Updated IS-100 Course: Missing the Target

Earlier this week, FEMA’s Emergency Management Institute (EMI) released course materials, including student manual, handouts, instructor guide, and visuals, for the updated IS-100/ICS-100: An Introduction to the Incident Command System.  Note that this update (IS-100.c) has been available online since the summer.  The release of materials, however, included no errata, so absent comparing the previous version to this, I can’t speak specifically to what the changes include, though I’m aware from their release of the online course several months ago that there were adjustments to account for some of the revised content of the third edition of the NIMS doctrine, released in October of last year.

Those familiar with my running commentary for the past few years of ‘ICS Training Sucks’ are aware that much of my wrath was focused on the ICS-300 and ICS-400 courses.  That said, with the release of the third edition of NIMS (my review of the document can be found here), there were some needed additions to incident management fundamentals and my realization that the ICS-100 and ICS-200 courses are ignoring a significant population of professionals in their content.  While ICS itself was largely built for field personnel working within a command (vice coordination) structure, over the years, the prevalence of various forms and types of emergency operations centers (EOCs) has grown significantly.  One of the biggest additions in the most recent version of the NIMS document was, in fact, the inclusion of much more meaningful content on EOCs and their potential organizational models.  While still a minority compared to first responders, there is a significant audience of people taking ICS-100 because of their assignment to a local, county, state, or organizational EOC.  Yet, the ICS-100 materials have scantly more than ONE SLIDE talking about EOCs.

Yes, we do have courses such as the ICS/EOC Interface course and others that dive deeper into EOC operations and how they coordinate with each other and with command structures, but the introduction to all of this is often the ICS-100 course, which all but ignores EOCs and the audiences who primarily serve in them.  In fact, there are many jurisdictions that require EOC personnel to have ICS training (smartly), which starts with the ICS-100 course (why?  Because it’s the best/only thing generally available to them), but I’m sure many people taking the course are a bit confused, as it doesn’t speak at all to their role.  While I feel that ICS training for EOC personnel is important, an introductory course like this should include a bit more on EOCs.

As with my original writing on ICS Training Sucks, I bring this back to the fundamentals of instructional design, which is focused on the AUDIENCE and what THEY NEED TO LEARN.  It’s evident that these fundamentals are being ignored in favor of a quick update, which might change some content but does not improve quality.  Let’s actually look at who are audience groups are and either incorporate them all into the course, or develop another course and curriculum to meet their specific needs (aka EOC-100).  Otherwise, they are simply ignoring the fact that what is currently available is like fitting a square peg into a round hole.  Sure it fills a lot of space, but there are also some significant gaps.

While a number of jurisdictions have identified this need and developed their own EOC training, there are a lot of standards and fundamentals that could be addressed by FEMA in a national curriculum.  This is certainly a missed opportunity, and one that makes many of our responses less than what they should be.

© 2018 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC

Advertisements

Reviewing The 2018 National Preparedness Report

The 2018 National Preparedness Report was released last week.  For the past few years, I’ve provided my own critical review of these annual reports (see 2017’s report here).  For those not familiar with the National Preparedness Report (NPR), it is mandated by the Post-Katrina Emergency Management Reform Act (PKEMRA).  The information is compiled by FEMA from the State Preparedness Reports (SPR), including the Threat and Hazard Identification and Risk Assessment (THIRA) data submitted by states, territories, and Urban Area Security Initiative (UASI) – funded regions.  The data presented is for the year prior.  The SPRs and NPR examine the condition of our preparedness relative to the 32 Core Capabilities identified in the National Preparedness Goal.

Overall, the NPR provides little information, certainly nothing that is really shocking if you pay attention to the top issues in emergency management.  Disappointingly, the report only covers those Core Capabilities identified for sustainment or improvement, with no more than a graphic summary of the other Core Capabilities.

Core Capabilities to Sustain

Operational Coordination was identified as the sole Core Capability to sustain in this year’s report.  I’ve got some issues with this right off.  First of all, they summarize their methodology for selecting Core Capabilities to sustain: ‘To be a capability to sustain, the Nation must show proficiency in executing that core capability, but there must also be indications of a potentially growing gap between the future demand for, and the performance of, that capability.’  To me, what this boils down to is ‘you do it well, but you are going to have to do it better’.  I think most EM professionals could add to this list significantly, with Core Capabilities such as Planning; Public Information and Warning; Public Health, Healthcare, and EMS; Situational Assessment; and others.  Distilling it down to only Operational Coordination shows to me, a severe lack of understanding in where we presently are and the demands that will be put on our systems in the future.

Further, the review provided in the report relative to Operational Coordination is pretty soft.  Part of it is self-congratulatory, highlighting advances in the Core Capability made last year, with the rest of the section identifying challenges but proving little analysis.  Statements such as ‘Local governments reported challenges with incident command and coordination during the 2017 hurricane season’ are put out there, yet their single paragraph on corrective actions for the section boils down to the statement of ‘we’re looking at it’.  Not acceptable.

Core Capabilities to Improve

The 2018 report identifies four Core Capabilities to improve:

  • Infrastructure Systems
  • Housing
  • Economic Recovery
  • Cybersecurity

These fall under the category of NO KIDDING.  The writeups within the NPR for each of these superficially identifies the need, but doesn’t have much depth of analysis.  I find it interesting that the Core Capability to sustain has a paragraph on corrective actions, yet the Core Capabilities to Improve doesn’t.  They do, instead, identify key findings, which outline some efforts to address the problems, but are very soft and offer little detail.  Some of these include programs which have been in place for quite some time which are clearly having limited impact on addressing the issues.

What really jumped out at me is the data provided on page 9, which charts the distribution of FEMA Preparedness grants by Core Capability for the past year.  The scale of their chart doesn’t allow for any exact amounts, but we can make some estimates.  Let’s look at four of these in particular:

  • Infrastructure Systems – scantly a few million dollars
  • Housing – None
  • Economic Recovery – Less than Infrastructure Systems
  • Cybersecurity – ~$25 million

With over $2.3 billion in preparedness funding provided in 2017 by FEMA, it’s no wonder these are Core Capabilities that need to be improved when so few funds were invested at the state/territory/UASI level.  The sad thing is that this isn’t news.  These Core Capabilities have been identified as needing improvement for years, and I’ll concede they are all challenging, but the lack of substantial movement should anger all emergency managers.

I will agree that Housing and Cybersecurity require a significant and consolidated national effort to address.  That doesn’t mean they are solely a federal responsibility, but there is clear need for significant assistance at the federal level to implement improvements, provide guidance to states and locals, and support local implementations.  That said, we can’t continue to say that these areas are priorities when little funding or activity is demonstrated to support improvement efforts.  While certain areas may certainly take years to make acceptable improvements, we are seeing a dangerous pattern relative to these four Core Capabilities, which continue to wallow at the bottom of the list for so many years.

The Path Forward

The report concludes with a two-paragraph section titled ‘The Path Forward’, which simply speaks to refining the THIRA and SPR methodology, while saying nothing of how the nation needs to address the identified shortcomings.  Clearly this is not acceptable.

~~

As for my own conclusion, while I saw last year’s NPR as an improvement from years previous, I see this one as a severe backslide.  It provides little useful information and shows negligible change in the state of our preparedness over the past year.  The recommendations provided, at least of those that do exist, are translucent at best, and this report leaves the reader with more questions and frustration.  We need more substance beginning with root cause analysis and including substantial, tangible, actionable recommendations.  While I suppose it’s not the fault of the report itself that little improvement is being made in these Core Capabilities, the content of the report shows a lack of priority to address these needs.

I’m actually surprised that a separate executive summary of this report was published, as the report itself holds so little substance, that it could serve as the executive summary.  Having been involved in the completion of THIRAs and SPRs, I know there is information generated that is simply not being analyzed for the NPR.  Particularly with each participating jurisdiction completing a POETE analysis of each Core Capability, I would like to see a more substantial NPR which does some examination of the capability elements in aggregate for each Core Capability, perhaps identifying trends and areas of focus to better support preparedness.

As always, I’m interested in your thoughts.  Was there anything you thought to be useful in the National Preparedness Report?

© 2018 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC

Expanding Hazard Mitigation Plans to Truly Address All Hazards

Planning efforts and documents are incredibly central to everything we do in preparedness.  When we look at the spectrum preparedness elements of Planning, Organizing, Equipping, Training, and Exercises (POETE), ‘planning’ being first should be a reminder that everything goes back to planning.  Our organizations, equipment, training, and exercises should all reflect back on plans.  These aren’t just emergency operations plans, either, but should include all plans.

A fundamental plan for many jurisdictions is the hazard mitigation plan.  Most responders tend to ignore this plan as it’s not about response, but it has a great deal of valuable information.  Hazard mitigation plans are built on a lot of research and data analysis, trends, and science behind a variety of hazards that could impact the area.  For as much as hazard mitigation plans can get neck-deep into science, they are not only good references but can be built into good, actionable plans.  The leadership of practically every agency in a jurisdiction should be involved in the development and update of hazard mitigation plans and be knowledgeable of what they contain.  That said, there are a couple of issues I have with how hazard mitigation plans are done.

First of all, they should be developed to be more than a catalog of information, which is how many are built.  We should be able to do something with them.  FEMA’s standards for hazard mitigation planning have gotten better and better through the years, thankfully.  While their standards include the identification of potential projects for a jurisdiction to address hazards, I’ve seen many plans (and the firms that develop them) cut this section particularly short.  I’ve seen plans developed for major jurisdictions having only a handful of projects, yet I’ve had experience developing plans for much smaller jurisdictions and identifying a significant list of prioritized projects.  While the onus is ultimately on the stakeholders of the jurisdiction to identify projects, consulting firms should still be actually consulting… not just regurgitating and formatting what stakeholders provide them.  A good consultant will advise, suggest, and recommend.  If your consultant isn’t doing so, it’s probably time to find someone else.

The second issue I have with hazard mitigation plans is that so many truly aren’t ‘all-hazard’.  Many hazard mitigation plans address natural hazards and some human-caused hazards, such as damn failures and hazardous materials incidents.  Rarely do we see hazard mitigation plans addressing hazards such as cyber attacks or active shooter/hostile event response (ASHER) incidents.  There are some obvious issues with this.  First, the hazard mitigation plan is generally looked upon to have the best collection of data on hazards for the jurisdiction.  If it excludes hazards, then there is no one good place to obtain that information.  This is particularly dangerous when other plans, such as EOPs, may be based upon the hazards identified in the hazard mitigation plan.  As I mentioned at the beginning, if something isn’t referenced in our planning efforts, it’s likely not to be included in the rest of our preparedness efforts.  Second, if these other hazards aren’t in our hazard mitigation plans, where are we documenting a deliberate effort to mitigate against them?  While hazards like cyber attacks or ASHER incidents are generally seen to be mitigated through actions labeled ‘prevention’ or ‘protection’, they should still be consolidated into our collective mitigation efforts.  Those efforts may transcend traditional hazard mitigation activities, but why would we let tradition impede progress and common sense?  A fire wall should be listed as a hazard mitigation project just as flood control barrier is.  And bollards or large planters are valid hazard mitigation devices just as much as a box culvert.

Let’s be smart about hazard mitigation planning.  It’s a foundational element of our comprehensive preparedness activities.  We can do better.

© 2018 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC

NIMS Alert: NQS Qualifications and Task Books for Recovery, Mitigation, and Incident Evaluation

The National Integration Center (NIC) has been busy with developing more National Qualification System (NQS) tools for incident management.  Here are the titles for the latest release open to public comment:

  • Damage Assessment Coordinator
  • HM Community Education and Outreach Specialist
  • HM Community Planner Specialist
  • HM Engineering and Architect Specialist
  • HM Floodplain Management Specialist
  • EHP Environmental Specialist
  • EHP Historic Preservation Specialist
  • Incident/Exercise Evaluator
  • Public Assistance
  • State Disaster Recovery Coordinator

There may be some incident management and response purists out there wondering why they should care about these particular titles.  I’ll agree that most of them aren’t used in a life-saving response capacity, but these are the people you want to have backing you up – otherwise you may never get away from the incident and you will find yourself in a very foreign land where complex requirements from FEMA and other federal agencies are the rules of play.

Having worked disaster recovery for some massive incidents, such as Hurricane Sandy, I can personally attest to the value so many of these people bring to the table.  It’s great to see qualification standards being established for them, just as they are for core incident management team personnel and resources.  While my experience with most of these is ancillary, however, I’ll leave specific commentary on them to those functional experts.

There is one role in here that I’m particularly pleased to see and will comment on, and that’s the Incident/Exercise Evaluator.  I wrote last year on this topic specifically and have reflected on its importance in other posts.  I see the inclusion of an Incident Evaluator in the NQS as being a huge success and the beginning of a conscious and deliberate shift toward evaluation and improvement in what we do.  Looking at the resource typing definition, I’m pretty pleased with what the NIC has put together.

What I like… I appreciate that they include a note indicating that personnel may need additional training based upon the nature or specialization of the incident or exercise.  They include a decent foundation of NIMS/ICS, exercise, and fundamental emergency management training across the various position types (although most of these are FEMA Independent Study courses -which I think are great for introductory and supplemental matter, but shouldn’t be the only exposure personnel have), including a requirement of completion of the Homeland Security Exercise and Evaluation Program (HSEEP) for a Type 1.

What I feel needs to be improved…  Considering that the Type 1 Incident/Exercise Evaluator is expected to lead the evaluation effort, I’d like to see more than just HSEEP training being the primary discerning factor.  Just because someone has completed HSEEP doesn’t mean they can plan a project, lead a team, or extrapolate HSEEP exercise evaluation practices to be effective for incident evaluation.  I suggest HSEEP should be the requirement for the Type 2 position (which would correlate well to the position description), with additional training on project management and leadership supporting the Type 1 position.  While the note is included re: the potential need for additional training, there is nothing in this about operational experience, which I think is rather important.  Lastly, this seems to identify a need for course and/or guidance specific to incident evaluation, which can and should use the principals of HSEEP as its foundation, but identify the differences, best practices, and approaches to applying them to an incident or event.

I’d love to hear your thoughts on incident evaluation as well as the other positions being identified in the NQS. Do you participate in the national engagements and provide feedback?

© 2018 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC™

 

 

FEMA’s 2017 Hurricane Season AAR

A few days ago, FEMA published its after action report (AAR) for the 2017 hurricane season.  Unless you’ve been living under a rock, you probably know that last year was nothing short of devastating.  The major hurricane activity revolved around Hurricane Harvey (Texas), Hurricane Irma (Caribbean/South Atlantic coast), and Hurricane Maria (Caribbean), but domestic response efforts were also significantly dedicated to a rough season of wildfires in California.  While each of these major disasters was bad enough on its own, the overlap of incident operations between them is what was most crippling to the federal response.  Along with these major incidents were the multitude of typical localized incidents that local, state, and some federal resources manage throughout the year.  2017 was a bad year for disasters.  I don’t think any nation could have supported disaster response as well as the US did.

No response is ever perfect, however, and there were certainly plenty of issues associated with last year’s hurricane responses. Politicians and media outlets made issues in Texas and Puerto Rico very apparent.  While some of these issues may rest on the shoulders of FEMA and other federal agencies, state and local governments hold the major responsibility for them.

This FEMA AAR contains good information, perspective, and reflections.  There are a lot of successes and failures to address.  While I’m not going to write a review of the entire document, which you can read for yourself, but I will discuss a few big-picture items and highlight a few specifics.

First, is the overall organization of the document.  The document is organized through reflection across each of five ‘focus areas’.  I’m not sure why this was the chosen approach.  The doctrinal approach should be a reflection on Core Capabilities, as outlined in the National Preparedness Goal.  Some of these focus areas seem to easily align with a Core Capability, such as ‘Sustained Whole Community Logistics Operations’, which gives me reason to wonder why Core Capabilities were not referenced.  While we use Core Capabilities as a standard in exercises, the purpose for them being part of the National Preparedness Goal is so that we have a standard of reference throughout all preparedness activities.  Any AAR – incident, event, or exercise – should bring us back to preparedness activities.

The second issue I have with the document is the focus.  While it’s understood that this is FEMA’s AAR, not a wholistic federal government AAR, it’s almost too FEMA-centric.  The essence of emergency management is that emergency management agencies are coordination bodies, as such, most of their work gets accomplished through coordinating with other agencies.  While it’s true that FEMA certainly has a significant work force and resources, the AAR seems to stop at the inside threshold of FEMA headquarters, without taking the additional step to acknowledge follow-on actions from a FEMA-rooted issue that may involve other agencies.

Among the positive takeaways were some of the planning assumptions outlined in the report.  There is a short list of planning assumptions on page 9, for example, that provide some encouraging comparisons between planning assumptions and reality.  This is a great reminder for local and state plans to not only include numbers and percentages in their planning assumptions, which will directly lead to identifying capability and resource gaps, but to also reality check those numbers after incidents.

Page 10 of the repost highlights the success of FEMA’s Crisis Action Planning groups.  These groups identified future issues and developed strategies to address these issues.  This is actually an adaptation of an underutilized function within the ICS Planning Section to examine potential medium and long-term issues.

Pages 11 and 12 highlight how Threat and Hazard Identification and Risk Assessment (THIRA) data from states and UASIs can inform response.  It’s encouraging to see preparedness data directly inform response.  I hope this is something that will continue to evolve.

Pages 22 and 23 discuss the staffing issues FEMA had with massive overlapping deployments.  Along with their regular full time workforce, FEMA also deployed a huge volume of their cadre personnel.  They also tapped into a pilot program called State Supplemental Staffing.  While there were some administrative and bureaucratic difficulties, it seems to have been considerably successful.

Overall, this is a good document citing realistic observations and recommendations.  While the document is FEMA-centric, the way of FEMA is the way of emergency management in the US, so it’s always worth keeping an eye on what they are doing, as many of their activities have reach to state and local governments we as other federal agencies.

What important concepts jumped out at you?

© 2018 Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC™

Updated NIMS and ICS Courses

Be sure to head over to https://training.fema.gov/is/ to check out the updated IS-100.c (Introduction to the Incident Command System) and IS-700.b (Introduction to the National Incident Management System).  These courses have been updated to reflect the ‘refreshed’ NIMS doctrine, which includes some information on EOC structures, among other things.  For my review of the NIMS refresh, check out this article.

©2018 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC ™

An Updated Comprehensive Preparedness Guide 201 (THIRA/SPR)

In late May, FEMA/DHS released an updated version of Comprehensive Preparedness Guide (CPG) 201.  For those not familiar, CPG 201 is designed to guide communities and organizations through the process of the Threat and Hazard Identification and Risk Assessment (THIRA).  This is the third edition of a document that was originally released in April 2012.  This third edition integrates the Stakeholder Preparedness Review (SPR) into the process.  Note that ‘SPR’ has commonly been an acronym for State Preparedness Report, which is also associated with the THIRA.  The goal of the Stakeholder Preparedness Review appears to be fundamentally similar to that of the State Preparedness Report which some of you may be familiar with.

Picture1

First of all, a few noted changes in the THIRA portion of CPG 201.  First, FEMA now recommends that communities complete the THIRA every three years instead of annually.  Given the complexity and depth of a properly executed THIRA, this makes much more sense and I fully applaud this change.  Over the past several years many jurisdictions have watered down the process because it was so time consuming, with many THIRAs completed being more of an update to the previous year’s than really being a new independent assessment.  While it’s always good to reflect on the progress relative to the previous year, it’s human nature to get stuck in the box created by your reference material, so I think the annual assessment also stagnated progress in many areas.

The other big change to the THIRA process is elimination of the fourth step (Apply Results).  Along with some other streamlining of activities within the THIRA process, the application of results has been extended into the SPR process.  The goal of the SPR is to assess the community’s capability levels based on the capability targets identified in the THIRA.  Despite the THIRA being changed to a three-year cycle, CPG 201 states that the SPR should be conducted annually.  Since capabilities are more prone to change (often through deliberate activities of communities) this absolutely makes sense. The SPR process centers on three main activities, all informed by the THIRA:

  1. Assess Capabilities
  2. Identify and Address Gaps
  3. Describe Impacts and Funding Sources

The assessment of capabilities is intended to be a legacy function, with the first assessment establishing a baseline, which is then continually reflected on in subsequent years.  The capability assessment contributes to needs identification for a community, which is then further analyzed for the impacts of that change in capability and the identification of funding sources to sustain or improve capabilities, as needed.

An aspect of this new document which I’m excited about is that the POETE analysis is finally firmly established in doctrine.  If you aren’t familiar with the POETE analysis, you can find a few articles I’ve written on it here.  POETE is reflected on several times in the SPR process.

So who should be doing this?   The document references all the usual suspects: state, local, tribal, territorial, and UASI jurisdictions.  I think it’s great that everyone is being encouraged to do this, but we also need to identify who must do it.  Traditionally, the state preparedness report was required of states, territories, and UASIs as the initial recipients of Homeland Security Grant Program (HSGP) sub-grants.  In 2018, recipients of Tribal Homeland Security Grant Program funds will be required to complete this as well.  While other jurisdictions seem to be encouraged to use the processes of CPG 201, they aren’t being empowered to do so.

Here lies my biggest criticism…  as stated earlier, the THIRA and SPR processes are quite in-depth and the guidance provided in CPG 201 is supported by an assessment tool designed by FEMA for these purposes.  The CPG 201 website unfortunately does not include the tool, nor does CPG 201 itself even make direct reference to it.  There are vague indirect references, seeming to indicate what kind of data can be used in certain steps, but never actually stating that a tool is available.  The tool, called the Universal Reporting Tool, provides structure to the great deal of information being collected and analyzed through these processes.  Refined over the past several years as the THIRA/SPR process has evolved, the Universal Reporting Tool is a great way to complete this.  As part of the State Preparedness Report, the completed tool was submitted to the FEMA regional office who would provide feedback and submit it to HQ to contribute to the National Preparedness Report.  But what of the jurisdictions who are not required to do this and wish to do this of their own accord?  It doesn’t seem to be discouraged, as jurisdictions can request a copy from FEMA-SPR@fema.dhs.gov, but it seems that as a best practice, as well as a companion to CPG 201, the tool should be directly available on the FEMA website.  That said, if the THIRA/SPR is being conducted by a jurisdiction not required to do so, the tool would then not be required – although it would help.

Overall, I’m very happy with this evolution of CPG 201.  It’s clear that FEMA is paying attention to feedback received on the process to streamline it as best they can, while maximizing the utility of the data derived from the analysis.  A completed THIRA/SPR is an excellent foundation for planning and grant funding requests, and can inform training needs assessments and exercise program management (it should be used as a direct reference to development of a Training and Exercise Plan).

For those interested, EPS’ personnel have experience conducting the THIRA/SPR process in past years for a variety of jurisdictions and would be happy to assist yours with this updated process.  Head to the link below for more information!

© 2018 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC ™