8 Predicted Changes to Emergency Management Post-Pandemic

In public safety we learn from every incident we deal with.  Some incidents bring about more change than others.  This change comes not just from lessons learned, but an effort to apply change based upon those lessons. In recent history, we’ve seen significant changes in emergency management practice come from disasters like the 9/11 terrorist attacks and Hurricane Katrina, with many of the changes so significant that they are actually codified and have led to new doctrine and new practices at the highest levels.  What changes can we expect from the Coronavirus pandemic?

Of course, it’s difficult to predict the future.  We’re also still in the middle of this, so my thoughts may change a month or two into the future.  Any speculation will begin with idealism, but this must be balanced with pragmatism.  Given that, the items I discuss here are perhaps more along the lines of changes I would like to see which I think have a decent chance of actually happening. 

  1. Legislation.  Similar to the aforementioned major disasters, this too will spawn legislation from which doctrine and programs will be derived.  We are always hopeful that it’s not politicians who pen the actual legislation, but subject matter experts and visionaries with no political agendas other than advancing public health preparedness and related matters. 
  2. More public health resources. This one, I think, is pretty obvious.  We need more resources to support public health preparedness, prevention, and detection efforts.  Of course, this begins with funding which will typically be spawned from the legislation mentioned previous.  Public health preparedness is an investment, though like most preparedness efforts, it’s an investment that will dwindle over time if it’s not properly maintained and advanced to address emerging threats and best practices.  Funding must address needs, programs to address those needs, and the resources to implement those programs. 
  3. Further integration of public health into emergency management.  Emergency management is a team sport.  Regardless of the hazard or the primary agencies involved, disasters impact everyone and many organizations and practices are stakeholders in its resolution and can contribute resources to support the resolution of primary impacts and cascading effects.  Despite some gains following 9/11, public health preparedness has still been treated like an acquaintance from another neighborhood. The legislation, doctrine, programs, and resources that we see MUST support an integrated and comprehensive response.  No longer can we allow public health to be such an unfamiliar entity to the rest of the emergency management community (to be clear – the fault to date lies with everyone). 
  4. Improved emergency management preparedness.  Pulling back to look at emergency management as a whole, we have certainly identified gaps in preparedness comprehensively.  Plans that were lacking or didn’t exist at all.  Equipment and systems that were lacking or didn’t exist at all.  People who didn’t know what to do.  Organizations that weren’t flexible or responsible enough.  Processes that took too long.  Poor assumptions on what impacts would be. We can and must do better.
  5. An increase in operational continuity preparedness.  We’ve been preaching continuity of operations/government for decades, yet so few have listened. The Coronavirus pandemic has shown us so many organizations jumping through their asses as they figure it all out for the first time.  By necessity they have figured it out, some better than others.  My hope here is that they learned from their experience and will embrace the concepts of operational continuity and identify a need to leverage what they have learned and use that as a basis for planning, training, exercises, and other preparedness efforts to support future continuity events. 
  6. Further expansion of understanding of community lifelines and interdependencies of critical infrastructure.  This pandemic gave us real world demonstrations of how connected we are, how vulnerable some of our critical infrastructure is, and what metrics (essential elements of information) we should be monitoring when a disaster strikes.  I expect we will see some updated documents from DHS and FEMA addressing much of this. 
  7. More/better public-private partnerships.  The private sector stepped up in this disaster more than they previously ever had. Sure, some mistakes were made, but the private sector has been incredibly responsive and they continue to do so.  They have supported their communities, customers, and governments to address needs they identified independently as well as responding to requests from government.  They changed production.  Increased capacity.  Distributed crisis messages.  Changed operations to address safety matters.  Some were stretched to capacity, despite having to change their business models.  Many companies have also been providing free or discounted products to organizations, professionals, and the public.  We need to continue seeing this kind of awareness and responsiveness.  I also don’t want to dismiss those businesses, and their employees, that took a severe financial hit.  Economic stabilization will be a big issue to address in recovery from this disaster, and I’m hopeful that our collective efforts can help mitigate this in the future. 
  8. An improved preparedness mindset for individuals and families.  Despite the panic buying we saw, much of the public has finally seemed to grasp the preparedness messaging we have been pushing out for decades.  These are lessons I hope they don’t forget. Emergency management, collectively, absolutely must capitalize on the shared experience of the public to encourage (proper) preparedness efforts moving forward and to keep it regularly in their minds. 

In all, we want to see lasting changes – a new normal, not just knee-jerk reactions or short-lived programs, that will see us eventually sliding backwards.  I’m sure I’ll add more to this list as time goes on, but these are the big items that I am confident can and (hopefully) will happen.  I’m interested in your take on these and what you might add to the list.

Be smart, stay safe, stay healthy, and be good to each other. 

© 2020 Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC

Facing Coronavirus/COVID19 and Implementing Business Continuity

Many organizations are trying to figure out how to sustain in the midst of COVID19.  While we have been advocating business continuity plans for decades, many organizations haven’t seen the necessity.  COVID19 seems to be demonstrating that necessity.  Understanding that many organizations are not familiar with business continuity, I’m offering some considerations in this article and have written on the topic in the past as well.  You may be tempted to short-cut the planning process in a sense of urgency… don’t do it.  This can result in missing important things. 

  1. Don’t do it alone.  The first step in all emergency planning is to build a team.  Get the right people together in a room to talk things through.  It ensures you have multiple perspectives and helps you divide the work. 
  2. Document, document, document.  Documentation is a key to successful planning and implementation. It helps support effective communication and understanding internally and externally. 
  3. Identify your Mission Essential Functions.  Mission Essential Functions are those activities that are absolutely necessary to keep your organization running.  Things like finance, payroll, HR, IT, and critical organizational operations (the activities that make you money or the activities that are part of your core organizational charter) are among your Mission Essential Functions.
  4. What else to think about? What work can or can’t be performed remotely?  Consider how your organization will handle the absence of your own employees if they become ill, must care for an ill family member, or have to care for children if schools are closed.  It’s also important to identify considerations for key partners (shippers, suppliers, etc.) if they are unable to conduct their services for a time.  How will these things impact your organization? 
  5. Engage HR.  Your Human Resources staff are critical cogs in the wheel of business continuity.  They will help identify HR/personnel/labor union policies, contracts, and other matters that may encumber the success of your business continuity.  Once problems are identified, set them to addressing those problems.  Sick leave policies, remote work policies, child care, and worker safety are among the priority discussions we’ve been seeing lately. 
  6. Engage IT.  Information Technology is a big aspect of business continuity.  Most business continuity plans call for many of an organization’s staff to work remotely.  Amazingly, so many organizations still have policies against working remotely, or at least no standard addressing how remote work is to be implemented, conducted, and managed.  HR and IT should be partnering on policies and procedures to address accountability, expectations of the organization, expectations of staff working remotely, and expectations of any staff still working in the office.   
    1. Along with policy matters, there are also matters of hardware, connectivity, and procedures.  What staff will be working remotely?  Has the organization provided them with the tools to do so?  Do they have internet connectivity from their remote location?  What systems and information will be accessed remotely and how?  How will system security be monitored and maintained?  Will a help desk be available to address problems?
    1. Test, test, test.  If you’ve not engaged a number of your staff in remote work before, now is the time.  Have some staff work from home and see how it goes.  Don’t just pick your most tech-savvy staff, either.  Now is the time to identify and address problems. 
  7. Consider the impacts of your changes.  Whatever organizational operations you are changing will have some impact on how you do business.  Where will your phones be directed to?  How will you conduct meetings?  How will signatures be handled?  How will you accept deliveries?  How will staff send mail from their remote work location?  Will you still meet face to face with clients/customers?  Does the office still need to be staffed? 
  8. Staff Communication.  Ensure that staff know what’s going on. Don’t leave them in the dark on this. Keep safety as the central point of your messaging.  Listen to their questions and concerns, and be timely and honest in your responses.  Keep open lines of communication.
  9. Stakeholder Communication.  Vendors, clients/customers, shippers, boards of directors, even the public at large… they all need to know what’s going on and how the continuity event will impact them and their interests.  Just as with your staff, listen to their questions and concerns, and be timely and honest in your responses.  Keep open lines of communication.

The items I listed here are some of the more common concerns and considerations I’ve seen as of recent.  There are a lot of other aspects to business continuity and business continuity planning.  Pressure may be on, but move with urgency, not reckless haste.  If your plan and systems aren’t properly in place, your organization will suffer from poor preparations. 

© 2020 Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC®

Public-Private Partnerships Should be a Two-Way Relationship

Public-private partnerships are not a new concept to emergency management.  There are municipalities, regional areas, and states that have formed committees and strategized how the private sector can provide support during a disaster.  Certainly we have seen a lot of support, on both a large scale and locally, from the ‘big box’ stores, such as Wal-Mart, Lowes, and Home Depot.  Tide’s Loads of Hope program, something so simple but extraordinarily impactful, provides a means for disaster victims to have clean clothing.  Insurance companies have established a response capability to expedite their assessments and services to their clients.  Private sector partners know that these things are not just good public relations, but that they have a means of supporting communities that government and relief organizations may not.

There is another aspect to public-private partnerships that doesn’t seem to be widely addressed, and that’s the community business.  How can they help the community in a disaster?  First, business continuity is essential, since they may also be impacted by the disaster.  Small businesses don’t have the level of capability to leverage that large companies do.  Yes, the SBA can help them with long-term recovery, but the ability of some small businesses to get back to operations quickly can directly help a community recover.  I work with a lot of small communities, many of them serviced by small shops and independent grocers.  There are no big box stores for many, many miles.  For grocers, power outages result in spoiled food.  Road closures result in crippling supply chain problems.  While we’d like all businesses to have mitigation measures and preparedness for disasters, many small businesses simply don’t have the capitol to invest in things like generators and they obviously can’t control road closures.

What’s to be done?  Local municipalities absolutely need to bring these small business owners to the table, establish relationships, identify their needs, and consider identifying them as part of the community’s critical infrastructure.  The resilience of small grocers, lumber companies, and other purveyors is essential to the resilience and recovery of so many small towns.  The impacts are easy to see… if a store can keep running, they are not only providing essential goods and services to the community, they are also supporting the economy by keeping their employees working. What do they need?  Things like power and access, obviously, but tangential things like the availability of child care is huge.  Following disasters schools usually close and often become community shelters. Many parents work when their kids are in school.  If school is closed, they need access to child care.

How far can government go in supporting the private sector?  Many governments tend to avoid supporting the private sector as if it were some kind of disease.  It took many months to convince FEMA in the aftermath of Sandy to make dredging of private marinas eligible for disaster cost recovery.  These marinas (mostly small businesses themselves) support capabilities of fire and police watercraft, recreation (which has economic impact), and a significant fishing and crabbing industry, which is the livelihood of many off and on shore.  Obviously, FEMA needs to maintain accountability of funds and ensure they are being spent appropriately, but a big part of this was resistance to the idea of government providing direct support to the private sector.

While I agree that there are many nuances to this situation, it seems that in many cases the impact of small, local businesses in short-term recovery are disregarded, especially by state and federal governments, and that there exists a one-way door for business participation, where in this ‘partnership’ they are asked to provide goods and services, but how is government contributing to that partnership?  With the big box stores and other large companies, local governments certainly help with some permit expediting and perhaps physical space to set up and access to utilities, there is typically not much support required beyond that.  Small businesses may need more direct support to recover.  They may need help clearing their private access road or parking lot.  They may need the public road they are located on to be cleared for traffic sooner.  They may need a generator that can power their building.  They may need quantities of potable water brought on-site.  Their employees may need child care or public transportation.  These are things they either can’t immediately afford or simply don’t have access to. Local government may have better access to these resources, though, and with the justification of these small businesses providing essential goods and services to the community, the choice is easy.

Does this open government to potential criticism?  Absolutely.  Some business owners may claim discriminatory practices of government supporting some businesses and not others.  Some tax payers may even complain about the use of tax dollars in such a fashion.  While people may always complain, legal consequences and public relations problems should certainly be mitigated.  The road to addressing this is preparedness.  Engage your local attorney and the legal council for the state’s emergency management agency.  Municipal laws and state laws regarding authorities that can be enacted during a state of emergency need to be explored to not only make sure that local government has the legal ability to provide this support, but the conditions and procedures required for doing so.  The legal sources and procedures and standards for providing this support should be documented and made part of the local emergency plan. The municipality should have a criteria for determining what types of businesses could be included in such direct support (what is regarded as the municipality’s privately owned critical infrastructure?), and even outline requirements for those businesses, such as having a business continuity plan, implementing certain resiliency measures, or participating in coordination activities prior to a disaster.  Memoranda of understanding may be required, or other legal tools to identify the terms and conditions of support.

While this type of support from government to the private sector isn’t common, there are some municipalities who do it well.  I’m certainly interested in hearing what you’ve implemented and what best practices you’ve identified.

© 2020 Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC®℠

Taking Care of Your Staff After a Disaster

We are slowly seeing Continuity of Operations (COOP) Plans becoming more popular for organizations ranging from government, private sector, and not for profit.  There are numerous lessons learned that promote the benefits of these efforts to reduce the impacts from an incident on your organization, decrease down time, and increase the overall chances of your organization surviving a disaster.  Most COOP plans, however, are focused on organizational operations and mission essential functions, which is great, but organizations must remember that none of these can be performed without staff.

The ability of an organization to care for its staff, to the greatest extent possible, will not only support the organization’s recovery, it’s also the right thing to do.  Consider that taking care of staff also includes taking care of their families.  It’s difficult for a staff member to come to work focused on your mission when they have family members endangered by a disaster.

What can you do?  I don’t think anyone expects their employer to take care of all needs, but a bit of support and understanding go a long way.  If your organization has a direct role in emergency or disaster response or recovery, the support you provide your staff is even more critical.  While I have a number of tips and lessons learned from my own experiences on this, I came across a paper recently published by the US Department of Health and Human Services (HHS) Office of the Assistant Secretary for Preparedness and Response (ASPR).  While ASPR’s mission is to support hospitals and other healthcare facilities, this four-page document provides great information for all organizations.

Remember – the time to prepare is now!

© 2017 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC

Planning for Preparedness

Yes, planning is part of preparedness, but organizations must also have a plan for preparedness.  Why?  Preparedness breaks down into five key elements  – remember the POETE mnemonic – Planning, Organizing, Equipping, Training, and Exercising.  I’m also in favor of including assessment as a preparedness element.  Needless to say, we do a lot when it comes to preparedness.  Each of these elements alone involves significant activity, and together there are opportunities for activities to be synchronized for maximum benefit.  In smaller organizations, these elements may be addressed by one or two people, which itself can be challenging as these are the same people running the organization and addressing myriad other tasks.  In larger organizations each element alone may be addressed by a number of people, which also provides a complication of synchronizing tasks for maximum benefit.  Either way, as with all project and program management, without a plan of action, we may forget critical tasks or do things out of order.

By establishing a preparedness plan, we can address many of these issues.  The plan can be as detailed as necessary, but should at least identify and address requirements (internally and externally imposed) as well as benchmarks to success.  But what do we plan for?

Assessment – Yes, I’m including this as an element.  Assessment is something we should constantly be doing.  Just as we strive to maintain situational awareness throughout an incident, we have to be aware of and assess factors that influence our state of readiness.  There are a variety of assessments that we do already and others that can be done as they relate to the other five elements.  In fact, assessments will inform our preparedness plan, helping us to identify where we are and where we need to be.  We can review after action reports from incidents, events, and exercises to determine what improvements must be made.  We can research best practices and examine funding requirements, legal requirements, and standards such as EMAP or NFPA 1600 which can broadly influence our programs.  We assess current plans to identify what our gaps are and what plans need to be revisited.  We can assess our organization to determine if staffing is maximized and that policy, procedure, and protocol support an agile organization.  The status of equipment can be assessed to determine what is operational and ready to deploy.  We can conduct a training needs assessment to identify what training is needed; and lastly, we can assess opportunities to exercise.  Not only should our assessments inform what needs to be accomplished for each of the POETE elements, but regular assessment check ins and activities should be identified, nay planned for, within our preparedness plan.  Consider what else can inform our preparedness plan.  A recent hazard analysis, THIRA, or state preparedness report (SPR) can feed a lot of information into a preparedness plan – especially the state preparedness report, as it is specifically structured to identify POETE gaps.

Planning – We should always examine what we have.  If plan reviews aren’t scheduled, they often fall to the wayside.  Plan review teams should be identified for each plan, and a review schedule or cycle established.  Benchmark activities for plan review activities should also be identified.  The need for new plans should also be highlighted.  Based on standards, requirements, best practices, or other need, what plans do you organization need to assemble in the next year or two?  Again, identify benchmarks for these.

Organization – Assessments of your organization, either as direct efforts or as part of after action reports or strategic plans can identify what needs to be accomplished organizationally.  Maybe it’s a reorganization, an increase in staffing levels, an impending change in administration, expected attrition, union matters, or something else that needs to be addressed.  As with many other things, some matters or organization are simple, while others are very difficult to navigate.  Without a plan of action, it’s easy to allow things to fall to the wayside.  What changes need to be made?  Who is responsible for implementing them?  Who else needs to be involved? What’s a reasonable timeline for making these changes happen?

Equipping – Many logisticians are great at keeping accurate records and maintenance plans.  This measure of detail isn’t likely needed for your preparedness plan, but you still should be documenting the big picture.  What benchmarks need to be established and followed?  Are there any large expenditures expected for equipment such as a communications vehicle?  Is there an impending conversion of equipment to comply with a new standard?  Are there any gaps in resource management that need to be addressed?

Training – Informed by a training needs assessment, a training plan can be developed.  A training plan should identify foundational training that everyone needs as well as training needed for people functioning at certain levels or positions.  Ideally, you are addressing needs through training programs that already exist, either internally or externally, but there may be a need to develop new training programs.  A training plan should identify what training is needed, for who, and to what level (i.e. to steal from the hazmat world – Awareness? Operations? Technician?).  The plan should identify who will coordinate the training, how often the training will be made available, and how new training will be developed.

Exercises – We have a standard of practice for identifying exercises into the future – it’s called the multi-year training and exercise plan (MYTEP).  While it’s supposed to include training (or at least training related to the identified exercises), training often falls to the wayside during the training and exercise planning workshop (TEPW).  The outcomes of the TEPW can be integrated into your preparedness plan, allowing for an opportunity to synchronize needs and activities across each element.

Just as we do with most of our planning efforts, I would suggest forming a planning team to shepherd your preparedness plan, comprised of stakeholders of each of the elements.  I envision this as a group that should be in regular communication about preparedness efforts, with periodic check-ins on the preparedness plan.  This engagement should lead to synchronization of efforts.  Identify what activities are related and how.  Has a new plan been developed?  Then people need to be trained on it and the plan should be exercised.  Has new equipment been procured?  Then people should be trained in its use and plans should account for the new or increased capability.

Like any effort, endorsement from leadership is necessary, especially when multiple stakeholders need to be brought together and working together.  Many emergency management and homeland security organizations have positions responsible for preparedness, often at the deputy director level.  The formation and maintenance of a comprehensive preparedness plan should be a foundation of their efforts to manage preparedness and forecast and synchronize efforts.

Does your organization have a plan for preparedness beyond just a multi-year training and exercise plan?  What elements do you tie in?  Do you find it to be a successful endeavor?

Do you need assistance in developing a preparedness plan?  Contact us!

© 2016 – Timothy Riecker

Emergency Preparedness Solutions, LLCYour Partner in Preparedness

Water System Preparedness

For at least the past eight years or so, I’ve kept tabs on what the Environmental Protection Agency (EPA) has been doing for emergency preparedness for water systems.  Their efforts, spearheaded from their Water Security Division, include information on comprehensive emergency management activities – mitigation and resilience, surveillance and response, preparedness, and more.  Their website offers a plethora of resources, not only for water utilities and systems operators, but for others as well.  These resources include tools and guidance for conducting risk assessments, creating emergency plans, building resilience, developing a training and exercise plan, and conducting exercises.  These resources and tools all help to de-mystify emergency management systems and help to build a bridge into the emergency management world.  While they provide information on certain hazards, such as flooding or criminal activity, their approach, overall is all-hazards.  The EPA includes links to ICS and other FEMA training, as well as other agencies, and encourages water systems to interact with other agencies at the local, state, and federal level.

Back in November of last year, I gave a review of the TEEX course MGT: 342 Strategic Overview of Disaster Management for Water and Wastewater Utilities.  Those who work with or for water utilities would certainly benefit from attending this training and reviewing the EPA’s Water Security Division website.  Water is an important component of our Critical Infrastructure, with dependencies cascading across all other sectors.  These resources strengthen and support our continued preparedness within these sector, while also adding to whole community preparedness.

The EPA Water Security Division provides a quarterly e-newsletter, to which you can subscribe to stay abreast of their tools, resources, and information.

© 2016 – Timothy M. Riecker, CEDP

Emergency Preparedness Solutions, LLC Your Partner in Preparedness

A Review and 3 Highlights of the DHS Active Shooter Preparedness Workshop

Last month I had the opportunity to attend a day-long active shooter workshop in Rochester, NY conducted by the DHS Office of Infrastructure Protection.  The focus was awareness of, preparedness for, and response to an active shooter event, with a lean towards a facilities-based audience rather than public safety.

The workshop began with discussions on recognition, then worked through each of the five mission areas (Prevention, Protection, Mitigation, Response, and Recovery).  The primary speaker was excellent, with real-world experience in active shooter situations.  While they referred to the offering as a pilot, the workshop has been around for a few years in various versions.  Understandably, and unfortunately, it’s difficult for the workshop to keep up with lessons learned from recent events.

As mentioned, the workshop weaves through the five mission areas, rather awkwardly trying to also align with the CPG 101 planning process.  I’m not sure that the two really fit well and it was clearly something new to the course, as the primary speaker missed some of the indicators for activities.  The workshop agenda also fell short, with the facilitators clearly offering a higher than usual number of breaks and of longer than usual length to maintain the workshop as a full day.

The activities were table-based, and focused on the primary steps as outlined in CPG 101, with the goal of giving some ideas and structure to the creation of an active shooter preparedness plan for a facility.  Ideas and discussion generated at our table and others were great, as attendees came from a broad array of facilities, such as schools, night clubs, health care, office buildings, and others.  The most disappointing comments were those about roadblocks people faced within their own organizations in planning and other preparedness activities for active shooters.  There is clearly a lot of denial about these incidents, which will only serve to endanger people.

With a number of public safety professionals in attendance, there was some great reflection on coordination with public safety in both preparedness and response.  One of the gems of the workshop was the number of audio and video clips provided throughout.  The segments included media and 911 clips, as well as post incident interviews with victims and responders.  The insight offered by these was excellent and they were a great value add.

Three pieces of information resonated above all others in this workshop:

  • Run, Hide, Fight (or variants thereof) was stressed as the best model for actions people can take in the event of an active shooter.
  • The inclusion of planning for persons with disabilities is extremely important in an active shooter situation. They may have less of an ability to Run, Hide, and/or Fight, and this should be accounted for in preparedness measures.
  • Essential courses of action for planning include:
    1. Reporting
    2. Notification
    3. Evacuation
    4. Shelter in Place
    5. Emergency Responder Coordination
    6. Access Control
    7. Accountability
    8. Communications Management
    9. Short Term Recovery
    10. Long Term Recovery

Since the workshop was in pilot form, there were no participant manuals provided, which a number of people were hopeful to have.  They did, however, provide a CD with a plethora of materials, including references, some videos, and planning guides.  Many of these I’ve seen and used before, but some were new to me.  There was a commitment to send us all an email with a link to a download of the participant manual once it was available.  Some of those resources can be found here.

All in all, this was a good workshop.  The mix of an audience (numbering over 60, I believe) contributed to great discussion and the primary speaker was great.  The presentation materials were solid and provided a lot of context.  While I was disappointed in the lack of a participant manual and the inclusion of too many breaks, I certainly understand that this is the pilot of a redeveloped program which they are trying to keep as timely and relevant as possible.  While I already knew of many of the concepts and standards, there was some great material and discussion, especially in the context of facilities rather than public safety response.  This is a good program which I would recommend to facility owners, managers, and safety/emergency management personnel as well as jurisdiction emergency management and public safety personnel.

© 2016 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC Your Partner in Preparedness

Five Guidelines for Creating Effective Disaster Exercise Injects

While there is a lot of important and necessary planning that takes place before the development of exercise injects can even be considered, injects themselves are where the proverbial rubber meets the road.  How we craft those injects can often times make or break the conduct of the exercise.  Injects provide context, as if the events of the exercise were occurring in real life.  While we try to avoid delivering injects that directly prompt player responses, injects will often provide information which will lead players to react to the information provided.  Here are five guidelines to help you develop effective exercise injects:

  1. Injects must be purposeful and each one must relate back to one or more exercise objectives. Far too often we see injects that have no real bearing on the objectives of the exercise.  These are simply distractions and lead to busy work.  Keep things focused.  Just a few well-crafted injects can engage a number of players in active discussion or activity.
  2. Realistic injects are a must. While there will always be a grumble from some people claiming that something would ‘never happen that way’, due diligence must go into ensuring that injects are as realistic and grounded as possible.
  3. Be aware of who an inject would actually originate from. A common mistake I see is injects being scripted to originate from inappropriate sources.  This distracts from reality.  Also, injects should never originate from a player.
  4. Be flexible and aware. Sometimes players accomplish what they need to without an inject.  In that event, there may not be a need to use that inject.  Similarly, players may not respond to an inject as expected, so further action on the part of the Facilitators/Controllers/Simcell may be needed.
  5. Always have backups! As you build your Master Scenario Events List (MSEL), maintain a side list of contingency injects that can be used to speed up or slow down the exercise, or to address occurrences where players did not respond as expected.

Thoughts and ideas on these and other guidelines are always welcome!

© 2016 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC Your Partner in Preparedness!

Several New CyberSecurity Efforts in the News

Over the past few days, there have been media releases about several new cybersecurity initiatives that should have broad reaching benefits.

Timothy Riecker

First, Govtech.com reported on New Jersey’s consolidated fusion center-style approach to cybersecurity.  About a year ago, the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) was formulated, following the model of the National Cybersecurity Communications Integration Cell (NCCIC).  Co-located with the NJ State Emergency Operations Center and with support from the NJ Office of Homeland Security and Preparedness intelligence resources, the NJCCIC is keeping a watchful eye on cybersecurity matters internal and external to state government and sharing information with the private sector. This is a model effort that will hopefully grow and change based on identified opportunities in both New Jersey as well as other states who have yet to build such a capability.

EDM Digest recently reported on an initiative from the National Governor’s Association to form a multi-state working group, or academy as they are calling it, to create strategies to fight the evolving cybersecurity threat.  States contributing to this effort include Connecticut, Illinois, Louisiana, Nevada, and Oregon.  While not states we would usually think of as being on the forefront of cybersecurity issues, each does have significant business and industry which will hopefully serve as partners and resources in this endeavor.

Lastly, US Representatives Richard Hanna (R-NY) (who represents my district) and Derek Kilmer (D-WA) introduced the Small Business Cybersecurity Act to help American entrepreneurs protect themselves from cybercrimes and create cybersecurity plans that meet their business’ needs.  Co-sponsors of the bill included a range of Representatives of both parties from across the nation.  The release states that three out of every five cyberattacks target small businesses, and with small businesses making up a significant portion of the US economy, it is vital to help protect them.  I couldn’t agree more!  The intent of the bill is to create no-cost legislation to leverage the expertise of Small Business Development Centers (SBDCs) around the nation as an information distribution point for cybersecurity preparedness.  Let’s hope this one passes!  Express support for the bill to your Congressional Representative!

All in all, it’s encouraging to see continued effort toward cybersecurity protection, preparedness, and response.  As with the preparedness efforts we see in emergency management, I hope soon these efforts in cybersecurity will become more unified and closely knit.  While they all technically fall under the President’s Cybersecurity Strategy, we need to ensure connectivity of these efforts to help prevent duplication of effort and minimize holes.  We also want to ensure that access to services and resources that are available are comprehensive and streamlined to the greatest extent.  Let’s keep cybersecurity in mind and continue this work!

© 2016 – Timothy Riecker, CEDP

Exercising the Recovery Mission Area

It doesn’t happen often, but when it does, I get pretty excited about it – I got a blog request!  Last week, Darin, a LinkedIn connection, messaged me with a request to post my thoughts on exercising the recovery phase (or mission area) of emergency management.  His idea, as he expressed it to me, came from discussion at a Public Health Preparedness conference he was attending, where they were discussing ESF 8 (Public Health and Medical Services) continuity of operations and recovery exercises.  Challenge accepted!

When it comes to Recovery exercises, my first thought is that they are horribly underutilized.  We conduct a lot of exercises in the Response mission area, but it’s a rare occasion that we even mention Recovery.  The reasoning here is pretty easy – Response is sexy.  It’s the lights and sirens, saving lives, put out the fire, pull people from the wreckage kind of stuff that makes a big impact.  Recovery is often viewed as slow, tedious, bureaucratic, engineering kind of stuff.  Well… yeah… but there is a lot more to it.  Since when we plan exercises, one of the first things we do is to identify what Core Capabilities will be tested, let’s look at the Core Capabilities of the Recovery Mission Area.  Within each, I’ll mention some ideas you can incorporate into exercises.

The Big Three – Planning, Operational Coordination, and Public Information and Warning.  These Core Capabilities are found in every mission area and are sometimes applied differently.

  • Planning – Yeah, we should have recovery plans. I would argue that we have entered the recovery phase when all or most of the first two incident management priorities have been addressed – Life Safety and Incident Stabilization.  Sometimes these are resolved quickly, sometimes they take some time.  There are some fairly complex issues to be addressed in the recovery phase (many of which we will identify through the Core Capabilities), and we don’t do them often, therefore we should most certainly plan for them.  Remember, we exercise plans and capabilities – therefore our plans (and policies and procedures) are a significant focus when it comes to Recovery exercises.    This Core Capability is where continuity of operations plans will also fall.  Can your organization survive the lasting impacts of a disaster?
  • Operational Coordination – Recovery activities often involve organizations that had little to no activity during the Response phase. Most of these organizations are non-traditional responders who don’t usually operate under more strict command and control models, such as ICS, but in the Recovery phase of a disaster, I certainly advocate that they do.  Many of these agencies, typically the human services types of organizations, are very good at coordination and cooperation, as their daily priorities dictate that working with others is how needs are addressed.  The big challenge we often see here, though, is the introduction of some other organizations – typically those with regulatory responsibilities.  Regulation usually requires bureaucracy.  Bureaucracy usually requires time – lots of time – especially when exceptions are requested.  It’s really important to consider all stakeholders when planning an exercise to ensure that you get a chance to see how they interact, what the information flow and chain of authority looks like, what benefits they bring, and how they can work together in a timely fashion for the common good.
  • Public Information and Warning – We often take for granted the role of public information and warning in the Recovery phase. There are many benefits to keeping external stakeholders informed of what’s going on during Recovery.  Consider elected officials, business and industry, and special interest groups, along with the general public.  Your PIO and possibly your JIC should be just as involved in Recovery phase exercises as they are in those for the Response phase.

Aside from the ‘big three’, the Recovery mission area shares a Core Capability with the Response mission area – Infrastructure Systems.  Long-term restoration and rebuilding of infrastructure can lead to lengthy discussions in a Recovery-focused workshop or tabletop exercise.  What are the priorities for rebuilding?  Who will do it?  How will it be funded?  What are the completion timelines?  Will it be rebuilt the same or differently?  What are the impacts of doing it differently?  Who is impacted by this?  What do we do while we are waiting for it to be rebuilt?  Who makes decisions?  All important things to consider.

The first unique Core Capability in the Recovery mission area is Economic Recovery.  I was recently asked to present at a conference for a niche professional association comprised of professionals found in government, private sector, and non-profits.  While we will be covering topics in Hazard Mitigation and Preparedness, the biggest focus will fall within Economic Recovery.  Economic Recovery involves businesses reopening and people getting back to work to serve customers, make money, and become customers themselves.  After a disaster, it is absolutely vital for a community to get back on its feet, and the center of that is the local economy.  While many disaster impacts may be a relative drop in the bucket for larger companies, smaller businesses may have a hard time recovering – the central pieces of this are infrastructure restoration (see previous paragraph) and cash flow.  The SBA, USDA, and even IRS have mechanisms to assist with cash flow issues.  And don’t forget insurance!  Bring these and other stakeholders to the table to discuss economic recovery.  Consider priorities and mechanisms that must be in place to meet needs to support these priorities.  Your local chamber of commerce and other business associations will certainly want to be part of these exercises.  Does your jurisdiction have a business operations center (BOC)?  If not, consider it.  If you do, exercise it!

Health and Social Services.  This is the heart of all matters related to ESF 8 (Public Health and Medical Services), which Darin mentioned.  While this Core Capability is an extension of the Response mission area Core Capability of Public Health, Healthcare, and Emergency Medical Services; it is also so much more.  ESF 8 activity after disasters can last months or even years, particularly with ongoing issues such as medical monitoring and psychological impacts.  Eventually many of these services are absorbed into the system of regular service providers, but for a time the circumstances of the disaster may require some special coordination or monitoring.  The coordination needed involves an amalgamation of organizations at all levels of government, not for profits, and the private sector.  This can involve ongoing coordination with insurance companies, general practitioners and specialists; and must address the needs of everyone fairly and consistently, regardless of any differences, including their own financial resources or insurance coverage.  Tracking data related to the care and services provided is often important, but consideration must be given to HIPAA and other privacy laws.  Exercises can benefit from scenarios, such as exposures to radiological, biological, or chemical sources, which will drive discussion on the types of services to be provided, who will provide them, at whose cost, and for how long.  Many of these discussions should include topics of how to avoid social stigmatization of clients, sharing information between organizations, and the full range of social services that individuals and families may require.

Housing is typically the hardest nut to crack in all of disaster recovery.  Relative to need, there is little government owned housing stock available.  What is available may require waiting lists and relocation to access.  While many home owners are insured, we know that it takes some time for home owners to receive payment from insurance companies, and insurance is rarely at 100% coverage for losses.  Those that don’t own their own homes are often the left with the most dire situations.  While ‘FEMA trailers’ have provided some medium-term solutions, there are many issues to address.  I posit that plans at all levels are inadequate to address housing needs after a disaster.  If you have a plan, get a good exercise team to write a great scenario to test it.  If you don’t have a plan, conducting a workshop to identify and address major planning issues is the way to go.  A housing exercise is probably going to be one of the more eye opening yet depressing exercises you’ve ever done.

Lastly is the Core Capability of Natural and Cultural Resources, which focuses on the recovery of libraries and museums, documents and art, as well as helping to restore our own environment after a disaster.  Activities can range from restoring a historical landmark to major engineering projects to restore a wetland.  These activities can involve a great deal of technical expertise as well as regulation.  FEMA, the EPA, and the National Parks Service are often big players in these types of activities.

As for what types of exercises to conduct, that’s largely dependent upon the status of your plans and if you have conducted exercises on these plans before.  I always suggest starting with discussion-based exercises.  We often forget about seminars, which are more about conveying information than obtaining feedback, but are still valuable for discussing initiatives and new plans.  Workshops not only support the planning process to develop plans, they can also serve to facilitate a detailed review of a plan in its final draft stages.  Most Recovery exercises I have experience with have been tabletop exercises, which use a scenario to provide context to discussion questions for a group of stakeholders.  This is a great way to exercise decision making and to talk through the key tasks associated with plans.  Disaster recovery involves a lot of policy-level decision making, which is ideal for a tabletop.

Operations-based exercises for disaster recovery are found much less often.  Drills can certainly be conducted to test focused aspects of plans and procedures.  Drills in Recovery can help identify strengths and weaknesses of our processes, both for ourselves and for those we are trying to serve.  Functional exercises are broader and more encompassing than drills.  Much can be gained from a Recovery mission area functional exercise, but make sure that it’s grounded in reality.  Most jurisdictions don’t have an EOC activated for Recovery mission area activities. If you don’t, don’t try to run an exercise within that environment.  Some functions, however, may be run, at least for a time, from some sort of operations/coordination center, such as a health operations center (HOC).  With a good scenario focusing on addressing longer-term issues in the aftermath of a response, they can be done successfully.  Be sure to develop a pretty solid ‘ground truth’, however, to support the exercise, as much of Recovery is dependent upon what was done in Response, so players will need this context.  With a bit more complication, a functional exercise could be run virtually, with people participating from their own regular work stations as they often do during Recovery operations.  Testing Recovery plans in full scale exercises is significantly challenging based on the array and type of activities.  Because of the focus of activities, continuity of operations plans are likely among the most suited for full scale Recovery mission area exercises.

I’m curious to hear about your experiences exercising Recovery mission area plans and capabilities.  What ideas do you have?  What best practices have you found?

As always, thanks for reading!

© 2016 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC – Your Partner in Preparedness!