Finding Local Hazard Information

Among all the information shared across the internet, something that would be of great assistance to many stakeholders is local hazard information.  It surprises me how inaccessible this information is.  Typically, in most places around the US, ‘local’ will mean a city, village, or town, and depending on the structure of government in the state, counties (or other similar governmental units) may also be considered local.  Specific to this discussion, I’m referencing the most local level of government which has an emergency management function.

So often, we advise businesses and organizations to work with their local emergency managers on preparedness initiatives, yet the necessary information is lacking in availability or accessibility.  One of the foundational elements of information for all emergency management activities is a hazard analysis.  While every organization should conduct their own to ensure that their own hazards are identified and analyzed, an informed hazard analysis will consider information from other sources.  What better source, we would assume, than the hazard analysis conducted at the most local level of government possible?  Sadly, this information is often not regularly available.

Many governments who conduct comprehensive emergency management activities post plans on their websites, which is a good start.  Often these are hazard mitigation plans and sometimes even emergency operations plans (EOPs).  Both of these plans, if well written, should include hazard analysis information.  Typically, if EOPs include this information, it’s a very brief summary, perhaps only a small chart or table.  Hazard mitigation plans are really centered on a comprehensive hazard analysis, but as I’ve written before, most hazard mitigation plans are not truly ‘all hazard’.  Most commonly, hazard mitigation plans only address and examine natural hazards and some human-caused incidents such as dam failures or hazardous materials incidents.  Because so much effort goes into the hazard analysis conducted for a hazard mitigation plan, many jurisdictions will then only reference this hazard analysis in their preparedness activities, such as developing EOPs.  Fundamentally, this then means that many jurisdictions are not properly preparing for other threats, such as an active shooter/hostile event response (ASHER) incident.

So there are really two issues here, one being that of making information readily available, the other is ensuring quality of information.  Ideally, I’d like to see jurisdictions post hazard analysis information on their websites.  People working for organizations or businesses who are less familiar with emergency management aren’t likely to read through a hazard mitigation plan to find this information.  A stand-alone document with a reasonable summary of this information can easily be provided.  Aside from organizations and businesses, such a practice would also make this information more accessible to the general public.  With so much time and effort spent on telling people they need to prepare, perhaps we should make the information more accessible which tells them what they need to prepare for?

What are you doing to make hazard information more accessible?

© 2018 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC℠

Changing The Lexicon on Terrorism Preparedness, Response, and Recovery

A couple months ago I posted about NFPA 3000: Standard for Active Shooter/Hostile Event Response Program.  Soon after posting, I ended up purchasing a copy of the standard and, combined with other readings and discussions, am fully bought into not only this standard but a change in our lexicon for this type of incident.

First off, in regard to NFPA 3000, it’s not rocket science.  There is nothing in this standard that is earth shattering or itself wholly changing to what we do or how we do it.  But that’s not the intent of NFPA standards.  NFPA technical committees compile standards based upon best practices in the field. The standards they create are just that – standards.  They are a benchmark for reference as we apply the principles contained therein.  NFPA 3000 provides solid guidance that everyone in EM/HS should be paying attention to.

What NFPA 3000 has helped me realize is that our focus has been wrong for a while.  Terrorism isn’t necessarily the thing we need to be preparing for.  Why?

First, let’s look at the generally referenced definition of terrorism in the United States.  This comes from Title 22 Chapter 38 US Code § 2656f.  It states that terrorism is “premeditated, politically motivated violence perpetrated against noncombatant targets by subnational groups or clandestine agents”.  Note that the definition focuses on motive more than action or consequence.  While motive is very important in prevention/intelligence and prosecution, it is far less important to most preparedness, response, and recovery activities.

The term ‘active shooter’ has been used quite a bit, yet it’s not a good description of what communities and responders can face when we consider that perpetrators could use means and methods instead of or in addition to firearms.  We’ve seen a wide variety of these instances that involve knives, vehicles, improvised explosives, and more.

This is why I prefer the term ‘active shooter/hostile event response’ or ASHER.  While the term has been around for a bit (a quick internet search shows references going back to at least 2013), NFPA 3000 has essentially canonized it in our lexicon.  The definition provided in NFPA 3000 is focused on the incident, rather than the motivation, and is comprehensive of any means or methods which could be used.  That definition is – Active Shooter/Hostile Event Response (ASHER): An incident where one or more individuals are or have been actively engaged in harming, killing, or attempting to kill people in a populated area by means such as firearms, explosives, toxic substances, vehicles, edged weapons, fire, or a combination thereof.

When it comes to preparedness, response, and recovery, ASHER is the focus we need to have.  Motivations generally make little difference in how we should respond.  We should always be looking for secondary devices or other attackers – these are not features unique to terrorist attacks.  As we do with any crime scene, we should always be mindful of evidence that can lead us to the motives and potential co-conspirators of an attacker.  That’s important for investigation, prosecution, and the prevention of further attacks.  Does the term ‘terrorism’ still have a place?  Of course it does.  In our legal system, that’s an important definition.  Philosophically, we can argue that all attacks are acts of terror, but because of the legal definition that exists of terrorism, we can’t – at least in the US.

I encourage everyone to start making the move to changing the lexicon to ASHER where appropriate.  It makes sense and gives us the proper perspective.

© 2018 – Timothy Riecker, CEDP

Active Shooter Drills with Students – Good Idea or Bad?

While school shootings, unfortunately, are nothing new, we are seeing them occur with greater frequency.  Without getting into my thoughts on firearms, I will say that preparedness, prevention, and mitigation for mass shooting incidents in schools and other soft targets of opportunity, are multi-faceted.  Shooters are just as much of a persistent threat as hurricanes, tornadoes, or flooding; amplified by the will of the shooter(s) to do harm and their ability to reason through paths of deterrence.  While a number of measures can and should continue to be implemented to prevent and protect soft targets, just as we do with natural hazards, we must continue to prepare for an attack that slips past or through our preventative measures.

Readers will know that I’m a huge advocate of exercises in the emergency management/public safety/homeland security space.  While the primary purpose of exercises is to validate plans, policies, and procedures; we also use them to practice and reinforce activities.  Certainly every school, college, shopping mall, office building, and other mass gathering space should hold active shooter drills.  Many of these facilities already conduct regular fire evacuation drills, and shooter drills should also be added to the mix.

Where to start?  First of all, you need a plan.  ALL EXERCISES START WITH A PLAN.  The sheer number of exercises I’ve seen conducted with no plan or a knowingly poor plan in place is staggering.  If people don’t know what to do or how to do it, the value of the exercise is greatly diminished.  If you are a responsible party for any of these spaces, reach out to your local law enforcement and emergency management office for assistance in developing an active shooter protection plan.  If you are a regulated facility, such as a school or hospital, the state offices that provide your oversight are also a resource.  You can find some planning guidance here and here.   While your focus with this activity is an active shooter protection plan, recognize that you will also need to re-visit the public information component of your emergency operations plan (you have one, right?) and your business continuity plan, as I guarantee you will need to reference these in the event of a shooting incident.  A final note on planning… don’t do it in a vacuum!  It should be a collaborative effort with all relevant stakeholders.

As for exercises, consider what you want to accomplish and who needs to be involved.  In a mall, it’s not wise to include shoppers in exercises since they are a transient audience and forcing their involvement will very likely be some bad PR and impact stores financially.  That said, you need to anticipate that mall shoppers won’t know what to do or how to react to a shooter, therefore mall staff need to be very forceful and persistent in how they deal with patrons in such an incident.  Therefore, involving mall staff along with law enforcement and other stakeholders in an off-hours exercise is a great idea.

Schools, however, are a different situation, as their populations are static for an extended period of time.  While school faculty and staff should exercise with law enforcement, there are different thoughts on how and when to involve kids in these exercises.  There are some that advocate their involvement, while there are some who are adamantly opposed.  I reflect back on fire evacuation drills, which occur with regularity in schools. These drills reinforce procedure and behavior with students.  They know they need to line up and proceed calmly and well behaved along a designated path to exit the building, proceeding to a meeting spot where teachers maintain order and accountability.  These are behaviors that stick with many into adulthood if they find themselves in a fire evacuation (drill or otherwise) – so it’s also a learning experience.  The same holds for tornado and earthquake drills, which are held regularly in many areas around the country.  Fundamentally, for a shooter situation, we also need to reinforce procedure and behavior with students.  They need to know what to do in lockdown, lockout, and evacuation.

The prospect of a shooter is a horrible thing for anyone to deal with, much less a child.  I’ve spoken to parents who, themselves, are horrified about the prospect of speaking to their children about a shooter in their school.  On every occasion, I’ve said this: You damn well better talk to them about it.  This is a discussion with perhaps greater importance than talks about strangers, drugs, alcohol, or sex; and it needs to begin with children from kindergarten on up.  Schools need to teach students what to do when the alert occurs for an active shooter – typically this involves getting them safely out of view from someone who might be in the hallway while teachers lock or barricade the door and turn off lights.  Students need to understand the gravity of the situation and remain still and quiet.  Evacuation will generally only occur under someone’s direction.  There will be loud noises and it’s likely the police won’t speak kindly as they are clearing rooms, looking for a shooter and potential devices.  To be certain, it’s scary for adults and I wish our children didn’t have to endure such a thing, but practicing and reinforcing procedures and behavior will save lives.  I’ll offer this article, which discusses some of the potential psychological impacts of shooter drills on kids.  These impacts are a reality we also need to deal with, but I think the benefits of the drills far outweigh the costs.

Mass shootings, like most aspects of public safety, underscore the need for us to do better not only in public safety response, but also as a society.  The answers aren’t easy and there is no magic pill that will provide a solution to it all.  It requires a multifaceted approach on the part of multiple stakeholders, sadly even those as young as four years old, to prepare, prevent, and protect.

© 2018 – Timothy M. Riecker, CEDP

2017 National Preparedness Report – A Review

With my travel schedule, I missed the (late) release of the 2017 National Preparedness Report (NPR) in mid-October.  Foundationally, the findings of the 2017 report show little change from the 2016 report.  If you are interested in comparing, you can find my review of the 2016 NPR here.

The 2017 NPR, on the positive side, provided more data and more meaningful data than its predecessor.  It appeared to me there was more time and effort spent in analysis of this data.  If you aren’t familiar with the premise of the NPR, the report is a compilation of data obtained from State Preparedness Reports (SPRs) submitted by states, territories, and UASI-funded regions; so the NPR, fundamentally, should be a reflection of what was submitted by these jurisdictions and regions – for the better or worse of it.  The SPR asks jurisdictions to provide an honest analysis of each of the core capabilities through the POETE capability elements (Planning, Organizing, Equipping, Training, and Exercising).

From the perspective of the jurisdictions, no one wants to look bad.  Not to say that any jurisdiction has lied, but certainly agendas can sway subjective assessments.  Jurisdictions want to show that grant money is being spent effectively (with the hopes of obtaining more), but not with such terrific results that anyone would think they don’t need more.  Over the past few years the SPRs, I believe, have started to normalize and better reflect reality.  I think the authors of the NPR have also come to look at the data they receive a little more carefully and word the NPR to reflect this reality.

The 2017 NPR (which evaluates 2016 data from jurisdictions) identified five core capabilities the nation needs to sustain.  These are:

  • Environmental Response/Health and Safety
  • Intelligence and Information Sharing
  • Operational Communications
  • Operational Coordination
  • Planning

I’m reasonably comfortable with the first two, although they both deal with hazards and details that change regularly, so keeping on top of them is critical.  It’s interesting that Operational Communications is rated so high, yet is so commonly seen as a top area for improvement on after-action reports of exercises, events, and incidents.  To me, the evidence doesn’t support the conclusion in regard to this core capability.  Operational Coordination and Planning both give me some significant concern.

First, in regard to Operational Coordination, I continue to have a great deal of concern in the ability of responders (in the broadest definitions) to effectively implement the Incident Command System (ICS).  While the implementation of ICS doesn’t comprise all of this core capability, it certainly is a great deal of it.  I think there is more room for improvement than the NPR would indicate.  For example, in a recent exercise I supported, the local emergency manager determined there would be a unified command with him holding ‘overall command’.  Unfortunately, these false interpretations of ICS are endemic.

I believe the Planning core capability is in a similar state of inadequacy.  Preparedness relies, fundamentally, on proper planning and the assessments that support it. While I’ve pontificated at length about the inadequacy of ICS training, I’ve seen far too many plans with gaps that you could drive a truck through.  I’ve recently exercised a college emergency response plan that provided no details or guidance on critical tasks, such as evacuation of a dormitory and support of the evacuated students.  The plan did a great job of identifying who should be in the EOC, but gave no information on what they should be doing or how they should do it.  The lack of plans that can be operationalized and implemented is staggering.

The NPR identified the top core capabilities to be improved.  There are no surprises in this list:

  • Cybersecurity
  • Economic Recovery
  • Housing
  • Infrastructure Systems
  • Natural and Cultural Resources
  • Supply Chain Integrity and Security

Fortunately, I’m seeing some (but not all) of these core capabilities getting some needed attention, but clearly not enough.  These don’t have simple solutions, so they will take some time.

Page 10 of the NPR provides a graph showing the distribution of FEMA preparedness (non-disaster) grants by core capability for fiscal year 2015.  Planning (approx. $350m) and Operational Coordination (approx. $280m) lead the pack by far.  I’m curious as to what specific activities these dollars are actually being spent on, because my experience shows that it’s not working as well as is being reported.  Certainly there has been some positive direction, but I’m guessing that dollars are being spent on activities that either have negligible impact or actually have a negative impact, such as funding the development of some of the bad plans we’re seeing out there.

I’m curious as to what readers are seeing out in real life.  What capabilities concern you the most?  What capabilities do you see successes in?  Overall, I think everyone agrees that we can do better.  We can also get better and more meaningful reports.  This NPR was a step in the right direction from last year’s, but we need to continue forward progress.

© 2017 – Timothy Riecker, CEDP

FEMA Seeks Input on Fiscal Year 2018-2022 Strategic Plan

From today’s FEMA Daily Digest Bulletin is an item related to FEMA’s FY 2018-2022 strategic plan.  FEMA Administrator Brock Long is inviting stakeholders to provide input to their upcoming strategic plan update.  They are doing this via IdeaScale, which is the same platform being used by DHS for an information campaign they promoted back in May of this year.  I’ve been monitoring the submissions to the DHS campaign and unfortunately find that the vast majority of ideas submitted are crap.  Many are ill-informed (such as one idea of sending passenger baggage on a separate plane solely intended for that purpose) or politically motivated, with few offering any practical solutions to real problems.

Relative to the FEMA campaign, I’m seeing much of the same.  Here’s what FEMA requested input on:

Simplifying Recovery and Reducing Disaster Costs

  • How can FEMA simplify recovery programs and reduce disaster costs while ensuring accountability, customer service, and fiscal stewardship?

Buying Down Risk through Preparedness and Mitigation

  • How should risk be calculated in awarding grants?
  • What type of grants are best suited for effectively reducing risk?
  • How do we incentivize more investment in preparedness/mitigation prior to a disaster (not only federal investment)?
  • How should the nation, including but not limited to FEMA, train and credential a surge disaster workforce ahead of major disasters?
  • What are new ways to think about a true culture of preparedness?

Much of the input they are receiving thus far is less than helpful in the endeavor to drive strategic planning.  Rather, they are receiving ideas of tactical applications both in general as well as specific to disasters, such as Hurricane Harvey.  While some of these ideas aren’t bad (some are), it seems that people are missing the point.

This brings about some thoughts on the concept of whole community engagement, which is obviously what FEMA and DHS as a whole are trying to accomplish through these IdeaScale endeavors.  I’m 100% in favor of whole community engagement, but opening the doors and inviting unstructured commentary is less than productive.  I’m sure it’s frustrating to the people on the receiving end who are having to sift through a lot of largely irrelevant input to find a few gems.  At the community level, these discussions can be moderated in public forums, but through an electronic means, it’s pretty much a free-for-all.  A valiant effort, but I wonder if they are getting the input they really need or if this merely accomplishes them ‘checking a box’ to say they solicited whole community feedback.

While feedback from the public can be valuable, I posit that most of the public simply isn’t aware enough of the mission, organization, and activities of FEMA to provide meaningful ideas toward their strategic plan.  Instead, forums such as the ones they’ve opened up simply provide opportunities for people to vent frustrations, which I suppose has some value but not in this forum.

What I’m hopeful of is that professionals in emergency management and public safety take advantage of the opportunity to provide thoughtful feedback and ideas which can contribute to FEMA’s strategic plan update.  If they are making the effort to obtain feedback, let’s give them what they need.  That’s my challenge to you!

© 2017 – Timothy Riecker, CEDP

Exercises: Simple is Usually Better

I find often that people want to run exercises they aren’t quite ready for.  Sometimes those exercises are too complex, or they simply aren’t the appropriate type.  Most often, we run exercises to test plans, policy, and procedures; but sometimes those plans, policies, and procedures aren’t quite ready to be tested.  Last year I advised a client to run a workshop instead of a tabletop exercise.  The initial goal of the tabletop was to validate a new plan, but this plan wasn’t ready to be validated.  The problem was that many stakeholders hadn’t yet seen the plan, and the review of that plan by our team in preparedness for the exercise wasn’t favorable.  The plan had much of the needed content, but it was disjointed and didn’t have any logical flow.  By conducting a scenario-based workshop, we were able to identify not only the ideal flow of the plan by flagging benchmark activities, but we were also able to discuss expectations of and for each stakeholder agency in the plan.  The client was then able to apply the results of the workshop to restructure their plan and make some needed substantive changes.

Similarly, I’ve encouraged a current client to conduct a workshop instead of a tabletop.  The initial goal of this tabletop was to identify how a new group of stakeholders could integrate into an existing plan.  In this situation, the tabletop would have been less than effective as the new stakeholder group isn’t yet identified in the plan.  The outcome of the workshop will be to identify how this integration can occur.

I think that sometimes people gravitate to certain exercises simply because they are more popular in a certain application.  That preconceived notion might be too complex or simply a poor choice for what you really need to accomplish.  When it comes to discussion-based exercises, most people default to a tabletop.  With operations-based exercises, it can vary.  Drills are often used for tactical applications, but we don’t see them as much in EOCs.  Drills certainly have a place in an EOC if you are looking to test a very specific function or activity.  While full-scale exercises are fun and sexy, I’ve been to the site of plenty that are total chaos because the fundamental premise of certain plans hasn’t been worked out (or some stakeholders aren’t familiar with them), which perhaps should have been done through a discussion-based exercise or a drill or functional exercise first.  Running a drill to test and familiarize the process of setting up key equipment prior to doing it for the first time in a full scale will pay a lot of benefits, and certainly prevent dozens or hundreds of other people being held up in a full scale.

Another issue I often see with exercises is very long and complex Master Scenario Events Lists (MSELs).  The MSEL is essentially the timeline or script of the exercise.  Along with listing all injects, it also identifies all benchmarks in the management of the exercise, such as StartEx and EndEx, and the introduction of new elements or transition to a different segment.  While there is no particular rule of thumb for how many injects are needed for different exercise types, everything needs to associate back to the objectives of the exercise.  I hate injects that are crafted simply for ‘noise’ (unless it’s an intel exercise), or injects intended to just give someone something to do.  Arguably, if the participants take an exercise seriously, such as a functional exercise, and play out the situation as they would in real life, you can engage an entire EOC for a few hours with even ten well-crafted injects.  While some functions are very focused, consider that the vast majority of what we do in emergency management requires coordination among a variety of elements and functions.  Capitalize on that.  One inject may engage multiple agencies or functions because of the need to coordinate and problem solve.  It’s not enough to identify a solution to the problem, but work through where the resources will come from, how they will get to where they need to go, and what support is needed for them and how long.  That’s a lot of problems to solve and will often transcend every function within the incident command system.  Exercises don’t need to be complex to be effective.  Create a handful of objectives and make sure everything relates back to them.  Simplicity can work.

My last recommendation is to keep your exercise planning team a manageable size.  I’ve been the lead planner for some very large exercises.  These exercises, largely due to their sponsors, ended up involving massive exercise planning teams – and by massive I mean over five or six dozen people – or more.  These are just sheer insanity.  Not every agency or organization involved in the exercise needs to be directly represented, nor does each organization need to send a small army of people.  What you do need is consensus from those organizations on the objectives and their scope of play.  That doesn’t mean they have to be involved in every aspect of planning the exercise.  Just like any other meeting or group project, a large exercise planning team can be cumbersome and management by committee is never efficient.  If need be, stakeholder groups can be developed based upon function.  For example, a fire service exercise planning team would develop their contributions to the exercise.  Just make sure that these groups are well coordinated and the overall exercise planning effort is unified, otherwise you’ll end up with a disjointed exercise effort.

In the end, simplicity rules.  As you begin planning your exercise, consider, in every step, if it can or should be simplified.  Always refer back to your intent and your objectives.  Chances are you can create a simpler exercise that is just as impactful, or perhaps more impactful.  When our inclination is to make things overly complicated, we often miss the point entirely.

© 2017 – Timothy Riecker, CEDP

NIMS is Worthless, Unless You Put it into Action

It’s so often that I hear people proclaim in response to a problem that NIMS will fix it.  I’ve written in the past that many organizations reference the National Incident Management System (NIMS) and the Incident Command System (ICS) in their plans, as they should, but it’s often a reference with no substance.  The devil is in the details, as the saying goes; and the details of implementation are necessary to ensure that difficulties can be overcome.

The premise is simple… NIMS is a doctrine, only as valuable as the paper you print it on.  So fundamentally, NIMS has no value – unless it is implemented.  This human factor is the biggest hurdle organizations and jurisdictions must face, yet so many are lulled into a false sense of security because they cite it in their plans and they’ve taken some ICS courses.  I encourage every organization to review the NIMS doctrine and give your organization an honest assessment of how you are actually following it.  It’s bound to be pretty eye opening for many.

We also have to keep in mind that NIMS isn’t just for your own organization.  While there are plenty of great practices in NIMS for your own organization, the greatest value in it is for multi-agency responses.  These don’t have to be to the extent of Hurricane Katrina or a massive wildfire, either.  Multi-agency responses occur in most jurisdictions every day – even what we regard as some of the most simple or routine incidents require multiple agencies to respond.  While the actions and responsibilities of these agencies are fairly rote and well-practiced, a slight increase in complexity can cause significant changes.

Consider that different agencies, even those within the same discipline, have some different ways of doing things.  These can be simply in the mechanics of what they do, or they can be driven by procedures, equipment, or personality.  Some of this may be in writing, some may not.  Where this matters is in tactics.  NIMS won’t solve differences in tactical application or ensuring interoperability.  Only preparedness can accomplish that.  Before an incident occurs, we need to be having regular conversations with other agencies within our jurisdiction and outside of it.  How often do you exercise with your mutual aid partners?  I mean really exercise with them…  It’s great that you all arrive to the exercise site and set up your own stuff, but how about mixing and matching equipment?  What will work?  What won’t?  How will it impact tactical application?  These are some of the most meaningful lessons learned.

Bottom line – don’t try to pencil-whip NIMS as the solution to your problems.  It’s meaningless unless it’s actually put into action – and the way to proactively do that is through preparedness efforts.   Work together through POETE activities – Planning, Organizing, Equipping, Training, and Exercises.  Once you put the concepts of NIMS into action, then it will work for you!

How has your organization implemented NIMS concepts?

© 2017 –  Timothy Riecker, CEDP

Public Area Security National Framework

The Transportation Security Administration (TSA) recently released this report in cooperation with a variety of stakeholders which provides information and guidance on preparedness, prevention, and response activities to strengthen the public spaces of transportation venues.  While the focus of the document is on airports, the information in the document is great not only across all transportation venues, but other public spaces as well.  I think there are great takeaways for other areas of vulnerability, such as malls, convention centers, event spaces, and others.

To be honest, there is nothing particularly earthshattering in this document.  The document is brief and identifies a number of best practices across emergency management and homeland security which will help agencies and organizations prevent, protect, prepare, and respond to threats, particularly attacks.  That said, the document does accomplish providing concise information in one document on key activities that absolutely should be considered by entities which control public-access spaces.  I would also suggest that this document is still 100% relevant to those which have some access controls or entry screenings.

Information in the document is segmented into three key tenets: Information Sharing, Attack Prevention, and Infrastructure and Public Protection.  Within these tenets are found recommendations such as relationship building, communication strategies, vulnerability assessments, operations centers, planning, training, and exercises.  Most of the recommendations provide examples or leading best practices (although no links or sources of additional information, which is a bit disappointing).

The framework is worth a look and can probably serve as an early foundation of activity for those who haven’t yet done much to prepare their spaces for an attack.

© 2017 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC

Can we Require Preparedness?

The City of Pittsburgh recently lost an effort to require emergency preparedness training for security officers and building service employees.  The Commonwealth Court ruled that the City did not have the authority to require such an ordinance.  This is just another example of the difficulties we’ve seen across the US with requirements for preparedness measures.  Why is it so challenging?  It often comes down to the legality of the requirement.

When it comes to the interface of local jurisdictions with states, we often see the concept of home rule providing one of the greatest challenges.  Some interpretations of home rule laws identify that states can’t require local (often to include county) jurisdictions to conduct certain activities, such as having certain plans, attending training, or conducting exercises.  In some states, we see law or regulation that states that if a jurisdiction is to have an emergency plan, then there is a required format of said plan.  But if there is no stick, there is often a carrot.

If requirements can’t be established, then incentives are often the best alternative.  Again, in the local/state relationship, states have grant allocations which can be provided to local governments.  Grant rules can be established that identify certain requirements as conditions of funding.  This tends to be highly effective, especially when funding is expected to continue year after year, and the grants continue to reinforce sustained maintenance on these requirements, such as periodic updates to emergency plans.  Generally, I see no downside to this alternative, so long as the required initiatives are well thought out and realistic given the amount of funds the jurisdiction is receiving.  To ensure effectiveness, however, there must be accountability and quality control measures in place to monitor execution of these requirements, such as reviewing plans, After Action Reports, and auditing training programs.  This same methodology is typically how DHS/FEMA is able to get states and funded urban areas (UASIs) to comply with their wishes for various initiatives.

Outside of government, requirements can still be difficult.  While regulations may be put into place for certain industries and under certain conditions, we often have to rely on other, more practical, means of getting businesses, industry, and even not-for-profits on board.  This often comes with certifications.  An example would be ISO certifications, which some businesses and industry need to compete in certain markets.  Yes, there is even an ISO standard for emergency management.

Unfortunately, many entities, be they public, private, or even individuals, don’t want to be bothered with preparedness.  Most will agree that it’s a good idea, but it takes time, money, and effort.  It’s long been said that you can’t legislate preparedness, and that is often true.  Even if a requirement is able to be established, the extent of implementation can range widely, depending on the internal motivations and resources available to the entity.  Establish whatever requirements you want, but I guarantee there are some that will barely meet those requirements, and in doing so likely not meet the actual intent of the requirement, while others who believe in the requirement and have available resources will exceed the requirement.  Largely, organizations are motivated by funding and certification standards.

I’m interested in the perspectives you have on requiring preparedness, both in the US as well as other nations.

© 2017 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC

Customization of ICS

Since even before the National Incident Management System (NIMS), I’ve seen individuals and organizations have a desire to customize the Incident Command System (ICS).  This has always been troubling to me, as customization is fully contradictory to using a standardized system.

ICS offers an abundance of flexibility.  If you are familiar enough with the system, its foundational features, and the intent of the roles and responsibilities within the system, you can meet practically every need utilizing these functions and features.  Is ICS perfect?  No.  Is it the best we have?  Yep, it sure is.  Having many years as a practitioner, trainer, and evaluator of ICS, I’m confident that it can meet 95% of needs that an organization will have.

Generally, I find that the argument put forward by many organizations who insist on customization is that the rigidity of ICS does not accommodate their needs, structure, and culture.  On the occasions that I’ve had to sit down with the organization’s personnel and ask questions about what they are trying to accomplish, it becomes quite clear that they simply don’t have a good understanding of ICS.  Some can be fairly obvious, such as moving the Safety Officer position to Operations.  Others require a bit more analysis, such as creating an element in the Operations Section to address security needs of their own facility.  Security of your own facility is actually a responsibility of the Facilities Unit within Logistics, not an Operations responsibility.

Foundationally, let’s consider the main purpose of ICS – interagency coordination.  ICS is a standardized system which supports integration, cooperation, and unity of effort between and among multiple organizations.  One of the main reasons I see organizations struggling to fit elements into an ICS organization chart is because some simply don’t belong there.  If you have functions internal to your own agency, even if they are used during emergency operations, but don’t interact with others, I honestly couldn’t care if you organize them within ICS, so long as they are accounted for within your organization’s own chain of command.  There is no doctrine or best practice that requires organizations to account for every internal function within an ICS org chart.

The other reason, which I alluded to earlier, for organizations trying to customize ICS for their purposes, is a lack of understanding of ICS.  I’m aware that some people who have done this might only have taken ICS 100, giving them only a scratched surface of ICS knowledge, which they easily misapply since they don’t have a good understanding of the fundamental concepts of ICS.  However, I’m aware of plenty of individuals who have taken ICS 300 and possibly ICS 400 who still fall into this trap.  I feel this situation stems from misapplied learning, which ultimately comes from poor ICS curriculum.  (If you want to read more on my opinions on how ICS Training Sucks ⇐ visit here).

ICS training should not only provide learning to support operational implementation of ICS concepts, but also adequate preparedness activities, such as integrating ICS into plans, policy, and procedures.  Current training leaves many people feeling they know enough about ICS to integrate it into these important documents, but they feel compelled to be creative, when not only is creativity generally not required, it flies in the face of a standardized system.  ICS has an abundance of flexibility which can accommodate a multitude of functions; one just has to relate these to the fundamental features of ICS to identify where they might go.  I’m not opposed to creating a new organizational element, just make sure that it fits appropriately, without duplicating efforts, usurping responsibility from another standard element, or violating span of control.

Consider this: will your organization chart integrate with others?  If so, how?  Is there operational integration or is it through an agency representative?  If the answer is the latter, there is less concern, but if there is an expectation for operational integration or shared functions, such as Planning or Logistics, sticking to the standards is even more important.

I’m interested to hear your thoughts on ICS customization, the reasons behind it, and the ramifications of it.  Fire away!

© 2017 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC