Be sure to head over to https://training.fema.gov/is/ to check out the updated IS-100.c (Introduction to the Incident Command System) and IS-700.b (Introduction to the National Incident Management System). These courses have been updated to reflect the ‘refreshed’ NIMS doctrine, which includes some information on EOC structures, among other things. For my review of the NIMS refresh, check out this article.
©2018 – Timothy Riecker, CEDP
In late May, FEMA/DHS released an updated version of Comprehensive Preparedness Guide (CPG) 201. For those not familiar, CPG 201 is designed to guide communities and organizations through the process of the Threat and Hazard Identification and Risk Assessment (THIRA). This is the third edition of a document that was originally released in April 2012. This third edition integrates the Stakeholder Preparedness Review (SPR) into the process. Note that ‘SPR’ has commonly been an acronym for State Preparedness Report, which is also associated with the THIRA. The goal of the Stakeholder Preparedness Review appears to be fundamentally similar to that of the State Preparedness Report which some of you may be familiar with.
First of all, a few noted changes in the THIRA portion of CPG 201. First, FEMA now recommends that communities complete the THIRA every three years instead of annually. Given the complexity and depth of a properly executed THIRA, this makes much more sense and I fully applaud this change. Over the past several years many jurisdictions have watered down the process because it was so time consuming, with many THIRAs completed being more of an update to the previous year’s than really being a new independent assessment. While it’s always good to reflect on the progress relative to the previous year, it’s human nature to get stuck in the box created by your reference material, so I think the annual assessment also stagnated progress in many areas.
The other big change to the THIRA process is elimination of the fourth step (Apply Results). Along with some other streamlining of activities within the THIRA process, the application of results has been extended into the SPR process. The goal of the SPR is to assess the community’s capability levels based on the capability targets identified in the THIRA. Despite the THIRA being changed to a three-year cycle, CPG 201 states that the SPR should be conducted annually. Since capabilities are more prone to change (often through deliberate activities of communities) this absolutely makes sense. The SPR process centers on three main activities, all informed by the THIRA:
The assessment of capabilities is intended to be a legacy function, with the first assessment establishing a baseline, which is then continually reflected on in subsequent years. The capability assessment contributes to needs identification for a community, which is then further analyzed for the impacts of that change in capability and the identification of funding sources to sustain or improve capabilities, as needed.
An aspect of this new document which I’m excited about is that the POETE analysis is finally firmly established in doctrine. If you aren’t familiar with the POETE analysis, you can find a few articles I’ve written on it here. POETE is reflected on several times in the SPR process.
So who should be doing this? The document references all the usual suspects: state, local, tribal, territorial, and UASI jurisdictions. I think it’s great that everyone is being encouraged to do this, but we also need to identify who must do it. Traditionally, the state preparedness report was required of states, territories, and UASIs as the initial recipients of Homeland Security Grant Program (HSGP) sub-grants. In 2018, recipients of Tribal Homeland Security Grant Program funds will be required to complete this as well. While other jurisdictions seem to be encouraged to use the processes of CPG 201, they aren’t being empowered to do so.
Here lies my biggest criticism… as stated earlier, the THIRA and SPR processes are quite in-depth and the guidance provided in CPG 201 is supported by an assessment tool designed by FEMA for these purposes. The CPG 201 website unfortunately does not include the tool, nor does CPG 201 itself even make direct reference to it. There are vague indirect references, seeming to indicate what kind of data can be used in certain steps, but never actually stating that a tool is available. The tool, called the Universal Reporting Tool, provides structure to the great deal of information being collected and analyzed through these processes. Refined over the past several years as the THIRA/SPR process has evolved, the Universal Reporting Tool is a great way to complete this. As part of the State Preparedness Report, the completed tool was submitted to the FEMA regional office who would provide feedback and submit it to HQ to contribute to the National Preparedness Report. But what of the jurisdictions who are not required to do this and wish to do this of their own accord? It doesn’t seem to be discouraged, as jurisdictions can request a copy from FEMA-SPR@fema.dhs.gov, but it seems that as a best practice, as well as a companion to CPG 201, the tool should be directly available on the FEMA website. That said, if the THIRA/SPR is being conducted by a jurisdiction not required to do so, the tool would then not be required – although it would help.
Overall, I’m very happy with this evolution of CPG 201. It’s clear that FEMA is paying attention to feedback received on the process to streamline it as best they can, while maximizing the utility of the data derived from the analysis. A completed THIRA/SPR is an excellent foundation for planning and grant funding requests, and can inform training needs assessments and exercise program management (it should be used as a direct reference to development of a Training and Exercise Plan).
For those interested, EPS’ personnel have experience conducting the THIRA/SPR process in past years for a variety of jurisdictions and would be happy to assist yours with this updated process. Head to the link below for more information!
© 2018 – Timothy Riecker, CEDP
This week the world lost two celebrities to suicide. These losses are absolutely tragic, and even if you didn’t know them personally, it raises awareness of mental health matters. In the last few days the world also lost many people to suicide that so many of us don’t know, but they were a son, daughter, father, mother, brother, sister, aunt, uncle, cousin, friend, spouse, lover… Some of those were also responders, dispatchers, doctors, nurses, or others that deal with tragedy every day and make our communities safer. They may have been a coworker or colleague. A brother or sister on the line.
Despite a lot of efforts to change perspectives, depression, PTSD, and suicide are still labels that are associated with shame and weakness. There is nothing shameful or weak about them. They are a reality of life. If you haven’t been effected by them directly, you know someone who has.
When you work in public safety, you deal with some pretty bad shit. Not just once, but over and over. You see people at their worst. Your see death and devastation. You see hopeless and desperate people. Broken people. Sadness and anger. We see more than most people do. On top of that, we deal with our own personal issues. Maybe a divorce, illness of a family member, or death of a pet. Finances might be tight.
How do we deal with it? We build walls. We make it impersonal. We stay professional and work in the moment, focusing on what needs to be done. But what do you think about after the call? Or the next day? Or even years after? Sometimes it doesn’t hit you right away. Sometimes it’s something completely different that triggers memories and emotions. What then? Maybe we shrug it off, or maybe we shut down for a while and have a bad day. But that bad day turns into another and another. Soon you may not be able to remember happiness.
What should we be doing? Talk to people. Maybe a coworker, a friend, or a mental health professional. If you are in a paid service, you may have an employee assistance program. Fuck the stigma, the shame, and the macho bullshit. This is as serious as cancer or a heart condition. You can’t ignore it and expect it to go away.
Maybe it’s not you, but a friend or coworker. You notice changes. Irritability. A lack of focus. Dramatic loss or gain of weight. Alcohol and drug abuse. Talk to them. Find a professional to talk to them. Yeah, it’s a tough call to make, but it could save their life.
Depression, PTSD, and suicide suck. We can’t ignore their impact on society and on public safety professionals. We need to work harder to end the stigma and ensure better access to services so people can get the help they need and stop suicides.
©️ 2018 – Timothy Riecker, CEDP
Harris County, Texas has recently released their After Action Report (AAR) for Hurricane Harvey that devastated the area last year. I applaud any AAR released, especially one for an incident of this magnitude. It requires opening your doors to the world, showing some incredible transparency, and a willingness to discuss your mistakes. Not only can stakeholders in Harris County learn from this AAR, but I think there are lessons to be learned by everyone in reviewing this document.
First, about making the sausage… The AAR includes an early section on the means and methods used to build the AAR, including some tools provided in the appendix. Why is this important? First, it helps build a better context for the AAR and lets you know what was studied, who was included, and how it was pulled together. Second, it offers a great example for you to use for future incidents. Developing an AAR for an incident has some significant differences from developing an AAR for an exercise. Fundamentally, development of an AAR for an exercise begins with design of the exercise and is based upon the objectives identified for that exercise. For an incident, the areas of evaluation are generally identified after the fact. These areas of evaluation will focus the evaluation effort and help you cull through the volumes of documentation and stories people will want to tell. The three focus areas covered in the AAR are Command and Control, Operations, and Mass Care and Sheltering.
Getting into the Harvey AAR itself… My own criticism in the formatting is that while areas for improvement in the AAR follow an Issue/Analysis/Recommendation format, identified strengths only have a sentence or two. Many AAR writers (for incidents, events, or exercises) think this is adequate, but I do not. Some measure of written analysis should be provided for each strength, giving it context and describing what worked and why. I’m also in favor of providing recommendations for identified strengths. I’m of the opinion that most things, even if done well and within acceptable standards, can be improved upon. If you adopt this philosophy, however, don’t fall into the trap of simply recommending that practices should continue (i.e. keep doing this). That’s not a meaningful recommendation. Instead, consider how the practice can be improved upon or sustained. Remember, always reflect upon practices of planning, organizing, equipping, training, and exercises (POETE).
As for the identified areas for improvement in AAR, the following needs were outlined:
If anything, for these reasons alone, the AAR and the improvement planning matrix attached should be reviewed by every jurisdiction. Many jurisdictions that I encounter simply don’t have the POETE in place to be successful in addressing these areas.
What is your biggest take away from this AAR?
© 2018 – Timothy Riecker, CEDP
The Incident Command System (ICS) provides an important foundation to incident management. ICS grounds us in standards, providing structure and processes which help mitigate against the fact that all incidents themselves are unique. While ICS may not be perfect, and I have been and continue to be highly critical of ICS training, the Incident Command System has proven to be effective – when properly implemented. One of our biggest stumbling blocks with the implementation of ICS is the human factor – something else I’ve written about on a few occasions. The other obstacle to effective incident management is relying too heavily on ICS. ICS is not the solution to incident management – it’s a tool. For incident management to be truly effective, we need to think beyond ICS.
So aside from ICS, what do incident managers need to know and do to be more effective? (Note that I’m not using the term ‘incident commander’ here, as incident management, fundamentally, is a team sport. I’m using the term ‘incident managers’ as a collective term for all personnel involved in the higher echelons of incident management).
First, good incident managers should have proven leadership and management skills. I’m not going to go at this one in length… there are no fewer than a gazillion books written on leadership and management and the importance of effectively leading organizations. Just like any other organization, someone in a position of incident management who can’t properly lead is not only going to fail themselves, but also the organization.
Second, good incident managers need to have a grasp of emergency management. Not just an application of public safety, such as the fire service or law enforcement, or whatever field they happen to be performing response in (i.e. public health, transportation, etc.). They should have a solid awareness of what each major participant in emergency management does and the major processes of emergency management.
Next, incident managers should understand the fundamentals of project management. This one is really important. The tactics we execute in our response to an incident are really a series of projects. Not that a Gantt chart needs to be developed for each incident (although I’ve actually done this for prolonged incidents – and it is seriously insightful), but an understanding of tactical timeframes, progress toward completion, and what activities can be done simultaneously versus those that should be done in sequence can be a huge help. It’s a great visual tool that can be easily developed with the help of ICS 204s. Progress toward completion (i.e. how much of a tactic have we accomplished as part of the whole) helps us to measure effectiveness, gauge how long we continue to need certain resources, and will answer the questions ‘how are we doing?’ and ‘are we there yet?’. In larger incidents (NIMS Type 3 and larger) this is incredibly important. What’s the progress on evacuation? How much longer until all the boom is deployed? How much debris has been cleared? Etc. These aren’t just pain the ass questions asked by elected officials and the media… these are questions you should be asking as well.
Continuing on with project management (that’s how important I think it is), I’ll make a few more notes here. First of all, field observers are really important to monitoring progress. Don’t rely on the tacticians to do this. First of all, the tacticians are too busy. They need to be focused on getting things done. Also, they may be too close to the situation to give an objective assessment (or in the case of the use of contractors, it’s simply good contract management). Digging into your ICS knowledge, recall that field observers are an actual position (although one not used often) within the Planning Section assigned to the Situation Unit. Their job is to monitor and report on tactical progress and other situational information. Also consider that if you see issues with a slower than expected progress toward completion, that means that either your initial estimates were wrong or something is slowing down the operation. This may justify a root cause analysis to determine why things are not progressing as they should be. Perhaps there was more to accomplish than anticipated, or the wrong resources are being applied?
Next, the highest members of incident management (i.e. incident command, unified command, EOC manager, etc.) need to have some separation from the rest of the incident management staff, agency representatives, and tactical operations. They can’t be ‘in the pit’, ‘on the floor’, ‘in the trenches’, or whatever other lingo you might use in your command post, EOC, or field operations – at least not as their usual place to be. Yes, some measure of ‘management by walking around’ is good, but I’ve been in plenty of command posts, EOCs, and departmental operations centers that have command right in the mix of everything. These places get noisy and there are a lot of distractions. You can’t hold a productive meeting in this environment, much less concentrate. People are also inclined to go directly to command with issues and problems… issues and problems that are likely best solved by someone else. Even in the field, an IC shouldn’t be too close to the tactics on a large incident. Pull back and think about incident management, not tactics.
That’s the list that I have for now. It’s a topic I’ve been thinking about for a while, so I plan on adding to it in the future. I also expect to be doing some presentations in the near future as well. What thoughts do you have on this? What can we do to improve on incident management?
© 2018 – Timothy M. Riecker, CEDP
The National Fire Protection Association (NFPA) has recently published a new standard for Active Shooter/Hostile Event Response (ASHER) programs. NFPA 3000 is consistent with other standards we’ve seen published by the organization. They don’t dictate means or methods, leaving those as local decisions and open for changes as we learn and evolve from incidents and exercises. What they do provide, however, is a valuable roadmap to help ensure that communities address specific considerations within their programs. It’s important to recognize that, similar to NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity/Continuity of Operations Programs, you aren’t getting a pre-made plan, rather you are getting guidance on developing a comprehensive program. With that, NFPA 3000 provides information on conducting a community risk assessment, developing a plan, coordinating with the whole community, managing resources and the incident, preparing facilities, training, and competencies for first responders.
NFPA standards are developed by outstanding technical committees with representation from a variety of disciplines and agencies across the nation. In the development of their standards, they try to consider all perspectives as they create a foundation of best practices. While the NFPA’s original focus was fire protection, they have evolved into a great resource for all of public safety.
I urge everyone to take a look at this new standard and examine how you can integrate this guidance into your program. The standard is available to view for free from the NFPA website, but is otherwise only available by purchase. Also available on their website is a fact sheet and information on training for the new standard.
© 2018 – Timothy Riecker, CEDP
I was recently asked by a client about my thoughts on pre-developed or ‘canned’ exercises. As it turns out, I have a lot of feelings about them, most of them negative. Pre-developed exercises, if properly understood and applied, can be a huge help, but the big problem is that we’re dealing with human nature, and some people are just damn lazy. Garbage in, garbage out.
We need to keep in mind that exercises, fundamentally, are developed to validate plans. Not my plans. Your own plans. While standards of practice mean that most plans have a high degree of commonality (i.e. a HazMat response plan for a jurisdiction in California will be largely the same as one for a jurisdiction in New York State), it’s often the deviations from the standards and the local applications that need to be tested most. So it doesn’t do well for anyone to replicate an exercise that doesn’t test your own plans. Similarly, the foundation of exercise design is objectives. While the pre-developed exercise may have a theme that coincides with what you want to test, sheltering, for example, there are a lot of different aspects of sheltering. The pre-developed exercise might not focus on what you need to exercise. With all this, anyone who wants a quality exercise from something pre-developed is going to have to do a lot of re-development, which might be more frustrating than starting from scratch.
If you want a quality exercise, you really can’t short cut the process. Not only might HSEEP be required for whatever grant funding you are using for the exercise, but it’s a best practice – and for good reason. So often people want to cut corners. If you do, the final product will look like you’ve cut corners. It might lack proper context, good reference documents, or meaningful evaluation. The exercise planning meetings have defined purpose, and the documents help capture that process and communicate the intent to specific audiences.
On the other hand, there are proper ways to use materials from a previously developed exercise to benefit your own exercise. The development of good questions in discussion-based exercises and injects for operations-based exercises can be a challenge. Reviewing other exercises, especially when there might be some similarity or overlap in objectives, can be a huge help, so long as they are properly contextualized and relate back to objectives for your exercise. This isn’t a copy and paste, though… as it all should still be applied within the exercise design process.
There are some exercises out there that might seem like exceptions to what I’ve written above. The first that comes to mind are FEMA’s Virtual Table Top Exercises (VTTX). The VTTX is a great program, conducted monthly, focusing on different themes and hazards. FEMA’s Emergency Management Institute (EMI) assembles a package of materials that go to each community registered for the event, allowing a measure of local customization. While jurisdictions may use this material differently, it is at least an opportunity to discuss relevant topics and hopefully capture some ideas for future implementation.
Similarly, my company, Emergency Preparedness Solutions, recently completed a contract with the Transportation Research Board for a project in which we developed a number of ‘generic’ exercises for airports. These functional exercises, facilitated through a web-based tool, can be easily customized to meet the needs of most airports across the nation and are written with objectives focused on the fundamentals of EOC management within the timeline of an incident. While specific plans aren’t directly referenced in the exercises, airport personnel are able to examine the structure of response in their EOC and can reflect on their own plans, policies, and procedures. Similar to FEMA’s VTTX series, they aren’t a replacement for a custom-developed exercise, but they can help examine some fundamentals and start some important discussions. I’m not able to get into much more detail on this project, as the final report has yet to be published, but look forward to future posts about it.
All in all, I tend to caution against using pre-developed exercises. I simply think that most people don’t use them with the right intent and perspective, which can severely limit, or even skew, outcomes. That said, there exists potential for pre-developed exercises to be properly applied, so proceed with caution and with your wits about you. Understanding that time, money, and other resources can be scarce, emergency management has always done well with ‘borrowing best practices’. While there is sometimes nothing wrong with that, short cutting the process will often short cut the benefits. Do it right. Use of a custom-developed exercise is going to maximize benefit to your community or organization.
© 2018 – Timothy Riecker, CEDP
Yesterday, the National Integration Center (NIC) issued a NIMS Alert announcing a national engagement period for several new documents. These documents include:
All in all, I find these to be solid documents. I appreciate the guidance assembled for the EOC Director position (although it still bothers me that it’s not called an EOC Manager) and find it to be well thought through and informed by experience. My only issue with the position task book for EOC Director is that the Typing is based upon staffing numbers for the EOC. While that is certainly one of the nuances of complexity, I think the resource typing should be a reflection of experience relative to the overall complexity of the incident, rated best by incident type. The chart linked to shows the common benchmarks used to categorize an incident based on overall complexity. This is a NIMS standard. While there is a correlation between incident complexity and EOC staffing, those of us experienced in incident management, especially at the EOC level, have seen over-staffing and under-staffing of EOCs, as well as EOC-types of facilities (such as departmental operations centers), which may oversee their agency’s operations for incredibly complex incidents with a relatively small staff. Of course, smaller jurisdictions can deal with highly complex incidents, without having a large number of staff to support an EOC. I’ve also seen very capable EOC managers from smaller jurisdictions (who might, under this guidance be rated as a Type 3 EOC Director) step in through mutual aid to run EOCs in larger jurisdictions with far more staff (a Type 1 EOC Director position). Their relative success in doing so is based largely upon experience with incidents of greater complexity, not numbers of staff.
I’m really happy with the Skillsets documents published by the NIC for EOC Director. I think these are outstanding references, which not only help drive a more detailed evaluation of a candidate as their position task book is being reviewed, these can also act as benchmarks for preparedness activities. Documents like this strongly support jurisdictional guidance for EOC activity, training standards for EOC personnel, and exercise evaluation guides (EEGs) for exercises. When reviewing these Skillsets documents in detail, the only potential pitfall that I find is that some individual items may not be as relevant to an EOC Director in some jurisdictions or some incidents, especially if the individual’s regular job is not at the policy level. As such, jurisdictional policy matters will be imposed upon the position rather than the position dictating policy. That said, these documents are guidance, and should be handled as such. They can be subject to modification by agencies and jurisdictions as needed.
While I did do a quick review of the Division and Group Supervisor materials, I really don’t have much comment on them. These positions are long-established in the ICS lexicon, with a fair amount of supporting materials being provided on them through the years.
Be sure to check out the original website I linked to for access to the documents and information on the webinars scheduled this month to review these documents, as well as the feedback mechanism for the engagement period itself.
I’m interested in hearing your thoughts on these documents. What do you think is done well? What should be improved upon?
© 2018 Timothy Riecker, CEDP
I’ve written in the past on the need for emergency managers, in the broadest definition, to become more familiar with public health preparedness. As emergency management continues to integrate, by necessity, into and with other professions, this understanding is imperative. We need to stop considering EMS as our only public health interface. Public health incidents, of which this nation has yet to be truly and severely struck by in decades, require more than public health capabilities to be successfully managed – so we can’t just write off such an incident as being someone else’s responsibility. We’ve also seen non-public health-oriented disasters take on a heavy public health role as concerns for communicable diseases, biological agents, or chemical agents become suspect. If you are an emergency manager and you aren’t meeting regularly with public health preparedness officials for your jurisdiction, you are doing it wrong.
Aside from meeting with public health preparedness staff, you should also be reading up on the topic and gaining familiarity with their priorities, requirements, and capabilities. (don’t skip either of those links… seriously. They each contain more info on public health preparedness). One of the best resources available is TRACIE. TRACIE is a resource provided by the US Department of Health and Human Services (HHS) Assistant Secretary for Preparedness and Response (ASPR). TRACIE stands for the Technical Resources, Assistance Center, and Information Exchange. I’ve been digging around in ASPR TRACIE for the past several years and also receive their monthly newsletter. I get a lot of newsletters from different sources… some daily, some weekly, some monthly. I’ve recently unsubscribed to a bunch which seem to have information that has diminished in value, doesn’t seem to be timely, or are poorly written. TRACIE is one of those that stays. It has tremendous value, even if you aren’t directly involved in public health preparedness and response. The information and resources provided here come from public health preparedness experts – these are emergency managers.
Recently, ASPR did a webinar on Healthcare Response to a No-Notice Incident, highlighting the Las Vegas shootings. Check it out.
But public health speaks a different language! True. So do cops, firefighters, and highway departments. So what’s your point? While public health certainly does have certain terminology that covers their areas of responsibility, such as epidemiology, med-surge, and others, that doesn’t mean their language is totally different. In fact, most of the terminology is the same. They still use the incident command system (ICS) and homeland security exercise and evaluation program (HSEEP), and can talk the talk of emergency management – they are just applying it to their areas of responsibility. Are there some things they might not know about your job? Sure. Just like there are things you don’t know about theirs. Take the time to learn, and make yourself a better emergency manager.
What have you learned from public health preparedness? How do you interface with them?
© 2018 – Timothy Riecker, CEDP
Earlier in the month, the New Jersey Office of Homeland Security and Preparedness released their 2018 Terrorism Threat Assessment. This unclassified document gives an outstanding review of matters of interest to the State of New Jersey, with relevant information no matter where you are in the US, or any other nation. While the focus early in the document is specifically relevant to New Jersey and surrounding states, much of the document provides outstanding information and brief case studies on groups such as homegrown violent extremists (HVEs), domestic terror groups, international terror groups, and more.
Terrorism rarely pays attention to borders, especially those within the nation. While some areas, particularly those with higher populations and higher value targets, have a greater risk profile than others, we’ve seen that terrorists, in the broadest definitions, can live, train, and execute attacks anywhere in the nation – from unincorporated lands, to small towns, to major metropolitan areas.
The document highlights the threat of HVEs, traditionally inspired, but not directly supported by larger terror groups or movements. These tend to be lone wolves or small cells, having such a small footprint, they often leave intelligence for law enforcement to trace. The document also mentions a changing trend in militia groups. Several groups have been seen to change behaviors, seemingly to align with the government or law enforcement, but in actuality chasing their own vigilante agendas.
I encourage everyone who is interested to review this document. The content is current, relevant, and informative. I think it’s a model for states and communities around the nation, providing an excellent snapshot of the current landscape of terrorism.
© 2018 – Timothy Riecker, CEDP
The Contrarian Emergency Manager 