​

EMERGENCY RESPONSE personnel generally agree that companies and governments alike need to take an all-hazards approach to emergency preparedness and response, rather than narrowly targeting efforts toward the threat du jour.

Doing so requires five plans, according to the National Fire Prevention Association (NFPA) 1600 standard, issued together with the U.S. Department of Homeland Security, the National Emergency Management Association, and the International Association of Emergency Managers. NFPA 1600 calls for a prevention plan, an all-hazards emergency operations plan (EOP), a mitigation plan, a recovery plan, and a continuity-of-operations plan (COOP).

And each of those plans—like any element of a security program—should be based on risk assessment that considers all hazards: not only high-consequence, low probability events, such as terrorism and extreme natural disasters but also lower consequence, higher probability events, such as power outages and cyberattacks—and everything in between.

These assessments need not be overly complicated and quantitative, notes Lucien G. Canton, CPP, CEM (Certified Emergency Manager), CBCP (Certified Business Continuity Professional), and author of Emergency Management: Concepts and Strategies for Effective Programs. They may be simple and qualitative, charting the likelihood and consequences of possible events along two axes using a simple three-level threat scale, such as high, medium, and low.

While it’s important to assess which threats a company is likely to confront, the value of an all-hazards emergency plan lies in its focus on emergency functions—most of which apply in all or most incidents—rather than the events themselves. Per federal guidelines, such as the Federal Emergency Management Agency (FEMA) State and Local Guide (SLG) 101: Guide for All-Hazard Emergency Operations Planning, the heart of an EOP concerns needed support functions such as warning, evacuation, communications, and management. For many businesses, a plan will likely address not only evacuation but also shelter-in-place options.

How the support functions are applied to specific events (which are the threats in the risk assessment) should be laid out in separate sections annexed to the plan.

And just as that approach strives for economy by applying common functions to different events, planners should incorporate what plans and procedures their organizations already have in place, or as SLG 101 recommends, “Don’t reinvent the wheel.”

If an organization already has a COOP, for example, management should build other plans that accommodate it. If an organization’s operations require compliance with federal safety requirements for hazardous materials, the bulk of an EOP may already be in place.

Discussion of planning often turns to a quote from one of history’s most successful planners, Dwight Eisenhower, who said that “plans are useless, but planning is indispensable.”

Canton reminds planners that the document is not an end in itself. It must be used, but to be useful, it must be usable. While some level of detail is essential, too much can be deadly. If it is as thick as a phone book, it may never even be read, let alone consulted during a crisis.

The lesson, Canton says, is to keep it simple. Focus on responsibilities rather than methods, and mandate completion of straightforward checklists for every support function. He also quotes Eisenhower’s subordinate, George Patton, who said, “Never tell people how to do things. Tell them what to do, and they will surprise you with their ingenuity.”