Z1600-08 Emergency management and business continuity programs

Z1600-08 Emergency management and business continuity programs

Legal Notice for Standards Canadian Standards Association (CSA) standards are developed through a consensus standards development process approved by the Standards Council of Canada. This process brings together volunteers representing varied viewpoints and interests to achieve consensus and develop a standard. Although CSA administers the process and establishes rules to promote fairness in achieving consensus, it does not independently test, evaluate, or verify the content of standards. Disclaimer and exclusion of liability This document is provided without any representations, warranties, or conditions of any kind, express or implied, including, without limitation, implied warranties or conditions concerning this document s fitness for a particular purpose or use, its merchantability, or its non-infringement of any third party s intellectual property rights. CSA does not warrant the accuracy, completeness, or currency of any of the information published in this document. CSA makes no representations or warranties regarding this document s compliance with any applicable statute, rule, or regulation. IN NO EVENT SHALL CSA, ITS VOLUNTEERS, MEMBERS, SUBSIDIARIES, OR AFFILIATED COMPANIES, OR THEIR EMPLOYEES, DIRECTORS, OR OFFICERS, BE LIABLE FOR ANY DIRECT, INDIRECT, OR INCIDENTAL DAMAGES, INJURY, LOSS, COSTS, OR EXPENSES, HOWSOEVER CAUSED, INCLUDING BUT NOT LIMITED TO SPECIAL OR CONSEQUENTIAL DAMAGES, LOST REVENUE, BUSINESS INTERRUPTION, LOST OR DAMAGED DATA, OR ANY OTHER COMMERCIAL OR ECONOMIC LOSS, WHETHER BASED IN CONTRACT, TORT (INCLUDING NEGLIGENCE), OR ANY OTHER THEORY OF LIABILITY, ARISING OUT OF OR RESULTING FROM ACCESS TO OR POSSESSION OR USE OF THIS DOCUMENT, EVEN IF CSA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, INJURY, LOSS, COSTS, OR EXPENSES. PORTIONS OF NFPA 1600, STANDARD ON DISASTER/EMERGENCY MANAGEMENT AND BUSINESS CONTINUITY PROGRAMS, 2007 EDITION (NFPA 1600), HAVE BEEN USED IN THIS DOCUMENT BY PERMISSION OF THE NATIONAL FIRE PROTECTION ASSOCIATION (NFPA ). THE CONTENT OF THIS DOCUMENT, HOWEVER, HAS BEEN EXCLUSIVELY DETERMINED BY AND THROUGH THE CONSENSUS STANDARDS DEVELOPMENT PROCESS OF CSA. THE NFPA BEARS NO RESPONSIBILITY FOR THE USE, SELECTION, OR ADAPTATION OF ANY MATERIAL FROM NFPA 1600 THAT MAY BE CONTAINED HEREIN AND HEREBY DISCLAIMS ANY LIABILITY WHATSOEVER WITH RESPECT TO THIS DOCUMENT. FOR MORE INFORMATION CONCERNING NFPA CODES AND STANDARDS AND IMPORTANT NOTICES AND DISCLAIMERS WITH RESPECT TO THEIR USE, SEE WWW.NFPA.ORG/DISCLAIMERS. In publishing and making this document available, CSA is not undertaking to render professional or other services for or on behalf of any person or entity or to perform any duty owed by any person or entity to another person or entity. The information in this document is directed to those who have the appropriate degree of experience to use and apply its contents, and CSA accepts no responsibility whatsoever arising in any way from any and all use of or reliance on the information contained in this document. CSA is a private not-for-profit company that publishes voluntary standards and related documents. CSA has no power, nor does it undertake, to enforce compliance with the contents of the standards or other documents it publishes. Intellectual property rights and ownership This document is a derivative work adapted by the Canadian Standards Association (CSA) from NFPA 1600, Standard on Disaster/Emergency Management and Business Continuity Programs (2007 edition), the rights to which were licensed to CSA by the National Fire Protection Association. Copyright to this document is held by the National Fire Protection Association. CSA is the owner of all trademarks (except as otherwise noted to the contrary). Without limitation, the unauthorized use, modification, copying, or distribution of this document may violate laws that protect NFPA and CSA, as authorized licensee, and may give rise to a right in NFPA and/or CSA to seek legal redress for such use, modification, copying, or distribution. To the extent permitted by licence or law, CSA and the NFPA reserve all intellectual property rights in this document. Patent rights Attention is drawn to the possibility that some of the elements of this standard may be the subject of patent rights. CSA shall not be held responsible for identifying any or all such patent rights. Users of this standard are expressly advised that determination of the validity of any such patent rights is entirely their own responsibility. If you do not agree with any of the terms and conditions contained in this Legal Notice, you may not load or use this document or make any copies of the contents hereof, and if you do make such copies, you are required to destroy them immediately. Use of this document constitutes your acceptance of the terms and conditions of this Legal Notice.

CSA Standards Update Service Z1600-08 August 2008 Title: Emergency management and business continuity programs Pagination: 50 pages (viii preliminary and 42 text), each dated August 2008 Automatic notifications about any updates to this publication are available. To register for e-mail notifications, and/or to download any existing updates in PDF, enter the Online Store at www.shopcsa.ca and click on My Account on the navigation bar. The List ID for this document is 2020155. To receive printed updates, please complete and return the attached card. Name Organization Address City Province/State Country Postal/Zip Code E-mail I consent to CSA collecting and using the above information to send me updates relating to this publication. Visit CSA s policy on privacy at www.csagroup.org/legal to find out how we protect your personal information. Z1600-08

Affranchir suffisamment Place Stamp Here ASSOCIATION CANADIENNE DE NORMALISATION BUREAU CENTRAL DE L INFORMATION 5060, SPECTRUM WAY, BUREAU 100 MISSISSAUGA ON L4W 5N6 CANADA CANADIAN STANDARDS ASSOCIATION CONSOLIDATED MAILING LIST 5060 SPECTRUM WAY, SUITE 100 MISSISSAUGA ON L4W 5N6 CANADA

CSA Standard Z1600-08 Emergency management and business continuity programs Published in August 2008 by Canadian Standards Association A not-for-profit private sector organization 5060 Spectrum Way, Suite 100, Mississauga, Ontario, Canada L4W 5N6 1-800-463-6727 416-747-4044 Visit our Online Store at www.shopcsa.ca

100% The Canadian Standards Association (CSA) prints its publications on Rolland Enviro100, which contains 100% recycled post-consumer fibre, is EcoLogo and Processed Chlorine Free certified, and was manufactured using biogas energy. To purchase CSA Standards and related publications, visit CSA s Online Store at www.shopcsa.ca or call toll-free 1-800-463-6727 or 416-747-4044. ISBN 978-1-55436-712-2 Technical Editor for CSA: Ron Meyers 2008 National Fire Protection Association All rights reserved. No part of this publication may be reproduced in any form whatsoever without the prior permission of the Canadian Standards Association (CSA), as authorized licensee of the National Fire Protection Association. National Fire Protection Association and NFPA are registered trademarks of the National Fire Protection Association, Quincy, Massachusetts, USA.

Emergency management and business continuity programs Contents Technical Committee on Emergency Management and Business Continuity v Preface viii 1 Scope 1 2 Reference publications 2 3 Definitions 2 4 Program management 3 4.1 Leadership and commitment 3 4.2 Program coordinator 3 4.3 Advisory committee 3 4.4 Program administration 3 4.4.1 General 3 4.4.2 Policy 4 4.4.3 Program goals and objectives 4 4.4.4 Program plan and procedures 4 4.4.5 Program budget 4 4.4.6 Records management 4 4.4.7 Program review 4 4.5 Laws and authorities 4 4.6 Financial management 4 5 Planning 5 5.1 Hazard identification, risk assessment, and business impact analysis 5 5.1.1 Hazard identification 5 5.1.2 Risk assessment 5 5.1.3 Business impact analysis (BIA) 5 5.2 Planning process 5 5.3 Common plan requirements 6 6 Implementation 6 6.1 Prevention and mitigation 6 6.1.1 General 6 6.1.2 Prevention 6 6.1.3 Mitigation 7 6.2 Resource management 7 6.3 Mutual aid/mutual assistance 7 6.4 Emergency response 8 6.4.1 Strategy 8 6.4.2 Plan 8 6.5 Incident management 8 6.6 Communications and warning 8 6.6.1 Assessment and coordination 8 6.6.2 Systems 8 6.6.3 Procedures 8 6.6.4 Public warning 8 6.6.5 Public awareness 9 6.6.6 Emergency information 9 August 2008 iii

Z1600-08 6.6.7 Crisis communications capability 9 6.7 Operational procedures 9 6.8 Facilities 10 6.9 Training 10 6.10 Business continuity 10 6.11 Recovery 10 7 Exercises, evaluations, and corrective actions 11 8 Management review 11 Annexes A (informative) Commentary 12 B (informative) Emergency management and business continuity resources 30 iv August 2008

Emergency management and business continuity programs Technical Committee on Emergency Management and Business Continuity G. Jannaway Jannaway & Associates, Toronto, Ontario Chair J. Ash Paramedic Association of Canada, Ottawa, Ontario J. Bates Federation of Canadian Municipalities, Ottawa, Ontario L. Benini Benini Consulting Ltd., Victoria, British Columbia L. Biblow Calgary Disaster Services, Calgary, Alberta Associate C. Blair Alberta Emergency Management Agency, Ministry of Alberta Municipal Affairs and Housing, Edmonton, Alberta S. Brindley Independent Electricity System Operator, Toronto, Ontario B. Burrell Canadian Association of Fire Chiefs, Calgary, Alberta G. Burrill Teegor Consulting Inc., Fredericton, New Brunswick R. Fitzner Canadian Association of Petroleum Producers, Calgary, Alberta M. Fournier Public Safety Canada, Ottawa, Ontario M. Genyk MTS Allstream Inc., Winnipeg, Manitoba A. Gordon Canadian Centre for Emergency Preparedness, Burlington, Ontario P. Harkness British Columbia Ministry of Transportation, Burnaby, British Columbia D. Harrison Georgian Emergency Management and Associates, Wasaga Beach, Ontario Associate Associate August 2008 v

Z1600-08 B. Holowachuk Manitoba Emergency Measures Organization, Winnipeg, Manitoba Associate D. Johanis Greater Toronto Airports Authority, Toronto, Ontario P. Kovacs Institute for Catastrophic Loss Reduction, Toronto, Ontario Associate E. Ladouceur Transport Canada, Ottawa, Ontario D. Lancaster Emergency Management Ontario, Toronto, Ontario J. Lavery British Columbia Ministry of Health, Victoria, British Columbia Associate J. Lindsay Department of Applied Disaster and Emergency Studies, Brandon University, Brandon, Manitoba K. Lundy Association of Canadian Port Authorities, Toronto, Ontario E. MacGillivray Emergency Measures Organization, Government of New Brunswick, Fredericton, New Brunswick W. MacKay MacKay Emergency Management Consulting Inc., New Hamburg, Ontario N. McCormick Corporate Health Works Inc., Winnipeg, Manitoba T. Mehes Vale Inco Ltd., Copper Cliff, Ontario A. Normand City of Brampton, Brampton, Ontario Representing Ontario Association of Emergency Managers B. Porrier Royal Canadian Mounted Police, Ottawa, Ontario M. Salib The Zeta Group, Ottawa, Ontario D. Shropshire Canadian Red Cross, Ottawa, Ontario S. Smith Greater Toronto Airports Authority, Toronto, Ontario Associate vi August 2008

Emergency management and business continuity programs M. Soegtrop Bank of Montreal Group of Companies, Toronto, Ontario Representing Business Continuity Institute I. Stronach Alcan Inc., Montréal, Québec L. Webb Emergency Management Ontario, Toronto, Ontario Associate Associate M. Wilson Ontario Association of Fire Chiefs, Courtice, Ontario J. Yamniuk TELUS Corporate Business Continuity, Calgary, Alberta R. Meyers Canadian Standards Association, Mississauga, Ontario Project Manager August 2008 vii

Z1600-08 Preface This is the first edition of CSA Z1600, Emergency management and business continuity programs. This new Canadian Standard outlines the requirements for a comprehensive emergency management program. The goal of this Standard is to establish the elements of a continuous improvement process to develop, implement, maintain, and evaluate emergency management and business continuity programs that address the functions of prevention and mitigation, preparedness, response, and recovery. The National Fire Protection Association (NFPA) has allowed the CSA Technical Committee on Emergency Management and Business Continuity to use and adapt NFPA 1600, Standard on Disaster/Emergency Management and Business Continuity Programs, 2007 edition, for the purpose of developing this Canadian Standard. The agreement between NFPA and CSA to use NFPA 1600 in developing this Standard grew out of the strong commitment of both organizations to work collaboratively to promote awareness, knowledge, and application of Standards and industry best practices in the community and the workplace. NFPA 1600 incorporates a risk-based, all hazards approach that integrates emergency management and business continuity programs for a total program approach. This approach provides both opportunity and rationale for collaboration among diverse stakeholders. Canadian public and private sector stakeholders have a strong interest in ensuring that Canadian and American emergency management and business continuity systems and Standards evolve to be truly binational in scope and application. Because these Canadian and American Standards are generally consistent, they provide a common focus and platform for emergency management and business continuity programming and serve as a model for any organization or institution, private or public. They also provide an effective benchmark to allow organizations to evaluate their emergency management and business continuity programs. Annex A provides further information on some of the clauses in the body of this Standard. These clauses are identified by an asterisk (*) beside the clause number in the body. This Standard was prepared by the Technical Committee on Emergency Management and Business Continuity, under the jurisdiction of the Strategic Steering Committee on Community Safety and Well-Being, and has been formally approved by the Technical Committee. August 2008 Notes: (1) Use of the singular does not exclude the plural (and vice versa) when the sense allows. (2) Although the intended primary application of this Standard is stated in its Scope, it is important to note that it remains the responsibility of the users of the Standard to judge its suitability for their particular purpose. (3) This publication was developed by consensus, which is defined by CSA Policy governing standardization Code of good practice for standardization as substantial agreement. Consensus implies much more than a simple majority, but not necessarily unanimity. It is consistent with this definition that a member may be included in the Technical Committee list and yet not be in full agreement with all clauses of this publication. (4) CSA Standards are subject to periodic review, and suggestions for their improvement will be referred to the appropriate committee. (5) All enquiries regarding this Standard, including requests for interpretation, should be addressed to Canadian Standards Association, 5060 Spectrum Way, Suite 100, Mississauga, Ontario, Canada L4W 5N6. Requests for interpretation should (a) define the problem, making reference to the specific clause, and, where appropriate, include an illustrative sketch; (b) provide an explanation of circumstances surrounding the actual field condition; and (c) be phrased where possible to permit a specific yes or no answer. Committee interpretations are processed in accordance with the CSA Directives and guidelines governing standardization and are published in CSA s periodical Info Update, which is available on the CSA Web site at www.csa.ca. viii August 2008

Emergency management and business continuity programs Z1600-08 Emergency management and business continuity programs 1 Scope 1.1* This Standard establishes a common set of criteria for emergency management and business continuity programs. 1.2* This Standard establishes the elements of a continuous improvement process to develop, implement, maintain, and evaluate emergency management and business continuity programs that address prevention and mitigation, preparedness, response, and recovery. The elements of a continuous improvement process included in this Standard are (a) program management; (b) planning; (c) implementation; (d) evaluation; and (e) management review. 1.3* This Standard covers programs in which the functions of prevention and mitigation, preparedness, response, and recovery are considered independently or in combinations. 1.4 The elements of programs covered by this Standard address the functions (prevention and mitigation, preparedness, response, and recovery) commensurate with the risks established by the entity s hazard identification, risk assessment, and business impact analysis. 1.5 This Standard applies to public, not-for-profit, and private entities. 1.6 In CSA Standards, shall is used to express a requirement, i.e., a provision that the user is obliged to satisfy in order to comply with the standard; should is used to express a recommendation or that which is advised but not required; may is used to express an option or that which is permissible within the limits of the standard; and can is used to express possibility or capability. Notes accompanying clauses do not include requirements or alternative requirements; the purpose of a note accompanying a clause is to separate from the text explanatory or informative material. Notes to tables and figures are considered part of the table or figure and may be written as requirements. Annexes are designated normative (mandatory) or informative (non-mandatory) to define their application. August 2008 1

Z1600-08 2 Reference publications This Standard refers to the following publications, and where such reference is made, it shall be to the edition listed below, including all amendments published thereto. CSA (Canadian Standards Association) CAN/CSA-Z731-03 Emergency preparedness and response CAN/CSA-Q850-97 (R2007) Risk management: Guideline for decision-makers Government of Canada An Emergency Management Framework for Canada, Emergency Management Policy Directorate, Public Safety and Emergency Preparedness Canada, 2006 NENA (National Emergency Number Association) NENA 56-003 (2004) NENA Minimum Standards for Emergency Telephone Notification Systems NFPA (National Fire Protection Association) NFPA 1221-2007 Standard for the Installation, Maintenance, and Use of Emergency Services Communications Systems NFPA 1561-2005 Standard on Emergency Services Incident Management System NFPA 1600-2007 Standard on Disaster/Emergency Management and Business Continuity Programs 3* Definitions The following definitions apply in this Standard: Business continuity an ongoing process supported by senior management and adequately funded to ensure that the necessary steps are taken to identify the impact of potential losses and maintain viable recovery strategies and recovery plans for the continuity of services and operations, or continuity of government, following a disruptive event. Business impact analysis (BIA) a process that identifies, quantifies, and qualifies the business impact on an organization of a loss, interruption, or disruption of business processes and provides the data from which appropriate continuity strategies can be determined. Emergency management an ongoing process to prevent, mitigate, prepare for, respond to, and recover from an incident that threatens life, property, operations, or the environment. Entity a governmental agency or jurisdiction, private or public company, partnership, non-profit organization, or other organization that has emergency management and business continuity responsibilities. Incident management system (IMS) a system that defines the roles and responsibilities of personnel and the operating procedures to be used in the management and direction of emergencies and other events. Mitigation actions taken to reduce the risks and impacts posed by hazards. 2 August 2008

Emergency management and business continuity programs Mutual aid/mutual assistance agreement* a pre-arranged agreement entered into by two or more entities whereby the parties to the agreement undertake to render assistance to one another. Preparedness* measures taken in advance of an emergency to ensure an effective response and recovery. Prevention* measures taken to avoid an incident or stop an emergency from occurring. Recovery* activities and programs designed to return conditions to a level that is acceptable to the entity following an emergency or other event. Resource management a process for identifying and managing available resources to enable timely and unimpeded access to the resources needed to prevent, mitigate, prepare for, respond to, or recover from an incident. Response* actions taken during or immediately after an emergency to manage its consequences. Situation analysis the process of evaluating the severity and consequences of an incident. Stakeholder any individual, group, or organization that might affect, be affected by, or perceive itself to be affected by an emergency. 4 Program management 4.1* Leadership and commitment Senior management shall provide leadership and assume overall responsibility, accountability, and authority for the program. 4.2* Program coordinator The program coordinator shall be appointed by the entity and authorized to administer the program and keep it current. 4.3 Advisory committee 4.3.1* An advisory committee shall be established as required by the entity s policy. 4.3.2 The advisory committee shall provide input to or assist in coordinating the preparation, implementation, evaluation, maintenance, and revision of the program. 4.3.3* The advisory committee shall include the program coordinator and others who have the appropriate expertise, knowledge of the entity, and the capability to identify resources from all key functional areas within the entity. Applicable external representation shall also be included. 4.4 Program administration 4.4.1 General The entity shall have a documented program that includes the components described in Clauses 4.4.2 to 4.4.7. August 2008 3

Z1600-08 4.4.2 Policy The entity shall establish a policy that includes a vision, mission statement, roles and responsibilities, and enabling authority. The policy should be approved by the executive of the entity. 4.4.3* Program goals and objectives The entity shall establish program goals and objectives. 4.4.4* Program plan and procedures The entity shall establish program plans and procedures for the functions of prevention and mitigation, preparedness, response, and recovery. 4.4.5 Program budget The entity shall establish a program budget and schedule that includes milestones. 4.4.6* Records management The entity shall (a) document and maintain logs and records of activities and decisions related to the program; and (b) establish an effective records management process. 4.4.7 Program review The entity shall establish program validation, evaluation, change management, and continuous improvement processes. Note: See Clause 8 for information on management review. 4.5 Laws and authorities 4.5.1* Compliance The program shall comply with applicable legislation, policies, regulatory requirements, and directives. 4.5.2 The entity shall know and understand the procedures of the various levels of government and other decision-making authorities so that it can influence or recommend changes to applicable legislation, policies, regulatory requirements, directives, standards, and industry codes of practice. 4.6* Financial management 4.6.1 The entity shall develop financial procedures and controls to support the program before, during, and after an emergency. 4.6.2 Financial procedures shall be created and maintained for expediting fiscal decisions in accordance with established authorization levels and fiscal policy. 4.6.3* Financial procedures shall include the following: (a) establishment and definition of responsibilities for the program finance authority, including its reporting relationships to the program coordinator; (b) program procurement procedures; (c) payroll for personnel involved with the program; (d) accounting systems to track and document costs; and (e) management of funding from external sources. 4 August 2008

Emergency management and business continuity programs 5 Planning 5.1* Hazard identification, risk assessment, and business impact analysis 5.1.1* Hazard identification The entity shall identify and monitor the hazards that can have an impact on its operations or areas of responsibility. Hazards from the following categories shall be considered: (a) natural; (b) human-caused; and (c) technological. 5.1.2 Risk assessment 5.1.2.1* The entity shall conduct a risk assessment. 5.1.2.2 The risk assessment shall include evaluating the likelihood of a hazard or combination of hazards occurring, taking into account factors such as threat analysis, frequency, history, trends, and probability. 5.1.2.3* The risk assessment shall include data on the impact of the risk event on the entity and on people, property, and the environment. 5.1.3* Business impact analysis (BIA) 5.1.3.1 The entity shall conduct a business impact analysis. 5.1.3.2 The business impact analysis shall (a) take the entire entity into consideration when the critical business functions, associated resource requirements, and interdependencies are identified; (b) build on the findings from the risk assessment; and (c) consider possible events and how they could affect the entity over time. 5.2 Planning process 5.2.1 The entity shall follow a planning process to develop and maintain its emergency management and business continuity program. 5.2.2 The planning requirements shall depend on the program s objectives and results of the hazard identification, risk assessment, and business impact analysis described in Clause 5.1. 5.2.3 The planning process shall result in the development and documentation of a single integrated plan or multiple plans. August 2008 5

Z1600-08 5.2.4 The entity shall engage in the planning process on a regularly scheduled basis, or when the situation has changed in such a way that the existing plan(s) is put into question. 5.2.5 The entity shall include key stakeholders in the planning process where applicable. 5.3 Common plan requirements 5.3.1 Plans shall have clearly stated objectives. 5.3.2 Plans shall identify the functional roles and responsibilities of internal and external agencies, organizations, departments, and positions. 5.3.3 Plans shall identify lines of authority for internal and external agencies, organizations, departments, and positions. 5.3.4 Plans shall identify logistics support and resource requirements. 5.3.5 Plans shall identify the process for managing activities. 5.3.6 Plans shall identify the process for managing the communication and flow of information, both internally and externally. 5.3.7 The entity shall make appropriate sections of the plans available to those assigned specific tasks and responsibilities therein and to other stakeholders as required. 6 Implementation 6.1* Prevention and mitigation 6.1.1 General The entity shall develop and implement prevention and mitigation strategies. 6.1.2* Prevention 6.1.2.1 The entity shall develop and implement a strategy to prevent incidents that threaten people, property, and the environment. 6.1.2.2 The prevention strategies shall be based on the information obtained from the hazard identification, risk assessment, and business impact analysis outlined in Clause 5.1 and shall be kept current. 6 August 2008

Emergency management and business continuity programs 6.1.2.3 The entity shall have a system to monitor the identified hazards and adjust the level of preventative measures commensurate with the risk. 6.1.2.4 The prevention plan shall establish interim and long-term actions to eliminate hazards that could impact the entity. 6.1.3* Mitigation 6.1.3.1 The entity shall develop and implement mitigation strategies to limit or control the consequences, extent, or severity of an incident that cannot be reasonably prevented. 6.1.3.2 The mitigation strategies shall be based on the results of the hazard identification, risk assessment, and business impact analysis described in Clause 5.1, as well as program constraints, operational experience, and cost-benefit analysis. 6.1.3.3 The mitigation plan shall establish interim and long-term actions to reduce the impact of hazards that cannot be eliminated. 6.2* Resource management 6.2.1* The entity shall establish resource management objectives consistent with the overall program goals and specific objectives for the hazards identified. 6.2.2* The entity shall establish resource management procedures to ensure that adequate human, physical, informational, and financial resources are provided. 6.2.3 An assessment shall be conducted to identify the resource capability shortfalls and the steps necessary to address them. 6.2.4 A current inventory of internal and external resources shall be maintained. 6.2.5* The entity shall determine if donations could be forthcoming and, if required, establish objectives and procedures to manage donations of solicited and unsolicited goods, services, personnel, facilities, and money. 6.3* Mutual aid/mutual assistance 6.3.1 The entity shall determine the need for mutual aid/mutual assistance. August 2008 7

Z1600-08 6.3.2* The entity shall establish mutual aid/mutual assistance agreements as required. 6.3.3 Mutual aid/mutual assistance agreements shall be referenced in the program plan. 6.4 Emergency response 6.4.1 Strategy The entity shall develop and implement a strategy to respond to emergencies that threaten people, property, and the environment. 6.4.2 Plan The entity shall develop an emergency response plan that establishes immediate actions to respond to emergencies. 6.5 Incident management 6.5.1* The entity shall establish an incident management system to direct, control, and coordinate operations during and after an emergency. 6.5.2 The incident management system shall assign specific organizational roles, titles, and responsibilities for each incident management function. 6.5.3 The entity shall establish procedures for coordinating response, continuity, and recovery activities. 6.6 Communications and warning 6.6.1* Assessment and coordination The entity shall determine communication needs to support the program. The entity shall coordinate communications activities with key stakeholders in accordance with the incident management requirements of Clause 6.5. 6.6.2* Systems Telecommunication and other communication systems shall be established and regularly tested. The entity shall address the need for redundancy, interoperability, and security of communication systems. 6.6.3* Procedures Communication procedures shall be established and regularly exercised. 6.6.4* Public warning 6.6.4.1 Emergency communication and warning systems to alert people potentially impacted by an actual or impending emergency shall be developed and periodically tested. 8 August 2008

Emergency management and business continuity programs 6.6.4.2* Emergency communication and warning procedures to advise the public of threats to people, property, and the environment, either directly or through authorized agencies, shall be developed and exercised. 6.6.4.3* Communication procedures shall include protective action guidelines for emergencies where potentially impacted populations can be advised to shelter-in-place, evacuate, or take any other action as directed. 6.6.5 Public awareness 6.6.5.1* Public awareness and public education programs shall be implemented where the public is potentially impacted by a hazard. 6.6.5.2* Procedures shall be developed to disseminate public awareness and education information and respond to requests from internal and external audiences, including the media, for pre-incident information. 6.6.6* Emergency information The entity shall establish and maintain procedures to provide emergency information that includes the following: (a) a central point of contact for the media; (b) procedures to gather, monitor, and disseminate emergency information; (c) pre-scripted information bulletins; (d) procedures to coordinate and approve information for release; (e) procedures to communicate with special needs populations; and (f) protective action guidelines/recommendations (e.g., shelter-in-place or evacuation). 6.6.7* Crisis communications capability The entity shall establish and maintain the capability to provide crisis communications during an incident. 6.7 Operational procedures 6.7.1* The entity shall develop, coordinate, and implement operational procedures to support execution of the plan. 6.7.2* Procedures shall be established and implemented for response to and recovery from the consequences of those hazards identified in Clause 5.1.1. These procedures shall address health and safety, incident stabilization, operational/business continuity, minimization of property damage, and protection of the environment under the jurisdiction of the entity. 6.7.3* Procedures shall be in place to conduct a situation analysis that includes a damage assessment and identification of the resources needed to support response and recovery operations. 6.7.4 Procedures shall allow for recovery and mitigation activities to be carried out concurrently during emergency response. August 2008 9

Z1600-08 6.7.5 Procedures shall be established for succession of leadership during an event. 6.8* Facilities The entity shall establish primary and alternative emergency operations centres (EOCs), physical or virtual, capable of managing continuity, response, and recovery operations. 6.9 Training 6.9.1* The entity shall develop, implement, and maintain or provide a competency-based training and educational curriculum to support the program. 6.9.2 The objective of the curriculum shall be to create awareness and enhance the skills required to develop, implement, maintain, and execute the program. 6.9.3 Frequency and scope of training shall be identified. 6.9.4 Training records shall be maintained. 6.10* Business continuity 6.10.1 The entity shall develop and implement business continuity strategies to continue critical operations following an emergency. 6.10.2 The business continuity strategies shall be based on the results of the business impact analysis described in Clause 5.1.3. 6.10.3 The business continuity strategies shall include the identification of time-sensitive critical functions and applications, associated resource requirements, and interdependencies. 6.10.4 The business continuity plans shall be developed based on the business continuity strategies. 6.11 Recovery 6.11.1* The entity shall develop and implement a recovery strategy to support short-term and long-term priorities for recovery of functions, services, resources, facilities, programs, and infrastructure. 6.11.2 The recovery strategy shall be based on the results of hazard identification and risk assessment, business impact analysis, program constraints, operational experience, and cost-benefit analysis. 10 August 2008

Emergency management and business continuity programs 6.11.3 The recovery strategy shall include interim and long-term actions to ensure entity recovery and continuity capability to respond to the consequences of those hazards identified in Clause 5.1.1. 6.11.4 The recovery strategy shall include measures to reduce vulnerability of the entity during the recovery period. The measures should be linked to mitigation strategies, as described in Clause 6.1.3. 6.11.5 The recovery plans shall be developed based on the recovery strategy. 6.11.6* The recovery plans shall provide for short-term and long-term priorities for restoration of functions, services, resources, facilities, programs, and infrastructure. 7 Exercises, evaluations, and corrective actions 7.1 The entity shall evaluate program plans, procedures, and capabilities through periodic review, testing, and exercises. 7.2* Exercises shall be designed to test individual essential elements, interrelated elements, or the entire plan(s). 7.3* Additional evaluations shall be based on post-incident analyses and reports, lessons learned, and performance evaluations. 7.4 Corrective action Procedures shall be established to take corrective action on any substantive deficiency identified during the evaluation. 8 Management review 8.1* The entity shall conduct a periodic management review of the program based on the goals, objectives, and evaluation of the program. 8.2 Continuous improvement Management shall assess opportunities to continuously improve the program. August 2008 11

Z1600-08 Annex A (informative) Commentary Notes: (1) This Annex is not a mandatory part of this Standard. (2) This Annex provides an explanation of and a rationale for the requirements of this Standard. (3) The clause numbers in this Annex correspond to the clauses in this Standard. A.1 Scope A.1.1 The emergency management and business continuity community consists of many different entities, including the different levels of government (e.g., federal, provincial, territorial, Aboriginal and/or First Nations, and municipal), business and industry, non-governmental organizations, and individual citizens. Each of these entities has its own focus, unique missions and responsibilities, varied resources and capabilities, and operating principles and procedures. Each entity can have its own definition of emergency or disaster depending on its circumstances and situation. Examples of emergency or disaster definitions used by entities include the following: an occurrence or imminent threat to the entity of widespread or severe damage, injury, loss of life, or property loss resulting from natural, human, or technological causes an incident that is beyond the normal capabilities of the entity and requires the response of outside resources and assistance for recovery a suddenly occurring or unstoppable event that causes loss of life, suffering, loss of valuables, or damage to the environment; overwhelms local resources or efforts; and has a long-term impact on social or natural life that is negative in the beginning. A.1.2 An overview of the principles and general policy concepts of emergency management in a Canadian context that have been agreed on by the federal, provincial, and territorial ministers responsible for emergency management can be found in the publication, An Emergency Management Framework for Canada. A.1.3 Program elements cross boundaries of the functions of prevention and mitigation, preparedness, response, and recovery. The elements should be considered interrelated and can be considered concurrently. The use of the terms phases, elements, or components varies from program to program. A.3 Definitions Entities should strive to use standard definitions and terminology to facilitate improved understanding and integration of their programs with supporting programs. Mutual aid/mutual assistance agreement the term mutual aid/mutual assistance agreement includes cooperative agreements, partnership agreements, memoranda of understanding, intergovernmental compacts, and other terms commonly used to describe the sharing of resources. 12 August 2008

Emergency management and business continuity programs Preparedness examples of preparedness activities include the following: procuring supplies and resources (e.g., to operate an EOC, provide an emergency stockpile, or ensure system redundancy) developing plans exercises and training. Prevention activities, tasks, programs, and systems intended to avoid emergencies or stop such events from occurring. Prevention can apply to human-caused events (e.g., terrorism, vandalism, sabotage, or human error), technological events, and naturally occurring events. Note: Prevention of human-caused events can include applying intelligence and other information to a range of countermeasures such as deterrence operations heightened inspections improved surveillance and security operations investigations to determine the nature and source of the threat law enforcement operations directed at deterrence, pre-emption, interdiction, or disruption. Recovery recovery programs and activities assist victims and their families, restore entities to suitable economic growth and confidence, rebuild destroyed property, and reconstitute government operations and services. Recovery actions often extend long after the incident itself and can include activities designed to avoid damage from future incidents. Response the response of an entity to a disaster or other event that might have a significant impact. The response can include activities, tasks, programs, and systems that help preserve life, meet basic human needs, preserve business operations, and protect property and the environment. A response can include evacuation of a facility, initiating a disaster recovery plan, performing damage assessment, and any other measures necessary to restore an entity to a more stable status. A.4.1 Leadership and commitment Senior management designates a specific representative(s) of management who, irrespective of other responsibilities, has defined roles, responsibilities, and authority for ensuring that an emergency management and business continuity program is established, maintained, and reviewed in accordance with the requirements of this Standard. A.4.2 Program coordinator The program coordinator ensures the preparation, implementation, evaluation, maintenance, and revision of the program. Note: It is not the intent of this Standard to restrict the users to program coordinator titles. It is recognized that different entities use various forms and names for the functions identified in this Standard. A.4.3 Advisory committee A.4.3.1 The purpose of an advisory committee is to provide guidance and advice to improve the program. The committee may include representation from public, private, and non-governmental sectors. Consideration should be given to including other stakeholders and community representation. It is suggested that provision be made for cross-sector representation on the committee. A list of those who should be included in any one sector depends on the size and complexity of the entity. A.4.3.3 Though the program coordinator has final authority in deciding the course of the program through its day-to-day administration, major decisions should be made in consultation with the advisory committee. The program coordinator and the advisory committee should be in agreement concerning priorities and resource allocation in the day-to-day operation of the program. August 2008 13

Z1600-08 Decisions made and actions taken in the day-to-day administration of the program crucially affect the ultimate implementation of the program in emergencies. Therefore, because the advisory committee is made up of representatives from key functional areas, the program coordinator and the advisory committee should consult on important administrative matters to ensure that the goals of the program are met. Clause 4.4.2 requires the entity to have a policy. This policy will determine the need for an advisory committee. The entity can determine that an advisory committee is not required or appropriate because of legal restrictions, size of the organization, or other factors. It is then assumed that the leadership and direction of the advisory committee will be fulfilled by other means. A.4.4.3 Program goals and objectives The objectives developed from these goals include measurable activities that should be accomplished within identified time frames. A.4.4.4 Program plan and procedures The program plan identifies the long-term goals, using broad general statements of desired accomplishments. The program includes A strategic plan: The strategic plan defines the vision, mission, goals, and objectives of the program. An emergency operations/response plan: The emergency operations/response plan assigns responsibilities for carrying out specific actions in an emergency. A prevention plan: The prevention plan establishes interim and long-term actions to eliminate hazards that impact the entity. A mitigation plan: The mitigation plan establishes interim and long-term actions to reduce the impact of hazards that cannot be eliminated. A recovery plan: The recovery plan provides for short-term and long-term priorities for restoration of functions, services, resources, facilities, programs, and infrastructure. A continuity plan: The continuity plan identifies stakeholders that need to be notified, critical and time-sensitive applications, alternative work sites, vital records, contact lists, processes, and functions that are to be maintained, as well as the personnel, procedures, and resources that are needed while the entity is recovering. The plans developed can be either individual or integrated, or a combination of the two. A.4.4.6 Records management The organization should establish and maintain records to demonstrate conformity with the program administration requirements set out in Clause 4.4 and to document the effective operation of the emergency management and business continuity programs. Records should remain legible, readily identifiable, and retrievable. Procedures should be established to define the controls needed for the identification, secure storage, protection, retrieval, retention time, and disposition of records. Records can include those kept for the implementation of the emergency management and business continuity programs events and actions taken to mitigate, prepare for, respond to, and recover from an incident legal requirements training and monitoring activities, including the results of monitoring changes or improvements made to prevention, mitigation, preparedness, response, and recovery strategies. A.4.5.1 Compliance Privacy legislation, industry codes of practice, and guidelines should also be considered. A.4.6 Financial management There should be a responsive financial management and administrative framework that complies with the entity s program requirements and is linked to emergency management. The framework should provide 14 August 2008

Emergency management and business continuity programs for maximum flexibility to request, receive, manage, and apply funds expeditiously in both non-emergency environments and emergencies to ensure the timely delivery of assistance. The administrative process should be documented. The program should also be capable of capturing financial data for future cost recovery, as well as identifying and accessing alternative funding sources and managing budgeted and specially appropriated funds. A.4.6.3 Financial management procedures should include the following components: Financial authorization may be delegated to the program team members, but adherence to generally accepted accounting practices must be ensured through planning. Pre-approved vendor and service provider lists should be established with a clear understanding of what products and services are pre-authorized, to whom, and under what authority. A streamlined payroll system can be required to accommodate immediate needs, but this must be planned in advance of an emergency; ensure strict adherence to employment standards. Accounts should be established during the planning stage in anticipation of expenses to be incurred. Loss or delay of revenue during and after an event should be considered. Consideration should be given to grants from government entities or private sources that are available to emergency management programs in both the public and private sectors. A.5.1 Hazard identification, risk assessment, and business impact analysis A comprehensive risk management plan includes a process of hazard identification, risk assessment, and business impact analysis. Note: See CAN/CSA-Q850 for additional information and guidance. A.5.1.1 Hazard identification This Standard groups hazards into three categories: natural, human-caused, and technological. The following list provides examples in each of these categories. Naturally occurring hazards geological hazards: earthquake tsunami volcano landslide, mudslide, subsidence glacier, iceberg meteorological hazards: flood, flash flood, seiche, tidal surge drought fire (e.g., forest, range, urban, wildland, and urban interface) snow, ice, hail, sleet, avalanche windstorm, tropical cyclone, hurricane, tornado, water spout, dust/sand storm extreme temperatures lightning strikes famine geomagnetic storm biological hazards: diseases that impact humans or animals (e.g., plague, smallpox, anthrax, West Nile virus, foot and mouth disease, severe acute respiratory syndrome (SARS), influenza pandemic, bovine spongiform encephalopathy (BSE)) animal or insect infestation or damage August 2008 15

Z1600-08 Human-caused events unintentional events: hazardous material spill or release (e.g., explosive, flammable liquid, flammable gas, flammable solid, oxidizer, poison, radiological, corrosive) explosion/fire transportation accident building/structure collapse energy/power/utility failure fuel/resource shortage air/water pollution, contamination water control structure/dam/levee failure financial issues, economic depression, inflation, financial system collapse communications system interruptions misinformation intentional events: terrorism (e.g., explosive, chemical, biological, radiological, nuclear, cyber) sabotage civil disturbance, public unrest, mass hysteria, riot enemy attack, war insurrection strike or labour dispute disinformation criminal activity (e.g., vandalism, arson, theft, fraud, embezzlement, data theft) electromagnetic pulse physical or information security breach workplace violence Technology-caused events computers, hardware, software, or application (internal/external) malfunction or breakdown ancillary support equipment telecommunications energy/power/utility failure A.5.1.2 Risk assessment A.5.1.2.1 A comprehensive risk assessment identifies the range of possible hazards and threats that might have an impact on the entity and surrounding area, or the critical infrastructure supporting the entity. The potential impact of each hazard or threat is determined by the degree of its severity, taking into account the vulnerability of the entity, as well as people, property, and the environment. Risk assessments should categorize hazards and threats by their frequency, history, and severity, keeping in mind that there could be many possible combinations of frequency and severity for each. Using the results of a risk assessment, an entity can prevent, mitigate, prepare for, respond to, or recover from the identified potential risks. There are a number of risk assessment methodologies and techniques that range from simple to complex. A.5.1.2.3 Risk events are analyzed by quantifying the most significant risk event impacts on business operations, community, and associated stakeholders. This analysis should give a clear idea of what entity facilities, functions, or services would be affected and their level of vulnerability. Examining the entity s tolerance for the threats or hazards should help prioritize these risk events. Those identified as high-risk events require further development of risk strategies to prevent, mitigate, accept, or transfer the risk events. The results of the risk assessment can be used as input for conducting a business impact analysis. 16 August 2008

Emergency management and business continuity programs Special attention in emergency planning should focus on the demographic composition of the community and the needs of vulnerable populations. Vulnerability is created by limited social, physical, and economic capabilities. These populations include people with disabilities or compromised health, seniors and children, people living in poverty, and those living in close proximity to a hazard. A.5.1.3 Business impact analysis (BIA) The BIA identifies the importance of each business function as it applies to the entity s mission. The BIA results become the cornerstone in establishing the continuity and recovery processes for an entity. It is the reason for creating the business continuity plan, and it defines the entity s perceived value. The BIA builds on the findings from the risk assessment by addressing what could happen should an event occur, and how it could affect the entity over time. The BIA must take into consideration the entire entity when identifying the most critical business functions. To identify time-sensitive business functions, it is necessary to first understand the business and what activities or processes are essential to ensure continuity of business to a level acceptable to management. To determine the business impacts, these questions should be asked: What are the objectives of the entity? How are the business objectives achieved? What are the products and services of the entity? Who is involved both internally and externally in the achievement of the business objectives (i.e., interdependencies)? What are the time imperatives (i.e., time sensitivity) on the delivery of the products and services? What are the minimum resource requirements (e.g., personnel, equipment, infrastructure, records, facilities, specialty items) to sustain these products and services? What are the quantitative and qualitative impacts of not continuing these products and services? Note: Quantitative losses can be identified in quantities, percentages, or factor of standard that can be described in monetary terms. Qualitative losses are intangible losses that have an operational impact but cannot be quantified in monetary terms or described in terms of financial impact. To assess these impacts on the entity, the following should be considered: health and safety of all persons communication with internal and external stakeholders reputation/credibility property, facilities, and infrastructure delivery of products and services environmental impacts economic and financial condition Note: There is a need to determine the potential economic or financial loss resulting from disruption of the functions, processes, or services over time. The purpose of an economic and financial impact analysis is to arrive at a general loss expectancy that demonstrates what is at risk and to guide measures to mitigate the effects of an emergency and the recovery time objectives (e.g., lost revenue, lost interest on float, fines and penalties, contractual or legal costs, regulatory (federal, provincial, local), interest paid on loans, lost opportunity costs, lost trade discounts, or lost productivity). regulatory and contractual obligations regional, national, and international considerations Note: It is important to consider the regional, national, or international impacts of a hazard or threat on communities. Border communities must consider cross-border hazards and threats. other stakeholder interdependencies (e.g., customers, vendors) and protocols/processes for managing incidents. Once the data are collected from all business function representatives through methods such as questionnaires, interviews, or workshops, the analysis begins by prioritizing the most critical or essential business functions in order of magnitude over time (e.g., < 2 hours, < 8 hours, 24 hours, 72 hours). The qualitative and quantitative impacts must also be considered as part of this analysis. This data should be grouped by severity from the highest impact to the lowest. The priority list indicates the ranking of critical August 2008 17

Z1600-08 business functions by importance and recovery time objective. Importance is based on time and impact. The recovery time objectives are driven by management s tolerance for loss. The findings from the BIA should be presented to management for approval to proceed with continuity and recovery strategy development. It is also important to verify executive buy-in and acceptance of the relative ranking of business functions. A.6.1 Prevention and mitigation The components of a program (i.e., prevention and mitigation, preparedness, response, and recovery) may be addressed independently or in combination. Prevention and mitigation activities frequently overlap, and entities may consider these together. A.6.1.2 Prevention A prevention strategy refers to measures taken by an entity to prevent a threat from occurring or completely avoiding the impacts of such a threat. Examples of prevention measures include redesign of systems, operations, and infrastructure relocation of systems, operations, and infrastructure use of alternative material, systems, operations, and infrastructure institution of new or redesigned controls institution of new or upgraded protection and security measures such as controlled access, quarantine, permits, and clearances. A.6.1.3 Mitigation Examples of mitigation strategies include adopting current building codes in development proposals appropriate land-use practices recognizing, removing, or reducing the potential consequence of the hazard establishing hazard warning and communications systems protecting proprietary information and vital records providing protective systems to safeguard information technology integrating risk mitigation strategies into the design of program initiatives for those assumptions with the highest risk rating reallocating resources to deal with these strategies. A.6.2 Resource management The key principles of resource management are as follows: Planning: Entities work together in advance of an incident to develop plans for managing and employing resources in a variety of possible emergencies. Resource identification and ordering: Entities use standardized processes and methodologies to order, identify, mobilize, dispatch, and track the resources required to support incident management activities. Categorizing resources: Resources are categorized by size, capacity, capability, skill, or other characteristics. Use of agreements: Mutual aid/mutual assistance agreements and pre-incident agreements among all parties providing or requesting resources are necessary to enable effective and efficient resource management during incident operations. Effective management of resources: Resource managers use validated practices to perform the following key resource management tasks systematically and efficiently: Acquisition procedures: used to obtain resources to support operational requirements. Management information systems: used to collect, update, and process data; track resources and display their readiness status. Ordering, mobilization, dispatching, and demobilization protocols: used to request resources, prioritize requests, activate and dispatch resources to incidents, and return resources to normal status. 18 August 2008

Emergency management and business continuity programs To the extent practical and feasible, an entity should categorize resources according to established definitions. Resources for program administration as well as emergency operations should be specifically identified. These resources include the following: equipment (e.g., heavy duty, protective, transportation, monitoring, decontamination, response, and personal protective equipment) supplies (e.g., medical, personal hygiene, consumable, administrative) sources of energy (e.g., electrical, fuel) emergency power production (e.g., generators) communications systems food and water technical information clothing facilities (e.g., personnel shelters, resource staging areas, reception, and operation centres) specialized personnel (e.g., medical, religious, emergency management staff, employee assistance program representatives, utility workers, morticians, and private contractors) non-governmental organizations or volunteer groups (e.g., Red Cross, Salvation Army, amateur radio, religious relief organizations, charitable agencies) federal, provincial, territorial, and local agencies. A.6.2.1 Resource management objectives should address the following: personnel, equipment, training, facilities, funding, expert knowledge, materials, technology, information, intelligence, and the time frames within which they will be needed quantity, response time, capability, limitations, cost, and liability connected with using the resources resources and any partnership essential to the program. A.6.2.2 Resource management should include the following tasks: establishing processes for describing, inventorying, requesting, and tracking resources activating these processes prior to and during an incident dispatching and utilizing resources prior to and during an incident deactivating or recalling resources during or after incidents contingency planning for shortfalls of resources. A.6.2.5 Procedures related to donations should include managing on-the-day volunteers who offer their services without prior formal processing. A.6.3 Mutual aid/mutual assistance The term mutual aid/mutual assistance agreement includes cooperative assistance agreements, service level agreements, intergovernmental compacts, or other terms commonly used for the sharing of resources. Mutual aid/mutual assistance agreements between entities are an effective means to obtain resources and should be developed whenever possible. Mutual aid/mutual assistance agreements are the means for one entity to provide resources, facilities, services, and other required support to another entity during an incident. Each entity should be party to a mutual aid/mutual assistance agreement with appropriate entities from which they expect to receive, or to which they expect to provide, assistance during an incident. This normally includes all neighbouring or nearby entities, as well as relevant government, private sector, and non-governmental organizations. August 2008 19

Z1600-08 A.6.3.2 Mutual aid/mutual assistance agreements should be developed in consultation with the parties involved, be in writing, be reviewed by legal counsel, define liability, detail funding and cost arrangements, and be signed by responsible individuals. At a minimum, mutual aid/mutual assistance agreements should include the following elements or provisions: definitions of key terms used in the agreement roles and responsibilities of individual parties procedures for requesting and providing assistance procedures, authorities, and rules for payment, reimbursement, and allocation of costs notification procedures protocols for interoperable communications relationships with other agreements among entities employment standards/occupational health and safety/workers compensation coverage treatment of liability and immunity recognition of qualifications and certifications sharing agreements, as required. A.6.5 Incident management A.6.5.1 Examples of incident management systems can be obtained from federal, provincial/territorial, or municipal emergency management organizations or from organizations specializing in incident management system training. Procedures for incident management should take into consideration stakeholders directly involved in response, continuity, and recovery operations appropriate authorities and resources, including activation and deactivation of plans. An incident management system is designed to enable effective and efficient incident management by integrating a combination of facilities, equipment, personnel, procedures, and communication operating within a common organizational structure. An incident management system should be able to effectively manage multi-jurisdictional and multi-agency events by being applicable to a wide range of incidents, including pre-event planning for large gatherings, demonstrations, etc. naturally occurring, human-caused, or technological incidents integrating flexibility and scalability clearly designating roles and responsibilities, including command, lines of authority, and supporting roles employing effective, scalable communication systems, which feature common frequencies, language, and terminology integrating risk management into the regular functions of incident command* implementing an ongoing planning system, which accounts for the organizational structure, availability of resources, deployment of resources, and situation status reports*, including the use of incident action plans implementing service and support systems for all the organizational components involved in the incident, including facilities, transportation, supplies, equipment maintenance, fueling, feeding, communications, and medical services/responder rehabilitation* including a standard approach for the collection, evaluation, dissemination, and use of information* providing finance/administrative services where necessary* 20 August 2008

Emergency management and business continuity programs effectively managing resources as follows: including those from different entities recording and tracking assignments deploying/demobilizing equipment and services designating facilities, both on-site and off-site (e.g., an emergency operations centre) implementing and maintaining an accountability/tracking system. *For additional information, see NFPA 1561. A.6.6 Communications and warning A.6.6.1 Assessment and coordination A communications assessment should be conducted to identify key audiences (individuals and groups) and their communications needs. The communication assessment should also consider the needs of vulnerable populations as noted in Clause A.5.1.2.3. The hazard identification, risk assessment, and impact analysis for the overall program should be used to help identify persons who might be affected by an emergency incident, thereby considering their communication needs. Understanding the strategies that can be used in the other functions of the program (i.e., prevention and mitigation, preparedness, response, and recovery) helps to identify the internal and external communication needs and messages to be developed, approved, and disseminated. The communications assessment involves understanding the critical internal and public information and messages that must be sent and received, along with the communication channels that are most effective for each. The communication assessment should address both the emergency management and business continuity needs of the entity. A.6.6.2 Systems Telecommunication and other communication systems should support all components of the program and can include the following: wireline, wireless, and satellite telephones pagers fax machines computer systems and networks, including personal digital assistants (PDAs) automated, purchased, or hosted systems and services that can simultaneously send and or verify receipt of messages to telephone and computer devices two-way radios operating on public, private, or amateur radio frequencies public radio and television systems, including provision for interrupting broadcasts with emergency messages or superimposing messages on current programming sirens and other outside warning devices computerized incident management systems for sharing operational communications. For assistance in designing emergency communications systems and selecting communications and emergency communications equipment, Industry Canada, the federal government department responsible for telecommunications, should be consulted for guidance on current standards and available technologies. Note: NFPA 1221 should also be consulted. A.6.6.3 Procedures Procedures for operating communication systems employed to support the program should include procedures for the use, maintenance, and testing of systems for internal and other operational communications within the incident management system and communication with key stakeholder groups. Documented procedures should include procedures for the technical operation, maintenance, and testing of each type of equipment. They should also include procedures that describe the schedule, frequency, and format for communications to effectively integrate with and support the planning cycles, meetings, and briefings that take place within the incident management cycle. Because there can be some overlap between communication procedures and incident management procedures, appropriate cross-references should be included to ensure that important procedural details are not overlooked. August 2008 21

Z1600-08 Incident command system (ICS) field operation guides, incident management handbooks, and training materials provide good examples of procedures for response communications. These procedures can also be used effectively within other functions of an emergency management and business continuity program. For assistance in developing communication procedures, Industry Canada should be consulted for guidance on current standards and available technologies. Publications are available on the licensing and operation of various two-way radio-telephone systems and amateur radio emergency service messagehandling procedures. Note: NENA 56-003 provides guidance on emergency public notification procedures. A.6.6.4 Public warning Emergency communications/public notification or alerting systems should involve a number of means of alerting those impacted or potentially impacted by a threat. Business continuity emergency communications can include employees, customers, suppliers, etc. The following are some of the technologies employed to notify potentially impacted members of the public: Broadcast announcements: Provide good general information but not well suited for delivering information to targeted populations or where confirmation of receipt of a message is required. Door-to-door notification: Good for targeting a small number of specific individuals. Not practical for notifying larger numbers of individuals because of the number of personnel required. Not suitable where the situation puts personnel doing the notification at risk. Emergency telephone notification systems: Good for delivering a specific message(s) to small and large groups of individuals via telephone, short message service (SMS) messaging, e-mail, pager, etc. Can provide summary and detailed reports of each individual contacted, including message delivery time, confirmation of message receipt, and feedback from the person who received the message. Sirens: Good to alert persons within hearing distance. Public needs to be aware of required action prior to the emergency for sirens to be effective. Weather alert radios: Provide good geographic coverage, can target populations within the range of a specific weather radio transmitter. Only a small percentage of the general public has receivers to receive weather alert messages. Other communication devices: Other technologies such as the Internet, fax machines, PDAs, and cell phones can be used as a primary means of alerting specific population groups or in combination with other technologies. Consideration should be given to using the Canadian Common Alerting Protocol (CAP), which provides bilingual Canadian location and event codes and facilitates issuing simultaneous alerts through multiple communication systems. Regulations and guidelines for alerting the public to incidents involving specific hazards, such as those presented by nuclear installations, should also be consulted. For assistance in developing emergency communications and warning capability, Industry Canada should be consulted for guidance on procedures. Assistance can also be obtained by contacting a provincial emergency management organization (see Clause B.1.2). Note: NENA 56-003 provides guidance on emergency public notification procedures. A.6.6.4.2 Procedures for operating systems employed for the purpose of alerting should include procedures for the maintenance and operation of the systems be capable of communicating reliably with potentially affected populations consider communication with special needs populations include the authority and decision-making process for issuing emergency public alerts or notifications include procedures for regular testing of the systems under operational conditions, with the results documented and deficiencies noted and addressed in a continuous improvement program. This testing should take place at least once a year. 22 August 2008

Emergency management and business continuity programs For assistance in developing emergency communications and warning capability, Industry Canada should be consulted for guidance on procedures. Assistance can also be obtained by contacting a provincial emergency management organization (see Clause B.1.2). Note: NENA 56-003 provides guidance on emergency public notification procedures. A.6.6.4.3 Public warning procedures should include criteria for selecting and implementing the most appropriate protective action. For example, in situations where response strategies include both shelter-in-place and evacuation to protect residents from a hazard, protective action guidelines should include both options. A.6.6.5 Public awareness A.6.6.5.1 A public awareness program provides generic information to the broader public to raise awareness about emergency management, emergency plans, and general ways in which the public can reduce its risk in the event of an emergency. A public education program is risk-based and provides focused information to target audiences in order to teach them how to reduce their risk of injury, death, property loss, or environmental damage in the event of an emergency. Special attention should be paid to the needs of vulnerable populations. A.6.6.5.2 Educational programs should be established to reach populations that could be impacted by an emergency. The entity should establish procedures and a communication schedule to disseminate information to educate and inform its own members and the public, as applicable. The public needs to know about the hazard, how they will be notified of an emergency, the potential impact of the hazard, and how to protect themselves from the impact of the hazard. Information should be tailored to the appropriate audience or population. Procedures should be established to respond to internal and external requests for information about the hazard and the programs in place to prevent, mitigate, respond to, and recover from an incident involving that hazard. These procedures should identify the positions within the program that are responsible for responding to information requests. Requests for information should be logged and tracked for effective handling and to enable analysis of the data. Sample resource materials such as pamphlets, publications, and Internet web links that provide awareness about protection from natural hazards and on recovery from natural disasters are available from provincial/territorial emergency measures organizations and Public Safety Canada. Resource materials for industrial and transportation-related incidents are available from industry associations. Technology solutions for disseminating information and for logging and tracking the handling of information requests are available from commercial suppliers. A.6.6.6 Emergency information In an emergency that involves an urgent need to provide information to the public and stakeholder groups, responsibilities should be assigned and procedures should be established for providing information in a timely manner. This is required for the effective management of a crisis. Managing the operational response to an emergency and managing the provision of emergency public information must be effectively integrated and coordinated within an incident management system. Procedures, when implemented, should ensure delivery of understandable, timely, accurate, and consistent information to the public. Procedures should also involve supporting incident management with accurate information about media coverage. To most effectively manage a crisis, information from both public and private sector entities regarding an incident should be coordinated and delivered in a consistent manner. Strategies such as implementation of unified command and establishing a joint information centre should be considered to achieve the required level of integration and coordination. A central point of contact should be identified with responsibility for developing and releasing information to the news media and other agencies and stakeholder groups. This position is often identified August 2008 23

Z1600-08 as the information officer within an incident management system. The responsibilities of an information officer are included in incident command system documentation. A joint information centre should be established when multiple entities are involved in the response to an incident to provide a central contact location. A joint information centre is a facility, normally established near an incident command post, where an information officer and public affairs staff from organizations involved in the response can develop, coordinate, and provide information about the incident to the public, media, and other agencies. A single joint information centre is preferable, but there should be provision for satellite locations in complex incidents spanning a wide geographic area. To effectively provide emergency public information, systems and procedures should first be developed to obtain accurate information about the emergency, understand the expected response, and have up-to-date information regarding implementation of that response. An effective incident management system is required to provide this information in a timely manner. The organizational structure, roles, responsibilities, and procedures incorporated within the incident management system should be used to effectively gather and process this information. Procedures are also required to monitor information provided by the media and stakeholder groups to ensure that reports are accurate and to identify any communication issues that need to be addressed. An organizational structure and procedures should be established for disseminating emergency information. ICS field operations guides and incident management handbooks contain useful examples. Pre-scripted information bulletins and templates that can be modified to include incident-specific information should be developed in advance and should address identified hazards. Review and approval procedures to ensure that information is accurate and supports response and crisis management objectives should be implemented. To allow information to be delivered in a timely manner during the initial stages of an incident, general information or media releases should be developed and pre-approved. Procedures to communicate with special needs populations should be developed to address issues and populations identified during the communication assessment. Guidelines should reflect information and procedures outlined in Clause 6.6.4.3. A.6.6.7 Crisis communications capability Crisis communications capability addresses a significantly increased requirement for communication in response to a crisis. A crisis can be described as an incident that is escalating in intensity or attracting increased attention from the public, media, government, or interest groups to the extent that the incident can jeopardize the image of the entity and negatively impact its operations. A.6.7 Operational procedures A.6.7.1 Procedures should include control of access to the area affected by the emergency identification of personnel engaged in activities at the incident site accounting for personnel engaged in incident activities accounting for people and animals affected, displaced, or injured by the emergency mobilization and demobilization of resources provision for temporary, short-term, or long-term housing, feeding, and care of people displaced by the emergency recovery, identification, and safeguarding of human remains provision for the mental health and physical well-being of people affected by the emergency provision for managing critical incident stress for responders documentation of decisions and steps taken in response to the emergency. A.6.7.2 The procedures should address health and safety, incident stabilization, operational/business continuity, minimization of property damage, and protection of the environment under the jurisdiction of the entity. 24 August 2008

Emergency management and business continuity programs A.6.7.3 Documented processes are available to assist responders in conducting a situation analysis. An example of one process is the Disciplined Approach to Emergency Response referenced in CAN/CSA-Z731. Although different processes can be equally effective, it is important for responders who will be working together to be trained and proficient in the situation analysis process used by their entity. Damage assessment is an appraisal or determination of the effects of the disaster/emergency on human, physical, economic, and natural resources. A.6.8 Facilities Emergency operations centres (EOCs) represent the physical location at which the coordination of information and resources to support incident management activities normally takes place. The incident command post (ICP) located at or in the immediate vicinity of an incident site, although focused primarily on the tactical on-scene response, can perform an EOC-like function in smaller-scale incidents or during the initial phase of the response to larger, more complex events. EOCs activated to provide support in larger, more complex events are typically set up in a more central or permanently established facility within a jurisdiction. The physical size and equipping of an EOC depends on the size of the jurisdiction, resources available, and anticipated incident management workload. Facilities should be capable of accommodating any combination of essential representatives identified in the entity s plan. Facilities should have adequate workspace, communications, and back-up utilities and should meet other basic human needs for each representative. Facilities should be located so that they are not impacted by the event. It should also be noted that there is a movement toward mobile and virtual capabilities. This type of capability should still meet the criteria in this section. Note: Other terms may be used in place of emergency operations centre, such as emergency coordination centre. A.6.9 Training A.6.9.1 Those who perform tasks are expected to be competent as a result of appropriate education, training, and experience. Training or instruction should be conducted at all levels of the organization, including senior management, and be specific to emergency management and business continuity duties and responsibilities, as determined by a training needs assessment. Regular duties and responsibilities can include voluntary or additional responsibilities assumed on behalf of the organization. A.6.10 Business continuity Plans for business continuity, continuity of government, and continuity of operations are generally similar in intent and less similar in content. Note: Continuity plans have various names in both the public and private sectors, including business continuity plans, business resumption plans, disaster recovery plans, and so on. In addition, within the public sector, continuity of operations plans might use business impact analysis to identify critical governmental functions. Recovery planning for the public sector normally includes bringing infrastructure and individuals back to pre-disaster conditions, including implementation of mitigation measures, to facilitate short- and long-term recovery. Business continuity planning in the private sector incorporates both the initial activities to respond to an emergency and the restoration of the business and its functions to pre-disaster levels. Specific areas to consider in continuity plans include the following: Succession: To ensure that the leadership continues to function effectively under emergency conditions. When practical, there is a designation of at least three successors for each position. Provisions have been made to deal with vacancies and other contingencies, such as absence or inability to act. August 2008 25

Z1600-08 Pre-delegation of emergency authorities: To ensure that sufficient enabling measures are in effect to continue operations under emergency conditions. Emergency authorities have been enacted that specify the essential duties to be performed by the leadership during the emergency period. Such authorities also enable the leadership to act if other associated entities are disrupted and to re-delegate with appropriate limitations. Emergency action steps: Actions that facilitate the ability of personnel to respond quickly and efficiently to disasters/emergencies. Checklists, action lists, and/or standard operating procedures (SOPs) have been written that identify emergency assignments, responsibilities, and emergency duty locations. Procedures should also exist for alerting, notifying, locating, and recalling key members of the entity. The SOPs and notification procedures should be integrated. Primary emergency operations centre: A facility or capability from which direction and control is exercised in an emergency. This type of centre or capability is designated to ensure that the leadership can direct and control operations from a centralized facility or capability in the event of an emergency (see Clause A.6.8). Alternative emergency operations centre: An alternative facility or capability from which direction and control is exercised in an emergency if the primary centre becomes unavailable or if it is determined that the alternative facility or capability is a more appropriate location from which to handle the emergency. Alternative operating or back-up facilities: Provisions also exist for an alternative site(s) for departments or agencies having emergency functions or continuing operations. Vital records: The measures that are taken by the entity to protect vital records (e.g., financial data, personnel records, and engineering drawings) that it should have to continue functioning during emergency conditions and to protect its rights and interests. Procedures have been put in place to ensure the selection, preservation, and availability of records essential to the effective functioning of the entity under emergency conditions and to maintain the continuity of operations. Protection of records should comply with applicable laws. Protection of resources, facilities, and personnel: The measures that are taken to deploy resources and personnel in a manner that provides redundancy to ensure that the entity can continue to function during emergency conditions. Plans and procedures are in place to ensure the protection of personnel, facilities, and resources so that the entity can operate effectively. The entity should have the ability to allocate needed resources and restore functions during and after disasters/emergencies. Plans should address deployment procedures to relocate/replicate resources or facilities, increase protection of facilities, and inform and train personnel in protective measures. Preparedness should be increased based on the threat level. A.6.11 Recovery A.6.11.1 The recovery strategy should include identifying recovery options that support recovery of the services and functions of the entity. Each recovery option is then assessed for suitability based on risk mitigation and cost benefit to determine an optimum mix of potential strategies. Detailed recovery plans containing short-term and long-term actions are then developed based on the recovery strategy. The entity s recovery strategies should consider workforce facilities supporting technologies information and data equipment and supplies human welfare (e.g., physical, psychological, and financial) stakeholders partners. 26 August 2008

Emergency management and business continuity programs A community s recovery strategies should consider essential services (e.g., water, gas, electricity, waste management, and telecommunications) cyber systems distribution systems or networks for essential goods (e.g., food, clothing, personal supplies, and services) transportation systems, networks, and infrastructure built environment (e.g., residential, commercial, and industrial uses) social services health services continuity of leadership economic recovery. A.6.11.6 Plans should be aligned with long-term goals and objectives, including the following: the entity s strategic plan management and coordination of activities funding and fiscal management management of volunteer, contractual, and entity resources opportunities for disaster mitigation. In developing plans, short-term goals and objectives should be established, including the following: vital personnel, systems, operations, records, and equipment (see Clause 6.2) priorities for restoration and mitigation acceptable downtime before restoration to a minimum level minimum resources needed to accomplish the restoration critical infrastructure (e.g., water, gas, electricity, and waste management) telecommunications and cyber systems distribution systems or networks for essential goods (e.g., food, clothing, personal supplies, and services) transportation systems, networks, and infrastructure built environment (e.g., residential, commercial, and industrial) psychosocial services health services continuity of governance systems. A.7 Exercises, evaluations, and corrective actions A.7.2 Exercises should be designed using specific objectives to validate plans, test systems, and provide personnel with an opportunity to practice assigned roles in the plan. Exercise results identify plan gaps and limitations and are used to improve and revise the plans. An exercise plan that schedules future exercises should be developed to ensure that participation is maximized, the number of exercises is optimized, and teamwork and partnerships are fostered. The exercise schedule should be based on organizational needs and legislative requirements. Exercises should be conducted when additions, deletions, or revisions are made to the plan there have been significant changes in key personnel responsible for implementing the plan there have been changes to physical resources (e.g., facilities, equipment) identified in the plan there have been changes in the nature or type of risks that can have an effect on the type of response. August 2008 27

Z1600-08 Exercises should be planned and conducted taking the following into consideration: The scenario should reflect reality as far as is practicable. The scenario should be based on the risk assessment. Key stakeholders should participate. Resources can be deployed or simulated. The EOC can be activated. Equipment and procedures identified in the emergency plan can be used. Linkages with other organizations and agencies can be included. Debriefing sessions should be included at the end of the exercise. Lessons learned should be documented. Typical exercise types include the following: Tabletop exercise: A method of exercising plans in which participants review and discuss the actions they would take in response to a specific scenario, as presented by a facilitator. Specific actions are not performed. Functional exercise: A method of exercising plans in which participants perform some or all of the actions they would take in the event of plan activation to respond to a specific scenario. Full operational exercise: A method of exercising plans in which the participants suspend normal operation and activate the plans as if the event were real. Guidance on exercise program design, planning, and evaluation is available from the federal and provincial departments with responsibility for emergency management and from private sector organizations that specialize in providing exercise training and offer exercise design and evaluation services. A.7.3 A corrective action plan is a process that follows an actual occurrence or exercise to identify program shortfalls and necessary corrective actions to address those shortfalls. The corrective action plan provides the techniques to manage the capabilities improvement process. The corrective action plan generally begins following the after-action discussion/critique of the incident or exercise. The corrective action plan can also begin during the incident if a lengthy or extended event is being managed. During the evaluation, process deficiencies that require improvement are noted. Some corrective actions might not be taken immediately because of constraints such as budgets, staffing, or contracts, and might be deferred as a part of the long-range project. However, temporary actions should be taken to implement the desired option. Typically, deficiencies fall within one or more of the program elements covered by this Standard. There are three categories, as follows: plan or standard operating procedures (SOP) revisions training equipment additions or modifications and facilities. The following should be addressed in the corrective action plan: State the problem and identify its impact. Review the history of corrective action issues and identify solutions. Select a corrective action strategy and prioritize the actions to be taken as well as an associated timeline for completion. Provide authority and resources to the individual assigned to implementation so that the designated change can be accomplished. Identify the resources required to implement the strategy. Check on the progress for completing the corrective action. Forward problems that need to be resolved by higher authorities to the level of authority that can resolve the problem. Validate the solution. 28 August 2008

Emergency management and business continuity programs A.8 Management review A.8.1 Program evaluation serves to confirm that an emergency management and business continuity program is fully implemented and meets its objectives. A periodic evaluation is beneficial to program management, authorities, and other stakeholders who have an interest in the program by confirming where the program is working correctly and where improvements are required. Information compiled from an evaluation can be used to assess program performance and aids in setting priorities for program improvements. Program evaluation helps to provide justification for recommended changes to a program and supports continuous improvement. Resources available to assist an entity with program evaluation range from self-assessment tools up to those processes that can result in a formal declaration of conformity with the requirements of this Standard. A number of program evaluation alternatives are available. They include checklists to assist in conducting internal self-assessments, peer assessments involving subject matter experts familiar with the business processes and risks, and comprehensive evaluations using trained independent evaluators and documented assessment protocols. A program evaluation can provide a confidential internal report for program management or result in a formal declaration of conformity of the program by a certified emergency management/business continuity professional or organization recognized in these fields. Program evaluation can also be conducted on a continual basis through the implementation of a management system approach that is oriented to continuous improvement. The scope of program evaluation can depend on the type of emergency management and business continuity program, the perceived risk to the public, and public or organizational sensitivity to past events. The type of program evaluation can also depend on the stage of the program in its development cycle. For example, it can be more cost-effective to use a self-evaluation or internal evaluation approach during the early stages of program development unless a more comprehensive evaluation or more extensive review is warranted. The implementation of a management system approach allows for continuous improvement through the life of the emergency management and business continuity program. Resources for emergency management and business continuity program evaluation can be divided into three categories for the purposes of demonstrating conformity with this Standard: making a self-determination and self-declaration seeking confirmation of the self-declaration by a party external to the organization seeking certification/registration of the emergency management and business continuity program by an external organization. The frequency of program evaluations must, at a minimum, meet legislated requirements and/or other standards applicable to the entity. For example, some jurisdictions require an annual review of municipal and departmental programs mandated by legislation. In any case, some type of program evaluation should be conducted annually. Some entities conduct annual reviews, with a more comprehensive or external review conducted at a lesser frequency of three to five years. Program management should specify the program review frequency or formulas for determining review frequency based on other program performance indicators and include these requirements in program documentation. The exercises, evaluations, and corrective actions covered in this Standard support and complement periodic program evaluation by providing additional opportunities to evaluate the program and identify continuous improvement criteria through tests, exercises, and analysis of responses to actual incidents. August 2008 29

Z1600-08 Annex B (informative) Emergency management and business continuity resources Note: This Annex is not a mandatory part of this Standard. B.0 Introduction The purpose of this Annex is to direct emergency management and business continuity professionals and other users of this Standard to the websites of relevant organizations. These organizations can provide resources and additional information that the reader will find useful, or represent the various sectors that engage in emergency management activities. The organization s name and URL are provided. In some cases, additional specific pages are also given to facilitate locating the most relevant information. Canadian sites are given priority. Where there is a nationwide organization, it is listed rather than the related provincial, territorial, or regional organizations. Readers are encouraged to use these sites as a first step to connecting with their local organizations. Major international sites are also included when possible. A large number of consulting firms and companies that provide goods and services to the emergency management community are not included in this list. Private companies are only included where there is no other public or not-for-profit organization or governing body engaged in similar activities. Inclusion of a private company in this Annex does not represent an endorsement of services. B.1 Canadian government organizations B.1.1 Federal government Canadian International Development Agency (CIDA) www.acdi-cida.gc.ca/index-e.htm Canada Mortgage and Housing Corporation (CMHC) www.cmhc-schl.gc.ca/en/co Canadian Nuclear Safety Commission www.nuclearsafety.gc.ca/eng/ Environment Canada www.ec.gc.ca Meteorological Service of Canada (MSC) www.msc-smc.ec.gc.ca/index_e.cfm Public Weather Warnings for Canada www.weatheroffice.gc.ca/warnings/warnings_e.html Fisheries and Oceans Canada www.dfo-mpo.gc.ca/home-accueil_e.htm Canadian Coast Guard www.ccg-gcc.gc.ca/main_e.htm Maritime Search and Rescue (SAR) in Canada www.ccg-gcc.gc.ca/sar/program/index_e.htm 30 August 2008

Emergency management and business continuity programs Foreign Affairs and International Trade Canada www.international.gc.ca/index.aspx Emergencies www.voyage.gc.ca/main/sos/emergencies-en.asp Indian and Northern Affairs Canada www.ainc-inac.gc.ca/index-eng.asp Emergency Preparedness: First Nations Emergency Services Society www.ainc-inac.gc.ca/bc/proser/fna/ccp/tlrsc/cpcpdm/emp_e.html Health Canada www.hc-sc.gc.ca/index_e.html Canada Health Portal www.chp-pcs.gc.ca/chp/index_e.jsp Emergencies and Disasters www.hc-sc.gc.ca/ed-ud/index_e.html Human Resources and Social Development Canada Federal Fire Protection www.hrsdc.gc.ca/en/labour/fire_protection/index.shtml Industry Canada Emergency Telecommunications www.strategis.ic.gc.ca/epic/site/et-tdu.nsf/en/home Library and Archives Canada Emergency Preparedness: Guide on Emergency and Disaster Control www.collectionscanada.ca/012/015/012015-100-e.html National Defence Canada www.forces.gc.ca/site/home_e.asp Emergency Management www.ndol.forces.gc.ca/report/2003/04report_e.htm National Energy Board Emergency Management Program www.neb.gc.ca/clf-nsi/rsftyndthnvrnmnt/mrgncymngmnt/mrgncymngmnt-eng.html National Search and Rescue Secretariat Canada www.nss.gc.ca/ Natural Resources Canada www.nrcan.gc.ca Earthquakes Canada www.earthquakescanada.nrcan.gc.ca/index_e.php Explosives www.nrcan-rncan.gc.ca/com/subsuj/expexp-eng.php Canadian Forest Service Forest Fires in Canada fire.cfs.nrcan.gc.ca/index_e.php Natural Hazards www.nrcan-rncan.gc.ca/com/subsuj/natris-eng.php Volcanoes of Canada gsc.nrcan.gc.ca/volcanoes/index_e.php August 2008 31

Z1600-08 GeoConnections Public Safety & Security/Public Health/Environment www.geoconnections.org/en/index.html Public Health Agency of Canada www.phac-aspc.gc.ca/new_e.html Emergency Preparedness www.phac-aspc.gc.ca/ep-mu/index.html Centre for Emergency Preparedness and Response www.phac-aspc.gc.ca/cepr-cmiu/index.html Public Safety Canada www.publicsafety.gc.ca/index-en.asp Canada Public Safety, Security and Emergency Preparedness: Information and Resources Portal www.safecanada.ca/ Canadian Disaster Database www.publicsafety.gc.ca/res/em/cdd/index-eng.aspx Public Safety Canada Emergency Management www.ps-sp.gc.ca/thm/em/index-eng.asp Public Safety Canada Family Preparation www.getprepared.ca/index_e.asp Emergency Preparedness Week www.emergencypreparednessweek.ca/faq_e.asp Royal Canadian Mounted Police Emergency Response Team www.rcmp.ca/ert/ert_e.htm Canadian Police Information Centre (CPIC) www.cpic-cipc.ca Transport Canada www.tc.gc.ca/en/menu.htm Emergencies www.tc.gc.ca/emergencies/menu.htm CANUTEC Canadian Transport Emergency Centre www.tc.gc.ca/canutec/en/menu.htm Transportation Safety Board of Canada (TSB) www.tsb.gc.ca/en/index.asp B.1.2 Provincial and territorial government Note: The primary provincial and territorial government emergency management sites are provided first, followed by sites for major cities and related organizations in each province and territory. B.1.2.1 Alberta Government of Alberta Alberta Emergency Management www.aema.alberta.ca Alberta Alert www.gov.ab.ca/home/336.cfm 32 August 2008

Emergency management and business continuity programs Alberta Shock Trauma Air Rescue Society (STARS) www.stars.ca/bins/index.asp City of Calgary Disaster Social Services www.calgary.ca/portal/server.pt/gateway/ptargs_0_0_780_237_0_43/http%3b/content.calgary.ca/ CCA/City+Hall/Business+Units/Community+and+Neighbourhood+Services/Disaster+Social+Services Capital Region Emergency Preparedness Partnership (C-REPP) www.c-repp.ca/main.html B.1.2.2 British Columbia Government of British Columbia Ministry of Health Emergency Management Branch www.health.gov.bc.ca/emergency/index.html British Columbia Ambulance Service (BCAS) www.hlth.gov.bc.ca/bcas Ministry of Public Safety and Solicitor General www.gov.bc.ca/pssg Provincial Emergency Program (PEP) www.pep.bc.ca/index.html Emergency Social Services (ESS) www.ess.bc.ca/index.htm City of Vancouver Emergency Preparedness www.city.vancouver.bc.ca/corpsvcs/emerg Neighborhood Emergency Preparedness Program (NEPP) www.city.vancouver.bc.ca/corpsvcs/emerg/nepp City of Victoria Victoria Emergency Management Agency www.victoria.ca/cityhall/departments_vep.shtml Peninsula Emergency Measures Organization (PEMO) Saanich Peninsula www.pemo.ca Regional District of Nanaimo Protective Services/Emergency Planning www.rdn.bc.ca/cms.asp?wpid=141 B.1.2.3 Manitoba Government of Manitoba Emergency Measures Organization (Manitoba EMO) www.gov.mb.ca/emo/ Manitoba Health Office of Disaster Management www.gov.mb.ca/health/odm/branch.html Office of the Fire Commissioner Manitoba www.firecomm.gov.mb.ca City of Brandon Emergency Preparedness Program (EPP) www.brandon.ca/main.nsf/pages+by+id/663 City of Winnipeg Emergency Preparedness Program www.winnipeg.ca/epp Winnipeg Fire Paramedic Service (WFPS) www.winnipeg.ca/fps/ August 2008 33

Z1600-08 B.1.2.4 New Brunswick New Brunswick Emergency Measures Organization (NB EMO) www.gnb.ca/cnb/emo-omu/index-e.asp City of Saint John Emergency Management Organization (SJEMO) www.saintjohn.ca/services_emergency_emo.cfm St. John s Ambulance New Brunswick (SJANB) www.sjanb.ca/index.php?menid=01&mtyp=3 B.1.2.5 Newfoundland and Labrador Emergency Measures Organization (Newfoundland and Labrador EMO) www.ma.gov.nl.ca/ma/fes/emo/ City of St. John s www.stjohns.ca/index.jsp B.1.2.6 Northwest Territories Territorial Emergency Management www.maca.gov.nt.ca/emergency_management/index.htm City of Yellowknife Public Safety Department www.yellowknife.ca/city_hall/departments/public_safety.html B.1.2.7 Nova Scotia Nova Scotia Emergency Management Office (NS EMO) www.gov.ns.ca/emo Halifax Regional Municipality Emergency Planning www.halifax.ca/emo/before.html Emergency Health Services Nova Scotia (EHSNS) Disaster Management www.gov.ns.ca/health/ehs/ground_ambulance/disaster_management.htm B.1.2.8 Nunavut Government of Nunavut Emergency Management cgs.gov.nu.ca/en/nunavut-emergency-management City of Iqaluit www.city.iqaluit.nu.ca B.1.2.9 Ontario Government of Ontario Emergency Management Ontario www.mcscs.jus.gov.on.ca/english/pub_security/emo/about_emo.html Ministry of Health and Long-Term Care www.health.gov.on.ca Emergency Health Services Branch www.health.gov.on.ca/english/public/program/ehs/ehs_mn.html Emergency Preparedness and Disaster Management www.health.gov.on.ca/english/public/program/ambul/emplan.html Emergency Planning and Preparedness www.health.gov.on.ca/english/public/program/emu/emu_mn.html 34 August 2008

Emergency management and business continuity programs Ontario Office of the Fire Marshal www.ofm.gov.on.ca/ Ministry of the Environment Emergency Management www.ene.gov.on.ca/en/emergency/index.php City of Brampton Brampton Emergency Measures Office www.city.brampton.on.ca/emergency_measures/index.tml City of Mississauga Mississauga s Emergency Plan www.mississauga.ca/portal/residents/mississaugasemergencyplan City of Ottawa Office of Emergency Management www.ottawa.ca/city_hall/charts/cps/emu_en.html Ontario Provincial Police www.opp.ca/english.htm Specialized Response Services www.opp.ca/specresteams/index.htm City of Toronto Office of Emergency Management (OEM) www.toronto.ca/wes/techservices/oem/index.htm Toronto Emergency Medical Services www.toronto.ca/emerg/index.htm B.1.2.10 Prince Edward Island Emergency Measures Organization (Prince Edward Island EMO) www.gov.pe.ca/cca/index.php3?number=1002515 City of Charlottetown Emergency Measures www.city.charlottetown.pe.ca/residents/emergency_measures.cfm B.1.2.11 Québec Government of Québec Ministry of Public Security www.msp.gouv.qc.ca/index_en.asp Civil Protection www.msp.gouv.qc.ca/secivile/index_en.asp Ministry of Sustainable Development, the Environment, and Parks www.mddep.gouv.qc.ca/ministere/rejoindr/urgence-en.htm Ministry of Health and Social Services Emergency Preparedness www.msss.gouv.qc.ca/en/sujets/organisation/emergency_preparedness.php Le système ambulancier au Québec (French) www.colba.net/~paramed/systeme.html City of Montréal Emergency Preparedness (French): Centre de sécurité civile de la Nouvelle ville de Montréal ville.montreal.qc.ca/portal/page?_pageid=2776,3108220&_dad=portal&_schema=portal Québec City Bureau de la sécurité civile (French) www.ville.quebec.qc.ca/fr/ma_ville/securite_civile/index.shtml August 2008 35

Z1600-08 B.1.2.12 Saskatchewan Government of Saskatchewan Corrections, Public Safety, and Policing Saskatchewan Emergency Management Organization (SaskEMO) www.cpsp.gov.sk.ca/saskemo City of Regina Emergency Preparedness www.regina.ca/content/info_services/emergency_services/index.shtml City of Saskatoon Emergency Measures Organization www.city.saskatoon.sk.ca/org/fire_protective/emo/index.asp B.1.2.13 Yukon Emergency Measures Organization (Yukon EMO) www.community.gov.yk.ca/emo/index.html City of Whitehorse www.whitehorse.ca B.2 International organizations Centers for Disease Control and Prevention (CDC) Emergency Preparedness & Response www.bt.cdc.gov/ National Oceanic and Atmospheric Administration (NOAA) www.noaa.gov/ Disaster Recovery World (Business Continuity Planning & Disaster Recovery Planning Directory) www.disasterrecoveryworld.com/index.htm Disaster Resource Guide www.disaster-resource.com/index.htm Emergency Management Australia www.ema.gov.au Federal Emergency Management Agency (FEMA) (This site provides links to a wide range of emergency management organizations and activities in the United States.) www.fema.gov Global Disaster Information Network (GDIN) www.gdin.org/ International Charter Space and Major Disasters www.disasterscharter.org/main_e.html International Institute for Sustainable Development (IISD) www.iisd.org/ National Academy of Engineering (NAE) www.nae.edu/nae/naehome.nsf National Fire Protection Association (NFPA) www.nfpa.org/ 36 August 2008

Emergency management and business continuity programs National Geophysical Data Center (NGDC) www.ngdc.noaa.gov/ National Environmental Satellite, Data, and Information Service (NESDIS) www.nesdis.noaa.gov/ New Zealand Ministry of Civil Defence and Emergency Management www.civildefence.govt.nz/memwebsite.nsf Proceedings of the National Academy of Sciences of the United States of America (PNAS) www.pnas.org/ Relief Web (A global hub for time-critical humanitarian information on complex emergencies and natural disasters sponsored by the United Nations) www.reliefweb.int United Kingdom Emergency Management www.ukresilience.info/ www.preparingforemergencies.gov.uk World Conference on Disaster Management (WCDM) www.wcdm.org/ World Health Organization (WHO) www.who.int/en B.3 Non-governmental, non-profit, and voluntary organizations Adventist Development and Relief Agency Canada (ADRA Canada) www.adra.ca/ Canada Safety Council www.safety-council.org/index.html Canadian Fire Safety Association (CFSA) www.canadianfiresafety.com/home/default.asp Canadian Centre for Emergency Preparedness (CCEP) www.ccep.ca Centre for Excellence in Emergency Preparedness www.ceep.ca/home.htm Red Cross International Committee of the Red Cross (ICRC) www.icrc.org International Federation of the Red Cross and Red Crescent Societies (IFRC) www.ifrc.org Canadian Red Cross www.redcross.ca American Red Cross www.redcross.org August 2008 37

Z1600-08 Disaster Recovery Information Exchange (DRIE) www.drie.org Institute for Catastrophic Loss Reduction (ICLR) www.iclr.org/index.htm National Directory of Emergency Services www.emergencyservices.ca Radio Amateurs of Canada (RAC) www.rac.ca/ Amateur Radio Emergency Service (ARES) www.rac.ca/fieldorg/racares.htm St. John Ambulance Canada (SJA) www.sja.ca/splash.aspx Salvation Army in Canada www.salvationarmy.ca Standards Council of Canada (SCC) www.scc.ca SMARTRISK (Organization for injury prevention and saving lives) www.smartrisk.ca/ United Way of Canada www.unitedway.ca/splash/index.htm Victim Assistance Online (VA Online) www.vaonline.org/index.html Volunteer Canada www.volunteer.ca B.4 Associations Associations representing emergency managers, first responders, and related practitioners are provided. Canada-wide associations, either with formal chapters, or with links to related provincial/territorial associations, are given priority. Association de sécurité civile du Québec (ASCQ) (French) www.ascq.org/index.htm Association des médecins d urgence du Québec (AMUQ) (French) www.amuq.qc.ca Association of Campus Emergency Response Teams (ACERT) www.acert.ca Association of Public-Safety Communications Officials (APCO Canada) www.apco.ca/ Canadian Association of Emergency Physicians (CAEP) www.caep.ca Canadian Association of Fire Chiefs (CAFC) www.cafc.ca/ 38 August 2008

Emergency management and business continuity programs Canadian Association of Chiefs of Police (CAPC) www.cacp.ca/ Canadian Manufacturers & Exporters (CME) www.cme-mec.ca Canadian Police Association (CPA) www.cpa-acp.ca/home/index_e.asp Canadian Search Dog Association www.canadiansearchdogs.com/ Canadian Telecommunications Emergency Preparedness Association (CTEPA) ctepa.sasktelwebhosting.com Centre for Excellence in Emergency Preparedness www.ceep.ca Conseil pour la réduction des accidents industriels majeurs (French) craim.ca/fr/default.asp Council of Canadian Fire Marshals and Fire Commissioners (CCFM & FC) www.ccfmfc.ca Civil Air Search and Rescue Association (CASARA) www.casara.ca Disaster Conferences Inc. Disaster Forum Association www.disasterforum.ca/about.html Disaster Preparedness and Emergency Response Association (DERA) www.disasters.org/index.htm EMS Chiefs of Canada www.emscc.ca/default.aspx The International Emergency Management Society (TIEMS) www.tiems.org International Association of Emergency Managers (IAEM) Canada www.iaem-canada.ca International Association of Fire Fighters www.iaff.org/index.asp International Police Association Canada (IPA Canada) www.ipa.ca/welcome.php National Emergency Nurses Affiliation (NENA) www.nena.ca Ontario Association of Emergency Managers (OAEM) www.oaem.ca/ Paramedic Association of Canada (see Chapters for local associations) www.paramedic.ca August 2008 39

Z1600-08 Risk and Insurance Management Society (RIMS) www.rims.org/ Réseau d échange en continuité des operations (RECO-Québec) (French) www.reco-quebec.org World Association for Disaster and Emergency Medicine (WADEM) wadem.medicine.wisc.edu/ B.5 Educational institutions Post-secondary providers of emergency management and closely related programs are listed. Many universities and other providers have related programs (e.g., emergency medicine, urban planning, geography, geology, public administration, sociology, or civil engineering) that can also be useful sources of information for emergency managers. There are several private education providers, such as career colleges and private consulting and training companies, which offer courses related to the emergency services. Brandon University Department of Applied Disaster and Emergency Studies www.brandonu.ca/academic/ades Public Safety Canada Canadian Emergency Management College www.publicsafety.gc.ca/prg/em/cemc/index-eng.aspx Disaster Recovery Institute Canada (DRI Canada) www.dri.ca Fleming College Emergency Management Program www.flemingc.on.ca/full-time/programdisplay.cfm?programcode=emp Federal Emergency Management Agency Higher Education Project (Lists emergency management university programs and other education resources) training.fema.gov/emiweb/edu/ George Brown College School of Emergency Management coned.georgebrown.ca/section/emrg.html Manitoba Emergency Services College www.firecomm.gov.mb.ca/mesc_introduction.html Sheridan Institute Emergency Management Program www1.sheridaninstitute.ca/programs/0708/pemgd/ École Polytechnique de Montréal Centre risque & performance (CRP) (French) www.polymtl.ca/crp/ York University School of Administrative Studies, Emergency Management www.yorku.ca/akevents/academic/sas/em/index.html Northern Alberta Institute of Technology Emergency Management Diploma Program www.nait.ca/program_home_17975.htm Royal Roads University School of Peace and Conflict Management, Disaster and Emergency Management www.royalroads.ca/programs/faculties-schools-centres/faculty-social-applied-sciences/ peace-conflict-management/demgmt-ma/ 40 August 2008

Emergency management and business continuity programs University of British Columbia School of Community and Regional Planning, Disaster and Risk Management Planning (DRMP) www.scarp.ubc.ca/aoc_drmp.htm B.6 Periodicals and publications Australasian Journal of Disaster and Trauma Studies www.massey.ac.nz/~trauma/ Australian Journal of Emergency Management www.ema.gov.au/ajem Business Continuity Journal www.businesscontinuityjournal.com/ Disaster Management Canada ccep.ca/ccepdmc.html Disaster Management & Response www.sciencedirect.com/science/journal/15402487 Disaster Prevention and Management www.emeraldinsight.com/info/journals/dpm/dpm.jsp Disaster Recovery Journal www.drj.com/ Disasters: The Journal of Disaster Studies, Policy and Management www.blackwellpublishing.com/journal.asp?ref=0361-3666&site=1 Environmental Hazards (former title: Global Environmental Change Part B: Environmental Hazards) www.elsevier.com International Journal of Emergency Management www.environmental-expert.com/magazine/inderscience/ijem/index.asp International Journal of Mass Emergencies & Disasters (IJMED) www.ijmed.org/ Journal of Business Continuity & Emergency Planning www.henrystewart.com/jbcep/index.html Journal of Contingencies and Crisis Management www.blackwellpublishing.com/journal.asp?ref=0966-0879 Journal of Emergency Management www.pnpco.com/pn06001.html Journal of Emergency Medical Services (JEMS) www.jems.com/jems/ Journal of Homeland Security and Emergency Management www.bepress.com/jhsem/ Journal of Natural Disaster Science (JNDS)/Japanese Group for the Study of Natural Disaster Science wwwsoc.nii.ac.jp/jsnds/contents/jsdn_back_number/jsdn_jnds.html August 2008 41

Z1600-08 Journal of Prehospital and Disaster Medicine pdm.medicine.wisc.edu/ Journal of Risk and Uncertainty www.springer.com/content/0895-5646 Natural Hazards www.springer.com/content/0921-030x Natural Hazards Review www.colorado.edu/hazards/publications/review.html Risk Analysis springerlink.metapress.com/content/112113/ Risk Management Magazine www.rmmag.com B.7 Canadian legislation Federal, provincial, and territorial legislation can be accessed via the respective government s website. The federal government s primary page for consolidated Acts and Regulations of Canada is: laws.justice.gc.ca/en/index.html The federal government s primary page for bills proceeding through Parliament is: www.parl.gc.ca/legisinfo/index.asp?language=e CanLII, a non-profit organization managed by the Federation of Law Societies of Canada, has made Canadian law accessible for free on the Internet: www.canlii.org/en/index.html 42 August 2008

Proposition de modification N hésitez pas à nous faire part de vos suggestions et de vos commentaires. Au moment de soumettre des propositions de modification aux normes CSA et autres publications CSA prière de fournir les renseignements demandés ci-dessous et de formuler les propositions sur une feuille volante. Il est recommandé d inclure le numéro de la norme/publication le numéro de l article, du tableau ou de la figure visé la formulation proposée la raison de cette modification. Proposal for change CSA welcomes your suggestions and comments. To submit your proposals for changes to CSA Standards and other CSA publications, please supply the information requested below and attach your proposal for change on a separate page(s). Be sure to include the Standard/publication number relevant Clause, Table, and/or Figure number(s) wording of the proposed change rationale for the change. Nom/Name: Affiliation: Adresse/Address: Ville/City: État/Province/State: Pays/Country: Code postal/postal/zip code: Téléphone/Telephone: Télécopieur/Fax: Date: J accepte que la CSA conserve et utilise les renseignements ci-dessus afin de faciliter la réception de mes suggestions et commentaires. I consent to CSA collecting and using the above information to facilitate the collection of my suggestions and comments. Consultez la politique CSA en matière de confidentialité au www.csagroup.org/legal pour savoir comment nous protégeons vos renseignements personnels. Visit CSA s policy on privacy at www.csagroup.org/legal to find out how we protect your personal information.

PRINTED IN CANADA The Canadian Standards Association (CSA) prints its publications on Rolland Enviro100, which contains 100% recycled post-consumer fibre, is EcoLogo and Processed Chlorine Free certified, and was manufactured using biogas energy. IMPRIME AU CANADA ISBN 978-1-55436-712-2 100%