Putting Your Plans Together
In the first two installments of our three-part series on NFPA and NIMS compliance, CS readers learned the importance of understanding the applicable codes and how to start creating their emergency/disaster management plans. This last installment shows you how to compile this information into a fully viable program.
In the last article (See “Creating a Plan: 10 Ways to Tame the Beast”), we appointed a program coordinator and advisory committee (the team) and started gathering all the information necessary to build a viable disaster/emergency management plan. We established a preliminary budget and began the mitigation activities.
Now it is time to address the continuity of operations and recovery elements, assembling a basic plan and emergency operations plan (EOP). We will also determine the compliance of the entire program to the relevant standard and/or directives.
Continuity Plans Determine Essential Post-Incident Functions
Continuity of operations addresses how the organization will continue to function and provide services in the event of a disaster or emergency situation. It involves the determination of essential functions and activities, as well as the appropriate action and implementation of the plan. Emergency personnel, plan activation and notifications, relocation procedures, accountability of personnel, operational capability, and acquisition of resources to continue essential functions and operation are also considered in the development of such programs.
The Federal Preparedness Circular, FPC 65 — Continuity of Operations (COOP), is an excellent tool for the development of these plans. It is very straightforward and a comprehensive how-to guide that can be applied to just about any business, organization or campus. The PDF of the COOP can be obtained at: /www.easc.noaa.gov/Security/webfile/erso.doc.gov/briefings/fpc67.pdf
Recovery Plans Should be Multifaceted
Recovery after a disaster or emergency situation should include both short-term and long-term recovery efforts. These can address the recovery of a network after a system crash all the way to the rebuilding of facilities after a major disaster.
Short-term efforts may include assessment of damage, structural engineering appraisals, temporary facilities, temporary utilities, clean up work and counseling. In other words, they will include what the organization will do to immediately get facilities up and running, even on a limited basis.
Long-term efforts may include the repair/rebuilding of facilities, restoration of infrastructure and re-establishment of resources. Overall, these efforts will include what the organization will do to get the operations back to a predisaster/emergency functioning level.
Developing recovery plans is one of the harder aspects of the system. Because every disaster or emergency situation is different and the resulting damage can vary widely, it pays to develop very comprehensive plans. This is where you will see the value of the all hazards list, vulnerability and risk assessment, and the impact analysis. These will be key documents in developing the recovery plans.
For each hazard and its associated vulnerability/risks and impacts, it is best to look at it from a best case/worse case scenario. As you go from one hazard to the next, you will find that many short-term and long-term efforts will rollover to many other recovery plans. As a result, most of the work will be accomplished in the early stages of planning and get easier as you go from there.
If Possible, Assign Estimated Costs of Short-, Long-term Efforts
It is also a good idea to assign estimated costs (if they can be determined) to the efforts. In this way, the organization will have a better idea of what will constitute short-term and long-term efforts. It will also give the organization a better idea of where to apply their financial resources. It is also a good idea to determine who your resources will be for accomplishing the tasks.
Let’s look at an example:
You have a campus site, and a severe thunderstorm has swept through the area. The storm has caused some minor damage and downed limbs. Your recovery plans are pretty simple.
Now with the same situation; however, the power is out and will not be restored for several days. Downed trees and limbs block streets and drives. Underground parking areas are flooded. Windows throughout the facilities have been broken.
As you can see, the same situation can require drastically different plans and resources.
As you determine where outside resources will be needed, explore from where those resources will be obtained. Try to determine more than one source to give yourself as many options as possible (two sources for environmental clean up, two sources for transportation, two sources for engineering assessments, etc.). Where possible, arrange to be a priority client for the resource.
During this part of the development, you may also find opportunities to develop mutual aid agreements with other organizations to share resources.
Develop the Emergency Operations Plan (EOP)
The emergency operations plan (EOP) is a combination of multiple documents arranged in a standard format. The basic plan, the functional annexes and hazard specific appendices make up the EOP. The sidebar on page 58 is a synopsis of the EOP as recommended by FEMA and the Department of Homeland Security.
Realistic Exercises Keep EOPs Viable, Healthy
Just as the body needs exercise to stay healthy, the EOP also needs to be exercised to ensure it is viable and healthy. Unfortunately, many exercises resemble more of a choreographed ballet than an actual exercise realistically portrayed with all the stresses involved. The organization does not do itself any favors by not placing a high priority on exercising the EOP.
There are a number of very good EOP exercise programs available such as the Incident Commander program by BreakAway Ltd. It is available through the National Criminal Justice Reference Service (NCJRS) for the cost of shipping (http://www.ncjrs.gov/App/Publications/alphaList.aspx?alpha=I).
Thoroughly Assess Entire Plan, Compare With Relative Standards
Now that you have what you believe is a good system, it is time to assess it against the relevant standard. We refer to this as a gap analysis. This is accomplished by taking each “shall” of the standard, and asking; “Where have we addressed this in our system? And, have we addressed it well enough to comply with the intent of the standard?”
If you find that you have not addressed the “shall,” or that it does not fully comply with the intent of the standard, it is determined to be a gap. A spreadsheet is the most efficient way of accomplishing the task. Since each clause of the standard may encompass multiple “shalls” or elements, it may be necessary to “unpack” each clause.
For example, in the NFPA 1600: 2007, it states in section 5.3.1*, “The entity shall identify hazards, monitor those hazards, the likelihood of their occurrence, and the vulnerability of people, property, the environment, and the entity itself to those hazards.”
An appropriate checklist might break down this clause as follows:
- Has the organization identified all hazards?
- Does the organization monitor those hazards?
- Has the organization determined the likelihood of each hazard identified?
- For each hazard identified, has the organization determined the vulnerability to:
- The environment?
- The organization itself?
Once all the gaps have been identified, the team has specific direction on where to focus its attention to close the gaps.
Auditors Must Be Experienced, Educated, Qualified
Once the disaster/emergency management and business continuity program has been developed, implemented and assessed, it is time to move into audit. Auditing the program is the most valuable and key element in keeping the program viable. Audit takes a certain amount of background, education and expertise to accomplish.
Two good options include:
- 1: Send people to a good auditor training program. You will want to evaluate the training organization’s credentials to ensure it is providing training that will enhance the organization’s program. Training that is based on the requirements of the international audit standard ISO 19011 and has practical audit exercises might be an excellent choice. It is a good idea to have more than one trained person, this way if your auditor wins the lottery and decides to retire, you are not stuck without one.
2: Hire an independent or third party auditor. With this choice, the auditor is an expert in the field and is looking at the program without any preconceived ideas or biases. The auditor’s findings are independent of any internal pressures and based solely on the objective evidence.
What ever choice is made, it is important to audit the system at a frequency that will ensure the program remains implemented and viable.
Consider Third-party Program Certification
Having the disaster/emergency management and business continuity program certified by a third party is an option that the team should seriously consider. Certification accomplishes a number of important things:
- It instills confidence in the program internally and with the public at large
- It acts as a check and balance for the program to ensure viability
- It provides direct objective evidence of due diligence on the part of the organization
- It can mitigate liability claims against the organization in the aftermath of a disaster/emergency
Following all of these steps will help to ensure your campus has a disaster/emergency management and business continuity program that will work when you really need it. As Confucius so wisely said, “The superior man, when resting in safety, does not forget that danger may come. When in a state of security he does not forget the possibility of ruin. When all is orderly, he does not forget that disorder may come. Thus his person is not endangered, and his states and all their clans are preserved.”
The Emergency Operations Plan in a Nutshell
The Basic Plan
The basic plan is an organization’s emergency response structure and policies, and it provides a general overview of the organization’s emergency response system. The basic plan is laid out in this manner:
- Introductory materials, including:
- Documents giving the program coordinator, advisory committee and organization the authority to perform the tasks of the EOP
- Signature page, signed by all responsible personnel, indicating their commitment to the implementation of the EOP
- Dated title page and revision table of all documents in the EOP
- Distribution record, listing all personnel and organizations that are in possession of controlled copies of the EOP (EOP copies should be numbered and recorded)
- A table of contents
- Purpose statement comprised of a general statement of the purpose of the EOP and a synopsis of the EOP, annexes and appendices
- The signature page signed by all responsible personnel for the organization and the EOP. It demonstrates knowledge of, and commitment to, the EOP. It also proves accountability for the EOP.
Situation and assumptions clarifying why emergency operations planning is necessary. It is developed from the hazard analysis and includes:
- Hazards addressed by the plan, relative probability and impact, areas likely to be affected, vulnerable critical facilities, population distribution, special populations, inter-jurisdictional relationships and maps
The assumptions statement documenting the extent and limits of the EOP. Assumptions may include:
- What hazards are likely to occur
- Assistance that may be required
- The concept of operations (the overall approach or the what, when and by whom)
- Under what circumstances the EOP will be inactivated
- The order of actions before, during and after an event
- Any document that will be necessary to request assistance
- The responsibilities assigned by the organization to the various EOP positions
- Any shared responsibilities within the organization and with outside entities
- The organization and assignment of responsibilities section documents the lines of authorities and reporting relationships during a disaster/emergency
Administration and logistics. This section includes:
- Resources that may be needed for high-risk hazards
- Availability of resources
- Mutual aid agreements
- Statements addressing any liability issues
- Policies dealing with the management of resources (acquisition, tracking and financial record keeping)
- A policy documenting who, when and how the EOP is reviewed/revised, including the process, participants and responsibilities
- Training, exercises and review of lessons learned
- Laws, statutes, ordinances, executive orders, regulations and formal agreements relevant to the EOP
- Any reference materials (i.e: NFPA, 1600 standard, NIMS, NRP, NFPA 1561, local EOPs, etc.)
The functional annex explains how the organization carries out its EOP functions in an emergency, (i.e. warnings, recovery). Again, this is where the all-hazards list, vulnerability and risk assessment, and the impact analysis play a key role.
- The direction and control annex documents the analysis of situations to determine the best response to direct the response teams, coordinate efforts and make the best use of available resources
- The communications annex details the emergency communication system and how it will be used
- The warning annex describes how the warning systems work, and the responsibilities and procedures for using them
- The emergency public information (EPI) annex documents and explains the procedure for giving accurate, timely, and useful information and instructions during the disaster/emergency
- The evacuation annex documents and explains what provisions have been made to evacuate people threatened by the hazards
- The mass care annex documents actions taken to protect evacuees and other disaster victims
- The health and medical annex documents the policies and procedures for the management and mobilization of medical services under emergency or disaster conditions
- The resource management annex documents the process used by the organization to determine, acquire, allocate and distribute resources in a disaster/emergency
Hazard Specific Appendices
Each functional annex will have one or more appendices to address the specific hazards identified. The communications for a storm will be vastl
y different than those for a bomb threat. Developing the hazard specific appendices will take a concentrated effort by the team. The cross functionality of the team will be a great asset in developing these appendices.
It is also a good idea to include any supporting documents in the appendix or annex. These supporting documents may include standard operating procedures (SOP’s), maps, charts, tables, forms and/or checklists.
Mark A. Messler is the technical director for the National Emergency Management Registrars (NEMR), a third-party registration/certification body dedicated to private sector certification of disaster/emergency management and business continuity programs. NEMR can be reached at (800) 910-4033 or [email protected], or online at www.nemronline.
To subscribe to the unabridged print version of Campus Safety magazine, click here.