Tag Emergency Preparedness Solutions

“No Battle Plan Survives Contact With the Enemy”

Tim Riecker, The Contrarian Emergency Manager 2 Comments

This quote is credited to a German military strategist named Helmuth von Moltke, who served in several wars in the mid-1800s.  He had a certain theory of war, understanding that several strategies must be identified in planning, as it is difficult to ascertain exactly what will happen after first contact with the enemy.  What can we in emergency management learn from this?

First off, we should all recognize that it’s a rare occasion that anything goes according to plan.  That is a reality which we must identify as a foundation of our planning efforts.  These realities are part of our planning assumptions.  In essence, we simply don’t know exactly what will happen, when it will happen, where it will happen, or what the impacts will be.  We also can never be completely certain about the resources we will have available to us to respond.

Based on these planning assumptions, we should not count on our plans working from the moment an incident occurs.  Very simply, there is always some catch up that we need to account for.  Most importantly, we need to gain situational awareness to determine the scope and magnitude of the incident.  Once we have a reasonable degree of situational awareness (often we never know everything we would like to), we can start making decisions as to how we will respond.  These decisions should be guided by our plans.

Our initial response – what we do when we first run in approach, assess, and begin our initial life saving measures – may not have a solid plan, but the foundation of it does follow a certain algorithm.  Many disciplines, especially the traditional first response ones, often underscore the importance of a scene size up.  While this varies a bit based on our respective disciplines and the nature of the incident, the common themes involve seeking answers to the usual questions – who, what, where, when, why, and how.  As we begin to gain answers and process this information, we request and assign resources.  Our initial response is often unorganized.  We don’t know all there is to know about the incident.  We don’t have all of our resources readily available.  Mentally we are overwhelmed with information, trying to process everything quickly.  Eventually, though, we should begin to transition into our planned response, bringing order to the chaos.

While emergency and incident management isn’t war, there are certainly a number of parallels that can be drawn.  While von Moltke’s statement is often cited in our profession, devaluing the plans we create, I think the perspective of those who cite it is wrong.  We should not intend for our plans to be implemented immediately upon occurrence of an incident.  Rather than sticking a square peg into a round hole by trying to immediately apply our plans, our initial response should deliberately guide us to our planned response.

One of the chief elements of our plans is our organization – the incident command system (ICS) or incident management system (IMS).  Our ability to properly implement our plans is predicated on our ability to manage.  In a complex incident, one person cannot handle all the elements and tasks.  Delegation is necessary and ICS/IMS is the organizational model we should be following.  It is through our incident management organization that we manage resources, hopefully in accordance with a plan, which helps us to manage the incident.  The transition to managing the incident instead of responding to the incident can be a difficult one to make, especially for those not experienced with larger incidents.  Much time can be wasted resisting or struggling through this transition.  The transition, however, is a conscious and deliberate effort.  It won’t happen automatically.  It must be managed.

I’ve referenced in previous blog posts Cynthia Renaud’s paper “The Missing Piece of NIMS: Teaching Incident Commanders How to Function on the Edge of Chaos’.  Much of what I’m talking about in terms of managing our ICS/IMS through the transition of initial response into our planned response has also been cited by Chief Renaud.  The bottom line is that we can do better in our core ICS/IMS training to aid our incident managers in making this happen.  Much ICS training seems to have dropped the essential concept of scene size up/assessment, or simply glosses over it.  How can you make decisions about how to manage the incident if you don’t know what’s going on?  It’s also a rare occasion that ICS training has much mention of the planned response.  The focus is on incident action planning, which is certainly needed to guide us through tactical application, but courses often fail to indicate the indispensable reference of emergency plans when identifying objectives and strategies.  This is a clear disconnect in our preparedness efforts and must be fixed.  We can do better.

If you haven’t yet heard of my crusade to improve our current state of ICS training, there are a number of articles I would direct you toward.  Check them out here.

Of course I’m always happy to hear what you think – comments are welcome!

© 2016 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC – Your Partner in Preparedness!

7 Emergency Management Priorities for the Next Administration

Tim Riecker, The Contrarian Emergency Manager Leave a comment

Heritage.org recently published a piece outlining the top four homeland security priorities for the next administration, which can be found here.  It’s a thought provoking article that certainly identifies some important issues.  In the same spirit, I’d like to offer what I think are the emergency management priorities for the next administration.

1) Support an Effective FEMA Organizational Model

The Heritage.org model pointed out several issues with the DHS organization that need to be addressed sooner rather than later.  I’d like to add some FEMA-specific items to their suggestions, regardless of if FEMA is kept within DHS or not (honestly, I think that ship has sailed and FEMA is there to stay).

In building a bit of background for this article, I took a look at FEMA’s current strategic plan, knowing that the document already identifies some of their priorities.  Within in that list of priorities, they mention mission and program delivery, becoming an expeditionary organization, posturing and building capability for catastrophic disasters, and strengthening their organizational foundation.  To me, these four all directly relate to their organizational model.

Along with having a strong central administration of programs, FEMA needs to have agility in their program delivery.  This is best accomplished through the FEMA regional offices, which act as an extension of the ‘central administration’ by coordinating directly with states and neighboring regions to apply those programs in the best possible manner within the guidelines of the program.  While this is currently performed, it is not performed to the greatest extent possible.  John Fass Morton provides some great perspective on this approach in his book ‘Next-Generation Homeland Security’.  Info on the book can be found here.

2) Bolster Risk Reduction Programs

I write often about preparedness, as that has always been a focus of my career.  Risk reduction, however, is essential to eliminating or reducing the impacts of hazards on communities.  Risk reduction includes all aspects of hazard mitigation and resilience, which are ideally applied at the local level but supported by state and federal programs, policies, and resources.

While the National Weather Service has implemented and promoted the StormReady program, which encourages community resilience, the best program we have ever had in our field is Project Impact.  I’d love to see a revival of Project Impact (call it that or something else – I don’t really care), incorporating the concepts of StormReady as well as other best practices in risk reduction.  A big part of this program MUST be incentivization, especially access to funds that can be applied for in the present for hazard mitigation activities.

3) Build a Better Cybersecurity Program

This item was added to the list by a colleague of mine.  It’s also found on the Heritage.org list.  It must be pretty important, then.

Yes, there are a LOT of initiatives right now involving cybersecurity, but I think there can be more.  Jon, the same colleague who suggested this for my list has also stated repeatedly that cybersecurity is really a Core Capability that cuts across all mission areas – Prevention, Protection, Response, Mitigation, and Recovery.  The recent update of the National Preparedness Goal suggests this, but sadly doesn’t commit.

What do we need in regard to cybersecurity?  First of all, we need to demystify it.  There are plenty of people out there who have just enough tech savvy to turn on their computer, send some email, and post to Facebook.  While that may work for them, they are likely intimidated by talk of cybersecurity, hackers, and the like.  We need to continue programs in plain speak that will help to inform the average consumer about how to protect themselves.

Better coordination with the private sector will pay off heavily when it comes to cybersecurity.  Not only is the private sector generally better at it, they also have a tendency to attract experts through better incentives than the government can offer, such as higher pay.  Cybersecurity also impacts everyone.  We’ve seen attacks of all types of systems.  The only way to stop a common enemy is to work together.  Let’s think of it as a virtual whole-community approach.

4) Prepare for Complex Coordinated Attack

Another of Jon’s suggestions.  While terrorism is often quickly shoved into the category of homeland security, there is a lot that emergency management can assist with.  These types of attacks (think Mumbai or Paris) have a significant impact on a community.  They require a multi-faceted approach to all mission areas – again, Prevention, Protection, Response, Mitigation, and Recovery.  While law enforcement is clearly a lead, they must be strongly supported by emergency management as part of a whole-community approach to be successful. Preparedness across all these mission areas must be defined and supported by federal programs.

5) Infrastructure Maintenance

We have roads, bridges, rail, pipes, and other infrastructure that MUST be maintained.  Maintenance (or replacement) will not only prevent failure of the infrastructure as a disaster itself, but will also make it more resilient to impacts from other disasters.  Yes, these are projects with huge price tags, but what alternative do we have?

6) Continuity of Existing Model Programs

There are few things more infuriating than a new administration wiping the slate clean of all predecessor programs to make room for their own.  While every administration is entitled to make their own mark, getting rid of what has been proven to work is not the way to do that.  Eliminating or replacing programs has a significant impact all the way down the line, from the federal program administrators, to the state program people, to the local emergency managers who are often understaffed and underfunded to begin with.

Changing gears is not as simple as using a different form tomorrow, it requires research and training on the new program and costs time to re-tool.  While I would never say there is nothing new under the emergency management sun, as I believe we are still innovating, I’m pretty skeptical of some new appointee walking into their job and making wholesale changes.  While improvements can certainly be made, summary execution of successful programs does no one any good.  Let’s not make change simply for the sake of change.

Related to this, I fully support the efforts of FEMA in the last few years to gain comprehensive input on changes to documents and doctrine through the formation of committees and public comment periods.  This approach works!

7) Pull Together Preparedness Programs

NIMS, HSEEP, NPG, THIRA, etc… While each of these programs have their own purpose and goals, more  can be done to bring them together.  I’m not suggesting a merger of programs – that would simply make a huge mess.  What I’m suggesting is to find the connections between the programs, where one leads to another or informs another, and highlight those.  Things like better application of the Core Capabilities within HSEEP exercises to have a more effective evaluation of NIMS capabilities (I suggested this while being interviewed for a GAO report), or referencing the THIRA when building a multi-year training and exercise plan.  While some jurisdictions may already do this, these are best practices that should be embraced, promoted, and indoctrinated.  These links typically don’t add work, in fact they capitalize on work already done, allowing one project/program/process to be informed or supported by another, creating efficiencies and supporting a synchronization of efforts and outcomes.

There is my list of seven.  What are your thoughts on the list?  There are certainly plenty of other ideas out there.  If you had the ear of the next President, what would you suggest be their administration’s emergency management priorities?

© 2016 – Timothy Riecker

Emergency Preparedness Solutions, LLCYour Partner in Preparedness

A New NFPA 1600

Tim Riecker, The Contrarian Emergency Manager 7 Comments

Several weeks ago (I forgot to post it!) the National Fire Protection Association (NFPA) released the 2016 update of their 1600 standard, and with a slightly different name: Standard on Disaster/Emergency Management and Business Continuity/Continuity of Operations Programs.  More on the name change in a bit.

For those not familiar with NFPA 1600, if you are in the emergency management field, you should be familiar with it.  While not legally binding (unless specifically referenced by a law or regulation), NFPA 1600 is an excellent standard for modeling an emergency management program.  Like any good standard, it provides guidance on what components you should have, but doesn’t tell you how to do it. NFPA 1600 is also very complimentary to the Emergency Management Accreditation Program (EMAP), with no conflicts between these standards – mostly because EMAP foundationally references much of NFPA 1600.  NFPA 1600 can be found here.  The NFPA provides a free download of the standard (it is heavily copyrighted, so exercise prudence in how you handle it) or you can pay to obtain paper copies.

On to the changes in this update.  As mentioned, the title has been altered a bit by adding ‘Continuity of Operations’.  While it doesn’t say so, I’m guessing that some government-types may have approached NFPA 1600 a bit skeptically thinking that it was really intended for the private sector.  The thing is, business continuity is a specific function within emergency management, but largely follows many of the same processes, just with a particular focus.

Within the standard, the early section titled ‘The Origin and Development of NFPA 1600’ summarizes the evolution of the standard, and provides some information on the changes to the 2016 update.  They mention that “The purpose of the standard has been changed to reflect the Committee’s decision to emphasize that the standard provides fundamental criteria for preparedness and that the program addresses prevention, mitigation, response, continuity, and recovery.  In other words, “preparedness” is no longer just an element of the program – it is the program.” That perspective on preparedness is a great continued evolution of the concept within emergency management.  While the standard in emergency management used to be the emergency management cycle with preparedness as one phase, that is thankfully beginning to go away (although it’s still seen out there way too much for my taste).

old em cycle

The Old Emergency Management Cycle – DON’T USE THIS ANYMORE!

The truth is preparedness permeates everything we do – all phases (or mission areas) of emergency management.  That’s why there are five mission areas identified in the National Preparedness Goal (Protection, Prevention, Response, Mitigation, and Recovery).  Where is preparedness?  It’s the root of the document (literally… it’s in the name of the document).  Preparedness is addressed for each mission area.  We must prepare to protect, prepare to prevent, prepare to respond, prepare to mitigate, and prepare to recover.

As usual, I digress…

Back to NFPA 1600.  This 2016 update includes language within “crisis management planning to include issues that threaten the reputation of and the strategic and intangible elements of the entity as a result of an event or series of events…”.  Smart move.  These elements of crisis management are something we see in both the public and private sector and certainly should be addressed.

Since business continuity does remain a focus element of the standard, they have continued to enhance those aspects.  As such, they have included information on supply chain risk and information security within the document.  When considering business continuity, we can’t just look at our own operations.  The vulnerabilities of other organizations can certainly impact us, so examining supply chain vulnerabilities is wise.  As for information security, we have seen plenty of internal and external cybersecurity issues to justify that.  Although a bit late, I’m glad the NFPA is keeping up with technology and current trends and hazards.  They have also rewritten much of the business impact analysis section (within Chapter 5) to address continuity planning and recovery planning, with a specific differentiation between the two.

Lastly, they have added Annex C, a small business preparedness guide (good move NFPA!), and have added material on addressing the needs of persons with access and functional needs, as well as adding some information on the role of social media in crisis communications plans.

These are all positive changes for the NFPA 1600 standard.  I encourage everyone who is part of an emergency management program to take a look at it and see what it has to offer.  It’s good guidance and will probably provide some good ideas for helping you grow and maintain an impactful program.

For those interested, I have a couple of past articles on standards in emergency management:

Standards in Emergency Management Programs

Business Continuity and Emergency Management Standards and Requirements

 

© 2016 – Timothy Riecker

Emergency Preparedness Solutions, LLCWe are your Partner in Preparedness!

Don’t Just Take It From Me – There are Issues with ICS Training

Tim Riecker, The Contrarian Emergency Manager Leave a comment

The February 2016 edition of the Domestic Preparedness Journal highlighted, among other things, some concerns with ICS training in the United States.  First off, if you aren’t subscribed to the DPJ, you should be.  It’s free and they offer good content, with few extraneous emails beyond the journals.  Check them out at www.domesticpreparedness.com.

The specific article in this issue I’m referencing is Incident Command System: Perishable if Not Practiced, by Stephen Grainer. Mr. Grainer is the Chief of Incident Management Systems for the Virginia Department of Fire Programs.  Steve has a significant depth in ICS and understands all the nuances of preparedness and application.  I first met him when serving on the national NIMS steering committee with him several years back.

The title of the article is a bit deceptive – it’s not just focused on the issue of the training being perishable.  Right up front, Mr. Grainer, who is a longtime supporter and advocate of ICS, outlines a few shortcomings and constraints related to the application of ICS and ICS training.  He states that “little attention has been given to developing the students’ ability to recognize an evolving situation in which more formalized implementation of the ICS should be undertaken”.  This underscores one of my main points on the failings of the ICS curriculum.  We teach people all about what ICS is, but very little of how to use it.

After giving a few case studies that reflect on the shortcomings he highlighted, Mr. Grainer expresses his support for continued training, refresher training (something not currently required), and opportunities to apply ICS in ways that public safety and emergency management don’t do on a regular basis.  He summarizes by stating that not only does training need to continue to address succession and bench depth, but also the need to address how to maintain competencies and address misunderstandings in NIMS/ICS.

Yes, training does need to continue, but it must be the RIGHT training!  We continue doing a disservice by promoting the current ICS courses which fall well short of what needs to be accomplished.  Mr. Grainer’s mention of the need for our training to address better implementation of ICS, particularly beyond the routine, is perhaps a bit understated, but nonetheless present.  Refresher training also needs to be incorporated into a new curriculum, as these skills are absolutely perishable – particularly the aspects of ICS typically reserved for more complex incidents.

In the event you aren’t familiar with my earlier posts on ICS and my crusade for a better curriculum, check out these posts.  As I’ve said before, this isn’t a pick-up kickball game… this is public safety.  We can do better.

Shameless plug:  Assessments, Planning, Training, Exercises.  Emergency Preparedness Solutions does it all.  Contact us to find out how our experience can benefit your jurisdiction’s or organization’s emergency and disaster preparedness.  We are your partner in preparedness.  www.epsllc.biz.

© 2016 – Timothy Riecker

Emergency Preparedness Solutions, LLC

FBI vs Apple – iPhone Security

Tim Riecker, The Contrarian Emergency Manager Leave a comment

The struggle over encryption and device security continues.  This time it’s more visceral, representing the most relevant case on the side of criminal justice yet.  In the wake of the San Bernardino shooting, the FBI is seeking to gain access to an iPhone discovered in the vehicle where the shooters made their last stand with law enforcement.  The FBI is hoping to find additional evidence on this phone – phone records, emails, texts, etc. that might lead them to information on other conspirators of the attack, other potential targets and attackers, and anything else that might lead to prosecuting those involved in this attack or stopping future attacks.  Gaining access to this information is obviously extremely important.

The problem – the phone is locked with a passcode, and the FBI doesn’t know what that code is. While trial and error is certainly a viable methodology, Apple’s architecture limits passwords attempts to 10.  Once the tenth attempt fails, the iPhone will go into a sort of self-destruct, wiping all data from the device.  The FBI needs help, and they are seeking it from Apple.  Apple declined requests and is now being compelled by a federal judge who ordered Apple to assist the FBI in gaining access to the phone.  Apple is fighting the order – but why?

First of all, Apple states there is no ‘back door’ into their system that will allow them to bypass a security code.  On principal, they decided not to create one since if it exists, it can be exploited.  Based upon this, the FBI has requested that Apple at least disable the 10 attempt fail safe in the iOS programming, allowing the FBI to press on with many more attempts to crack the code.  Apple continues to refuse, again citing the potential for someone with criminal intent exploiting this.  Essentially, Apple feels they are protecting their customers from criminal acts and loss of personal information.  The CEO of Google recently voiced support for Apple’s stand.

This debate poses two strong arguments, each pulling at our values.  On one side, we need to support the efforts of law enforcement to prevent, protect, and prosecute.  The evidence gathered from a situation such as this can potentially lead to finding co-conspirators in these horrible shootings, and can potentially stop other crimes from occurring.

On the other side, there is also concern over preventing future criminal activity by those who would steal information.  Keeping in mind that what we have on our phones is not only a browsing history and Disney World selfies, but also private information such as bank accounts, and even access to business information; the theft of which can be devastating to individuals and entire organizations.

There are valid arguments on both sides, and consequences to action and inaction all around, with implications much broader than this one case.  I’m interested in seeing how this shakes out.

What are your thoughts?

© 2016 – Timothy Riecker

ICS: Who doesn’t need it?

Tim Riecker, The Contrarian Emergency Manager 16 Comments

In a recent discussion thread, someone shared some material for a new program that promotes resiliency for disaster housing.  While the intent of the program is good, there was one thing that struck me – it stated that it was based on the incident command system (ICS).  My question – why?

ICS is a great system.  It’s proven to be effective WHEN APPLIED PROPERLY.  That’s the catch, though, isn’t it?  A great many after action reports (AARs) identify areas for improvement relative to various facets of ICS after incidents, events, and exercises.  The organizations that the AARs are usually focused on are professional response organizations – fire, police, EMS, public works, public health, emergency management, etc.  These are organizations that generally get LOTS OF PRACTICE in applying ICS.  So what’s the problem?

The problem is that most organizations that do use ICS don’t get enough practice in applying ICS beyond smaller incidents.  So if responders, who are using ICS, have difficulty with expanded application despite some practice and more advanced training, how are organizations who don’t use it all expected to be able to remember it much less apply it properly on even the most basic of incidents?  (More on my issues with ICS training here, in case you’ve missed posts over the last year or so.)

So back to the main topic of this post – who doesn’t need ICS training?  I would suggest that those persons and organizations that don’t fit the broad definition of responders DON’T NEED IT.  While this may be blasphemous to some, consider the time and effort wasted on getting people trained to understand ICS who will NEVER USE IT.  “But what if they do need it?” you ask?

I’m challenged to really find that need.  Why does the management of an apartment complex need to know or understand ICS?  I find the thought of that foolish and wasteful.  Sure, they can be a partner in disaster preparedness, response, and recovery.  Does that make them a responder?  No. Will they become part of the ICS organization?  NO!  Is there any reason why they would need to use ICS to manage their own organization?  NO!!! They manage their organization every day through what should be a very effective model for them.  Why the hell do we want to change that?  We need to stop pushing our complex shit on other people who don’t need it.

I’m of two thoughts on this… One, there are people who are so gung-ho over including everyone under the sun into emergency management that they feel compelled to bring them into the profession.  News flash people – if they wanted to be emergency managers, they would.  There is no practical reason for them to be trained in the vast complexities of emergency management.  Two, there are people who don’t really understand the applications of emergency management themselves, and therefore try to make adaptations of the system for every variety of stakeholder out there.  This is something I’ve struggled with very often as people try to adapt ICS to their organization and, in doing so, change the foundational principles of ICS (span of control, terminology, organizational structure, etc.).  Further, every organization thinks they have an INCIDENT COMMANDER.  STOP!!!

ICS is not for everyone.  I’m not being elitist or exclusionary, I’m being practical.  That’s not to say that certain stakeholders shouldn’t at least be familiar with what it is, but still not every stakeholder or partner, and they certainly don’t need to know how to actually apply it.  For many, simply having a point of contact with certain departments or through the 911 center is enough.  Certainly if some have an interest in it they can ask, or take a class either in person or online.  (I would never withhold a training opportunity from anyone.)  This should certainly give them enough to satisfy their curiosity.

Along with my crusade to make better ICS training for responders (even non-traditional ones), I would suggest that we need to do a better job of advising other organizations about how they interact with the system.  Simply throwing ICS training at them DOESN’T WORK.  It creates false expectations and generates more confusion.

So please, fire away with your thoughts.  Who do you think shouldn’t have ICS training?  What would you change about the current ICS training model/requirements? 

Shameless plug time: Need ICS training or training in other areas of emergency management?  How about meaningful and practical emergency plans you can actually implement?  Exercises to test those plans and give staff an opportunity to practice implementing plans?  Emergency Preparedness Solutions can help!  Link to info below!

© 2016 – Timothy Riecker

Emergency Preparedness Solutions, LLC

Emergency Management: Coordinating a System of Systems

Tim Riecker, The Contrarian Emergency Manager 1 Comment

Emergency management, by nature, is at the nexus of a number of other practices and professions, focusing them on solving the problems of emergencies and disasters.  It’s like a Venn diagram, with many entities, including emergency management, having some overlapping interests and responsibilities, but each of them having an overlap in the center of the diagram, the place where coordination of emergency management resides. That’s what makes the profession of emergency management fairly complex – we are not only addressing needs inherent in our own profession, we are often times doing it through the application of the capabilities of others.  It’s like being the conductor of an orchestra or a show runner for a television show. It doesn’t necessarily put emergency management ‘in charge’, but they do become the coordination point for the capabilities needed.

Presentation1

 

This high degree of coordination depends on the functioning and often integration of a variety of systems.  What is a ‘system’?  Merriam-Webster offers that a system is a “regularly interacting or interdependent group of items forming a unified whole.”  Each agency and organization that participates in emergency management has its own systems.  I’d suggest that these broadly include policies, plans, procedures, and the people and technologies that facilitate them – and not just in response, but across all phases or mission areas.  Like the Venn diagram, many of these systems interact to (hopefully) facilitate emergency management.

There are systems we have in many nations that are used to facilitate components of emergency management, such as the National Incident Management System (NIMS), the Incident Command System (ICS) (or other incident management systems), and Multi-Agency Coordination Systems (MACS).  These systems have broad reach, working to provide some standardization and common ground through which we can manage incidents by coordinating multiple organizations and each of their systems.  As you can find indicated in the NIMS doctrine, though, NIMS (and the other systems mentioned) is not a plan.  While NIMS provides us with an operational model and some guidance, we need plans.

Emergency Operations Plans (EOPs) help us accomplish a coordination of systems for response, particularly when written to encompass all agencies and organizations, all hazards, and all capabilities.  Likewise, Hazard Mitigation Plans do the same for mitigation activities and priorities.  Many jurisdictions have smartly written disaster recovery plans to address matters post-response.  We also have training and exercise plans which help address some preparedness measures (although generally not well enough).  While each of these plans helps to coordinate a number of systems, themselves becoming systems of systems, we are still left with several plans which also need to be coordinated as we know from experience that the lines between these activities are, at best, grey and fuzzy (and not in the cuddly kitten kind of way).

The best approach to coordinating each of these plans is to create a higher level plan.  This would be a comprehensive emergency management plan (CEMP).  Those of you from New York State (and other areas) are familiar with this concept as it is required by law.  However, I’ve come to realize that how the law is often implemented simply doesn’t work. Most CEMPs I’ve seen try to create an operational plan (i.e. an EOP) within the CEMP, and do very little to actually address or coordinate other planning areas, such as the hazard mitigation plan, recovery plans, or preparedness plans.

To be successful, we MUST have each of those component plans in place to address the needs they set out to do so.  Otherwise, we simply don’t have plans that are implementation-ready at an operational level.  Still, there is a synchronicity that must be accomplished between these plans (for those of you who have experienced the awkward transition between response and recovery, you know why).  The CEMP should serve as an umbrella plan, identifying and coordinating the goals, capabilities, and resources of each of the component plans.  While a CEMP is generally not operational, it does help identify, mostly from a policy perspective, what planning components must come into play and when and how they interrelate to each other.  A CEMP should be the plan that all others are built from.

Presentation2

I’m curious about how many follow this model and the success (or difficulty) you have found with it.

As always, if you are looking for an experienced consulting firm to assist in preparing plans or any other preparedness activities, Emergency Preparedness Solutions is here to help!

© 2016 – Timothy Riecker

Emergency Preparedness Solutions, LLC

Continuity of Government – Preservation of Records and Data

Tim Riecker, The Contrarian Emergency Manager Leave a comment

A common but often low priority issue in emergency management is the loss of physical records and electronic data from a disaster.  To be honest, I ignored the issue for much of my career.  It wasn’t until working on a contract in the northeast and meeting with a lot of local governments did my eyes really open to the importance of the issue.  While this article focuses on preservation of records for governments, it can certainly apply to businesses, not for profits, and even individuals.

Many of the local governments we interfaced with on a completely unrelated contract, were talking about their experiences with Tropical Storm Irene.  Town officials told of their efforts hauling boxes of town records either to a higher floor of town offices or removing them offsite, with water to their knees or even waist high.  Needless to say, many records were lost.

While some of these offices were in known floodplains, others simply suffered from an extraordinary event and the fault of a place where we commonly store things – the basement.  Towns (and other municipal offices) often store physical copies of tax maps and records, property deeds, permits, flood insurance information (ironic, isn’t it?), human resources data for town employees, town financial records, court records, birth certificates, death certificates, marriage certificates, divorce certificates, and other information.  The loss of this information can have an impact, not only historically, but also on current government operations.

Continuity of government and continuity of operations plans should identify those records which are most important.  These are called vital records.  Vital records should have the highest degree of protection.  The National Archives offers some guidance on the protection of vital records.  While the guidance applies to federal agencies, there is still plenty of valuable information which can be applied to other organizations.

Every municipality should examine records storage as part of their continuity of operations and continuity of government planning.  It’s not to say that records can’t be stored in the basement of a building, but mitigation efforts must be made to flood proof the building as much as possible, including water alarms and sump pumps connected to emergency power systems.  Paper and water don’t mix – so get your records off the floor and consider waterproof storage solutions.  Ventilation is also important to prevent molding.

If mitigation is too costly, then you need to consider relocating the records.  Regardless of where your records are, you should have a component of your continuity of operations plan that addresses emergency relocation of records – when, how, to where, and who.  Digital storage is obviously a great solution.  Some towns I spoke with had decided after the storm to scan their records.  Catching up to a hundred plus years of records can be pretty time consuming and practically unsurmountable for most municipal offices.  This is a service that can be hired out.  Be sure to follow sound data protection standards for both storage and access to ensure the continuity of these records.

In the event that records do get wet, all is not necessarily lost.  The Preservation Directorate of the US Library of Congress has a lot of information on preservation of records, including a variety of resources and training opportunities.  There are also companies that specialize in document preservation and recovery after a disaster.  While it’s probably a good idea to identify who you might reach out to in the event of such a loss, know that this is expensive and it’s generally far more cost effective to mitigate against the risk.

Need assistance with government continuity or continuity of operations planning?  EPS can help!  consultants@epsllc.biz.

© 2016 – Timothy Riecker

Emergency Preparedness Solutions, LLC

Emergency Management – Who Knows About Your Plans?

Tim Riecker, The Contrarian Emergency Manager 1 Comment

In emergency management and homeland security we put a lot of emphasis on planning.  Plans are important, afterall.  We need to take the time to identify what our likely hazards are and how we will address them.  But what happens when the plan is complete?  We congratulate members of the planning team and send them final copies.  Those copies get filed electronically or end up on a shelf, a trophy of our accomplishment and hard work.  Congratulations!

So… that’s it?  Is that all?

NO!  Of course not!  People need to be trained to the plan.  “Trained?” you ask.  Yes – trained.  Not just sent a copy and told to review it.  Let’s be honest, here.  Even assuming the highest degree of dedication and professionalism, many people simply won’t give it the time and attention it needs.  Very quickly the plan will get buried on their desks or the email will become one of dozens or hundreds in the inbox.  Even if they do give it a look through, most will only give a quick pass through the pages between meetings (or during a meeting!), not giving much attention to the details in the plan.

How effective do you expect people to be?

Sports analogy – when a coach creates new plays, do they simply give them to the players to become familiar with and expect proficiency?  No.  Of course not.  We’re all familiar with the classic, if not cliché, setting of the coach reviewing plays on a chalk board with the players in a locker room.  That’s training.  Then after that training, they go out in the field and practice the plays.

Back to our reality… The first real step of making people familiar with the plan is to review it with them.  This usually doesn’t need to be a sleep inducing line-for-line review of the plan (unless it is a detailed procedure), but a review of the concepts and key roles and responsibilities.  In fact, that’s who you invite to the training – those who are identified in the plan.  This is likely to include people in your own agency as well as people in other agencies (emergency management, after all, is a collaborative effort).  In states with strong county governments, we often see county-level emergency management offices creating plans that dictate or describe the activities of local governments and departments.  Most often, the local departments have no awareness of these plans, much less receive any training on them.  I’m guessing that plan won’t work.

Once you’ve trained these key stakeholders, be sure to conduct exercises on various aspects of the plan.  Exercises serve not only to validate plans, but to also help further familiarize stakeholders with the plan, their roles, and expectations of others.  When we plan, we tend to make many assumptions which exercises help to work through.  Through exercising we also identify other needs we may have.

Need help with planning? Training? Exercises?  EPS can do it!  Link below.

© 2016 – Timothy Riecker

Emergency Preparedness Solutions, LLC 

 

Updating ICS Training: Identification of Core Competencies

Tim Riecker, The Contrarian Emergency Manager Leave a comment

The crusade continues.  ICS training still sucks.  Let’s get enough attention on the subject to get it changed and make it more effective.

If you are a new reader of my blog, or you happened to miss it, check out this post from last June which should give you some context: Incident Command System Training Sucks.

As mentioned in earlier posts on the topic, the ICS-100 and ICS-200 courses are largely OK as they current exist.  Although they could benefit from a bit of refinement, they accomplish their intent.  The ICS-300 course is where we rapidly fall apart, though.  Much of the ICS-300 is focused on the PLANNING PROCESS, which is extremely important (I’ve worked a lot as an ICS Planning Section Chief), however, there is knowledge that course participants (chief and supervisor level responders) need to know well before diving into the planning process.

First responders and other associated emergency management partners do a great job EVERY DAY of successfully responding to and resolving incidents.  The vast majority of these incidents are fairly routine and of short duration.  In NIMS lingo we refer to these as Type IV and Type V incidents.  The lack of complexity doesn’t require a large organization, and most of that organization is dedicated to getting the job done (operations).  More complex incidents – those that take longer to resolve (perhaps days) and require a lot more resources, often ones we usually don’t deal with regularly – are referred to as Type III incidents.  Type III incidents, such as regional flooding or most tornados, are localized disasters.  I like to think of Type III incidents as GATEWAY INCIDENTS.  Certainly far more complex than the average motor vehicle accident, yet not hurricane-level.  The knowledge, skills, and abilities applied in a Type III, however, can be directly applied to Type II and Type I incidents (the big ones).

It’s not to say that what is done in a car accident, conceptually, isn’t done for a hurricane, but there is so much more to address.  While the planning process certainly facilitates a proactive and ongoing management of the incident, there are other things to first be applied.  With all that said, in any re-writing and restructuring of the ICS curriculum, we need to consider what the CORE COMPETENCIES of incident management are.

What are core competencies?  One of the most comprehensive descriptions I found of core competencies comes from the University of Nebraska – Lincoln, which I summarized below.  While their description is largely for a standing organization (theirs), these concepts easily apply to an ad-hoc organization such as those we establish for incident management.

Competency: The combination of observable and measurable knowledge, skills, abilities and personal attributes that contribute to enhanced employee performance and ultimately result in organizational success. To understand competencies, it is important to define the various components of competencies.

  • Knowledge is the cognizance of facts, truths and principles gained from formal training and/or experience. Application and sharing of one’s knowledge base is critical to individual and organizational success.
  • A skill is a developed proficiency or dexterity in mental operations or physical processes that is often acquired through specialized training; the execution of these skills results in successful performance.
  • Ability is the power or aptitude to perform physical or mental activities that are often affiliated with a particular profession or trade such as computer programming, plumbing, calculus, and so forth. Although organizations may be adept at measuring results, skills and knowledge regarding one’s performance, they are often remiss in recognizing employees’ abilities or aptitudes, especially those outside of the traditional job design.

When utilizing competencies, it is important to keep the following in mind:

  • Competencies do not establish baseline performance levels
  • Competencies support and facilitate an organization’s mission 
  • Competencies reflect the organization’s strategy; that is, they are aligned to short- and long-term missions and goals.
  • Competencies focus on how results are achieved rather than merely the end result. 
  • Competencies close skill gaps within the organization.
  • Competency data can be used for employee development, compensation, promotion, training and new hire selection decisions.

So what are the CORE COMPETENCIES OF INCIDENT MANAGEMENT?  What are the knowledge, skills, and abilities (KSAs) that drive organizational success in managing and resolving an incident?  Particularly for this application, we need to focus on WHAT CAN BE TRAINED.  I would offer that knowledge can be imparted through training, and skills can be learned and honed through training and exercises; but abilities are innate, therefore we can’t weigh them too heavily when considering core competencies for training purposes.

All in all, the current ICS curriculum, although in need of severe restructuring, seems to cover the knowledge component pretty well – at least in terms of ICS ‘doctrine’.  More knowledge needs to be imparted, however, in areas that are tangential to the ICS doctrine, such as emergency management systems, management of people in the midst of chaos, and other topics.  The application of knowledge is where skill comes in. That is where we see a significant shortfall in the current ICS curriculum.  We need to introduce more SCENARIO-BASED LEARNING to really impart skill-based competencies and get participants functioning at the appropriate level of Bloom’s Taxonomy.

Aside from the key concepts of ICS (span of control, transfer of command, etc.), what core competencies do you feel need to be trained to for the average management/supervisor level responder (not an IMT member)?  What knowledge and skills do you feel they need to gain from training?  What do we need a new ICS curriculum to address?

(hint: this is the interactive part!  Feedback and comments welcome!)

As always, thanks to my fellow crusaders for reading.

© 2016 – Timothy Riecker

Emergency Preparedness Solutions, LLC