During the past 20 years emergency management and business continuity programs have evolved from focusing simply on how to respond to an emergency to realizing that the best way to respond has to include prevention, preparedness, response, and recovery. Over time these elements have taken on many forms and emphases depending on the type of emergency that the organization has experienced, can reasonably expect to experience, or is currently experiencing under national news media attention.
Historically, guidance has been provided through the Federal Emergency Management Agency, insurance companies, professional organizations, and others. Recently the National Fire Protection Association (NFPA) issued a revision to the NFPA 1600 guidance document to include more emphasis on business continuity. We have referred to all of these documents over the years and try to combine the best of their guidance along with our own extensive experience. However, the critical element in any emergency management program is the organization itself. What are its goals, resources, commitments, and time constraints? We believe that every organization needs to have an active comprehensive emergency/risk management program that consists of four phases: prevention, preparedness, response, and recovery. Only through a program that addresses the four phases with written documentation, training, drills and exercises, facilities, equipment, community interfaces, intracompany coordination, and periodic reviews can the organization ensure successful response to and recovery from any emergency.
Publicly traded corporations must meet numerous federal regulations; among them are the risk management elements within Sarbanes-Oxley (SOX). The Securities and Exchange Commission is expected to accelerate the growth and practice of enterprise risk management over the next few years, meaning that these corporations will have to be actively addressing operational risk, reputation risk, financial risk, physical risk, and security risk. Additionally, they will need to be reporting this information to their board of directors on at least an annual basis.
Terminology seems to change depending on which word is being used by a news outlet or the current “expert,” so the terms disaster, incident, event, crisis, emergency, and others are used interchangeably, frequently resulting in confusion and misunderstanding. For the purposes of our work we use the following definition of “emergency,” which comes from the Federal Emergency Management Agency’s “Emergency Management Guide for Business and Industry” (written by one of our staff):
“An emergency is any unplanned event that can cause deaths or significant injuries to employees, customers or the public; or that can shut down your business, disrupt critical operations, cause physical or environmental damage, or threaten the facility’s financial standing or public image.”
This definition permits Prudential Associates’ clients to plan for, respond to, and recover from a wide variety of potential emergencies, and it recognizes the importance of the corporate brand to the continued success of the company.
Every organization needs to create and maintain an emergency management program that is based on how it normally operates, is easily understood, is incorporated throughout the entire company, interfaces with community emergency response organizations, is practiced, and is maintained and updated. While there are many elements that go into creating an effective emergency management program, the overriding principle must be relative simplicity. In the midst of an emergency response, individuals don't need, and won't use, thick documents; they won't react in ways they haven't been trained for; and they won't recognize how their actions and decisions affect recovery efforts if they aren't aware of their responsibilities.
The challenge companies face is how to create, deploy, and maintain a consistent, effective risk management program that includes emergency management and business continuity throughout all of its facilities. Each facility may have its own unique set of vulnerabilities, capabilities, and responsibilities, and to be comprehensive each risk management program must combine those unique characteristics with best practices for security, emergency management, and business continuity.
The best analogy is to view the U.S. Constitution as the overall corporate risk management program and each of the individual locations (states) as developing their own unique plan while meeting the criteria and requirements of the constitution. If we use this approach, clients will be able to meet the goals of:
- Creating an effective risk management program throughout the organization.
- Providing consistency in application and requirement for each facility.
- Providing continuity, ensuring that the risk management program is implemented in every location.
- Providing a comprehensive approach so that all of the essential elements of a risk management program are included in every facility’s risk management plan.
- Minimizing redundancy where appropriate and simplifying as much as possible to improve potential for successful implementation.
Observation and Precaution
Having a written document, a plan, is not a guarantee that an organization can effectively respond to and recover from an emergency. Our observation is that there are many plans within most large companies, but the lack of training, exercising, and knowledge of the content of these plans leaves the company in a very vulnerable position.
Many of our new clients have implemented, or have attempted to implement, numerous risk mitigation-related solutions, plans, and protocols. Some have definitely produced usable and meaningful plan material that should be built upon. Usually there is no need to reinvent the wheel to move the company forward, but the first order of business is an objective and honest assessment of the current state of the program.
Risk Management Program Needs Assessment
When Prudential Associates performs a risk management program needs assessment for a new client company, we use the following basic questions as guidelines for inquiry and evaluation:
- Is there a coherent, properly organized risk/emergency management program in place that is consistent with standards and best practices and contains all of the correct policy and plan elements?
- Is the program fully implemented and functioning effectively, so that the company operates at a tangibly reduced level of risk?
- Is an effective training, retraining, and testing schedule in place and being delivered to all necessary participants?
The assessment generally results in the identification of both strengths and weaknesses. Company-wide there are usually numerous plans and documents relating to risk/emergency management and business continuity contingency procedures. These plans may contain valuable material on which program improvements can be built. However, there are often significant deficiencies: inconsistency between plans, no acknowledged leadership (the absence of an organization with the authority to set and enforce policy), ambiguity in corporate policy, lack of awareness of plans and policies among staff, inadequate or absent training, and redundant plans.
The observations and recommendations made by Prudential Associates during an assessment are intended to assist the client company in markedly improving its risk management program.