Tag Tim Riecker

Gauging Return on Investment in Preparedness: Planning

Tim Riecker, The Contrarian Emergency Manager 5 Comments

Inspired a bit by my previous post Measuring Return on Investment in Emergency Management and Homeland Security: Improving State Preparedness Reports, I’ve decided upon writing a series of posts picking apart our primary activities in emergency management and homeland security preparedness to identify ways to gauge our Return on Investment (ROI).  To encapsulate our primary activities, I’m using the five POETE capability elements:

  • Planning
  • Organizing
  • Equipping
  • Training
  • Exercises

Most preparedness activities within emergency management and homeland security fall within one or more of the POETE capability elements.  The capability element of Planning is the foundational activity on which all preparedness is built and will be the topic of this post.  Here’s what I’m covering:

  • What is Return on Investment?
  • What planning efforts are involved in preparedness?
  • What organizational investments are involved in Planning?
  • Does the planning effort comply with applicable standards?
  • Can the plan be implemented?
  • What will exercises tell you?
  • Is there a need to maintain plans?

Return on Investment, or ROI, is a business term used to identify the profitability of certain investments or actions.  While preparedness is certainly done to protect against losses, for public and private sector alike, we generally don’t see preparedness activities as generating revenue.  However, when most entities INVEST time, money, and other resources into preparedness activities, they often want a reasonable assurance that their investment has paid off.  How do we gauge ROI for planning efforts?

First off, what planning efforts might we see in public or private organizations?  Obviously emergency and disaster plans are the big ones.  These plans are designed to identify key processes, such as alert and notification, response organization and incident management, and others which are intended to save lives and protect property.  These plans are likely to have annexes and appendices which address uniqueness of certain hazards, response circumstances, and support activities.  Continuity plans – usually business continuity or government continuity – identify how the organization will survive as an entity in the face of disaster.  Planning activities also involve the creation, review, and maintenance of policies and procedures.  We also create plans for hazard mitigation, long term recovery, specific events, and other needs.

What investments are involved in planning activities?  Organizations can and should allocate staff time and physical space and infrastructure to planning efforts.  The dedication of staff (full or part time) and/or consultants is often required, especially when planning efforts are viewed as a continual process and a critical part of preparedness.  The organization itself must make a commitment to the planning effort.  This commitment isn’t just in concept, but also practical involvement of staff throughout the organization, access to information, and even an involvement of third parties.

Certainly a first step in assessing return on investment of planning is to evaluate compliance with applicable rules, regulations, and guidelines.  These requirements can be hard (legally binding) or soft (general guidance) and can differ from industry to industry, nation to nation, and state to state.  Here in the US, FEMA provides guidance on emergency planning through Comprehensive Preparedness Guide (CPG) 101.  Some states may have requirements for emergency planning, such as New York State’s Executive Law Article 2-bNFPA 1600: The Standard on Disaster/Emergency Management and Business Continuity Programs is often referenced by public and private entities alike, while the International Standards Organization (ISO), has many industry-specific requirements for emergency planning.  If grant funding is being used for the planning effort, the grant may also have specific requirements.  Regardless of what the requirements are, planning efforts, plans, and associated documents should be audited to ensure that requirements are met.

Compliance, however, isn’t necessarily indicative of a good planning effort.  I’ve seen many plans which may meet requirements but the content itself was severely lacking.  Far too often planners get caught up in the world of checking boxes and fail to consider implementation.  If a plan cannot be implemented, it is useless to the organization.  Many plans exist now that meet applicable requirements but are still yet vacant of any meaningful direction or guidance in the event of an emergency.  These types of ‘plans’ are really better seen as policy documents.  A plan should identify what will be done, when, how, and by who.  If your ‘plan’ simply contains a statement on the requirement to use NIMS/ICS, but doesn’t provide detail on who will be in charge of what, when, and how; it is a policy document, not a plan.  Plans and their associated documents (i.e. procedures, guidelines, and job aids) need to chase down the lifespan of each critical step, especially early in a response.  They must identify who is responsible to make key decisions, who will be notified (how and by who), and who will take what actions.  A logical review of planning documents by the planning committee or perhaps even a third party is another good means of assessing your return on investment.

Does the plan work?  This is, perhaps, the ultimate factor in determining return on investment.  Usually our best means for identifying if a plan works is to exercise it.  Exercises provide a controlled and focused environment for testing plans or components of plans.  They will also help us in identifying if the plan can truly be implemented.  I’ve written a lot on exercises: articles can be found here.  (I also anticipate writing about assessing ROI for exercises as part of this series).  Generally, an incremental exercise program is usually recommended, beginning with discussion-based exercises – such as table tops and workshops – and progressing to operations-based (hands on) exercises.  A well written and honestly evaluated exercise will go a long way toward identifying the return on investment of your planning efforts.

Are we there yet?  Nope.  Planning, like all other preparedness efforts, requires maintenance.  If you create a plan then walk away, even if it’s a good plan, your plan’s value will diminish over time – and we’re talking months, not decades.  Think about how often something changes in your organization.  Staffing.  Equipment.  Technology.  Procedures.  Insurance policies.  All of these things, and more, influence your plans in some way.  Over time these changes not only occur, but also compound and move the present reality of your organization further from the assumptions of your planning efforts.  This is why plans must be maintained and updated on a regular basis.

Is there some mathematical formula for identifying the return on investment of preparedness efforts?  Given all the factors involved and their fluidity, I don’t think so.  It’s not cut and dry like a traditional business investment.  As you can see, though, there are a number of steps we can take to assess the utility of our investment.  I’ve seen organizations pay a lot for bad plans, and others pay much less for great plans.  Not only do organizations need to ensure that their planners know what they are doing, but the organization itself needs to have a commitment to success.  Without it, the planning effort is doomed to fail.

As always, feedback is appreciated.  What are your thoughts on assessing the return on investment of planning efforts?  What do you think is a good measure?

Does your organization need a new plan or need to update a plan?  Do you need help with the planning process or evaluating your organization’s preparedness?  How about exercises?  Emergency Preparedness Solutions can help!  Email to consultants@epsllc.biz or visit www.epsllc.biz.

© 2015 – Timothy Riecker

Emergency Preparedness Solutions, LLC

WWW.EPSLLC.BIZ

Measuring Return on Investment in Emergency Management and Homeland Security: Improving State Preparedness Reports

Tim Riecker, The Contrarian Emergency Manager 3 Comments

A lot of money is spent within the emergency management and homeland security enterprise.  Looking just at the last couple of years of annual Homeland Security Grant Program (HSGP) (this is the annual grant provided by the US Federal government to states and urban areas), $1.044 billion was allocated in FFY 2015 and $1.043 billion allocated in FFY 2014.  These billions of dollars only account for a portion of spending within EM/HS.  There are other federal initiatives as well as state, tribal, territorial, and locally funded efforts.  Businesses and NGOs also invest significantly in emergency management, homeland security, and business continuity activities.  But where does it all get us?

Through the past decade or so there have been a few efforts by DHS/FEMA to try to measure preparedness, ideally to identify improvements in our preparedness as the result of the billions of dollars invested.  None of these efforts have really provided obvious and tangible results.  The current measure is through annual State Preparedness Reports (SPRs), which utilize the THIRA process (Threat and Hazard Identification and Risk Assessment) outlined in Comprehensive Preparedness Guide (CPG) 201 as a foundation, but with the POETE analysis (Planning, Organizing, Equipping, Training, and Exercising) for each of the 31 Core Capabilities.  (You can find articles I’ve written on the utility and application of POETE here.) The SPR is a good methodology for identifying the current condition of preparedness for each state as viewed through the 31 Core Capabilities.  The POETE analysis helps to identify the strengths and weaknesses within each Core Capability.

The SPR, however, still falls short.  How can we improve it?

1. Include historical data for trend analysis. The SPR largely provides only a snapshot of current conditions.  The format of the SPR does not provide for any analysis of historical data to identify trends (i.e. improvements or otherwise) in the state’s assessed condition of its 31 Core Capabilities.  FEMA regional offices, upon receipt of an SPR, do provide a brief feedback report of the current SPR with a passing mention of the previous year’s submission, but the report provides so little information it could hardly be called an analysis.

A rudimentary table identifying trends for a selected Core Capability is below.  For those not familiar, higher scores rate a higher measure of capability.  In this table, I’ve identified POETE elements which have trended lower from year to year with a RED highlight, and those which have trended higher with a GREEN highlight.  A simple analysis such as this give an at-a-glance comparison.  To make this analysis more comprehensive, I would suggest the addition of narrative for each trend (higher or lower) which explains what has changed to warrant the new ranking.

Historical Comparison of a Core Capability

2. Include a financial analysis for the current year to identify return on investment. An identification and summary of key program area investments for the year will lay the groundwork for a return on investment (ROI) analysis.  ROI will help identify how much bang for the buck you are getting in certain areas.  It’s easy to lose sight through the year from a program management perspective on how much money was spent on certain programs and activities – especially for larger agencies with a layered bureaucracy.  Incorporating this analysis into an SPR is not only good financial and program management, but provides an opportunity to identify where money was spent and to measure, at least on a broader scale, what the results were.  Certainly we have to fund continued operations to simply sustain our capabilities, but we should also be funding, where possible, programs to enhance our high priority capabilities and those needing the most improvement.

Again, as a rudimentary example, we can build on the table provided earlier to identify where funds were spent to see if they made a difference in our level of preparedness.  As with the earlier example, a narrative should be provided for each investment to identify what it was and assess the impact.  This also provides an excellent opportunity to review the investment justification written for grants to determine if the investment met the intended objectives (which should have been to maintain or enhance some aspect of the capability).  Historic investment data can also be included for each year.  This all leads directly to identifying the return on investment – did the investment make a difference and to what extent?

Historical Analysis of a Core Capability with Identified Investments

Ultimately this added data and analysis requires more work, potentially the involvement of more people, and likely more time to complete the SPR.  However, this new process will also result in a positive return on investment itself by helping to identify trends and outcomes.  Financial information is regularly reported to DHS (for those grants that originate with them) in the form of progress reports, but that information is stovepiped and usually not associated with a more comprehensive assessment such as the THIRA/SPR.  Bringing this data together paints a much more accurate picture.

The concept of preparedness is difficult to put in a box.  It’s amorphic and challenging to identify, yet people often ask the question ‘Are we prepared?’  States, locals, DHS, and Congress often have difficulties measuring preparedness and advances in preparedness, especially relative to the dollars spent on it.  The GAO has regularly recommended efforts to better identify return on investment, yet we haven’t gotten there.  The recommendations identified here can bring us much closer to nailing down where we are and where we need to be.  Armed with this knowledge, we can make better decisions for future investments and activities.

Moving forward, I expect to write a bit on each POETE element, with my thoughts on how we can identify return on investment for each.  As always, I’m very much interested in your thoughts on the approach I identified above and how we can better identify return on investment in the realm of emergency management and homeland security.

If you are interested in utilizing this approach to better identify your return on investment for local, state, tribal, territorial, or organizational preparedness efforts (whether or not you do a State Preparedness Report), Emergency Preparedness Solutions is here to help!  Check out our website at www.epsllc.biz or contact me directly to discuss what we can do for you.

© 2015 – Timothy Riecker

Emergency Preparedness Solutions, LLC

WWW.EPSLLC.BIZ

FEMA Seeking Comment on Preliminary Damage Assessment Manual

Tim Riecker, The Contrarian Emergency Manager Leave a comment

Released last week, FEMA is seeking comment from emergency managers on the draft FEMA Damage Assessment Operating Manual.  The manual establishes (much needed!) national damage assessment standards developed from historic lessons learned and best practices already in use by local, state, tribal, territorial, and federal emergency management agencies.

The draft manual and comment matrix are posted in the FEMA Library.  FEMA asks that comments be submitted no later than November 14, 2015 to Mr. Ryan Buras, Senior Program Advisor at PDAmanual@fema.dhs.gov.

Emergency managers – Be Heard!

-TR

ICS Training Sucks… So Let’s Fix It

Tim Riecker, The Contrarian Emergency Manager 8 Comments

A great many of you are familiar with the piece I wrote in June called Incident Command System Training Sucks.  In it, I identify that the foundational ICS courses (ICS-100 through ICS-400 – but especially ICS-300 and ICS-400) simply do not provide the skills training that emergency managers across all disciplines require to utilize the system efficiently, effectively, and comfortably.  ICS Training Sucks turned out to be a popular piece which had a great deal of support from the first responder and emergency management community – which I am very grateful for.  The amount of comments and feedback was indicative to me that I was on the right track and that I need to revisit the topic and explore more.

At the center of my argument stands Bloom’s Taxonomy.  Bloom’s is a learning hierarchy which helps to identify the depth of instruction and learning.  Here is Bloom’s Revised Taxonomy.  We’ll be referencing it a bit in the examples I provide.

Bloom's Revised Taxonomy

Bloom’s Revised Taxonomy

Take a moment to read through the descriptions of each of the ‘orders of thinking’ in Bloom’s.  Go ahead, I’ll wait…

Done?  Good.  Most would agree that courses such as ICS-300 and ICS-400 should attempt to convey learning at the Apply level, correct?  Unfortunately, that perception, while wildly popular, is wrong.  Most of the learning objectives of the two courses (objectives are our reference points for this) are at the Understand and Remember levels.  Yeah, I was a bit surprised, too.

In ICS Training Sucks, I provided a greater detail of the background analysis (it summarized the narrative of a Master’s research paper I wrote), so if you want more, simply go back and check it out.  While I make a few broad recommendations in that piece, there has been a need to examine our path to fixing this more closely.

In the development of curriculum, there exist several models.  The most commonly used model is the ADDIE model, which stands for Analysis, Design, Development, Implementation, and Evaluation.  The first step, Analysis, is really the most important, although often the most ignored or cut short.  People think they know what the need is, but often don’t really understand it.  If you are interested, I’ve written a piece on the topic of Analysis for Training Magazine last year.

Even though we are suggesting a re-write of the ICS curriculum, or parts thereof, Analysis is extremely important.  The roots of the current curriculum we use goes back to circa 1970s wildfire ICS courses.  These are good courses, and while I’m not sure if they fully met the need then (although they did advance us quite a bit), their evolved versions certainly DO NOT now.  There is no sense in repackaging the same product, so let’s first figure out what people need to know to do their jobs effectively.  Essentially, this leads us to identifying a list of key core competencies in ICS.  Core competencies will define the level of competence needed in a particular job or activity.  We can easily use the levels of Bloom’s as our reference point to establish common definitions for the levels of competence.  What am I talking about?

Let’s pick one key activity in ICS to examine.  Resource Management is a great example as it shows the disparity between what exists and where we need to be.  Resource Management is discussed in Unit 6 of the ICS-300 course.  I think most would agree that we expect most every jurisdiction to be able to implement sound resource management practices.  Implement is the key word.  Implementation is indicative of the Apply level of Bloom’s Taxonomy.  When looking at unit objectives in the ICS-300 course for unit 6, the key words are identify and describe.  Identify is indicative of the Remember level of Bloom’s Taxonomy, while describe is indicative of the Understand level.  Both fall short of application.  While we aren’t looking for this curriculum to create incident management teams, we still expect most jurisdictions to be able to manage resources, which is certainly a core competency of incident management.

I think the NIMS doctrine provides a good starting point for identifying core competencies.  In an effective study, there may be other competencies identified – perhaps topics such as leadership, that may not necessarily be found in a revised ICS curricula, but can be obtained through other training courses.  This could lead to an important differentiation between core competencies (those that MUST be included in ICS training) and associated competencies which can be sourced elsewhere.

Further, we can capitalize on what we have learned through implementation of the current ICS curriculum and previous iterations.  We know that multidisciplinary training is most effective since larger incidents are multidisciplinary.  We also know that training must be interactive and maximize hands-on time.  The past few updates to the ICS courses have done a great job of encouraging this, but we need more.

Making more detailed recommendations on fixing ICS training will take time and effort, as a solid Analysis must first be done.  Once core competencies can be identified and defined, then a strategy for revamping ICS training can be developed.  As mentioned in ICS Training Sucks, this approach should be multi-faceted, using both new and (good) existing courses to support it. Let’s not be bound by what currently exists.  We don’t necessarily have to create a ‘new’ ICS-300 or ICS-400 course.  Let’s create courses within a broader program that meets the needs of the emergency management community.  They may no longer be called ICS-300 and ICS-400.  Perhaps these two will be replaced by four smaller courses?  Who knows where this path will take us? The bottom line is that we need to be responsive to the needs of the learners, not bound by “the way we’ve always done it.”

As always, feedback is appreciated.  Perhaps there exists an institution that has the desire and funding to pursue this further?  I’m fully onboard!

© 2015 – Timothy Riecker

Emergency Preparedness Solutions, LLC

WWW.EPSLLC.BIZ

Community-driven Preparedness

Tim Riecker, The Contrarian Emergency Manager Leave a comment

As many of you know, September is National Preparedness Month.  The website offers a number of resources, mostly for governments, to engage citizens and community groups in preparedness.  Higher level engagement of citizens is extremely important to better enable to them to care for themselves for a period of time so they are less dependent upon government and emergency services in the event of a disaster, freeing up these services to address matters of high impact and high importance.

National Preparedness Month is a great opportunity to get information out to everyone!  Consider every facet of your community.

  • Schools and day cares
  • colleges and universities
  • nursing homes, assisted living facilities, retirement homes
  • business and industry
  • community organizations, service organizations, labor unions
  • religious organizations
  • government offices
  • travel and tourism offices and entertainment venues

What will you do to get the word out?  I’d suggest a multi-pronged approach… static information on your website is a good central point to direct people to.  Pamphlets and handouts are great to get information into people’s hands, especially at gatherings.  Social media is a great outreach tool that should be used often.  (and if you think you are OK just having a Facebook account, you really need to take a social media class!).  With organized groups, invest time to meet with them and present to them.

One of my biggest tips is to actually give people something to do, give them a mission.  Don’t just direct them to preparedness information and count on them to do something with it.  Busy people (and even non-busy ones) aren’t wired that way.  ENGAGE them!  Don’t just speak at them.  Challenge them to be prepared and give them benchmarks.  Tell them how important it is for them to be prepared, not just for themselves, but for their families, their neighbors, and their communities.

Target your message to the specific groups you are speaking to.  A senior citizens organization should be getting a vastly different message than the Chamber of Commerce.  Organizations at all levels can be encouraged to join a VOAD (if you don’t have one – form one!) or other coalition to provide services before and after disasters.  There is no longer any mission for the community that is just for one organization any more.  The demands are too high for that.  Sheltering can’t be handled by the Red Cross alone and the local humane society or ASPCA can’t handle all pets in a disaster on their own.  I’m betting even your health department could use a hand with points of distribution.

Businesses can help, too.  Along with becoming a community partner, they also need to be prepared.  The SBA, through Agility Recovery, is offering a number of webinars this month which can be found here.

Yes, all this campaigning takes some serious time and effort.  Engage others to help you, establish a strategy and a message, and get out there.  Community preparedness pays dividends.

As with most things I write about, Emergency Preparedness Solutions can help you with community messaging and engagement – any time of year!  Info below.

© 2015 – Timothy Riecker

Emergency Preparedness Solutions, LLC

WWW.EPSLLC.BIZ 

A book of worst-case scenarios

Tim Riecker, The Contrarian Emergency Manager 3 Comments

I came across this article yesterday about US Rep Michael McCaul from Texas (who happens to chair the House Homeland Security committee) penning a book titled “Failures of Imagination: The Deadliest Threats to Our Homeland — and How to Thwart Them”.  The book, set to be published in January, will apparently outline a variety of terrorist attack scenarios against the US and how they can be stopped.

I’ve written in the past about the necessity to consider credible worst-case scenarios (natural and human-caused) which can impact your jurisdiction or organization.  Following the model outlined by Comprehensive Preparedness Guide (CPG) 201 for the Threat and Hazard Identification and Risk Assessment (THIRA) process, it’s not just enough to say you are vulnerable to flood or wild fire.  To identify what your specific vulnerabilities are (location, duration, severity), it is necessary to flesh these out into scenarios.  Identification of these vulnerabilities will then help identify impacts, such as those to infrastructure, resources, and populations.  Plans should then be based upon these impacts.

I’m doubtful that Rep McCaul’s book will provide any foundation for planning (although I don’t think it’s intended to), however the scenarios contained may be eye opening to EMHS professionals and even citizens.  Regular readers of this blog know I feel that we are on borrowed time regarding terrorist attacks.  Yes we have experienced some on US soil (and the UK, Canada, Australia, France, India, and many other nations), and they have been devastating, but we have to know that with organizations such as ISIS thriving on our planet, more will come.  Mumbai-type scenarios, with multiple coordinated simultaneous attacks can be crippling and certainly demonstrate what a credible worst-case scenario could look like.

I’m interested to see what Rep McCaul’s book contains.  I’ll be sure to publish a review once it comes out and I’ve had an opportunity to read it.

© 2015 – Timothy Riecker

Emergency Preparedness Solutions, LLC

WWW.EPSLLC.BIZ 

Rebranding

Tim Riecker, The Contrarian Emergency Manager Leave a comment

As this blog approaches its three year anniversary, I’m feeling that it’s time for a face lift.  Over the last three years I’ve posted a total of 235 blog posts which have received over 31,000 views from nearly 19,000 visitors from 110 nations around the world (these are the WordPress stats and don’t reflect numbers of views on LinkedIn or other sites).  I’m very thankful for my followers and all viewers and especially thankful for those who have taken the time to comment on posts.

The blog has become a great platform for me to learn and grow as a professional.  It has also turned into a great communication platform for my company, Emergency Preparedness Solutions. As such, the name of blog has been changed from ‘Tim’s Thoughts’ to ‘On Emergency Management and Homeland Security’.  We wanted to make the content more obvious from the title.  The content isn’t going to change – we will continue publishing topical articles, news, and opinion pieces on emergency management and homeland security topics.  We also hope to have some guest posts from colleagues in the EM/HS field.

We hope you like the new name and the new look.  Thank you, as always, for reading.  If you like what you read, follow us and pass the site on to colleagues.

TR

What is the Top Sector at Risk for Cyberattacks?

Tim Riecker, The Contrarian Emergency Manager 1 Comment

3D Electric powerlines over sunrise

According to this article in the Insurance Business America magazine, it’s the energy sector.  This is no surprise, even without the statistics provided in the article; although the statistics are pretty staggering.  The article states that according to DHS “more than 50% of investigated cyber incidents from October 2012 to May 2013 occurred within the energy sector”.  The advice in the article is pretty sound and coincides well with what I’ve suggested many times in this blog… be prepared!  Not only do power utilities need to have their own cybersecurity experts and the policies, plans, and infrastructure to prevent cyberattacks, they also need to be prepared for the potential success of the attackers.  They need to know who to notify (and how), and what actions to take.  Further, those that depend on electricity should have an alternate means of obtaining electricity to meet essential needs.

Threats to our infrastructure show just how interconnected we are and how interconnected our critical infrastructure is.  This is the primary reason why our energy infrastructure, which touches every other sector, is so essential.  We must ensure that we have in place prevention and protection plans, such as cybersecurity plans; hazard mitigation plans to lessen the impacts; response plans to address critical issues; and recovery plans to return to operations.  Business continuity is also an essential component of this – even if you are an NGO or government entity (continuity of government).

Along with proper planning, training, and exercises, we need to continue to promote legislation which requires measures for cybersecurity and protection of our critical infrastructure.

What are your major critical infrastructure concerns?

© 2015 – Timothy Riecker

EMERGENCY PREPAREDNESS SOLUTIONS, LLC

WWW.EPSLLC.BIZ

Adapting to the Cyber Threat – Who Holds Liability?

Tim Riecker, The Contrarian Emergency Manager Leave a comment

Over the past year or so, even the past few months, we have seen a huge increase in high visibility hacks and cyber attacks.  Among the highest profile attacks are:

  • Target department stores suffered the theft of credit card holder data
  • the US government had a huge theft of information of government employees as well as theft of tax payer data from the IRS
  • and just recently the theft and subsequent public release of information of Ashley Madison account holders.

While cyber attacks and hacking didn’t just start occurring recently, our society, laws, and policies have yet to grow to truly keep up with prevention, mitigation, protection, response, and recovery from these incidents.  This is a familiar place we find ourselves in with other human-caused incidents such as mass shootings.  We have recently seen some insurance companies offering cybersecurity policies.  I’m not knowledgeable of the terms and conditions of these policies, but I’m hopeful policy holders are required to have cybersecurity policies and programs in place to help prevent and mitigate against the impacts of a cyber attack.  Presumably, the insurance  policy covers financial losses to the company and perhaps even litigation.  Consumers have a variety of protections available for identity theft offered through banks and credit cards.

With the recently announced class action lawsuit against Ashley Madison, I began thinking about where the real liability for a cyber attack lies.  Certainly those individuals whose personal information was stolen (moral issues aside) may suffer some measure of financial loss.  The same can be held true for those whose data was stolen from the Target and US government hacks.  Those individuals trusted and were generally assured that their personal and financial information would be protected.  These assurances place a liability on the entity that holds their information.  However, we tend to treat liability differently for disasters and acts of terrorism where entities, so long as they made reasonable and prudent efforts to avoid impacts, are held harmless; or in the event of a criminal act, we see liability shifted to the perpetrators of the criminal act.

I’m convinced that any system can eventually be hacked and suffer either data loss or data theft.  Unlike a natural disaster, intentional human-caused incidents include the factor of persistence.  Persistence is a unique element which requires constant and concerted efforts on the part of other humans to prevent, protect, and mitigate against criminal acts.  Given the law of averages and the constant need for cybersecurity experts to keep up with all tactics used by criminals, the good guys are bound to lose a battle once in a while.  While I don’t disagree that those who have their personal information stolen through no fault of their own may be deserving of financial compensation for their losses, I’m left wondering about the real liability of those entities who make reasonable and prudent efforts to protect that data.

Certainly the perpetrators, when found guilty, are at fault and hold the ultimate responsibility, but we have difficulty in identifying and persecuting these attackers.  Even if the perpetrators are found and convicted, is there still a shared liability among other parties?

Like climate change, we struggled for many years fighting the inevitable and thinking we could stop or reverse its effects.  We are finally shifting to a new philosophy of adaptation.  While we do what we can to slow the speed of climate change, many have accepted that climate change, and thus its impacts, are an inevitability.  This leads me to suggest that we need to take the same stance with all disasters, including those caused by humans.  Incidents will occur.  While we MUST do what we can to prevent, protect, and mitigate against them, we need to shift the thinking of society to response, recovery, and adaptation for when, inevitably, it does occur.

While I’m no attorney or expert in liability and litigation, it seems to be a fairly unexplored area in terms of cybersecurity.  I welcome your thoughts and ideas on this.

© 2015 – Timothy Riecker

Emergency Preparedness Solutions, LLC

WWW.EPSLLC.BIZ

When is Consolidation of Public Safety Agencies a Good Idea?

Tim Riecker, The Contrarian Emergency Manager Leave a comment

A recent effort for the consolidation of three fire departments near our office in Central New York failed.  The consolidation, discussed in earnest for nearly a year with positions both for and against, narrowly lost in a public referendum.  News article here: http://www.uticaod.com/article/20150818/NEWS/150819437.

Having worked in public safety for nearly 20 years, I’ve seen quite a few consolidation efforts.  Some successful, most voted down before they even had a chance.  Most efforts have been related to fire departments, some with EMS agencies, and a few related to law enforcement.  While I’ve seen some early in my career, it seems there has been an increase in consolidation proposals in recent years.  Why?

It seems the most significant factor in these proposals is economic.  Despite the slow upturn in the economy, government budgets are still struggling.  The need to spread the burden of common administrative costs, like insurance; ensure appropriate staffing coverage; and to address equipment issues, such as standardization for interoperability; are the top items of discussion.  In some cases there is also a need to reduce the personnel costs through consolidation by reducing the overall number of executive-level officers and support staff, and to reduce real estate costs by reducing the number of stations.  While not all of these reasons are applied all the time, these are quite commonly identified as reasons for consolidation.  The bottom line for consolidation is that it saves money while, ideally, not increasing response times or public access to services.

As for the reasons against consolidation… there are many who don’t seem to trust the promise of savings.  Certainly there have been a great number of failed attempts by government or other organizations to restructure in the name of cost savings and come nowhere near reaching their target.  Others are afraid of the loss of jobs and access to services.  Some, in my opinion, are just being territorial.

Obviously consolidation, or any change in government structure or services, needs to be carefully studied, reviewed, and if decided upon, implemented in accordance with a carefully designed plan and a watchful eye.  This especially holds true for public safety.  Just like any idea out there, it can work if carefully implemented, but it may not be suitable for everyone.

Where do you stand on public safety consolidations?  What success stories do you have?  How about failures?

© 2015 – Timothy Riecker

Emergency Preparedness Solutions, LLC

WWW.EPSLLC.BIZ