2016 National Preparedness Report Released

The fifth National Preparedness Report has been released by FEMA.  The National Preparedness Report is based upon, as the report states, input of more than 450 data sources and 190 stakeholders, including 66 non-federal organizations (which would account for state preparedness report submissions and information from Urban Area Security Initiative regions).  The report is intended as a summary of where the nation stands in regard to each of the 32 Core Capabilities outlined in the National Preparedness Goal.

As mentioned, this is the fifth National Preparedness Report to hit the streets.  While they have some value and demonstrate that the data collection that is done is actually collated, I feel that through the years they are offering less meat and more potatoes.  I appreciate the highlighting of best practices for each mission area, but, to me, there is a missed opportunity if a report is simply providing data and not recommendations.  While it’s understood that the goal of the National Preparedness Report is not to provide recommendations (it would also take longer to publish the report, and the people pulling the data together do not likely have the expertise to create recommendations), I’d like to see FEMA (and stakeholders) have follow up efforts to provide recommendations in each mission area and not miss this valuable opportunity to then apply the findings and look forward.

Below, I’ve included their overall findings with a bit of my own commentary.  Overall, I will say that there is nothing eye opening in this report for anyone who pays attention.  It’s pretty easy to guess those Core Capabilities which are at the top and those which are at the bottom.

  • Planning; Public Health, Healthcare, and Emergency Medical Services; and Risk and Disaster Resilience Assessment are the three Core Capabilities in which the Nation has developed acceptable levels of performance for critical tasks, but that face performance declines if not maintained and updated to address emerging challenges.
    • My commentary: BULLSHIT.  If these Core Capabilities are at ‘acceptable levels’, then our standards must be pretty low.  Planning is the one that disturbs me most.  We continue to see plenty of poor plans that are not realistic, can’t be operationalized, and are created to meet requirements (which are typically met by formatting and buzzwords).  Have we improved?  Sure.  But I wouldn’t say we are at ‘acceptable levels’.  As for Public Health, Healthcare, and Emergency Medical Services, we are struggling in certain areas to simply keep our heads above water.  While we are fairly solid in some areas of public health, one only needs to look at the Ebola incident to view how fragile our state of readiness is.  The findings for Planning and Public Health, to me, are nothing but shameful pandering and we need to get realistic about where we are at and the challenges we face.  Gold stars won’t stand up to the next disaster.  As for Risk and Disaster Resilience Assessment I have admittedly less experience personally.  I do know that we have some pretty incredible tools available that can help us determine impacts of various hazards for any given area under a variety of conditions, which is an amazing application of technology.  My concerns here are that there are still many who don’t know about these tools, don’t use them, and/or don’t follow the findings of information from these tools in their hazard mitigation actions.
  • Cybersecurity, Economic Recovery, Housing, and Infrastructure Systems remain national areas for improvement. Two additional Core Capabilities – Natural and Cultural Resources, and Supply Chain Integrity and Security – emerged as new national areas for improvement.
    • My commentary: NO KIDDING. While we have made a great deal of progress on Cybersecurity, we are still far behind the criminal element in most respects.  It also needs to be fully recognized in the National Preparedness Goal that Cybersecurity is a Core Capability common to all five mission areas.  Economic Recovery will always be a challenge, as every community impacted by an incident has a certain way it heals, essentially along the lines of Maslow’s Hierarchy.  A strong local economy is important to this healing, ensuring that the community has access to the resources it needs to rebuild and a return to normalcy.  While I’m sure studies have been done, we need to examine more closely how the economic recovery process evolves after a disaster to identify how it can be best supported.  Housing is the absolutely most challenging Core Capability in the National Preparedness Goal.  While I don’t have a solution for this, I do know that our current approaches, philosophies, and ways of thinking haven’t moved us an inch toward the finish line on this one.  We need to change our current way of thinking to be successful.  As for Infrastructure Systems, I could go on for days about this.  I’ve written previously, several times, (as have many others) on the critically fragile state of our infrastructure.  It’s no big secret.
  • States and territories continue to be more prepared to achieve their targets for Response Core Capabilities, while they are least prepared to meet their targets in the Recovery Mission Area.
    • This is another NO KIDDING. While we must always have a greater focus on Response, as that’s where lives are saved and the immediate danger is addressed, we can’t lose sight of Recovery.  Some recovery activities are more clear cut than others, and FEMA often muddies the waters more by inadvertently intimidating state and local governments when it comes to disaster recovery, as the focus becomes centered more on reimbursable activities vs doing what needs to be done.  The report included some interesting findings (take a look in the Recovery Mission Area drop down on the web site) on ‘mixed trends in exercising recovery capabilities’.  Again, this is nothing earth shattering, but it’s nice to see the matter addressed.  Yes, we clearly need to exercise Recovery Mission Area Core Capabilities better and more often.

These reports are always worth looking through, even though much of the information is generally known by those of us in the profession.  There are always little nuggets of learning available, and data from the report may be used to support your own endeavors for additional funding or resources for your own program.

As always, I’m interested in your insights and thoughts on this post and the National Preparedness Report.

© 2016 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC – Your Partner in Preparedness

 

Exercising the Recovery Mission Area

It doesn’t happen often, but when it does, I get pretty excited about it – I got a blog request!  Last week, Darin, a LinkedIn connection, messaged me with a request to post my thoughts on exercising the recovery phase (or mission area) of emergency management.  His idea, as he expressed it to me, came from discussion at a Public Health Preparedness conference he was attending, where they were discussing ESF 8 (Public Health and Medical Services) continuity of operations and recovery exercises.  Challenge accepted!

When it comes to Recovery exercises, my first thought is that they are horribly underutilized.  We conduct a lot of exercises in the Response mission area, but it’s a rare occasion that we even mention Recovery.  The reasoning here is pretty easy – Response is sexy.  It’s the lights and sirens, saving lives, put out the fire, pull people from the wreckage kind of stuff that makes a big impact.  Recovery is often viewed as slow, tedious, bureaucratic, engineering kind of stuff.  Well… yeah… but there is a lot more to it.  Since when we plan exercises, one of the first things we do is to identify what Core Capabilities will be tested, let’s look at the Core Capabilities of the Recovery Mission Area.  Within each, I’ll mention some ideas you can incorporate into exercises.

The Big Three – Planning, Operational Coordination, and Public Information and Warning.  These Core Capabilities are found in every mission area and are sometimes applied differently.

  • Planning – Yeah, we should have recovery plans. I would argue that we have entered the recovery phase when all or most of the first two incident management priorities have been addressed – Life Safety and Incident Stabilization.  Sometimes these are resolved quickly, sometimes they take some time.  There are some fairly complex issues to be addressed in the recovery phase (many of which we will identify through the Core Capabilities), and we don’t do them often, therefore we should most certainly plan for them.  Remember, we exercise plans and capabilities – therefore our plans (and policies and procedures) are a significant focus when it comes to Recovery exercises.    This Core Capability is where continuity of operations plans will also fall.  Can your organization survive the lasting impacts of a disaster?
  • Operational Coordination – Recovery activities often involve organizations that had little to no activity during the Response phase. Most of these organizations are non-traditional responders who don’t usually operate under more strict command and control models, such as ICS, but in the Recovery phase of a disaster, I certainly advocate that they do.  Many of these agencies, typically the human services types of organizations, are very good at coordination and cooperation, as their daily priorities dictate that working with others is how needs are addressed.  The big challenge we often see here, though, is the introduction of some other organizations – typically those with regulatory responsibilities.  Regulation usually requires bureaucracy.  Bureaucracy usually requires time – lots of time – especially when exceptions are requested.  It’s really important to consider all stakeholders when planning an exercise to ensure that you get a chance to see how they interact, what the information flow and chain of authority looks like, what benefits they bring, and how they can work together in a timely fashion for the common good.
  • Public Information and Warning – We often take for granted the role of public information and warning in the Recovery phase. There are many benefits to keeping external stakeholders informed of what’s going on during Recovery.  Consider elected officials, business and industry, and special interest groups, along with the general public.  Your PIO and possibly your JIC should be just as involved in Recovery phase exercises as they are in those for the Response phase.

Aside from the ‘big three’, the Recovery mission area shares a Core Capability with the Response mission area – Infrastructure Systems.  Long-term restoration and rebuilding of infrastructure can lead to lengthy discussions in a Recovery-focused workshop or tabletop exercise.  What are the priorities for rebuilding?  Who will do it?  How will it be funded?  What are the completion timelines?  Will it be rebuilt the same or differently?  What are the impacts of doing it differently?  Who is impacted by this?  What do we do while we are waiting for it to be rebuilt?  Who makes decisions?  All important things to consider.

The first unique Core Capability in the Recovery mission area is Economic Recovery.  I was recently asked to present at a conference for a niche professional association comprised of professionals found in government, private sector, and non-profits.  While we will be covering topics in Hazard Mitigation and Preparedness, the biggest focus will fall within Economic Recovery.  Economic Recovery involves businesses reopening and people getting back to work to serve customers, make money, and become customers themselves.  After a disaster, it is absolutely vital for a community to get back on its feet, and the center of that is the local economy.  While many disaster impacts may be a relative drop in the bucket for larger companies, smaller businesses may have a hard time recovering – the central pieces of this are infrastructure restoration (see previous paragraph) and cash flow.  The SBA, USDA, and even IRS have mechanisms to assist with cash flow issues.  And don’t forget insurance!  Bring these and other stakeholders to the table to discuss economic recovery.  Consider priorities and mechanisms that must be in place to meet needs to support these priorities.  Your local chamber of commerce and other business associations will certainly want to be part of these exercises.  Does your jurisdiction have a business operations center (BOC)?  If not, consider it.  If you do, exercise it!

Health and Social Services.  This is the heart of all matters related to ESF 8 (Public Health and Medical Services), which Darin mentioned.  While this Core Capability is an extension of the Response mission area Core Capability of Public Health, Healthcare, and Emergency Medical Services; it is also so much more.  ESF 8 activity after disasters can last months or even years, particularly with ongoing issues such as medical monitoring and psychological impacts.  Eventually many of these services are absorbed into the system of regular service providers, but for a time the circumstances of the disaster may require some special coordination or monitoring.  The coordination needed involves an amalgamation of organizations at all levels of government, not for profits, and the private sector.  This can involve ongoing coordination with insurance companies, general practitioners and specialists; and must address the needs of everyone fairly and consistently, regardless of any differences, including their own financial resources or insurance coverage.  Tracking data related to the care and services provided is often important, but consideration must be given to HIPAA and other privacy laws.  Exercises can benefit from scenarios, such as exposures to radiological, biological, or chemical sources, which will drive discussion on the types of services to be provided, who will provide them, at whose cost, and for how long.  Many of these discussions should include topics of how to avoid social stigmatization of clients, sharing information between organizations, and the full range of social services that individuals and families may require.

Housing is typically the hardest nut to crack in all of disaster recovery.  Relative to need, there is little government owned housing stock available.  What is available may require waiting lists and relocation to access.  While many home owners are insured, we know that it takes some time for home owners to receive payment from insurance companies, and insurance is rarely at 100% coverage for losses.  Those that don’t own their own homes are often left with the most dire situations.  While ‘FEMA trailers’ have provided some medium-term solutions, there are many issues to address.  I posit that plans at all levels are inadequate to address housing needs after a disaster.  If you have a plan, get a good exercise team to write a great scenario to test it.  If you don’t have a plan, conducting a workshop to identify and address major planning issues is the way to go.  A housing exercise is probably going to be one of the more eye opening yet depressing exercises you’ve ever done.

Lastly is the Core Capability of Natural and Cultural Resources, which focuses on the recovery of libraries and museums, documents and art, as well as helping to restore our own environment after a disaster.  Activities can range from restoring a historical landmark to major engineering projects to restore a wetland.  These activities can involve a great deal of technical expertise as well as regulation.  FEMA, the EPA, and the National Park Service are often big players in these types of activities.

As for what types of exercises to conduct, that’s largely dependent upon the status of your plans and if you have conducted exercises on these plans before.  I always suggest starting with discussion-based exercises.  We often forget about seminars, which are more about conveying information than obtaining feedback, but are still valuable for discussing initiatives and new plans.  Workshops not only support the planning process to develop plans, they can also serve to facilitate a detailed review of a plan in its final draft stages.  Most Recovery exercises I have experience with have been tabletop exercises, which use a scenario to provide context to discussion questions for a group of stakeholders.  This is a great way to exercise decision making and to talk through the key tasks associated with plans.  Disaster recovery involves a lot of policy-level decision making, which is ideal for a tabletop.

Operations-based exercises for disaster recovery are found much less often.  Drills can certainly be conducted to test focused aspects of plans and procedures.  Drills in Recovery can help identify strengths and weaknesses of our processes, both for ourselves and for those we are trying to serve.  Functional exercises are broader and more encompassing than drills.  Much can be gained from a Recovery mission area functional exercise, but make sure that it’s grounded in reality.  Most jurisdictions don’t have an EOC activated for Recovery mission area activities. If you don’t, don’t try to run an exercise within that environment.  Some functions, however, may be run, at least for a time, from some sort of operations/coordination center, such as a health operations center (HOC).  With a good scenario focusing on addressing longer-term issues in the aftermath of a response, they can be done successfully.  Be sure to develop a pretty solid ‘ground truth’, however, to support the exercise, as much of Recovery is dependent upon what was done in Response, so players will need this context.  With a bit more complication, a functional exercise could be run virtually, with people participating from their own regular work stations as they often do during Recovery operations.  Testing Recovery plans in full scale exercises is significantly challenging based on the array and type of activities.  Because of the focus of activities, continuity of operations plans are likely among the most suited for full scale Recovery mission area exercises.

I’m curious to hear about your experiences exercising Recovery mission area plans and capabilities.  What ideas do you have?  What best practices have you found?

As always, thanks for reading!


Course Review – RDPC Isolation and Quarantine

Last week I had the opportunity to take two courses sponsored by the Rural Domestic Preparedness Consortium (RDPC), MGT 433: Isolation and Quarantine for Rural Communities and PER 308: Rural Isolation and Quarantine for Public Health and Healthcare Professionals.  These courses together were completed in one day.

First came MGT 433.  This course covered a variety of topics associated with isolation and quarantine, including:

  • Case studies
  • Legal and ethical issues
  • Agencies and entities involved
  • Planning priorities
  • Resources

While the course is intended for rural audiences, which my home area generally is, the issues and considerations associated with isolation and quarantine are still largely the same for more densely populated areas.  While weaving through the various course topics, they mostly all related back to understanding the reasoning behind the use of isolation and/or quarantine as tools to limit the spread of certain communicable diseases and the planning and implementation associated with these activities.  The course did elevate my rather foundational knowledge of isolation and quarantine, and provided some great references for future application.

The second course, PER 308, didn’t really provide much more information than the previous course did, although it allowed an opportunity for a greater degree of analysis and discussion through a guided tabletop exercise.  The tabletop information from the participant manual was supplemented with several video segments which were produced with reasonable quality and help set the stage for many of the issues one would expect from dealing with an isolation/quarantine event.

Both courses were pretty solid, with only a few little tweaks or updates which I provided feedback on to the instructor.  As with most RDPC courses, those from larger agencies and more populated areas shouldn’t be dissuaded from participating – the foundational concepts they present are applicable to any area, rural or otherwise.

The instructor was very personable, professional, and knowledgeable of the course content.  While he didn’t have a public health background, which surprised me given the course topics, he clearly has a great cooperative public safety background.  I’ve found that the RDPC tends to prefer sending only one instructor to teach a course, along with an assistant to handle administrative matters.  While it’s certainly viable to handle the course alone, it’s challenging for both the instructor and the audience.

All in all, these are good courses, and I do recommend you keep a look out for them in your area.  Both courses are excellent for furthering your understanding of isolation and quarantine, when to use them, how to use them, and who to involve.  They are particularly good courses for public safety leadership and public health leadership and preparedness staff.


The NIMS Refresh – The Good, the Bad, and the Ugly

The current National Incident Management System (NIMS) doctrine document, dated December 2008, has guided NIMS for over seven years.  This iteration, as I recall, wasn’t much of a change from its predecessor (2004), with the most significant updates being some changes to the NIMS components and the inclusion of the concept and arrangement of the Intelligence function within ICS.  We now have a new draft NIMS document which has been posted for a national engagement period.  If you haven’t had a chance to review the document, it can be found here.

While I certainly intend on providing my comments directly to FEMA through their feedback mechanism (which I encourage you all to do), I wanted to provide a bit of an overview of the draft document to my readers, which of course will include some of my opinions on the changes they are proposing.  I remain a huge proponent of NIMS and fully believe in the positive impact it has had, although I have been quite outspoken (and will remain so) about the issues associated with ICS training.

In this NIMS refresh, as they are calling it, there are some significant changes to certain areas while largely maintaining the foundations of the system.  The significant changes include:

  • NIMS has consolidated its five components to three, dropping the components of Preparedness and Ongoing Management and Maintenance.
  • The introduction of the Center Management System (CMS) as part of the restructured Management and Coordination (formerly Command and Management) component
  • Incorporation of the NIMS Intelligence and Investigations Function Guidance

First off, the consolidation of the five NIMS components to three.  While I’m disappointed with the preparedness component being deemphasized, especially with so much preparedness work to always be done, I found many of the concepts of preparedness to be sprinkled throughout the document, including a nod to the National Preparedness Goal (NPG) in the introduction of the draft document.  The NPG should certainly be the guiding document of all preparedness efforts related to emergency management.  While there are some aspects that are NIMS-specific, I’m fairly confident they won’t get lost in the shuffle.  The withdrawal of the Ongoing Management and Maintenance component has similarly seen some of these activities being mentioned elsewhere in the document, although only a few of them, with some of the important elements simply not being apparent.

In my review of the document, I was pleased with the inclusion (albeit small) of the concept of Unity of Effort as a newly introduced guiding principle of NIMS.  Unity of Effort is a concept essential to the success of all components of emergency management and homeland security and certainly in incident management.  This is definitely a positive.

Credentialing – the first major component discussed in the document is Resource Management.  Within Resource Management is the concept of credentialing.  Despite an intent of the document being to emphasize that NIMS isn’t just about ICS, the narrative on credentialing essentially focuses only on credentialing through use of a position task book – which is generally only used for ICS positions.  While this is an important element of personnel qualifications, credentialing of personnel within ICS positions is not the only aspect of personnel qualifications.

Based upon the content of the NIMS Intelligence and Investigation function guidance published a few years ago, the NIMS refresh has officially decreed that the Intelligence and Investigations function will reside at the general staff level.  You might recall that the previous version of NIMS allowed for several options, including general staff, command staff, or imbedded within Planning or Operations.  While the flexibility of ICS is one of its greatest benefits, people didn’t seem comfortable with all those options.  It’s not to say those options still can’t be employed for incidents involving much smaller or potential criminal components, as the option of placing a technical specialist in any of those positions is still available.

Next up, the long awaited Center Management System (CMS).  To be honest, I’m not crazy about the name, and I’m not sure we need fully developed separate guidance on operations/coordination centers.  I feel that specific application of ICS concepts to an operations/coordination center should be kept simple and would be an addendum to the ICS portion of the NIMS document.  That said, the NIMS refresh has seen fit to include a whole section on the CMS as part of the revamped Management and Coordination component, so we’ll break down some of the highlights.  It’s important to note that the CMS is expected to be guidance and not a requirement.

While I can live with the introduction of a formal Center Management System, they have chosen to declare the title of the individual in charge of an operations/coordination center a Center Director.  If there is anything that I 100% disagree with in this document, it’s this title.  Let’s step back and look at the principles of ICS, which, thankfully, the CMS is largely based upon.  From our common organizational terminology, we know that those in charge of facilities (which an operations/coordination center is) are called managers, not directors.  Directors are found at the branch level.  It’s for this reason I have always been in favor of the Center Manager title and will continue to be.

A positive about the CMS narrative is the important mention of a policy group, as a MAC concept, as those providing advice or direction to the Center Director.  Not only is the policy group a reality in many jurisdictions, inclusion of this in the CMS is an excellent compromise to those systems which centered on a policy group and operations group as their EOC organization.

Within discussion of the CMS, the NIMS refresh identifies primary functions or reasons a center might activate.  While they are headed in the right direction, they need their explanations to be a bit more inclusive of other options.  They only make a minor mention of the possibility of an incident actually being run from an operations/coordination center, such as a public health incident, which could be a departmental operations center or some type of a multi-agency operations center.  I just think this needs to be shored up some.  It should also be mentioned that EOCs may take primary responsibility for actions that are decided to be outside the scope of incident command, which may desire to remain focused on incident suppression activities.  Activities such as sheltering/mass care, evacuation, or assessment and evaluation may be run out of an EOC instead of an ICP.

Now on to the CMS organization.  Along with the Center Director, the NIMS refresh has tried to make several other positions distinct from their ICS counterparts (although not all of them).  While I certainly acknowledge that the focus of an operations/coordination center is often different than that of an ICP, I see little reason to change the titles of some of these positions.  I think this has more potential to add to confusion rather than detract from it.  While the command staff (yes, still being called ‘command staff’) positions have remained the same, the following have been identified as the CMS general staff positions:

  • Strategic Operations Section
  • Intelligence/Investigations Section
  • Information and Planning Section
  • Resource and Center Logistics Section
  • Finance/Administration Section

As for some of the specific language within the sections, there are some positives.  Two particular ones are the inclusion of ‘future planning’ within the Information and Planning Section, and the acknowledgement that in most EOCs, the Logistics Section/Resource and Center Logistics Section tends to handle tracking of resources.

There is additional and expanded information on the CMS found in Appendix B.  These show some different organizational arrangements, particularly within the Information and Planning Section and the Resource and Center Logistics Section.  All in all, I think these proposed arrangements are practical and a reflection of reality in most operations/coordination centers.  Well done.

Lastly, Communications and Information Management has included mentions of different reports which may be required, including flash reports, status reports, and situation reports.  This is a good reflection of reality. They have also listed important considerations for elements of essential information (EEI) (I’d love to see this list added to a field operations guide!), which must be constantly monitored for the maintenance of situational awareness, and they have bolstered the incident information portion of this component.  All great positives!  Interesting to note that the term ‘common operating picture’ has been significantly de-emphasized.

After reviewing this document, I’m overall encouraged with the direction NIMS is taking, although I obviously have some reservations.  I’m confident that, over time, the kinks will shake out as they have done with other aspects of NIMS.  I’m looking forward to some of the other changes that will spin off of this central document, such as new planning guidance and training.

As always, I’m interested in your feedback on my ideas as well as your own reactions and analysis of the NIMS refresh.

Thanks for reading!


7 Emergency Management Priorities for the Next Administration

Heritage.org recently published a piece outlining the top four homeland security priorities for the next administration, which can be found here.  It’s a thought provoking article that certainly identifies some important issues.  In the same spirit, I’d like to offer what I think are the emergency management priorities for the next administration.

1) Support an Effective FEMA Organizational Model

The Heritage.org model pointed out several issues with the DHS organization that need to be addressed sooner rather than later.  I’d like to add some FEMA-specific items to their suggestions, regardless of if FEMA is kept within DHS or not (honestly, I think that ship has sailed and FEMA is there to stay).

In building a bit of background for this article, I took a look at FEMA’s current strategic plan, knowing that the document already identifies some of their priorities.  Within that list of priorities, they mention mission and program delivery, becoming an expeditionary organization, posturing and building capability for catastrophic disasters, and strengthening their organizational foundation.  To me, these four all directly relate to their organizational model.

Along with having a strong central administration of programs, FEMA needs to have agility in their program delivery.  This is best accomplished through the FEMA regional offices, which act as an extension of the ‘central administration’ by coordinating directly with states and neighboring regions to apply those programs in the best possible manner within the guidelines of the program.  While this is currently performed, it is not performed to the greatest extent possible.  John Fass Morton provides some great perspective on this approach in his book ‘Next-Generation Homeland Security’.  Info on the book can be found here.

2) Bolster Risk Reduction Programs

I write often about preparedness, as that has always been a focus of my career.  Risk reduction, however, is essential to eliminating or reducing the impacts of hazards on communities.  Risk reduction includes all aspects of hazard mitigation and resilience, which are ideally applied at the local level but supported by state and federal programs, policies, and resources.

While the National Weather Service has implemented and promoted the StormReady program, which encourages community resilience, the best program we have ever had in our field is Project Impact.  I’d love to see a revival of Project Impact (call it that or something else – I don’t really care), incorporating the concepts of StormReady as well as other best practices in risk reduction.  A big part of this program MUST be incentivization, especially access to funds that can be applied for in the present for hazard mitigation activities.

3) Build a Better Cybersecurity Program

This item was added to the list by a colleague of mine.  It’s also found on the Heritage.org list.  It must be pretty important, then.

Yes, there are a LOT of initiatives right now involving cybersecurity, but I think there can be more.  Jon, the same colleague who suggested this for my list, has also stated repeatedly that cybersecurity is really a Core Capability that cuts across all mission areas – Prevention, Protection, Response, Mitigation, and Recovery.  The recent update of the National Preparedness Goal suggests this, but sadly doesn’t commit.

What do we need in regard to cybersecurity?  First of all, we need to demystify it.  There are plenty of people out there who have just enough tech savvy to turn on their computer, send some email, and post to Facebook.  While that may work for them, they are likely intimidated by talk of cybersecurity, hackers, and the like.  We need to continue programs in plain speak that will help to inform the average consumer about how to protect themselves.

Better coordination with the private sector will pay off heavily when it comes to cybersecurity.  Not only is the private sector generally better at it, they also have a tendency to attract experts through better incentives than the government can offer, such as higher pay.  Cybersecurity also impacts everyone.  We’ve seen attacks on all types of systems.  The only way to stop a common enemy is to work together.  Let’s think of it as a virtual whole-community approach.

4) Prepare for Complex Coordinated Attack

Another of Jon’s suggestions.  While terrorism is often quickly shoved into the category of homeland security, there is a lot that emergency management can assist with.  These types of attacks (think Mumbai or Paris) have a significant impact on a community.  They require a multi-faceted approach to all mission areas – again, Prevention, Protection, Response, Mitigation, and Recovery.  While law enforcement is clearly a lead, they must be strongly supported by emergency management as part of a whole-community approach to be successful. Preparedness across all these mission areas must be defined and supported by federal programs.

5) Infrastructure Maintenance

We have roads, bridges, rail, pipes, and other infrastructure that MUST be maintained.  Maintenance (or replacement) will not only prevent failure of the infrastructure as a disaster itself, but will also make it more resilient to impacts from other disasters.  Yes, these are projects with huge price tags, but what alternative do we have?

6) Continuity of Existing Model Programs

There are few things more infuriating than a new administration wiping the slate clean of all predecessor programs to make room for their own.  While every administration is entitled to make their own mark, getting rid of what has been proven to work is not the way to do that.  Eliminating or replacing programs has a significant impact all the way down the line, from the federal program administrators, to the state program people, to the local emergency managers who are often understaffed and underfunded to begin with.

Changing gears is not as simple as using a different form tomorrow, it requires research and training on the new program and costs time to re-tool.  While I would never say there is nothing new under the emergency management sun, as I believe we are still innovating, I’m pretty skeptical of some new appointee walking into their job and making wholesale changes.  While improvements can certainly be made, summary execution of successful programs does no one any good.  Let’s not make change simply for the sake of change.

Related to this, I fully support the efforts of FEMA in the last few years to gain comprehensive input on changes to documents and doctrine through the formation of committees and public comment periods.  This approach works!

7) Pull Together Preparedness Programs

NIMS, HSEEP, NPG, THIRA, etc… While each of these programs has its own purpose and goals, more can be done to bring them together.  I’m not suggesting a merger of programs – that would simply make a huge mess.  What I’m suggesting is to find the connections between the programs, where one leads to another or informs another, and highlight those.  Things like better application of the Core Capabilities within HSEEP exercises to have a more effective evaluation of NIMS capabilities (I suggested this while being interviewed for a GAO report), or referencing the THIRA when building a multi-year training and exercise plan.  While some jurisdictions may already do this, these are best practices that should be embraced, promoted, and indoctrinated.  These links typically don’t add work, in fact they capitalize on work already done, allowing one project/program/process to be informed or supported by another, creating efficiencies and supporting a synchronization of efforts and outcomes.

There is my list of seven.  What are your thoughts on the list?  There are certainly plenty of other ideas out there.  If you had the ear of the next President, what would you suggest be their administration’s emergency management priorities?

© 2016 – Timothy Riecker

Emergency Preparedness Solutions, LLC: Your Partner in Preparedness

Don’t Just Take It From Me – There are Issues with ICS Training

The February 2016 edition of the Domestic Preparedness Journal highlighted, among other things, some concerns with ICS training in the United States.  First off, if you aren’t subscribed to the DPJ, you should be.  It’s free and they offer good content, with few extraneous emails beyond the journals.  Check them out at www.domesticpreparedness.com.

The specific article in this issue I’m referencing is Incident Command System: Perishable if Not Practiced, by Stephen Grainer. Mr. Grainer is the Chief of Incident Management Systems for the Virginia Department of Fire Programs.  Steve has a significant depth in ICS and understands all the nuances of preparedness and application.  I first met him when serving on the national NIMS steering committee with him several years back.

The title of the article is a bit deceptive – it’s not just focused on the issue of the training being perishable.  Right up front, Mr. Grainer, who is a longtime supporter and advocate of ICS, outlines a few shortcomings and constraints related to the application of ICS and ICS training.  He states that “little attention has been given to developing the students’ ability to recognize an evolving situation in which more formalized implementation of the ICS should be undertaken”.  This underscores one of my main points on the failings of the ICS curriculum.  We teach people all about what ICS is, but very little of how to use it.

After giving a few case studies that reflect on the shortcomings he highlighted, Mr. Grainer expresses his support for continued training, refresher training (something not currently required), and opportunities to apply ICS in ways that public safety and emergency management don’t do on a regular basis.  He summarizes by stating that not only does training need to continue to address succession and bench depth, but also the need to address how to maintain competencies and address misunderstandings in NIMS/ICS.

Yes, training does need to continue, but it must be the RIGHT training!  We continue doing a disservice by promoting the current ICS courses which fall well short of what needs to be accomplished.  Mr. Grainer’s mention of the need for our training to address better implementation of ICS, particularly beyond the routine, is perhaps a bit understated, but nonetheless present.  Refresher training also needs to be incorporated into a new curriculum, as these skills are absolutely perishable – particularly the aspects of ICS typically reserved for more complex incidents.

In the event you aren’t familiar with my earlier posts on ICS and my crusade for a better curriculum, check out these posts.  As I’ve said before, this isn’t a pick-up kickball game… this is public safety.  We can do better.

Shameless plug:  Assessments, Planning, Training, Exercises.  Emergency Preparedness Solutions does it all.  Contact us to find out how our experience can benefit your jurisdiction’s or organization’s emergency and disaster preparedness.  We are your partner in preparedness.  www.epsllc.biz.

© 2016 – Timothy Riecker

Emergency Preparedness Solutions, LLC

Adjustment of Public Assistance Cost Share per Capita

The following was provided in today’s FEMA Daily Digest Bulletin…

“Based on an increase of 0.8 percent in the Consumer Price Index for All Urban Consumers for the 12-month period that ended December 2015, FEMA adjusted the calendar year 2016 statewide per capita indicator for recommending a cost share adjustment for the public assistance program to $137.

FEMA will recommend an increase in the standard 75 percent federal cost share to not more than 90 percent of eligible costs when a disaster is so extraordinary that actual federal obligations under the Stafford Act, excluding administrative costs, meet or exceed $137 per capita of state population. This adjustment applies to all disasters declared on or after January 1, 2016 through December 31, 2016.”

It’s always interesting that there are ‘rules’, yet so much of the declaration process is political.

TR

Book Review – Failures of Imagination by Michael McCaul

Failures of Imagination: The Deadliest Threats to our Homeland – and how to Thwart Them by Michael McCaul.  A few months ago I put up a short post when I heard about this book coming out.  I speculated a bit on what I anticipated and fortunately those were good assumptions.

Michael McCaul is chairman of the House Homeland Security Committee.  Congressman McCaul (R-TX) has served with the US Department of Justice and was chief of Counterterrorism and National Security for the US Attorney’s Office in Texas.  Along with chairing the House Homeland Security Committee, he is also a member of the Committee on Foreign Affairs.  The background all contributes to some interesting insights and perspectives on the threats our nation faces.  Several of those threats have been presented to us in this book.

Failures of Imagination presents several scenarios including an attack on our seat of government, a radiological dispersion device (RDD), foreign influence on an election, a mass shooting in a public space, a cyberattack on finance and infrastructure, a bioterrorism attack, an airplane bombing, and an invasion by foreign powers.  Each scenario is introduced with what I will term a short story, followed by a fictionalized executive situation report, and concluded with a factual review of how the scenario is plausible.

The short stories that introduce each scenario are fairly compelling.  They read like any popular thriller novel, establishing two or three converging story lines with a brief bit of character development which quickly establish motive, plot, and execution.  The timelines are set anywhere from two to 10+ years from now.

With those scenarios set further in the future, I feel the author has taken some liberties assuming that little has changed in comparison to the current global politics and state of affairs, but that doesn’t bother me too much.  I expect that some readers might feel these fictionalized stories sensationalize the scenarios a bit.  While on the surface that is understandable, consider that the plots as they unfold in these stories may not be far from reality, and that the Congressman has discovered that a mix of fiction and non-fiction can help enhance the readers’ experience and sell more books.  Also consider that we often do the same thing when doing scenario-based planning, training, and exercises.

As a follow-on to each scenario’s short story, a mock executive-level situation report is provided which gives an overview of the impacts of each scenario as presented in the short story.   The basis of this is something we also do in many of our preparedness efforts as we try to gauge a realistic scope of impact.  The Congressman outlines in many of these not only the casualties, but broader impacts such as those to the economy, and takes some realistic stabs at longer term recovery matters.  These situation reports give a good perspective to the reader about the potential impacts of each scenario beyond the more narrow scope of the short story.

Lastly, McCaul provides some narrative on how each scenario presented is rooted in reality.  These summaries provide information on the current situation as it relates to each scenario, typically regarding the modus operandi of certain terrorist groups or state sponsors of terrorism, relationships these groups may have with each other across the globe, and weaknesses in our own security construct which may permit these groups to gain access to the US and do us harm.  While much of the information and recommendations provided by McCaul in these sections are factual, practical, and eye-opening, I have to admit that I was significantly turned off by several instances of what I can only call antagonistic political finger pointing.  While I don’t disagree with what the Congressman was saying about certain policies and actions of other elected officials which have influenced our ability to prevent, protect, and prepare for these types of attacks, the messages often came across as snarky and partisan – something I have little patience for, especially in this election cycle.

Failures of Imagination certainly delivered.  While the focus of this book is on threats to the US, I would suggest that the foundational issues identified can apply to most nations and are a good read for anyone in emergency management and homeland security.  The short stories included in each scenario feed our desire to be entertained and contribute to the book being a quick read.  While the scenarios overall don’t serve as much of a resource for emergency management planning, as many of these types of scenarios are already in use in our efforts, the book does provide some context for each scenario which could be referenced, especially in regard to impacts.  Of most importance are the recommendations which Congressman McCaul provides for each scenario.  Many of the recommendations indicate higher-level actions we as a government need to take to prevent, protect, and prepare for attacks of these types.  Increased awareness of these actions will hopefully lead to development, funding, and implementation.

© 2016 – Timothy Riecker

ICS: Who doesn’t need it?

In a recent discussion thread, someone shared some material for a new program that promotes resiliency for disaster housing.  While the intent of the program is good, there was one thing that struck me – it stated that it was based on the incident command system (ICS).  My question – why?

ICS is a great system.  It’s proven to be effective WHEN APPLIED PROPERLY.  That’s the catch, though, isn’t it?  A great many after action reports (AARs) identify areas for improvement relative to various facets of ICS after incidents, events, and exercises.  The organizations that the AARs are usually focused on are professional response organizations – fire, police, EMS, public works, public health, emergency management, etc.  These are organizations that generally get LOTS OF PRACTICE in applying ICS.  So what’s the problem?

The problem is that most organizations that do use ICS don’t get enough practice in applying ICS beyond smaller incidents.  So if responders, who are using ICS, have difficulty with expanded application despite some practice and more advanced training, how are organizations who don’t use it at all expected to be able to remember it, much less apply it properly on even the most basic of incidents?  (More on my issues with ICS training here, in case you’ve missed posts over the last year or so.)

So back to the main topic of this post – who doesn’t need ICS training?  I would suggest that those persons and organizations that don’t fit the broad definition of responders DON’T NEED IT.  While this may be blasphemous to some, consider the time and effort wasted on getting people trained to understand ICS who will NEVER USE IT.  “But what if they do need it?” you ask?

I’m challenged to really find that need.  Why does the management of an apartment complex need to know or understand ICS?  I find the thought of that foolish and wasteful.  Sure, they can be a partner in disaster preparedness, response, and recovery.  Does that make them a responder?  No. Will they become part of the ICS organization?  NO!  Is there any reason why they would need to use ICS to manage their own organization?  NO!!! They manage their organization every day through what should be a very effective model for them.  Why the hell do we want to change that?  We need to stop pushing our complex shit on other people who don’t need it.

I’m of two thoughts on this… One, there are people who are so gung-ho over including everyone under the sun into emergency management that they feel compelled to bring them into the profession.  News flash people – if they wanted to be emergency managers, they would.  There is no practical reason for them to be trained in the vast complexities of emergency management.  Two, there are people who don’t really understand the applications of emergency management themselves, and therefore try to make adaptations of the system for every variety of stakeholder out there.  This is something I’ve struggled with very often as people try to adapt ICS to their organization and, in doing so, change the foundational principles of ICS (span of control, terminology, organizational structure, etc.).  Further, every organization thinks they have an INCIDENT COMMANDER.  STOP!!!

ICS is not for everyone.  I’m not being elitist or exclusionary, I’m being practical.  That’s not to say that certain stakeholders shouldn’t at least be familiar with what it is, but still not every stakeholder or partner, and they certainly don’t need to know how to actually apply it.  For many, simply having a point of contact with certain departments or through the 911 center is enough.  Certainly if some have an interest in it they can ask, or take a class either in person or online.  (I would never withhold a training opportunity from anyone.)  This should certainly give them enough to satisfy their curiosity.

Along with my crusade to make better ICS training for responders (even non-traditional ones), I would suggest that we need to do a better job of advising other organizations about how they interact with the system.  Simply throwing ICS training at them DOESN’T WORK.  It creates false expectations and generates more confusion.

So please, fire away with your thoughts.  Who do you think shouldn’t have ICS training?  What would you change about the current ICS training model/requirements? 

Shameless plug time: Need ICS training or training in other areas of emergency management?  How about meaningful and practical emergency plans you can actually implement?  Exercises to test those plans and give staff an opportunity to practice implementing plans?  Emergency Preparedness Solutions can help!  Link to info below!

© 2016 – Timothy Riecker

Emergency Preparedness Solutions, LLC

Failed Attempts to Measure NIMS Compliance – How can we get it right?

Yesterday the US Government Accountability Office (GAO) released a report titled Federal Emergency Management Agency: Strengthening Regional Coordination Could Enhance Preparedness Efforts.  I’ve been waiting for a while for the release of this report as I am proud to have been interviewed for it as a subject matter expert.  It’s the second GAO report on emergency management I’ve been involved in through my career.

The end game of this report shows an emphasis for a stronger role of the FEMA regional offices.  The GAO came to this conclusion through two primary discussions, one on grants management, the other on assessing NIMS implementation efforts.  The discussion on how NIMS implementation has thus far been historically measured shows the failures of that system.

When the National Incident Management System (NIMS) was first created as a nation-wide standard in the US via President Bush’s Homeland Security Presidential Directive (HSPD) 5 in 2003, the NIMS Integration Center (NIC) was established to make this happen.  This was a daunting, but not impossible task, involving development of a standard (luckily much of this already existed through similar systems), the creation of a training plan and curricula (again, much of this already existed), and encouraging something called ‘NIMS implementation’ by every level of government and other stakeholders across the nation.  This last part was the really difficult one.

As identified in the GAO report: “HSPD-5 calls for FEMA to (1) establish a mechanism for ensuring ongoing management and maintenance of the NIMS, including regular consultation with other federal departments and agencies and with state and local governments, and (2) develop standards and guidelines for determining whether a state or local entity has adopted NIMS.”

While there was generally no funding directly allocated to NIMS compliance activities for state and local governments, FEMA/DHS associated NIMS compliance as a required activity to be eligible for many of its grant programs.  (So let’s get this straight… If my jurisdiction is struggling to be compliant with NIMS, you will take away the funds which would help me to do so????)  (the actual act of denying funds is something I heard few rumors about, but none actually confirmed).

NIMS compliance was (and continues to be) a self-certification, with little to no effort at the federal level to actually assess compliance.  Annually, each jurisdiction would complete an online assessment tool called NIMSCAST (the NIMS Compliance Assistant Support Tool).  NIMSCAST ran until 2013.

NIMSCAST was a mix of survey type questions… some yes/no, some with qualified answers, and most simply looking for numbers – usually numbers of people trained in each of the ICS courses.  From FEMA’s NIMS website: “The purpose of the NIMS is to provide a common approach for managing incidents.”  How effective do you think the NIMSCAST survey was at gauging progress toward this?  The answer: not very.  People are good at being busy but not actually accomplishing anything.  It’s not to say that many jurisdictions didn’t make good faith efforts in complying with the NIMS requirements (and thus were dedicated to accomplishing better incident management), but many were pressured and intimidated, ‘pencil whipping’ certain answers, fearing a loss of federal funding.  Even for those with good faith efforts, churning a bunch of people through training courses does not necessarily mean they will implement the system they are trained in.  Implementation of such a system required INTEGRATION through all realms of preparedness and response.  While NIMSCAST certainly provided some measurable results, particularly in terms of the number of people completing ICS courses, that really doesn’t tell us anything about IMPLEMENTATION.  Are jurisdictions actually using NIMS and, if so, how well?  NIMSCAST was as much a show of being busy while not accomplishing anything as some of the activities it measured.  It’s unfortunate that numbers game lasted almost ten years.

In 2014, the NIC (which now stands for the National Integration Center) incorporated NIMS compliance questions into the Unified Reporting Tool (URT), including about a dozen questions into every state’s THIRA and State Preparedness Report submission.  Jurisdictions below states (unless they are Urban Area Security Initiative grant recipients) no longer need to provide any type of certification about their NIMS compliance (unless required by the state).  The questions asked in the URT, which simply check for a NIMS pulse, are even less effective at measuring any type of compliance than NIMSCAST was.

While I am certainly being critical of these efforts, I have and continue to acknowledge how difficult this particular task is.  But there must be a more effective way.  Falling back to my roots in curriculum development, we must identify how we will evaluate learning early in the design process.  The same principle applies here.  If the goal of NIMS is to “provide a common approach to managing incidents”, then how do we measure that?  The only acceptable methodology toward measuring NIMS compliance is one that actually identifies if NIMS has been integrated and implemented.  How do we do that?

The GAO report recommends the evaluation of after action reports (AARs) from incidents, events, and exercises as the ideal methodology for assessing NIMS compliance.  It’s a good idea.  Really, it is.  Did I mention that they interviewed me?

AARs (at least those well written) provide the kinds of information we are looking for.  Does it easily correlate into numbers and metrics?  No.  That’s one of the biggest challenges with using AARs, which are full of narrative.  Another barrier to consider is how AARs are written.  The HSEEP standard for AARs is to focus on core capabilities.  The issue: there is no NIMS core capability.  Reason being that NIMS/ICS encompasses a number of key activities that we accomplish during an incident.  The GAO identified the core capabilities of operational coordination, operational communication, and public information and warning to be the three that have the most association to NIMS activities.

The GAO recommends the assessment of NIMS compliance is best situated with FEMA’s regional offices.  This same recommendation comes from John Fass Morton who authored Next-Generation Homeland Security (follow the link for my review of this book).  Given the depth of analysis these assessments would take to review AAR narratives, the people who are doing these assessments absolutely must have some public safety and/or emergency management experience.  To better enable this measurement (which will help states and local jurisdictions, by the way), there may need to be some modification to the core capabilities and how we write AARs to help us better draw out some of the specific NIMS-related activities.  This, of course, would require several areas within FEMA/DHS to work together… which is something they are becoming better at, so I have faith.

There is plenty of additional discussion to be had regarding the details of all this, but it’s best we not get ahead of ourselves.  Let’s actually see what will be done to improve how NIMS implementation is assessed.  And don’t forget the crusade to improve ICS training!

What are your thoughts on how best to measure NIMS implementation?  Do you think the evaluation of AARs can assist in this?  At what level do you think this should be done – State, FEMA Regional, or FEMA HQ?

As always, thanks for reading!

© 2016 – Timothy Riecker