Preparedness Planning for Private Sector Business

¶ … organization is derived from the preparedness cycle developed by the National Incident Management System (NIMS) and utilized by the Federal Emergency Management Association (FEMA) of the U.S. Department of Homeland Security and other disaster response / emergency preparedness organizations. A primary advantage of using this proven model is that it provides a consistently implemented and commonly understood approach to disaster preparedness.

The preparedness cycle is a continuously renewing series of integrated components that enable the a state of preparedness to be achieved and maintained, and includes the following: Planning, organizing, training, equipping, exercising, evaluating, and taking corrective action ("Preparedness," 2014). The components of the NIMS preparedness cycle are shown below. Figure 1. NIMS Preparedness Cycle Organizational preparedness requires the coordinated effort of both internal and external individuals, and the engagement of agencies and resources external to the focus organization.

These external resources are dedicated to incident response and emergency management, an important aspect of which is coordination of effort. Undergirding the need for disaster readiness is the markedly more efficacious implementation of incident response activities and emergency management processes and procedures in the presence of a continuous organizational preparedness cycle. Source: National Incident Management System, FEMA. 2014 Not every component of the preparedness cycle is present in every phase of the development of a preparedness plan for an organization.

Indeed, the linkages are often of the dotted line type, which indicates a relationship more rigorous than a bookmark, say, but signals that the implementation of some components will be more fully addressed in other phases of preparedness plan development. Throughout the discussion, remarks about the role of the components of the preparedness cycle are included in each of the four main topics: 1) The identification of threats and vulnerabilities; 2) the situational and information analyses; 3) the preparation, prevention, and response; and, 4) the impact mitigation.

Note that the author has not used the first person in this proposal for an organization preparedness plan, however, it may be assumed that the author will direct the introduction and implementation of the preparedness plan as it is articulated throughout the enterprise. I. Identification of Threats and Vulnerabilities The process of identifying threats and vulnerabilities is most certainly an ongoing endeavor. Current and historical incidents and events have shown the importance of connecting the dots in a manner that reveals both expected and unexpected patterns.

Within an organization, the capacity to think outside of conventional frames is often constrained by a full court press to conform. Maverick thinking is often frowned upon, such that it is quite possible that the identification of threats and vulnerabilities can suffer from a lack of imagination -- though not on the scale of 9/11, this problem is often seen in organization governed by boards of directors, chairmen, and a full C-suite of executives who may tilt in favor of stakeholder perceptions.

The nature of an enterprise is such that it may loose track of its organizational memory, and develop a bias toward the exigencies of the immediate business landscape, wherein the collective organizational attention is directed toward what the competition is doing or perceived as about to do. This is a corollary phenomenon of the deeply experienced critical incident commander who tends to draw from past experience without fully integrating new information about current threats and vulnerabilities.

The components of the preparedness cycle that are most engaged in this phase of preparedness plan development are planning, evaluating, and corrective action ("Preparedness," 2014). To facilitate the development of enterprise preparedness plans, FEMA has developed a voluntary preparedness program for the private sector. The voluntary program offers several paths to preparedness that enterprises in the private sector can follow, including "following best practice programs, aligning to a standard or certifying to a standard" ("Private Sector," 2014).

The range of difficulties that an organization can face as a result of some catastrophe is exceedingly broad, the least of which is potential temporary disruption of operations, or worse -- high costs to restore the enterprise, and the loss or cessation of business revenue ("Private Sector," 2014). Data loss and impaired facilities are probable, and can result in business relationships being impacted or severed ("Private Sector," 2014). Worse case scenarios include complete loss of facilities and fatalities of employees and customers ("Private Sector," 2014).

The key objectives of the business preparedness plan are continuity and recovery ("Private Sector," 2014). This means that organizations must develop a preparedness plan that fosters the capacity to comprehensively address business continuity, disaster response management, emergency preparedness, and strong organizational resilience. The standard of preparedness selected for this organizational preparedness plan is based on the guide developed by ASIS, which is described as "a comprehensive management systems approach for security, preparedness, response, mitigation, business / operational continuity, and recovery for disruptive incidents resulting in an emergency, crisis, or disaster" ("ASIS," 2009, p. 3).

Articulating the scope of the preparedness plan is an early step in this phase, which consist primarily of determining whether preparedness and resilience of the entire organization will be addressed, or if certain constituent parts will be the focus ("ASIS," 2009). Within the risk scenarios determined, consideration must also be directed to mission related obligation, legal responsibilities, and critical operational goals ("ASIS," 2009).

All of these component considerations and aspects of the enterprise business will be entered into a matrix that will be used to reflect strategic weighting according to the risk assessment and impact analysis (see Appendix A -- Risk Assessment Matrix). Once the strategic weighting has been accomplished, the organization will refine (or develop, if this is an initial preparedness plan) and communicate relevant policy that appropriately reflects the current understanding of the type and size of potential threats and vulnerabilities, in conjunction with enterprise objectives ("ASIS," 2009).

Concomitant with this policy, management will disseminate a strong statement communicating the policies, the allocation of preparedness and resilience resources, the development of competencies, and the importance of achieving the preparedness plan objectives under the designated authority ("ASIS," 2009). By adopting the standards developed by the American National Standards Institute, the enterprise will ensure that objectives, procedures, and processes are established to enable the achievement of obligations defined in policy and the commitment of management to the operational resiliency ("ASIS," 2009). II.

Situational and Information Analyses The components of the preparedness cycle that are utilized the most in this phase of preparedness plan development are organizing and evaluating ("Preparedness," 2014). Key objectives of this phase are the assurance of competence and awareness, and a demonstration of conformity to the ASIS standards and applicable standards of NIMS, and the residual components of ICS that are still employed albeit in an updated NIMS format ("ASIS," 2009).

The situational and informational analysis encompasses a broadly-based survey of operational activities designed to pinpoint specific intentional and unintentional vulnerabilities and threats that have the "potential for direct or indirect impact on the organization's operations, functions, and human, intangible, and physical assets; the environment; and its stakeholders" ("ASIS," 2009, p. 7).

The organization must ensure it has the capability to connect with and support integrated multi-agency coordination systems (MACs), as conducted between local 911 Centers, local Incident Command Posts (ICPs), local Emergency Operations Centers (EOCs), and the state, regional, and federal level EOCs ("NIMS Integration Center," 2006). Memorandum of Understandings (MOUs) and Memorandum of Agreements (MOAs) will be established with the government agencies and with other private sector organizations to ensure that personnel and resources are shared in the event of an incident or disaster event so warranted ("NIMS Integration Center," 2006).

These agreements will provide information about the credentials held by the incidence response personnel ("NIMS Integration Center," 2006). An aspect of multi-agency coordination includes provisions for shared information and shared response assets ("NIMS Integration Center," 2006). To enable the mutual benefits from optimized multi-agency coordination, the organization will conduct an inventory of response assets, and will share the completed and regularly updated inventory with the local authority for emergency management ("NIMS Integration Center," 2006).

In addition, the organization will establish and promote an information system to disseminate preparedness plan information, emergency management and incident response information within the organization and with relevant stakeholders in the event of an incident ("NIMS Integration Center," 2006). Relevant stakeholders could include the media, local emergency management personnel, and other private sector enterprises with which the organization might share resources as well as information (see Appendix B -- Business Continuity Resource Requirements, and Appendix C -- Business Continuity Plan) ("NIMS Integration Center," 2006). III.

Preparation, Prevention, and Response The components of the preparedness cycle that are active during this phase of preparedness plan development are planning, organizing, training, equipping, exercising, evaluating, and taking corrective action ("Preparedness," 2014). An important but easily overlooked component of a preparedness plan is the identification of points of contact for the organization ("NIMS Integration Center," 2006). A current list of the names and contact information of the organization's points of contact needs to be shared with the local authorities for emergency management.

These lists of points of contact should be maintain in a current mode and not just updated when a batch of changes have been collected and saved for a convenient time. Incorrect information about the location of people, their responsibilities during an emergency or incident, and the network of people connected to each key point of contact must be correct at all times in order to avoid jeopardizing first responder personnel during an actual emergency situation.

An important aspect of the preparedness plan development processes and procedures is the use of plain language that is easy to understand and is common to the many stakeholders in the array of emergency management and incidence response agencies -- and in enterprises in the private sector ("ASIS," 2009). Standardized and consistent terminology is basic to the ICS and NIMS protocols; plain language continues to be a favored in emergency information management, preparedness communications, and intelligence sharing ("ASIS," 2009).

The use of plain language minimizes confusion and reduces the chance of miscommunication among first responders and decision-makers due to the expediency multiple that standardized language lends to communication and implementation ("ASIS," 2009). Key drivers of an emergency and incident response communication system are the capacity to maintain and share a common operating picture, and ensuring accessibility and interoperability ("ASIS," 2009).

Members of the emergency preparedness and incidence response teams in the organization will participate in versions of NIMS training programs or adopted full-component training programs that are conducted in conformance to the NIMS National Standard Curriculum ("ASIS," 2009). Additionally, the members of the emergency preparedness and incidence response teams in the organization will participate in NIMS exercises held at the stated, regional, tribal, and/or local levels ("ASIS," 2009).

Any employees in the organization who will be involved in incident response management will participate in realistic exercises that are multi-disciplinary and multi-jurisdictional in nature (see Appendix B -- Business Continuity Resources Requirements Worksheet, and Appendix C -- Business Continuity Plan) ("ASIS," 2009). IV. Impact Mitigation Mitigation includes the ways and means of reducing or minimizing the impact of a disruptive event ("ASIS," 2014). The components of the preparedness cycle that are central to this phase of preparedness plan development are planning, organizing, training, equipping, exercising, evaluating, and taking corrective action ("Preparedness," 2014).

The organization will provide strategic programs for prevention and deterrence of incidents that can disrupt the business of the enterprise. Efforts will be directed toward avoiding, deterring, eliminating, or preventing incidents and their consequence, including the capacity to remove physical assets or people who may be at risk ("ASIS," 2014). Impact mitigation applies to the occurrence of an incident or emergency event, as well. First responders focus on mitigating any threat of any immediate harm to people and property. During trainings, exercises,.