Business Continuity – More than just a plan

Don't throw away all of your effort to build your business - Be prepared!  (image courtesy of FEMA)

Don’t throw away all of your effort to build your business – Be prepared! (image courtesy of FEMA)

Every year businesses are forced to close due to the impacts of disaster.  Research from the National Federation of Independent Business (NFIB) tells us that the top four threats to business suffering the impact of disaster are:

  1. Power Loss
  2. Loss of Sales and Customers
  3. Length of Recovery
  4. Uninsured Loss

How can businesses protect themselves against these impacts?  Planning for them is, of course, the easy answer.  Just like governments, though, wouldn’t it make the most sense for a business to have an emergency preparedness program in place?

Consider that small business owners invest a great deal of time, energy, and funding to build and grow their business.  As an independent consultant I can be working on a variety of things on any given day including project management, marketing, and accounting.  Small business owners that deal with products (vs services) often times have even more to deal with including inventory, vendors, and distributors.  The foundation of these entrepreneurial efforts is often times the business plan.  Aspiring business owners put a lot of effort into creating this plan which describes what the business will do, what the market capacity is, what the competition looks like, and even trying to forecast revenues for several years.  A successful business may continue elements of this business plan years later through a strategic plan intended to guide growth and company-wide efforts.  Doesn’t it make sense that if we put so much effort into building and growing our businesses that we put some effort into ensuring that our businesses will survive a disaster?

As a society we generally like plans.  They are an organized tome capturing our assumptions, ideas, and strategies to accomplish something.  Plans are good and certainly help us through a great deal.  A disaster plan, though, is not a disaster program.  The plan may embody our program, helping to guide and inform our decisions in the event of a disaster, but our preparedness efforts must stretch beyond a plan if we are to be successful.  Consider DHS’ POETE capability elements – Planning, Training, Organizing, Equipping, Training, and Exercising.  With these elements in your head scroll back up to those top four threats from the NFIB and give them a moment of thought.  You probably now have some additional ideas as to how you can address and prevent each of those with activity which may go beyond planning.

This recent article from Small Business Trends (which provided my initial inspiration for this blog post) provides a good outline of initial considerations for every business relative to disaster preparedness.

What does your business do to be better prepared?

Shameless plug time: Need help building your business continuity program?  Emergency Preparedness Solutions can help!  Contact us at or check out our website at

© 2014 Timothy Riecker


Hackers Endanger Public Safety With Pranks

VMS Vulnerabilities Can Have Serious Consequences (Image from

VMS Vulnerabilities Can Have Serious Consequences (Image from

Over the past few years we’ve seen some prominent occurrences of hackers gaining access to public safety systems where they make changes which, while a bit humorous at first blush, are serious examples of the vulnerability of our systems.

This article describes a vulnerability in variable message signs (VMS), which can be programmed remotely to notify drivers of hazards or give other pertinent information.  In another occurrence, in February of 2013, hackers gained access to the Emergency Alert System, broadcasting messages about a zombie attack.

The favor these pranks do for us is to identify vulnerabilities in our systems.  Both articles mention that some vulnerabilities were exploited simply because the default passwords on these systems were never changed.  Agencies that maintain any kind of public messaging system (and yes, this should also include websites and social media accounts), should adhere to the guidance we all normally hear about passwords – create strong passwords including combinations of numbers, letters, and symbols (when possible), avoid patterns or predictable passwords, and change passwords regularly.  As a matter of information security, these passwords should only be known by a select few.

Why are these occurrences serious?  Obviously (to most of us) they are taken in jest, but these are public safety systems which should only be accessed by public safety professionals.  The information and instructions provided over these systems need to come from reliable sources to ensure that the public takes the messages seriously and follows the instructions given.  We should be thankful these instances were pranks, as someone with malicious intent could have provided information which could have endangered the public.

All levels of government and any other organizations which maintain public alerting systems, including colleges and universities and even highway construction firms need to make a thorough examination of their systems, identify potential vulnerabilities, and take steps to ensure they are protected.

What other systems offer vulnerabilities to hacking?


© 2014 Timothy Riecker



Engaging a Nation in Preparedness – Learning from History

June 14, 1954 saw the first nation-wide civil defense drill conducted in the United States.  The Civil Defense Administration organized and promoted the event, which included operations in 54 cities around the country, including Puerto Rico, the US Virgin Islands, Alaska, and Hawaii.  Canada had also participated in the event.  The History Channel website has a nice write-up on the event.  The History Channel’s article explains some of the activities conducted during the event, which largely consisted of sheltering drills.

Today we do see some nation-wide exercises which engage citizens through the Shake Out earthquake drills.  Their website has a great deal of information on the program, including how you can participate.  The statistics on their site are great, showing not only the US regional exercises but also Shake Out exercises conducted in nations around the world (something I was not familiar with until visiting their site this morning).  The earthquake hazard in the US and around the globe is significant – in fact we just saw two large earthquakes late yesterday – a 7.9 near Alaska and a 7.2 near New Zealand.  While the core activity of the Shake Out exercises is the ‘Drop, Cover, and Hold on’ (similar to the ‘duck and cover’ of the civil defense days), their website also promotes preparedness activities including a ‘hazard hunt’ for items which may fall during an earthquake, a family disaster plan, business and organizational continuity planning, and emergency supply kits.  This is the type of preparedness activity we need to continue, but we also need to do more.  Unfortunately the message still isn’t getting through to many people.

How do you think we should get the message out?


© 2014 Timothy Riecker



Kansas City Changing the Paradigm In Shooter Responses

Despite some discussions going back to late last year about changing they way we respond to mass shootings, I’ve not heard of any major municipalities actually make these changes – until now.  Responders in Kansas City, MO (KCM) have exercised their new plan regarding early insertion of EMS personnel into an active shooter scenario.  The exercise appears to be very early stage, using it as a learning experience from which to further develop plans.  (another great use of exercises!)

I commented on the discussed changes back in January and I still have the same concerns today that I did then.  I had posted some discussion threads similar to my blog post onto LinkedIn discussion boards which prompted some very spirited discussion.  Most people agreed that getting EMS into an active shooter area early can save lives, but it needs to be done the right way.  KCM seems to be going in the right direction by developing plans and protocols jointly with law enforcement and working out the kinks and questions via drills and other exercises.  Carrying the preparedness cycle further, I’m sure they will work toward training and equipping EMTs appropriately for such a situation.  Constant practice of these protocols by all parties will be very important.  Responder safety needs to be the utmost concern.  While there have been incidents to the contrary, we as responders and we as a society are not used to EMTs and firefighters being shot at, much less killed in action by an aggressor.  Certainly the first EMT fatality in an incident such with an early insertion protocol will result in the protocol being aggressively questioned – as it should.  I just hope that those doing the questioning keep the appropriate context.

Just as there is no easy answer on how to stop mass shootings, there are no easy answers on how best to respond to them.  I’m hoping KCM is willing to share their worked out plan and protocols with the responder community so we can learn from them.  Such sharing will be very important to the evolution of responses to these types of incidents.

© 2014 Timothy Riecker

Hazard Analysis – Looking Beyond Your Borders

In the radiological emergency preparedness niche field of emergency management we conduct a lot of preparedness activities for a hazard which may not even be within our jurisdiction.  The emergency planning zone (EPZ) for a nuclear power plant often times transcends multiple towns, cities, villages, counties, and even state lines.  While I have some issues with the effectiveness and implementation of radiological emergency planning, they at least address the reality of the hazard crossing the artificial borders we humans have established.  For other hazards, this premise usually does not hold true.

In January of this year a chemical leaked from a storage tank at a coal processing facility in Charleston, West Virginia.  This chemical leaked into the Elk River and both directly and indirectly impacted hundreds of thousands of citizens, businesses, and governments requiring evacuations and preventing water use for several weeks. The DHS Lessons Learned Information Sharing (LLIS) website has posted a brief by The Joint Commission on this incident with specific citations on the impacts to area hospitals, mostly through contracted laundry services.

In the private sector, we often encourages businesses to examine the vulnerabilities of suppliers and distributors as part of their hazard vulnerability analysis (HVA) and business impact assessment (BIA).  This is not something often considered by governments.  For example, in my town, there is only one very small gas station, so due their limited hours (fuel is not available 24/7) government services and the town’s contracted fire company must leave the town for fuel.  That is a significant dependency on a supplier outside the jurisdiction.  I’ve sure there are many other suppliers used by the town which lie outside their borders.  Additionally, what are the potential impacts of an incident that occurs in a neighboring jurisdiction?  Such an incident could either directly impact you, such as a chemical plume entering your jurisdiction; or would require your jurisdiction to address sheltering, traffic, or mutual aid needs.

I would suggest, as part of the hazard analysis phase of your planning process, that you obtain copies of the hazard analysis of neighboring jurisdictions.  The hazards they indicate may be quite eye-opening to you and may require you to better prepare for a hazard beyond your borders.

©2014 Timothy Riecker

FEMA National Preparedness System Updates

This afternoon hosted Donald ‘Doc’ Lumpkins, the Director of the National Integration Center from the National Preparedness Directorate. Doc had some great information on their current and near future activities regarding updates to the National Incident Management System (NIMS) and new Comprehensive Preparedness Guides (CPGs) expected to be released this year.  This is great news as we are always seeking additional national guidance and revisions which help us to maintain standards of practice.

Regarding NIMS, the guiding document has not been revised since 2008.  Doc specifically mentioned updates to NIMS to include:

  • the National Preparedness Goal and the National Preparedness System
  • Expanding NIMS across all five mission areas (Prevention, Protection, Mitigation, Response, and Recovery)
  • Encouraging whole community engagement and understanding
  • Continued emphasis that NIMS is more than just the Incident Command System (ICS)
  • Integrating incident support structures (such as EOCs – more on EOCs later)
  • Integrating situational awareness content
  • Incorporating lessons learned from exercises and real world events (Doc mentioned his office’s activity of culling through to gain much of this information)
  • Including stakeholder feedback in the revision efforts
  • NIMS update activities will be conducted through the summer with an expected release of a new document this fall

As a significant component of the NIMS update, there will also be continued efforts to update the resource typing list.  Priority will be given to resources which are often requested.

The next topic of discussion was the Comprehensive Preparedness Guides (CPGs).  I was very excited to see a list of likely and potential CPGs either currently under development or expected to be developed soon.  These included:

  • Updating CPG 101
  • A CPG for Strategic Planning (This should shape out to be excellent guidance and essentially serves as a ‘catch all’ for many of the strategic planning tasks we do in emergency management)
  • Incident Action Planning (Doc said this will not be anything new or a replacement of best practices such as the Planning P.  Rather this document will serve to capture these best practices and ensure currency and critical linkages)
  • Planning for mass casualty incidents
  • Social media (a critical aspect of emergency management that is still changing regularly, and I don’t yet feel that we have a firm grasp on it and how to best use it.)
  • Access/Re-Entry to disaster sites
  • Improvised Explosive Devices (crafting hazard-specific annexes)
  • EOC guidelines (I’m hoping this document, while outlining best practices, provides flexibility for different management models of EOCs)
  • Search and rescue management

I’ve come to greatly appreciate that the National Preparedness System is a blanket thrown over the five mission areas, recognizing that each mission area (again – Prevention, Protection, Mitigation, Response, and Recovery) must be prepared for at every level of government to achieve the greatest measure of effectiveness.  There are many critical linkages within preparedness that are found within each or at least most mission areas and the continued efforts of the National Preparedness Directorate seem to be going in a good direction and incorporating the right people and information in their efforts.  Within this frame of thought, Doc mentioned that all of these efforts will utilize subject matter experts from across the country, with many drafts having public comment periods.  Be on the look out for these (I’ll post them as I see them) and be sure to review and comment on them.

As a final note, this was the last broadcast for EMForum.  After 17 years they are shutting down their program.  There has been no mention as to why they are shutting down.  While I’ve not attended every webinar, I do catch a few each year when the topic and/or speaker interest me.  The loss of EMForum is a loss to emergency management and the spirit of sharing information we have.  Through EMForum, there have been many great webinars, such as this one, where new programs and best practices are shared.  I’m hopeful the function that EMForum has served in facilitating this soon replaced so we can continue to stay up to date on what is transpiring.

©2014 Timothy Riecker

Talking Turkey – Point of Distribution (POD) Exercise

I recently read an article (although I can’t find it) about a health department who conducted a point of distribution (POD) exercise during the holidays.  Instead of handing out Tic Tacs or some other silliness, they did something great for their community – they distributed turkey dinners to those in need.  As I don’t have the article to reference and I had only skimmed over it the first time through, I don’t have the details of how they pulled this off, but having participated in the planning of POD exercises (particularly those that have a direct impact on the community, such as one that distributed preparedness kits and information) I can surmise how they did it.

As most of my readers know, emergency management is a collaborative process.  While local health departments are responsible for medical points of distribution, they can’t do it alone.  These are massive efforts to inoculate or prophylax hundreds if not thousands of persons within a narrow time frame.  These efforts require cooperation and support from emergency management, law enforcement, fire service, EMS, hospitals, volunteer organizations, and the private sector.  Commodity PODs can also be established, not necessarily run by the health department, with the intent of distributing needed commodities – such as tarps, food, or water – to the populace.  Health departments, however, are required to exercise their POD plans, which requires registration, intake, education, and inoculation of citizens.

In the example I linked to in the first paragraph regarding the preparedness kits, the health department was able to purchase most items and utilized a mix of staff and volunteers to run the POD, with support from other agencies to address traffic, parking, and other needs.  In the turkey dinner exercise, I imagine they were able to pay for some items and had others donated for this worthwhile effort.  It’s a great way of supporting the community with an immediate need while preparing for a future need.  Kudos to that community!

Now if I can only find that article…


6/17/14 Edit… I found a reference!

LLIS posted an ‘Innovative Practice’ bulletin about this exercise.  It can be found here.  To clarify/correct, it was actually an SNS exercise.


© 2014 Timothy Riecker

Verizon Ready for Storm Season

Great article from the Wall Street Journal on Verizon’s preparedness efforts for hurricane season.  The article seems to indicate all the right preparations, from planning and exercises to equipment and staging, response teams, and their own corporate EOC.  Much of our critical infrastructure is owned and operated by the private sector – it’s good to see the measures of preparedness Verizon takes responsibility for.  It’s certainly a model for other companies and industries – and even local governments.


Was the Sewol Korea’s Katrina?

By now everyone is familiar with the South Korean disaster this past April – the sinking of the MV Sewol and the loss of almost 300 passengers, most of which were high school students, and to date, two divers involved in the recovery of the bodies.  The vessel was carrying almost 4000 tons of cargo – over 4 times its rated limit.  The morning of its fateful trip, the top-heavy Sewol took on water and capsized.  A lack of leadership on the vessel resulting in confusion, trapping hundreds in a watery grave.  This would be a horrific disaster for any nation to face.

Through the years we’ve seen numerous ferry boat disasters around the world, most of which are off the shores of developing nations – those with few if any safety standards and a lack of regulatory and enforcement agencies.  Rarely, however, do we see ferry boat disasters occurring in developed nations.  In many regards we consider South Korea our peer and sometimes even an innovator, especially in the areas of technology and engineering.  It seems, however, that regulation has not kept up with innovation.  South Korea’s response efforts have also been criticized.

In 2005, the United States suffered the impacts of Hurricane Katrina on the Gulf Coast.  Over 1800 people lost their lives.  The disaster within the disaster was how poorly our emergency management system worked.  Their were failures at higher levels of Federal and State government, resulting in response delays and poor coordination and delivery of resources.  FEMA was blamed for most of these failures.  People were fired or asked to resign and new plans were created and implemented – most of which at the behest of legislators.

Now in South Korea in the wake of the ferry tragedy, their federal government is on the verge of launching a new national safety agency, meant to usurp responsibilities from various other federal agencies including the Ministry of Security and Public Administration, the National Emergency Management Agency, the Ministry of Oceans and Fisheries, and the Coast Guard.  Change is clearly needed, but will a new organization bring about the changes needed to protect the citizens of South Korea?

We tend to see a great deal of change when tragedies such as this occur.  Obviously changes need to be made, but few accept responsibility.  Changes also seem to be made to give the illusion of progress, with no real plans set in place to address the underlying issues that exist.  It seems people feel that change itself will provide the fixes which are needed.  We’ve seen reorganizations put in place at FEMA on several occasions, intended to streamline or address dysfunctionality.  We’ve seen the same happen with the American Red Cross – who seems to alternate between two different organizational models with each decade.  Just recently the Secretary of the Veterans Affairs Administration resided amidst their scandal – activities which have taken place quite a distance from his post, activities which you hear little responsibility taken by the individual hospital administrators where it truly lies.

It’s not to say that all organizational change is unnecessary.  Organizations are organic, living, breathing entities – not static creations.  They must evolve and adapt to continue being successful.  That doesn’t mean, however, that every occurrence of negative press necessitates an organizational change.  Organizational changes are expensive in time, money, and the anxiety of employees.  They stall out progress of the organization until rebuilding is complete, then progress resumes slowly as the kinks are worked out.  Many think a plan for reorganization is simply drawing a new organization chart and that its implementation, after the firing of a few people and handing out new titles to others can be implemented overnight.  This, clearly, is fundamentally wrong.  Consider that even small businesses put a great deal of time into creating business plans which outline the resources, organization, and strategy of a new company.

I would challenge that it’s the people and the culture of these agencies that need to change.  Certainly they need new or different approaches to problems, some adjustments in their chain of command, and the tools to do their jobs better.  A radical reorganization should only take place if it’s completely necessary.  Consider what the creation of DHS has done for us – yes, their have been some improvements in prevention, preparedness and response; but at what cost?  A massive umbrella agency with coordination and leadership problems of its own.  DHS didn’t escape Katrina unscathed either due to its position between the FEMA Administrator and the President.

It seems that reorganization is the easy knee-jerk answer to problems.  Let’s slow down a bit, assess the failures and their causes, and address the internal problems first.  Without doing so, new agencies and new titles will carry the same problems.

© Timothy Riecker 2014