DEVELOPING ACTIONABLE

Transcription

1 M LIS DE DI M W G TE A TY RI N PR O FE SS NA TIO CA IO OR K DEVELOPING ACTIONABLE AND EFFECTIVE CONTINGENCY PLANS: THINK IT THROUGH! by ITG Consultants, Inc All rights reserved. IN TE

2 CONTENTS INTRODUCTION 2 HISTORY 2 ISSUES AND MAINT POINTS 4 BEST PRACTICES 6 THE SECURITY PLANNING PROCESS 6 CONCLUSION 9 ABOUT ITG CONSULTANTS, INC. 10 INTRODUCTION Benjamin Franklin said, By failing to prepare, you are preparing to fail. When it comes to contingency planning, this is often the case. Many organizations rely on publically available templates instead of developing a custom plan, tailored to their unique operational needs. Both government and private-sector entities produce myriad templates and guidelines that can serve as the basis for a contingency plan. However, these templates are typically conceptual and don t delve deeply enough to address site-specific, issue-specific hazards in actionable and effective ways. There is no one-size-fits-all template adequate for all hazards contingency planning. The Federal Emergency Management Agency (FEMA) asserts its Guide for All-Hazard Emergency Operations Planning is merely a toolbox and stipulates, Each community s [emergency operations plan] must reflect what that community will do to protect itself from its hazards with the resources it has or can obtain. In fact, templates can leave an organization with a false sense of security and preparedness unless additional site- and issue-specific detailed steps are thoroughly considered and documented. Inevitably, situations arise that require the use of contingency plans. In those instances, if an organization is relying on plans that amount to no more than conceptual templates, there will be little time (not to mention resources) to formulate issue-specific responses to help mitigate, respond and recover from the crisis. Having a well-documented, detailed protocol reduces both the stress of making important decisions quickly and the lapsed time in implementing the response. HISTORY Like no other event in recent history, the tragic events that unfolded on September 11, 2001, highlighted the necessity of having detailed plans with which to respond to emergencies. The United States government has subsequently urged both individuals and organizations to develop preparedness plans for dealing with all types of crises. In 2004, FEMA declared the month of September National Preparedness Month to encourage individuals, businesses and communities to ready themselves for all manner of disasters. In most circumstances, preparedness is a state of being ready to face an event or situation, having adequate resources to bear up under that situation in advance of its occurrence. For contingency planning purposes, preparedness is a prescribed set of actions to be taken as precautions against potential crises. Contingency planning is an essential part of a comprehensive security plan that occurs after the initial assessment phase. During the assessment phase, potential risks, threats, and vulnerabilities are identified and evaluated. Once those assessments have been completed and the results prioritized, the contingency 1 U.S. Department of Homeland Security, Federal Emergency Management Agency, Guide for All-Hazard Emergency Operations Planning, Washington DC, September U.S. Department of Homeland Security, Federal Emergency Management Agency, National Preparedness Month Factsheet, Washington DC,

3 The most common mistake made in this era of government-urged contingency planning is for organizations to rely too heavily on agencygenerated templates. planning commences to establish a response for each prioritized risk category identified in the assessments. Based on the risk assessment, a contingency plan establishes protocol and action steps with which to respond to the identified, prioritized risks should they develop into full-blown incidents. Appropriate responses can only be formulated once the possibility of an event has been identified. For example, one doesn t need the same resources to respond to an earthquake as compared to data theft; each situation warrants a different response. Contingency plans are incident-specific in nature and are utilized in three distinct phases: pre-incident, during the incident and post-incident. Pre-incident. Before an incident occurs (but after it s been identified by an assessment), is when a contingency plan is created. The plan hones in on the primary objectives in responding to that incident. Is the chief purpose to keep personnel safe or does inventory need to be preserved? Furthermore, the plan will identify what resources are necessary to execute the desired response and how to best recruit them. Do additional vehicles need to be enlisted to transport staff? How will staff be notified? Additionally, a command chain should be established during this phase of planning so that all parties know from whom to expect information and to whom to defer. During the incident. When a crisis occurs, the contingency plan comes to life. All appropriate parties are notified and the plan is activated. Active incident management takes place, according to the plan s prescribed details, and damage is mitigated. Post-incident. A contingency plan will also account for what follows an incident once the crisis has begun to subside. Are there casualties? What medical triage needs to take place? How will affected persons be reunited with their families? What information needs to be communicated, with whom, and how? Recovery and resumption of normal activity, as expediently as possible, are the chief objectives in the post-incident phase. The most common mistake made in this era of government-urged contingency planning is for organizations to rely too heavily on agency-generated templates. Plan development is frequently delegated to an individual who lacks sufficient knowledge in safety and security matters. Thus, many organizations develop their contingency plans from a template and then errantly assume they are adequately prepared to face an event that requires one. The templates provide a helpful starting point and foundation for contingency planning and satisfy the legal requirement to have one but aren t sufficiently detailed or customized to provide actionable guidance when an incident occurs. Perhaps the greatest obstacle to overcome in contingency planning is the pervasive, it won t happen here mentality. Assuming that crises will only occur within other organizations is both naïve and irresponsible. Furthermore, operating from this posture forces one to respond from a reactive stance, eliminating the benefits of a proactive approach. 3

4 Perhaps the greatest obstacle to overcome in contingency planning is the pervasive, it won t happen here mentality. ISSUES AND MAIN POINTS Planning a crisis response is a challenging effort, complicated by innumerable variables. Even after a plan has been developed, additional issues affect their efficacy, which means maintaining a proactive posture in all aspects is of utmost importance. In order to develop a robust and effective plan, it is essential to address and evaluate the following issues: The OODA loop An effective contingency plan is an actionable plan, one that contains incident-specific steps designed to mitigate loss and aid recovery. When an incident occurs and the plan contains merely conceptual notions, the organization and its leaders are forced into what is known as the OODA loop. The OODA loop is comprised of four cyclical steps: observe, orient, decide, and act. In it, responders are reliant on their powers of observation about how the situation is affecting their organization. They must then orient themselves to their chief objectives within the situation in order to make a decision and then act upon it. The OODA loop is an iterative process that takes precious time in the midst of a crisis and is engaged in during a highly stressful situation that inevitably limits the quality of decision-making due to emotional strain. The OODA loop cannot be completely eliminated since observations and decisions will need to be made in any crisis situation, but a robust plan will allow the loop to be utilized for only those elements that could not be anticipated in the planning process. Reactionary planning An incident portrayed in the news or even occurring to the organization itself often incites a flurry of planning to respond to future incidents of similar nature. While this planning is certainly of value, especially if such events are likely to repeat themselves, it is too narrow in scope to adequately serve as preparation. Merely planning to respond to a similar incident errantly assumes exposure to only one type of risk. Best practices warrant a more comprehensive approach that assesses all the potential risks and formulates responses specific to each. Compilation and storage The detailed nature of an effective, actionable contingency plan will result in a substantially-sized document. If all the associated papers are merely stacked in a box or haphazardly placed in a three-ring binder, they will not be useful in the midst of a crisis due to the user s inability to navigate them efficiently. A tabbed binder will facilitate quick access to the pertinent material and, therefore, a faster response to the identified crisis. Similarly, any visual support contained in the plan in the form of graphics, tables and charts must be simple and clear to best enable the user to put the depicted plan into action. If the document is housed electronically, having a table of contents, with internal hyperlinks, will allow the reader to access the right information rapidly. 4

5 Determining where to keep a contingency plan is part of developing a good plan. If only one copy of the plan exists and happens to be stored in a location inaccessible perhaps because of the crisis itself, that one copy will be altogether ineffectual except to the degree the staff recollects it. Having multiple copies, housed in strategic locations or electronically accessible, is a more prudent approach. USE MULTIPLE STORAGE LOCATIONS A contingency plan is only as good as it is actionable. Training and maintenance A contingency plan is only as good as it is actionable. When organizations establish pre-determined, specific steps to be taken in anticipated scenarios, those entities empower a speedy and effective response when a crisis arises. The fullest benefit is achieved when those responses are already embedded into the knowledge base of the responders. To that end, training and drills are of paramount importance. Such exercises should be conducted on a regular basis, no less frequently than annually and ideally quarterly. Scheduled reviews of the plan to account for any changes in the organization that would warrant plan revisions serve to ensure it remains actionable and also refreshes the staff on the material. The role of emergency responders While some crises do not require law enforcement, fire or emergency medical personnel, most do. Accounting for the role of those professionals in a contingency plan is often overlooked and handicaps the best possible outcomes. For example, distance from those services will increase response time, which, in turn, places a heavier burden on the entity to be more self-reliant in mitigating negative impacts, and therefore may necessitate different resources when a crisis occurs. The means of making information accessible to emergency responders is another variable in contingency planning. Are site plans on file with the county? Are closed-circuit television feeds accessible remotely by law enforcement? What back-up communication channels exist? Though the public agencies frequently often do not aid in developing contingency plans for myriad reasons, factoring their services (and limitations) into the planning process is vital. 5

6 BEST PRACTICES The ideal path to mitigating damage in a crisis and speeding recovery is forged with a customized, specific, and actionable contingency plan. Conducting a full panel of assessments to identify the hazards an organization faces, and then developing specific responses to each scenario, is the best practice. No two plans will be alike, as every entity and situation is different. The development process will include the following components. The plan will only be as useful as the lowest level of training that is fully ingrained in the minds of the team. Training Some organizations have dedicated safety and security professionals to whom the task of contingency planning is appointed. When such a position does not exist, another staff member is selected for the job in addition to his/her regular duties. Often that individual does not have the background or skill set with which to conduct the assessments and formulate the ideal responses. In such instances, contracting the services of a security professional to educate and train the staff member(s), or perhaps facilitate the entire process, is warranted for the benefit of the entire organization. Furthermore, a contingency plan will have key roles to be filled when a crisis arises. Examples include an incident commander, a communication chief, a transportation officer, and a media/public relations staffer. Each of the persons slated to fill such roles (and their replacements) needs to be trained to fulfill the duties assigned to them. Conducting training scenarios and drills with regularity will ensure each member of the contingency response team is equipped for his role. In addition, training serves as a validation of the existing plan (or reveals gaps to be remediated). The plan will only be as useful as the lowest level of training that is fully ingrained in the minds of the team, making training a worthwhile investment. Components As previously stated, no two contingency plans are alike due to the specific, customized nature of every organization. Similarly, every risk requires its own detailed plan. To begin to formulate that plan, one must ask and answer a myriad of W and H questions surrounding the crisis, including but not limited to: Who serves as the incident commander? If that person is unable to serve during the incident, who is the authorized backup? What (or who) is the highest priority in this crisis? Who can aid in the response and how? What is needed to bring the situation to resolution? What physical resources can be deployed to help and where are they located? What technological resources can offer support? 6

7 Every risk requires its own detailed plan. When can emergency responders arrive? Where can safety be assured? Where will different parties convene? How will the response be executed? What limitations exist? CONTINGENCY PLAN COMPONENTS LOGISTICS ROLES ASSEMBLY AREAS COMMUNICATIONS REPATRIATION MEDIA RELATIONS TRAINING RESOURCES CONTINGENCY PLAN Many plans will contain some of the following general elements, though not all will be required in every scenario: A list of roles, naming the person slated to fill each, also specifying a backup in the event someone is away for personal or professional reasons. This list should also detail the command structure to prevent confusion over decision-making authority. Communication strategies for notifying and relaying information to appropriate parties: emergency responders, staff, families of staff, stakeholders, others affected due proximity. The plan should also specify alternative methods of communication in the event the primary channels are interrupted due to the crisis. A protocol for communicating with media to moderate the content and timeliness of information. A compilation of resources available for use in response to a specific scenario, factoring variances due to time of day or year. A logistics management plan, including the identification of any element that may need a surge capacity: human resources, transportation or other equipment requirements. Assembly areas or rendezvous points for all parties affected, as applicable. Potential repatriation requirements. Prescribed intervals for training exercises, and plan review/update. 7

8 Process The prerequisite to contingency planning is conducting a full panel of assessments to identify the organization s exposure to risk. Only once the risks have been determined can plans be developed to respond to them. The following steps assume a comprehensive risk assessment has been completed. Developing a contingency plan without identified risks is an exercise in futility and is strongly discouraged. 1. Identify the risk for which a response is being formulated. Focus specifically on it and avoid the temptation to generalize a response to address anything more than that risk. Should that crisis arise, the response must be tailored to it. 2. Think through the entire life cycle of the event. What happens first (what is the crisis onset)? What happens next? Follow the course of events through to resolution, envisioning all the iterations. Once the chain of events has been considered, determine what response is required at each juncture in the life cycle, based on the answers to the W and H questions. 3. Establish priorities and related responses. What most needs protecting: people, inventory, data or something else? Plot a course of action driven by the priority list. 4. Identify the resources available to meet the needs of the priority. Assess whether limitations on those resources exist based on time, season, or location. 5. Establish structure. Assign roles to staff, prescribe a chain of command, and establish a method of communication. 6. Analyze and adapt the plan. Vet the proposed plan with what if scenarios and modify accordingly. 7. Codify the plan into a cohesive document. Ensure the plan is easy to navigate with labels, tabs, illustrations, or, in the case of an electronic document, hyperlinks. 8. Train and drill the plan. Remediate gaps in skill level and areas the plan failed to address. 9. Conduct After-Action Reviews following training or drilling sessions. Incorporate lessons learned into the plan. 10. Relate appropriate information to applicable parties. Share information with law enforcement, other city or county emergency responders, and any non-government agencies whose services are warranted (e.g. Red Cross). 11. Schedule dates for re-evaluation and amendment. Follow the entire process again, especially steps seven through ten to ensure the plan reflects relevant changes and thus remains actionable. Conduct assessments bi-annually, or more frequently if needed, to identify new risks. 8

9 True preparedness requires spending the time and resources to develop a wellthought-out contingency plan Technology considerations Technology proves to be a double-edged sword in contingency planning. It offers the benefits of cloud-based document storage in addition to off-site backup for business continuity and recovery. This is especially pertinent in contingency plans when risks of cyber-attack or natural/man-made disasters have been identified. However, when contingency plans are housed electronically, power interruption or corrupted systems can hamper access to the document. Having multiple (paper or electronic) copies is recommended to avert being unable to access the plan when it is most needed. Technology can also be leveraged as a tool for a crisis response. Software can be utilized to communicate en masse in a highly efficient manner. Remote access to video surveillance feeds can enable emergency responders to begin formulating their tactics while still en route to the scene. Satellite telephones can work when all other communications infrastructure fail. CONCLUSION Assessing risks, vulnerabilities, and threats is of vital importance to any organization. However, for maximum protection, the job doesn t stop there. Without developing actionable, effective contingency plans to respond to potential incidents, the organization will not achieve its fullest return on the time and fiscal investments made in establishing a comprehensive security plan. Detailed contingency plans help organizations respond more prudently to crises and foster better decision-making in extremely stressful situations. Because so much is at stake during a crisis, relying on generic, conceptual templates is simply unwise. True preparedness requires spending the time and resources to develop a well-thoughtout contingency plan, tailored to the organization s specific needs and issues. In many cases, the expertise to do this internally simply doesn t exist and assistance from an external security planning professional can be a wise investment in the future of the organization. 9

10 ABOUT ITG CONSULTANTS ITG Consultants, Inc. is a Veteran-owned small business based in Pennsylvania providing training, consulting and security management services. David L. Johnson, president of ITG, is certified in Homeland Security Level V, by the American Board for Certification in Homeland Security, previously served on its Executive Advisory Board and also serves as Chairman of The American Board for Certification in Dignitary and Executive Protection. Gale R. Ericksen, vice-president of ITG, is a Certified Protection Professional by the American Society of Industrial Security and is certified in Homeland Security Level III. Together, the leadership team of ITG Consultants has nearly 6 decades of experience in international law enforcement, executive and dignitary protection and training. For more information or a no-obligation discussion, visit our website at or call (866) 904-4ITG. PROFESSIONALISM DEDICATION INTEGRITY TEAMWORK BBB RATING: A+ 10