What if…? You came to your office for the beginning of the week and, because of some unforeseen event, there were no employees, no working telephones, no functioning computers, no utilities. You’re a senior executive. What would you do? Where would you start?
Unquestionably, this is a crisis. Remember, you have access to almost none of your normal support tools. If this had been an actual incident, such as many people experienced during the Chicago flood in April 1992, it would already have been too late to concern yourself with developing an “All Hazards” program.
Consider this: BP’s Deepwater Horizon costs total $62billion. BP said that it expects the pre-tax cost of its 2010 Deepwater Horizon explosion and oil spill on the Gulf Coast to total $61.6 billion. The 1989 Exxon Valdez oil spill costs exceeded $7 billion. At market close July 25, 2018, Facebook Inc. was worth $630 billion. A day later: $510 billion. The roughly $120 billion loss in market capital tops the list of biggest one-day routs in recent stock market history (by $30 billion). Combined, BP and Exxon only amount to a rounded $68 billion – a seemingly paltry number compared to the Facebook one-day loss.
You’ve got to have a program in place to ensure continuity of operations, but what kind of a program? You might ask yourself, “What level of disruption will cause my institution to fail?” For our purposes, the following definition will be used: “A disruptive event can be defined as any unplanned event, occurrence, or sequence of events that has a specific undesirable consequence.”
Failure to have a workable “All Hazards” program is akin to making a high-stakes gamble with the lives of your employees and your organization. Let’s look at some basic objectives of an “All Hazards” program. An “All Hazards” program allows you to provide for:
- Effective coordination of activities, internally and externally among organizations;
- Early warning and clear instructions to all concerned if a disruptive event occurs;
- Continued assessment of actual and potential consequences of the event;
- Continuity of operations during and immediately after the event.
You may think that it’s too difficult and time consuming to develop an “All Hazards” program. However, when broken down into its basic elements, an “All Hazards” program consists of four basic elements:
- Training and resource development
- Information management
Although no two “All Hazards” programs will ever be exactly alike, these four elements form the basis for any “All Hazards” program. A brief synopsis of the common weaknesses in programs lacking the “All Hazards” approach may prove helpful. As you read the discussion on the four basic elements, keep these weaknesses in mind. You may also want to assess your current program against these weaknesses. The most common weaknesses in programs lacking the “All Hazards” approach are:
- No systematic collection of planning information. This includes: risk, threat and hazard analysis, organizational information, regulatory guidance, policies, procedures, and location specific data.
- No systematic dissemination of planning information. You’ve assembled a wealth of information (or lack of) and have not shared it with those who have a responsibility to implement the program.
- Failure to identify and establish an incident command structure. This is a common pitfall, as many planners try to fit their organization into a standard incident command system not designed around their needs.
- No, or minimal, coordination with affected entities. Poor communications with local public and private sector support entities (fire, police, hospitals, etc.) can lead to confusion and chaos. A simple issue, such as who is the primary contact for offsite agencies, can cause major disruption during an incident.
- Lack of, or poorly defined, organizational responsibilities. Failure to provide clear, concise procedures defining a person’s functions, duties and tasks during a disruptive event. Worse yet, you didn’t train anyone on their role and responsibilities. This weakness can lead to finger pointing: “It’s not my responsibility!” “I thought it was yours!”
- Once developed, the program is not or is, at best, poorly maintained. Your program has no provision for continued evaluation and periodic update of materials. Frequently changed materials, such as telephone numbers, are buried in various paragraphs throughout your documentation.
- The material you developed is not user‑friendly. Your documentation contains information – lots of it. But you did not provide an index or a quick reference guide.
- You did not disseminate the documentation to the proper authorities. Failure to include appropriate parties on the distribution list most often leads to failure on their part to respond in the hoped-for manner.
You cannot forecast the materialization of a disruptive event. Impacts are inconsistent from event to event, from institution to institution. The impacts are always different for each institution. Continuity of operations depends on early recognition of risk, threat and hazard materialization: recognizing direct and indirect impacts, and direct and indirect consequences. Quick and effective targeting of direct and indirect consequences, to reduce their effect on the ability to maintain institutional integrity, is essential.
An effective system for compliance can be developed only if you know which laws and regulations pertain to your operation. In order to accomplish this task, a survey of all operations should be undertaken. The survey should include:
- General administrative information
- Management awareness and control programs
- Identification of risk, threats, hazards/potential disruptive events
- Organizational characterization
Once the survey program has been developed and implemented, it must be evaluated and kept up-to-date. This can be accomplished by reviewing actual responses and by conducting periodic program audits.
Preparedness, used in the broadest context, means any and all measures taken to prevent, prepare for, respond, mitigate, and recover from disruption. Preparedness consists of four critical aspects:
Preparation and Prevention: Activities that prevent disruption, reduce the chance of an event occurring, or reduce the damaging effects of an event. Preparation and prevention activities include, but are not limited, to:
- Development and implementation of the “All Hazards” program and supporting documentation, such as implementing procedures
- Development and implementation of “All Hazards” program training
Detection and Incident Classification: Actions taken to identify, assess and classify the severity of an event. Detection and classification activities include, but are not limited, to:
- Activation of “All Hazards” program and implementing procedures
- Activation of the “All Hazards” management/response organization
Response and Mitigation: Actions taken to save lives, prevent further damage, and reduce the effects of disruption. Response and Mitigation activities include, but are not limited, to:
- “All Hazards” management/response organization operations
- Affiliated organizations’ operations (generally external entities)
- Continuity of operations
Reentry, Recovery, Restoration and Resumption: Actions taken to return to a normal or an even safer state following the disruption. Activities include, but are not limited, to:
- Activation of the reentry, recovery and restoration organization
- Coordination with affiliated recovery organizations
- Activation of the business resumption plan (generally a supporting document within the “All Hazards” planning approach)
TRAINING AND RETRAINING
Training of personnel is the third component of the “All Hazards” approach. Training of staff, etc., is a critical success factor.
In addition to the formal training program, a program of proficiency demonstration is also needed. This can be accomplished by establishing a program that supplements the training with drills and exercises. The drill and exercise program can vary in degree of complexity and focus. It is wise to vary the frequency and focus of the drill and exercise program to facilitate greater understanding of the risks, threats, and hazards faced by the institution.
The need to establish and maintain an ongoing dynamic “All Hazards” program is essential. In order to facilitate planning requirements, a record of all initiatives should be retained. Administration and staff must be kept well informed. Information is an institutional asset. It must be shared and managed effectively. Information management is also critical during a disruptive event. The need for active systems to provide information on materials, personnel, capabilities information on materials, personnel, capabilities, and processes is essential. It is extremely important to have a system (and adequate back-up systems) in place that serves to identify, catalog, set priorities, and track issues and commitments relating to “All Hazards” activities.
In almost every instance of successful response to a disruptive event, activities consisting of sound operating execution coupled with superior communication predominate. Operational response is essential. It is the one that saves lives, property and other assets. The ability to communicate is no less important. It’s the one that saves the business. The simple fact is: perception is reality. Public perception of your institution’s reaction to a disruptive event is as important as your operating response.
Few disruptive events will be as dramatic your own. When your event occurs, the hardest part of dealing with it can involve answering the public call for information – a call personified by a television correspondent or newspaper reporter who shows up at your doorstep or on your telephone line to get the story. How well you have responded to the crisis depends on how well you have prepared.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland. To submit a piece for consideration, email HSTodayMag@gtscoalition.com. Our editorial guidelines can be found here.