Archive for Emergency Response

Your Plandemic – The Plan to Plan Plan

Now that the Ebola virus has made its way to the United States and we enter the traditional US Flu season, companies are beginning to revisit and/or develop Pandemic Plans to address this scare.  But, Pandemic Planning is a little bit different than your standard business continuity plan development process.  I have often chastised organizations for saying they have business continuity or disaster recovery “plans” when all they really have are plans to create plans, but, in the case of pandemic planning, I think, that is actually the right approach to take.

The reason why it is so important to have well developed and relatively detailed business continuity plans, strategies and solutions in place today is that most disasters occur without warning and do not provide the luxury of time to figure out what to do after the incident occurs.  Pandemics represent an evolving threat that comes in various shapes and sizes and does afford us a luxury (if that word really applies here) to construct a response plan based on the particular pandemic that poses the threat.

The “Pandemic Influenza Risk Management / WHO Interim Guidance” published by the World Health Organization in 2013 states:

“Member States had prepared for a pandemic of high severity and appeared unable to adapt their national and subnational responses adequately to a more moderate event.”

And recommends,

“a risk-based approach to pandemic influenza risk management and encourages Member States to develop flexible plans, based on national risk assessment, taking account of the global risk assessment”

I think this applies to individual company plans, as well.  The Pandemic Plans that now sit on the shelves of most companies today include the best practices recommended for addressing the Avian Flu or Swine Flu or H1N1 – whichever scare was prevalent at the time they wrote their plan.  Although these plans may still contain lots of terrific practices for any epidemic or pandemic, they will probably need to be adjusted to address whatever pandemic actually occurs in their area.  It is for this reason that I believe the best approach to pandemic planning is to establish an environment in which you “plan to plan” for whatever pandemic might present itself.

The recommended, new WHO Pandemic Model has been simplified to include only 4 Pandemic Phases:

“Interpandemic phase: This is the period between influenza pandemics.

Alert phase: This is the phase when influenza caused by a new subtype has been identified in humans. Increased vigilance and careful risk assessment, at local, national and global levels, are characteristic of this phase. If the risk assessments indicate that the new virus is not developing into a pandemic strain, a de-escalation of activities towards those in the interpandemic phase may occur.

Pandemic phase: This is the period of global spread of human influenza caused by a new subtype. Movement between the interpandemic, alert and pandemic phases may occur quickly or gradually as indicated by the global risk assessment, principally based on virological, epidemiological and clinical data.

Transition phase: As the assessed global risk reduces, de-escalation of global actions may occur, and reduction in response activities or movement towards recovery actions by countries may be appropriate, according to their own risk assessments.”

I recommend that your Pandemic Program establish actions to take during each of these phases.

During the Interpandemic Phase, your Business Continuity Department (or Human Resources or Health Department, perhaps) should monitor WHO, CDC and local Health Agencies’ tracking of developing health risks and threats.

Should a situation occur where the Pandemic Level is raised to the Alert Phase, you should begin to develop more specific Prevention, Response and Contention strategies based on the health organization’s recommendations for the particular health risk that causes the alert.  You will likely be able to leverage many of the solutions developed in your previous pandemic plan, but your final plan will be geared towards this particular threat.

Should this threat result in either a regional epidemic or world-wide pandemic, you then put that plan into action.

Once the threat has been normalized and we enter the Transition Phase, your course of action should be to remain poised for a second wave of this particular pandemic while also documenting lessons learned to be considered should another threat develop.  You then “shelve” this particular plan and return to your tracking and monitoring position in the Interpandemic phase.

So, in effect, your Pandemic Program provides the basis for you to wait for a threat to develop and then jump into action developing the “plan” for this particular threat – in other words, you plan to plan.

Now, of course, there is also that part of the plan in which you must consider continuity of operations given that your work force is depleted or immobilized and/or given that key senior management have been impacted (ill or even died).  This is where you would deploy contingencies you have in place for such impacts.  (See the “Scenario Based vs Impact Based Planning” blog for more discussion on contingency planning.)

This approach will not work for other common business interruption risks and threats, but, I think, is the appropriate approach for addressing Pandemic Planning.

Meanwhile, promote day-to-day health and sanitation practices in your work environment – always a good way to combat any seasonal flu or more serious health risks.

Good luck, and stay healthy.

Scenario Based vs Impact Based Planning

I have participated in a number of conversations where people argue what the basis for business continuity plans should be.  Some people say you should have plans designed for specific threats inherent in your environment and others say that “what” happens is not important; plans should be based on the impacts of what happened and not the event itself.  I say, they are both right, in a way.

Business continuity planning, I think, has evolved over time and has expanded in scope of what it tries to achieve.  I’m not sure why we have gotten away from the term “contingency plans”, but I think Business Continuity Planning today includes both emergency response components and contingency planning components.

Considering these two components of the overall program, I think the Emergency Response part, the part that addresses how an organization responds to an incident, should, in fact, have scenario specific components for the known risks and threats in the area where you do business.  If you have facilities in hurricane regions, you absolutely should have Hurricane Preparedness Plans.  Same goes for if you have facilities on fault lines; in flood plains; near active volcanoes; near nuclear power plants; etc.  When specific threats arise, like pandemics, for example, your organization should develop a scenario specific plan for prevention and contention techniques for that exact threat.

But, on the contingency side of things, the focus should be on the impact.  Contingency plans should be developed based on impacts, such as: loss of access to the building; loss of access to technology tools, applications and data; interruptions in workflow; depleted or immobilized work force; etc.

Then the entire program should allow a cross mapping of the two plan components.  The threats, for which you have specific plans, could result in any or all of the impacts for which you have contingencies.  Take Pandemic Plans for example.  Many companies attack this issue as if it is an entirely new challenge and try to develop Pandemic Plans as holistic, stand-alone programs.  Once you realize that the impacts of a Pandemic might be a depleted or immobilized work force and interruptions to critical workflows, you realize that you should be able to leverage those contingency plans already developed and focus on the health and safety of your work force and work environment for the particular pandemic that poses the threat.  The pandemic response might be unique to this threat, but the contingencies could be leveraged for any event that impacts your work force availability, such as transit strikes, civil unrest in the area, etc.

So, if you are responsible for developing plans that address both response and contingency components of the overall program, I suggest that you will be doing both – developing scenario specific and impact based policies, procedures, strategies and solutions.  Then, you may even create a matrix that identifies which contingencies might come into play under each specific scenario.  I do, however, think you still need that generic response plan to handle those scenarios for which specific response plans have not been created.  These plans should focus on the logistics for getting decision makers together to address the challenges of an unplanned for interruption in an effective and efficient manner and adequately communicating decisions and instructions to the impacted parties.

Good luck.  No one said this job was going to be easy.

R U O K?

Many business continuity, disaster recovery, emergency response and crisis management programs currently utilize some sort of automated notification tool to alert employees of an incident and/or to call them to action following a disaster.  I have written past blogs about being careful with what you say in the recorded message being used for this notification because you can never be quite sure who is listening to the message – but, now, I want to know if you are making sure you also use this tool to ask, “Are you okay?”

I often hear business continuity and disaster recovery planners remind employees that job one is to ensure the health and welfare of employees and job two is to recover business operations and the tools to support them.  I think it is important to practice what we preach and to construct our emergency messages in the same vein.  I think it would be nice to first put in some information on how the company can help the employee, if they need, prior to asking the employee to help the company by engaging their recovery plans.

And, this does not just apply to messages being recorded (or typed) for the automated notification systems.  If your program still relies on phone call trees, I think it is a good idea to include this verbiage in a suggested script to be used for these calls.

Furthermore, I think it is important to keep the “Are you okay?” mantra going throughout the recovery effort.  I think it is important to do more than just make sure that employees know how to contact the Employee Assistance Program (EAP), but to also make that ask throughout the effort.  Not only should you help keep the employee okay by enforcing shift limits and making sure no one overdoes it in their anxiety to help the company through a tough time – but you need to make the ask.  Ask them if they are okay before they show signs that indicate otherwise.

And, finally, that same ask should be made after the incident is over.  There are many emergency response programs that require a mental health recovery period following participation in an incident.  You may want to consider a similar policy for certain members of your emergency response, crisis management, business continuity and/or disaster recovery teams.

Making sure the employees are okay during and throughout an emergency may require more than what your EAP has to offer.  There are companies out there that provide at-time-of-disaster mental health assistance that can be on-site to help identify problems and help resolve issues when they arise.  You should consider including these types of companies in your program directories.  One such company, Empathia, is included in the My Links section of this blog page – but there are others, as well.

Just a thought.  And, I hope this blog finds you OK!

Another Day, Another Headline

So, if you and/or the organization you work for are not yet convinced that you need complete and well-rehearsed Emergency Response, Disaster Recovery, Business Continuity and Crisis Management Plans in place today – I am not sure that you will ever be convinced.

In the past few days we have seen an example of an emergency caused by a direct and willful act to cause harm and destruction in the incident at the Boston Marathon; and, an example of an emergency caused through accidental means in West, Texas.  These events occurred as some companies continue to assess their responses to and management of the disruptions caused by Superstorm Sandy – an example of an emergency caused by nature.

Unfortunately, we don’t have to go very far back in our recent history to discover other compelling examples of why we need to be prepared for these types of emergencies and catastrophes.

It has been less than two weeks since I delivered a final Findings and Recommendations Report to a large international company with numerous physical locations in the Northeastern United States that were impacted by the carnage caused by Superstorm Sandy.  This analysis included the evaluation of other, like-sized companies in the region and how they responded to and managed this incident.  One of the not-so-surprising conclusions reached was that the ability to efficiently and effectively respond to this event was directly related to the amount of pre-planning and plan exercising that had been completed in the years prior to the storm.  This is a common finding following most of these types of incidents.  Those organizations that prepare for and practice their responses to emergencies fare better during these events than those that do not.  This only makes sense.

What stops many organizations from preparing and exercising is their belief that they are not susceptible to these types of events.  The headlines of the past few days, few months and few years, suggest that that is just not true.  Everyone is at risk.  Even if you are not in an area that experiences violent weather events, floods or earthquakes; even if you operate in an area that is relatively secure and isolated, the Boston Marathon and West, Texas incidents should prove – that it just doesn’t matter.

Bad things can and will occur.  Be prepared.  You owe it to your employees, your customers and family.  If you think otherwise now, you are just not paying attention.  Hoping that nothing happens is no longer a valid strategy.

Once again – our thoughts and prayers go out to yet another community in West, Texas, having to deal with the tragic loss of lives and homes.  I hate to think about what the next headline might bring.

The Boston Marathon Tragedy

I am always hesitant to immediately write about lessons to be learned from a tragedy such as what occurred during the recent Boston Marathon for fear that it might come across as an ambulance chasing kind of attempt to garner attention or attract more business.  But, on the other hand, it is when the news is news and people are focused on the incident and the meaning behind it, that the lessons can most readily be learned.

First of all, let me make it clear that my first thoughts are always with the victims of such a tragedy.  I cannot imagine the horror and pain suffered by those who were so horrendously impacted by this heinous act of cowardice.  To be enjoying what should be a moment of pride and celebration for just crossing or nearing the finish line with your loved ones waiting to share the accomplishment with you and to have it all interrupted in an instant of violence is simply devastating.  Even though I work in emergency preparedness and crisis management, I cannot help but shed tears every time I watch these events unfold.

There will be many so-called “lessons learned” that come from this incident.  Some of them valid; some of them, simply, the wrong conclusions.  The news media are, and will continue to be, stepping all over each other trying to get the better story and trying to out-analyze the other channels in an attempt to gain greater market-share.  There is still much to assess and much to learn.  Most of the real, valid conclusions are still weeks away – when, unfortunately, some other news story will steal the headlines and those of us that were not directly impacted will have moved on with our lives.

At this point in time, I can merely speculate on what will be discovered, but I do have some of my own opinions.  I think that this event shows us that the U.S., which for such a long time has been somewhat void of the risks and threats of terrorism when compared to many of our international friends, must now acknowledge that we are susceptible to these types of risks.  And, in my opinion, I think we will learn that this type of terrorism does not require a sophisticated, organized and well-financed group with a political agenda to carry out such an incident with relatively large impact (considering the numbers of people injured).  No, I think we will learn that any idiot with access to the internet and with evil in their heart can pull off this type of terror.  What this means is – everyone, everywhere is a fair target for such a tragedy.

There are already many people, and there will be more, second-guessing the security at this event and calling for more stringent security for future, similar events.  I, personally, don’t think that is the answer.  There is always more we can do to try to prevent these occurrences, but, I think this incident shows us that there is always an opening for terrorism.  Wherever you have mass gatherings, there is an opportunity for someone(s) to do damage.  Yes, we need to do everything we can to prevent these tragedies but there is a point where prevention starts to hinder our freedoms.  The other side of the equation is to be prepared.

I have already heard many people suggest that we need to keep on living, and I agree.  But, we can keep on living with a higher level of preparedness.  I think the people of Boston responded pretty well to the tragedy.  The level of preparedness they had for foreseen medical issues resulting from running a marathon was leveraged to help respond to this unforeseen incident.  The people they had in place managing the event were the right people for responding to this tragedy and, I think, they responded admirably.

There are other things we can do as individuals to be better prepared for incidents such as this.  Having pre-established meeting areas – including virtual meeting places via common people to call – is just one example.  There are others that I am sure you have already read about in other articles.  I am just going to go way outside my area of expertise and way outside the considerations of business continuity and suggest that one way we can help prepare ourselves for these types of tragedies is to remember to say our “I love you”s before we are impacted by these types of events.

I am about to board a plane to the Continuity Insights Management Conference in San Diego.  I am sure the Boston Marathon tragedy will be vastly discussed, formally and informally, by the many professionals that will be in attendance.  I am sure to hear a wide variety of opinionated causes and corrections – some, I will learn from; some, I will shake my head at.  What I am going to make sure I do, however, is to say my “I love you”s before getting on the plane.  That is one lesson we should never forget.

Out with the Old In with the New

Well, we are now several weeks into the new year and, as crisis management and business continuity professionals, we are happy to see 2012 in our rear view mirrors.  Maybe it is just the relative recentness of Hurricane Sandy, or the fact that she devastated such a wide and highly populated area in the United States, but 2012 seemed to have been a very busy year for business continuity planners.  And, this is not just in terms of responses to a number of disasters, but also in terms of preparing for high-risk events such as the London Olympics, the US Presidential Party Conventions and several Political Summits throughout the region.

I guess some of the reasons we were so busy are good reasons.  I am witnessing a much higher level of awareness for the potential of business interruptions occurring from mass gathering events.  I have been somewhat impressed with the levels of preparedness from both the public and private domain for events such as the Olympics and the Conventions.  It seems people are starting to realize the benefits of the private and public sectors working together in preparation for these events.  Coordinating work schedules and being aware of commuting challenges and potential mass gatherings, coupled with work from home solutions and proactive strategies for shifting work-flows and employees away from the congestion during the most active event times, seem to all have helped businesses and communities cope with the challenges of hosting such events.

And, I think, by planning for these kinds of scheduled interruptions, our programs have been strengthened and improved, allowing us to better respond to the unscheduled interruptions that seem to be happening at an alarmingly more frequent rate with a much wider footprint.

This article from Huffington Post does a pretty good job in summarizing the challenges we experienced in 2012 caused by disaster.  Even though there are a number of “disasters” associated with wildfires in the US this past year, there are enough other events that support my statement that 2012 was a busy year.

The one quote that stands out to me in the Huffington Post article is from the acting director of the U.S. National Weather Service, Laura Furgione, who states, “The normal has changed, I guess. The normal is extreme.”  Well, if extreme is our new normal, it is up to all of us to make sure that “prepared” is our new posture.

While I am glad to put 2012 behind us, I am also anxious to make sure that we, as planners, have grown and applied the lessons learned from these events in our 2013 and beyond plans.  Do not fall into the trap of believing what we learned from Hurricane Sandy only prepares us for the next Hurricane.  Focus on the impacts.  Some of the lessons learned from Sandy are applicable for any event that immobilizes a large portion of our workforce, or forces closure of a number of our key facilities, or results in widespread power outages, and on and on.

The German writer, artist, politician Johann Wolfgang von Goethe once said, “The greatest tragedy in all of life is to experience the pain but miss the lesson.”  I hope that the pain experienced in 2012 was not for nothing.

Now, bring on 2013.  I can’t wait to see what she has in store for us.

Business Continuity Planning in 140 Characters or Less

As I have mentioned in some recent blogs, I am now immersed in the world of Twitter.  The challenge of tweeting is trying to get a message across in 140 characters or less.  This is especially difficult when much of your audience does not know your jargon and you need to spell out many of the words to make a coherent point.

At first, I tried to find famous quotes from others about planning or disasters or emergencies and response.  I found a few, many of which I had posted earlier in this article on “planning”.  But, after a while, I had to challenge myself to come up with some business continuity, emergency response, crisis management, and disaster recovery related tweets of my own.

In this blog, I am simply going to share those tweets that I have come up with so far – and, if I must say so myself, I think a few of them are pretty good for 140 characters or less, but I will let you be the judge of that.  I tweet a lot about current events and other topics; this blog only includes general quotes about the field in which we practice.  I hope you find one or two you like.

And, if you do like them – re-tweet them.  And, please feel free to follow me on Twitter, @jpflach

Joe Flach Tweets from Past Weeks:

Planning ahead is important; practicing ahead is vital. A script w/out rehearsals doesn’t prepare you for opening night.

Knowing how to respond before the disaster strikes saves precious time in figuring out how to respond after it strikes.

Disasters happen. Recoveries have to be orchestrated.

I believe in the power of prayer – except when it comes to business continuity, then I believe in the power of planning.

How you respond to a crisis may adversely impact your company more than the crisis itself. Add Communications & PR teams to your plans.

The disaster that impacts your company may also impact employees’ homes – make sure continuity plans include alternate workforce options.

There r heroes who rush into burning buildings to save ppl and heroes who improve fire prevention and evacuation plans. The latter is easier

If you are not worried about the impacts of a disaster on your company, then who in your company is?

The fear of failing a business continuity test results in masking many a program’s weakness and promoting a false sense of security

It takes 1 to plan, many to be prepared. Train, educate and exercise your programs.

There is no one right way to prepare for a disaster – but, not preparing for one is clearly the wrong way!

There is a thin line between being unprepared for a disaster and being negligent. Don’t put it to the test: be prepared.

When the fire alarm sounds, people do not reach for the “Fire Alarm Response Manual”. Same should be true when you “Declare” a disaster.

If disasters strike when least expected, then make sure you always expect one.

Risk mitigation programs do allow for calculated risks. That is why most cars have only 1 spare tire instead of 4.

Business Continuity Planning is not about preventing any loss following disaster; it is about limiting losses to a defined, acceptable level

The only “failed” emergency response test is one in which you do not discover ways to improve your program

The best way to handle a disaster is to stop it from happening. Create Disaster Prevention and Risk Mitigation Plans.

“The good Lord willing and the creek don’t rise” is a fun colloquial saying and does not a good business continuity plan make.

Continuity Plans are like backup parachutes – hardly ever needed but you don’t want to operate without one.

Many people experiencing a crisis simply freeze because they have not been conditioned how to respond. Break the ice and conduct training.

Incidents become disasters for those who are not prepared.

The only thing worse than having no emergency response plan is thinking you have one when you don’t. Be honest: don’t promote false security


There are more, but I think that is enough for now.  Did you find one you like?

The World of Twitter

As mentioned in the previous article, thanks to the persuasion of my daughter, I have re-entered the world of Twitter.  I actually signed up for a Twitter account two years ago but never really embraced the application.  I maybe sent out one or two tweets, got one or two followers, but grew tired of it after a day or two and moved on.

But, for the last few months, as I have been actively trying to promote this blog page, the Safe Harbor Consulting website and our Facebook page, my daughter has been telling me that I have got to start tweeting to increase SHC’s visibility.  Torrie has been successfully using this tool to promote the company she works for and has been trying to convince me of its value.  So, finally, I gave in.

I have been actively tweeting now for just over one week.  My followers have grown a whopping 700% from 2 to 14 (if there was a sarcastic font, I would have used it there).  But, once I got over the shame of having no one jump at the chance to follow me, I finally realized the value to be gained from those I follow.

To me, this is a valuable tool for tracking and monitoring threats and unfolding events.  I have already added these accounts to my following list:  FEMA; NTSB; NFPA; NYC OEM; UNISDR; NHC; UN SPIDER; NOAA; USGS; American Red Cross; and others.  Now I realize you may not recognize all those acronyms, but they provide varying information on risks and threats around the world.

I also realize that I am in danger of reaching “information overload”, but, so far, I am finding that these sites do not over-tweet and, once I start managing and organizing my use of this tool, I am sure I will whittle it down to the most relevant accounts for me.

I also do realize the limitations and potential pitfalls in this tool and would not recommend it as the sole source for this type of information, but I am finding it a good source for informing me of breaking news events that I can get more information on elsewhere.

I am just wondering – does or should this tool have further use in a business continuity / emergency response / crisis management program?  Do any of you have this tool formally included in your program to either monitor or send out information regarding risks, threats or responses in your environments?

You can tweet me with your answers @jpflach ;-)

And, thanks Torrie – got any more advice for your old man?

Failure and Rescue

So, even though I opened a Twitter account about 2 years ago, this week I decided to start really using it.

I tweeted a thing or two to the 3 people following me.  It was fun, but a lot like talking to myself, which, I sometimes do.

Then, I started looking for people and organizations that I wanted to follow.  Some in sports, some in entertainment, a few friends I found, and even some in the field of business continuity and crisis management.  I also found Eric Greitens, whose book, “The Heart and the Fist”, I had recently just finished reading – a read I highly recommend to all.

Today, one of Eric’s tweets included a link to this article in The New Yorker – “Failure and Rescue”.  I think this article has a profound message for everyone in all walks of life, but I also think it has significant meaning to business continuity, disaster recovery and emergency response planners.

I recently posted a few blogs about the need to have plans that are flexible and provide the framework for decision makers to change the plan when needed – which, in my mind, will be always for any situation that occurs.  In this article, Atul Gawande presents this message much better than I ever could.  His concept of rescuing the plans is, in my mind, brilliant.

There is no need for me to try to recap the article for you; I would “fail” miserably in my attempt.  So, I simply suggest you read it for yourself.  I believe you will be glad you did.

And then, to thank me, you can “follow” me on Twitter @jpflach.  ;-)

The “Stand-Down” Employee – An Outside the Box Idea

Every business continuity program includes a number of employees who do not support time sensitive business functions.  These employees are not assigned seats in the alternate recovery site; are not expected to work from home; and, are not targets to relocate to other locations.  In general, these employees are asked to “stand-down” during the business interruption event until such time as an interim work location is established or the production facility is restored and ready for re-occupancy.

Many programs will note that these employees may be called upon to perform other emergency response and/or restoration activities to help the company respond to and recover from the event that caused the business interruption.  And some programs go as far as to include information in their employee databases regarding special skill-sets or other attributes (such as, whether or not they have four-wheel drive vehicles) to consider on how to possibly re-deploy these individuals to help in this regard.

I also like to caution management not to forget about these employees as they will soon be concerned about their status in the company; whether or not they still have a job; and, what their compensation status is while they “stand-down”.  History has shown that if management does not keep these individuals informed of their status and periodically communicate with them, they will start calling in and hunting you down to give them the answers and reassurances they are looking for.

Most HR plans fall short of defining an absolute policy with regards to how these employees will be addressed during an outage, other than to establish it as a task that they evaluate the situation, make a case-by-case determination as to how the situation will be handled and define the tools and means to communicate that to the employees.  All in all, I believe that this is a valid strategy and position to take.

I am working with one organization that is considering taking this to another level with a program that, I think, is very creative and resourceful.  This organization is considering establishing a position in their Crisis Management Program responsible for organizing a Community Response and Relief Team to provide whatever assistance and relief they can to others in the community that may have been impacted by the event that caused their business interruption.  This team would be comprised of “stand-down” employees who volunteer to be members of this program.  This type of program may be similar to and could possibly draw upon the practices employed by airlines’ CARE programs for responding to an aviation disaster and providing compassionate assistance to impacted families from the incident.

This idea is still just on the drawing board but it is an idea that I thought others might wish to consider and, perhaps, something others have already implemented.  If anyone is willing to share their ideas on this or can share examples of where it has been implemented, we would love to hear from you.

I, for one, would like to see this idea come to fruition at this organization and would love for it to catch on at others.  I will start exploring this option at other organizations I work with should the opportunity present itself.