The 2019 National Preparedness Report, or ‘How Are We Measuring Preparedness?’

FEMA recently released the 2019 National Preparedness Report.  Simply put, I’m confused.  Nothing in the report actually lines up with doctrine.  It leaves me wondering how we are actually measuring preparedness.  So what’s the issue?

While the National Preparedness Report is initially structured around the five mission areas (Prevention, Protection, Mitigation, Response, and Recovery), the only full inclusion of the Core Capabilities in the report is a table on page 9, outlining usage of grant funds per Core Capability.  After this, the Core Capabilities for each mission are listed in the title page for each mission area within the detailed findings for those mission areas.  No detail of progress within these Core Capabilities is provided, however.  With the absence of this analysis, we are not seeing data on the progression of preparedness, which, per the National Preparedness Report, is measured through the lens of each of the Core Capabilities.

This is further confused on pages 45 and 48, in particular, where tables list the Community Lifelines with some sort of correlated ‘capabilities’ (noted with a lowercase ‘c’… thus not the Core Capabilities).  These capabilities are not from any doctrine that I can find or recall, including the components and subcomponents for each Community Lifeline provided in the Community Lifelines Toolkit.  For each of these they provide some analytical data, but it’s unclear what this is based upon.  The methodology provided early in the document does nothing to identify why this change in format has occurred or where these specific data sets come from, much less why they are deviating from the previous format and the standards provided through the National Preparedness Goal.

Some perspective… It would seem logical that the National Preparedness Report would be assessing our national state of preparedness relative to the National Preparedness Goal, as it has since its inception.  The National Preparedness Goal is structured around the five mission areas and the 32 Core Capabilities.  With the emergence of the Community Lifelines and their inclusion in the recent update of the National Response Framework, it makes sense that we will see Community Lifelines further integrated into standards, doctrine, and reports, but they have yet to be integrated into the National Preparedness Goal (the current version is dated 2015).  We have not yet seen a comprehensive crosswalk between the Community Lifelines and the Core Capabilities, but it should be recognized that there are certain aspects, even if you just examine the Response Mission Area, that don’t match up.

In an unrelated observation on the National Preparedness Report, the trend continues with citing after action reports from the year, but not actually providing any analysis of lessons learned and how those are being applied across the nation.

Bottom line… while there are some valuable nuggets of information included in this report, I find most of it to be confusing, as it lacks a consistent format on its own, as well as inconsistency with the existing standard of measurement as defined by the National Preparedness Goal.  Why is this a big deal?  First, it’s a deviation from the established standard.  While the standard may certainly have room for improvement, the standard must first be changed before the metrics in the reporting can be changed.  Second, with the deviation from the standard, we aren’t able to measure progress over time.  All previous National Preparedness Reports have provided data within the scope of Core Capabilities, while this one largely does not.  This breaks the possibility of any trend analysis.  Third, there is no reasoning provided behind the capabilities (lowercase ‘c’) associated with each of the Community Lifelines in the report.  It’s simply confusing to the extent that it becomes irrelevant because the information provided is not within the existing lexicon which is used for measurement of practically everything in preparedness.

Simply put, this year’s report is even more disappointing than those provided in previous years.  In fact, since it doesn’t conform with the current standard, I’d suggest it’s not even valid.  This should be far better.

Thoughts?

© 2019 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC

 

 

A New CPG-101 is Coming

FEMA has recently announced an upcoming update to CPG-101.  CPG-101 is short hand for the “Community Preparedness Guide 101: Developing and Maintaining Emergency Operations Plans” document.  CPG 101 is a legacy document, which through its own versions and previous iterations has for decades has served as the standard guidance for emergency operations planning in the US.  The last update to CPG 101 was released in November of 2010.  That update introduced some best practices and lessons learned of the time, but with more recent changes to NIMS, better inclusion of EOC structures and function, the addition of Community Lifelines, updates to the National Preparedness Goal, National Response Plan, National Recovery Plan, and other lessons learned and best practices realized, an update to CPG 101 will be significant.  If you are looking for more information on CPG 101, here are a few articles I’ve written that reference it.

FEMA is soliciting input through direct feedback and a series of webinars.  Information on that can be found here: https://www.fema.gov/plan.  The deadline for feedback is January 14, 2020.  I heavily encourage participation in this effort by stakeholders across all of emergency management, public safety, and homeland security.

  • TR

An Updated Community Lifelines Toolkit and Relationships to Incident Management

Earlier this year, FEMA released guidance on the Community Lifelines.  I wrote a piece in the spring about integrating the concept into our preparedness and response activities.  Last month, FEMA issued updated guidance for Community Lifeline Implementation through Toolkit 2.0.  In this update, FEMA cites some lessons learned in actually applying the Lifeline concept in multiple exercises across the nation, as well as from feedback received by stakeholders. Based on these lessons learned and feedback, they have made some adjustments to their toolkit to reflect how they understand, prioritize, and communicate incident impacts; the structure and format for decision-making support products. And planning for these impacts and stabilization prior to and during incidents.  They have also made some changes based upon the updated National Response Framework.  The documents associated with the updated Community Lifelines all seem to reflect an inclusion in the efforts of the National Response Framework.  It’s great to see FEMA actually tying various efforts together and seeking to provide grounded guidance on application of concepts mentioned in doctrine-level documents.

The biggest addition to the Community Lifelines update is the inclusion of the FEMA Incident Stabilization Guide.  The ‘operational draft’ is intended to serve as a reference to FEMA staff and a resource to state, local, and tribal governments on how “FEMA approaches and conducts response operations”.  It’s a 77-page document the obviously leans heavily into the Community Lifelines as a standard for assessing the impacts to critical infrastructure and progress toward restoration, not only in response, but also into recovery operations.  It even reflects on bolstering Community Lifelines in resilience efforts, and ties in the THIRA and capability analysis efforts that states, UASIs, and other governments conduct.  I’m not sure the document is really a review of how FEMA conducts operations, as they say, but it does review the ideology of a portion of those operations.  Overall, there is some very useful information and references contained in the document, but this brings me to a couple of important thoughts:

  1. The utility of this document, as with the entire Community Lifelines concept, at the state and local level is only realized through integration of these concepts at the state and local levels.
  2. We finally have guidance on what ‘incident stabilization’ really entails.

To address the first item… In my first piece on Community Lifelines, I had already mentioned that if states or communities are interested in adopting the concept of Community Lifelines, that all starts with planning.  An important early step of planning is conducting assessments, and the most pertinent assessment relative to this initiative would be to identify and catalog the lifelines in your community.  From there the assessment furthers to examine their present condition, vulnerabilities, and align standards for determining their operational condition aligned with the Community Lifelines guidelines.  I would also suggest identifying resiliency efforts (hopefully these are already identified in your hazard mitigation plan) which can help prevent damages or limit impacts.  As part of your response and short-term recovery lexicon, procedures should be developed to outline how lifeline assessments will be performed, when, and by who, as well as where that information will be collected during an incident.

As for my second item, the concept of incident stabilization has an interesting intersection with a meeting I was invited to last week.  I was afforded the opportunity to provide input to an ICS curriculum update (not in the US – more on this at a later time), and as part of this we discussed the standard three incident priorities (Life Safety, Incident Stabilization, and Property Conservation).  We identified in our discussions that incident stabilization is incredibly broad and can ultimately mean different things to different communities, even though the fundamental premise of it is to prevent further impacts.  This Incident Stabilization Guide is focused exclusively on that topic.  In our endeavor to make ICS training better, more grounded, less conceptual, and more applicable; there is a great deal of foundational information that could be distilled from this new document for inclusion in ICS training to discuss HOW we actually accomplish incident stabilization instead of making a one-off mention of it.

Going a bit into my continued crusade against the current state of ICS training… I acknowledge that any inclusion of this subject matter in ICS training would still be generally brief, and really more of a framework, as implementation still needs to be grounded in community-level plans, but this document is a great resource.  This also underscores that “learning ICS” isn’t just about taking classes.  It’s about being a professional and studying up on how to be a more effective incident manager.  ICS is simply a tool we use to organize our response… ICS is NOT inclusive of incident management.  Not only are we teaching ICS poorly, we are barely teaching incident management.

While I’ve been away for a while working on some large client projects, I’m looking forward to ending the year with a bang, and getting in a few more posts.  It’s great that in my travels and interactions with colleagues, they regularly mention my articles, which often bring about some great discussion.  I’m always interested in hearing the thoughts of other professionals on these topics.

© 2019 Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC®

A New National Response Framework

Yesterday FEMA announced the release of an updated National Response Framework (the fourth edition).  The most notable changes in this version of the NRF are the inclusion of Community Lifelines and a change to Emergency Support Function (ESF) #14.  Previously, ESF #14 was Long-Term Community Recovery.  With efforts to further engage and coordinate with the private sector in disaster response, ESF #14 has been changed to Cross-Sector Business and Infrastructure.

So what of Long-Term Community Recovery?  The National Disaster Recovery Framework (2016) outlines Recovery Support Functions (RSFs), which, at the federal level, are organized as coordinating structures along with the ESFs.  There are six RSFs, which generally align with the Core Capabilities for the Recovery Mission Area.  For anyone who has worked with FEMA in disaster recovery operations, you know these can be massive organizations, so why create an even large organization?  This structure should support the ESFs in focusing on immediate needs, while the RSFs can address long-term recovery.  When the Federal disaster response organization is initially set up for a disaster, the ESFs are immediately put to work to support state and local emergency needs.  In this phase, the RSFs are able to organize, gather data, and plan for eventually being the lead players as response transitions to recovery.  Recovery is very much a data-driven operation.  As this transition occurs, with the RSFs taking over, many of the ESF resources can be demobilized or tasked to the RSFs.

What does this mean for states and locals?  Fundamentally, nothing.  States simply need to have an appropriate interface with the new ESF #14.  Do states and locals need to mirror this organization?  No, and in fact most of the time when I see an organization centered around ESFs, I tend to cringe.  The ESF/RSF system works for the federal government because of the multitude of federal agencies that have responsibility or involvement in any given function.  Fundamentally, ESFs/RSFs are task forces.  Recall the ICS definition of a task force, being a combination of resources of varying kind and type.

Certainly, most local governments, aside from perhaps the largest of cities, simply don’t have this measure of complexity and bureaucracy.  It can work for some state governments, but for many it may not make sense.  Let’s consider ESF #1 – Transportation.  How many state agencies do you have that have responsibility and assets related to transportation?  In some states, like New York, there are many, ranging from State DOT, NYS Parks, the Thruway Authority, and the multitude of other bridge, road, and transit authorities in the State. Smaller states may only have a State DOT.  One agency doesn’t make a task force.  There are other options for how you organize your emergency operations plan and your EOC that can make more sense and be far more effective.  Essentially what I’m saying is to not mirror the way the feds organize because you think you have to.  All plans must be customized to YOUR needs.

On to the integration of community lifelines.  The goal of the new ESF #14 is to not only engage the private sector, but also coordinate cross-sector operations for stabilizing community lifelines.  I’m interested to see how this plays out, since the community lifelines are already addressed by other ESFs, so I suspect that once the new framework is tested, there may be some supplemental materials that come out to balance this.  That said, the integration of community lifelines is a good thing and I’m glad to see this gaining more traction and truly being integrated rather than existing as a good idea that’s never actually tasked.  Integration of community lifelines is something that every state and local government can at least track, if not take action on, depending on their capability and resources.  The updated NRF added some additional context to community lifelines, with information that supports integrating this concept into planning, response, and recovery.  I happen to appreciate this community lifeline focused timeline that is in the NRF.

While the focus of the NRF is on how the federal government will response, it is intended to be reflective of a whole community response.  It doesn’t necessarily provide guidance (nor should it) on planning, but it certainly serves as a reference.  Since it seems the feds are going all in on the community lifeline concept, I urge state, local, tribal, and territorial governments to examine how they can integrate them into your operations.  That all starts with planning.  It may begin as a function of situational awareness, but then what actions should a jurisdiction take when lifelines are impacted?  Even if a jurisdiction doesn’t have the capabilities to address the root cause, they still need to address the affects.

What thoughts do you have on the NRF update?

© 2019 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC

EOC Management Organization

FEMA recently released a draft Operational Period Shift Brief Template for EOCs, open to public comment.  The document is fine, though there was one glaring issue… it assumes an ICS-based model is in use in the EOC.

With the release of the NIMS refresh, we were given some ‘official’ options for EOC management structures.  Unfortunately, we aren’t seeing much material that supports anything other than an ICS-based structure.  An ICS-based structure may certainly be fine, but every organization should examine their own needs to identify what works best for them.  Story time…

We recently completed a contract that included the development of a plan for a departmental operations center for a state agency.  The plan had to accommodate several considerations, including interaction with regional offices and operations, interaction with the State EOC, and integration of a call center.  When we talked to people, examined form and function, and looked at fundamental needs, the end result was an ICS-based organization.  While accommodations had to be made for translating their own agency structure and mission, it fit rather well.

For a contract we are currently working on, we are developing an EOC plan for a private utility.  Again, we reviewed documents, talked to people, and identified the fundamental needs of the company and the EOC organization.  The end result is shaking out to be something a little different.  At a glance, it’s largely ICS-based, but has some aspects of the Incident Support Model, while also having its own unique twists.  One particular observation was that their company’s daily structure has functions combined that we would normally break up in traditional ICS.  Breaking these functions up for an incident would be awkward, disruptive, and frankly, rather absurd.  Not only would personnel be dealing with something out of the ordinary, they would be changing the flow of corporate elements that have been placed together by necessity in their daily operations, which would detract from their efficiency during the incident.

My third example is a contract we are just getting started on.  This project involves developing an EOC plan for a municipality.  While we’ve had some initial discussions, we aren’t sure what the end result will be just yet.  The client isn’t set on any particular structure and is open to the process of discovery that we will be embarking on.  As I’ve thought about their circumstances and the recent and current work we’ve done on this topic, there are a few things that have come to mind.

  1. While NIMS is all about standardization and interoperability, the range of utility of emergency operations centers, in any form, and the mission, organization, an innate bureaucracy of the ‘home agency’ have a heavy influence on what the EOC’s organization will look like.
  2. While there still should be some standard elements to an EOC’s organization, there is generally less fluidity to the composition of an EOC, especially as it compares to a field-level incident command where the composition of the responding cadre of organizations can radically differ.
  3. Consider the doctrinal core concepts of ICS as really core concepts of incident management, thus we can apply them to any structure. These concepts are fundamental and should exist regardless of the organization used.  Some examples…
    1. Unity of Command
    2. Modular organization
    3. Manageable span of control
    4. Consolidated action plans
    5. Comprehensive resource management
  4. We need to acknowledge that the full benefit of organization standardization, exhibited by the ability of incident management personnel to be assigned to a new EOC and be able to immediately function, is potentially compromised to an extent, but that can be largely mitigated by adherence to the core concepts of ICS as mentioned previous. Why?  Because the system and processes of incident management are still largely the same.  These new personnel need just a bit of an orientation to the organizational structure being used (particularly if they are to be assigned in a leadership capacity at any level).

The most important consideration is to develop a plan.  That will provide extensive benefit, especially when done properly.  Follow the CPG 101 guidance, build a team, do some research, and weigh all options.  The end goal is to identify an organizational structure that will work for you, not one that you need to be forced into.  Bringing this around full circle, we need to know that with whatever system you decide to use, expect that you will need to develop your own training, job aids, and other support mechanisms since they largely don’t exist for anything outside of an ICS-based structure.  Note that even for an ICS-based model, there are needs… consider that there is no ‘official’ planning P for EOCs (one that is less tactics-focused), and, of course, that ICS training alone isn’t enough to run your EOC by.

I don’t place any blame for this need… consider that FEMA, with finite resources just like the rest of us, tries to produce things that are of the greatest utility to as much of the nation as possible, and right now, most EOCs are run on an ICS-based model.  While I hope this will expand over time, every entity will still be responsible for developing their own training on how they will organize and respond.  No training developed by a third party for a mass audience can ever replace the value of training designed specifically to address your plans.

I’m interested in hearing what changes are being made to your EOC organizations and how you are addressing needs.

© 2019 Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC

A Deeper Review of FEMA’s E/L/G 2300 EOC Intermediate Course

A couple months ago I got my hands on the materials for the ELG 2300 EOC Intermediate course.  Back in early June I gave an initial review of this course, based on information from a webinar and the course’s plan of instruction.   Unfortunately, upon reviewing the actual course materials, my initial concerns have been reinforced.

First, I’ll start off with what I think are the positives of this course. The course doesn’t stray from NIMS, and applies a practical integration of the NIMS management concepts, which we are mostly used to seeing in ICS, into the EOC environment.  This is 100% appropriate and should always be reinforced.  The course also references the EOC National Qualification System skillsets.  It’s great to see the NQS referenced in training as they otherwise receive very little attention, which actually brings about a lot of concern as to their overall adoption.  Two units within the course provide some incredibly valuable information.  Those are Unit 5 (Information and Intelligence Management) and Unit 7 (EOC Transition to Recovery).

On to the down side of things… As mentioned in my review a couple months back, the course objectives simply don’t line up with what this course needs to do – that is, it needs to be teaching people how to work in an EOC.  So much of the content is actually related to planning and other preparedness activities, specifically Units 3, 4, and 8. Unit 3 dives into topics such as position tack books, organizational models, EOC design, staff training and qualifications, exercises and more.  Though, ironically enough, there is little to no emphasis on deliberate PLANNING, which is what all this relates to.  This isn’t stuff to be thinking about during an EOC activation, but rather before an activation.  Unit 4, similarly, gets into triggers for activation, how to deactivate the EOC, and other topics that are planning considerations.  Unit 8 dives more into design, technology, and equipment.  While it’s valuable for people to know what’s available, this is, again, preparedness content.

There is a lot of repetitive content, especially in the first few units, along with some typos, which is really disappointing to see.  There are also some statements and areas of content which I wholeheartedly disagree with.  Here are a few:

  • There is ‘no common EOC structure’.   There are actually a few.  Hint: they are discussed in the NIMS document.  I think what they are getting at with this statement is that there is no fixed EOC structure.
  • ‘EOC leaders determine the structure that best meets their needs’. False. Plans determine the structure to be used.  While that organizational model is flexible in terms of size of staff and specific delegations, the lack of context for this statement seems to indicate that the EOC Manager or Director will determine on the fly if they will use the ICS-based model, the Incident Support Model, or another model.
  • One slide indicates that use of the ICS-based model doesn’t require any additional EOC training beyond ICS for EOC staff. Absolutely false!  In fact, this sets you up for nothing but failure.  Even if the model being applied is based on ICS, the actual implementation in an EOC is considerably different.  I’ve written about this in the past.
  • The Incident Support Model ‘is not organized to manage response/recovery efforts’. Wrong again.  With the integration of operations functions within the Resource Support Section, response and recovery efforts can absolutely be managed from the EOC.

There is another area of content I take particular exception with.  One slide describes ‘incident command teams’, and goes on to describe the Incident Command Post (which is a facility, not a team), and an Incident Management Team, with the formal description of a rostered group of qualified personnel.  Not only is this slide wrong to include an Incident Command Post as a ‘team’, they are fundamentally ignoring the fact that ‘incident command teams’ are comprised every damn day on the fly from among responders deploying to an incident.  These are the exact people I espouse the need to train and support in my discussions on ICS.

My conclusions… First of all, this course does not do as it needs to do, which is training people how to work in an EOC.  While the preparedness information it gives is great, operators (people assigned to work in an EOC) will be taking this course expecting to learn how to do their jobs.  They will not learn that.  I’ve advocated before for most training to be set up similar to HazMat training, utilizing a structure of Awareness, Operations, Technician, Management, and Planning focused courses which are designed to TEACH PEOPLE WHAT THEY NEED TO KNOW based upon their function.  Largely, this course is a great Planning level course, that is it’s ideal for people who will be developing EOC operational plans, standard operating guidelines, position qualification standards, and other preparedness material.  I think that Operations, Technician, and Management level training is going to be left to jurisdictions to develop and implement, as it certainly isn’t found here.

I urge a lot of caution to everyone before you decide to teach this course.  Take a look at the material and decide if it’s really what your audience needs.

What are your thoughts on this course?  Will your jurisdiction get use out of it?

© 2019 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC®

A New Vision for ICS Training

Yep, I’m still at it.  It seems with every post about the condition of Incident Command System training as we know it, I’m able to draw more people into our cause (aka the Crusade).  While I’ve never espoused there to be an easy solution, the training that we currently provide for ICS falls well short of doing us any favors.  People walk out of each subsequent training course with a marginally increased understanding of the system and how to use it.  And that’s really the fundamental problem, isn’t it?

Perhaps at some point, someone had the idea of developing ICS 100-400 to be knowledge-based courses, with position-specific training to be more about application.  Unfortunately, that’s a significant disservice to responders and the populations they serve, which was further exacerbated by the NIMS training requirements, creating a type of a false sense of security in which people believed that they have ‘been trained in ICS’, therefore all is well in the world.  Responders, in the broadest sense, at supervisory levels within every community should be trained not only in what ICS is but also how to implement it.  Not every community, for a variety of reasons, has reasonable access to position-specific training, so the core ICS curriculum absolutely MUST do a better job in teaching them how to implement the system.

This also goes further than just training.  ICS, like so many other things, is a knowledgebase that tends to degrade over time.  Without practice, you tend to lose the skills.  This is how people who are on Incident Management Teams or those who work regularly in an ICS-based Emergency Operations Center are so well practiced in the system.  In the absence (hopefully!) of actual incidents, planned events and exercises go a long way to keeping skills sharp.  Even those, however, can get costly and time-consuming to design and conduct.  Enter the hybridization of scenario-based training, which is something I’ve written on in the past.  Not only do we need to include more scenario-based training in everything, we need to include a scenario-based ICS skills refresher course as part of the core ICS curriculum.

While I continue to have various thoughts on what there is to be done with the ICS curriculum as a whole, here is my current vision…

ICS-100: (What is ICS?)  Pretty much keep this as is, with options for on-line and classroom delivery.  The purpose of this course is to serve as an introduction to ICS concepts for those who are likely to come into contact with it and work in lower levels within the system.  This is levels one (knowledge) and two (comprehension) of Bloom’s taxonomy.  It shall serve as a prerequisite to further ICS classes as it provides much of the fundamental terminology.

ICS-200: (How do I work within the system?)  Tear down/burn down/nuke the on-line version and never look back.  Simply making it ‘more accessible’ doesn’t mean that it’s good (it’s not).  The purpose of this course is to expand on knowledge and begin to approach functionality.  I expect content to reach deeper than what is currently within the course.  Without looking at specific content areas, I envision this course to be mostly level two (comprehension) of Bloom’s taxonomy with some touches on level three (application).  Perhaps the only level one content that should be introduced in this course are some fundamentals of emergency management.  Some of the content areas currently in the ICS 300 absolutely need to be moved into the ICS 200 to not only make the ICS 200 more impactful, but to also set up the ICS 300 as being fully focused on implementation of the system.  Expanded content may mean taking this course to a duration of up to three days (it even feels taboo writing it!). ICS 100 (taken within six months) is a prerequisite.

ICS-300: (How do I manage the system?) The most recent update of the ICS 300 course begins to approach the vision for what we need, but more work needs to be done.  This course needs to be much less about the system and more about how to IMPLEMENT and MANAGE the system.  This course is firmly rooted in level three (application) of Bloom’s taxonomy, with perhaps some level four objectives, which gets into analysis (troubleshooting and creative solutions… because that’s what emergency management is really all about!).  Much of this course is scenario-based learning centered on implementation and management of an incident through the use of ICS.  Less instruction, more guidance.  And because, at this point, ICS isn’t the only thing at play in real life, concepts of broader incident management are also applied.  ICS 200 is naturally a prerequisite, and should have been taken within a year.

ICS Implementation Refresher Course: This would be designed as a post- ICS 300 course, taken every year or two.  Reasonably, this can be accomplished in a day of intensive scenario-based training.

ICS-400: (A prerequisite for position-specific training).  Eliminate this from the core curriculum.  Seriously.  Most of the current content of this course is not needed in the core ICS curriculum.  Time is better spent in a more intensive ICS 300 course than teaching people about some (largely) obscure applications of ICS which are usually only ever performed by incident management teams.  The current content is largely fine, it just has such little impact on local implementation of ICS and is really rather awkward within the continuity of the curriculum.

Thoughts and feedback are always appreciated.  If we are to succeed and build a better mouse trap, it will be through dialogue and sharing of ideas.

© 2019 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC®