Most organizations do a good job when it comes to developing plans to protect their staff in the event of an emergency. However, there are several other key tasks that often go overlooked.
In today’s post we’ll look at the six tasks that every organization should address in the plans it draws up to be in readiness for when an emergency strikes.
There is a right and wrong time for an organization to figure out how it’s going to respond to various types of emergencies. The wrong time is in the seconds after the fire alarm goes off, or trouble announces itself in some other way.
Responsible organizations plan ahead of time for emergencies, considering the different types of problems likely to occur and developing ways of dealing with them. They think about categories of an event (rather than specific problems), and they produce their plans in simple checklist form, excluding policy statements (or consigning such statements to the back). This is so their plans consist of simple steps that can be readily understood, taken, and checked off in the heat of an emergency. They also stage frequent drills, so their staffs are familiar with where the plans are and know their role in carrying them out.
Furthermore, every plan should address six basic emergency tasks. They are:
Task No. 1: Protect Onsite Personnel
The first and foremost task of any emergency response is to protect the people who are on the premises. For this reason, your response plan should include (in the recommended checklist form) steps about dealing with immediate human needs in terms of medical, evacuation, triage, evaluation, and search and rescue. Your larger plan should include response sub-plans that address the following different categories of safety event:
- Evacuation. When all personnel must leave the building.
- Health and medical. Personal medical issues such as someone having a seizure.
- Active shooter. When one or more armed individuals are on the premises intentionally inflicting harm.
- Individual or group safety. Threats to personnel arising from bullying, assault, or other aggressive behaviors. These might arise from personal grudges or be initiated by disgruntled or terminated employees. Also, domestic violence that intrudes into the workplace.
It’s also important, from the viewpoint of protecting personnel, to have plans about communicating to first responders about issues affecting staff.
In addition, different organizations might require advanced medical, rescue, or other skills based on their business or requirements.
Task No. 2: Contain the Incident
The next most important task, after protecting personnel, is to prevent expansion of the impact of the event. Therefore plans should be developed toward that end. Efforts to contain the incident should address the following areas:
- Safety and facility. These plans might include steps on gracefully shutting down equipment and processes, or protecting assets.
- Cyber event. The plans for this area might include trip lines for shutting down access to applications, internet, servers, and so on. These are typically formulated as, “If X happens, do Y.” An example of X might be, discovering an unrecognized thumb drive in a computer. An appropriate Y for that situation might be, sealing the exits and prohibiting anyone from leaving the building until the matter is investigated.
- Noncyber IT. Refers to application outages, such as the ERP or payment processing being down.
- Brand impact. Have plans for dealing with matters that might harm the organization’s brand and reputation. These should address the following areas:
- Ethical. An executive of the firm is accused of illegal business practices.
- Customer safety. The organization was involved in a service-related incident that lead to a customer being harmed.
- Product safety. A product the organization makes was tied to a customer suffering an injury.
- Personnel (management and non-management). Employees are accused of non-work-related illegal conduct.
Task No. 3: Implement Command and Control
After making sure that people safe and containing the impact of the event, the organization can convene its emergency response and crisis management teams. This typically takes place between 30 minutes after the event and the close of the following day.
Your emergency response team (ERT) should have defined roles and responsibilities for team members. Each person should clearly know the bounds of their authority and to whom they should turn to help for escalation of issues.
ERT members should receive training on all aspects of the job they’ll be expected to perform in an emergency. Training is critical to ensure team members’ safety and effectiveness in an emergency. For example, if team members are expected to fight small fires by using fire extinguishers, they should be trained on how to use a fire extinguisher and on how to fight fires. This includes safety procedures as well as methods for fighting different types of fires.
The type of training required depends largely on your company, the nature of its business, and the geographical location. It is important to identify the types of emergency response team training that would be helpful for your staff. Use them to develop training plans to ensure training occurs periodically. And remember, skills should be tested, rehearsed, and refreshed from time to time.
Emergency response training may include:
- Relocation and evacuation safety and techniques
- Firefighting equipment, safety, and techniques
- Search and rescue safety and techniques
- Hazardous material handling
- Chemical spills or leaks
- CPR, first aid, and emergency medical skills
- Water safety and rescue
- Cold weather survival
- Emergency shut off/shutdown procedures
- Damage assessment and control
Read more about emergency response teams, and what characteristics your crisis management team should have in our post on Crisis Management Team Characteristics.
Task No. 4: Create an Emergency Operations Center
An emergency operations center (EOC) is a physical place where all communications of the recovery effort are focused. It is sometimes called the “war room.”
The EOC is the place where all interested parties can report on the status of a recovery. It provides communication to stakeholders such as executives, the general public, suppliers, and customers that are most likely external to the recovery process.
It also provides administrative support to the recovery effort, such as public relations, safety, purchasing, and site security. Because there is not usually time or availability to announce where the Emergency Operations Center will be after disaster strikes, it is crucial for it to be “a known place” ahead of time. It should be a logical place where people would turn for information and/or assistance. A few options include the facilities security office, if available, or the data center’s help desk.
The Emergency Operations Center has three essential functions:
- Command and Control. This is where you will find the person in charge of the containment and recovery efforts. They will set objectives and priorities and have overall responsibility at the incident.
- Operational Control. An hour-by-hour control should be exercised from here by various functional areas including security, HR, purchasing, communications, logistics, etc.
- Recovery Planning. Will begin at the EOC but quickly transfer to its own office. This is separate from emergency containment.
Task No. 5: Assess the Impact
Once the initial response is complete and immediate safety is addressed, assess the impact of the event across the following areas:
1. People. Assess the condition of the organization’s onsite personnel.
- Identify further actions needed for personnel safety (think about evacuation during winter in the Midwest and if it will be longer than a few minutes, where will people congregate, especially if there was not time to take heavy coats).
- Identify communication needs for personnel and emergency contacts.
- Identify potential personnel privacy issues that need to be addressed.
- Identify which skillsets remain available. The event might have sidelined individuals who are unique in possessing critical skills.
2. Facility. Determine physical facility state. This may require outside resources. May be delayed until first responders complete their activities and determine that it is safe.
3. Technical. Includes IT and also non-IT-related equipment and machinery.
4. Communication. Assess your capability to communicate internally and externally. Identify what information you are required to communicate to insurance, regulatory, or law enforcement entities.
5. Functional impact. Based on the facility, equipment, technology, communication, and people impacts, identify the current state of business functions. Determine any communication, internal or external, needed.
Task No. 6: Keep People Informed
Information about the event and its impact should be disseminated in a thoughtful, intentional, and controlled manner. It should also be done promptly and proactively, in most cases.
How will information be provided to staff? Will policies on the sharing of company information on social media be reiterated?
Consider how information about the event should be shared with the media, your customers, third parties, and regulatory agencies.
Someone should monitor news media and social media to see what messages are going out about the event.
The End is the Beginning
So those are the six tasks every emergency plan should consider.
However, as I mentioned in the beginning, creating a good emergency response plan is not the end of the process. It is the beginning. The next thing to do is drill the staff in the use of the emergency plan so they know of its existence and where it can be found, and are familiar with their own roles and responsibilities.
Emergencies can strike for reasons outside our control. One thing that is in our control is making sure we are prepared to deal with them.
By creating plans that address the six areas described above, and training your staff or colleagues in their use, you can do as much as is humanly possible to protect your colleagues and company against the unexpected.
For more information on this and other hot topics in business continuity and IT/disaster recovery, check out these recent posts from MHA Consulting and BCMMETRICS: