Public Area Security National Framework

The Transportation Security Administration (TSA) recently released this report in cooperation with a variety of stakeholders which provides information and guidance on preparedness, prevention, and response activities to strengthen the public spaces of transportation venues.  While the focus of the document is on airports, the information in the document is great not only across all transportation venues, but other public spaces as well.  I think there are great takeaways for other areas of vulnerability, such as malls, convention centers, event spaces, and others.

To be honest, there is nothing particularly earthshattering in this document.  The document is brief and identifies a number of best practices across emergency management and homeland security which will help agencies and organizations prevent, protect, prepare, and respond to threats, particularly attacks.  That said, the document does accomplish providing concise information in one document on key activities that absolutely should be considered by entities which control public-access spaces.  I would also suggest that this document is still 100% relevant to those which have some access controls or entry screenings.

Information in the document is segmented into three key tenets: Information Sharing, Attack Prevention, and Infrastructure and Public Protection.  Within these tenets are found recommendations such as relationship building, communication strategies, vulnerability assessments, operations centers, planning, training, and exercises.  Most of the recommendations provide examples or leading best practices (although no links or sources of additional information, which is a bit disappointing).

The framework is worth a look and can probably serve as an early foundation of activity for those who haven’t yet done much to prepare their spaces for an attack.

© 2017 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC

Advertisements

Can we Require Preparedness?

The City of Pittsburgh recently lost an effort to require emergency preparedness training for security officers and building service employees.  The Commonwealth Court ruled that the City did not have the authority to require such an ordinance.  This is just another example we’ve seen with difficulties across the US with requirements for preparedness measures.  Why is it so challenging?  It often comes down to the legality of the requirement.

When it comes to the interface of local jurisdictions with states, we often see the concept of home rule providing one of the greatest challenges.  Some interpretations of home rule laws identify that states can’t require local (often to include county) jurisdictions to conduct certain activities, such as have certain plans, attend training, or conduct exercises.  In some states, we see law or regulation that states that if a jurisdiction is to have an emergency plan, then there is a required format of said plan.  But if there is no stick, there is often a carrot.

If requirements can’t be established, then incentives are often the best alternative.  Again, in the local/state relationship, states have grant allocations which can be provided to local governments.  Grant rules can be established that identify certain requirements as conditions of funding.  This tends to be highly effective, especially when funding is expected to continue year after year, and the grants continue to reinforce sustained maintenance on these requirements, such as periodic updates to emergency plans.  Generally, I see no down side to this alternative, so long as the required initiatives are well thought out and realistic given the amount of funds the jurisdiction is receiving.  To ensure effectiveness, however, there must be accountability and quality control measures in place to monitor execution of these requirements; such as reviewing plans, After Action Reports, and auditing training programs. This same methodology is typically how DHS/FEMA is able to get states and funded urban areas (UASIs) to comply with their wishes for various initiatives.

Outside of government, requirements can still be difficult.  While regulations may be put into place for certain industries and under certain conditions, we often have to rely on other, more practical, means of getting businesses, industry, and even not for profits on board.  This often comes with certifications.  An example would be ISO certifications, which some businesses and industry need to compete in certain markets.  Yes, there is even an ISO standard for emergency management.

Unfortunately, many entities, be they public, private, or even individuals, don’t want to be bothered with preparedness.  Most will agree that it’s a good idea, but it takes time, money, and effort.  It’s long been said that you can’t legislate preparedness, and that is often true.  Even if a requirement is able to be established, the extent of implementation can range widely, depending on the internal motivations and resources available to the entity.  Establish whatever requirements you want, but I guarantee there are some that will barely meet those requirements, and in doing so likely not meet the actual intent of the requirement; while others who are believe in the requirement and have available resources, will exceed the requirement.  Largely, organizations are motivated by funding and certification standards.

I’m interested in the perspectives you have on requiring preparedness, both in the US as well as other nations.

© 2017 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC

Customization of ICS

Even since before the National Incident Management System (NIMS), I’ve seen individuals and organizations have a desire to customize the Incident Command System (ICS).  This has always been troubling to me, as customization is fully contradictory to using a standardized system.

ICS offers an abundance of flexibility.  If you are familiar enough with the system, its foundational features, and the intent of the roles and responsibilities within the system, you can meet practically every need utilizing these functions and features.  Is ICS perfect?  No.  Is it the best we have?  Yep, it sure is.  Having many years as a practitioner, trainer, and evaluator of ICS, I’m confident that it can meet 95% of needs that an organization will have.

Generally, I find the argument that many organizations who insist on customization put forward is that the rigidity of ICS does not accommodate their needs, structure, and culture. On the occasion that I’ve had to sit down with the organization’s personnel and ask questions about what they are trying to accomplish, it becomes quite clear that they simply don’t have a good understanding of ICS.  Some can be fairly obvious, such as moving the Safety Officer position to Operations.  Others require a bit more analysis, such as creating an element in the Operations Section to address security needs of their own facility.  Security of your own facility is actually a responsibility of the Facilities Unit within Logistics, not an Operations responsibility.

Foundationally, let’s consider the main purpose of ICS – interagency coordination.  ICS is a standardized system which supports integration, cooperation, and unity of effort between and among multiple organizations.  One of the main reasons I see organizations struggling to fit elements into an ICS organization chart is because some simply don’t belong there.  If you have functions internal to your own agency, even if they are used during emergency operations, but don’t interact with others, I honestly couldn’t care if you organize them within ICS, so long as they are accounted for within your own organization’s own chain of command.  There is no doctrine or best practice that requires organizations to account for every internal function within an ICS org chart.

The other reason, which I eluded to earlier, for organizations trying to customize ICS for their purposes, is a lack of understanding of ICS.  While I’m aware that some people who have done this might only have taken ICS 100, giving them only a scratched surface of ICS knowledge, which they easily misapply since they don’t have a good understanding of the fundamental concepts of ICS.  However, I’m aware of plenty of individuals who have taken ICS 300 and possibly ICS 400 who still fall into this trap.  I feel this situation stems from a result of misapplied learning, which ultimately comes from poor ICS curriculum.  (If you want to read more on my opinions on how ICS Training Sucks ⇐visit here).

ICS training should not only provide learning to support operational implementation of ICS concepts, but also adequate preparedness activities, such as integrating ICS into plans, policy, and procedures.  Current training leaves many people feeling they know enough about ICS to integrate it into these important documents, but they feel compelled to be creative, when not only is creativity generally not required, it flies in the face of a standardized system.  ICS has an abundance of flexibility which can accommodate a multitude of functions; one just has to relate these to the fundamental features of ICS to identify where they might go.  I’m not opposed to creating a new organizational element, just make sure that it fits appropriately, without duplicating efforts, usurping responsibility from another standard element, or violating span of control.

Consider this: will your organization chart integrate with others?  If so, how?  Is there operational integration or is it through an agency representative?  If the answer is the latter, there is less concern, but if there is an expectation for operational integration or shared functions, such as Planning or Logistics, sticking to the standards is even more important.

I’m interested to hear your thoughts on ICS customization, the reasons behind it, and the ramifications of it.  Fire away!

© 2017 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC

My DHS Idea Campaign

No, it’s not my DHS Idea.  It’s theirs.  DHS’, that is.  The ‘My DHS Idea Campaign’ has been developed to solicit input from the private sector about homeland security matters that concern them and what they view as priorities.  This information will help inform the legally required 2018 Quadrennial Homeland Security Review, which is slated to be provided to Congress in December of 2017.

Information on the campaign is provided below.  From the link provided, you can browse ideas submitted by others and submit your own ideas.  If you are a member of the private sector, please take a look and provide your input.

-TR

 

download

My DHS Idea Campaign

The U.S. Department of Homeland Security (DHS) would like to hear from you about the homeland security issues that concern you and your community.

DHS is in the process of completing a major strategic review of the Department’s programs and priorities, and will deliver its finished product – the 2018 Quadrennial Homeland Security Review – to Congress in December 2017.  As part of the review, DHS is inviting members of the private sector to participate in the online “My DHS Idea” campaign.

These are some of the important missions staff of DHS performs every day:

  • Counterterrorism;
  • Border security;
  • Immigration enforcement;
  • Trade enforcement and facilitation;
  • Drug interdiction;
  • Disaster preparedness and response; and
  • Cyber security.

What homeland security issues do you care about?  What areas should DHS prioritize?  What are the most pressing risks facing your community and the nation as a whole?

Using the IdeaScale platform, you can post your own ideas to address the homeland security challenges that are important to you and your community, comment on other people’s ideas, and vote on the issues and approaches you think are the most important for DHS to consider.  This interactive format allows everyone on the site to see the issues that are most important to other participants, and which ideas generate the most interest and support.  The Department’s Office of Policy staff will moderate and contribute to discussions on an occasional basis incorporating key ideas into the strategy review process as appropriate.

You can find the link to the DHS IdeaScale site at https://homelandsecurity.ideascale.com/.  Registration is quick and easy.

Supporting a Public Safety Training Program

Today happens to be National Teacher’s Day.  Be sure to show some appreciation for the teachers and professors who have influenced you and provide quality experiences for your kids.  Also consider expanding the definition of ‘teacher’.  In the public safety professions, we do a lot of training.  Some of us have structured academies, and while others may not, there are a lot of training opportunities provided locally, state-wide, and nationally.  Depending on the size and scope of your agency, you may run your own training program for internal, and potentially external stakeholders.

For a few years, I ran the training and exercise program of a state emergency management agency.  We delivered training programs state-wide to a variety of stakeholders.  We also developed some training programs to address needs which curricula from FEMA or other national providers could not meet.  Fundamentally, delivering training is easy, but properly managing a training program can have challenges.  Some thoughts…

  • Find the right people for the job. While we hired some personnel full time to be trainers, we also used people from elsewhere in the agency, as well as personnel from partner agencies, and hired some as 1099 employees.  There are a lot of highly qualified individuals in public safety – if you don’t know any, just ask, and they will be sure to tell you!  Assuming their qualifications are valid, are the most experienced and knowledgeable people always the best instructors?  Absolutely not.  While they may be subject matter experts, it doesn’t mean they have good presentation skills, much less comfort in doing so.  On the flip side, you might also have someone with little experience who has great delivery skills.  That might be a person to develop.
  • Quality control. When people are delivering training, peek in once in a while.  I traveled around the state regularly, and once in a while would see if one of our courses was being held somewhere along my route.  If I had the time, I would stop in and see how things were going.  While the visit was a surprise, our instructors knew this is something that might happen.  There are a few things this accomplishes.  First of all, it gives you an opportunity to observe and provide feedback.  Everyone can improve, and hopefully they can handle some constructive feedback.  Evaluation, formal or informal, is positive for the instructor and the program.  Look for consistency of practice (see the next bullet point) and professionalism.  On one of my surprise visits, I found an instructor wearing jeans and a sweatshirt.  When I discussed it with him, his response was that he was ‘retired’ (teaching for the agency was a retirement job for him) and that he could do whatever he wanted to.  After that discussion was happy to retire him further. Stopping in also shows support for your instructors and for the program as a whole.  Weather traveling across the state or down the hall, instructors want to know they are being supported.  A big part of support is simply being present.
  • Consistency counts. Training programs should be consistent.  While we might change around some examples or in-class scenarios, training delivered in one location by instructor a should largely match the training delivered another day, in a different location by instructor b.  Coming up through the ranks as a field trainer, I was part of a group that wanted to heavily modify the courses we delivered.  As I rose to management, I realized how detrimental this was.  If improvements are warranted, work with your instructors to integrate those improvements into the course.  Make sure that improvements are in line with best practices, not only in instructional design (remember: content must match objectives), but also with the subject matter.  Consistency not only ensures that all your learners are provided the same information, but also makes your curriculum and instructors more legally sound.  Too often we see instructors ‘going rogue’, thinking that they know a better way.
  • Programs need systems. A big part of building and maintaining a program is having adequate systems in place.  Systems require policies, procedures, and tools.  This is largely the behind the scenes stuff of a training program.  This includes annual curriculum reviews, performance reviews of instructors, selection/hiring and firing of instructors, maintaining instructors (see the next bullet), ordering course materials, maintaining training records, posting a course, course registrations, course cancellations, and so much more.  While it sounds bureaucratic, there should be a piece of paper that covers every major activity, identifying how it’s done, by who, with what approvals, and at what time.  Systems make sure that things aren’t missed, give you a basis of performance to evaluate the system and to train new staff, and help ensure consistency.  Systems contribute to your professionalism and are also good practices for business continuity.  Lots of credit to Cindy who was highly dedicated to establishing systems!
  • Keep instructors engaged. With either a large or small training shop, it’s important to maintain contact with your instructors.  Not just in handing them assignments and shuffling paperwork, but to really engage them.  We established twice a year ‘instructor workshops’, bringing our instructors together for two days.  From a management and administrative perspective, we used some of this time to express appreciation for their work, and provide information on curriculum updates and other information.  We encouraged much of the workshop agenda to be developed by the instructors themselves, with professional development provided by their peers.  This could include instructor development, after action reviews of incidents, case studies, and a variety of other activities and information.

Those are just a few tips and lessons learned.  I’m sure you may also have some to add to the list – and please do!

© 2017 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC

Emergency Alerting – A Case Study

Two days ago, much of the northeast was subject to a powerful storm front, which brought high winds, torrential rains, lightning, and several yet to be confirmed tornadoes.  Corresponding with these threats, areas saw a variety of National Weather Service warnings and watches.  Needless to say, when this emergency alert came up on my phone in the midst of these storms, I assumed the shelter in place order was weather related.  Well, you know what they say about assuming things… and of course I should have known better.

While the area of the alert didn’t impact me, Whitestown is just a couple of towns over, so after a few minutes I figured I should do a bit of research to see if whatever prompted the alert might eventually impact my area.  Unfortunately, ‘pressing for more’, as the alert message indicates, gave no further information.  News media in my area is notoriously slow and uninformative for a period of time, something that held true with this event as well.  Approximately 20 minutes later, a local news outlet Tweeted a message about law enforcement activity in that area related to an armed suspect.

Public information and warning is a big deal.  When we don’t communicate clearly and concisely with the public, we can suffer unintended consequences. While I’m not aware of any severe unintended consequences from the lack of any additional information from this emergency alert, officials must understand that the public (and other public safety professionals) want additional information.  They may also need it so they can make better decisions.

This particular example certainly should have included some brief context as to why the alert was issued.  Given the standing tornado watch which was in place at the time, I’m sure there were plenty of others who assumed this was for a tornado or other storm activity.  Such an occurrence would give me cause to gather my family in the basement for safety, rather than locking my doors, closing my blinds, and ensure that no family members left the house.  Shelter in place can mean a lot of things to different people and adding context could have assisted with ensuring better public safety.  There was also no follow up to this alert lifting the shelter in place message.  (Note: the ‘No longer in effect’ tag is my own, as an effort to be responsible with the image)

While I applaud the use of public alerting tools, issues such as this are seen far too often.  Jurisdictions should have public information and warning components to their emergency operations plans, with specific procedures outlined for not only how to activate an alert, but the proper messaging which should be included to maximize message effectiveness.  Sure, you do it, but do you do it well?

What do you do to ensure effectiveness of your messaging?

© 2017 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC