Emergency planning and response are needed capabilities within organizations to safeguard profitability. Organizations are faced with increased costs for responding to and recovering from natural, technological and human-caused events. Approximately 30 percent of businesses do not reopen their doors after a natural disaster. As of May 18, 2018, 100 mass shootings have occurred in the U.S. — nearly one per day — and cyber incidents are up 27.4 percent in 2017 from 2016; both of these are events that could cripple an organization’s productivity and endanger its staff.
In order to mitigate these risks, organizations should pay close attention to both strategic and tactical emergency planning. Those who build the capability to handle specific risks will increase overall resiliency to incidents.
Threat Hazard Identification Risk Assessment
A Threat Hazard Identification Risk Assessment (THIRA) should be conducted to understand all risk — natural, technological or human-caused — that may affect an organization. A guide from the Department of Homeland Security (DHS) and Federal Emergency Management Agency (FEMA) provides a framework for this assessment. It includes a four-step process described in more detail below.
Identify Threats and Hazards
Natural incidents include weather-related events, pandemics or other similar events; technological hazards involve accidents or failure of systems and structures; human-caused events are the result of deliberate actions by an adversary. Analyzing historical records such as weather patterns and crime statistics, or information from intelligence sources can add value to threat identification. Special attention should be given to an incident’s likelihood, as well as its potential impact.
Give Threats and Hazards Context
Adding context to the threat allows organizations to comprehend the challenges they may encounter during an incident. For example, if assessors identified active shooter incidents as threats to the organization, a trend analysis may indicate this event would likely take place on a weekday morning. This detail could affect the number of victims; more workers would be in the area at this time and more vehicular traffic, both at and around the site, would increase response time from local authorities. Other details to consider in any scenario that may add context include time, climate, adverse conditions (wind direction), demographics, community infrastructure and the built environment where the incident could take place. An example of a context description is as follows, “Flash flooding is expected to impact the Texas Gulf Coast with a flood warning in Harris and Montgomery counties for a duration of 36 hours.”
Establish Capability Targets
There are 32 capabilities listed in the National Preparedness Goal, a document that assists communities in understanding what it means to be prepared. Once threats and hazards have been identified and given context, preparedness activities should be mapped to each core capability to understand internal capability and any gaps. If capability gaps are discovered, either internal capability can be developed or external resources will be needed. In the private sector, external resources could be obtained through developing relationships with the public sector or through third-party contracts. A common example of this can be seen in the electric industry during storm response, when mutual aid is organized and shared from utility to utility.
Apply the Results
The final step is to link all information together and conduct planning activities to reach all capability targets that are not supported by existing internal capability. This is done by a Planning Organizing Equipping Training Exercising (POETE) analysis. This analysis looks at capability targets and catalogs how gaps will be overcome. For example, if the capability target was to provide notification to all employees within 30 minutes of an incident, then a method to notify would be needed if this was not already in place. To remedy this gap, solutions would be listed in each POETE category. Over the course of this analysis, changes to the plan and training may be listed, and an exercise target may be listed to test the method and success of the new notification system.
THIRA’s four-step process makes it easier to conceptualize the impact of risk, as well as identify specific threats and hazards specific to an organization. This allows an organization to focus on building capability that will mitigate its unique concerns. Additionally, when considering likelihood and impact of each threat, a risk-based approach — instead of an ad-hoc process — will motivate action.
Identification of the most likely and impactful threats and hazards, and realization of internal capability, allow organizations to update emergency management plans using a best practice (for more information on this process, see DHS and FEMA’s full Comprehensive Preparedness Guide on developing a THIRA). Identified threats and hazards should also be used to select training topics in tests and exercises that will further build capability and reduce known gaps.
Given the many modern-day risks facing organizations, consider applying this to yours. You’ll protect your people and your operational continuity – as well as your profit.