Understanding the National Fire Protection Association (NFPA) 1600 standard on disaster/emergency management and business continuity programs, the NFPA 1561 standard on emergency services incident management system, and the National Emergency Management System (NIMS) is a good start for a new hospital, school or university safety professional (see Why You Should Care About NIMS and NFPA Standards for a primer on this topic). But these standards don’t provide a “How to” on their implementation.
Most novice safety professionals require a straightforward method on how to build a viable disaster/emergency management and business continuity program. Additionally, a step-by-step process can do much to alleviate the anxiety that often is part of the plan development process.
Once the basic plan is completed, the organization will be better able to determine how compliant it is to the relevant standards and how to address any shortfalls or gaps.
1) Initially Designate a Program Coordinator
To paraphrase the Department of Homeland Security (DHS) and the Federal Emergency Management Agency’s (FEMA) Principles of Emergency Management, the basic plan provides an overview of an entity’s response organization and policies. It also cites the entity’s authority for conducting emergency operations, describes the hazards the emergency operations plan is intended to address, explains the general concept of emergency operations, and assigns responsibility for emergency planning and operations.
Most people and groups tasked with writing a disaster/emergency management and business continuity program come to the conclusion that it is going to be a very daunting task. Rightly so! This realization can quickly turn to dread once the inevitable question is asked: “Where do we start?” At this point the campus safety professional should remember not to panic.
Start by determining if the organization has designated the authority to develop the program. If this is not the case, it will be necessary for the campus to formally designate a program coordinator through the proper authority (president, board of directors or other official).
Once the program coordinator is designated, the next step is to develop an advisory committee. When putting together this team, it is a good idea to have a wide variety of expertise, departments and/or backgrounds represented. This cross-functional approach helps ensure that all responsibilities, viewpoints and opinions are represented and the tough questions asked. It makes for a more robust system in the end.
Do not underestimate the value of people based on their position within the organization. Directors, department heads, community members, right through to the person who keeps the facilities clean and in working order all have a stake in the system, and their input can be invaluable.
Next, the program coordinator and advisory committee, along with input from the person or group authorizing the development, should determine the scope of the program. Based on the authorization granted by the organization, how much of the campus will the program cover? This may include properties, facilities, departments and personnel, such as staff, students, patients and visitors.
Based on the scope, the team begins the program development process by creating a vision statement. The vision statement is a declaration of the ultimate aim of the group; sort of a look at the work accomplished by the group in the future. Next, the team will develop a mission statement, which is a declaration of why the group exists right now.
It should be noted that these are some very basic definitions of a vision and mission statement, and there are a great number of articles and books dedicated to this subject. The purpose of developing the two statements is to give the group guidance and keep the development project on the right track.
2) Develop a Known Hazards and Assets Lists
Once the team has a vision and mission, it is time to start gathering information. This process begins by making two lists.
The first list is called “What We Know.” It catalogs all of the known hazards the organization faces and has some plan in place to address. This list should be broken down into categories like:
- Natural (tornados, earthquake, hurricane, pandemic, etc.)
- Human-caused (civil disturbance, hostage taking, bomb threats, accidents, etc.)
- Technological (cyber attack, utility loss, etc.)
- Radiological (radioactive material release, dirty bomb, etc.)
Breaking this list down into categories makes it easier to continue the process in one of the later phases.
The second list is called “What We Have.” It is an inventory of physical and human assets that the organization has and/or can draw on in an emergency. This list should also be broken down into categories like:
- Personnel (i.e. public safety officers, firefighting personnel, medical personnel, maintenance crews, personnel with specialized knowledge and/or skills, etc.)
- Equipment (fire fighting equipment, ambulances, security vehicles, communications equipment, ladders, trucks, cars, radios, ect.)
- Facilities (tornado shelters, secure rooms/buildings, medical facilities, etc.)
- Mutual aid (agreements with outside agencies to lend assistance, such as hazardous waste abatement companies, ambulance companies, mass transportation authorities, arenas, etc.)
- Incident plans/procedures (evacuation, shelter in place, crowd control, utility outages, severe weather warning system, etc.)
- Recovery plans/procedures (alternate facilities, continuity of operations plans, etc.)
Again, breaking the list down into categories will make the process easier to complete in the later phases.
Now we know where we are (the lists and the mission statement), and we know where we want to go (the vision statement). It is time to start building a basic plan.
3) Create Your Comprehensive All Hazards List
Starting with the “What We Know” list, the group (project coordinator, advisory committee and any additional experts who have joined the process) creates a comprehensive all hazards list by taking “What We Know” and adding any additional hazards to each category. Sources of information for additional hazards can be obtained from:
- Official sources, such as the U.S. Geological Survey (USGS), National Oceanographic and Atmospheric Administration (NOAA), Federal Emergency Management Administration (FEMA), U.S. Forest Service, Association of Dam Safety Officials, Nuclear Regulatory Commission (NRC)
- Media archives, such as local newspaper archives, local history publications at libraries
- Interviews with long-time residents, police and/or fire officials, public works officials
At this point, listing every single hazard could get excessive. It is not necessary to address extremely remote hazards like killer asteroids, planetary collisions or alien invasions. Realistically speaking, a campus in Lexington, Ky., would not expect to see a tsunami listed on its hazard list. Pandemic flu, however, should be on it.
FEMA’s Web site has a wealth of information to assist the team in quickly accomplishing this task. It will also aid in determining that all hazards have been included. The direct link is www.fema.gov/hazard/index.shtm.
4) Determine Your Campus’ Vulnerability and Risk
Once all of the hazards have been identified, it is time to look at and determine vulnerability and risk to people, property, the environment and the organization itself. Vulnerability is an exposure or the susceptibility to the hazard. For example, organizations in Florida are vulnerable to hurricane emergencies.
Risk is how vulnerable the organization is to the hazard. Organizations in tornado alley, for instance, have a high risk of tornados. Vulnerability and risk should be evaluated against some type of scale. For some organizations, a simple scale may be adequate (low, medium, high), while others may need a numerical scale that may include mathematical formulas to determine a Risk Priority Number (RPN). There are many examples and worksheets available for free on the Internet. Here are two sources for examples:
During this phase, it will be important to keep the scope, vision statement and mission statement close at hand.
5) Analyze How Hazards Will Impact Your Organization
The team now knows what the potential hazards are, the organization’s vulnerabilities and the level of risk. It is time to look at the impact each hazard will have on:
- People in the immediate affected area
- People responding to the emergency
- The operations of the organization
- The property, facilities and infrastructure
- The ability of the organization to deliver its services/product
- The environment
- The organization’s financial well being
- Any legal and contractual obligations
- The reputation of the campus
- Any national and/or international consequences or considerations
Again, these impacts should be evaluated against some type of scale. For some organizations, a simple scale may be adequate (low, medium, high); while others may need a more defined numerical scale.
6) Check the Laws That Affect Your Plan
Most organizations are very well acquainted with their legal obligations. The requirements of the Occupational Health and Safety Administration (OSHA), the Environment Protection Agency (EPA) and the like have been a standard of most organizations for years. Many organizations have a department that specializes in making the determination as to what laws apply to the organization.
In a disaster/emergency management and business continuity program, there may be requirements/laws that start at the federal level, are continued and further defined at the state level, and continue to the local jurisdiction. If the organization does not have a department with this kind of specialized expertise, or an attorney that specializes in legal compliance, other options need to be explored.
One of the best places to start is to contact the local emergency director’s office and ask for assistance. From there they can direct the team to state offices and Web sites that can give further direction.
7) Align the “What We Have” List to the Hazards
For each hazard listed, the team now includes those things from the “What We Have” list. Keep them in the same categories as when the list was initially developed.
An additional category needs to be included at this point: gaps. Gaps are elements that need to be acquired or developed to address the hazard sufficiently. This may include revisions to current procedures and instructions to fully address the incident and/or hazard.
It is important to keep the scope, vision statement and mission statement in mind when addressing these categories. The gaps section should also consider budget when determining what is needed.
At this point there is enough information for the organization to determine a preliminary budget for the program. Based on the budget, the team will have a better idea where to apply the funds to get the most value for the organization and the best impact on the program. This will also aid the team with the remaining phases of the program.
8) Define Responsibilities Via the Incident Command Structure
When an incident occurs, the first question typically asked is “Who’s in charge?” Unless this is defined, it will cause no end of confusion throughout the incident cycle. The team should determine who would be in control of the organization when an incident occurs. This may be different people depending on the size and gravity of the incident. This is where the NFPA 1600, NFPA 1561 and NIMS come into play.
Depending on the size of the organization, the incident command structure can vary widely. For a small organization, the incident commander may be a single person in command only until the legal authority arrives on site (police department, fire department, etc.).
For larger organizations, there will be a tiered system that will grow and contract throughout the incident cycle. It is important to have a good understanding of how the incident command structures works so the responsible personnel in the organization will know how to interact with the system. This will avoid confusion and misdirected efforts during an incident.
9) Plan Mitigation Activities to Reduce Exposures
At this point in the process, the team now knows what the organization is likely to face; the potential impacts on the people, property, environment, and organization; and what is in place to address the potential incidents.
Now it is time to see where the team can reduce the vulnerabilities, risks and impacts. The activities undertaken to reduce the exposures or lessen the impacts are called mitigation. This is where the gaps identified during the alignment of the hazards and the “What We Have” list will be addressed.
When developing the plans to address the gaps, it is important to keep in mind the abilities of the organization, resources and budget. Examples of mitigation projects and activities can be found on the FEMA site at www.fema.gov/about/divisions/mitigation.shtm.
10) Enhance Plan with Mutual Aid Agreements
Where the organization does not have the resources to react to or recover from a disaster/emergency, mutual aid agreements can be used to enhance the plan. Mutual aid agreements allow two or more organizations to supplement their plans by depending on the resources of the other organization.
This may be especially useful in the recovery phase of a disaster/emergency or where the budget restricts the ability to obtain the resources needed. It will be necessary to obtain these agreements in writing.
In the next article, we will explore the business continuity and recovery elements along with discussing how to take all of this information and organize it into a basic plan and emergency operations plan (EOP). We will also discuss how to evaluate the plans against the relevant standards, and complete a full disaster/emergency management and business continuity program.
A Quick Word about Budgets
Campus stakeholders may wonder if they should develop a budget to accomplish all this work while they are on step one. A budget at this point, however may be a bit premature; sort of like budgeting for a vacation before you know where you are and where you will be going.
It may be more important for the organization to know where it currently stands, where work needs to be accomplished, and where resources need to be directed. Once this is known, a more realistic budget can be developed and the program can be adjusted accordingly.
Mark A. Messler is the technical director for the National Emergency Management Registrars (NEMR), a third-party registration/certification body dedicated to private sector certification of disaster/emergency management and business continuity programs. NEMR can be reached at (800) 910-4033 or info@nemronline, or online at www.nemronline.org.
To subscribe to the unabridged print version of Campus Safety magazine, click here.