As guardians of the nation’s critical infrastructure, we cannot wait for a critical event to occur before we take action. We must be proactive in developing well-vetted plans as well as preparing and rehearsing standard operating procedures. Only a few months ago, Hurricane Irene wreaked havoc across the Northeast. We were extremely lucky that major cities were not under water. Imagine sump pumps being inoperable during a hurricane due to inadequate maintenance or a lack of either utility or back-up power systems. With weather trends showing increases in the frequency and severity of storms, we must develop and perfect our disaster response plans, and more specifically, improve how we collaborate and communicate with first responders.
There are newly developed guidelines, methodologies, and standards that provide some collaboration and communication tools. Building on the 2003 “Interagency Paper on Sound Practices to Strengthen the Resilience of the US Financial System,” the U.S. Department of Homeland Security developed the National Incident Management System or NIMS in 2008. NIMS is a comprehensive, flexible methodology for incident management that is scalable at all levels and across many disciplines, providing an organized group of operational structures to facilitate coordinated actions between various organizations during emergency planning. While not a detailed plan in and of itself, NIMS enhances the cooperation among levels of government, the private sector, and the public at large and ensures interoperability among first responders and important stakeholders during a disaster. NIMS focuses on five key components:
• Preparedness: Ongoing preparation, organization, training, exercising, and evaluation of emergency management plans utilizing partnerships between the government and private sector.
• Communications: Use of flexible communications and information systems allowing emergency management and first responders to employ a common operating picture. It stresses the use of interoperability, reliability, scalability, and portability to streamline communication between various entities.
• Resource management: Efficient use and management of critical resources during emergencies.
• Command and management: Provides a flexible, uniform structure for incident management.
• Ongoing management and maintenance: Continuous improvement and integration of best practices and lessons learned.
NIMS provides some methodology, but in today’s complex regulatory environment, firms must be compliant with current policies and regulations in order to operate efficiently and ensure that their critical infrastructure is prepared for any emergency. The National Fire Prevention Association’s (NFPA) Standard 1600 on Disaster/Emergency Management and Business Continuity Programs establishes a “total program approach” for disaster management planning with first responders. It suggests that a disaster recovery plan should address the following specific areas: First, organizations should align their incident management systems to allow cooperation with first-responder agencies. Second, the plan should ensure that communication systems within the facility are tested and maintained such as radios, telephones, and internet notification systems. Finally, the standard recommends that first responders should be provided with adequate training, clothing, and equipment when responding to a facility emergency.
In addition to NIMS, Presidential Policy Directive 8 (PPD-8) calls for an integrated, layered, and all-of-nation preparedness approach. It calls for concrete, measurable, and prioritized objectives for mitigating risks. Frameworks include prevention, protection, mitigation, response, and recovery for particular threats and scenarios and provide recommendations for supporting preparedness planning for businesses, communities, families, and individuals. The goal of this directive is to address the largest amount of people as possible to mitigate the effects of a disaster.
A recent Heritage Foundation white paper analyzed Japan’s response to the early 2011 earthquake and tsunami and highlighted three “lessons to be learned” by the U.S. and the Department of Homeland Security. First, it suggested the adoption of a more decentralized emergency response and called for an end to “over-federalization” of decision making at the congressional level. Secondly, it highlighted the fact that community awareness and the effective communication of risk saved more lives in Japan than their extensive technological protection devices. Finally, it stressed the need for resilience of critical infrastructure, in particular its most “vital” element—the electric grid.
Excellent examples for powerful tools to manage situations such as this can be seen at the Rio de Janeiro command center and in VCORE Solutions fourDScape (see figure 1). The command center brings together data from 30 of the city’s agencies on multiple screens and allows the city to quickly coordinate and mange responses to crisis shortly after they occur. fourDScape integrates numerous sensor and video feeds into a virtual environment that can be accessed vertically throughout a chain of command from managers to upper level decision makers as well as horizontally throughout emergency response teams. This keeps all involved parties up to date with critical information, as it is available through an intuitive dynamic virtual user interface.
In recent years, we have experienced record-breaking earthquakes, floods, drought, lethal tornados, snowstorms, and the third most chaotic hurricane season ever recorded. In fact, the first half of 2011 saw $265 billion in economic losses, well above the previous record of $220 billion for 2005, the year Hurricane Katrina struck (see table 2).
These events established that the efficient interaction and communication with first responders is critical for an effective response to any disaster. When any emergency threatens our nation’s critical infrastructure, the situation becomes more and more dire. As mission-critical professionals we must ask ourselves the following questions:
• Do our plans include a contact list of emergency responders, such as police, fire, and EMT?
• Has a liaison for communications with emergency services and first responders been assigned?
• Does the plan define how to interface with first responders, utility companies, and other infrastructure and public authorities?
• Have we prepared a list of “critical facilities” to include any location where a critical operation is performed?
• Are any internal corporate risk and compliance policies applicable?
Developing a disaster response and business continuity plan is a cooperative task involving input and coordination from all departments within your organization, including key personnel from IT, facilities, human resources, and security, as well as vendors, external stakeholders, and corporate suite. Outside consultants should also be engaged to provide feedback and conduct peer reviews of new plans. Adequate budgets must also be allocated, with a financial plan that ensures funds are well spent.
A business continuity plan serves as a tool to effectively guide a company’s personnel through the impact and recovery of a disaster. Training and exercises should be conducted on a routine basis not only to test the plan but to ensure that key personnel are aware of their roles and responsibilities in regard to the plan. Now is a good time to ask: Have you determined which information from your continuity plan is needed by first responders in case of an emergency? Will your personnel know where/how to locate this information during a disaster? This may include building plans, electrical one-line diagrams, emergency operating procedures, and other emergency response plans. Once this information is compiled, it must be stored and maintained in a dedicated application hosted in a secure environment. This allows your personnel to support first responders by quickly providing the critical logistical information required during an emergency.
The questions highlighted in this article are among some of the more important ones to consider when preparing your organization for an emergency; however there are many more that should also be considered. Today, there is no business that is immune to disasters. Adequate preparation and training will allow the industry to benefit from firsthand emergency responder experience. While only one percent of our infrastructure might be classified as “critical,” it is imperative that first responders and mission-critical personnel identify this one percent and establish effective disaster recovery plans that will put it back in operation as soon as possible should disaster strike. Most of America’s critical infrastructure is operated by the private sector; are we prepared to protect it during an emergency?
Reprints of this articleare available by contacting Jill DeVries at devriesj @bnpmedia.com or at 248-244-1726.