Though the 2020 storm season has ended, next year’s storm season will soon be upon us and, with COVID-19 still in the air, the collision between the current pandemic or a future pandemic and the ensuing storm season is inevitable.
One of the things we learned from the pandemic and last year’s storm and natural disaster season is that many of the tried-and-true protocols don’t work or can’t be enforced during a global health crisis such as COVID-19. Take, for example, evacuation measures during a hurricane, which put those affected in densely populated evacuation shelters, contrary to social distancing measures. In addition, with a global pandemic, workforce shortages, delays in supplies and materials, funding shortfalls or insufficient hospital capacity will also impact emergency response during a natural disaster.
In today’s world, enterprises must prepare and plan for an array of critical responses, including pandemics, workplace violence, and natural disasters such as wildfires, tornadoes, flooding, earthquakes, hurricanes and more. Making sure your organization’s disaster and critical response plans are continually updated and include lessons learned from COVID-19 and past incidents is imperative to preparing the enterprise for the next impactful event to minimize disruption to business operations and ensure business continuity.
Here are six tips from emergency response experts on how to revamp and evaluate your emergency and disaster preparedness plans at your organization.
Practical Advice for Evaluating Your Critical Response Plans
Organizations should be consistently evaluating their critical response plans, but for many organizations and the professionals in charge of such a task, where to start may be the most daunting part of the process.
To make it simple, says Brad Gair at Witt O’Brien’s, start with the thing you are most concerned about. “If you are most concerned about a hurricane, start with that,” he says. You can start by mirroring what’s called the “Five Day Cone” in a hurricane center. In other words, if the incident you are planning for can be detected or projected beforehand, begin a countdown for planning that starts with five days out. “If a hurricane is five days out, what should I do on day 5, then day 4, until day 1,” Gair says.
The approach is a methodical one. After focusing on the preparations, ask what you would do in the first week after a disaster hits, then the first month, etc. “Count down and then count up. It’s easier to build a plan that can be very functional without being overly complicated,” he adds.
In the case of an event such as an explosion or an earthquake where there might be no countdown time, the count up from after the disaster hits becomes very important and the planning will look different, says Bill Roche at Witt O’Brien’s. “Plan for the worst-case scenarios,” he says.
An important part of evaluating an incident response plan is ensuring that it covers protection of people, property and the business. “If you organize your planning around various functions that you have to carry out [such as medical assistance, sheltering, search and rescue, provisions such as food and water], then you can build your plans around each component,” Roche says.
1. Plan for simultaneous events.
“The stacking concept is something the emergency management world doesn’t do particularly well in terms of planning,” says Brad Gair, Senior Managing Director at Witt O’Brien’s. “Most disaster planning is single focused.” Gair, who has more than 25 years of emergency management and homeland security experience, served as Deputy Commissioner of NYC Office of Emergency Management and then as founding Director of the Mayor’s Office of Housing Recovery Operations and NYC Recovery Managers, as well as NYU Langone Health’s first Vice President for Emergency Management and Enterprise Resilience.
He says that siloed plans don’t allow for mixing and matching of functions in an event such as a pandemic and a hurricane where you are dealing with quarantining and shelter plans at once. A plan that envisions multiple impacts or simultaneous events is a key lesson learned from the COVID-19 pandemic and the 2020 storm season.
“The planning field has been altered greatly,” says Bill Roche, Senior Program Manager at Witt O’Brien’s. Roche has deep-rooted experience in disaster planning, response and recovery operations, serving as Deputy Regional Administrator for the Department of Homeland Security and the Federal Emergency Management Agency (FEMA), Region IX as well as holding multiple positions while at both DHS and FEMA. Roche urges enterprises and security professionals to take a look at their “stovetop” plans that are singularly focused and revisit those plans by opening up the aperture to figure out what other situations may occur.
2. Determine responsibility.
Disaster planning is wrapped up in having the ability to know who is responsible for what actions, advises Roche. “You’ve got to have everyone singing off the same sheet of music,” he says. “It’s vital that everybody understands what their roles are.”
This takes communication and then further communication. From a planning perspective, one pitfall with any major disaster event, Roche says, is getting hung up on who is in charge of what. “You’ve got to give people a play in the play book to understand that,” he adds.
Gair says that another pitfall he sees with disaster planning is trying to restructure responsibilities during or directly after an event has occurred. “It may sound like obvious advice, but we advise that the way you operate your business every day is the best structure to operate your business during a crisis,” he says. In fact, Gair adds, it’s a good idea for enterprises to mimic their normal operating structure as much as possible, but if people are suddenly in charge of different functions when the crisis response plan is needed, then they need to be aware and ready for that in advance. In those cases, planning for and having the ability to cross train employees and departments as needed to keep the business going is imperative.
Critical Response 101: What to Do When You Don’t Have a Plan
“If you don’t have a plan in place or what you have is insufficient, you fall back on incident-based planning,” says Brad Gair of Witt O’Brien’s. Here are three immediate steps:
1. Keep it simple. The first thing to do is identify the immediate areas that need attention. “List five priorities of what must take place in the immediate time period,” Gair suggests.
2. Identify what you need to accomplish those priorities. For example, if a facility is damaged and/or the workforce can’t come in to work, perhaps one of the highest priorities on your list is transitioning employees to working at home to ensure business continuity. “Then break it down into manageable bites to accomplish that task. Do you have the necessary work-from-home technology? Determine how many laptops or what equipment you need and focus on each,” Gair says.
3. Assign resources to each of those priorities. For example, if work-from-home technology is needed, assign IT to garner the appropriate technology or assign staff responsible for each task.
“[Not having a plan in place] is not ideal, especially when life safety is involved, but you can make up for bad planning by doing good incident planning with clear objectives, and you can probably limit some of the damage to your organization,” Gair says.
3. Get buy-in now.
“There is a natural tendency when something happens that you’ll get full attention of the C-suite, particularly if there’s been significant business loss,” Gair says. Indeed, with COVID-19 fresh in everyone’s minds, now is the time to take advantage of that focus and plan for the next crisis. To capitalize on the renewed focus on preparedness, Gair says, focus on regular drills and exercises with staff as well as community partners.
Tabletop drills and exercises not only keep plans fresh, they keep staff and organizations prepared and can help point out vulnerabilities and areas that need further assessments.
4. Focus on the next thing.
Perhaps just as imperative as communicating and training is planning for the next event. “If you build your plans around a disaster that has already happened, the only thing you are guaranteed is that you will never get the same disaster twice,” Gair says.
If your organization has been through a crisis or you’ve seen peers navigate a particular crisis, it can be helpful to use that as a backbone in planning to make sure you don’t have the same impact to your business, but planning needs to go a step further. “What tends to happen is we have seen time and again people dropping everything after an event such as 9/11 or Hurricane Katrina and planning for that again. You’ve got to focus on the next thing that will be different,” says Gair.
Take COVID-19, for example. While it’s a unique incident, it’s certainly not the only pandemic we’ve seen. There was West Nile Virus, SARS, H1N1 and Zika. Though none of these had the same global impact, the point is, you’ve got to plan for catastrophic events that may never happen in order to be prepared. Gair recommends every enterprise obtain their local county and state emergency plans to see what they are planning for. “They’ve already done risk analysis and planning, so you can at least see what they consider as risks and you plan from there,” he says.
5. Don’t expect outside help.
Federal help in terms of action plans or physical assistance with recovery is not a guarantee when an unexpected event hits. Both Gair and Roche advise that enterprises plan for crises without too much expectation from the federal government. Government agencies or essential non-profit organizations may qualify for federal assistance to get back on their feet after a disaster, but private organizations or non-essential non-profits probably won’t get much except perhaps low-interest loans from the Small Business Administration, Gair says. “We have found that to be a big surprise for private enterprises.”
There is the story of NYU Langone Medical Center in Manhattan, Gair says. When Hurricane Sandy came through, the organization assumed the City would tell them what to do. “When water started coming in their facilities, they called for evacuation assistance. They got one truck. They were expecting an Army,” he says.
Gair tells another story of the City of San Jose in California being affected by flooding from a local dam. Companies located in Silicon Valley were waiting for information to make business decisions about their employees or property, but they didn’t get the kind of actionable data they were looking for and needed to make those decisions internally to protect their assets. “Governments are often better at putting out situational awareness info, whereas the private sector wants actionable information on what should we do,” he says. For that, organizations need to plan on their own and develop their own communications plans to make up the difference so they aren’t sitting and waiting.
Crisis Planning Tip: Use Social Media
“Take a hard look at your communication plan,” says Bill Roche of Witt O’Brien’s. “What has changed now is different social media platforms allow you to share information quickly.” For example, he says, if in the wake of a hurricane a business needs to know what gas stations are working, instead of calling the city or trying to find news, post a social media question or text someone in the next town that may know those things. “Simple things like that can get you a lot of information a lot faster,” he says.
6. Turn to your peers.
Proactively planning and assuming responsibility in an emergency are key factors to navigating a crisis with as little disruption to business operations as possible. Another key to reassessing or revamping your emergency preparedness plans is turning to your peers and community for help. “Organizations shouldn’t be afraid to ask for help and reach out to others that have been in the foxhole,” Roche says.
One thing that so many security professionals do so well is networking and talking to others in the industry. This can be vital to share information and bounce ideas off of one another to find out what has worked, what hasn’t, what they’ve planned for, and what they haven’t planned for.
And don’t be afraid to include the community, local police, fire departments and first responders in the planning and exercises. In late September 2020, for example, the Cybersecurity and Infrastructure Security Agency (CISA) joined with public and private-sector partners to conduct an interagency tabletop exercise called “National Harbor 2020 – Recovery Phase Exercise,” which tested the processes and plans required by regional government and business partners following a catastrophic incident. The exercise scenario began 24 hours after a notional catastrophic incident and concluded three months after the incident, focusing on recovery processes and plans required to support the people and facilities of National Harbor in Prince George’s County, Md., surrounding communities and associated business operations.
The key takeaways for security professionals in charge of their organization’s critical response plans are to plan, reassess and prepare. Of course, it sounds simple on paper, but preparing for events that haven’t happened is no small feat, and requires looking ahead to the unknown.
“We have to learn from these things,” Roche says. “If you think it won’t happen again or you aren’t planning for the next [incident], that’s a fatal mistake.”