Now That You Have a Plan, Are You Testing It?

As someone who has been engaged by consulting clients and full-time employers to conduct threat assessments and write security and emergency preparedness plans, I am often left puzzled by how many organizations go to great lengths to assess their vulnerabilities and create plans to address them, but almost never test their ongoing effectiveness. In the safety space, workplaces almost never think twice about regular fire drills and shelter-in-place exercises. However, many employers, often out of a desire to “not alarm” their occupants, rarely test their security or disaster plans – presenting a circumstance where their plans may be set up for failure.

After the 9/11 attacks, the US government started to look at the issue of practicing the intricate relationships between federal, state and local police, fire and medical response agencies to simulated large-scale disasters, culminating with the hulking multi-state TOPOFF exercises of the mid-2000s. However, in the second decade of the millennium, these exercises started to wane and the private sector saw even fewer real-time disaster or security breach drills, despite the lessons learned by the modern surge of active shooter incidents like those seen in Parkland, Las Vegas and Orlando.

Last year, New York State’s Division of Homeland Security and Emergency conducted counter terrorism exercises at 1,000 locations across New York in 2018, demonstrating a 56-percent increase in these operations since 2016. In doing so, the Office of Counter Terrorism partnered with more than 400 law enforcement personnel from more than 100 agencies statewide to conduct exercises in every county, as mandated by Gov. Andrew Cuomo (D), for  a wide range of businesses that offer products or services that could be used in a myriad of potential terrorist plots.

More importantly, New York’s strategy of conducting exercises aimed at simulated planning, casing, or suspicious activities at various businesses was aimed at security and the prevention of possible attacks, to increase heightened awareness to effectively identify and report suspicious activity that leads to arrests. Teams assessed 172 truck rental locations, 134 hardware stores, 111 hotels, 75 drone retailers, 69 gun stores, and a number of other large retailers and businesses that sell chemicals or components used in the construction of explosive devices.

Traditionally, exercises were conducted at monuments and mass-gathering locations including stadiums, transit hubs, malls, colleges and hospitals. In addition to these 1,000 exercises, New York also partnered with federal, state and local law enforcement agencies in the DHS-funded "Operation NY-SECURE" to conduct counter terrorism and incident response exercises along Amtrak routes and MTA commuter lines to improve coordination and response between the agencies responsible for each station, and the law enforcement agencies that respond to emergencies there.

New York’s recent examples beg the question: what are you doing to test your security and emergency management plans? Put more simply, how can a security leader be 100-percent confident that your organization is able to handle a security incident or major emergency if it were to happen today if they aren’t running practical, regular tests of their plans?

If you’re one of the many organizations that don’t regularly conduct exercises to test their security and/or emergency plans, here are some basic steps to follow in making sure your plans include the right kinds of training and testing to maintain facility safety and security.

As the former Director, Office of Investigations for the American Board of Internal Medicine, I was grateful to have the majority of my stakeholders functioning under the Emergency Preparedness Rule (EPR), a Center for Medicare & Medicaid Services rule which went into effect in November 2017 intended to ensure that healthcare facilities are prepared for natural, technology, infrastructure, or man-made threats. The EPR serves as a good baseline for organizational preparedness and encompasses the following four primary training and exercise tasks, which include:

1. EMERGENCY TRAINING. Organizations are expected to develop comprehensive disaster training programs and communicate them to their employees.
2. ONGOING RETRAINING. Employees should receive no less than annual refreshers on emergency procedures and should be retrained to demonstrate knowledge as necessary.
3. ORGANIZATIONAL EXERCISES (DRILLS). Set up in-house drills that test staff response to various threats. Observe failure points and immediately address them.
4. COMMUNITY DRILLS. Collaborate with community groups and agencies to conduct regional-level exercises that test your response as part of the community. This is especially important in multi-jurisdictional environments where emergency response and evacuation responsibilities add transit and port authorities, special purpose agencies and private organizations to the traditional fire, police and EMS agency response.

It’s important to note that part of the healthcare emergency preparedness rule is being able to prove that providers are demonstrating community outreach in their plans. This demonstrates a national best practice to ensure that organizations work hand-in-hand with first responders to preserve safety and security as well as a continuity in vital operations. Most importantly, healthcare facilities covered by this rule must demonstrate the completion of two training exercises per year, and the plan itself must be updated annually at a minimum. Furthermore, contractors and subcontractors are also required to be trained on the emergency plan, just as employees are to demonstrate compliance with federal and state law.

Therefore, when you develop and conduct exercises for your organizations, cast as wide a net as possible to include community stakeholders. The larger-scale your mock disaster exercise, the bigger its chance for success. Remember, the threat assessment and planning process never “ends.” Regular assessments and exercises are the key to identifying and eliminating emerging risks. Each time you run through a disaster scenario, you will discover new issues to be addressed where training and security measures may be needed. A success in this regard is an organization with comprehensive plans in place, which takes the steps required to ensure its validity amid a changing threat landscape.