Prepare for the Next Wave of BC Planning
- Published on January 3, 2008
- Written by REINHARD KOCH & CRAIG MARKS, CEM, CERP
After the terrorist attacks of Sept. 11, 2001, the Department of Homeland Security (DHS) looked around for a standardized method of dealing with “incidents” and settled on ICS. Since 2004, ICS is the official DHS methodology for dealing with any type of incident, whether that is a terrorist attack, chemical spill, fire, tornado, hurricane, flooding, or any other type of event. The DHS has a goal of having every fire and police department, and every county and state emergency response office, to be trained in ICS. By now, every public emergency will be managed using ICS. To make that a reality, DHS has decreed that every first responder in the nation must be trained on ICS by Sept. 30, 2006, or their departments will lose federal grant funding.
While it is important to realize there are many different management
systems, and many may lead to the same result, ICS is the system of
choice in the first responder community and should your facility be
involved in an emergency or disaster, ICS is what will be used to respond
to and overcome your adversity. To find out more, go to www.fema.gov/nims/.
FEMA would like some private entities to become familiar with NIMS and ICS. The NIMS FAQ section states:
Question: Do private industrial emergency response teams – those involved in off-site incident response – need to take IS-700? (ICS training course)
Answer: Private industrial emergency response teams most likely (will) be working with local emergency response agencies when it comes to large emergency incidents. By the end of FY06 (September 2006), federal/state/local/tribal/private sector and non-governmental first responders and disaster workers at the entry level must take FEMA’s “IS-700 NIMS, An Introduction” and “ICS-100, Introduction to ICS” or its equivalent.
If the handwriting is not on the wall, it is certainly on your browser screen. Business continuity planners need to become knowledgeable and involved in NIMS. Most “corporate disasters” are public events. A strictly technical disaster such as a virus attack or a network outage can be simply an internal problem for one corporation. But, in many cases, the corporate disaster is in the form of regional destruction from weather. Even a fire that only affects one corporate building is still a public event because police and fire departments will not only be at the scene, they will take command of the scene. The question to you is, do you want to integrate or abdicate?
How ICS Works
This is only the briefest outline of ICS. The purpose is just to give you enough information that you can investigate the system on your own. There is a wealth of information available on the Web. Just type “incident command system” into your search engine. Keep in mind that ICS does not occur in a vacuum. Your ICS team will interact with fire, law enforcement, EMS, emergency management, and others. Relationships are a key to success, and having those relationships prior to disaster is essential.
At the highest level there are a leader and three staff positions:
- An incident commander, who leads the response to the incident. This is not an executive-level person – this is an operational professional.
- A liaison officer for dealing with any outside agencies.
- A public information officer for controlling information to the public.
- A safety and security officer.
Reporting to the incident commander are four groups. Below this level of four groups there is room for customization, but every incident command system has these four groups. They are:
- Finance – responsible for controlling costs, reporting on costs, procurement, and so on.
- Logistics – transportation, water, sanitation, facilities, resources, etc.
- Operations – tactical execution of the plan. This group can be customized to meet the structure of your organization. The bulk of corporate business continuity functions would fit into operations.
- Planning – situation status, incident action plan.
Remember, if you don’t want your disaster response
to be a flop, use FLOP (finance, logistics, operations, planning).
The Incident Action Plan (IAP) is a key component of ICS. The IAP is a very short-range plan for dealing with events in the following 4-24 hours. This is a formal process, and forms for creating and reporting on IAPs are available. The plan lays out the goals and strategies for the next “operational period.” It is a plan of action to logically continue progress towards resolving the incident. Along with the incident action plan, another key component of the system are job action sheets. These are short (about one page), prioritized, and preplanned activities or tasks for every function on the team. The sheet shows to whom you report and some generic, essential, and critical tasks during the first hours of an incident for that particular team member.
There is a variant of ICS becoming accepted by hospital emergency planners called HEICS (Hospital Emergency Incident Command System). By comparing how hospitals have modified the system from the basic ICS standard to meet their unique needs, you can learn how to modify ICS to meet a particular vertical industry, such as banking or manufacturing. HEICS has incorporated the particular or structure of hospitals, such as “medical care director” and “laboratory unit leader” without losing the overall finance-logistics-operations-planning structure of ICS. There is a move to develop a similar standardized (but customizable) variant for the private sector.
The Emergency Management Accreditation Commission, an independent commission, having alliances with both the International Association of Emergency Managers (IAEM) and the National Emergency Managers Association (NEMA), uses “NFPA-1600 – Standard on Disaster/Emergency Management and Business Continuity Programs” (2004) as the guideline for accreditation of state and local government emergency management agencies. The commission’s vision is to also offer accreditation to the private sector within the next several years. While the guideline calls for the use of an “incident management system” (Chapter 5), that system for the public sector is ICS.
The Benefits of ICS
Here are some of the reasons that you should implement ICS in your organization:
n Widely used – NIMS and ICS are mandated for use by every federal, state, and local emergency response agency, including public health, public works, and non-first responding but important agencies. It is widely used within hospital systems and is now mandated by the Joint Commission on Accreditation of Healthcare Organziations (JCAHO). It is becoming a standard within private industry, as railroads, shipping companies, and major corporations adopt the standard.
- Flexible organizational structure – The system has a basic structure that is identical in all implementations. But the individual units of the structure can be customized to meet your needs.
- Minimally disruptive – The organizational units and job descriptions will be parallel to or match existing job functions in your organization. There is no need for a unique structure for the sole purpose of managing an incident.
- Scalable – Depending on the scope of the incident, only a few positions, or the entire structure, can be mobilized to deal with the incident. As an incident escalates, more positions can be mobilized to meet the challenge. If multiple organizations are involved (such as tenants in a skyscraper or an office park, they can cooperate in their response). Scalability works all the way up to a regional or national emergency.
- Easy transfer of resources – When multiple organizations are involved in an incident and all of them are using ICS, it is easy to cooperate, it is more efficient, and it is easy for people to move from one organization to another for maximum effectiveness.
- Prioritized tasks for each emergency response function – Every position on the ICS organizational chart has a predefined and prioritized job action sheet that aid in executing functions.
- Thorough documentation – The system includes forms for documenting all actions, which may help with cost control and cost recovery, while decreasing liability.
- Long-range benefits – As more and more organizations implement ICS, new employees will come on board already knowing the system. The benefits to private industry will accumulate continuously over time.
- The system is in the public domain – The federal standard can be borrowed, modified, and implemented without paying any fees.
Traditional Corporate Responses to Incidents
The history of business continuity in the corporate setting is of developing methodologies for dealing with isolated and severe incidents. This began with hot site disaster recovery plans for mainframes. Slowly, a layer of business department recovery evolved on top of the technology recovery plans. A third, but rarer layer of planning, is crisis response. Crisis response attempts to deal with any severe event, such as the death of an employee, product tampering, and so on. One problem common to all these traditional planning methodologies is that they view disasters as rare and severe events. A “minor” problem does not cause activation of the response teams. If the minor problem mushrooms into a major disaster, precious hours are wasted because no one, or not the right people, are dealing with the event.
As anyone who has paid attention to business continuity can attest, business disruptions are common and frequent events. Viewing them as outside the scope of normal business is a major flaw in thinking. Simply put, every organization needs to have a formal business process for dealing with “incidents” so as to minimize their impact on normal operations.
If you need such a system, then why not use the one being used by every
federal, state, and local emergency response workers? If you already
have a crisis response team, then the benefits of modifying it to meet
NIMS standards are obvious.
Remember the early 1980s? There were dozens of word processing systems available, such as mainframe SCRIPT, mini-computer systems like Wang, WordStar, Microsoft Word, and even typewriters. Today, it is presumed you are capable of using Microsoft Word. The same consolidation around one standard may soon impact business continuity planning.
Business Continuity Using the ICS Model
The key to your success is executive support. ICS spans your entire organization. A steering committee or governance committee made up of the top executives of your organization needs to support NIMS and ICS. When the incident commander gives a command across departmental boundaries, it requires rapid response, not hesitancy or outright refusal to cooperate.
To implement ICS you will need to reorganize your recovery planning groups to fall into one of the four main ICS organizational groups. This is important so that if you need to coordinate with any outside agency you are in a parallel structure to them. You will need to implement the procedures for managing incidents.
You will need training from an expert to make it work. There will be resistance on your organization’s part during an incident if they have not been trained on the process. Lack of experience can cause the incident response to collapse. The ICS model can be incorporated into a myriad of non-disaster/emergency situations. For any situation requiring control, oversight, and response to uncertainty, it fits. That includes the company summer picnic or your family Thanksgiving feast.
Why should your organization implement the NIMS and the ICS in particular? Primarily, it is an accepted and proven methodology for dealing with incidents of any type. It has become a standard across all public agencies. The hospital industry has accepted ICS, and your industry should, too.
If an incident involves coordination with a public agency such as FEMA or your local fire department, you will be more likely to be accepted if you speak the same language. Your organization’s incident response can work smoothly with the public agencies supporting you.
NIMS and the ICS are in the public domain. There is a wealth of resources
available on the Web. You can modify your own business continuity plan
or crisis response plan to match ICS without paying any licensing or
When disaster strikes do you really want to step aside (or be pushed aside) as first responders unfamiliar with your building, your processes, and your needs move in to take control?
Contrast that with the vision of your corporate incident commander meeting with the battalion chief or FBI agent in charge of the response and working alongside these public sector responders with your incident management team, extending relationships made long ago in times of tranquility, and now paying dividends in time of crisis.
It is your choice. You can integrate as part of the team or you can
abdicate and hope for the best. “Hope,” we’ve found,
is not an effective operational strategy.
Reinhard Koch is a business communications consultant with Avaya, Inc. He has been a business continuity planner for 20 years, serving a wide variety of clients in all industries. He has assisted clients through several major disasters. He can be reached at firstname.lastname@example.org.
Craig Marks is president of Blue Horizons Consulting, helping local governments and the private sector become better prepared through training, exercises, and planning. Marks is a retired Green Beret having responded to crisis, both military and natural, around the world. He can be reached at Craig@BlueHorizonsLLC.com.