Preparedness

September is National Preparedness Month (NPM). If your emergency management plan is collecting dust, now is the time to revisit its content. The resources listed here can help you do just that.

Books, sessions, articles, podcasts, and webinars are available through ASIS International. The authors and speakers provide inspiration to revisit existing emergency management plans and refresh the content based on the probability that a natural or manmade disaster could bring a company to its knees. The ASIS Information Resources Center has a wealth of information on this topic beyond what’s highlighted here.

The NPM website, Ready.gov, establishes hazard-focused themes and resources for each week in the month: floods, wildfire, hurricanes, and power outages. Other government websites can help jumpstart the planning process. The FEMA website, for example, provides a graphic that illustrates the life cycle of a potential crisis and gives examples of how a disaster would affect specific businesses.

Still need an incentive? Embrace the NPM theme: “Disasters Don’t Plan Ahead. You Can.”



Free Resources

(login may be required)

Book Excerpts
Podcasts
Recorded Seminar Sessions
Security Management Articles
Standards and Guidelines
Webinars
Council Resources
CSO Center Contributed Content
Additional Resources

Book Excerpts

Emergency Management and the Media
Soft Targets and Crisis Management: What Emergency Planners and Security Professionals Need to Know, Chapter 11
Contributor: Randall C. Duncan
Please do not distribute this excerpt.

Understanding and working with the media is an important part of an overall emergency management system. This relationship—between the emergency manager and the media—is one that has more opportunity to excel, or fail, than almost any other.


Developing Strategies for Emergency Management Programs
Soft Targets and Crisis Management: What Emergency Planners and Security Professionals Need to Know, Chapter 21
Contributor: S. Shane Stovall
Please do not distribute this excerpt.

Soft target planning is often done as part of an overall Emergency Management program or Business Continuity program. This chapter will discuss how strategies can be developed to establish or enhance these programs.


Emergency Management: Theory and Planning
Protection of Assets: Crisis Management, Chapter 1


Podcasts

Security Soft Targets
Security Management Podcast, April 2016
Host: Holly Gilbert Stowell

An expanded conversation with Jennifer Hesterman, retired U.S. Air Force Colonel, on soft targets, ISIS, the Brussels and Paris attacks, and how individuals can take a proactive approach to their own security.


Recorded Seminar Sessions

Managing Facility Expectations during a Crisis or Emergency
ASIS 2016

Speakers:
Mike Fagel, Argonne National Laboratory DIS, Infrastructure Assurance Center
Greg Benson, Elgin Community College Fire Science
Marianna Perry, CPP, ASIS
Lawrence Fennelly, Litigation Consultants

Gain valuable insights into a public safety response protocol from agencies that will be tasked with responding when a facility faces a crisis. What happens during a major event that differs from a routine call? Managing expectations at the facility and responder level will go a long way to create a keen understanding of where the gaps may be during an event. With planning, education, and exercises, each component involved in the response and recovery can help lead the event to a successful conclusion.


Risk Assessment as a Foundation for Disaster Preparedness
ASIS 2016

Speaker:
Jeffrey Slotnick, CPP, PSP, OR3M, LLC Risk Management Services Group

The ability to competently and confidently address risks leads to enterprise longevity and stakeholder confidence. When an emergency occurs, people are looking for leadership. Take a critical look at an organization's preparedness levels. Discuss a tried-and-true practice for identifying baseline risks, creating a plan of action that addresses the most likely risks, and training the crisis management team, employees, and community partners in the plan. The result? Enterprise longevity and resiliency.


Lessons Learned Implementing an Emergency Notification System
ASIS 2016

Speaker:
Keith Bennett, Eastman Chemical Company

In 2012, Eastman Chemical implemented a new emergency notification system at their largest manufacturing facility in Tennessee. With 10,000 employees and contractors working in more than 600 buildings, a state-of-the-art system was essential. After an eighteen-month design process, a new system with eleven different devices was implemented, including a message strategy and device architecture that used different emergency categories. Hear details of actual emergencies and the lessons learned from ineffective communication. Explore steps for successful system design and implementation, the use of “branding,” and key message content guidelines. Ultimately, the system allowed Eastman to successfully communicate the right emergency information to the right people at the right time.


Effective Crisis Management
ASIS 2012

Speaker:
Lawrence Berenson, CPP, Senior Security Advisor

After defining just what constitutes a “crisis,” Berenson explains how to develop a crisis management plan in five steps:

  • Risk Assessment, or what could go wrong?
  • Impact analysis, or how will the risk affect the business?
  • Identify strategies to mitigate the risk and write the plan.
  • Test the plan.
  • Sell the plan.

When working through the second step, Berenson suggests using an impact analysis matrix that charts various risks depending on their high or low probability and high or low business disruption. Based on these results, appropriate security strategies can be implemented to mitigate the most probable and the most disruptive risks to the business. He spends the last portion of the session discussing how to sell the plan to executives, including citing “near misses” a similar business encountered, identifying the cost of a disaster with the help of corporate finance, and finding a champion for crisis management testing within the C-suite.


Evacuations: Where Is Everybody?
ASIS 2012

Speakers:
Mark Theisen, CPP, director corporate security & business resilience, Thrivent Financial
Randy Rickert, manager, security operations, Thrivent Financial

The speakers detail how they developed an automated approach to account for employees during an emergency evacuation. The mandate for change came from the company’s executives who had been involved in two previous disasters: the 9/11 terrorist attacks and the I-35 bridge collapse. While supportive of the company’s emergency programs, they also issued a directive: improve the process for accounting for employees. The speakers evaluated the current evacuation plan and revised the process over 18 months with the following results:

  • With multiple buildings and sites in two states, the original evacuation plan took 45 minutes to complete, moving all employees to parking lots with managers accounting for their employees.
  • Noting the many flaws in that process, the two men created a vision: an integrated system for mass communication and a simple way to account for people using existing access control cards.
  • After testing and evaluating through five phases, the new system enabled 1,429 employees to clear the buildings and be checked in 7 minutes, and be back in the building in 14 minutes.

Emerging Crisis Management Trends: The Risks and Controls
ASIS 2014

Speaker:
Bruce Blythe, chairman, Crisis Management International

Recent surveys of CEOs and corporate board members ranked risk to the company’s reputation as their number one concern. These results have a major implication for security, says Blythe. If emergency plans focus on protecting the company’s reputation, security directors will get the attention of their corporate executives. Predicting which risks might affect a company’s future requires looking at prerequisites or patterns and dealing with a crisis from a strategic, not tactical, point of view. Before outlining 19 potential crises, Blythe advocates an enterprise risk management philosophy that security leaders need to address:

  • Core assets: what assets—people, reputation, intellectual property—are at risk?
  • Impacted stakeholders: how will employees, investors, competitors or others be affected?
  • Anticipation: where are the patterns leading, is the response integrated, and is the focus on the right crisis?

Learning from an Area-Wide Crisis: The Boston Blackout
ASIS 2013

Speakers:
Alan Snow, CPP, director, safety and security, Boston Properties
Paul Caruso, district manager, AlliedBarton Security Services

Using a detailed timeline and graphic videos to underscore the shock and chaos that ensued during the three-day power outage, the speakers provided first-hand accounts of how they coped with this crisis. While the scope of the emergency was unprecedented, the two speakers underscored the fragility of the nation’s electrical grid, 70 percent of which is more than 25 years old. Both men assumed huge responsibilities during the crisis: Snow oversaw Prudential Center Boston, which accommodated 60,000 people per day. Caruso dealt with client crises as well as the compromise of the company’s regional headquarters. Explaining how the crisis unfolded in phases and lessons learned, the speakers focused on several challenges for security:

  • The nature of the crisis changed over time, from a HAZMAT event to a power outage.
  • Communication sources were unreliable but critical to executing the emergency management plan.
  • Securing buildings to prevent unauthorized pedestrians from getting in was as important as issuing shelter-in-place messages to employees and then evacuating them.

Security Management Articles

Standards and Guidelines

Risk Assessment, Annex F: Examples of Risk Treatment Procedures that Enhance Resilience of the Organization


Webinars

Hurricane Harvey & Hurricane Irma: What's Next?
2017

Speakers:
James W. Satterfield
President/CEO/Founder
Firestorm Solutions

Bruce T. Blythe
Owner/Chairman
R3 Continuum, Inc.

The webinar will provide insights into the issues and solutions. What are the risks? What made Harvey a crisis? What are the lessons learned? What is the Crisis Index in the days and weeks after the storm? What do you need to do now regarding Hurricane Irma? What do you need to know now? 
 
The focus of the webinar is on the crisis impacts on employees, customers, facilities, supply chain, finances and brand. Crises are fluid over time. A crisis can escalate or de-escalate, causing an adjustment of the Crisis Index over time. Recognition of the escalation and source will impact and shift the responses, DECISIONS, ACTIONS AND WORDS. The lifecycle of the crisis can be documented by recognizing the change in the Crisis Index over time.

Learning Objectives

  • Understand crisis impacts and related decisions
  • Prioritize actions to be taken
  • Focus communications messages

Preparing Your Healthcare Facility for All Hazards
2017

Speakers:
Ron Lander, CPP, CMAS, CHEPS, PSM
James Keith Flannigan, Ph.D., CMAS

In 2016, the U.S. Centers for Medicare and Medicaid Services published CMS-3178: The Final Rule for Healthcare Emergency Preparedness. The regulation aims to establish consistent emergency preparedness requirements across provider and supplier networks, establish a more coordinated response to natural and man-made disasters, and increase patient safety during emergencies.


Business Continuity Planning (BCP) and Security Management…Do They Go Hand in Hand?
2017

Speaker:
Rinske Geerlings

Security management often concentrates on preventative controls and immediate responses, as opposed to Business Continuity Management. Business Continuity Planning ensures there are plans and procedures in place to continue the core, time-critical processes of an organization; thereby ensuring the brand/reputation are safeguarded as key services continue to be delivered. This is becoming increasingly relevant as we have been seeing larger scale disasters and security threats, and an increasingly competitive market where customers easily switch brands if a product/service is unavailable.


Security and Emergency Preparedness
March 2013
Sponsored by the ASIS International Commercial Real Estate Council and BOMA International

Speakers:
Carlos Villarreal, CSP, senior vice president, SecurAmerica, LLC, Commercial Real Estate
LaNile Dalcour, security director, Brookfield Properties

The speakers explore how two types of emergencies affect a business and its employees: workplace violence, specifically active shooter incidents, and natural disasters, specifically Hurricane Sandy.

Noting that there had been twenty mass shootings per year between 1976 and 2011 and in light of recent high-profile incidents, the speakers presented a five-step response plan that employees should follow when coping with an active shooter situation, including “take note of the two nearest exits in any building,” and “if you are in an office, stay there and secure the door.” They also discussed how a weather emergency can affect all phases of a business, including its revenue, reputation, and vendors as well as its employees and their families.

A key factor in both types of incidents is a business continuity plan that focuses on the company’s access control system, which must be up to date to account for employees during an emergency. Villarreal and Dalcour recommend the following access control best practices:

  • Conduct internal audits monthly to ensure that the system is functioning to the manufacturer’s specifications.
  • Audit card numbers monthly to look for duplicates.
  • Distribute quarterly employee rosters to tenants for updating.
  • Purge the database quarterly.


CSO Center Contributed Content

Dear Mom And Dad: Here's What I Mean By "Business Continuity"

by Bryan Weisbard

When family and friends ask me what I do for a living, I'm almost always greeted by the same blank, confused stare when I respond with "Business Continuity." To me and others in our profession, the words seem to fit the job. However, even business-minded individuals do not always understand what business continuity means, let alone the important role it plays within organizations. To complicate matters even further, the focus of business continuity has evolved over recent years and will continue to do so as new issues such as cybersecurity and privacy compliance gain more attention. In the simplest sense, the goal of business continuity is to enable an organization to continue fulfilling its mission, vision and objectives, even during the worst of circumstances. Regardless of what Murphy's Law, mother nature, or those with bad intentions throw our way, we have prepared our organization to succeed. By now, you must be asking what it takes to build a successful Business Continuity program and how I can best explain it to my family and friends? I find that it's less about the technical details and more about the strategy explained in my 5 Steps to Success:

5 Steps to Success:

Step 1: Understand the culture and risk appetite of the organization. Each and every organization is different. This seems like a relatively simple concept, but truly understanding what makes your organization different is difficult; however, understanding its mission, vision, and culture is essential--the culture of the organization drives the risk appetite and the risk appetite drives the framework of the business continuity program. Senior leadership defines the organization's risk appetite, and the role of the business continuity professional is to build and maintain a program consistent with these risk tolerances. Notice I specifically used the term "organization" rather than "business." Not all organizations are run as businesses, and organizations like nonprofits or governments (and any other organizations who do not operate with the intention of generating profits) need to be equally prepared to respond to crisis (or even slow-burn disruptions). By recognizing the culture and risk appetite established by leadership, we can then focus on understanding the inner workings of the organization...

Step 2: Understand the inner workings of the organization. How is revenue generated (or does the organization even generate revenue)? What are the key processes that enable the organization to achieve its mission? During the first 90 days on the job, business continuity professionals should meet with as many different teams as possible--from accounting, finance and HR to operations, engineering, and sales. Each and every department in an organization should play a role in advancing the mission (if not, why does it exist?). The thing to keep in mind is that while each team plays a role, not all functions are time critical during an unexpected emergency. Identifying which teams are time-sensitive during a disaster is crucial. It's important to note that just because a team is not time-sensitive doesn't make it any less important. For example, in a for-profit business, without sales the company will cease to exist--but generating new sales during a crisis isn't necessarily as important as meeting immediate obligations to existing customers. Next, the business continuity professional needs to understand how those time-sensitive departments operate and the key people, facilities, suppliers, and technology required to perform the supporting activities. Priority should be placed on the departments that enable core products/services and departments which enable the organization to meet its critical obligations to internal and external stakeholders (employees, investors/shareholders, customers, users, compliance/regulatory organizations etc.). By understanding these inner workings, we can build a strategic plan to drive tactical execution…

Step 3: Develop a strategic business continuity plan to drive tactical execution. Risk, corporate security, and crisis management are tightly interconnected. It's impossible to anticipate or plan for every crisis scenario, so developing a strategic framework to drive and guide future tactical response is critical. Proactively building an environment to prevent or reduce the likelihood of a risk should be coupled with a reactive plan to respond to an incident.

Resources should be dedicated to trying to prevent a disruptive incident from occurring, but we can't let ego cloud our judgement. We need to recognize that Murphy's Law and uncontrollable incidents will get the best of us at times, and we need to be prepared to respond accordingly. Strategic planning should drive tactical execution, but we need to be pragmatic and thoughtful in how we allocate resources...

Step 4: Be pragmatic. When making resource decisions about the size and scope of a business continuity program, be pragmatic. Executives want to know that cost-benefit analyses are being conducted to understand the impact of potential risks (financial, reputational, legal). The investment in your business continuity program should be proportional to the risks faced by the organization and the acceptable pre-defined risk tolerances and culture. The "best" business continuity program is not necessarily the "biggest." Sure I can build you the Fort Knox of a business continuity program, but that might cost more than the worst case scenario caused by a disruptive incident. It's not worth spending $100,000 to mitigate a risk if the maximum lost value is $50,000 (should the risk even become a reality). It's perfectly acceptable to accept a risk without mitigation efforts as long as this is a conscious, pre-planned decision and not an afterthought. On the other hand, organizations might be willing to spend more than the maximum value lost to mitigate certain brand or reputational risks based on company values or culture. It might be worth paying $200,000 to avoid a negative impact to brand, even if the estimated financial losses of a risk are estimated to be $100,000. Balance is essential to obtain executive buy-in as is the ability to adapt to the changing role of business continuity...

Step 5: Adapt. The business continuity function has continued to evolve, shifting from a focus on technical aspects to a broader understanding of risk and resilience. Understanding how an organization functions from a business, operational, and risk perspective is essential to leading a business continuity program. Every organization has different operational and technical requirements, so it's impossible to have the technical skillset in every discipline. Knowing the right questions to ask and where to go to find the answers is the most important skill.

The most successful business continuity professionals understand that they are advisors, not auditors. While certain industries require compliance with specific laws and regulations, business continuity professionals should seek to advise rather than mandate. This approach will help build buy-in throughout the organization, and stakeholders (who you often rely on) will be more eager to partner with the business continuity team.

Conclusion: Sometimes complicated technical approaches tend to get in the way of progress. By taking a step back and carefully crafting a strategic business continuity program rather than pages and pages of complex details, we can be more agile in our planning and response. After all, who has the time to read 300 pages of documentation in the midst of a crisis? Sometimes simplicity is best. In the words of Leonardo da Vinci and Steve Jobs, "Simplicity is the ultimate sophistication."

About the author:

Bryan Weisbard, CPA, CFE, is Head of Security Analysis, Investigations & Business Continuity at Twitter. In this capacity, Weisbard's team identifies, analyzes, and mitigates risks posed to the company from a geopolitical and corporate security perspective. Weisbard also leads all business continuity and crisis management functions globally. Prior to joining Twitter, Weisbard served in a variety of national security roles with the U.S. Government, both in the Washington D.C. area and overseas. Weisbard holds an MBA from the University of North Carolina at Chapel Hill, a Bachelor of Business Administration from the University of Miami, and a Certificate in Forensic Accounting from Georgetown University. Weisbard is a Certified Public Accountant (CPA) and a Certified Fraud Examiner (CFE). Weisbard serves on the Membership Committee of the CSO Center for Leadership & Development and is a member of The Pacific Council on International Policy and OSAC's Pan-Asia Regional Council (PARC) and Media & Entertainment Working Group (MEWG). Weisbard also serves as President of the Board of Directors for Up On Top School Program, a 501(c)(3) charity providing free educational programs to children from low-income families.

Follow @BryanWeisbard on Twitter or connect with him on LinkedIn.


Council Resources

Response and Recovery Resources for Natural Disasters
The ASIS Crisis Management and Business Continuity Council has provided links to helpful resources to assist recovery for those affected by Hurricane Harvey.


Additional Resources

Information Resources Center (IRC) Security Databases & Library Catalog

Security Database & Library Catalog (members only)
The Security Database & Library Catalog of the IRC has hundreds of records on the subjects of travel security and safety, including references to books, Security Management articles, government reports, Annual Seminar recorded sessions, and other documents. Print items are available for use onsite in the O.P. Norton Information Resources Center (IRC) by ASIS International members. Some items have links to electronic versions accessible via the Internet.

To access the IRC, sign in to the ASIS website, then go to the library webpages to navigate to the Security Database & Library Catalog. Search using the term “preparedness.”

You may also review the ASIS IRC Reference Guide on Preparedness, which lists a comprehensive review of the Standards and Guidelines, books, Security Management articles, recorded Webinars, and recorded Annual Seminar Educational Sessions available through ASIS that can assist security professionals as they prepare for and respond to emergencies in their companies and communities.


Government Resources

National Preparedness Month Toolkit
The National Preparedness Month Social Media Toolkit contains key marketing and preparedness messaging to print or share on your social media channels throughout the month of September and beyond.


2017 Voluntary Organization Partnership Day
The Federal Emergency Management Agency (FEMA) hosted more than 30 non-profit organizations at its headquarters July 26, 2017, for Voluntary Organization Partnership Day, to promote and recognize the services voluntary, community and faith-based organizations provide to disaster survivors.