Disaster Management 101
IN our post-9/11 climate, today more than ever, security professionals are being asked to take the lead on disaster management programs, as well as business continuity plan development and implementation. A recent Internet search shows more than 34 million hits on disaster management and 23 million hits on business continuity planning.
Some of these sites charge for a step-by-step plan. Others provide detailed check lists and flow charts that map out what should be done during the disaster, recovery and business continuity phases. Keeping the process as simple as possible is key to ensuring your plan gets approved and implemented. The Department of Homeland Security and National Fire Protection Association provide complimentary publications on disaster management that guide you through the basics of developing a disaster management program.
After endless meetings and intensive specialized training, senior management finally agrees that your company requires a disaster management plan that includes business continuity. As a newly appointed "expert" in disaster management, what should you deliberate on as you put together the disaster plan?
Having managed disaster management plans for a nuclear power plant, as well as corporate America, my recommendations outline the importance of creating a detailed plan.
Many disaster management programs have secondary sites selected for continued business operations. You likely will have two locations to protect with limited budgetary considerations.
Have you surveyed the prospective secondary site? What are your challenges in keeping the employees safe while still protecting the assets of the company in both places? This process should have started long before or in concurrence with your disaster management program.
Furthermore, as you prepare to upgrade your security technology (cameras, digital video, access control and door alarms), consideration should be given to not only the security plan, but the disaster management program, as well.
Do your systems have an open structure such that you can add or move at will? Are you able to remotely monitor your video? Is there room on your system to add cameras? Does your electronics supplier carry these items in stock? Do they have a loaner program or a buy back program? Are they willing to sign a contingency contract which will guarantee delivery within your plan time frames?
Hazard Identification, Risk Assessment/Impact Analysis
As a security professional, I can engage enough security personnel to repel a small army, but how do I know what the production team requires to keep running or the data group to keep data processing? Since no one person can be the expert in so many divergent areas, it's vital that a multi-disciplined team be assembled.
When all the hazards identified, implement a strategy to eliminate hazards and mitigate the effects of hazards that cannot be eliminated. Consider the following:
1. The use of applicable building construction standards.
2. Hazard avoidance through appropriate land-use practices.
3. Relocation, retrofitting or removal of structures at risk.
4. Removal or elimination of the hazard.
5. Segregation of the hazard from that which is to be protected.
6. Reduction or limitation of the amount or size of the hazard.
7. Modification of the basic characteristics of the hazard.
8. Control of the rate of release of the hazard.
9. Provision of protective systems or equipment for both cyber or physical risks.
10. Establishment of hazard warning and communication procedures.
11. Redundancy or duplication of essential personnel, critical systems, equipment, information, operations or materials.
With so many audiences and different types of actions to be taken, different plans, including a strategic plan, an emergency operations/response plan, a mitigation plan, a recovery plan and a continuity plan should all be develop.
A disaster management plan should feature the following elements:
Strategic plan. This defines the vision, mission, goals and objectives of the disaster management program.
Emergency operations/response plan. This plan assigns responsibilities to organizations and individuals for carrying out specific actions at projected times.
Mitigation plan. This establishes interim and long-term actions to eliminate hazards.
Recovery plan. This plan is developed to identify short-term and long-term priorities, processes, vital resources and time frames for restoration of the business.
Continuity plan. This plan identifies the critical and time-sensitive applications, vital records, processes and functions that need to be maintained, and identifies the necessary personnel and processes.
you prepare plans, identify hazards, the likelihood of their occurrence and the vulnerability of people, property, the environment and the business itself to those hazards. At a minimum, consider: natural hazards (geological, meteorological, and biological) and human-caused events (accidental and intentional).
Determine the resources needed to address other remaining hazards. When developing resource management objectives, consider: personnel, equipment, training, facilities, funding, expert knowledge, materials and the time-frames within which they will be needed. Also consider quantity, response time, capability, limitations, cost and liability connected with using the involved resources.
Communications and Evaluations
A communication system and procedure needs to be developed to ensure the notification of personnel, as well as a method to alert emergency response personnel. This system also needs to be periodically tested to ensure program compliance.
Develop and implement a training program that creates awareness for everyone that may be affected by the program. Remember to maintain accurate training records and conduct exercises to test the entire plan. Be sure that corrective action is taken on any deficiency identified during the exercise.
Since 9/11, our industry has gone through a significant increase in awareness of security issues. Technological advancements have given us better tools that take care of the day-to-day operations and can be used in a proactive manner to ensure the continued safety of employees after a significant event occurs.
Keeping to the basics, taking the time to develop comprehensive plans and then communicating those plans via policies, procedures, announcements, and actually conducting exercises are the necessary activities that will ensure the health and safety of your employees and emergency responders.