One can't pick up a newspaper or tune into a television news broadcast without reading or hearing a story about a fire, flood, tornado, act of violence or other "disaster." News stories, photographs and video depict the casualties and show some of the property damage. However, the long-term economic impact of the event is generally not discussed. Businesses that are unprepared to respond to an incident can suffer serious and long-term consequences. Those who are unprepared to deal with the media scrutiny following an incident can suffer additional damage - to their carefully crafted image.
Most businesses know they have to be prepared. They are aware of health and safety regulations that require employers to protect their employees, visitors, contractors and others. Property insurers may conduct surveys and make recommendations for property protection and to reduce the possibility of business interruption. Customers also ask for proof that their suppliers have plans in place. However, many businesses, particularly small- and medium-sized ones, are uncertain what preparedness entails.
There are many names used to describe plans - "disaster plan," "contingency plan," "emergency action plan" and "disaster recovery plan." These plans are components of what should be an integrated emergency management and business continuity program. A program is needed, not just plans and procedures. The program should be based on national standards - specifically NFPA 1600.[1] NFPA 1600 has been adopted by the U.S. Department of Homeland Security,[2] recommended by the 9-11 Commission,[3] recommended within Title VII of the National Intelligence Reform Act of 2004, and most recently has been referenced within Title IX of the "Implementing Recommendations of the 9/11 Commission Act of 2007."[4] NFPA 1600 is often referred to as the "National Preparedness Standard."
NFPA 1600 is not a "how-to guide" that provides pages of prescriptive requirements. Rather, it defines the essential elements and the relationship of those elements within an emergency management and business continuity program. This article will discuss many of these essential elements.
GETTING STARTED
Development, implementation and maintenance of an effective emergency management and business continuity program begins with management commitment. NFPA 1600, section 4.1, requires the program to include an "executive policy including vision, mission statement, roles and responsibilities, and enabling authority." This includes multiyear funding support, commitment to engage the people and resources within the organization, and direction for the program so it is consistent with the vision of the senior management team. Management should articulate its support by signing an executive policy statement and distribute it throughout the organization.
An advisory committee should be formed to provide guidance and assist with development of the program, as specified in NFPA 1600, section 4.3. The advisory committee should include representatives of all important departments of the organization. Outside agencies including fire, law enforcement, emergency medical services and emergency management agencies should be consulted. A program coordinator should be appointed to lead the advisory committee and program development activities.
Initial efforts should also include an evaluation of any existing program. This program evaluation, specified in NFPA 1600: 4.4.2, should include a review of people organized to respond to emergencies, maintain critical business functions and recovery facilities and operations. The review should also include plans, procedures and an assessment of the availability and capabilities of resources that are needed for preparedness, response, business continuity and recovery. The purpose is to build on the strengths of the existing program and prioritize actions to address identified deficiencies.
Laws and regulations that define what must be done.
Regulations that may apply include OSHA standards, building codes, fire codes, life safety codes, environmental regulations, homeland security regulations and many more. Similarly, best practices should be reviewed, such as NFPA standards and recommended practices, and professional practices for business continuity.
RISK ASSESSMENT
Risk assessment is often overlooked when plans and procedures are developed. Conducting a thorough risk assessment is important to identify hazards and the hazard scenarios that a facility or business organization may face. A risk assessment is also required by NFPA 1600, section 5.3. An understanding of the nature of a hazard, its probability of occurrence and the potential impact of the hazard on people, facilities, systems, equipment, business operations and the environment is needed to determine priorities for prevention, mitigation and plan development. Hazards that are probable, or whose impacts may be significant, should be studied further. Experts should be engaged to conduct a vulnerability analysis to identify weaknesses in infrastructure, buildings, systems and equipment.
One of the goals of the program should be to prevent hazards that can be prevented. Fire prevention, employee safety and health, security and environmental management programs all include aspects of prevention or deterrence (NFPA 1600:5.4). Recognizing that some hazards, in particular natural hazards, cannot be prevented, professionals should be engaged to identify opportunities to mitigate the impacts of these hazards (NFPA 1600:5.5). Land use practices to locate new buildings away from earthquake faults, flood zones and attractive terrorist targets are a few examples. Designing and building to withstand maximum expected wind or seismic forces can help mitigate the impacts of hurricane-force winds and earthquake-induced ground shaking.
Hazards to be considered should include:
- Injury
- Illness
- Food-borne illness (mass)
- Explosion
- Fire
- Bomb explosion
- Rescue from confined space, high angle or entrapment
- Hazardous material spill or release
- Radiological accident
- Hazmat incident off-site
- Nuclear power plant incident
- Natural gas leak
- Flooding
- Dam/Levee failure
- Severe thunderstorm
- Tornado
- Windstorm
- Hurricanes and tropical storms
- Winter storm (snow/ice)
- Tsunami
- Earthquake
- Landslide
- Subsidence/Sinkhole
- Volcano
- Labor strike
- Demonstrations
- Civil disturbance (riot)
- Bomb threat
- Lost/Separated person(s)
- Child abduction
- Kidnap/Extortion
- Hostage incident
- Workplace violence
- Robbery
- Sniper incident
- Terrorism
- Arson
- Utility Interruption or failure
RESOURCE MANAGEMENT
Resources also include facilities, systems, equipment and materials. Fire detection and suppression systems, the means of egress system, communications and warning systems, and environmental containment systems are a few examples. Competent professionals, including fire protection engineers who can evaluate occupancy hazards and required fire protection, should be engaged. Likewise, other disciplines, including safety, security and environmental professionals, are needed to evaluate other hazards, recommend prevention and mitigation strategies, develop program components and respond when an incident occurs.
NFPA 1600, section 5.6.6, requires compilation of an inventory of resources. Periodically, an evaluation of the availability and capability of personnel, facilities, systems, equipment and supplies needed to support the program should be conducted. Outside agencies and service providers should also be evaluated to determine gaps or shortfalls.
NFPA 1600, section 5.12.1, requires that each "entity shall establish a primary and an alternate emergency operations center (EOC), physical or virtual, capable of managing continuity, response and recovery operations." The backup EOC is required in case the primary EOC is unusable or inaccessible. Many larger corporations have well-appointed EOCs, whereas small businesses can equip a conference room with additional communications capabilities and planning tools. Virtual EOCs that use telephone conferencing and computer networking capabilities now enable collaboration between staff scattered between distant offices.
PLAN DEVELOPMENT
Detailed plans for emergency response, business continuity, crisis communications and recovery should be written to define the organization, roles, responsibilities and hazard-specific actions to take when an incident occurs.
The minimum emergency response plan should include protective actions for life safety, including evacuation, sheltering-in-place and lockdown (NFPA 1600:5.11.3). Evacuation teams should be organized and plans should be developed in compliance with fire prevention and life safety codes, and OSHA regulations for scenarios including fire, bomb threats, hazardous materials spills and other hazards. Shelter-in-place plans should be developed to protect building occupants when there is an exterior airborne hazard, such as a hazardous materials incident or act of terrorism. Lock down procedures should be established to protect occupants when there is a security threat outside the building or when there is a security threat such as an armed perpetrator within a building.
Information gleaned from the risk assessment and the resource management processes may also identify scenarios that warrant organizing and equipping emergency response teams and development of hazard-specific plans. Organization of a medical response team with personnel certified to administer first aid, perform CPR and utilize automated external defibrillators may be appropriate if public emergency services cannot respond promptly. A medical capability may also be required by OSHA standards if a medical facility is not in near proximity. Additional teams may be warranted for firefighting, rescue or containment of hazardous materials. If so, OSHA regulations and applicable NFPA standards should be consulted to determine minimum requirements and best practices for staffing, plans, training and equipment.
Plans should be developed for hazards with a high frequency of occurrence or whose severity of impact may be significant. This includes natural hazards, such as flooding, earthquake, hurricane, tornado and severe weather. Staff should be organized and procedures should be documented for response to security threats, including bomb threats, suspicious packages, protests, disturbances and acts of violence.
Facilities and business operations are highly dependent upon critical infrastructure, which includes electricity, telecommunications, potable water, natural gas and steam. Loss of utilities may be an inconvenience if short in duration or could develop into an emergency if the duration of the outage is lengthy.
Today, businesses operate in a world of just-in-time manufacturing, computer-controlled processes and a high dependence on telecommunications and data processing functions. The quest for high efficiency and maximum profitability has eliminated duplication and redundancy that provided a measure of resiliency when something went wrong. Business continuity and information technology disaster recovery planning have become essential to maintain critical business functions during interruptions or disruptions.
The challenge in developing business continuity strategies and defining the requirements to implement those strategies is one of cost. To ensure a high level of resiliency and the ability to overcome any outage would require a totally redundant facility that operates in parallel. The cost to run a parallel facility is prohibitive in most cases and can only be justified by firms such as those in the financial services sector processing millions of dollars in transactions every hour.
Before business continuity strategies can be developed and the requirements to support them defined, businesses must conduct a business impact analysis (BIA), as specified in NFPA 1600, section 5.3.3. The BIA must identify critical business processes and functions, the maximum time that a process or function can be down before the impact on the organization reaches an unacceptable level, and the resource requirements to restore the critical process or function to a minimum acceptable level.
Completion of the BIA should identify the operational and financial impacts of the interruption or disruption of business functions. Graphing the financial impact over time (e.g., 8 hours, 1 day, 2 days, 3 days, 1 week, 1 month, etc.) makes it easier to understand when the financial impact of an outage becomes too great for the organization to accept. This point becomes the Recovery Time Objective - the point in time when a process or business function must be restored before the impacts are unacceptable.
Determination of the financial impact for loss of critical functions over time provides justification for prevention and mitigation strategies, and helps determine how much capital should be invested in recovery strategies.
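The graphing step described above can be carried out numerically. The following is an added example, not part of the original article or of NFPA 1600: it takes cumulative loss figures at the article's checkpoints and finds where each process crosses the organization's loss limit. The process names, dollar figures, the single loss limit and the linear interpolation between checkpoints are all assumptions made for illustration.

```python
"""Added example: derive a Recovery Time Objective (RTO) from BIA loss figures."""

# Outage durations from the article's graphing suggestion, in hours:
# 8 hours, 1 day, 2 days, 3 days, 1 week, 1 month (taken as 30 days).
CHECKPOINTS_H = [8, 24, 48, 72, 168, 720]

# Constructed sample data: cumulative financial impact (USD) at each checkpoint.
SAMPLE_BIA = {
    "order processing": [5_000, 40_000, 120_000, 250_000, 900_000, 4_000_000],
    "payroll": [0, 0, 2_000, 10_000, 60_000, 500_000],
    "marketing site": [100, 500, 1_000, 2_000, 8_000, 40_000],
}


def recovery_time_objective(losses, max_acceptable_loss, checkpoints=CHECKPOINTS_H):
    """Return the outage duration (hours) at which cumulative loss reaches the
    limit, or None if the limit is never reached within the last checkpoint.

    Assumes zero loss at hour 0 and a straight line between checkpoints.
    """
    if len(losses) != len(checkpoints):
        raise ValueError("one loss figure is required per checkpoint")
    prev_t, prev_loss = 0, 0
    for t, loss in zip(checkpoints, losses):
        if loss < prev_loss:
            raise ValueError("cumulative loss cannot decrease over time")
        if loss >= max_acceptable_loss:
            if loss == prev_loss:  # limit already met at the previous point
                return float(prev_t)
            frac = (max_acceptable_loss - prev_loss) / (loss - prev_loss)
            return prev_t + frac * (t - prev_t)
        prev_t, prev_loss = t, loss
    return None


def recovery_priorities(bia, max_acceptable_loss):
    """Rank processes by RTO, shortest first; processes that never reach the
    limit within the horizon are listed last."""
    rtos = {
        name: recovery_time_objective(losses, max_acceptable_loss)
        for name, losses in bia.items()
    }
    return sorted(
        rtos.items(),
        key=lambda item: (item[1] is None, item[1] if item[1] is not None else 0),
    )


if __name__ == "__main__":
    for name, rto in recovery_priorities(SAMPLE_BIA, max_acceptable_loss=100_000):
        label = "beyond 1 month" if rto is None else f"{rto:.1f} h"
        print(f"{name:18s} RTO: {label}")
```

A process whose curve never reaches the limit is a candidate for a low-cost recovery strategy, while a short RTO justifies more capital for prevention, mitigation and recovery.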
Business continuity strategies should be developed next, together with identification of the facility, systems, equipment, personnel, materials, supplies and other resources needed to implement them (NFPA 1600:5.6.3). Strategies could include use of another company-owned facility to manufacture a product or house staff that provides a specific service. Other strategies could include use of vendor or partner resources to produce a product or provide a service. Agreements should be formalized for any mutual aid or partnership arrangements (NFPA 1600:5.7).
Information is the life blood of business, and information is stored on electronic media such as tapes, servers, individual computer hard drives and even portable devices. Vital records are also essential to running a business and rebuilding a business that suffers damage. Vital records include legal documents, drawings and specifications for facility production machinery, equipment and processes. Protection of electronic information and vital records should be evaluated during the risk assessment process and protected as much as economically justified. Secure backups of electronic information should be maintained offsite, and the backup schedule must be frequent enough so the amount of data lost between backups is not significant (NFPA 1600:5.6.3(1)). Today, the cost for data mirroring and online data backup has dropped to become affordable for even small businesses.
Recovery plans should also address the human impact of emergencies and disasters. The provision of counseling services available from employee assistance providers or other mental health service providers should be defined in the plan. Protocols and procedures for supporting family members of employees should also be included.
TRAINING, DRILLS AND EXERCISES
Training is essential to ensure that everyone knows about plans and procedures and their role and responsibilities (NFPA 1600:5.13.2). This includes all employees. At the very least, all employees should be aware of basic identify and protect business information including computer networks and electronic media. Everyone should know emergency plans including evacuation, shelter-in-place and lock down procedures.
Members of emergency response teams, business continuity teams and those who are responsible for communications during an incident must receive a higher level of training. A training curriculum should be established in accordance with NFPA 1600, section 5.13.1, that covers the organization, policies, procedures and all aspects of the program. In addition, members of emergency response and business continuity teams should be trained on the use of the entity's incident management system as specified in NFPA 1600, section 5.13.4. Within the United States, the National Incident Management System/Incident Command System has been codified by Homeland Security Presidential Decision Directive 5[5] as the incident management system to be used within the public sector.
Evacuation, shelter-in-place and lock down drills should be conducted at least annually, or more frequently if required by regulations. Members of emergency response and business continuity teams should participate in drills to hone individual skills. Drills that involve hands-on operation of occupant warning systems, communications systems, fire protection systems and manual firefighting equipment are recommended and may be required by regulations.
NFPA 1600, section 5.14.1, requires that each "entity shall evaluate program plans, procedures and capabilities through periodic reviews, testing and exercises." Exercises are an excellent means to evaluate the program. They include tabletop exercises that familiarize team members with plans, challenge them to assess hypothetical situations and determine how to protect people, property, operations and the environment. Functional exercises require more planning and require team members to act in their assigned roles and follow prescribed plans to manage a simulated incident. Full-scale exercises are the most extensive and costly type of exercise and involve the physical movement of people and equipment in response to a staged emergency incident.
PROGRAM EVALUATION AND REVISION
Periodic evaluation of the emergency management and business continuity program is required by NFPA 1600, section 4.4. There are numerous triggers that would necessitate a program review. Whenever hazards change or the knowledge of hazards changes, the risk assessment and program elements that depend upon the risk assessment should be updated. Construction or substantial renovation of buildings, changes or additions to major processes or systems, and changes to rosters of emergency response and business continuity teams are all reasons for program evaluation. Post-incident critiques and published lessons learned from major events may also trigger program evaluation.
Whenever deficiencies are identified, they should be resolved through a corrective action program (NFPA 1600:5.14.4). Program elements should be revised or updated, and action should be taken to ensure capable resources are available when needed. This continuous improvement process is needed to ensure that when the time comes, the emergency management and business continuity program will be able to protect people, property, business operations, the environment and the organization itself.
Donald L. Schmidt is with Preparedness, LLC.
References:
1. NFPA 1600, Standard for Disaster/Emergency Management and Business Continuity, National Fire Protection Association, Quincy, MA, 2008.
2. U.S. Department of Homeland Security Science & Technology Standards, http://www.dhs.gov/xfrstresp/standards/editorial_0420.shtm
3. The 9/11 Commission Report, p. 398, http://govinfo.library.unt.edu/911/report/911Report.pdf
4. Implementing Recommendations of the 9/11 Commission Act of 2007, p. 106.
5. Homeland Security Presidential Directive/HSPD-5, "Management of Domestic Incidents," The White House, Washington, DC, 2003.