Just because a natural, man-made or other type of disaster has never happened within your enterprise doesn’t mean it never will, but it can be challenging to convince the C-Suite to invest heavily in planning for the unknown. So where should you start? Ideally, according to Diane Mack, CEM, CHPP, University Director of Emergency Management and Continuity for Indiana University, you should start at the top.
“Between our campuses, across the state, we have business continuity plans for each and every department – more than 900 plans in all,” she says. “If we didn’t have top-down support, departments 100 miles away from the emergency management team wouldn’t pay any attention to us. This is a massive effort that will never be fully completed – personnel, policy and politics all change frequently, and having leadership willing to stick with emergency planning and enforce training and response planning throughout those changes is key.”
The Indiana University System is currently undergoing FEMA’s Disaster Resistant University process, which helps higher education institutions identify specific campus risks, develop a risk assessment and build a platform for an all-hazards preparedness program. Mack is taking this even further, both developing a comprehensive response framework for all campuses and different annex plans for individual locations. For example, an active shooter incident in the main downtown Indianapolis campus, IUPUI, would be handled differently than a more remote campus like IU East, due to the geography, student levels and resources available.
“Planning for emergencies or incidents affecting the enterprise is a massive task, and planning with the proper stakeholders is absolutely essential. A CSO or security director can’t do this on his or her own,” says John Rendeiro, Vice President of Global Security and Intelligence for International SOS, a firm that provides medical, clinical and security services to international enterprises, as well as emergency response program planning. “You have to make the business case for continuity planning – get your stakeholders involved by showing them how an incident, even a seemingly disconnected one to your enterprise, can affect the business and the brand.”
Even from an insurance standpoint, having a strong business continuity plan makes an enterprise easier to insure, according to Brent Escoubas, Vice President of Risk Control for Alliant Insurance Services, headquartered in Newport Beach, California.
“You never know where the next loss is going to happen – it could be your IT department or your fleet,” Escoubas says, “so it’s critical to have all areas of your organization involved in business continuity and emergency management planning. Ideally, it should be driven and owned at the executive level. If you’re having trouble getting buy-in, that’s because your executives haven’t seen it from the right perspective yet.
“Insurance doesn’t cover all losses, so that can’t be an excuse for avoiding continuity planning and response. There are non-reimbursable costs of interruption, not the least of which is the loss of customers or relationships,” he says.
“Companies that do best have frequent third-party assessments,” Escoubas continues. “Bringing in another set of eyes helps. You should also learn as much as you can from outside incidents. Take the Boston Marathon bombing for example – you should think: ‘What if this happened outside my building? Do I have the ability to communicate with my employees and decision-makers?’ If you don’t know the answers to these questions, it’s time to develop a plan.
“Continuity and emergency planning should focus on protecting people first, then property. Eestablishing an overall company culture of safety helps to keep employees safe and aware of possible hazards, from maintaining accurate phone trees or instructing commuters on what to include in earthquake survival kits for their cars. Creating that overall culture builds buy-in for other, larger projects and drills,” he says.
“The worst possible scenario is to be not prepared,” says Kelly Jenkins, Director of Emergency Management for Lawnwood Regional Medical Center and Heart Institute in Fort Pearce, Florida. “We drill for catastrophes not just in our facility but in the community – we’re a healthcare provider, so local emergencies inevitably involve us.”
“We drill for active shooter incidents, nuclear power plant exposure or meltdown, and even tanker incidents from the major interstate and turnpike nearest our facility,” says Lawnwood Security Director James Tobin. “We also have multiple processing plants and research facilities, so we drill on responses to events in these facilities too, such as decontamination training or bomb explosions.”
"We prefer using frequent full-scale drills and training to tabletop exercises,” adds Jenkins. “With real-life training, our G4S security officers and in-house staff get more comfortable and involved in the situation, which aids retention. We want the responses to be second nature during an actual event, almost like muscle memory,” she adds.
At Indiana University, Mack is working to ensure her stakeholders can follow that muscle memory as well: “We’re building incident management teams on each campus, including the decision-makers in various areas, including law enforcement, facilities, housing, student health services, student affairs, the chancellor’s office… From there, we want to address the common question: ‘What do I do in an emergency?’ We will have 22 exercises on our campuses this calendar year, including three active shooter exercises on each of six campuses, a radiological incident exercise, and weather emergencies. We primarily work in three stages, from a workshop, to a tabletop exercise and finally a full-scale exercise. We want to do everything we can to help our staff understand their roles and responsibilities.”
Even on game days, when 60,000 people can flood onto the Indiana University Bloomington campus, Mack is working with her team to prepare not just for the game itself but all of the “what ifs.” “We use a hurricane analogy,” she says. “We prepare for the worst Category 5, and then if anything less than a Category 5 happens, you’re well-prepared to handle it.”
Enterprises also shouldn’t solely look outside their organizations for assistance weathering that Category 5 emergency – a recent outbreak of mumps on The Ohio State University campus led security and emergency management personnel to discover that a national leader on mumps was a member of the university faculty.
“Even cities tend to look outside the organization, if only to qualify what they already know, but you shouldn’t overlook that ‘hidden gem’ expert within your enterprise,” says Bob Armstrong, Director of Emergency Management for The Ohio State University.
“Keep your three ‘C’s in mind: Com-munication, Cooperation and Collaboration,” adds Richard Morman, Deputy Chief of University Police for The Ohio State University. “Especially when grant money is at stake, you can’t afford to have multiple departments working on the same problem in silos, competing for the same funding.”
Ohio State’s emergency management plan was completely rewritten as of 2013, changing the framework to address emerging issues and OSU structure or title changes. Armstrong’s team also built up 20 different emergency operations center (EOC) groups within the university. During an incident or preparing for a specific event, such as a football game or a presidential visit, the emergency management department can pick and choose which emergency operations center groups need to be primarily involved.
Those EOC groups train during actual events, simulating incidents during football games (including a loss of the stadium command center, shifting control to a backup group off-site), as well as annual tabletop exercises to find weaknesses in the system.
Jay Beighley, Vice President of Corporate Security at Nationwide Insurance, based in Columbus, Ohio, holds one full-scale surprise tabletop exercise every year, just to test for those weaknesses.
“We have a full-time training division within our security department, so we continually revise business disruption policies, and we run a quarterly training schedule,” Beighley says. “This quarter is weather emergencies and bomb threats, and employees have two full-scale drills per year, plus periodic online training and a safety liaison on each floor to keep associates up to date with recent procedure changes or risks. But once a year, company leadership will get the call: ‘This is a drill. There has been an incident, and this is the situation. Please act accordingly and follow your emergency response protocols.’ From these experiences, we can track where our hang-ups are and try to fix them.”
According to Byron Boshell, Director of Security for Oklahoma-based INTEGRIS Health, “We’re not lacking for experience in emergency management – Oklahoma is known for its disasters. And in all regards, this is our greatest strength. We have firsthand experience with many of our biggest risks, so we build on our strengths and weaknesses, and we drill on a variety of possible incidents and scenarios. We stay well-stocked with supplies for multiple casualties that may come to the hospital during an emergency. Just knowing that we have access to a significant number of beds, water, food and even additional staff, helps ensure we can handle a disaster.
“Working with the clinical staff is also a major help to us,” he says. “Clinical staff will remain at the facilities during an emergency. They won’t leave their patients. So we have to provide emergency security procedures to help them continue to provide service and care for their patients.”
Boshell is working on that goal by leveraging technology, as well as training, to prevent putting hospital employees or patients in harm’s way. Security staff can now lock down patient floors in several of their facilities with a press of a single button. In the event of an armed intruder, the patients should be safe. Other areas such as surgery also lock down so medical procedures would not be interrupted creating an additional risk to the patients.
"Our goal is to limit the areas available to an armed intruder. We can’t do anything about the floor/wing he’s in, except to respond and confront the situation. We can however keep him from moving to other areas,” Boshell says. “We have armed security officers who can secure floors, and all Oklahoma Police Officers have ID badges that grant them access to our facility during a lockdown.
“It will always be chaos,” he adds. “That’s a common mistake, thinking that you can avoid chaos in this type of an emergency, but being prepared allows you to reduce it somewhat and get the situation under control quicker.”
Alliant Insurance Services is working with a smartphone application company In Case of Crisis to make emergency management protocol binders a thing of the past by using cloud-based technology. “Especially with next-generation employees, they don’t grab a manual or paper checklist during a fire alarm,” says Escoubas. “Employees grab their smartphone and their car keys. A tool like this app means that people now have the emergency management manual on their phone as they evacuate.”
To keep information on the app current, Escoubas works with security, safety and risk management representatives in each department to provide changes and updates of contact lists, policy and procedures as well as other important security and safety information.
“Continually updating plans is essential to achieving the best results,” he adds.
At The Ohio State University, more than one million visitors stepped foot on the campus in the month of March alone, and during the average football game, up to 20,000 tailgaters could be in the parking lot at one time. Now, while spectators inside the stadium could be alerted of incidents or incoming severe weather, Armstrong and Morman faced a different challenge when it came to reaching those parked outside.
“We realized that 99 percent of those tailgaters are watching the game, so if there’s an emergency, we can walk from our command center over to the TV booth and reach most of them directly with news,” says Armstrong.
For day to day notifications, Ohio State has two dozen ways of notifying students, staff and visitors, including a robust text messaging system that can reach 67,000 people in less than five minutes.
The emergency management department’s Twitter page is seen as the official voice of the university during emergencies, and students typically follow the account, as that is where they would learn about class cancellations.
“When you’re working with social media, as soon as an incident occurs, you’re already behind,” says Mack of Indiana State University. “Post-incident, social media is often about rumor control, so we have developed hashtags before any incidents on campus to establish our Twitter handle as the authority on correct information. Our goal is to be first, be right, and be credible, which requires an internally and externally coordinated and unified response.”
Training Security Volunteers
Not all security volunteers are at events – hospitals are often helped immensely by volunteer groups, and hospital security can be helped by civilians and staff who help out in emergencies. However, those emergency personnel cannot be asked to aid security staff without any training.
Marilyn Hollier, CHPA, CPP, is the Director of Hospitals and Health Centers Security for the University of Michigan Division of Public Safety and Security, and the 2014 President of the International Association of Healthcare Security and Safety (IAHSS). While her department does not employ volunteers for security tasks on a regular basis, in disaster situations – such as lockdowns – they can be indispensable.
The University of Michigan’s hospital system encompasses three hospitals, multiple ambulatory buildings and a large campus, which is a lot of ground to cover. In a lockdown, for example, other departments’ staff would be called to stand by doors or screen people entering areas. To ensure volunteers and other hospital staff are ready for a variety of emergency protocols and “are familiar with our world,” Hollier’s staff directs the “Security Academy” – a 12-module education program, which could take between two and three hours for staff.
Employees who pass the course are given a pin and a certificate of completion, and then Hollier’s staff gets a list of everyone who completed the course, “so if we were to have an incident where we need additional people to supplement my staff, we would be able to pull people from this list (pending an approval by their department head). We pulled people from the IT department during a regional blackout to help us verifying access and credentials at doors.”
They are trained for Yellow Card (silent duress signal); Code Silver (active shooter); Code Pink (infant abduction); identity theft prevention; missing or stolen items; managing aggressive, disruptive or potentially violent situations; crisis intervention (“calling us before the situation escalates so we could hopefully help solve it,” Hollier adds); prisoner patients; and responsibilities during emergencies.
“Every hospital in America should have a dedicated hospital security force, just by the nature of the environment and the regulations,” says Hollier. “Then, start educating your community about how they can help security be successful, and how they could be called upon to help security in emergencies. I know most hospitals barely have enough security officers to cover their shifts – it would be helpful for them to put together an academy or a course or a training program and try to fire up staff to sign up. This would make hospital staff smarter about security and how they can help security and themselves. This is where they work, and they want to be safe.
“Nurses are the number-one victims of workplace violence, because head-injury patients, psychiatric patients, combative detox-type patients can sometimes lash out. We run a whole education program based around early intervention. As soon as they see a patient starting to act violently, they can get security involved and we’ll put together a threat management team and come up with a plan to try and control the situation. Letting staff know that there is a team out there to help them is important.”
The program doesn’t cost the hospital system much more than time, Hollier says. The in-house security officers teach the classes, which can be provided in a single session or spread out in 15- or 20-minute segments in regular department meetings. Officers will often “adopt” their department, she adds. They can act as the security liaison in, for example, the emergency department, so staff can start building trust with security, and they know to whom they should report suspicious activity or concerns.
“It’s good for us to have people out there who are smarter about security and know what to do.”