action |
|---|---|---|
Front desk or concierge | Receive and log the first report | Record time, caller, location, and immediate risk |
On-site security officer | Verify incident and protect people | Attend location, assess risk, restrict access |
CCTV operator | Confirm facts and preserve evidence | Review live feed, bookmark footage, track movement |
Mobile patrol supervisor | Provide out-of-hours physical support | Attend site, conduct perimeter and lock checks |
Facilities manager | Direct escalation and business continuity | Approve contractor call-out and area closure |
Duty manager or client contact | Make operational decisions | Authorise tenant updates or partial shutdown |
Maintenance contractor | Remove the root cause | Repair failed lock, isolate leak, secure window |
Admin support or control room | Keep the timeline accurate | Maintain incident log and call record |
Practical rule: Assign one person to own the incident log from the first alert to the all-clear. If everyone logs bits of the story, nobody has the full record.
Write the call order before you need it
A communication tree has to do more than list phone numbers. It should show sequence. For example, if a rear-entry breach is confirmed after hours, the guard may call the control point first, then the mobile supervisor, then the duty manager, then police if thresholds are met. If the issue is a burst pipe rather than forced entry, the sequence changes. Security may still secure the area, but the first escalation may be to maintenance and the building manager.
The strongest plans also define fallback communication. If a person doesn't answer, who is next? If the manager is abroad, who has delegated authority? If tenants need a morning update, who drafts it?
A good preparation pack for facilities teams usually includes:
A role sheet with named responsibilities by shift
An escalation matrix for security, safety, access, and building services incidents
A contact list with primary and backup numbers
Site-specific actions for areas like loading bays, risers, reception, plant rooms, and vacant floors
Evidence handling guidance covering logs, photos, patrol reports, and CCTV retention
Preparation is not paperwork for its own sake. It is what lets the night team make good decisions without waiting for daylight.
Incident Response Procedures - Rapid Identification and Containment in Practice
When an incident starts, speed matters, but blind speed makes things worse. The point of Identification is to work out what is happening. The point of Containment is to stop it spreading. In buildings, those two phases often run almost side by side.
Identification starts with usable signals
Good identification depends on signal quality. A generic "motion detected" alert isn't enough. Teams work faster when the alert already includes camera location, timestamp, relevant access event, and a clear route for verification.
That is why integrated tools matter in day-to-day facilities work. A live feed, door event, patrol report, and incident log should support one another rather than sit in separate systems. For teams relying on remote observation, 24/7 CCTV monitoring is valuable because it gives the responder context before anyone physically attends. If the camera shows one person leaving through a forced side entrance carrying items, the response is different from a wind-blown service door with no sign of entry.
Containment means controlling the site, not creating panic
The National Cyber Security Centre advises UK organisations to aim for a Mean Time to Acknowledge under 15 minutes and a Mean Time to Contain under 30 minutes for critical incidents, as noted in this summary of NCSC benchmarks. Those numbers come from cyber guidance, but the operational logic applies strongly to physical security and facilities settings. Delayed acknowledgement creates uncertainty. Delayed containment gives the incident room to grow.
In practice, containment in a building might mean:
Securing one zone rather than evacuating the whole site
Disabling one access credential rather than shutting every door
Closing a lift bank if a leak affects electrics nearby
Holding visitors at reception while a threat is verified
Preventing cleaning or contractor traffic through a live evidence area
The best containment action is the one that buys control without causing a second incident.
What good containment looks like on shift
Consider three common scenarios.
A trespass alert on an upper floor should trigger camera confirmation, physical attendance by the nearest competent responder, temporary restriction of lift or stair access if safe to do so, and preservation of the footage before anyone starts overwriting or casually reviewing clips on different devices.
A water leak in a riser cupboard needs the same discipline. Someone identifies the source, isolates supply if authorised, secures the area, protects electrics, and logs which services are affected. Too many teams treat that as maintenance only. It isn't. Once common areas become slippery, access routes narrow, or fire doors are wedged for contractor movement, the incident has become a broader site-control problem.
A suspicious package report at reception is another example. Identification is not guesswork by the nearest person. It is controlled questioning, preservation of the area, escalation to the duty lead, and disciplined communication to avoid crowding the scene with well-meaning staff.
A useful rule set for first responders is short enough to remember:
Confirm the location
Verify the risk
Protect people first
Restrict spread
Preserve evidence
Escalate using the agreed tree
Facilities teams that do this well don't chase every alert with the same response. They categorise quickly, contain proportionately, and keep the building functioning where possible.
Eradicating Threats and Recovering Operations
Containment only stabilises the problem. It doesn't remove it. A failed maglock that has been manually watched by security is still a failed maglock. A smashed ground-floor pane boarded over at 3 AM is still a damaged perimeter. A flood isolated at the valve is still a recovery job until the area is inspected, dried, cleaned, and signed off.

Eradication is the point where temporary control becomes a permanent fix
Take a simple overnight intrusion. Security has attended, police have been informed where required, and the affected area is under control. Eradication means removing the conditions that made the breach possible. That may involve replacing a lock, repairing a frame, resetting compromised access credentials, checking whether any internal doors were tampered with, and reviewing whether the intruder left tools, damage, or hazards behind.
The same logic applies to buildings support work. If a patrol has only stood on a door because the closer failed, the threat isn't gone. If a concierge has taped off a wet floor caused by a ceiling leak, the threat isn't gone. Eradication requires the technical fix and verification that the immediate cause has been dealt with.
For sites that need out-of-hours attendance and perimeter checks, mobile security patrols are often the bridge between first response and permanent remedy. They can keep a site controlled while specialist contractors arrive, but they should never become a substitute for completing the repair.
Recovery needs a managed return to normal
Recovery is where weak plans often rush. Everyone wants the building "back to normal", but reopening too early creates repeat incidents. The safer approach is staged recovery.
A solid recovery sequence often looks like this:
Verify the root cause has been addressed. The leak is stopped. The lock is functioning. The hazard is removed.
Inspect affected areas. Not just the obvious point of failure, but adjacent corridors, plant spaces, ceilings, and access routes.
Confirm documentation. Photos, contractor notes, patrol logs, and footage retention should be complete before the site forgets what happened.
Restore access in order. Staff areas, tenant routes, public-facing spaces, then non-essential areas if needed.
Communicate the all-clear. Occupiers need to know whether any restrictions remain.
One useful way to walk teams through that handoff is to use a short scenario review during training. This video gives a practical reference point for the wider incident response cycle before you adapt it to building operations:
A flood scenario shows the difference clearly. Containment is shutting off water and securing the zone. Eradication is repairing the failed component and removing the immediate hazard. Recovery is testing electrics where needed, cleaning the area, checking slip risk, reopening in phases, and confirming to tenants or residents that the space is safe to use again.
Recovery is not the moment people get tired and skip checks. It is the moment the building team proves control has actually returned.
When these stages are handled well, the incident ends with a recorded all-clear, not a vague sense that things seem fine again.
The Post-Incident Review and Documentation Loop
The review after an incident is where mature operations separate themselves from reactive ones. Anyone can look busy during a live issue. Fewer teams can explain, the next morning, why the event happened, where delay entered the response, and what will change before the next one.
Most teams improve only when the review is blame-free
A useful review is factual, short, and honest. It doesn't ask who looked bad. It asks what happened, when it happened, and what blocked an effective response. If staff think the meeting is a hunt for mistakes, they will protect themselves instead of exposing weak points in the process.
UK government guidance on incident response uses Lessons Learned as the final phase and recommends realistic testing with board involvement so the organisation rehearses before a real event, as summarised in this overview of the six-phase methodology. In a facilities context, the same principle applies to client representatives, building managers, supervisors, and contractors. If one of those groups is absent from the review, the fix is usually incomplete.

Documentation is what turns a bad night into a better system
The review should produce concrete outputs, not broad observations. "Communication could improve" is not useful. "The mobile supervisor was called before CCTV footage was bookmarked, which delayed evidence preservation" is useful.
A strong post-incident review usually captures:
Timeline accuracy. First alert, acknowledgement, attendance, containment, handover, all-clear.
Decision quality. Which calls were correct, delayed, unnecessary, or missing.
Control gaps. Failed lock, unclear authority, missing key, outdated contact list, weak camera view.
Evidence quality. Whether logs, photos, footage, and witness details were properly retained.
Action owners. Named people with deadlines to update procedure, training, or equipment.
The incident report is not admin. It is the raw material for better staffing, clearer procedures, and a stronger budget case.
This is also where cross-functional input matters. Legal, HR, PR, suppliers, and operational leads may all need to feed back after a serious event. If the security team reviews the incident alone, you often miss the communication delays or contractor bottlenecks that caused the main disruption.
The best reviews end by updating the live plan. Not a folder copy. Not a draft nobody uses. The actual call tree, role sheet, contractor list, and site instructions that the next shift will follow.
How to Train and Test Your Response Procedures
A response plan that hasn't been exercised is still just a theory. That gap is larger than many managers realise. The NCSC reports that 78% of UK organizations have never conducted a formal cyber incident exercise, and that gap leads to a 45% longer Mean Time to Detect during real breaches compared with organisations that regularly test their plans, according to this IASME article on incident exercises.
Use short tabletop exercises, not theoretical policy reviews
Facilities teams don't need elaborate simulations to start. A short tabletop works if it mirrors the building's actual risks.
Pick one scenario. For example, unauthorised entry through a loading bay at 11:40 PM, or a leak above a tenant suite discovered before opening time. Put the relevant people in one room or one call. Ask them to state, in order, what they would do, who they would contact, what they would log, and what would trigger escalation.
Then pressure-test the weak points:
Unavailable manager. Who has delegated authority?
Conflicting reports. Which source decides whether the incident is verified?
Contractor delay. How is the site kept safe meanwhile?
Evidence issue. Who secures footage and patrol notes?
Tenant pressure. Who communicates status without guessing?
What to rehearse with building teams
The most useful exercises are ordinary incidents handled with discipline, because those are the ones teams face most often.
Focus on:
Access control failures such as tailgating, forced entry, or lost credentials
Out-of-hours alarms where CCTV, patrols, and managers must coordinate
Building services incidents like leaks or power-related access disruptions
Reception incidents involving suspicious behaviour, aggressive visitors, or unattended items
Recovery handoffs where security, FM, and contractors must reopen an area safely
Keep the review tight after each drill. What slowed action. What wasn't clear. Which phone number failed. Which report field nobody filled in. Then update the live procedure while the lessons are fresh.
Training works when it becomes routine. Staff stop treating incidents as surprises and start treating them as managed events.
If your site needs incident response procedures that work in real buildings, not just on paper, Solomon's Facilities Management supports London offices, residential buildings, retail locations, and event venues with integrated security, concierge, reception, cleaning, CCTV monitoring, and mobile patrol services. Their teams provide 24/7 cover, SIA-licensed personnel, digital incident logging, and a single point of accountability across Central, East, and North London.


Comments