Public – Private Coordination for Emergency Preparedness and Response Joseph Sarkis Center for Risk and Security Seminar Series

Public – Private Coordination for Emergency Preparedness and Response

Joseph Sarkis

Center for Risk and Security

Seminar Series

Center for Risk and Security - Clark University - Marsh Institute

Why? Why is joint planning important to the public sector?

Recognizes that media exposure of critical incidents has developed high public expectations on how emergency response efforts should be handled.

Assists in understanding private sector requirements and resources.

Helps obtain the commitment of the private sector to become a part of the overall community emergency response planning process.

Enhances communication with the private sector prior to an incident informing them of available community resources.

Heightens awareness that the private sector may not be able to control everything inside the fence line and may need to involve others outside the fence line during recovery.

Reduces liability and insurance costs through joint planning with the private sector

(SOURCE CIP, 2000: Critical Incident Protocol – Public/Private Partnership).

Why? Why is joint planning important to the private sector?

Provides the private sector with community contacts and develops an understanding of the support available from the public sector.

Educates the public sector on why the bottom line is important to the private entity and how it affects the community.

Creates an understanding of why rapid business resumption is important and what basic community infrastructure may be needed to support business resumption following a disaster.

Develops an accurate understanding of public sector resources and private sector responsibilities until public support is available.

Develops recognition of how the loss of one business may affect and impact other businesses in the community.

Promotes involvement in the public sector’s establishment of priorities.

Develops understanding that during a critical incident, no company is an island unto itself. Total cooperative efforts are needed and there can be no secrets.

(SOURCE CIP, 2000: Critical Incident Protocol – Public/Private Partnership).

The Need

“There has never been a formal or systematic way for government and the private sector to interact day-to-day or even during a crisis. This issue came into focus during preparations for Y2K when there was a lot of interaction between business and government.” – Richard Andrews (member of HS Task Force).

Integrated Concerns (source: Milliman et al. 2004, EQM)

Federal Information Sharing

Federal government's Information Sharing and Analysis Centers on the Web. From the Homeland Security site (to help develop ways to better protect our critical infrastructures, to help minimize vulnerabilities, and to allow critical sectors to share information and work together to help better protect the economy):

Agriculture: None at this time

Food: Food Industry ISAC

Water: Water ISAC

Public Health: (An ISAC is in development.)

Emergency Services: Emergency Fire Services ISAC; Emergency Law Enforcement ISAC

Government: State Government

Defense Industrial Base: None at this time

Information and Telecommunications: Information Technology ISAC, Telecommunications ISAC, Research and Education Network ISAC

Energy: Electric Power ISAC (NERC); Energy ISAC (Oil & gas)

Transportation: Surface Transportation ISAC (Rail & non-rail surface transportation)

Banking and Finance: Financial Services ISAC

Chemical Industry and Hazardous Materials: Chemical Industry ISAC

Postal and Shipping: None at this time

Real Estate: Real Estate ISAC

Federal Regs.

Federal Requirements

OSHA gives facilities an option between providing an Emergency Action Plan, if they won't respond to spills, and an emergency response plan, if they will respond to emergencies. Since many larger organizations have their own Hazardous Material (HazMat) teams and fire brigades, they fall under the requirements of an Emergency Response Plan.

OSHA Emergency Action Plan

An emergency action plan (EAP) is a written document required by particular OSHA standards. The purpose of an EAP is to facilitate and organize employer and employee actions during workplace emergencies. The elements of the plan must include, but are not limited to:

Evacuation procedures and emergency escape route assignments.

Procedures to be followed by employees who remain to operate critical plant operations before they evacuate.

Procedures to account for all employees after an emergency evacuation has been completed.

Rescue and medical duties for those employees who are to perform them.

Means of reporting fires and other emergencies.

Names or job titles of persons who can be contacted for further information or explanation of duties under the plan.

(Let’s take a look at site…

http://www.osha.gov/SLTC/emergencypreparedness/general.html

Local Level Example

Boston’s EMA developed a plan to start communicating with private Corps.

http://www.boston-consortium.org/events/emt_docs/BEMA-CEAS_10-3-03.ppt

Private Practice

Lots of titles – Numerous Jurisdictions

Business Continuity Management

Contingency Planning

Disaster Recovery Planning

Emergency Response

Safety Planning

Security Planning

Occupational Hazards Management

Corporate Risk Management

Environmental Health and Safety Programs

Private Practices

Deloitte & Touche survey: 50 percent of respondents have implemented corporate-wide business continuity and disaster recovery plans (up 20 percent from five years ago).

Barriers:

Most organizations lack a senior level business continuity management champion that can influence both the company’s culture and financial resources.

Business units are reluctant to spend the time and money to implement “optional” programs.

Creating an enterprise-wide BCM program can seem overwhelming to many organizations that are already resource-constrained.

Corporate executives may operate under the belief that “it will never happen to our organization.”

More Private Practice Issues

A common trend in organizations is that the environmental and safety departments view their response plans as mutually exclusive documents and silos.

Requirements of OSHA and EPA response plans are interrelated and overlap in several areas.

Departments need to be aware of their respective inspection, maintenance, and response duties.

Integrated Contingency Planning is the way to go.

Private Security Measures

Organizational Security programs (Thatcher, 2002):

screening and background checks for personnel;

training security professionals and in-house staff;

preventing unauthorized entry and controlling access;

actively and effectively safeguarding and protecting sensitive materials;

periodically inspecting security controls and audits;

establishing levels of accountability, enforcement and authorization;

controlling chemical disposal efforts;

developing access restrictions and controlling movement within the facility;

continuously evaluating and monitoring personnel in sensitive areas;

developing education programs in information security; and

applying security techniques, devices, procedures and policies.

Security Management Systems (Thatcher, 2002)

Risk assessment and prevention strategies

Security policies

Collaboration with other corporate departments and with local law enforcement agencies, local emergency planning committees, etc.

Incident reporting systems

Employee training and security awareness

Incident investigations

Emergency response and crisis management

Periodic reassessment of the security plan for physical security, including access control, perimeter protection, intrusion detection, security officers, ongoing testing and maintenance and backup systems

Employee security measures (including prudent hiring and termination practices)

Workplace violence prevention and response

Information, computer and network security.

Private Practices

Morgan Stanley Planning Process:

1. Business Impact Analysis--assesses risk and the need for business continuity planning.

2. Business Unit Specific Plans--business continuity planning is owned by the business units, while developed in conjunction with the core team. These plans are developed using enterprisewide planning software.

3. Awareness and Training--Web sites and mandatory Web casts educate all employees about the program.

4. Crisis Management--the internally managed process for managing incidents including: contacts and procedures in paper documents and Web format; 24-7 crisis management conference lines; rapid notification systems; and employee and client hot lines with situation updates and information.

5. Data and Application Recovery--strategies to recover critical data and applications.

6. Work Area Recovery--alternate workspace strategies for recovery-essential staff. (Other employees work remotely.)

7. Testing--failover strategies and crisis management processes should be tested at least once per year. The testing process also includes fire and evacuation drills.

Private Practices

Lessons Learned at Morgan Stanley for business contingency plan:

expanding capabilities for working at home;

advanced planning with employee counselors;

striving to get people back to work earlier;

enhanced communications plans between employees, the press and senior management;

strategies for temporary housing, transportation, communication (such as rumor control) and other services such as grief counseling.

Other items: awareness, training, diversification of operations.

Private Practice

Many other examples exist from large retailers to chemical manufacturers to hospitality providers.

Private Practice - BCMM

Business Continuity Maturity Matrix (UK) – Levels of Maturity

Level 1 - Self-Governed - Business continuity management has not yet been recognized as strategically important by senior management.

Level 2 - Supported Self-Governed - At least one business unit or corporate function has recognized the strategic importance of business continuity and has begun efforts to increase executive and enterprise-wide awareness.

Level 3 - Centrally-Governed - Participating business units and departments have instituted a rudimentary governance program, mandating at least limited compliance to standardized BCM policy, practices and processes to which they have commonly agreed.

Level 4 - Enterprise Awakening - All critical business functions have been identified and continuity plans for their protection have been developed across the enterprise.

Level 5 - Planned Growth - Business continuity plans and tests incorporate multi-departmental considerations of critical enterprise business processes.

Level 6 - Synergistic - All business units have a measurably high degree of business continuity planning competency. Complex business protection strategies are formulated and tested successfully.

Private Practice - BCMM Competencies, Performance Measures.

Leadership - The commitment and understanding demonstrated by executive management regarding the implementation of a scaled, enterprise-wide business continuity program. As well, the degree to which the "business case" for implementing sustainable business continuity has been articulated to and understood by executive management.

BC Awareness - The breadth and depth of business continuity conceptual awareness throughout all staff levels of the organization including consideration for the quality and sustainability of the BC training and awareness program.

BC Program Structure - The scale and appropriateness of the business continuity program implemented across the enterprise. The degree to which the BCM Program matches the articulated "business case".

Program Pervasiveness - The level of business continuity coordination between departments, functions and business units. The degree to which business continuity considerations have been incorporated in other business initiatives/programs.

Metrics - The development and monitoring of BCM Program performance. The establishment and tracking of a business continuity competency baseline.

Resource Commitment - The application of sufficient, properly trained and supported personnel, financial and other resources to ensure the sustainability of the BCM Program.

External Coordination - Coordination of business continuity issues and requirements with the external community, including customers, vendors, government, unions, banks, etc. Ensuring that critical supply chain partners have adequate BCM Programs of their own in place.

Emergency Response Brokers - Third Party Service Providers

Send Word Now is a leading emergency and routine notification service provider designed to extend public and private sector emergency preparedness, business continuity and contingency planning capabilities.

Allows an account holder to send a message to reach multiple people and their familiar communication devices (i.e. cell, work and home phone numbers, email, pager, and other text messaging devices) at the same time.

Third Party Service Providers

USFA's (U.S. Fire Administration) Emergency Management and Response-Information Sharing and Analysis Center (EMR-ISAC).

The EMR-ISAC serves both public and private emergency managers and responders at no cost by facilitating the two-way exchange of information in order to analyze and disseminate current intelligence on threats, attacks, vulnerabilities, anomalies, and security best practices.

Third Parties

National Center for Crisis and Continuity

Summary of Players

Government – Public – Communities

Private Organizations

Third-Party Service Providers

Practical Concerns (from CIP, 2000)

Type of resources (personnel, equipment, or other support) to be furnished

Contacts and procedures for requesting resources

Financial or reimbursement arrangements

Use of equipment: How will it be delivered? How will it be returned? Will personnel be furnished?

Payment for lost or damaged resources

Labor and legal considerations or restraints

Confidentiality issues

(source CIP 2000)

Emerging Issues