Several New CyberSecurity Efforts in the News

Over the past few days, there have been media releases about several new cybersecurity initiatives that should have broad-reaching benefits.

Timothy Riecker

First, Govtech.com reported on New Jersey’s consolidated fusion center-style approach to cybersecurity.  About a year ago, the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) was formulated, following the model of the National Cybersecurity Communications Integration Cell (NCCIC).  Co-located with the NJ State Emergency Operations Center and with support from the NJ Office of Homeland Security and Preparedness intelligence resources, the NJCCIC is keeping a watchful eye on cybersecurity matters internal and external to state government and sharing information with the private sector. This is a model effort that will hopefully grow and change based on identified opportunities in both New Jersey as well as other states who have yet to build such a capability.

EDM Digest recently reported on an initiative from the National Governors Association to form a multi-state working group, or academy as they are calling it, to create strategies to fight the evolving cybersecurity threat.  States contributing to this effort include Connecticut, Illinois, Louisiana, Nevada, and Oregon.  While not states we would usually think of as being on the forefront of cybersecurity issues, each does have significant business and industry which will hopefully serve as partners and resources in this endeavor.

Lastly, US Representatives Richard Hanna (R-NY) (who represents my district) and Derek Kilmer (D-WA) introduced the Small Business Cybersecurity Act to help American entrepreneurs protect themselves from cybercrimes and create cybersecurity plans that meet their business’ needs.  Co-sponsors of the bill included a range of Representatives of both parties from across the nation.  The release states that three out of every five cyberattacks target small businesses, and with small businesses making up a significant portion of the US economy, it is vital to help protect them.  I couldn’t agree more!  The intent of the bill is to create no-cost legislation to leverage the expertise of Small Business Development Centers (SBDCs) around the nation as an information distribution point for cybersecurity preparedness.  Let’s hope this one passes!  Express support for the bill to your Congressional Representative!

All in all, it’s encouraging to see continued effort toward cybersecurity protection, preparedness, and response.  As with the preparedness efforts we see in emergency management, I hope soon these efforts in cybersecurity will become more unified and closely knit.  While they all technically fall under the President’s Cybersecurity Strategy, we need to ensure connectivity of these efforts to help prevent duplication of effort and minimize holes.  We also want to ensure that access to the services and resources that are available is comprehensive and streamlined to the greatest extent.  Let’s keep cybersecurity in mind and continue this work!

© 2016 – Timothy Riecker, CEDP

Exercising the Recovery Mission Area

It doesn’t happen often, but when it does, I get pretty excited about it – I got a blog request!  Last week, Darin, a LinkedIn connection, messaged me with a request to post my thoughts on exercising the recovery phase (or mission area) of emergency management.  His idea, as he expressed it to me, came from discussion at a Public Health Preparedness conference he was attending, where they were discussing ESF 8 (Public Health and Medical Services) continuity of operations and recovery exercises.  Challenge accepted!

When it comes to Recovery exercises, my first thought is that they are horribly underutilized.  We conduct a lot of exercises in the Response mission area, but it’s a rare occasion that we even mention Recovery.  The reasoning here is pretty easy – Response is sexy.  It’s the lights and sirens, saving lives, put out the fire, pull people from the wreckage kind of stuff that makes a big impact.  Recovery is often viewed as slow, tedious, bureaucratic, engineering kind of stuff.  Well… yeah… but there is a lot more to it.  Since when we plan exercises, one of the first things we do is to identify what Core Capabilities will be tested, let’s look at the Core Capabilities of the Recovery Mission Area.  Within each, I’ll mention some ideas you can incorporate into exercises.

The Big Three – Planning, Operational Coordination, and Public Information and Warning.  These Core Capabilities are found in every mission area and are sometimes applied differently.

  • Planning – Yeah, we should have recovery plans. I would argue that we have entered the recovery phase when all or most of the first two incident management priorities have been addressed – Life Safety and Incident Stabilization.  Sometimes these are resolved quickly, sometimes they take some time.  There are some fairly complex issues to be addressed in the recovery phase (many of which we will identify through the Core Capabilities), and we don’t do them often, therefore we should most certainly plan for them.  Remember, we exercise plans and capabilities – therefore our plans (and policies and procedures) are a significant focus when it comes to Recovery exercises.    This Core Capability is where continuity of operations plans will also fall.  Can your organization survive the lasting impacts of a disaster?
  • Operational Coordination – Recovery activities often involve organizations that had little to no activity during the Response phase. Most of these organizations are non-traditional responders who don’t usually operate under more strict command and control models, such as ICS, but in the Recovery phase of a disaster, I certainly advocate that they do.  Many of these agencies, typically the human services types of organizations, are very good at coordination and cooperation, as their daily priorities dictate that working with others is how needs are addressed.  The big challenge we often see here, though, is the introduction of some other organizations – typically those with regulatory responsibilities.  Regulation usually requires bureaucracy.  Bureaucracy usually requires time – lots of time – especially when exceptions are requested.  It’s really important to consider all stakeholders when planning an exercise to ensure that you get a chance to see how they interact, what the information flow and chain of authority looks like, what benefits they bring, and how they can work together in a timely fashion for the common good.
  • Public Information and Warning – We often take for granted the role of public information and warning in the Recovery phase. There are many benefits to keeping external stakeholders informed of what’s going on during Recovery.  Consider elected officials, business and industry, and special interest groups, along with the general public.  Your PIO and possibly your JIC should be just as involved in Recovery phase exercises as they are in those for the Response phase.

Aside from the ‘big three’, the Recovery mission area shares a Core Capability with the Response mission area – Infrastructure Systems.  Long-term restoration and rebuilding of infrastructure can lead to lengthy discussions in a Recovery-focused workshop or tabletop exercise.  What are the priorities for rebuilding?  Who will do it?  How will it be funded?  What are the completion timelines?  Will it be rebuilt the same or differently?  What are the impacts of doing it differently?  Who is impacted by this?  What do we do while we are waiting for it to be rebuilt?  Who makes decisions?  All important things to consider.

The first unique Core Capability in the Recovery mission area is Economic Recovery.  I was recently asked to present at a conference for a niche professional association comprised of professionals found in government, private sector, and non-profits.  While we will be covering topics in Hazard Mitigation and Preparedness, the biggest focus will fall within Economic Recovery.  Economic Recovery involves businesses reopening and people getting back to work to serve customers, make money, and become customers themselves.  After a disaster, it is absolutely vital for a community to get back on its feet, and the center of that is the local economy.  While many disaster impacts may be a relative drop in the bucket for larger companies, smaller businesses may have a hard time recovering – the central pieces of this are infrastructure restoration (see previous paragraph) and cash flow.  The SBA, USDA, and even IRS have mechanisms to assist with cash flow issues.  And don’t forget insurance!  Bring these and other stakeholders to the table to discuss economic recovery.  Consider priorities and mechanisms that must be in place to meet needs to support these priorities.  Your local chamber of commerce and other business associations will certainly want to be part of these exercises.  Does your jurisdiction have a business operations center (BOC)?  If not, consider it.  If you do, exercise it!

Health and Social Services.  This is the heart of all matters related to ESF 8 (Public Health and Medical Services), which Darin mentioned.  While this Core Capability is an extension of the Response mission area Core Capability of Public Health, Healthcare, and Emergency Medical Services, it is also so much more.  ESF 8 activity after disasters can last months or even years, particularly with ongoing issues such as medical monitoring and psychological impacts.  Eventually many of these services are absorbed into the system of regular service providers, but for a time the circumstances of the disaster may require some special coordination or monitoring.  The coordination needed involves an amalgamation of organizations at all levels of government, not-for-profits, and the private sector.  This can involve ongoing coordination with insurance companies, general practitioners, and specialists, and must address the needs of everyone fairly and consistently, regardless of any differences, including their own financial resources or insurance coverage.  Tracking data related to the care and services provided is often important, but consideration must be given to HIPAA and other privacy laws.  Exercises can benefit from scenarios, such as exposures to radiological, biological, or chemical sources, which will drive discussion on the types of services to be provided, who will provide them, at whose cost, and for how long.  Many of these discussions should include topics of how to avoid social stigmatization of clients, sharing information between organizations, and the full range of social services that individuals and families may require.

Housing is typically the hardest nut to crack in all of disaster recovery.  Relative to need, there is little government-owned housing stock available.  What is available may require waiting lists and relocation to access.  While many homeowners are insured, we know that it takes some time for homeowners to receive payment from insurance companies, and insurance is rarely at 100% coverage for losses.  Those that don’t own their own homes are often left with the most dire situations.  While ‘FEMA trailers’ have provided some medium-term solutions, there are many issues to address.  I posit that plans at all levels are inadequate to address housing needs after a disaster.  If you have a plan, get a good exercise team to write a great scenario to test it.  If you don’t have a plan, conducting a workshop to identify and address major planning issues is the way to go.  A housing exercise is probably going to be one of the more eye-opening yet depressing exercises you’ve ever done.

Lastly is the Core Capability of Natural and Cultural Resources, which focuses on the recovery of libraries and museums, documents and art, as well as helping to restore our own environment after a disaster.  Activities can range from restoring a historical landmark to major engineering projects to restore a wetland.  These activities can involve a great deal of technical expertise as well as regulation.  FEMA, the EPA, and the National Park Service are often big players in these types of activities.

As for what types of exercises to conduct, that’s largely dependent upon the status of your plans and if you have conducted exercises on these plans before.  I always suggest starting with discussion-based exercises.  We often forget about seminars, which are more about conveying information than obtaining feedback, but are still valuable for discussing initiatives and new plans.  Workshops not only support the planning process to develop plans, they can also serve to facilitate a detailed review of a plan in its final draft stages.  Most Recovery exercises I have experience with have been tabletop exercises, which use a scenario to provide context to discussion questions for a group of stakeholders.  This is a great way to exercise decision making and to talk through the key tasks associated with plans.  Disaster recovery involves a lot of policy-level decision making, which is ideal for a tabletop.

Operations-based exercises for disaster recovery are found much less often.  Drills can certainly be conducted to test focused aspects of plans and procedures.  Drills in Recovery can help identify strengths and weaknesses of our processes, both for ourselves and for those we are trying to serve.  Functional exercises are broader and more encompassing than drills.  Much can be gained from a Recovery mission area functional exercise, but make sure that it’s grounded in reality.  Most jurisdictions don’t have an EOC activated for Recovery mission area activities. If you don’t, don’t try to run an exercise within that environment.  Some functions, however, may be run, at least for a time, from some sort of operations/coordination center, such as a health operations center (HOC).  With a good scenario focusing on addressing longer-term issues in the aftermath of a response, they can be done successfully.  Be sure to develop a pretty solid ‘ground truth’, however, to support the exercise, as much of Recovery is dependent upon what was done in Response, so players will need this context.  With a bit more complication, a functional exercise could be run virtually, with people participating from their own regular work stations as they often do during Recovery operations.  Testing Recovery plans in full scale exercises is significantly challenging based on the array and type of activities.  Because of the focus of activities, continuity of operations plans are likely among the most suited for full scale Recovery mission area exercises.

I’m curious to hear about your experiences exercising Recovery mission area plans and capabilities.  What ideas do you have?  What best practices have you found?

As always, thanks for reading!


Emergency Preparedness Solutions, LLC – Your Partner in Preparedness!

Calgary Report on Emergency Preparedness

Be sure to see the update posted at the bottom of this article!

 

Published in the Calgary Herald (and perhaps elsewhere), Calgary Emergency Management Agency released their 2016 report on the status of preparedness in the city.  While the data contained in the report only has direct relevance if you have interest in the city of Calgary, the concept and themes in the report have some broader relevance to everyone in emergency management.

First, let’s talk about the publication of this report.  I absolutely think this is a best practice and Calgary Emergency Management should be congratulated for it.  The Herald also deserves credit for putting the information out there… we know that media outlets don’t always have the time or ability to publish the information they are provided.  All in all, the information contained in the report should be pretty relatable to most readers.  They detail the hazards, highlight costs of certain past disasters in the province of Alberta, talk about some facts that demonstrate a continued need for preparedness efforts, and they talk about some of their actions and recommended actions for others.  I’m left wondering if these are highlights of a more detailed report.  Either way, it’s a nice bit of information and promotion of emergency management efforts.

Their report starts off providing a list of the top ten hazards and risks in Calgary, with an added bit of information telling what percentage of hazard mitigation efforts are focused on each hazard (I’m not sure what the mitigation percentage is based upon… percent of mitigation budget, perhaps?).  While much of the hazard list is intuitive, it should certainly serve as a good reminder to businesses and citizens about what can impact the area.  This is also a list that I largely suspect could be replicated in many other municipalities around the world, especially those in the colder reaches of the northern and southern hemispheres.

Another section in the report provides a number of bulleted facts related to preparedness in Calgary.  Some of these seem to have originated from a public survey, others from a survey of businesses, while others, such as the number of critical infrastructures in the city, were likely internal or in collaboration with other agencies.  Regardless of the source, they should be eye opening for people.  They are also, as with other information, fairly representative of many other municipalities around the world.  While the numbers may not be exact, I’m sure the percentages are pretty close.

They follow up their facts with two brief sections on hazard mitigation, one focusing on private sector and business continuity and the other from a broader emergency management perspective.  These are all certainly applicable in any of our locations.  Finally, they list their nine focuses for the year.  These nine areas may very well be pulled from an annual strategic plan update for Calgary Emergency Management and are also very relatable to most of us around the world.  They mention things like leveraging risk assessment, sustainability funding for capabilities, emergency plan revisions, public outreach, training and exercises, and others.

It’s great to see an emergency management agency putting information out to the populations they serve.  It adds context to ‘winter weather awareness week’ or other promotions, and provides more information on what emergency management does.  This report also showed that, while there are some differences based on our relative locations, much of what we are dealing with in emergency management is very similar.

Kudos again to CEMA.


~ Update

By virtue of posting this article, I was contacted by Ms. Tabitha Beaton who works for Calgary Emergency Management and was one of the principal authors of this report.  A full version of their report can be found here.

TR

A New NFPA 1600

Several weeks ago (I forgot to post it!) the National Fire Protection Association (NFPA) released the 2016 update of their 1600 standard, and with a slightly different name: Standard on Disaster/Emergency Management and Business Continuity/Continuity of Operations Programs.  More on the name change in a bit.

For those not familiar with NFPA 1600, if you are in the emergency management field, you should be familiar with it.  While not legally binding (unless specifically referenced by a law or regulation), NFPA 1600 is an excellent standard for modeling an emergency management program.  Like any good standard, it provides guidance on what components you should have, but doesn’t tell you how to do it. NFPA 1600 is also very complementary to the Emergency Management Accreditation Program (EMAP), with no conflicts between these standards – mostly because EMAP foundationally references much of NFPA 1600.  NFPA 1600 can be found here.  The NFPA provides a free download of the standard (it is heavily copyrighted, so exercise prudence in how you handle it) or you can pay to obtain paper copies.

On to the changes in this update.  As mentioned, the title has been altered a bit by adding ‘Continuity of Operations’.  While it doesn’t say so, I’m guessing that some government-types may have approached NFPA 1600 a bit skeptically thinking that it was really intended for the private sector.  The thing is, business continuity is a specific function within emergency management, but largely follows many of the same processes, just with a particular focus.

Within the standard, the early section titled ‘The Origin and Development of NFPA 1600’ summarizes the evolution of the standard, and provides some information on the changes to the 2016 update.  They mention that “The purpose of the standard has been changed to reflect the Committee’s decision to emphasize that the standard provides fundamental criteria for preparedness and that the program addresses prevention, mitigation, response, continuity, and recovery.  In other words, “preparedness” is no longer just an element of the program – it is the program.” That perspective on preparedness is a great continued evolution of the concept within emergency management.  While the standard in emergency management used to be the emergency management cycle with preparedness as one phase, that is thankfully beginning to go away (although it’s still seen out there way too much for my taste).


The Old Emergency Management Cycle – DON’T USE THIS ANYMORE!

The truth is preparedness permeates everything we do – all phases (or mission areas) of emergency management.  That’s why there are five mission areas identified in the National Preparedness Goal (Protection, Prevention, Response, Mitigation, and Recovery).  Where is preparedness?  It’s the root of the document (literally… it’s in the name of the document).  Preparedness is addressed for each mission area.  We must prepare to protect, prepare to prevent, prepare to respond, prepare to mitigate, and prepare to recover.

As usual, I digress…

Back to NFPA 1600.  This 2016 update includes language within “crisis management planning to include issues that threaten the reputation of and the strategic and intangible elements of the entity as a result of an event or series of events…”.  Smart move.  These elements of crisis management are something we see in both the public and private sector and certainly should be addressed.

Since business continuity does remain a focus element of the standard, they have continued to enhance those aspects.  As such, they have included information on supply chain risk and information security within the document.  When considering business continuity, we can’t just look at our own operations.  The vulnerabilities of other organizations can certainly impact us, so examining supply chain vulnerabilities is wise.  As for information security, we have seen plenty of internal and external cybersecurity issues to justify that.  Although a bit late, I’m glad the NFPA is keeping up with technology and current trends and hazards.  They have also rewritten much of the business impact analysis section (within Chapter 5) to address continuity planning and recovery planning, with a specific differentiation between the two.

Lastly, they have added Annex C, a small business preparedness guide (good move NFPA!), and have added material on addressing the needs of persons with access and functional needs, as well as adding some information on the role of social media in crisis communications plans.

These are all positive changes for the NFPA 1600 standard.  I encourage everyone who is part of an emergency management program to take a look at it and see what it has to offer.  It’s good guidance and will probably provide some good ideas for helping you grow and maintain an impactful program.

For those interested, I have a couple of past articles on standards in emergency management:

Standards in Emergency Management Programs

Business Continuity and Emergency Management Standards and Requirements

 


FBI vs Apple – iPhone Security

The struggle over encryption and device security continues.  This time it’s more visceral, representing the most relevant case on the side of criminal justice yet.  In the wake of the San Bernardino shooting, the FBI is seeking to gain access to an iPhone discovered in the vehicle where the shooters made their last stand with law enforcement.  The FBI is hoping to find additional evidence on this phone – phone records, emails, texts, etc. that might lead them to information on other conspirators of the attack, other potential targets and attackers, and anything else that might lead to prosecuting those involved in this attack or stopping future attacks.  Gaining access to this information is obviously extremely important.

The problem – the phone is locked with a passcode, and the FBI doesn’t know what that code is. While trial and error is certainly a viable methodology, Apple’s architecture limits password attempts to 10.  Once the tenth attempt fails, the iPhone will go into a sort of self-destruct, wiping all data from the device.  The FBI needs help, and they are seeking it from Apple.  Apple declined requests and is now being compelled by a federal judge who ordered Apple to assist the FBI in gaining access to the phone.  Apple is fighting the order – but why?

First of all, Apple states there is no ‘back door’ into their system that will allow them to bypass a security code.  On principle, they decided not to create one since if it exists, it can be exploited.  Based upon this, the FBI has requested that Apple at least disable the 10-attempt fail-safe in the iOS programming, allowing the FBI to press on with many more attempts to crack the code.  Apple continues to refuse, again citing the potential for someone with criminal intent exploiting this.  Essentially, Apple feels they are protecting their customers from criminal acts and loss of personal information.  The CEO of Google recently voiced support for Apple’s stand.

This debate poses two strong arguments, each pulling at our values.  On one side, we need to support the efforts of law enforcement to prevent, protect, and prosecute.  The evidence gathered from a situation such as this can potentially lead to finding co-conspirators in these horrible shootings, and can potentially stop other crimes from occurring.

On the other side, there is also concern over preventing future criminal activity by those who would steal information.  Keep in mind that what we have on our phones is not only a browsing history and Disney World selfies, but also private information such as bank accounts, and even access to business information, the theft of which can be devastating to individuals and entire organizations.

There are valid arguments on both sides, and consequences to action and inaction all around, with implications much broader than this one case.  I’m interested in seeing how this shakes out.

What are your thoughts?


ICS: Who doesn’t need it?

In a recent discussion thread, someone shared some material for a new program that promotes resiliency for disaster housing.  While the intent of the program is good, there was one thing that struck me – it stated that it was based on the incident command system (ICS).  My question – why?

ICS is a great system.  It’s proven to be effective WHEN APPLIED PROPERLY.  That’s the catch, though, isn’t it?  A great many after action reports (AARs) identify areas for improvement relative to various facets of ICS after incidents, events, and exercises.  The organizations that the AARs are usually focused on are professional response organizations – fire, police, EMS, public works, public health, emergency management, etc.  These are organizations that generally get LOTS OF PRACTICE in applying ICS.  So what’s the problem?

The problem is that most organizations that do use ICS don’t get enough practice in applying ICS beyond smaller incidents.  So if responders, who are using ICS, have difficulty with expanded application despite some practice and more advanced training, how are organizations who don’t use it at all expected to be able to remember it, much less apply it properly on even the most basic of incidents?  (More on my issues with ICS training here, in case you’ve missed posts over the last year or so.)

So back to the main topic of this post – who doesn’t need ICS training?  I would suggest that those persons and organizations that don’t fit the broad definition of responders DON’T NEED IT.  While this may be blasphemous to some, consider the time and effort wasted on getting people trained to understand ICS who will NEVER USE IT.  “But what if they do need it?” you ask?

I’m challenged to really find that need.  Why does the management of an apartment complex need to know or understand ICS?  I find the thought of that foolish and wasteful.  Sure, they can be a partner in disaster preparedness, response, and recovery.  Does that make them a responder?  No. Will they become part of the ICS organization?  NO!  Is there any reason why they would need to use ICS to manage their own organization?  NO!!! They manage their organization every day through what should be a very effective model for them.  Why the hell do we want to change that?  We need to stop pushing our complex shit on other people who don’t need it.

I’m of two thoughts on this… One, there are people who are so gung-ho over including everyone under the sun into emergency management that they feel compelled to bring them into the profession.  News flash people – if they wanted to be emergency managers, they would.  There is no practical reason for them to be trained in the vast complexities of emergency management.  Two, there are people who don’t really understand the applications of emergency management themselves, and therefore try to make adaptations of the system for every variety of stakeholder out there.  This is something I’ve struggled with very often as people try to adapt ICS to their organization and, in doing so, change the foundational principles of ICS (span of control, terminology, organizational structure, etc.).  Further, every organization thinks they have an INCIDENT COMMANDER.  STOP!!!

ICS is not for everyone.  I’m not being elitist or exclusionary, I’m being practical.  That’s not to say that certain stakeholders shouldn’t at least be familiar with what it is, but still not every stakeholder or partner, and they certainly don’t need to know how to actually apply it.  For many, simply having a point of contact with certain departments or through the 911 center is enough.  Certainly if some have an interest in it they can ask, or take a class either in person or online.  (I would never withhold a training opportunity from anyone.)  This should certainly give them enough to satisfy their curiosity.

Along with my crusade to make better ICS training for responders (even non-traditional ones), I would suggest that we need to do a better job of advising other organizations about how they interact with the system.  Simply throwing ICS training at them DOESN’T WORK.  It creates false expectations and generates more confusion.

So please, fire away with your thoughts.  Who do you think shouldn’t have ICS training?  What would you change about the current ICS training model/requirements? 

Shameless plug time: Need ICS training or training in other areas of emergency management?  How about meaningful and practical emergency plans you can actually implement?  Exercises to test those plans and give staff an opportunity to practice implementing plans?  Emergency Preparedness Solutions can help!  Link to info below!


Emergency Preparedness Solutions, LLC

Emergency Management: Coordinating a System of Systems

Emergency management, by nature, is at the nexus of a number of other practices and professions, focusing them on solving the problems of emergencies and disasters.  It’s like a Venn diagram, with many entities, including emergency management, having some overlapping interests and responsibilities, but each of them having an overlap in the center of the diagram, the place where coordination of emergency management resides. That’s what makes the profession of emergency management fairly complex – we are not only addressing needs inherent in our own profession, we are oftentimes doing it through the application of the capabilities of others.  It’s like being the conductor of an orchestra or a show runner for a television show. It doesn’t necessarily put emergency management ‘in charge’, but they do become the coordination point for the capabilities needed.


This high degree of coordination depends on the functioning and often integration of a variety of systems.  What is a ‘system’?  Merriam-Webster offers that a system is a “regularly interacting or interdependent group of items forming a unified whole.”  Each agency and organization that participates in emergency management has its own systems.  I’d suggest that these broadly include policies, plans, procedures, and the people and technologies that facilitate them – and not just in response, but across all phases or mission areas.  Like the Venn diagram, many of these systems interact to (hopefully) facilitate emergency management.

There are systems we have in many nations that are used to facilitate components of emergency management, such as the National Incident Management System (NIMS), the Incident Command System (ICS) (or other incident management systems), and Multi-Agency Coordination Systems (MACS).  These systems have broad reach, working to provide some standardization and common ground through which we can manage incidents by coordinating multiple organizations and each of their systems.  As you can find indicated in the NIMS doctrine, though, NIMS (and the other systems mentioned) is not a plan.  While NIMS provides us with an operational model and some guidance, we need plans.

Emergency Operations Plans (EOPs) help us accomplish a coordination of systems for response, particularly when written to encompass all agencies and organizations, all hazards, and all capabilities.  Likewise, Hazard Mitigation Plans do the same for mitigation activities and priorities.  Many jurisdictions have smartly written disaster recovery plans to address matters post-response.  We also have training and exercise plans which help address some preparedness measures (although generally not well enough).  While each of these plans helps to coordinate a number of systems, themselves becoming systems of systems, we are still left with several plans which also need to be coordinated as we know from experience that the lines between these activities are, at best, grey and fuzzy (and not in the cuddly kitten kind of way).

The best approach to coordinating each of these plans is to create a higher level plan.  This would be a comprehensive emergency management plan (CEMP).  Those of you from New York State (and other areas) are familiar with this concept as it is required by law.  However, I’ve come to realize that how the law is often implemented simply doesn’t work. Most CEMPs I’ve seen try to create an operational plan (i.e. an EOP) within the CEMP, and do very little to actually address or coordinate other planning areas, such as the hazard mitigation plan, recovery plans, or preparedness plans.

To be successful, we MUST have each of those component plans in place to address the needs they set out to address.  Otherwise, we simply don’t have plans that are implementation-ready at an operational level.  Still, there is a synchronicity that must be accomplished between these plans (for those of you who have experienced the awkward transition between response and recovery, you know why).  The CEMP should serve as an umbrella plan, identifying and coordinating the goals, capabilities, and resources of each of the component plans.  While a CEMP is generally not operational, it does help identify, mostly from a policy perspective, what planning components must come into play and when and how they interrelate to each other.  A CEMP should be the plan that all others are built from.


I’m curious about how many follow this model and the success (or difficulty) you have found with it.

As always, if you are looking for an experienced consulting firm to assist in preparing plans or any other preparedness activities, Emergency Preparedness Solutions is here to help!


Continuity of Government – Preservation of Records and Data

A common but often low priority issue in emergency management is the loss of physical records and electronic data from a disaster.  To be honest, I ignored the issue for much of my career.  It wasn’t until working on a contract in the northeast and meeting with a lot of local governments that my eyes really opened to the importance of the issue.  While this article focuses on preservation of records for governments, it can certainly apply to businesses, not-for-profits, and even individuals.

Many of the local governments we interfaced with on a completely unrelated contract were talking about their experiences with Tropical Storm Irene.  Town officials told of their efforts hauling boxes of town records either to a higher floor of town offices or removing them offsite, with water to their knees or even waist high.  Needless to say, many records were lost.

While some of these offices were in known floodplains, others simply suffered from an extraordinary event and the fault of a place where we commonly store things – the basement.  Towns (and other municipal offices) often store physical copies of tax maps and records, property deeds, permits, flood insurance information (ironic, isn’t it?), human resources data for town employees, town financial records, court records, birth certificates, death certificates, marriage certificates, divorce certificates, and other information.  The loss of this information can have an impact, not only historically, but also on current government operations.

Continuity of government and continuity of operations plans should identify those records which are most important.  These are called vital records.  Vital records should have the highest degree of protection.  The National Archives offers some guidance on the protection of vital records.  While the guidance applies to federal agencies, there is still plenty of valuable information which can be applied to other organizations.

Every municipality should examine records storage as part of their continuity of operations and continuity of government planning.  It’s not to say that records can’t be stored in the basement of a building, but mitigation efforts must be made to flood proof the building as much as possible, including water alarms and sump pumps connected to emergency power systems.  Paper and water don’t mix – so get your records off the floor and consider waterproof storage solutions.  Ventilation is also important to prevent molding.

If mitigation is too costly, then you need to consider relocating the records.  Regardless of where your records are, you should have a component of your continuity of operations plan that addresses emergency relocation of records – when, how, to where, and who.  Digital storage is obviously a great solution.  Some towns I spoke with had decided after the storm to scan their records.  Catching up to a hundred plus years of records can be pretty time consuming and practically insurmountable for most municipal offices.  This is a service that can be hired out.  Be sure to follow sound data protection standards for both storage and access to ensure the continuity of these records.

In the event that records do get wet, all is not necessarily lost.  The Preservation Directorate of the US Library of Congress has a lot of information on preservation of records, including a variety of resources and training opportunities.  There are also companies that specialize in document preservation and recovery after a disaster.  While it’s probably a good idea to identify who you might reach out to in the event of such a loss, know that this is expensive and it’s generally far more cost effective to mitigate against the risk.

Need assistance with government continuity or continuity of operations planning?  EPS can help!  consultants@epsllc.biz.


Another Great Emergency Management and Homeland Security Podcast

A couple months ago I came across another great podcast.  This one is done by a company called PreparedEx – www.preparedex.com and on Twitter @preparedex.  They link to their podcast from their website but you can also find it in the iTunes podcast listing.  They are only seven episodes in, and most episodes are about a half hour long, so you can catch up pretty quickly.  They generally post two episodes a month, which is excellent frequency.

PreparedEx is a consulting firm specializing in preparedness exercises.  Yes, they are technically a competitor of my company, but from what I’ve seen and heard, they are quite capable and do some really cool stuff.

The host of their podcast is Robert Burton, who is the company’s managing director.  Robert has some great counterterrorism creds and facilitates the podcast well.  What I love most about this podcast is the interview format.  Nearly every episode focuses on an interview, and they have gotten some great subjects – from state emergency management directors to corporate security specialists.  The interviews offer excellent insight and are very conversational and easy to listen to. They cover topics in emergency management, homeland security, and business continuity.

Go check them out and enjoy!

– TR

Emergency Management – Who Knows About Your Plans?

In emergency management and homeland security we put a lot of emphasis on planning.  Plans are important, after all.  We need to take the time to identify what our likely hazards are and how we will address them.  But what happens when the plan is complete?  We congratulate members of the planning team and send them final copies.  Those copies get filed electronically or end up on a shelf, a trophy of our accomplishment and hard work.  Congratulations!

So… that’s it?  Is that all?

NO!  Of course not!  People need to be trained to the plan.  “Trained?” you ask.  Yes – trained.  Not just sent a copy and told to review it.  Let’s be honest, here.  Even assuming the highest degree of dedication and professionalism, many people simply won’t give it the time and attention it needs.  Very quickly the plan will get buried on their desks or the email will become one of dozens or hundreds in the inbox.  Even if they do give it a look through, most will only give a quick pass through the pages between meetings (or during a meeting!), not giving much attention to the details in the plan.

How effective do you expect people to be?

Sports analogy – when a coach creates new plays, do they simply give them to the players to become familiar with and expect proficiency?  No.  Of course not.  We’re all familiar with the classic, if not cliché, setting of the coach reviewing plays on a chalk board with the players in a locker room.  That’s training.  Then after that training, they go out in the field and practice the plays.

Back to our reality… The first real step of making people familiar with the plan is to review it with them.  This usually doesn’t need to be a sleep inducing line-for-line review of the plan (unless it is a detailed procedure), but a review of the concepts and key roles and responsibilities.  In fact, that’s who you invite to the training – those who are identified in the plan.  This is likely to include people in your own agency as well as people in other agencies (emergency management, after all, is a collaborative effort).  In states with strong county governments, we often see county-level emergency management offices creating plans that dictate or describe the activities of local governments and departments.  Most often, the local departments have no awareness of these plans, much less receive any training on them.  I’m guessing that plan won’t work.

Once you’ve trained these key stakeholders, be sure to conduct exercises on various aspects of the plan.  Exercises serve not only to validate plans, but to also help further familiarize stakeholders with the plan, their roles, and expectations of others.  When we plan, we tend to make many assumptions which exercises help to work through.  Through exercising we also identify other needs we may have.

Need help with planning? Training? Exercises?  EPS can do it!  Link below.
