Though the 2020 storm season has ended, next year’s storm season will soon be upon us and, with COVID-19 still in the air, the collision between the current pandemic or a future pandemic and the ensuing storm season is inevitable.
One of the things we learned from the pandemic and last year’s storm and natural disaster season is that many of the tried-and-true protocols don’t work or can’t be enforced during a global health crisis such as COVID-19. Take, for example, evacuation measures during a hurricane, which put those affected in densely populated evacuation shelters, contrary to social distancing measures. In addition, with a global pandemic, workforce shortages, delays in supplies and materials, funding shortfalls or insufficient hospital capacity will also impact emergency response during a natural disaster.
In today’s world, enterprises must prepare and plan for an array of critical responses, including pandemics, workplace violence, and natural disasters such as wildfires, tornadoes, flooding, earthquakes, hurricanes and more. Making sure your organization’s disaster and critical response plans are continually updated and include lessons learned from COVID-19 and past incidents is imperative to preparing the enterprise for the next impactful event to minimize disruption to business operations and ensure business continuity.
Here are six tips from emergency response experts on how to revamp and evaluate your emergency and disaster preparedness plans at your organization.
1. Plan for simultaneous events.
“The stacking concept is something the emergency management world doesn’t do particularly well in terms of planning,” says Brad Gair, Senior Managing Director at Witt O’Brien’s. “Most disaster planning is single focused.” Gair, who has more than 25 years of emergency management and homeland security experience, served as Deputy Commissioner of NYC Office of Emergency Management and then as founding Director of the Mayor’s Office of Housing Recovery Operations and NYC Recovery Managers, as well as NYU Langone Health’s first Vice President for Emergency Management and Enterprise Resilience.
He says that siloed plans don’t allow for mixing and matching of functions in an event such as a pandemic and a hurricane where you are dealing with quarantining and shelter plans at once. A plan that envisions multiple impacts or simultaneous events is a key lesson learned from the COVID-19 pandemic and the 2020 storm season.
“The planning field has been altered greatly,” says Bill Roche, Senior Program Manager at Witt O’Brien’s. Roche has deep-rooted experience in disaster planning, response and recovery operations, serving at Deputy Regional Administrator for the Department of Homeland Security and the Federal Emergency Management Agency (FEMA), Region IX as well as holding multiple positions while at both DHS and FEMA. Roche urges enterprises and security professionals to take a look at their “stovetop” plans that are singularly focused and revisit those plans by opening up the aperture to figure out what other situations may occur.
2. Determine responsibility.
Disaster planning is wrapped up in having the ability to know who is responsible for what actions, advises Roche. “You’ve got to have everyone singing off the same sheet of music,” he says. “It’s vital that everybody understands what their roles are.”
This takes communication and then further communication. From a planning perspective, one pitfall with any major disaster event, Roche says, is getting hung up on who is in charge of what. “You’ve got to give people a play in the play book to understand that,” he adds.
Gair says that another pitfall he sees with disaster planning is trying to restructure responsibilities during or directly after an event has occurred. “It may sound like obvious advice, but we advise that the way you operate your business everyday is the best structure to operate your business during a crisis,” he says. In fact, Gair adds, it’s a good idea for enterprises to mimic their normal operating structure as much as possible, but if people are suddenly in charge of different functions when the crisis response plan is needed, then they need to be aware and ready for that in advance. In those cases, planning for and having the ability to cross train employees and departments as needed to keep the business going is imperative.
3. Get buy-in now.
“There is a natural tendency when something happens that you’ll get full attention of the C-suite, particularly if there’s been significant business loss,” Gair says. Indeed, with COVID-19 fresh in everyone’s minds, now is the time to take advantage of that focus and plan for the next crisis. To capitalize on the renewed focus on preparedness, Gair says, focus on regular drills and exercises with staff as well as community partners.
Tabletop drills and exercises not only keep plans fresh, they keep staff and organizations prepared and can help point out vulnerabilities and areas that need further assessments.
4. Focus on the next thing.
Perhaps just as imperative as communicating and training, is planning for the next event. “If you build your plans around a disaster that has already happened the only thing you are guaranteed is that you will never get the same disaster twice,” Gair says.
If your organization has been through a crisis or you’ve seen peers navigate a particular crisis, it can be helpful to use that as a backbone in planning to make sure you don’t have the same impact to your business, but planning needs to go a step further. “What tends to happen is we have seen time and again people dropping everything after an event such as 9/11 or Hurricane Katrina and planning for that again. You’ve got to focus on the next thing that will be different,” says Gair.
Take COVID-19, for example. While it’s a unique incident, it’s certainly not the only pandemic we’ve seen. There was West Nile Virus, SARS, H1N1 and Zika. Though none of these had the same global impact, the point is, you’ve got to plan for catastrophic events that may never happen in order to be prepared. Gair recommends every enterprise obtain their local county and states’ emergency plans to see what they are planning for. “They’ve already done risk analysis and planning, so you can at least see what they consider as risks and you plan from there,” he says.
5. Don’t expect outside help.
Federal help in terms of action plans or physical assistance with recovery is not a guarantee when an unexpected event hits. Both Gair and Roche advise that enterprises plan for crises without too much expectation from the federal government. Government agencies or essential non-profit organizations may qualify for federal assistance to get back on their feet after a disaster, but private organizations or non-essential non-profits probably won’t get much except perhaps low-interest loans from the Small Business Administration, Gair says. “We have found that to be a big surprise for private enterprises.”
There is the story of NYU Langone Medical Center in Manhattan, Gair says. When Hurricane Sandy came through, the organization assumed the City would tell them what to do. “When water started coming in their facilities, they called for evacuation assistance. They got one truck. They were expecting an Army,” he says.
Gair tells another story of the City of San Jose in California being affected by flooding from a local dam. Companies located in Silicon Valley were waiting for information to make business decisions about their employees or property, but they didn’t get the kind of actionable data they were looking for and needed to make those decisions internally to protect their assets. “Governments are often better at putting out situational awareness info, whereas the private sector wants actionable information on what should we do,” he says. For that, organizations need to plan on their own and develop their own communications plans to make up the difference so they aren’t sitting and waiting.
6. Turn to your peers.
Proactively planning and assuming responsibility in an emergency are key factors to navigating a crisis with as little disruption to business operations as possible. Another key to reassessing or revamping your emergency preparedness plans is turning to your peers and community for help. “Organizations shouldn’t be afraid to ask for help and reach out to others that have been in the foxhole,” Roche says.
One thing that so many security professionals do so well is networking and talking to others in the industry. This can be vital to share information and bounce ideas off of one another to find out what has worked, what hasn’t, what they’ve planned for, and what they haven’t planned for.
And don’t be afraid to include the community, local police, fire departments and first responders in on the planning and exercises. In late September 2020, for example, The Cybersecurity and Infrastructure Security Agency (CISA) joined with public and private-sector partners to conduct an interagency Tabletop Exercise called “National Harbor 2020 – Recovery Phase Exercise,” which tested the processes and plans required by regional government and business partners following a catastrophic incident. The exercise scenario began 24 hours after a notional catastrophic incident and concluded three months after the incident, focusing on recovery processes and plans required to support the people and facilities of National Harbor in Prince Georges County, Md., surrounding communities and associated business operations.
The key takeaways for security professionals in charge of their organization’s critical response plans are to plan, reassess and prepare. Of course, it sounds simple on paper, but preparing for events that haven’t happened is no small feat, and requires looking ahead to the unknown.
“We have to learn from these things,” Roche says. “If you think it won’t happen again or you aren’t planning for the next [incident], that’s a fatal mistake.”