Tag response

Contingency Planning

Tim Riecker, The Contrarian Emergency Manager 3 Comments

I’m going to wrap up 2020 by discussing contingency planning, which is a practice not seen often enough. Before I get started, I should contextualize my use of the term ‘contingency plan’. My general use of the term, at least in emergency management applications, is intended to refer to a plan which may be needed to address the disruption of current event management, incident response, or recovery operations. Essentially, it’s the emergency plan to use while dealing with an emergency, in the event that something bad occurs.

When might you need a contingency plan? Contingency plans should be developed for the kind of situations that have you looking over your shoulder or asking ‘what if…’. Weather events are often good examples, such as a response taking place during some very active tornado weather. You might be responding to the impacts of an earlier tornado, or something completely unrelated, but a tornado warning is in effect, meaning that one could materialize at any time. This could also be a response taking place in a low-lying area during a flash flood warning. We sometimes build contingency plans into our standard operating guidelines or procedures (SOPs/SOGs) by having back-up teams, such as rapid intervention teams (RITs) in the fire service, which are standing by to rescue firefighters in trouble during an interior firefighting operation. Assessing risks on an ongoing basis and developing contingency plans should be part of your incident management battle rhythm.

Where to start with contingency planning? Let’s fall back to the CPG 101 planning process. Yep, that works here, too. The first step is to build your planning team. Contingency planning is a responsibility of the Planning Section, but others need to be involved. Working from a traditional ICS structure, I’d certainly suggest involving Safety and Operations, at a minimum, but depending on circumstances, you may wish to expand this, such as considerations for failures in the supply chain (thus Logistics and Finance/Admin), which may be less of a life safety matter, but can heavily impact operational continuity.

With consideration to the Safety Officer, I’d argue that tactical safety is the primary focus of the Safety Officer; while things that can have much broader impact to the incident, while still a concern of the Safety Officer, may require more in-depth and coordinated planning, thus why I tag the Planning Section to lead contingency planning efforts. My experience has always had the Planning Section taking the lead in this. That said, your incident management organization may decide to assign this to the Safety Officer or an assistant Safety Officer. That’s totally fine in my book, so long as it’s being addressed.

Step two of the planning process is to understand the situation. Some of your risks might be really apparent, such as the tornado warning, but others may require a bit more assessment and discussion. If you need to dig deeper, or are looking at a potential need for a variety of contingency plans, I’d recommend using a risk assessment matrix to help assess the likelihood and impacts of the risks you are examining. Here’s an example of a risk assessment matrix from the United States Marine Corps. Sadly, the risk assessment matrix is not yet a common tool in our incident management doctrine and practices in the US, though I do see it referenced elsewhere. In looking at the tool, obviously those with higher probabilities and severity of impact are the priorities on which to focus. Be sure to consider cascading impacts! Keep in mind that this risk assessment, depending on the duration and kinetics of your response and the dynamics of the environment, may need to be performed more than once throughout your operations. It should at least be considered every operational period.

Step three is to identify goals and objectives. Of course, in the broadest sense, our operational priority is always life safety, but we need to refine this a bit based on the specific hazard we are planning for. Second to life safety, we should also be considering operational continuity, ensuring that we can return to current operations with the least disruption possible OR be able to immediately respond to emergent needs created by the hazard in the event of the hazard creating a more kinetic environment. Your plan may also need to address impacts to the public at large (essentially anyone not part of your incident management organization). Depending on your operational scope and the area of responsibility, this may actually exceed the capacity and mandate of your incident management organization. You will need to determine how to ‘right size’ the scope of your planning efforts. This is perhaps a good opportunity to consult the local emergency manager. Don’t lose focus, though. The contingency plan is not intended to save the world. Remember, responder safety is our number one priority.

Step four is developing the plan. This is largely an outline of the essential elements. There are a number of components to consider for your plan. First, with consideration of cascading impacts, we should identify what aspects of the hazard we can mitigate and how. If there are hasty mitigation steps we can take, those may help limit the risk to life, resources, and operations. Next, consider your concept of operations for the life safety aspect of this plan. As with any other emergency operations type of plan, we need to maintain situational awareness and have protocols for notification and warning. Using the tornado warning (during an active response) as an example, who is responsible for maintaining a watchful eye on the skies and keeping tabs on dynamic weather products? If they see something of concern, who do they notify and how? Is there an emergency radio frequency that everyone’s radio will automatically go to if used? Perhaps three blasts of an air horn? Identify what will work for your operating environment. Keep in mind that if the matter is of urgent life safety, you want to minimize the number of steps and the amount of time taken between awareness and notification to responders. Next, upon notification, what is the emergency action plan – i.e., what needs to take place? Evacuation? Shelter in place? Some other action? A great reference for this from the wildfire incident management community is Lookouts, Communications, Escape Routes, and Safety Zones (LCES), which is part of their incident safety analysis.

What happens after those protective actions? Ideally some kind of status check-in of the impacted personnel for accountability and continued situational awareness. Who is responsible for communicating that and to whom is it communicated? Is it wise to have some sort of rescue team standing by incase anyone is in trouble? If so, what resources need to be tasked to it, what is its organization, and what are their operating protocols? Can you reasonably keep the rescue team out of harm’s way to help ensure continuity of their capability?

You may also have a continuity of operations (COOP) aspect to this plan, to address how the incident management organization will minimize down time, restore prior operations, and possibly even identify alternate methods of operations. Depending on the hazard, a reassessment of the operation may need to take place to see if objectives will change to address a new situation created by impacts from this secondary incident.

Consider the current operational environment that every jurisdiction is facing at this moment. Jurisdictions, EOCs, and others should certainly have a contingency plan in place right now that addresses things like potential Coronavirus exposures, symptomatic personnel, and personnel that test positive. Many have been dealing with it, but do they have their protocols in writing? Most do not. In New York State, all public employers are now required to develop a plan to address these and other factors for public health emergencies.

Step 5 is plan preparation, review, and approval. This is the actual writing of the plan. Of course, you are in the middle of an incident, and it’s likely that the contingency(ies) you are planning for is breathing down your neck. Depending on how much haste is needed, your plan might be a few bullet points, or it could be a few pages long with more detail. Obviously do whatever is appropriate. Have the planning team members review the plan to ensure that it addresses all critical points and accurately reflects the necessary steps. Have you identified what will trigger the plan? Who is responsible for monitoring the situation? Who is responsible or activating the plan? How will they activate it and notify others? What are the responsibilities of others once they are notified?  Once you and the planning team are satisfied that you’ve addressed all the important points, the plan should be forwarded to the appropriate authority for approval, such as the incident commander, EOC manager, agency administrator, etc.

I’ll also note here that if you have multiple threats and/or hazards for which you are developing contingency plans, try to keep your contingency operations as similar as possible. The more complexity you have, especially to deal with different hazards, the more problems can occur during implementation. For example, your means and methods for notifying personnel of a tornado and a flash flood can likely be the same if their protective actions are also the same.

Lastly, step 6 is implementation of the plan. This is where someone should be working on any mitigation actions that you identified and personnel should be briefed on the plan, so they know what they are responsible for and what they need to do, when, and how.

It seems like a long process, but it can be done in a few minutes for urgent hazards. Some contingency plans may certainly be longer and more complex, especially if you are preparing for something that has a lower risk factor or something that isn’t yet a hazard, like a distant weather front. Several years back, I was part of the overhead team for a state-wide months-long debris removal initiative in the aftermath of a late season hurricane. As operations went on, we eventually entered the next hurricane season, and with that we identified the threat of future tropical storms to our area of operations (an entire state) and the operations we were responsible for. We needed to identify who and how systems would be monitored, trigger points for activation of the plan, and how to communicate emergency actions to several debris removal and debris monitoring contractors. We had time leading into hurricane season and were able to develop a well-crafted plan to meet this need. Fortunately, we didn’t have to use it.

Have you written contingency plans for incidents and events? What lessons have you learned from contingency planning?

~~

As a final bit on 2020, we are all certainly happy to see it pass. Keep in mind that while the new year offers a mental benchmark, we still have months ahead of us continuing to manage the consequences of the pandemic and our response to it. We have learned a lot of lessons from this response, which every organization should be capturing, if you haven’t already. As we go into the new year, resolve to do something meaningful with those lessons learned. Don’t just let them languish in yet another after-action report. Implement those corrective actions!

Stay safe.

© 2020 Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC

An Updated Community Lifelines Toolkit and Relationships to Incident Management

Tim Riecker, The Contrarian Emergency Manager 4 Comments

Earlier this year, FEMA released guidance on the Community Lifelines.  I wrote a piece in the spring about integrating the concept into our preparedness and response activities.  Last month, FEMA issued updated guidance for Community Lifeline Implementation through Toolkit 2.0.  In this update, FEMA cites some lessons learned in actually applying the Lifeline concept in multiple exercises across the nation, as well as from feedback received by stakeholders. Based on these lessons learned and feedback, they have made some adjustments to their toolkit to reflect how they understand, prioritize, and communicate incident impacts; the structure and format for decision-making support products. And planning for these impacts and stabilization prior to and during incidents.  They have also made some changes based upon the updated National Response Framework.  The documents associated with the updated Community Lifelines all seem to reflect an inclusion in the efforts of the National Response Framework.  It’s great to see FEMA actually tying various efforts together and seeking to provide grounded guidance on application of concepts mentioned in doctrine-level documents.

The biggest addition to the Community Lifelines update is the inclusion of the FEMA Incident Stabilization Guide.  The ‘operational draft’ is intended to serve as a reference to FEMA staff and a resource to state, local, and tribal governments on how “FEMA approaches and conducts response operations”.  It’s a 77-page document the obviously leans heavily into the Community Lifelines as a standard for assessing the impacts to critical infrastructure and progress toward restoration, not only in response, but also into recovery operations.  It even reflects on bolstering Community Lifelines in resilience efforts, and ties in the THIRA and capability analysis efforts that states, UASIs, and other governments conduct.  I’m not sure the document is really a review of how FEMA conducts operations, as they say, but it does review the ideology of a portion of those operations.  Overall, there is some very useful information and references contained in the document, but this brings me to a couple of important thoughts:

  1. The utility of this document, as with the entire Community Lifelines concept, at the state and local level is only realized through integration of these concepts at the state and local levels.
  2. We finally have guidance on what ‘incident stabilization’ really entails.

To address the first item… In my first piece on Community Lifelines, I had already mentioned that if states or communities are interested in adopting the concept of Community Lifelines, that all starts with planning.  An important early step of planning is conducting assessments, and the most pertinent assessment relative to this initiative would be to identify and catalog the lifelines in your community.  From there the assessment furthers to examine their present condition, vulnerabilities, and align standards for determining their operational condition aligned with the Community Lifelines guidelines.  I would also suggest identifying resiliency efforts (hopefully these are already identified in your hazard mitigation plan) which can help prevent damages or limit impacts.  As part of your response and short-term recovery lexicon, procedures should be developed to outline how lifeline assessments will be performed, when, and by who, as well as where that information will be collected during an incident.

As for my second item, the concept of incident stabilization has an interesting intersection with a meeting I was invited to last week.  I was afforded the opportunity to provide input to an ICS curriculum update (not in the US – more on this at a later time), and as part of this we discussed the standard three incident priorities (Life Safety, Incident Stabilization, and Property Conservation).  We identified in our discussions that incident stabilization is incredibly broad and can ultimately mean different things to different communities, even though the fundamental premise of it is to prevent further impacts.  This Incident Stabilization Guide is focused exclusively on that topic.  In our endeavor to make ICS training better, more grounded, less conceptual, and more applicable; there is a great deal of foundational information that could be distilled from this new document for inclusion in ICS training to discuss HOW we actually accomplish incident stabilization instead of making a one-off mention of it.

Going a bit into my continued crusade against the current state of ICS training… I acknowledge that any inclusion of this subject matter in ICS training would still be generally brief, and really more of a framework, as implementation still needs to be grounded in community-level plans, but this document is a great resource.  This also underscores that “learning ICS” isn’t just about taking classes.  It’s about being a professional and studying up on how to be a more effective incident manager.  ICS is simply a tool we use to organize our response… ICS is NOT inclusive of incident management.  Not only are we teaching ICS poorly, we are barely teaching incident management.

While I’ve been away for a while working on some large client projects, I’m looking forward to ending the year with a bang, and getting in a few more posts.  It’s great that in my travels and interactions with colleagues, they regularly mention my articles, which often bring about some great discussion.  I’m always interested in hearing the thoughts of other professionals on these topics.

© 2019 Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC®

10 Strategies for Improving Emergency Management

Tim Riecker, The Contrarian Emergency Manager 2 Comments

I recently listened to an interview with author and professor Sean McFate.  In the interview he discusses the changing landscape of warfare and what the US must do to keep up, particularly since we are still largely stuck in a mindset of conventional warfare.  For those interested in this very insightful interview, it was on The Security Studies Podcast.

Obviously, a great deal has changed over the decades in warfare, but many philosophies and perspectives have remained the same.  As I listened to the interview, I found McFate’s words to ring true for emergency management as well.  We have had some changes in focus from civil defense, to natural hazards, to terrorism, and now toward what seems to be the most comprehensive all-hazards perspective we’ve ever had.  We’ve also had changes in technology and methodologies, but we still seem stuck in a lot of old ways of thinking.  Emergency management isn’t linear.  In fact the lines are blurred so much that it’s hardly cyclical (another old way of thinking).

McFate espoused that high-level warfare strategies should span administrations and leadership changes.  They should be durable and adaptable.  In the interview he discussed 10 new rule of war, which were summarized from his new book.  As such, I offer 10 strategies for improving emergency management.  You will see that most of these items aren’t radical.  The fundamentals of what we do in emergency management must certainly persist, but some perspectives do need to change.  Here’s what I have to offer:

  1. More incentivization for data-driven hazard mitigation and resilience

There are a few items to unpack in this one.  First of all, fully bringing the concept of resilience on board and marrying it up hazard mitigation.  Where there is some overlap in the two, there are also distinct differences.  Ultimately, however, the ideal end state for the two is the same: eliminate or significantly reduce hazards and impacts from those hazards.  The more we start discussing hazard mitigation and resilience together, the more we will see the linkages between the two.  Hazard mitigation funding, likewise, needs to be broadened to incorporate concepts of resilience.

Another key item here is making these projects data-driven.  Let’s do a better job of quantifying risk in relatable terms.  Risk needs to include not only immediate potential impacts, but also cascading effects.  Once we have that impact data, then root cause analysis is important.  Some of this is regulation, some engineering, some human behavior.  Also keep in mind that this needs to truly be all-hazards.

Lastly, incentivization.  Incentivization isn’t just funding, and gold stickers are not tangible incentives.  Make it meaningful.  Also make these incentives more immediate.  It’s great that mitigation measures can result in a locality paying a lower percentage in the event of a future public assistance declaration, but that could happen years from now, or it might not.  That’s still good to include, but let’s be real – tax payers and law makers don’t just want to dream about the reward, they want to enjoy it now.

  1. Ground preparedness in reality

I’ve seen a lot of preparedness activities (planning, organizing, equipping, training, and exercises) based on someone’s “good ideas” instead of actual data and needs.  It’s no coincidence that I just mentioned data in the previous point.  How many jurisdictions actually use all that data from their hazard mitigation plan, generally synthesized at significant expense, for other emergency management needs?  It’s quite a rare occasion.  Why?  Most practitioners view hazard mitigation to be a totally different animal.  It’s not sexy response stuff, so they don’t see a need to pay attention to it.  Instead, they fully dismiss what was done for hazard mitigation planning and do their own hazard analysis.  It seems to be a no-brainer that we should do better at developing one system to meet both needs.

Needs assessments take time and that has a cost, but leadership should be making informed decisions about what preparedness needs exist.  Absent conducting a needs assessment, the wrong decisions can easily be made, which results in a waste of time and money.  Most every emergency management agency has a story of time and money wasted on knee-jerk reactions.

Needs assessments should be applied to every aspects of preparedness.  In planning, we want to minimize assumptions and maximize data.  If an incident of the type you are looking at has never happened in your jurisdiction, make comparisons other similar jurisdictions.  Training programs should be based on identified needs, and individual courses should be developed based upon identified needs.  Probably a good opportunity for me to mention that ICS Training Sucks (but a realistic training needs assessment would fix it).  Similarly, the objectives we identify for exercises should be grounded in recognizing what capabilities and plans we need to validate.

Observation: When we look at the 32 Core Capabilities from the National Preparedness Goal, Threat and Hazard Identification is a Core Capability sitting in the Mitigation mission area.  If threat and hazard identification is so fundamental to what we do across all of emergency management, why isn’t it a common capability along with Planning, Operational Coordination, and Public Information and Warning?  Perhaps that needs to change?

  1. Boost regional efforts and coalitions

It’s interesting that everyone talks about how emergency management is a collaborative effort, yet in practice so many are resistant, reluctant, or negligent in working collaboratively.  Sure, it’s often easier to write a plan yourself, but the end result likely isn’t as good as it would be from a group effort.  In healthcare preparedness (yep, that’s a part of emergency management, too), they have been using regional healthcare coalitions.  These coalitions cover all aspects of healthcare, from hospitals, to clinics, to private practices, nursing homes, and EMS, along with health departments.

There is certainly precedent in emergency management to work collaboratively.  There are required collaborations, such as Local Emergency Planning Committees (LEPCs), as well as those emphasized in practice, such as in plan development.  LEPCs are great, and often under-utilized in a lot of areas.  In some areas, especially those with heavy industry, they are large and busy, and can’t really take on any more than they already do, but in other areas they have much less to do and could certainly work with a dual purpose as a standing emergency management coordination or advisement entity.  Regardless of how it’s done, build a local or regional EM coalition.  The relationships and perspectives, if properly organized and tasked, will reap some great benefits.  Don’t forget to make them regional, if that makes sense for you.  Disasters don’t give a damn about the funny lines we draw on maps.  And don’t just make these groups about meetings… actually engage them in meaningful preparedness activities and other aspects of emergency management.

  1. Embrace scholar-practitioners

One of the items McFate mentioned in his interview was embracing scholar-practitioners. Now I’m not the kind of person to espouse that a practitioner is any better than a scholar, or vice versa.  They each have an important role, especially in a profession like emergency management, where there is a lot of theory (more than most people realize) and a lot of application.  That said, we don’t have to pick a side.  You can be whoever you want, in fact you can even do both.  Does being a practitioner mean that you have to be a full-time emergency manager? Nope.  Being a scholar doesn’t necessarily mean you must be a professor or a student pursuing an advanced degree, either.  I would absolutely argue that regularly reading some research papers or a book on related topics, or even this blog, makes you a scholar.  If you have interest beyond just direct application, and like to think or discuss broader ideas in emergency management, that makes you a scholar.

I think it is scholar-practitioners that have that capacity to advance our profession more than others.  Not only is this group doing, but they are thinking about how to do it better.  If they come up with an idea of how to do it better, they have the greatest chance of actually giving their idea a try.  They are also the ones most prone to share their lessons learned, both successes and otherwise.

  1. Understand emergency management as a social science

Speaking of theory, we need to recognize emergency management for what it is.  While specific applications of emergency management may be within niche areas of practice and academic disciplines, most of emergency management is really a social science.  Social science is fundamentally about the relationships of people.  That is what we do in emergency management.  There are aspects of social science that may apply more than others, such as sociology or public health, but we also need to embrace political science.

In application, emergency managers need to become more astute in politics.  Not the partisan running for office type of politics, but politics as an aspect of governance, policy, and relationship building.  As an emergency manager, it’s your job to understand what every agency and department does in your jurisdiction, and how they fit into the function of emergency management.  Yes, you can espouse the benefits of emergency management and business continuity to them, but how do they fit into emergency management?  Some connections are easy to make, especially the public safety ones or extensions of that such as transportation, public works, and public health.  But many are quick to dismiss administrative, support, and social welfare agencies.  The better you understand them and are able to champion their involvement in emergency management, the stronger coalition you will build.

  1. Mindset: always in the disaster space

I mentioned in the introduction that the lines between the phases of emergency management are blurred.  We used to teach (and some still do) of distinct phases of emergency management: mitigation, preparedness, response, and recovery.  Sure it’s easier to teach about these when we put them in their own box, but that gives the impression to many that we only do one at a time.  The reality is that most jurisdictions are certainly doing mitigation, preparedness, and recovery right now – and maybe even some element of response.

The main point here is that we need to change mindsets of people.  I’ve had plenty of people ask me what emergency managers do when there isn’t an active disaster.  I certainly have no problem satisfying this common curiosity, but the simple fact that they ask means that we aren’t promoting enough of what we do.  We need put ourselves and others in the mindset that are always operating in the disaster space.  It doesn’t need to mean that there is always a disaster response we are involved in, but we need to be very clear that we are active every single day in disaster-related work.

I’ll take this one step further, and that’s to suggest that the primary function of every government agency is emergency management.  Consider that we have roads not only for ease of everyone’s transportation, but so that we can more quickly and efficient respond to save lives and property.  Our public works departments provide potable water and sewage systems for public health purposes, which is part of the greater emergency management family.  I could give examples for every government agency.  The administrative departments support those agencies and the implementation of their missions.

It’s also worth mentioning here that since several of these agencies have involvement in our infrastructure that we need to seriously step up our investments in infrastructure, which not only make it better and more effective and efficient, but also more resilient (tying back to my first point)

  1. Step away from tactics

Far too many emergency managers still focus on tactics.  In defense of that, it’s easy to do, especially if you come from a public safety background.  I still think it’s important to understand tactics.  That said, an effective emergency manager needs to think less about implementation and more about strategy and relationships. There are plenty of tacticians out there.  One more isn’t needed.  What is needed is someone who can step back and see the forest for the trees, as they say.

  1. Private citizens won’t prepare, but volunteers can be engaged

We need to let citizen preparedness go.  I’m not saying we should give up on our message of individual and family preparedness, because it can make a difference, but we need to recognize that most citizens simply won’t do it.  This is a concept that has largely evolved out of society.  In the days of civil defense we were engaging a different generation of people.  We also presented them with a credible and scary threat that was being put in their face all the time.  Now is not that time.  Sure, there are models of citizen preparedness that still work to extraordinary lengths, such as in Cuba, but government oppression and a cold war mentality contribute significantly to that.  Our society has evolved to an extent of individuals not having the time, wherewithal, or interest in preparing themselves.  Sure there are exceptions to every rule, but largely, society has an expectation of being provided for by the government.

Citizen engagement, on the other hand, is still a great reserve that we can spend more effort tapping.  Trained, organized volunteers can accomplish an incredible extent of activity.  Volunteer management is no easy task, though.  Programs need to be developed and promoted, volunteers recruited and trained, and organizations sustained.  Volunteers must be given purpose and don’t forget about the critical link with government… how will this happen.  Religious institutions, corporate and union volunteer groups, and entities such as CERT are all great.  We just need to do a better job at incentivizing, managing, and engaging.

  1. Plan better for recovery

Ah, recovery.  Everyone talks about how we need to do it better, but too few resources are applied to making that happen.  Remember that preparedness starts with a needs assessment and planning.  We can identify estimates of disaster impacts from which we then extrapolate reasonable benchmarks of performance within the core capabilities of recovery.  The problem is that most recovery plans are written at too high a level and generally not followed through on.  Why? Maybe because the emphasis is always on the life safety aspect of response plans.  Certainly that’s important (and we can still do so much better with our response plans), but most recovery oriented plans fall incredibly short.  It seems that most governments that even bother to write recovery plans only do so to the extent of the plan being a framework.  They identify what the goals are, what agencies are involved, and provide some high-level objectives.  Typically no strategy is provided and the management of the recovery function is rarely mentioned, despite such a focus that we have on incident management.

I just recently had a discussion with a client about recovery exercises.  They were approached about the need to conduct more of them.  Smartly, they responded by putting the focus back on the requester by asking if the recovery plans were ready to be exercised.  Once the requestor took a moment to consider, their answer was no.  Remember that (in most cases) exercises validate plans.  We can conduct an exercise in the absence of a plan, but generally that only confirms the lack of a plan.  Plans establish the standards of performance that we use in exercises and in real life.

  1. Use technology to the greatest extent, but prepare for austerity

Ah, technology.  It’s a wonderful thing, until it doesn’t work.  I’m a big fan of the efficiencies that technology provide, especially when technology is developed to solve a specific problem, not to create new ones.  Processes should dictate technology needs, not the other way around.

Technology is mostly a data tool.  It helps us to communicate more quickly and efficiently; access, organize, and transmit data; visualize data; and collect data.  More specifically, we use technology platforms such as EOC management systems and GIS.  These have allowed us to make significant strides in what we do and how we do it.  I’ve used dashboards, databases, maps, 3D models, simulators, and more to do my job.

I’ve seen some emergency managers simply not embrace technology.  And I mean at all.  Not even a computer.  I understand how they are able to function, and though they may have brilliant minds for emergency management, they are simply not able to do much without an assistant to research, type, print, and even communicate for them.  While I’m seeing this less and less, there are still some of these folks out there, and it’s not just older generations, either.

There are many who have a reasonable literacy of technology, but still aren’t embracing inexpensive or even free resources that would make them more effective.  This is even more important for the majority of emergency managers, who are typically one-person offices with few resources.   Maybe listing some of these resources will occur in a future post of mine.

Despite the wonders of technology, I often advocate procedures for going dark (i.e. when your technology fails).  After all, we are emergency managers, are we not?  Every EOC that uses a technology tool to manage functions within their EOC should absolutely have a low tech back up, procedures and training in how to implement it, and an annual exercise to test those procedures and keep people in practice.  Carbon paper and gas station maps are your friends.

~~

Well there they are: 10 strategies for improving emergency management.  As I stated in the introduction, there really isn’t anything revolutionary here, although some concepts might be a bit controversial, which I am happy to embrace.  Perhaps I missed an important point or have a poor perspective on something.  I absolutely welcome your comments and feedback, as always.

© 2019 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC℠®

 

Changing The Lexicon on Terrorism Preparedness, Response, and Recovery

Tim Riecker, The Contrarian Emergency Manager Leave a comment

A couple months ago I posted about NFPA 3000: Standard for Active Shooter/Hostile Event Response Program.  Soon after posting, I ended up purchasing a copy of the standard and, combined with other readings and discussions, am fully bought into not only this standard but a change in our lexicon for this type of incident.

NFPA3000

First off, in regard to NFPA 3000, it’s not rocket science.  There is nothing in this standard that is earth shattering or itself wholly changing to what we do or how we do it.  But that’s not the intent of NFPA standards.  NFPA technical committees compile standards based upon best practices in the field. The standards they create are just that – standards.  They are a benchmark for reference as we apply the principles contained therein.  NFPA 3000 provides solid guidance that everyone in EM/HS should be paying attention to.

What NFPA 3000 has helped me realize is that our focus has been wrong for a while.  Terrorism isn’t necessarily the thing we need to be preparing for.  Why?

First, let’s look at what is generally referenced definition of terrorism in the United States.  This comes from Title 22 Chapter 38 US Code § 2656f.  It states that terrorism is “premeditated, politically motivated violence perpetrated against noncombatant targets by subnational groups or clandestine agents’.  Note that the definition focuses on motive more than action or consequence.  While motive is very important in prevention/intelligence and prosecution, it is far less important to most preparedness, response, and recovery activities.

The term ‘active shooter’ has been used quite a bit, yet it’s not a good description of what communities and responders can face when we consider that perpetrators could use means and methods instead of or in addition to firearms.  We’ve seen a wide variety of these instances that involve knives, vehicles, improvised explosives, and more.

This is why I prefer the term ‘active shooter/hostile event response’ or ASHER.  While the term has been around for a bit (a quick internet search shows references going back to at least 2013), NFPA 3000 has essentially canonized it in our lexicon.  The definition provided in NFPA 3000 is focused on the incident, rather than the motivation, and is comprehensive of any means or methods which could be used.  That definition is – Active Shooter/Hostile Event Response (ASHER): An incident where one or more individuals are or have been active engaged in harming, killing, or attempting to kill people in a populated area by means such as firearms, explosives, toxic substances, vehicles, edged weapons, fire, or a combination thereof.

When it comes to preparedness, response, and recovery ASHER is the focus we need to have.  Motivations generally make little difference in how we should respond.  We should always be looking for secondary devices or other attackers – these are not features unique to terrorist attacks.  As we do with any crime scene, we should always be mindful of evidence that can lead us to the motives and potential co-conspirators of an attacker.  That’s important for investigation, prosecution, and the prevention of further attacks.  Does the term ‘terrorism’ still have a place?  Of course it does.  In our legal system, that’s an important definition.  Philosophically, we can argue that all attacks are acts of terror, but because of the legal definition that exists of terrorism, we can’t – at least in the US.

I encourage everyone to start making the move to changing the lexicon to ASHER where appropriate.  It makes sense and gives us the proper perspective.

© 2018 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC ™

Adapting to the Cyber Threat – Who Holds Liability?

Tim Riecker, The Contrarian Emergency Manager Leave a comment

Over the past year or so, even the past few months, we have seen a huge increase in high visibility hacks and cyber attacks.  Among the highest profile attacks are:

  • Target department stores suffered the theft of credit card holder data
  • the US government had a huge theft of information of government employees as well as theft of tax payer data from the IRS
  • and just recently the theft and subsequent public release of information of Ashley Madison account holders.

While cyber attacks and hacking didn’t just start occurring recently, our society, laws, and policies have yet to grow to truly keep up with prevention, mitigation, protection, response, and recovery from these incidents.  This is a familiar place we find ourselves in with other human-caused incidents such as mass shootings.  We have recently seen some insurance companies offering cybersecurity policies.  I’m not knowledgeable of the terms and conditions of these policies, but I’m hopeful policy holders are required to have cybersecurity policies and programs in place to help prevent and mitigate against the impacts of a cyber attack.  Presumably, the insurance  policy covers financial losses to the company and perhaps even litigation.  Consumers have a variety of protections available for identity theft offered through banks and credit cards.

With the recently announced class action lawsuit against Ashley Madison, I began thinking about where the real liability for a cyber attack lies.  Certainly those individuals whose personal information was stolen (moral issues aside) may suffer some measure of financial loss.  The same can be held true for those whose data was stolen from the Target and US government hacks.  Those individuals trusted and were generally assured that their personal and financial information would be protected.  These assurances place a liability on the entity that holds their information.  However, we tend to treat liability differently for disasters and acts of terrorism where entities, so long as they made reasonable and prudent efforts to avoid impacts, are held harmless; or in the event of a criminal act, we see liability shifted to the perpetrators of the criminal act.

I’m convinced that any system can eventually be hacked and suffer either data loss or data theft.  Unlike a natural disaster, intentional human-caused incidents include the factor of persistence.  Persistence is a unique element which requires constant and concerted efforts on the part of other humans to prevent, protect, and mitigate against criminal acts.  Given the law of averages and the constant need for cybersecurity experts to keep up with all tactics used by criminals, the good guys are bound to lose a battle once in a while.  While I don’t disagree that those who have their personal information stolen through no fault of their own may be deserving of financial compensation for their losses, I’m left wondering about the real liability of those entities who make reasonable and prudent efforts to protect that data.

Certainly the perpetrators, when found guilty, are at fault and hold the ultimate responsibility, but we have difficulty in identifying and persecuting these attackers.  Even if the perpetrators are found and convicted, is there still a shared liability among other parties?

Like climate change, we struggled for many years fighting the inevitable and thinking we could stop or reverse its effects.  We are finally shifting to a new philosophy of adaptation.  While we do what we can to slow the speed of climate change, many have accepted that climate change, and thus its impacts, are an inevitability.  This leads me to suggest that we need to take the same stance with all disasters, including those caused by humans.  Incidents will occur.  While we MUST do what we can to prevent, protect, and mitigate against them, we need to shift the thinking of society to response, recovery, and adaptation for when, inevitably, it does occur.

While I’m no attorney or expert in liability and litigation, it seems to be a fairly unexplored area in terms of cybersecurity.  I welcome your thoughts and ideas on this.

© 2015 – Timothy Riecker

Emergency Preparedness Solutions, LLC

WWW.EPSLLC.BIZ

Are You Really Considering All Hazards?

Tim Riecker, The Contrarian Emergency Manager 1 Comment

Natural hazards, such as flooding, tornados, wildfire, and earthquakes, bring about the greatest losses, calculated in nearly every metric possible, as compared to human-caused incidents.  Human-caused incidents, either accidental or intentional, still bring tremendous impact to communities world-wide on a daily basis.  While working to prepare for, mitigate, respond to, and recover from natural hazards will always continue to be important, it seems that many still often forget about human-caused incidents despite all the conversations out there.

Human-caused incidents include a variety of hazards such as infrastructure failure, transportation accidents, hazardous materials incidents, and intentional attacks.  These are all things which we can fit into our traditional model of Prepare, Mitigate, Respond, and Recover.  The National Planning Goal introduced the model of the five Mission Areas – Prevention, Protection, Mitigation, Response, and Recovery – to help address our many of our major functions (Core Capabilities) for human-caused incidents (note that Preparedness is now a higher level concept that applies to all Mission Areas).  While this Mission Area model has helped bring these key activities into the greater fold of what we do, it has also kept them largely isolated through the thought that many human-caused incidents are only addressed through Prevention and Protection Mission Area activities.

Nowhere, it seems, do we see this more than in the area of hazard mitigation.  The vast majority of hazard mitigation plans which exist only address natural hazards (even at the state level).  Since many readers view this blog for my opinion, here it is – this is archaic and dangerous thinking!  We have all seen hazard mitigation plans which claim they are ‘all hazards’, yet only list natural hazards.  That’s fine, if by some unbelievable circumstance, your jurisdiction is only impacted by natural hazards.  This is a circumstance which I am highly doubtful of.  Some mitigation plans get a little more realistic and will address human-caused hazards such as dam failure and/or hazardous materials release, which were likely the greatest human-caused threats they may have been vulnerable to in the previous century.  In today’s world this still doesn’t quite get us to where we need to be.  There are a great many mitigation activities which we can leverage against human-caused incidents.

How do we fix this?  It’s easy – start with conducting a hazard analysis.  A hazard analysis, be it as a stand-alone activity or part of the THIRA process, should review all possible hazards which your jurisdiction, company, or organization is vulnerable to.  It should be comprehensive, not just limited to the set of natural hazards.  Along with infrastructure failure and hazardous materials incidents (both in-transit and fixed site), consider hazards such as active shooters, cyber attacks, improvised explosives, and civil unrest.  This may require bringing some additional subject matter experts into the room for your hazard analysis – like your IT director.  In a hazard analysis, each hazard is ranked (at a minimum) by its likelihood to occur and its severity of impact should it occur.

A well conducted hazard analysis provides the basis for everything we do in emergency management and homeland security.  It not only informs our activities such as planning, training, and exercises, it also helps assign priority to those hazards which require the greatest focus and allocation of resources.

© 2015 – Timothy Riecker

Emergency Preparedness Solutions, LLC

WWW.EPSLLC.BIZ

NIMS Alert – FEMA Seeks Feedback on Federal Interagency Operational Plans

Tim Riecker, The Contrarian Emergency Manager Leave a comment

Take some time to review and comment on these.  Be heard!  TR

<from press release>

FEMA is requesting stakeholder feedback on working drafts of four of the five Federal Interagency Operational Plans (FIOPs):  Protection, Mitigation, Response, and Recovery. The Prevention FIOP is Unclassified and For Official Use Only (FOUO)/Law Enforcement Sensitive (LES), Restricted Access and therefore available to appropriate personnel through separate and secure communication means. The FIOPs describe how the Federal government aligns resources and delivers core capabilities. Each FIOP outlines the concept of operations for integrating and synchronizing existing national-level Federal capabilities to support the whole community.

This update of the FIOPs focuses on discrete, critical content revisions, and confirming edits as a result of comments received on the National Preparedness Goal and National Planning Frameworks. Additional changes in the draft are the result of the lessons learned from implementing the FIOPs and recent events, as well as the findings of the National Preparedness Report.  The FIOPs and feedback submission forms may be found at http://www.fema.gov/ppd-8-news-updates-announcements.

To ensure all feedback is properly handled, reviewers are asked to use the provided feedback submission form to submit feedback and recommendations. Please provide any comments and recommendations, using the submission form, to PPD8-Engagement@fema.dhs.gov by Tuesday, September 2, 2015 at 5:00 PM EDT.