The Future of NFPA 1600

NFPA 1600: Standard on Continuity, Emergency, and Crisis Management is a standard I often reference. The contents of the standard, applicable to all organizations including government, non-profit, and private sector; compliments other standards and doctrine well, and is regularly updated to integrate new practices. The latest editions have gained even more value with what can be collectively referred to as implementation notes, which really help support putting the standard into action. The NFPA has also been releasing ‘Handbook’ editions of their standards, with even more professional commentary to support implementation. There is news, though… NFPA 1600 is going away – but don’t worry!

Last year, the NFPA announced the Emergency Response and Responder Safety Document Consolidation Plan. This is part of a larger movement within the NFPA to pull together a variety of similar codes and standards. NFPA 1600 will be combined into a new consolidated standard, NFPA 1660. NFPA 1660 will consist of the present NFPA 1600, NFPA 1616 (Standard on Mass Evacuation, Sheltering, and Re-Entry Programs), and NFPA 1620 (Standard for Pre-Incident Planning). The respective scopes of each of these documents are very complimentary and it absolutely makes sense for them to be in a combined edition. I appreciate that the combined editions will better allow readers to connect the dots of the continuity of activity.

The new NFPA 1660: Standard on Community Risk Assessment, Pre-Incident Planning, Mass Evacuation, Sheltering, and Re-entry Programs is in a public input period for the first draft through November 13, 2020; with a second draft scheduled for release in 2021; and a final draft by the end of 2022. So, don’t worry, NFPA 1600, or the other two standards it is being combined with, are not yet ‘obsolete’, but these standards on their own will no longer be updated.

For many years, NFPA 1600 has been available free digitally. I’m hoping the new combined standard will also be available for free as it will be an even more valuable resource and reference for a very broad range of emergency management and business continuity professionals, as well as students of these professions. I certainly expect the new NFPA 1660 to include new or modified standards as the result of lessons learned from the Coronavirus pandemic.

Is there anything you would like to see in the new standard?

©2020 Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC®

A New NFPA Standard for Active Shooter/Hostile Event Response

The National Fire Protection Association (NFPA) has recently published a new standard for Active Shooter/Hostile Event Response (ASHER) programs.  NFPA 3000 is consistent with other standards we’ve seen published by the organization.  They don’t dictate means or methods, leaving those as local decisions and open for changes as we learn and evolve from incidents and exercises.  What they do provide, however, is a valuable roadmap to help ensure that communities address specific considerations within their programs.  It’s important to recognize that, similar to NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity/Continuity of Operations Programs, you aren’t getting a pre-made plan, rather you are getting guidance on developing a comprehensive program.  With that, NFPA 3000 provides information on conducting a community risk assessment, developing a plan, coordinating with the whole community, managing resources and the incident, preparing facilities, training, and competencies for first responders.

NFPA standards are developed by outstanding technical committees with representation from a variety of disciplines and agencies across the nation.  In the development of their standards, they try to consider all perspectives as they create a foundation of best practices.  While the NFPA’s original focus was fire protection, they have evolved into a great resource for all of public safety.

I urge everyone to take a look at this new standard and examine how you can integrate this guidance into your program.  The standard is available to view for free from the NFPA website, but is otherwise only available by purchase.  Also available on their website is a fact sheet and information on training for the new standard.

© 2018 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC

A New Standard for Emergency Management Programs

Over two years ago I wrote on the two primary standards for emergency management programs in the United States – the Emergency Management Accreditation Program (EMAP) and the National Fire Protection Association (NFPA) 1600: Standard on Disaster/Emergency Management and Business Continuity Programs.  These two standards are voluntary in their adoption and provide common sense guidelines on proven effectiveness and best practices for emergency management programs.  EMAP goes the additional step in offering accreditation for jurisdictions and/or programs based upon compliance with their standards.

Recently, New York’s Governor Cuomo announced what is apparently the nation’s first state-coordinated local emergency management accreditation program.  New York’s program is based upon 21 standards, created and maintained by a committee co-chaired by the NYS Emergency Management Association and the NYS Office of Emergency Management.  The accreditation process identified by NYS’ program guidance is fairly similar to EMAP’s, with application, preparation, a site visit, and committee review.

On the plus side, New York’s system is a further encouragement of the use and application of standards and has enough similarity to EMAP which puts the two accreditations on a close enough path that a jurisdiction can pursue both with little deviation.  The processes of preparation, an on-site review, and final accreditation council review are very similar. Further, agencies accredited through the New York State program are granted the ability to display the accreditation program logo, similar to EMAP, as a matter of pride and recognition.  New York’s system also requires a periodic reaccreditation, which encourages jurisdictions to maintain their accreditation standards.

Where New York’s program differs from EMAP…

  • EMAP accreditation is available to any entity, whereas New York’s appears to be specifically designed for local/county emergency management offices, although it does acknowledge the need for a whole community approach to emergency management
  • EMAP standards identify what components must be in place, not the means and methods used to accomplish those components. This is a significant difference from New York State’s program, which rather heavy handedly dictates means and methods, including mandatory completion of New York State’s emergency management and certification training by key staff, completion of the State’s County Emergency Preparedness Assessment (CEPA) program, and active use of the NY Responds system.  While fundamentally, I agree with promoting these as standards across the state, requiring them for accreditation can lead to a stagnated or stalled program if better training or systems are made available and the standard is not able to be kept current.  Required means and methods also stall innovation, which is another reason by NFPA 1600 and EMAP shy away from this practice.  That said, the aforementioned means and methods are the standard of practice in New York State, so this is a good opportunity to reinforce use of those standards.

New York’s new standard provides a solid exploration into the new territory of state-coordinated accreditation.  I’m a big proponent of states’ rights, and firmly believe this to be a good practice, especially when such accreditations reflect the principles of nationally recognized standards such as EMAP and NFPA 1600.  I don’t view New York’s system as being competitive with EMAP, rather it is quite complimentary.  With additional interests in standards, I’m hopeful that all standards will remain contemporary and cutting edge, constantly encouraging excellence and striving for improvements.

As always, I’m interested in your thoughts on state-coordinated accreditation and emergency management standards in general.

© 2017 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC

Do We Need Different Systems for Catastrophic Incidents?

We’ve long heard, albeit in small pockets, people proclaiming that emergency management and public safety need different systems for larger incidents vs smaller incidents.  For years, the Incident Command System (ICS) fought that stigma, with many saying that ICS is only used for hazardous materials incidents (specifically because of OSHA requirements) or for large incidents that required such a high degree of organization.  Following the release of HSPD-5 and the resultant requirements for everyone to use the National Incident Management System (NIMS), we finally seemed to transcend that mentality – although we are still seeing people apply ICS poorly, and often with the thought that it will all work out fine when a large incident occurs.

Since the mid-2000s, coupled with the push for ‘catastrophic planning’, I’ve been hearing people proclaiming that catastrophic incidents require different systems – be it for planning or management.  Recently, I’m hearing this mentioned again.  Yet, interestingly enough, none of the arguments identify specifically what it is about our current systems of preparedness or incident management that fail at the sight of a catastrophic incident.

While I’m a critic of various aspects of our current systems, I’m a believer in them overall.  Do we need a new system of planning?  No, we just need to do it better.  When we plan for a catastrophic level event, we must consider that NOTHING will work in the aftermath of such an incident.  I’m shocked that some people are still counting on the existence and functionality of critical infrastructure following a catastrophic event.  No roads, no communications, no life lines.  These surprised disclosures are revealed in the After Action Reports (AARs) of incidents and exercises that test catastrophic incidents, such as the recent Cascadia Rising exercise.

Fundamentally, are these losses all that different than what we experience in smaller disasters?  Not so much.  Smaller disasters still take out our roads and disable our communications systems – but such disasters are small enough that we can work around these issues.  So how is it a surprise that a large hurricane or earthquake will do even more damage?  It really shouldn’t be.  It’s essentially a matter of scale.

That said, I certainly acknowledge the difficulties that come with the combined impacts of a catastrophic disaster, coupled with the sheer magnitude of it all.  There are challenges offered that we don’t normally see, but a new system of planning is not the answer.  The current frameworks and standards, such as CPG-101 and NFPA 1600 are absolutely substantial.  The processes are not flawed.  The issue is a human one.  We can’t blame the standards.  We can’t blame the plans.  The responsibility lies with the people at the table crafting the plan.  The responsibility lies with them to fully understand the hazards and the potential impacts of those hazards.  Conducting a hazard analysis is the first step for a planning team to accomplish, and I think this is often taken for granted.  While the traditional hazard analysis has value, the current standard is the Threat and Hazard Identification and Risk Assessment (THIRA).  It is an exhausting and detailed process, but it is highly effective, with engaged teams, to reveal the nature and impacts of disasters that can impact a community.  Without a solid and realistic understanding of hazards, including those that can attain catastrophic levels, WE WILL FAIL.  It’s that simple.

As we progress through the planning process and identify strategies to accomplish objectives, alternate strategies must be developed to address full failures of infrastructure and lack of resources.  Assumptions are often made in plans that we will be able to apply the resources we have to fix problems; and if those resources are exhausted, we will ask for more, which will magically appear, thus solving our problems.  Yes, this works most of the time, but in a catastrophic incident, this is pure bullshit.  This assumption needs to be taken off the table when catastrophic incidents are concerned.  The scarcity of resources is an immediate factor that we need to address along with acknowledging that a severely damaged infrastructure forces us out of many of the technological and logistical comforts we have become accustomed to.  It doesn’t require a new system of planning – just a realistic mentality.

This all logically ties to our incident management system – ICS.  ICS is fully able to accommodate a catastrophic-level incident.  The difficulties we face are with how we apply it (another human factor) and integration of multiple ICS organizations and other incident management entities, such as EOCs.  The tenant in ICS is that one incident gets one incident command system structure.  This is obviously not a geo-political or practical reality for a catastrophic incident that can have a large footprint.  This, however, doesn’t mean that we throw ICS out the window.  This is a reality that we deal with even on smaller disasters, where different jurisdictions, agencies, organizations, and levels of government all have their own management system established during a disaster.  Through implementations such as unified command, multi-agency coordination, agency representatives and liaison officers, and good lines of communication we are able to make effective coordination happen.  (Side note: this is absolutely something I think we need to plan for and tighten up conceptually.  It’s often pulled together a bit too ad-hoc for my comfort).

While some time and effort needs to be applied to develop some solid solutions to the issues that exist, I’m confident that we DO NOT need to create alternate preparedness or response systems for addressing catastrophic incidents – we simply need to apply what we have better and with a more realistic perspective.  The answers won’t come easy and the solutions might be less than ideal, but that’s the nature of a catastrophic event.  We can’t expect it to be easy or convenient.

© 2016 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLCYour Partner in Preparedness

A New NFPA 1600

Several weeks ago (I forgot to post it!) the National Fire Protection Association (NFPA) released the 2016 update of their 1600 standard, and with a slightly different name: Standard on Disaster/Emergency Management and Business Continuity/Continuity of Operations Programs.  More on the name change in a bit.

For those not familiar with NFPA 1600, if you are in the emergency management field, you should be familiar with it.  While not legally binding (unless specifically referenced by a law or regulation), NFPA 1600 is an excellent standard for modeling an emergency management program.  Like any good standard, it provides guidance on what components you should have, but doesn’t tell you how to do it. NFPA 1600 is also very complimentary to the Emergency Management Accreditation Program (EMAP), with no conflicts between these standards – mostly because EMAP foundationally references much of NFPA 1600.  NFPA 1600 can be found here.  The NFPA provides a free download of the standard (it is heavily copyrighted, so exercise prudence in how you handle it) or you can pay to obtain paper copies.

On to the changes in this update.  As mentioned, the title has been altered a bit by adding ‘Continuity of Operations’.  While it doesn’t say so, I’m guessing that some government-types may have approached NFPA 1600 a bit skeptically thinking that it was really intended for the private sector.  The thing is, business continuity is a specific function within emergency management, but largely follows many of the same processes, just with a particular focus.

Within the standard, the early section titled ‘The Origin and Development of NFPA 1600’ summarizes the evolution of the standard, and provides some information on the changes to the 2016 update.  They mention that “The purpose of the standard has been changed to reflect the Committee’s decision to emphasize that the standard provides fundamental criteria for preparedness and that the program addresses prevention, mitigation, response, continuity, and recovery.  In other words, “preparedness” is no longer just an element of the program – it is the program.” That perspective on preparedness is a great continued evolution of the concept within emergency management.  While the standard in emergency management used to be the emergency management cycle with preparedness as one phase, that is thankfully beginning to go away (although it’s still seen out there way too much for my taste).

old em cycle

The Old Emergency Management Cycle – DON’T USE THIS ANYMORE!

The truth is preparedness permeates everything we do – all phases (or mission areas) of emergency management.  That’s why there are five mission areas identified in the National Preparedness Goal (Protection, Prevention, Response, Mitigation, and Recovery).  Where is preparedness?  It’s the root of the document (literally… it’s in the name of the document).  Preparedness is addressed for each mission area.  We must prepare to protect, prepare to prevent, prepare to respond, prepare to mitigate, and prepare to recover.

As usual, I digress…

Back to NFPA 1600.  This 2016 update includes language within “crisis management planning to include issues that threaten the reputation of and the strategic and intangible elements of the entity as a result of an event or series of events…”.  Smart move.  These elements of crisis management are something we see in both the public and private sector and certainly should be addressed.

Since business continuity does remain a focus element of the standard, they have continued to enhance those aspects.  As such, they have included information on supply chain risk and information security within the document.  When considering business continuity, we can’t just look at our own operations.  The vulnerabilities of other organizations can certainly impact us, so examining supply chain vulnerabilities is wise.  As for information security, we have seen plenty of internal and external cybersecurity issues to justify that.  Although a bit late, I’m glad the NFPA is keeping up with technology and current trends and hazards.  They have also rewritten much of the business impact analysis section (within Chapter 5) to address continuity planning and recovery planning, with a specific differentiation between the two.

Lastly, they have added Annex C, a small business preparedness guide (good move NFPA!), and have added material on addressing the needs of persons with access and functional needs, as well as adding some information on the role of social media in crisis communications plans.

These are all positive changes for the NFPA 1600 standard.  I encourage everyone who is part of an emergency management program to take a look at it and see what it has to offer.  It’s good guidance and will probably provide some good ideas for helping you grow and maintain an impactful program.

For those interested, I have a couple of past articles on standards in emergency management:

Standards in Emergency Management Programs

Business Continuity and Emergency Management Standards and Requirements

 

© 2016 – Timothy Riecker

Emergency Preparedness Solutions, LLCWe are your Partner in Preparedness!

Best Practices for the New Year – Standards in Emergency Management Programs

Going into the New Year I’m endeavoring to write a few posts on best practices in emergency management.  The New Year is a great opportunity for us to take a broad look at our emergency management programs to identify needs and develop and implement some strategies to improve.  Instead of looking back in a rather cliché “year in review”, let’s look ahead toward improvement!

I also wanted to express appreciation to all of my blog readers.  Some of you find me directly through my blog’s home at WordPress, some through LinkedIn or Twitter (@triecker or @epsllc), and some through my company’s website – Emergency Preparedness Solutions, LLC.  If you like my blog please share it with others.  Comments are always welcome.

On to our topic… Standards in Emergency Management Programs

All emergency management programs – government, private sector, and not-for-profit – should strive for their programs to meet accepted industry standards.  The two most significant standards in the United States are the National Fire Protection Association (NFPA) 1600: Standard on Disaster/Emergency Management and Business Continuity Programs and the Emergency Management Accreditation Program (EMAP).  The two standards are very similar in content and in fact complimentary, with the most significant difference being that EMAP offers an actual accreditation process.  Both programs offer copies of their standards free of charge, which is reflective of the spirit of sharing and improvement that exists in emergency management.

The NFPA offers the most recent previous version of their standard as a free download from their website.  The NFPA 1600 standard is quite detailed and can be initially overwhelming but really should be referenced piecemeal.  The free EMAP standards are published in a bit less detail, but they provide a very detailed assessment tool for those who initiate the formal accreditation process.  Because neither standard references specific laws or FEMA documents, they are also great references for governments, private sector, and not-for-profits outside the US.

How should you review the standards? 

They both essentially serve as checklists for what is programmatically needed for successful emergency management programs.  They are both organized by functions, such as planning, training, exercises, and logistics allowing a program to see what activities within each area are needed.  Neither standard will tell you how to meet any particular section of their standard, as they don’t want to be seen as favoring any particular published processes or products and want to encourage innovation and resourcefulness.  This also lends itself well to either/both standards being applicable and achievable by large and small organizations alike.

Examining your own emergency management program through the lens of either of these standards provides a great opportunity to see where you stand.  Examine your functions piece by piece, function by function.  Check off what areas you feel meet the standards and highlight those which you feel do not.  Use these areas as a point of reference for improvements.  Conduct a bit of a needs assessment in these areas to identify exactly what needs to be done to improve and meet the standard then create an improvement plan to make it happen.

Having helped organizations with both NFPA 1600 compliance as well as EMAP accreditation, I’ll attest that much of it simply comes down to paperwork and good systems management.  Many of the standards can be addressed through creating and applying polices and solid practices and procedures.  Organized and thorough record keeping is very important for these matters.

What if you don’t have a specific emergency management function or certain activities are conducted by someone else?

Of course you probably should have a specific emergency management function within your community, company, or organization; but many do not.  Needs are often met in these circumstances through an amalgamation of functions found throughout the rest of the jurisdiction, company, or organization.  Hopefully you at least have an emergency management committee (or one which can serve this purpose such as a safety committee) which has representation from these various entities.  Such a committee is an ideal group to review these standards.  An emergency management program isn’t necessarily a specific agency or office; it’s really the entire system.  These standards should be examined through the entire jurisdiction, company, or organization as responsibilities and functions may be spread around.

What advantages do these standards offer for emergency management programs?

There is certainly a piece of mind knowing that your program meets these standards which are based upon industry best practices, even more so if you took advantage of EMAP’s accreditation.  These standards also provide documented justification for grants, budget allocations, resources, and activities which will contribute to a thriving emergency management program.  Overall, however, you will find that your program will be more professional and more responsive to the emergency and disaster needs of your constituency – be it a community, company, or organization.

Meeting these standards is an investment, but mostly of time and effort.  Sure, there are ways you can meet certain standards better by purchasing some cutting edge software or hiring six more people, but these standards are not intended to serve only the most fortunate and affluent emergency management programs.  A program run by a part time emergency manager with minimal funding can still successfully meet these standards.

Maintaining compliance with these standards is important and is an ongoing effort – it’s quite easy to fall off the carnival ride, especially when distracted by our daily routines and changing priorities.  Set a schedule to conduct an annual review of the standards, incorporate your compliance efforts into strategic plans, and regularly refer back to the standards to keep them fresh in your head.

Of course help is available!  Emergency Preparedness Solutions can help your jurisdiction, company, or not-for-profit conduct a Standards Assessment to determine what standards are met, what standards need to be met, and develop a strategic plan to meet these standards.  Through our full range of preparedness services we can also help you meet these standards and develop a maintenance plan for your program.

If you have questions please contact me at tim@epsllc.biz.

Have a wonderful, safe, and productive New Year!

@ 2014 – Timothy Riecker

Business Continuity and Emergency Management Standards and Requirements

When building a business continuity or emergency management program – or the foundation of that program in a business continuity or emergency management plan – there is a lot of research that needs to be performed before much work can even begin.  Some of the most critical research is the identification of the standards and requirements which apply to your program/plan.  Note a significant difference in terminology between requirement and standard.  Requirements are generally items that are in passed into law or included in regulation.  Standards are typically developed by standards organizations or accrediting bodies and are generally looked upon as best practices within an industry.  Standards are also more likely to be regularly updated whereas requirements (laws) are generally updated on a less often basis.

Where should you look for requirements and standards which apply to you?  Much of it is based upon what industry you are in and where you are located.

Start locally.  Research local laws and codes which may have requirements for certain industries.  Local emergency management planning codes that I’ve seen include industries that use or produce specific chemicals, healthcare facilities, day care programs, and the hospitality industry (hotels and resorts), to name a few.  These codes may require certain planning or notification elements which you must address.  You should search the codes/laws of your city/town/village as well as your county.  The clerks or emergency management officials for those jurisdictions should be of great help to you.  States usually also have specific planning requirements found in state law and/or regulation which cover requirements for local jurisdictions as well as many of the industries mentioned previously.  Contact your state emergency management agency as well as the state agency that regulates your industry for the best information.

Local and state laws comprise most of the requirements you will find – however certain industries may have federal laws or regulations which must be followed – many of these come from the EPA.  Nationally, however, you are more likely to find standards.  FEMA’s standard for emergency planning (which largely applies to jurisdictions but can certainly be used by other organizations) is found in Comprehensive Preparedness Guide (CPG) 101 – Developing and Maintaining Emergency Operations Plans.  While there is no up front legal requirement to follow CPG 101 from FEMA, it may be a requirement of grant funding – yet another requirement you must explore and address.  Certain industries seeking ISO (International Standards Organization) accreditation may need to follow various ISO standards on emergency management and safety.  Overall, if your industry has a professional association or accrediting body, they are an excellent resource for you.

But isn’t there some standard that applies broadly to everyone?  Yes – that is NFPA 1600.  The National Fire Protection Association (NFPA) creates standards which apply to many industries and are often legally adopted as code by jurisdictions.  The NFPA itself does not create law or regulation but they drive many of the standards we see across the nation in many applications including chemical production and handling, engineering, electrical, plumbing, building and development codes, fire codes and others.  NFPA documents are developed through a consensus standards development process approved by the American National Standards Institute (ANSI).  NFPA 1600 is the Standard on Disaster/Emergency Management and Business Continuity Programs.  Typically access to NFPA documents requires membership or a fee per document (their material is copyrighted), however NFPA 1600 is seen as so critical and broad-reaching that the NFPA offers access to the document free of charge.

NFPA 1600 is comprehensive yet open enough for individual application.  You won’t see from NFPA 1600 any detailed guidance in how to write a plan, but you will see the steps of a planning process and key benchmarks they recommend be addressed in a plan.  In addition to planning, the standard also addresses program management, training and exercises, and program improvement.  Intended to be used as a tool, the standard also includes program evaluation checklists and references other best practices in emergency management and business continuity including DRII (Disaster Recovery Institute International) and United Nations programs.  An annex within the standard even addresses family preparedness programs intended for employees.

While the standards you must follow are dependent upon your location and industry, NFPA 1600 can be applicable to all organizations and should be referenced in the building and maintenance of your emergency management and business continuity plan.  For those of you dependent upon access to information on your mobile devices, they even have a free NFPA 1600 mobile app (I reference it often!).

Adherence to requirements and standards helps ensure that your program meets or exceeds all expectations and best practices.  Even if you are not legally obligated to do so, following standards, such as NFPA 1600, provides you with a comprehensive program which will help you better prepare for, respond to, and recover from disaster.

If you need help navigating your emergency management requirements or standards, contact Emergency Preparedness Solutions.  Visit our website at www.epsllc.biz.

© 2014 Timothy Riecker