A New NFPA Standard for Active Shooter/Hostile Event Response

The National Fire Protection Association (NFPA) has recently published a new standard for Active Shooter/Hostile Event Response (ASHER) programs.  NFPA 3000 is consistent with other standards we’ve seen published by the organization.  They don’t dictate means or methods, leaving those as local decisions and open for changes as we learn and evolve from incidents and exercises.  What they do provide, however, is a valuable roadmap to help ensure that communities address specific considerations within their programs.  It’s important to recognize that, similar to NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity/Continuity of Operations Programs, you aren’t getting a pre-made plan, rather you are getting guidance on developing a comprehensive program.  With that, NFPA 3000 provides information on conducting a community risk assessment, developing a plan, coordinating with the whole community, managing resources and the incident, preparing facilities, training, and competencies for first responders.

NFPA standards are developed by outstanding technical committees with representation from a variety of disciplines and agencies across the nation.  In the development of their standards, they try to consider all perspectives as they create a foundation of best practices.  While the NFPA’s original focus was fire protection, they have evolved into a great resource for all of public safety.

I urge everyone to take a look at this new standard and examine how you can integrate this guidance into your program.  The standard is available to view for free from the NFPA website, but is otherwise only available by purchase.  Also available on their website is a fact sheet and information on training for the new standard.

© 2018 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC

Advertisements

Use of Pre-Developed Exercises – Proceed with Caution

I was recently asked by a client about my thoughts on pre-developed or ‘canned’ exercises.  As it turns out, I have a lot of feelings about them, most of them negative.  Pre-developed exercises, if properly understood and applied, can be a huge help, but the big problem is that we’re dealing with human nature, and some people are just damn lazy.  Garbage in, garbage out.

We need to keep in mind that exercises, fundamentally, are developed to validate plans.  Not my plans.  Your own plans.  While standards of practice mean that most plans have a high degree of commonality (i.e. a HazMat response plan for a jurisdiction in California will be largely the same as one for a jurisdiction in New York State), it’s often the deviations from the standards and the local applications that need to be tested most.  So it doesn’t do well for anyone to replicate an exercise that doesn’t test your own plans.  Similarly, the foundation of exercise design is objectives.  While the pre-developed exercise may have a theme that coincides with what you want to test, sheltering, for example, there are a lot of different aspects of sheltering.  The pre-developed exercise might not focus on what you need to exercise.  With all this, anyone who wants a quality exercise from something pre-developed is going to have to do a lot of re-development, which might be more frustrating than starting from scratch.

HSEEP1

If you want a quality exercise, you really can’t short cut the process.  Not only might HSEEP be required for whatever grant funding you are using for the exercise, but it’s a best practice – and for good reason.  So often people want to cut corners.  If you do, the final product will look like you’ve cut corners.  It might lack proper context, good reference documents, or meaningful evaluation.   The exercise planning meetings have defined purpose, and the documents help capture that process and communicate the intent to specific audiences.

On the other hand, there are proper ways to use materials from a previously developed exercise to benefit your own exercise.  The development of good questions in discussion-based exercises and injects for operations-based exercises can be a challenge.  Reviewing other exercises, especially when there might be some similarity or overlap in objectives, can be a huge help, so long as they are properly contextualized and relate back to objectives for your exercise.  This isn’t a copy and paste, though… as it all should still be applied within the exercise design process.

There are some exercises out there that might seem like exceptions to what I’ve written above.  The first that comes to mind are FEMA’s Virtual Table Top Exercises (VTTX).  The VTTX is a great program, conducted monthly, focusing on different themes and hazards.  FEMA’s Emergency Management Institute (EMI) assembles a package of materials that go to each community registered for the event, allowing a measure of local customization.  While jurisdictions may use this material differently, it is at least an opportunity to discuss relevant topics and hopefully capture some ideas for future implementation.

Similarly, my company, Emergency Preparedness Solutions, recently completed a contract with the Transportation Research Board for a project in which we developed a number of ‘generic’ exercises for airports.  These functional exercises, facilitated through a web-based tool, can be easily customized to meet the needs of most airports across the nation and are written with objectives focused on the fundamentals of EOC management within the timeline of an incident.  While specific plans aren’t directly referenced in the exercises, airport personnel are able to examine the structure of response in their EOC and can reflect on their own plans, policies, and procedures.  Similar to FEMA’s VTTX series, they aren’t a replacement for a custom-developed exercise, but they can help examine some fundamentals and start some important discussions.  I’m not able to get into much more detail on this project, as the final report has yet to be published, but look forward to future posts about it.

All in all, I tend to caution against using pre-developed exercises.  I simply think that most people don’t use them with the right intent and perspective, which can severely limit, or even skew, outcomes.  That said, there exists potential for pre-developed exercises to be properly applied, so proceed with caution and with your wits about you.  Understanding that time, money, and other resources can be scarce, emergency management has always done well with ‘borrowing best practices’.  While there is sometimes nothing wrong with that, short cutting the process will often short cut the benefits.  Do it right.  Use of a custom-developed exercise is going to maximize benefit to your community or organization.

© 2018 – Timothy Riecker, CEDP

EPS New logo

Public Health Preparedness as Part of Emergency Management

I’ve written in the past on the need for emergency managers, in the broadest definition, to become more familiar with public health preparedness.  As emergency management continues to integrate, by necessity, into and with other professions, this understanding is imperative.  We need to stop considering EMS as our only public health interface.  Public health incidents, of which this nation has yet to be truly and severely struck by in decades, require more than public health capabilities to be successfully managed – so we can’t just write off such an incident as being someone else’s responsibility.  We’ve also seen non-public health-oriented disasters take on a heavy public health role as concerns for communicable diseases, biological agents, or chemical agents become suspect.  If you are an emergency manager and you aren’t meeting regularly with public health preparedness officials for your jurisdiction, you are doing it wrong.

Aside from meeting with public health preparedness staff, you should also be reading up on the topic and gaining familiarity with their priorities, requirements, and capabilities.  (don’t skip either of those links… seriously.  They each contain more info on public health preparedness).  One of the best resources available is TRACIE.  TRACIE is a resource provided by the US Department of Health and Human Services (HHS) Assistant Secretary for Preparedness and Response (ASPR).  TRACIE stands for the Technical Resources, Assistance Center, and Information Exchange.  I’ve been digging around in ASPR TRACIE for the past several years and also receive their monthly newsletter.  I get a lot of newsletters from different sources… some daily, some weekly, some monthly.  I’ve recently unsubscribed to a bunch which seem to have information that has diminished in value, doesn’t seem to be timely, or are poorly written.  TRACIE is one of those that stays.  It has tremendous value, even if you aren’t directly involved in public health preparedness and response.  The information and resources provided here come from public health preparedness experts – these are emergency managers.

Recently, ASPR did a webinar on Healthcare Response to a No-Notice Incident, highlighting the Las Vegas shootings. Check it out.

But public health speaks a different language!  True.  So do cops, firefighters, and highway departments.  So what’s your point?  While public health certainly does have certain terminology that covers their areas of responsibility, such as epidemiology, med-surge, and others, that doesn’t mean their language is totally different.  In fact, most of the terminology is the same.  They still use the incident command system (ICS) and homeland security exercise and evaluation program (HSEEP), and can talk the talk of emergency management – they are just applying it to their areas of responsibility.  Are there some things they might not know about your job?  Sure.  Just like there are things you don’t know about theirs.  Take the time to learn, and make yourself a better emergency manager.

What have you learned from public health preparedness?  How do you interface with them?

© 2018 – Timothy Riecker, CEDP

EPS New logo

New Jersey Terrorism Threat Assessment – A Model for the Nation

Earlier in the month, the New Jersey Office of Homeland Security and Preparedness released their 2018 Terrorism Threat Assessment.  This unclassified document gives an outstanding review of matters of interest to the State of New Jersey, with relevant information no matter where you are in the US, or any other nation.  While the focus early in the document is specifically relevant to New Jersey and surrounding states, much of the document provides outstanding information and brief case studies on groups such as homegrown violent extremists (HVEs), domestic terror groups, international terror groups, and more.

Terrorism rarely pays attention to borders, especially those within the nation.  While some areas, particularly those with higher populations and higher value targets, have a greater risk profile than others, we’ve seen that terrorists, in the broadest definitions, can live, train, and execute attacks anywhere in the nation – from unincorporated lands, to small towns, to major metropolitan areas.

The document highlights the threat of HVEs, traditionally inspired, but not directly supported by larger terror groups or movements.  These tend to be lone wolves or small cells, having such a small footprint, they often leave intelligence for law enforcement to trace.  The document also mentions a changing trend in militia groups.  Several groups have been seen to change behaviors, seemingly to align with the government or law enforcement, but in actuality chasing their own vigilante agendas.

I encourage everyone who is interested to review this document.  The content is current, relevant, and informative.  I think it’s a model for states and communities around the nation, providing an excellent snapshot of the current landscape of terrorism.

© 2018 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC

Guidance for Operational Security and Access

Operational security can be a big issue, especially on prolonged incidents.  An incident occurs.  Evacuations have to take place.  A scene has to be secured.  Issues like safety and evidence preservation are priorities.  Inevitably someone says they ‘need access’.  Who are they?  Do they really need access?   Are they an evacuee?  A responder?  Media?  A government official?  A critical infrastructure operator?  When is it OK to allow someone access and under what circumstances?

While NIMS has been advocating for credentialing as an effort to identify responders and their qualifications, along with ensuring that they have appropriate identification to grant them access to an incident scene and to utilize them to the best ability, there is still a lot of work to do, and little has been done beyond first responders.  I’ve been on incidents where the perimeter was not well established and anyone could stroll in to an incident site or a command post.  I’ve been on incidents where the flash of a badge or ID was good enough to get through, even though the person at the perimeter didn’t actually examine it, much less verify it.  I’ve also been on incidents where no entry was allowed with a badge, official ID, and a marked car – even though entry was necessary and appropriate. Thankfully, I’ve also been on some incidents where identification is examined, and the access request is matched to a list or radioed in for verification.  This is how it should work.

While credentialing and access control are two separate topics, they do have a degree of overlap.  Like so many aspects in incident management, little ground has been gained on more complex matters such as these because there is little to no need for them on the smaller (type 4 and 5) incidents.  Type three (intermediary) incidents generally use an ad-hoc, mismanaged, band-aid approach to these issues (or completely ignore them), while larger (type 1 and 2) incidents eventually establish systems to address them once a need (or usually a problem) is recognized.  While every incident is unique and will require an-incident specific plan to address access control and re-entry, we can map out the primary concerns, responsibilities, and resources in a pre-incident plan – just like we do with so many of our other operational needs in an Emergency Operations Plan (EOP).  Also, like most of what we do in the development of an EOP, access control and re-entry is a community-wide issue.  It’s not just about first responders.

Here’s an example of why this is important.  A number of years ago I ran a tabletop exercise for the chief information officer (CIO) agency of a state government.  The primary purpose was to address matters of operational continuity.  I used the scenario of a heavy snow storm which directly or indirectly disabled their systems.  We talked about things like notification and warning, remote systems access (the state didn’t have a remote work policy at the time), redundant infrastructure, and gaining physical access to servers and other essential systems.  Without gaining physical access, some of their systems would shut down, meaning that many state agencies would have limited information technology access.  Closed roads and perimeter controls, established with the best of intentions, can keep critical infrastructure operators from accessing their systems.  The CIO employees carried nothing but a state agency identification, which local police wouldn’t give a damn about.  Absent a couple hours of navigating state politics to get a state police escort, these personnel would have been stuck and unable to access their critical systems.  Based upon this, one of the recommendations was to establish an access control agreement with all relevant agencies where their infrastructure was located.

Consider this similar situation with someone else.  Perhaps the manager of a local grocer after a flood.  They should be able to get access to their property as soon as possible to assess the damage and get the ball rolling on restoration.  Delays in that grocer getting back in business can delay the community getting back on their feet and add to your work load as you need to continue distributing commodities.

There are a lot of ‘ifs’ and ‘buts’ and other considerations when it comes to access control, though.  There aren’t easy answers.  That’s why a pre-plan is necessary.  Like many things we do in emergency management and homeland security, there is guidance available.  The Crisis Event Response and Recovery Access (CERRA) Framework was recently published by DHS.  It provides a lot of information on this matter.  I strongly suggest you check it out and start bringing the right people to the table to start developing your own plan.

© 2018 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC

FEMA’s 2018-2022 Strategic Plan: The Good, the Bad, and the Ignored

FEMA recently released their 2018-2022 Strategic Plan.  While organizational strategic plans are generally internal documents, the strategic plans of certain organizations, such as FEMA, have a significant link to a broader array of stakeholders.  The community of emergency management in the United States is so closely linked, that FEMA, through policy, funding, or practice, has a heavy influence on emergency management at the state and local levels.  Here are my impressions of the 38-page document.

Picture1

Right from the beginning, this document continues to reinforce the system of emergency management and the involvement of the whole community. I’m glad these concepts have been carried forward from earlier administrations.  Far too often have we seen new administrations trash the concepts of the previous for reasons none other than politics.  Things often take time in emergency management, and it sometimes seems that just as we are getting a grasp on a good concept or program, it’s stripped away in favor of something new which has yet to be proven.

The foreword of the document, as expected, lays out the overall focus of the strategic plan.  What I’m really turned off by here is the mention, not once but twice, of ‘professionalizing’ emergency management.  Use of this phrase is an unfortunate trend and a continued disappointment.  We are our own worst enemy when statements like this are made.  It seems that some in emergency management lack the confidence in our profession.  While I’m certainly critical of certain aspects of it, there is no doubt in my mind that emergency management is a profession.  I wish people, like Administrator Long, would stop doubting that.  Unfortunately, I’ve heard him recently interviewed on an emergency management podcast where he stressed the same point.  It’s getting old and is honestly insulting to those of us who have been engaged in it as a career.

The strategic goals put forward in this plan make sense.

  1. Build a culture of preparedness
  2. Ready the nation for catastrophic disasters
  3. Reduce the complexity of FEMA

These are all attainable goals that belong in this strategic plan.  They stand to benefit FEMA as an organization, emergency management as a whole, and the nation.  The objectives within these goals make sense and address gaps we continue to deal with across the profession.

A quote on page 8 really stands out… The most effective strategies for emergency management are those that are Federally supported, state managed, and locally executed.  With the system of emergency management in the US and the structure of federalism, this statement makes a lot of sense and I like it.

Based on objective 1.2 – closing the insurance gap – FEMA is standing behind the national flood insurance program.  It’s an important program, to be sure, but it needs to be better managed, better promoted, and possibly restructured.  There is a big red flag planted in this program and it needs some serious attention before it collapses.

Here’s the big one… It’s no secret that morale at FEMA has been a big issue for years.  The third strategic goal includes an objective that relates to employee morale, but unfortunately employee morale itself is not an objective.  Here’s where I think the strategic plan misses the mark.  While several objectives directly reference improving systems and processes at FEMA, none really focus on the employees.  Most mentions of employees in the document really reference them as tools, not as people.  Dancing around this issue is not going to get it resolved.  I’m disappointed for my friends and colleagues at FEMA.  While I applaud the strategic plan for realizing the scope of external stakeholders it influences, they seem to have forgotten their most important ones – their employees.  This is pretty dissatisfying and, ultimately, is an indicator of how poorly this strategic plan will perform, since it’s the employees that are counted on to support every one of these initiatives.  You can make all the policy you want, but if you don’t have a motivated and satisfied work force, change will be elusive.

Overall, I’d give this strategic plan a C.  While it addresses some important goals and objectives and recognizes pertinent performance measures, it still seems to lack a lot of substance.  External stakeholders are pandered to when internal stakeholders don’t seem to get a lot of attention.  While, as mentioned earlier, FEMA has a lot of influence across all of emergency management, they need to be functioning well internally if they are to successful externally.  Employee morale is a big issue that’s not going to go away, and it seems to be largely ignored in this document.  I absolutely want FEMA to be successful, but it looks like leadership lacks the proper focus and perspective.

What thoughts do you have on FEMA’s new strategic plan?

© 2018 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC SM