Accounting for the Critical Variable in Emergency Response — People | 2012-05-22

In the post 9-11 era, a majority of medium-to-large organizations in both the public and private sectors − at the urging of the government and out of self-interest − have developed and deployed emergency response plans. Many of these organizations have extended this proactive preparedness to include planning for the unique requirements of disaster recovery and business continuity.

Yet, despite the expenditure of billions of dollars and the efforts of emergency planners, it has become painfully evident in the aftermath of catastrophes like Hurricane Katrina on the Gulf Coast, where 770,000 people were displaced, and the more recent Joplin, Missouri tornadoes that even the most anticipatory and robust emergency plans can suffer from a fatal omission: the critical role played by individual employees, whether uniformed first responders, utility workers, healthcare workers or workers in other sectors of the economy that deliver critical manufacturing or support services.

Most organizational resilience plans currently in place start the clock running in the aftermath of a disaster with the incorrect assumption that employees can typically be relied upon to report to work promptly and begin to implement emergency response procedures. But what if this assumption is fundamentally wrong? What if phones and desks remain unmanned, response vehicles remain silent in their garages, and other critical responsibilities remain unmet because there simply aren’t enough employees on hand to fulfill the organization’s missionwhen a major disruption occurs? Tragically, this scenario has played itself out numerous times throughout the country in recent years.

But this conundrum is not inevitable and can be ameliorated over time through the deployment of robust and user-friendly new technologies and methodologies that address the “fatal omission” of personal resilience. This article endeavors to explain how organizational resilience is strategically linked to the personal preparedness of any organization’s employees. It will demonstrate how increased employee availability has become the linchpin to rapid recovery and organizational survival, especially in today’s climate of asynchronous threat.

Nature is part of the threat we face every year. According to FEMA, there were 99 major disaster declarations around the country in 2011, with 12 that exceeded a billion dollars in costs. These figures represent the tip of the iceberg. For example, the 2011-adjusted estimate of damage from Hurricane Katrina alone is $145 billion. How much of this cost could have been avoided is theoretical. However, in these tough economic times, it is axiomatic that most organizations, both in the public and private sectors, are working under severe budget and fiscal constraints, so this article will also demonstrate a robust business continuity planning model that will help organizations maximize their return on investment and the synergy between personal preparedness and continuity of operations.

Since 9/11, when both the government and private sectors began to keep rigorous statistics on disaster management, rapid recovery has become a leading indicator of organizational survival and post-incident viability. For example, statistics from the last 10 years show that:

25 percent of businesses do not reopen following a major disaster.
75 percent of organizations without a business continuity plan fail within three years.
Companies not up and running within 10 days face low odds of surviving.
43 percent of those without a continuity plan never reopen, and
Of those that reopen, only 29 percent are still around two years later.

The National Infrastructure Advisory Council was formed shortly after 9/11. The NIAC comprises of 30 bipartisan members from both the public and private sectors. The council’s job is to advise the President on how to safeguard America’s 18 Critical Infrastructure Key Resources. In September, 2009, the NIAC published a rigorous definition of infrastructure resilience and recommended to the President that public-private sector collaboration is the only way to protect this country’s Critical Infrastructure Key Resources.

Among the many contributions the NIAC has made, perhaps the most useful has been the definition of resilience, commonly referred to as “the 3Rs:”

1. Robustness: the ability to maintain critical operations and functions in the face of crisis

2. Resourcefulness: the ability to skillfully prepare for, respond to and manage a crisis or disruption as it unfolds

3. Rapid Recovery: the ability to return to and/or reconstitute normal operations as quickly and efficiently as possible after a disruption

As can be seen, people are the ultimate foundation to the 3Rs. It is also easy to see why rapid recovery has become a leading predictor, and plays such a critical role, in organizational resilience. In this regard, it can be asserted that people are America’s 19th Critical Infrastructure Key Resource, undergirding the U.S. economy and safeguarding our way of life.

fig1_enews So let’s look at the current typical planning model for business continuity protection. (See fig. 1) Most emergency planners have gone through each step from Risk Analysis to Testing and Evaluation. Whether organizations conduct this last step as a tabletop exercise or actual drill, testing is typically done under conditions where, psychologically, the employee knows his family is safe and secure, and he is not worried about his own ability to recover and rebuild. Under these conditions, testing frequently produces a false positive about organizational resilience, as measured by the 3Rs. The fallacy is in assuming that people assigned to execute will be available.

Uniformed first responders constitute a meager one percent of the U.S. population. But statistics after Katrina, Joplin and other disasters show that this tiny fraction of our population, entrusted with carrying the day for the rest of the 99 percent of us in the event of a disaster, first check on their own families in the immediate aftermath of the event. Who can blame them? The survival instinct is innate in each of us, and the impulse to first protect one’s own is the product of a million years of evolution and thousands of years of human ethics and religious tradition. At the end of the day, we are defined more by our private lives − our families and our homes − than we are by our employment, however noble and proud the traditions of our jobs might be.

According to the American Red Cross, only seven percent of Americans have any plan for their own personal recovery, effectively delaying the time it takes them to be available to the organizations that rely on them, especially when they, themselves, are victims of a disaster. When a delay in the time it takes a key employee to respond occurs, or when the focus he can apply to his duties is diminished, mission success is jeopardized.

It is important to note, too, that so much sophisticated technology is deployed nowadays that we tend to forget that this technology is wholly dependent upon the cadre of employees trained to use it. Without these key individuals at their stations, even the best laid plans simply cannot be executed. Organizational resilience inevitably depends upon the personal preparedness of individuals, and their availability to “execute,” both during and after an event.

Presidential Policy Directive 8: National Preparedness (PPD-8), issued in March of 2011, established a national mandate to create a plan for shared responsibility amongst all levels of government, the private sector and individual citizens to safeguard the nation from harm. PPD-8 follows a spate of federal directives designed to help standardize continuity management across agencies, including: National Security Presidential Directive-51/Homeland Security Presidential Directive-20 (NSPD-51/HSPD-20), National Continuity Policy Implementation Plan of 2007, and Federal Continuity Directives 1 and 2 (FCD 1/2) of 2008.

FCD 1 was developed to guide governmental continuity planning efforts and to share best practices based on lessons learned with private sector stakeholders. This planning requirement includes a provision for individual preparedness, as follows: “…provide support and guidance to all staff in developing family support plans which will increase personal and family preparedness throughout the organization and support employee availability during a continuity event.”

Significantly, the ASIS Organizational Resilience Standard states: “It is no longer enough to draft a response plan that anticipates disasters or emergency scenarios. Today’s threats require the creation of an on-going, dynamic and interactive process that serves to assure the continuation of an organization’s core activities, before, during and – most importantly – aftera major crisis.”

In an All-Community environment, the lack of individual preparedness, whether in the case of a first responder or a corporate employee, can profoundly jeopardize the 3Rs, or the ability of a community to recover overall. The ultimate goal of the employer is to implement a plan that optimizes the employee’s ability/desire to report to work under adverse circumstances. Theemployee ultimately has the same goal: return to work and make money. But that’s both the opportunity and the rub − what an employee needs to do to recover in his individual life and what he needs to do to get to the point he feels able to report to work areexactly the same.

Before he feels capable of responding to work, an individual needs to accomplish a set of key personal requirements like providing for basic needs, arranging temporary shelter and making an insurance claim. This is why the standards have evolved to include planning aftera major crisis. In other words, how long it takes an employee to conduct these personal recovery activities is what impacts his organization’s workforce productivity and related costs.

An improved model for creating Organizational Resilience will incorporate two additional steps: fig2_enews

– Risk Analysis, to include the impact of family preparedness on the individual’s ability to execute; and

– Individual Preparedness of critical team members. (See fig. 2) In other words: a “People Continuity Plan,” akin to a “Business Continuity Plan,” specific to an individual’s role and responsibility both at home andat work.

To read more about how to serve your employees best in the event of a disaster, look for part two of this article in the June 12 Security eNewsletter.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.