Facing Coronavirus/COVID19 and Implementing Business Continuity

Many organizations are trying to figure out how to sustain in the midst of COVID19.  While we have been advocating business continuity plans for decades, many organizations haven’t seen the necessity.  COVID19 seems to be demonstrating that necessity.  Understanding that many organizations are not familiar with business continuity, I’m offering some considerations in this article and have written on the topic in the past as well.  You may be tempted to short-cut the planning process in a sense of urgency… don’t do it.  This can result in missing important things. 

  1. Don’t do it alone.  The first step in all emergency planning is to build a team.  Get the right people together in a room to talk things through.  It ensures you have multiple perspectives and helps you divide the work. 
  2. Document, document, document.  Documentation is a key to successful planning and implementation. It helps support effective communication and understanding internally and externally. 
  3. Identify your Mission Essential Functions.  Mission Essential Functions are those activities that are absolutely necessary to keep your organization running.  Things like finance, payroll, HR, IT, and critical organizational operations (the activities that make you money or the activities that are part of your core organizational charter) are among your Mission Essential Functions.
  4. What else to think about? What work can or can’t be performed remotely?  Consider how your organization will handle the absence of your own employees if they become ill, must care for an ill family member, or have to care for children if schools are closed.  It’s also important to identify considerations for key partners (shippers, suppliers, etc.) if they are unable to conduct their services for a time.  How will these things impact your organization? 
  5. Engage HR.  Your Human Resources staff are critical cogs in the wheel of business continuity.  They will help identify HR/personnel/labor union policies, contracts, and other matters that may encumber the success of your business continuity.  Once problems are identified, set them to addressing those problems.  Sick leave policies, remote work policies, child care, and worker safety are among the priority discussions we’ve been seeing lately. 
  6. Engage IT.  Information Technology is a big aspect of business continuity.  Most business continuity plans call for many of an organization’s staff to work remotely.  Amazingly, so many organizations still have policies against working remotely, or at least no standard addressing how remote work is to be implemented, conducted, and managed.  HR and IT should be partnering on policies and procedures to address accountability, expectations of the organization, expectations of staff working remotely, and expectations of any staff still working in the office.   
    1. Along with policy matters, there are also matters of hardware, connectivity, and procedures.  What staff will be working remotely?  Has the organization provided them with the tools to do so?  Do they have internet connectivity from their remote location?  What systems and information will be accessed remotely and how?  How will system security be monitored and maintained?  Will a help desk be available to address problems?
    1. Test, test, test.  If you’ve not engaged a number of your staff in remote work before, now is the time.  Have some staff work from home and see how it goes.  Don’t just pick your most tech-savvy staff, either.  Now is the time to identify and address problems. 
  7. Consider the impacts of your changes.  Whatever organizational operations you are changing will have some impact on how you do business.  Where will your phones be directed to?  How will you conduct meetings?  How will signatures be handled?  How will you accept deliveries?  How will staff send mail from their remote work location?  Will you still meet face to face with clients/customers?  Does the office still need to be staffed? 
  8. Staff Communication.  Ensure that staff know what’s going on. Don’t leave them in the dark on this. Keep safety as the central point of your messaging.  Listen to their questions and concerns, and be timely and honest in your responses.  Keep open lines of communication.
  9. Stakeholder Communication.  Vendors, clients/customers, shippers, boards of directors, even the public at large… they all need to know what’s going on and how the continuity event will impact them and their interests.  Just as with your staff, listen to their questions and concerns, and be timely and honest in your responses.  Keep open lines of communication.

The items I listed here are some of the more common concerns and considerations I’ve seen as of recent.  There are a lot of other aspects to business continuity and business continuity planning.  Pressure may be on, but move with urgency, not reckless haste.  If your plan and systems aren’t properly in place, your organization will suffer from poor preparations. 

© 2020 Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC®

A Review and 3 Highlights of the DHS Active Shooter Preparedness Workshop

Last month I had the opportunity to attend a day-long active shooter workshop in Rochester, NY conducted by the DHS Office of Infrastructure Protection.  The focus was awareness of, preparedness for, and response to an active shooter event, with a lean towards a facilities-based audience rather than public safety.

The workshop began with discussions on recognition, then worked through each of the five mission areas (Prevention, Protection, Mitigation, Response, and Recovery).  The primary speaker was excellent, with real-world experience in active shooter situations.  While they referred to the offering as a pilot, the workshop has been around for a few years in various versions.  Understandably, and unfortunately, it’s difficult for the workshop to keep up with lessons learned from recent events.

As mentioned, the workshop weaves through the five mission areas, rather awkwardly trying to also align with the CPG 101 planning process.  I’m not sure that the two really fit well and it was clearly something new to the course, as the primary speaker missed some of the indicators for activities.  The workshop agenda also fell short, with the facilitators clearly offering a higher than usual number of breaks and of longer than usual length to maintain the workshop as a full day.

The activities were table-based, and focused on the primary steps as outlined in CPG 101, with the goal of giving some ideas and structure to the creation of an active shooter preparedness plan for a facility.  Ideas and discussion generated at our table and others were great, as attendees came from a broad array of facilities, such as schools, night clubs, health care, office buildings, and others.  The most disappointing comments were those about roadblocks people faced within their own organizations in planning and other preparedness activities for active shooters.  There is clearly a lot of denial about these incidents, which will only serve to endanger people.

With a number of public safety professionals in attendance, there was some great reflection on coordination with public safety in both preparedness and response.  One of the gems of the workshop was the number of audio and video clips provided throughout.  The segments included media and 911 clips, as well as post incident interviews with victims and responders.  The insight offered by these was excellent and they were a great value add.

Three pieces of information resonated above all others in this workshop:

  • Run, Hide, Fight (or variants thereof) was stressed as the best model for actions people can take in the event of an active shooter.
  • The inclusion of planning for persons with disabilities is extremely important in an active shooter situation. They may have less of an ability to Run, Hide, and/or Fight, and this should be accounted for in preparedness measures.
  • Essential courses of action for planning include:
    1. Reporting
    2. Notification
    3. Evacuation
    4. Shelter in Place
    5. Emergency Responder Coordination
    6. Access Control
    7. Accountability
    8. Communications Management
    9. Short Term Recovery
    10. Long Term Recovery

Since the workshop was in pilot form, there were no participant manuals provided, which a number of people were hopeful to have.  They did, however, provide a CD with a plethora of materials, including references, some videos, and planning guides.  Many of these I’ve seen and used before, but some were new to me.  There was a commitment to send us all an email with a link to a download of the participant manual once it was available.  Some of those resources can be found here.

All in all, this was a good workshop.  The mix of an audience (numbering over 60, I believe) contributed to great discussion and the primary speaker was great.  The presentation materials were solid and provided a lot of context.  While I was disappointed in the lack of a participant manual and the inclusion of too many breaks, I certainly understand that this is the pilot of a redeveloped program which they are trying to keep as timely and relevant as possible.  While I already knew of many of the concepts and standards, there was some great material and discussion, especially in the context of facilities rather than public safety response.  This is a good program which I would recommend to facility owners, managers, and safety/emergency management personnel as well as jurisdiction emergency management and public safety personnel.

© 2016 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC Your Partner in Preparedness

Five Guidelines for Creating Effective Disaster Exercise Injects

While there is a lot of important and necessary planning that takes place before the development of exercise injects can even be considered, injects themselves are where the proverbial rubber meets the road.  How we craft those injects can often times make or break the conduct of the exercise.  Injects provide context, as if the events of the exercise were occurring in real life.  While we try to avoid delivering injects that directly prompt player responses, injects will often provide information which will lead players to react to the information provided.  Here are five guidelines to help you develop effective exercise injects:

  1. Injects must be purposeful and each one must relate back to one or more exercise objectives. Far too often we see injects that have no real bearing on the objectives of the exercise.  These are simply distractions and lead to busy work.  Keep things focused.  Just a few well-crafted injects can engage a number of players in active discussion or activity.
  2. Realistic injects are a must. While there will always be a grumble from some people claiming that something would ‘never happen that way’, due diligence must go into ensuring that injects are as realistic and grounded as possible.
  3. Be aware of who an inject would actually originate from. A common mistake I see is injects being scripted to originate from inappropriate sources.  This distracts from reality.  Also, injects should never originate from a player.
  4. Be flexible and aware. Sometimes players accomplish what they need to without an inject.  In that event, there may not be a need to use that inject.  Similarly, players may not respond to an inject as expected, so further action on the part of the Facilitators/Controllers/Simcell may be needed.
  5. Always have backups! As you build your Master Scenario Events List (MSEL), maintain a side list of contingency injects that can be used to speed up or slow down the exercise, or to address occurrences where players did not respond as expected.

Thoughts and ideas on these and other guidelines are always welcome!

© 2016 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC Your Partner in Preparedness!

2016 National Preparedness Report Released

The fifth National Preparedness Report has been released by FEMA.  The National Preparedness Report is based upon, as the report states, input of more than 450 data sources and 190 stakeholders, including 66 non-federal organizations (which would account for state preparedness report submissions and information from Urban Area Security Initiative regions).  The report is intended as a summary of where the nation stands in regard to each of the 32 Core Capabilities outlined in the National Preparedness Goal.

As mentioned, this is the fifth National Preparedness Report to hit the streets.  While they have some value and demonstrate that the data collection that is done is actually collated, I feel that through the years they are offering less meat and more potatoes.  I appreciate the highlighting of best practices for each mission area, but, to me, there is a missed opportunity if a report is simply providing data and not recommendations.  While it’s understood that the goal of the National Preparedness Report is not to provide recommendations (it would also take longer to publish the report, and the people pulling the data together do not likely have the expertise to create recommendations), I’d like to see FEMA (and stakeholders) have follow up efforts to provide recommendations in each mission area and not miss this valuable opportunity to then apply the findings and look forward.

Below, I’ve included their overall findings with a bit of my own commentary.  Overall, I will say that there is nothing eye opening in this report for anyone who pays attention.  It’s pretty easy to guess those Core Capabilities which are at the top and those which are at the bottom.

  • Planning; Public Health, Healthcare, and Emergency Medical Services; and Risk and Disaster Resilience Assessment are the three Core Capabilities in which the Nation has developed acceptable levels of performance for critical tasks, but that face performance declines if not maintained and updated to address emerging challenges.
    • My commentary: BULLSHIT.  If these Core Capabilities are at ‘acceptable levels’, then our standards must be pretty low.  Planning is the one that disturbs me most.  We continue to see plenty of poor plans that are not realistic, can’t be operationalized, and are created to meet requirements (which are typically met by formatting and buzzwords).  Have we improved?  Sure.  But I wouldn’t say we are at ‘acceptable levels’.  As for Public Health, Healthcare, and Emergency Medical Services, we are struggling in certain areas to simply keep our heads above water.  While we are fairly solid in some areas of public health, one only needs to look at the Ebola incident to view how fragile our state of readiness is.  The findings for Planning and Public Health, to me, are nothing but shameful pandering and we need to get realistic about where we are at and the challenges we face.  Gold stars won’t stand up to the next disaster.  As for Risk and Disaster Resilience Assessment I have admittedly less experience personally.  I do know that we have some pretty incredible tools available that can help us determine impacts of various hazards for any given area under a variety of conditions, which is an amazing application of technology.  My concerns here are that there are still many who don’t know about these tools, don’t use them, and/or don’t follow the findings of information from these tools in their hazard mitigation actions.
  • Cybersecurity, Economic Recovery, Housing, and Infrastructure Systems remain national areas for improvement. Two additional Core Capabilities – Natural and Cultural Resources, and Supply Chain Integrity and Security – emerged as new national areas for improvement.
    • My commentary: NO KIDDING. While we have made a great deal of progress on Cybersecurity, we are still far behind the criminal element in most respects.  It also needs to be fully recognized in the National Preparedness Goal that Cybersecurity is a Core Capability common to all five mission areas.  Economic Recovery will always be a challenge, as every community impacted by an incident has a certain way it heals, essentially along the lines of Maslow’s Hierarchy.  A strong local economy is important to this healing, ensuring that the community has access to the resources it needs to rebuild and a return to normalcy.  While I’m sure studies have been done, we need to examine more closely how the economic recovery process evolves after a disaster to identify how it can be best supported.  Housing is the absolutely most challenging Core Capability in the National Preparedness Goal.  While I don’t have a solution for this, I do know that our current approaches, philosophies, and ways of thinking haven’t moved us an inch toward the finish line on this one.  We need to change our current way of thinking to be successful.  As for Infrastructure Systems, I could go on for days about this.  I’ve written previously, several times, (as have many others) on the critically fragile state of our infrastructure.  It’s no big secret.
  • States and territories continue to be more prepared to achieve their targets for Response Core Capabilities, while they are least prepared to meet their targets in the Recovery Mission Area.
    • This is another NO KIDDING. While we must always have a greater focus on Response, as that’s where lives are saved and the immediate danger is addressed, we can’t lose sight of Recovery.  Some recovery activities are more clear cut than others, and FEMA often muddies the waters more by inadvertently intimidating state and local governments when it comes to disaster recovery, as the focus becomes centered more on reimbursable activities vs doing what needs to be done.  The report included some interesting findings (take a look in the Recovery Mission Area drop down on the web site) on ‘mixed trends in exercising recovery capabilities’.  Again, this is nothing earth shattering, but it’s nice to see the matter addressed.  Yes, we clearly need to exercise Recovery Mission Area Core Capabilities better and more often.

These reports are always worth looking through, even though much of the information is generally known by those of us in the profession.  There are always little nuggets of learning available, and data from the report may be used to support your own endeavors for additional funding or resources for your own program.

As always, I’m interested in your insights and thoughts on this post and the National Preparedness Report.

© 2016 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC – Your Partner in Preparedness

 

Several New CyberSecurity Efforts in the News

Over the past few days, there have been media releases about several new cybersecurity initiatives that should have broad reaching benefits.

Timothy Riecker

First, Govtech.com reported on New Jersey’s consolidated fusion center-style approach to cybersecurity.  About a year ago, the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) was formulated, following the model of the National Cybersecurity Communications Integration Cell (NCCIC).  Co-located with the NJ State Emergency Operations Center and with support from the NJ Office of Homeland Security and Preparedness intelligence resources, the NJCCIC is keeping a watchful eye on cybersecurity matters internal and external to state government and sharing information with the private sector. This is a model effort that will hopefully grow and change based on identified opportunities in both New Jersey as well as other states who have yet to build such a capability.

EDM Digest recently reported on an initiative from the National Governor’s Association to form a multi-state working group, or academy as they are calling it, to create strategies to fight the evolving cybersecurity threat.  States contributing to this effort include Connecticut, Illinois, Louisiana, Nevada, and Oregon.  While not states we would usually think of as being on the forefront of cybersecurity issues, each does have significant business and industry which will hopefully serve as partners and resources in this endeavor.

Lastly, US Representatives Richard Hanna (R-NY) (who represents my district) and Derek Kilmer (D-WA) introduced the Small Business Cybersecurity Act to help American entrepreneurs protect themselves from cybercrimes and create cybersecurity plans that meet their business’ needs.  Co-sponsors of the bill included a range of Representatives of both parties from across the nation.  The release states that three out of every five cyberattacks target small businesses, and with small businesses making up a significant portion of the US economy, it is vital to help protect them.  I couldn’t agree more!  The intent of the bill is to create no-cost legislation to leverage the expertise of Small Business Development Centers (SBDCs) around the nation as an information distribution point for cybersecurity preparedness.  Let’s hope this one passes!  Express support for the bill to your Congressional Representative!

All in all, it’s encouraging to see continued effort toward cybersecurity protection, preparedness, and response.  As with the preparedness efforts we see in emergency management, I hope soon these efforts in cybersecurity will become more unified and closely knit.  While they all technically fall under the President’s Cybersecurity Strategy, we need to ensure connectivity of these efforts to help prevent duplication of effort and minimize holes.  We also want to ensure that access to services and resources that are available are comprehensive and streamlined to the greatest extent.  Let’s keep cybersecurity in mind and continue this work!

© 2016 – Timothy Riecker, CEDP

A New NFPA 1600

Several weeks ago (I forgot to post it!) the National Fire Protection Association (NFPA) released the 2016 update of their 1600 standard, and with a slightly different name: Standard on Disaster/Emergency Management and Business Continuity/Continuity of Operations Programs.  More on the name change in a bit.

For those not familiar with NFPA 1600, if you are in the emergency management field, you should be familiar with it.  While not legally binding (unless specifically referenced by a law or regulation), NFPA 1600 is an excellent standard for modeling an emergency management program.  Like any good standard, it provides guidance on what components you should have, but doesn’t tell you how to do it. NFPA 1600 is also very complimentary to the Emergency Management Accreditation Program (EMAP), with no conflicts between these standards – mostly because EMAP foundationally references much of NFPA 1600.  NFPA 1600 can be found here.  The NFPA provides a free download of the standard (it is heavily copyrighted, so exercise prudence in how you handle it) or you can pay to obtain paper copies.

On to the changes in this update.  As mentioned, the title has been altered a bit by adding ‘Continuity of Operations’.  While it doesn’t say so, I’m guessing that some government-types may have approached NFPA 1600 a bit skeptically thinking that it was really intended for the private sector.  The thing is, business continuity is a specific function within emergency management, but largely follows many of the same processes, just with a particular focus.

Within the standard, the early section titled ‘The Origin and Development of NFPA 1600’ summarizes the evolution of the standard, and provides some information on the changes to the 2016 update.  They mention that “The purpose of the standard has been changed to reflect the Committee’s decision to emphasize that the standard provides fundamental criteria for preparedness and that the program addresses prevention, mitigation, response, continuity, and recovery.  In other words, “preparedness” is no longer just an element of the program – it is the program.” That perspective on preparedness is a great continued evolution of the concept within emergency management.  While the standard in emergency management used to be the emergency management cycle with preparedness as one phase, that is thankfully beginning to go away (although it’s still seen out there way too much for my taste).

old em cycle

The Old Emergency Management Cycle – DON’T USE THIS ANYMORE!

The truth is preparedness permeates everything we do – all phases (or mission areas) of emergency management.  That’s why there are five mission areas identified in the National Preparedness Goal (Protection, Prevention, Response, Mitigation, and Recovery).  Where is preparedness?  It’s the root of the document (literally… it’s in the name of the document).  Preparedness is addressed for each mission area.  We must prepare to protect, prepare to prevent, prepare to respond, prepare to mitigate, and prepare to recover.

As usual, I digress…

Back to NFPA 1600.  This 2016 update includes language within “crisis management planning to include issues that threaten the reputation of and the strategic and intangible elements of the entity as a result of an event or series of events…”.  Smart move.  These elements of crisis management are something we see in both the public and private sector and certainly should be addressed.

Since business continuity does remain a focus element of the standard, they have continued to enhance those aspects.  As such, they have included information on supply chain risk and information security within the document.  When considering business continuity, we can’t just look at our own operations.  The vulnerabilities of other organizations can certainly impact us, so examining supply chain vulnerabilities is wise.  As for information security, we have seen plenty of internal and external cybersecurity issues to justify that.  Although a bit late, I’m glad the NFPA is keeping up with technology and current trends and hazards.  They have also rewritten much of the business impact analysis section (within Chapter 5) to address continuity planning and recovery planning, with a specific differentiation between the two.

Lastly, they have added Annex C, a small business preparedness guide (good move NFPA!), and have added material on addressing the needs of persons with access and functional needs, as well as adding some information on the role of social media in crisis communications plans.

These are all positive changes for the NFPA 1600 standard.  I encourage everyone who is part of an emergency management program to take a look at it and see what it has to offer.  It’s good guidance and will probably provide some good ideas for helping you grow and maintain an impactful program.

For those interested, I have a couple of past articles on standards in emergency management:

Standards in Emergency Management Programs

Business Continuity and Emergency Management Standards and Requirements

 

© 2016 – Timothy Riecker

Emergency Preparedness Solutions, LLCWe are your Partner in Preparedness!

Continuity of Government – Preservation of Records and Data

A common but often low priority issue in emergency management is the loss of physical records and electronic data from a disaster.  To be honest, I ignored the issue for much of my career.  It wasn’t until working on a contract in the northeast and meeting with a lot of local governments did my eyes really open to the importance of the issue.  While this article focuses on preservation of records for governments, it can certainly apply to businesses, not for profits, and even individuals.

Many of the local governments we interfaced with on a completely unrelated contract, were talking about their experiences with Tropical Storm Irene.  Town officials told of their efforts hauling boxes of town records either to a higher floor of town offices or removing them offsite, with water to their knees or even waist high.  Needless to say, many records were lost.

While some of these offices were in known floodplains, others simply suffered from an extraordinary event and the fault of a place where we commonly store things – the basement.  Towns (and other municipal offices) often store physical copies of tax maps and records, property deeds, permits, flood insurance information (ironic, isn’t it?), human resources data for town employees, town financial records, court records, birth certificates, death certificates, marriage certificates, divorce certificates, and other information.  The loss of this information can have an impact, not only historically, but also on current government operations.

Continuity of government and continuity of operations plans should identify those records which are most important.  These are called vital records.  Vital records should have the highest degree of protection.  The National Archives offers some guidance on the protection of vital records.  While the guidance applies to federal agencies, there is still plenty of valuable information which can be applied to other organizations.

Every municipality should examine records storage as part of their continuity of operations and continuity of government planning.  It’s not to say that records can’t be stored in the basement of a building, but mitigation efforts must be made to flood proof the building as much as possible, including water alarms and sump pumps connected to emergency power systems.  Paper and water don’t mix – so get your records off the floor and consider waterproof storage solutions.  Ventilation is also important to prevent molding.

If mitigation is too costly, then you need to consider relocating the records.  Regardless of where your records are, you should have a component of your continuity of operations plan that addresses emergency relocation of records – when, how, to where, and who.  Digital storage is obviously a great solution.  Some towns I spoke with had decided after the storm to scan their records.  Catching up to a hundred plus years of records can be pretty time consuming and practically unsurmountable for most municipal offices.  This is a service that can be hired out.  Be sure to follow sound data protection standards for both storage and access to ensure the continuity of these records.

In the event that records do get wet, all is not necessarily lost.  The Preservation Directorate of the US Library of Congress has a lot of information on preservation of records, including a variety of resources and training opportunities.  There are also companies that specialize in document preservation and recovery after a disaster.  While it’s probably a good idea to identify who you might reach out to in the event of such a loss, know that this is expensive and it’s generally far more cost effective to mitigate against the risk.

Need assistance with government continuity or continuity of operations planning?  EPS can help!  consultants@epsllc.biz.

© 2016 – Timothy Riecker

Emergency Preparedness Solutions, LLC

The Force Awakens – A Potential Soft Target?

“There has been an awakening.  Have you felt it?”  This line from the first trailer of the new Star Wars movie is chilling.  Many of my readers are aware that I am a HUGE Star Wars fan.  As you would expect, I am incredibly excited about the release of Star Wars: The Force Awakens next week.

download

Image courtesy of Disney and Lucasfilm Ltd.

With the recent terror attacks and shootings, though, safety at the theater has certainly been on my mind.  We need to work together as a whole community – theater goers, theater owners/managers and staff, law enforcement, and municipalities.

When I first starting thinking about writing a post on this, I quickly realized that I needed some input from an expert in security.  I reached out to a colleague that not only has the qualifications, but is also a fellow blogger and consultant: Ralph Fisk.  You can find Ralph’s blog here: https://fiskconsultants.wordpress.com/.  He has some great insights on security and risk assessment matters – I strongly suggest you check out his blog, follow, participate, etc.  Ralph agreed to collaborate on a piece related to this global event.  He is also posting this same article on this blog.  Enjoy – and May the Force be With You!

– TR

~

(This article, cross-posted and co-authored by Ralph Fisk and Tim Riecker, draws collectively on our experiences and expertise to provide guidance to municipalities, theaters, and movie goers on awareness, preparedness, and response concerns as we look toward this global event.)

The rapidly approaching release of Star Wars: The Force Awakens stands to be the largest premiere in theater history.  It has already broken a multitude of pre-sale records, with more records certainly to be broken on opening day and opening weekend, both domestically and internationally.  Even if you aren’t a Star Wars fan, you must certainly be at least aware of a new movie being released.  But what does this have to do with emergency management and homeland security?

On July 20, 2012 James Eagan Holmes killed 12 and injured 70 others when opening fire on patrons in an Aurora, CO theater.  This mass murder took place at the midnight premiere of the Batman film The Dark Knight Rises. The recent terrorist attacks in Paris involved a music venue, in which nearly 100 people were killed.  Gathering places like movie theaters are just one more item on the list of potential soft targets for people wishing to do harm, be they terrorists, disgruntled, or disturbed.

IMDB provides a listing of international release dates for The Force Awakens here.  We caution that this list isn’t entirely accurate.  For example, while December 18th is the official release date of The Force Awakens in the US, thousands will be seeing the movie at a select list of theaters participating in a 7pm special premiere time on the 17th.  While you should certainly be aware of the date and time of this premiere at your local theaters, it should be emphasized that theaters will be packed with fans for some time.

While there are no credible threats involving this premiere that we are aware of, municipalities, theaters, and movie goers all need to be aware of the potential for an attack and what each can do.  Surprisingly, despite high visibility active shooter and terrorist events of the past few years, most municipalities still do not have appropriate preparedness measures in order.  While there isn’t time to assemble a solid response plan prior to the premiere of The Force Awakens, there is still plenty of time for beneficial, albeit ad-hoc preparedness efforts.

Our thoughts are below…

With the release of the much anticipated next chapter of the Star Wars Saga, The Force Awakens; theaters and local first responders need to have a heightened level of awareness. There are a number of potential threat indicators associated with this release:

1)            Of course the current terrorism threat situation is first and foremost in our minds

2)            The history of an Active Shooter Attacks on movie theaters goes back to 1989 during the screening of Harlem Nights in Chicago, Sacramento, and Richmond California; on 20 July 2012 during the midnight release, in Aurora, Colorado, of the much anticipated film – Batman: The Dark Knight Rises; another Active Shooter Incident that involved another movie theater in Lafayette, Louisiana on 23 July 2015 during the screening of Train Wreak.

3)            But also other considerations should be given to just the more than “normal” volume of theater goers, and which possible incidents could result from that.

Theaters are known to be soft targets and as such we need to be aware of the threat and how to address it.

We are going to cover the first two indicators listed above as they are not only the largest possible casualty producers, but also pose the greatest immediate impact.

Below are some suggestions and considerations for an ad hoc plan not just for the venues featuring these events; but also for those that maybe in attendance.

Introduction:

Most Active Shooter Incidents, an estimated 90%, are single actor attacks, meaning unless that person has been overt in their planning, little is known about the possibility of an Active Shooter Attack;

Unlike Terrorist Cells; which typically contain up to 4 – 6 members, not just for ease of control and planning, but also for the strict adherence to Operational Security, on the part of the Terrorists.

The difference between the two attacks may appear to be subtle to the uninitiated;

The main goal of an Active Shooter incident is to cause as much destruction as possible in a very short time span; Active Shooter incidents are different from other weapons related crimes in that they intend to commit mass murder.

Terrorist Attacks however have a very distant signature. They are commented for a number of political or ideological reasons; and may result in mass murder or hostage taking. Terrorist attacks may seem very methodical in nature of the execution.

Terrorism:

Terrorism is all around us, whether we chose to look for it or not. Terrorist Groups tend to fall into one of six different categories;

  • Nationalist/Separatist – Sometimes referred to as Freedom Fighters
  • Religious – and we are not just talking about Radical Islamic terrorists here
  • Political – which include; right and left-wing
  • Anarchist – Freedom without the burden of a Central Government
  • ECO/Animal Rights – Motivated by Environmental/Animal Political Policies
  • Single Issue Causes – involves the use of force and violence for the purpose of coercing a government and/or population to modify its behavior with respect to a specific area of concern. Typically, these types of organizations do not have an overall political agenda

Which any number of these groups with related or different causes are already operating in the heart of the Country. Terrorist Attacks could have one or more of these four main objectives;

  • Recognition of the groups’ cause or purpose
  • Coercion toward the populace and/or government to the groups’ ideology
  • Intimidation to cause fear or terror; to cause the populace to lose faith in their governments’ ability to protect them
  • Provocation: attacks are aimed to cause the ruling government to take repressive actions against the population; demonstrate the weakness of the government and the strength of the terror organization

It would be almost impossible to go into the ideology of every single group. Suffice it to say, that they all mean to get their points across, sometimes with protesting, sometimes with criminal destruction of property, and yes, sometimes they will introduce violence.

Violence could be in almost any form imaginable. The most used form of violence directed towards a population tends to lean toward Armed Attacks and/or Bombings (Including suicide bombings); because for the most part these are relatively inexpensive approaches, the logistics to effect these types of attacks are relatively easy to obtain and these tend to produce the most casualties and incite the most fear in the general population. Between 1998 and 2007 out of the estimated 28000 terrorist attacks around the world, almost 21000 involved one of these two types of tactics.

Other terror techniques also used could include; Assassination, Arson, Hijacking, Hostage Taking, Kidnapping, Sabotage, Seizure, Sniper Attacks/Mass Shootings, Threats or Hoaxes, Cyber Terrorism, Agricultural Terrorism, Civil Disturbances and Weapons of Mass Destruction (WMD). WMD is the use of any weapon or device that is intended or has the capability to cause death or serious bodily injury to a significant number of people through the release; dissemination; or impact of one of the following means; Toxic or poisonous chemicals or their precursors; diseases, biological organisms; radiation or radioactivity.

Combined attacks of different types have also been used in the recent past. The attacks on the United States on 11 September 2001 included the use of Airplanes as Weapons of Mass Destruction; the Terrorists Hijacked the planes through the use of an armed attack, albeit the arms were box-cutters, and crashed the planes into buildings causing the planes themselves to be used as WMD’s

Terrorists seek to create public fear and anxiety in order to influence government policy. Through the randomness and unpredictability of their acts, terrorists attempt to undermine confidence in government’s ability to protect the public. Terrorists hope the resulting insecurity fuels public demands for government concessions in order to stop the terrorist acts.

Today, as has been evident with recent terror attacks and attempted attacks, terrorist target selection wants to affect the maximum number of innocent people, in order to generate the fear, they desire. As the government has mobilized to protect our infrastructure from attack, our less protected target; schools, universities, shopping malls, et al., become more attractive targets.

As other sites and venues are “hardened” for security, these measures cannot be implemented across all avenues of society. One, it would infringe on our basic constitutional rights, two, the potential cost associated with “hardening” every facility would surely bankrupt the organization or governmental body imposing such restrictions, and three, we would become a “jailed” society.

Planning for terror incidents doesn’t require you have access to CIA, FBI or other intelligence organizational files, it, for the most part, only requires Common Sense, Situational Awareness of your surroundings, and a Communications Plan.

Some things to take into consideration when you’re making your plans to be in these potential soft target environments:

  • Remain Alert
  • Develop an informed vigilance; meaning, know what possible terror threats could be in your area or the area you’re going to
  • Let someone, not going with you, know your plans; where you’re going; when you expect to return
  • Attempt to blend in with your surroundings, Don’t try to stand out
  • Know your surroundings; Know how to exit the area you will be in; what is the shortest way out; have an alternate plan should that not be a viable opinion should there be an issue
  • Communicate that information to your family and others with you
  • Identify a meeting place if you become separated

Report any suspicious activity. Again remember to use your common sense; examples of suspicious actions could include:

  • People loitering in the same general area without a recognizable legitimate reason; people who appear preoccupied with a specific building or area; electronic audio and video devices in unusual places
  • Just because someone seems to belong there, they might not be whom they seem especially if they are exhibiting any of the actions stated above
  • DO NOT TRY TO DEAL WITH ANY INDIVIDUAL YOURSELF contact the venue security or Law Enforcement Personnel
  • Look for things out-of-place; bags left unattended; packages; persons attempting to conceal items either on their person or receptacles

In threatening situations, take steps to reduce your exposure – leave the immediate area

If an incident does occur; follow the instructions of venue staff, emergency personnel and first responders.  If you are close to the incident walk away with your hands visible.  Walk, do not run as secondary injuries can occur to you or others; move toward the walls as people evacuating a building tend to gravitate in the center

Active Shooter:

Although mass killings have been around for some time, Active Shooter incidents have only relatively recently come into the main stream. I’m not going to mention them as most of you reading this post know the infamous locations of these horrific incidents.

 The National Tactical Officers Association defines an Active Shooter as:

  • One or more subjects who participate in a random or systematic shooting spree
  • Demonstrating their intent to continuously cause serious physical injury or death to others
  • Their overriding objective appears to be that of mass murder, rather than some other criminal conduct such as robbery, hostage taking, etc.
  • In most cases some type of firearm is used, however, the Active Shooter may use any weapon that may be available
  • A suspect is considered an active shooter if he or she is still actively shooting, has access to additional potential victims, and has a willingness to harm others until stopped by authorities or his/her own suicide

Most Active Shooter incidents are often over within 10 to 15 minutes, in a 2012 FBI Active Shooter report, 37% of Active Shooter incidents last under five minutes, before law enforcement arrived on the scene, individuals must be prepared both mentally and physically to deal with an active shooter.

We will cover some very basic steps to plan for, react to and recover from an Active Shooter Incident. As with every planning recommendation I give; this is not all inclusive, I would highly recommend you attend an Active Shooter Training Seminar or ask for a visit from your local law enforcement organization that can give you a block of instruction on Active Shooter.

No matter where you find yourself, at work, in a restaurant, or any other venue where people congregate, you could very well be a target for an individual or individuals’ intent on causing great harm.

First rule in any Emergency Situation, Active Shooter included;

YOU ARE THE MOST IMPORTANT PERSON IN THE EQUATION! YOUR SAFETY IS PARAMOUNT!

I have talked numerous times about maintaining your situational awareness. When you arrive at any venue take a few seconds to find the exits; which one is closest to you; how will you evacuate the area should you have too? What is around you that could protect you? I personally like sitting at booth tables in restaurants; with my back against a wall or other solid object: having a complete view of the whole restaurant if possible and facing the door.

Remember there are three basic fundamentals to reacting to an Active Shooter Incident;

RUN – Leave everything behind; find that exit and GET OUT! Encourage others to come with you, but if they don’t want to leave, REMEMBER YOU ARE THE MOST IMPORTANT PERSON IN THE EQUATION!

HIDE – Put as many barriers/walls between you and the shooter as you can, turn off cell phones, radios, any device that could make a noise and give up your position! Lock or block the door; hide under a desk, remain quiet and claim!

FIGHT — AS A LAST RESORT, AND ONLY WHEN YOUR LIFE IS IN IMMINENT DANGER: Act as aggressively as possible against him/her; Throwing items and improvising weapons; Committing to your actions; Attempt to incapacitate the active shooter; (EXERCISE EXTREME PREJUDICE IN YOUR ACTIONS) That last part isn’t a fancy movie catch phrase; remember you are in a fight for your life!

Once police arrive on the scene here are a few do’s and don’ts;

DON’T:

  • Run up to the police; Their first priority will be to eliminate the threat(s) and secure the scene to allow EMS to come in and assess and treat casualties
  • Avoid making quick movements toward officers such as attempting to hold on to them for safety
  • Don’t stop to ask officers for help or direction when evacuating, just proceed in the direction from which officers are entering the premises.

DO:

  • Be VERY AWARE! That once Law Enforcement Personnel arrive on the scene you may very well be considered a suspect. That is normal response protocol
  • DO AS YOUR TOLD, it is BETTER YOU PLACE YOUR HANDS OVER TOP YOUR HEAD
  • YOU may be told to get on the ground…. Just do it…… Better to be treated like a criminal at first and then cleared, than being shot. You made it that far, go home at the end of the day

Active Shooter Preparedness is also becoming a very large part of Workplace Violence Planning and Training.

Although it is good to receive some rudimentary training on Active Shooter; each organization will need to tailor their response plans to fit into their building lay out.

Corporate Climates cannot afford to have a lackadaisical approach to workplace violence, emergency response or security, this is a leadership/management issue. Corporate Leadership must take ownership of safety, emergency response and workplace violence responsibilities for their organizations and require their First-tier leaders to stress the importance of these processes and procedures, one of the first things I learned about leadership was, led by example. You can direct more people into doing what you want if you first do it yourself! If you don’t, what makes you think that the employees will!

Active Shooter Awareness has to be incorporated with emergency response planning and work place violence planning; you are setting yourself and your company up for failure by not planning, training and conducting exercises.

This next point has greatly concerned me, I have seen some reports lately that companies are being sued for conducting Active Shooter Awareness Training and most, if not all claimants say they were traumatized by the training. Well I’ll simply put it this way, would you rather have some knowledge and a sense of what to expect should you ever have to act in an Active Shooter Situation; or would you rather be a victim. A 2012 FBI Active Shooter report indicated that over 50% of Active Shooter Incidents occurred at a business.

I’d also recommend that you receive some treatment for Post-Traumatic Stress (PTSD) after the incident, as you would have seen and experienced things that no person should every have too.

Recommendations both for Active Shooter and Terror Attacks for those that may not have a developed response plan

Municipalities;

  • Consider activating, even with minimum staffing, the local Emergency Operations Center
  • Consider “up-staffing” Law Enforcement, Fire and EMS Personnel, not only the first night but a number of consecutive nights as well
  • Consider a review of local mutual aid plans (Police, Fire, EMS)
  • Consider having a Public Safety Organizational meeting prior to release

Law Enforcement Organizations;

  • Consider high visibility patrols in theater areas, not only the first night, but a number of consecutive nights as well
  • Meet with theater owners/management to discuss awareness, protocols, and expectations
  • Consider reviewing your Active Shooter and Terrorism Response Plans
  • Act immediately on any reported perceived threats
  • Consider “Up-staffing” patrol personnel
  • Consider a review of local mutual aid plans
  • Check with local FBI Field office, Joint Terrorism Task Force, or if so supported, Fusion Center; prior to release night for any updates of possible threats

Fire/EMS

  • Consider having one medical and one fire unit “staged” close to the venue
  • Consider reviewing your Active Shooter and Terrorism Response Plans
  • Consider “up-staffing” the closet Engine/Ladder/EMS Companies
  • If possible, predesignate locations for Medical and Fire Staging Locations
  • Consider Review Local Mutual Aid Plans

Theater Company

  • Consider coordinating with local law enforcement for security
  • Brief Theater Staff that will be working those nights, on Emergency Response and Active Shooter Plans
  • Maintain a Passive Security Posture the entire night; Some Passive Security measure suggestions can be found above
  • Know the limitations of the theater rooms and know when they are close to capacity
  • Assign personnel with no other responsibility but to observe theater patrons; Only in an observe and report capacity
  • Consider review of local mutual aid plans
  • All theater staff must know where all the exits are and how to lead patrons to them; remind the staff the closest exit maybe behind them

Conclusion

As a sociality we have become increasingly dangerous, in that we have to worry about the seemingly random act of an Active Shooter; although most are not random at all, but go through as many as five phases before the shooter executes his/her actions. I fear that we will continue on this path of wanton violence and the better educated you are, not to these types of incidents, but any type, the better you will be to handle the situation.

As with any planning you do, whether you’re planning for a natural disaster or human initiated events/incidents, you need to take into account your own special considerations, also keep in mind that these planning and situational mindset ideas will not always be all inclusive. Your primary focus should be on personal safety, continued situational awareness and exercise your common sense.

The world has changed over the last few decades, more than anyone of us could have ever imagined. Thirty years ago, the only emergency-related thing we had to worry about at school was the surprise annual fire drill. The escalating violence in our world and attacks on soft targets like schools, churches, and hospitals has taught us that we are no longer safe in those places we once considered as morally protected sanctuaries. We must strive to provide a safe environment for all of us.

So Your AAR Says Bad Things… Now What?

There it is.  Your recently delivered after action report (AAR).  Uncomfortably sitting across the room from you.  You eye it like Tom Hanks looking at Wilson for the first time.

Wilson

Wilson!!!

You know what’s in it.  It says bad things.  Things you don’t like.  Things your boss really doesn’t like.  But what will you do?

First, let’s assume that, despite you being unhappy with the areas for improvement identified in the AAR, they are fair representations.  What will you do with the dreaded information now that you have it?  Your AAR may have come with a corrective action plan (CAP), but this is only guidance that still needs to be reviewed and acted upon.

First, each identified area for improvement should be prioritized.  After all, if everything is important, then nothing is important.  Even if the areas for improvement and/or corrective actions are already identified in the AAR (particularly if done by a third party or if the AAR is representative of a multi-agency exercise) you should review this prioritization with your own organization’s stakeholders.  This means pulling together a committee (sorry for cursing!) comprised of key areas within your organization.  This may even mean people from areas that may not have participated, such as information technology, as I’m betting there was something in the exercise about computer systems, programs, internet connection, data access, data continuity, etc.  Don’t forget the finance people, either… some fixes aren’t cheap!

Once everyone has had an opportunity to review the AAR, each identified area for improvement should prioritized, at least to the degrees of high, medium, and low; with a secondary filtering of short-term vs long-term projects.  While some may be relatively quick fixes, others can take months, if not years, to accomplish.  Activities should also be identified that are dependent upon others which may need to be completed first (i.e. a procedure needs to be written before it can be trained on).

That’s probably enough for one meeting.  But the people you gathered aren’t cut loose yet… in fact they are pretty much locked in, so you need to be sure that the people you bring together for this corrective action group have the knowledge, ability, and authority to commit resources within their respective areas of responsibility.  Now that activities have been prioritized, it’s time to assign them… this is why involvement of your boss (if you aren’t the boss) is so important.

Some individuals within your organization will be able to act on their own to make the corrective actions that are needed – while others will need to work together to make these happen.  Consider that there may be more activities than just those identified in the AAR.  For example, the AAR may identify a need for a resource management plan.  That’s good, but we all know you can’t just build a plan and expect it to be ready for action.

For those who are regular readers of my blog, you know I’m a big fan of the POETE elements.  (More on POETE here).  What is POETE?  POETE is an acronym that stands for:

  • Planning
  • Organizing
  • Equipping
  • Training
  • Exercising

What is the value of POETE and what does it all mean?  POETE is a great reminder of the key activities we need to do to enhance our preparedness.  Given that, when we look at an identified need for improvement, we need to consider how to properly address it.  So start at the top:

  • What plans, policies, and procedures are needed to implement and support this corrective action?
  • What organizational impact will occur? Do we need to change our organization in any way?  Do we need to form any special teams or committees to best implement this corrective action?
  • What equipment or systems are needed to support the corrective action?
  • What do people need to be trained in to support the corrective action? Do we need to train them in the plan, about a new policy or procedure?  Do they need training on organizational changes?  How about training in the use of equipment or systems?
  • Lastly, once you’ve made a corrective action, it’s a good idea to test it. Exercises are the best way to accomplish this.

There are obviously other considerations depending on the specific corrective actions and the circumstances of your organization.  Funding is often times one of the most significant.  If you need to obtain funding to make corrective actions, the AAR is one of the best documented investment justifications you can get.

From a project management perspective, the committee should regularly reconvene as a matter of checking in to see how the corrective actions are going.  On a continuing basis, the progress of corrections should be tracked (spreadsheets are great for this), along with who has been tasked with addressing it, timelines for completion, related finances, progress notes, etc.  Otherwise, in our otherwise busy days, these things get lost in the shuffle.

From a program management perspective, this is a process that should be engrained culturally into your organization.  Ideally, one person should be responsible in your organization for coordinating and tracking this corrective action process.  As additional exercises are conducted and actual incidents and events occur, corrective actions from these will be brought into the mix.  It is all too often that organizations complain of seeing the same remarks on every AAR or from experiencing the same issues for every response.  BREAK THE CYCLE!  Establishing a corrective action program for your organization will go a long way toward making these chronic issues go away.

By the way, the same concept can be applied to multi-organizational/agency efforts at any level – local, county, state, federal, regional, etc.  Since we respond jointly, there are great benefits to joint preparedness efforts.  We will likely find that even that we have our own house in order, working with someone else is a very different experience and will require a whole new list of corrective actions as we identify areas for improvement.  This process works great with multi-agency committees.

The bottom line – the biggest reason why we exercise is to test our capabilities.  When we test them, we find faults.  Those faults need to be corrected.  Capitalize on the investment you made in your exercise effort to address those identified deficiencies and improve your capabilities.

What ideas do you have for addressing corrective actions?

Need help with preparedness activities?  Be Proactive and Be Prepared™ – Reach out to Emergency Preparedness Solutions!  We’re always happy to help.

Thanks for reading!

© 2015 – Timothy Riecker

Emergency Preparedness Solutions, LLC

National Preparedness Month Webinars for Businesses

September is National Preparedness Month in the US and to help promote preparedness across the whole community, FEMA is partnering with the Small Business Administration and their consultant Agility Recovery to spread the word to the business community.  Below is information on a webinar series with topics to help prepare your business!  

Get Your Business Ready For Any Kind of Disaster at Free National Preparedness Month Webinar Series

 WASHINGTON – Each year small businesses nationwide are forced to close their doors in the aftermath of severe storms, flooding, tornadoes, wildfires and hurricanes. Business interruptions, even if they last just a few hours, are costly in terms of lost productivity and profits.

 You can get help with your own business preparedness planning through a series of free webinars in September hosted by the U.S. Small Business Administration and Agility Recovery.   The September series is presented in collaboration with FEMA’s Ready Campaign as part of National Preparedness Month.  

 The SBA wants to help business owners take charge of the well-being of their own companies, the safety of their employees, and the sustenance of their local economies by being prepared to rebound quickly from any kind of disaster.

 The half-hour webinars will be presented at 2 p.m., Eastern time, each Wednesday in September. Visit http://snurl.com/296yw4e to register for any or all of the webinars listed below:

 September 3: Crisis Communications for Any Organization

Learn best practices for developing an emergency communication strategy.

 September 10: How to Plan for a Power Interruption…and Recover Fast

Tips on how to make your company resilient and better prepared to mitigate losses during power outages.

 September 17: The Top 5 Steps for Preparedness This Year

The top five ways to prepare for disaster-related business interruptions will be discussed.

 September 24: If You Do Nothing Else This Year

Simple, low-cost tips on building a solid business continuity plan.

 SBA has partnered with Agility Recovery to offer business continuity strategies through their “PrepareMyBusiness” website. Visit www.preparemybusiness.org to check out the archived webinars and for more disaster preparedness tools.