NFPA 1600/NFPA 1660 and ISO 22301 Compared

 

NFPA 1600 / NFPA 1660 & ISO 22301
A Comparison

NFPA 1600 “Standard on Continuity, Emergency, and Crisis Management,” 2019 edition and ISO 22301 “Business continuity management systems — Requirements,” 2019 edition are the leading standards for programs or management systems for preparedness and resilience.

Brief History and Usage of NFPA 1600 and ISO 22301

NFPA 1600 is an American National Standards Institute (ANSI) accredited national standard. Its first edition was published in 1995, and 2019 is the 8th edition. It was endorsed as the USA’s “National Preparedness Standard” in PL 110 53 in 2007. NFPA 1600 was also the basis for the Emergency Management Accreditation Program’s EMAP Standard. NFPA 1660, “Standard for Emergency, Continuity, and Crisis Management: Preparedness, Response, and Recovery,” 2024 edition is a compilation of NFPA 1600 with NFPA 1616, “Standard on Mass Evacuation, Sheltering, and Re-entry Programs,” 2020 edition and NFPA 1620, “Standard for Pre-Incident Planning,” 2020 edition. Chapters 4-10 of 1600 and 1660 are essentially the same. NFPA 1600 has not been withdrawn, and all editions of NFPA 1600 are still available.

ISO 22301, 2019 edition is the second edition and cancels and replaces the first edition published in 2012. British Standard BS 25999 was the basis for the first edition.

Both standards are used extensively around the world. NFPA 1600 is predominant in the Western Hemisphere and was used as the basis of standards in Canada (Z1600) and several countries in South America. Parts of NFPA 1600 have also been incorporated into or used as the basis for emergency planning regulations in the USA. NFPA 1600 is used extensively in the Middle East and countries in East Asia. ISO 22301 is predominant in Europe and used extensively in the United States.

What are the main differences between the two standards?

ISO 22301 is one of many ISO “management systems standards.” The underlying requirements for the management system are more extensive than the program management requirements in NFPA 1600. ISO 22301 and all ISO management system standards align with the “Plan, Do, Check, Act” cycle. NFPA 1600 is written following a program management, planning, implementation, execution, training/education, exercises/tests, and maintenance/improvement process.

Click to read the full Preparedness Bulletin. 

Tools to assist with the evaluation of programs and management systems

Preparedness, LLC has compiled two self-assessment checklists--one based on NFPA 1600/1660 and the other based on ISO 22301--that provide hundreds of questions aligned with the two leading international standards. Click to download in Adobe PDF format.

NFPA 1600 +1610 +1616 = NFPA 1660

NFPA 1660, Standard for Emergency, Continuity, and Crisis Management: Preparedness, Response, and Recovery, 2024 edition has been approved by the National Fire Protection Association as an American National Standard. 

NFPA 1600, “Standard on Continuity, Emergency, and Crisis Management,” 2019 edition, NFPA 1616, “Standard on Mass Evacuation, Sheltering, and Re-entry Programs,” 2020 edition, and NFPA 1620, “Standard for Pre-Incident Planning” 2020 edition, have been consolidated into a new standard, NFPA 1660. The technical committees responsible for these standards worked together to complete the consolidation, and the three committees continue to exist at this time.

The National Fire Protection Association’s consolidation plan for its Emergency Response and Responder Safety standards with “similar content areas” is intended to “increase usability, reduce errors and conflicts, and ultimately produce higher quality standards.” 

NFPA 1600 2019 edition’s chapters 4 through 10 are almost without change within the new 1660 and have retained their numbering. Chapter 1, “Administration” has been expanded to encompass the broader scope, purpose, and application of the three predecessor standards. An expanded list of publications can be found in Chapter 2, and a much longer list of definitions can be found in Chapter 3. A new section 4.1 “Administration” encompasses the scope, purpose, and application from 1600-2019 requiring subsections to be renumbered 4.2 through 4.9. Otherwise, there are no significant changes to the text from chapters 4-10 of NFPA 1600-2019.

A digital version of the new NFPA 1660 is viewable on the NFPA website, and the printed and PDF versions will be available from NFPA on January 27.

____________

Donald L. Schmidt, CEO of Preparedness, LLC has been a member of the NFPA 1600 technical committee since 1994 and served as chair for the 2010, 2013, and 2016 editions. He has also been a member of the NFPA 1620 technical committee since 1995.

Download Preparedness, LLC’s program self-assessment checklist that is based on NFPA 1600 (and chapters 4-10 of NFPA 1660). It includes more than 200 questions to help you evaluate your preparedness program.

Emergency Operations Plans

 

An employee complains of chest pains. A delivery truck backs into the gas meter, and a strong odor of gas invades the building. A “suspicious” package is found in the unattended lobby. Gunfire erupts in the shop area, and coworkers are fleeing. A severe thunderstorm warning has been issued following an earlier tornado watch. Blocks away a group of protesters is growing larger. The power goes out on a bitterly cold day. Water is leaking through the ceiling of the server room.

Who is going to act? What actions should be taken to safeguard life and protect property? How quickly can they react? How effectively can they act? The actions taken in the critical initial minutes of an emergency often dictate the outcome.

An emergency operations plan that is risk-based, makes best use of available internal and external resources, and is executable by an organization with defined roles and responsibilities is essential.

Objectives, Priorities & Resources

The number one priority of emergency operations is to safeguard life. Other objectives include protection of property, the environment, and the organization’s reputation. Continuity of business operations benefits from effective emergency operations.

Priorities for emergency operations become apparent when conducting a risk assessment. Threats and hazards with high probability of occurrence or potential for significant impacts should be high on the list. The increasing frequency and severity of civil unrest, active shooter incidents, wildland fire, power outages, and severe weather warrants the need for enhanced planning.

Often overlooked when considering objectives and priorities is the availability and capabilities of internal and external resources. Are sufficient personnel with the required knowledge, skills, and abilities available during operational hours to respond to foreseeable threats? Are facilities protected with detection, alerting, warning, suppression, and life safety systems that have been designed, installed, and maintained in accordance with national standards? What are the capabilities of public emergency services, their knowledge of the facility and its hazards, and their response times? Answers to these questions will identify resource limitations that must be overcome for effective response to emergencies.

Planning for Emergencies

The emergency operations plan is a product of a process that includes understanding risk, the availability and capabilities of resources, and applicable regulatory and accreditation requirements. The risk assessment identifies threats and hazards that require protective actions. The resource needs assessment identifies the required personnel, competencies, systems, equipment, and supplies for response to the identified risks. The assessment also evaluates the availability and capabilities of resources and identifies limitations that must be overcome. Minimum requirements for emergency response are established by applicable Federal and state health, safety, and environmental regulations, state and local fire codes, and accreditation requirements (e.g., Joint Commission for health care facilities).

Together, the risk assessment, resource needs assessment, regulations, and accreditation requirements inform decisions about the functions of incident management teams and the actions they will take.

Download the Preparedness Bulletin "Emergency Operations Plans" to learn more about:

• Planning committee
• Regulations & standards
• Risk assessment & impact analysis
• Incident management team
• Alerting, warning, and communications 
• Incident management facilities 
• Emergency operations plan
• Concept of operations
• Incident management system
• Protective actions for life safety
• Threat or hazard-specific tactical plans
• Crisis communications
• Implementation, maintenance & continuous improvement

 Winter Weather Preparedness & Response

Arctic freeze, heavy snow, high winds, blizzard conditions, freezing rain, and flooding are winter’s challenges to maintaining a safe and operational facility. Before winter weather watches and warnings are broadcast, prepare your facility and your employees. Preparations now can save costly damage to facilities and equipment and maintain business operations.

A snowplow on the streets of Denver during a blizzard. (Photo credit: FEMA)

Winter storms caused $2.1 billion in insured losses in 2019, compared with about $3 billion in 2018, according to insurer Munich Re and reported by the Insurance Information Institute[1]. The costliest U.S. winter storm, occurring March 11-13, 1993 affecting 24 states, caused $5 billion in losses[2]. Winter storms and cold waves are the third leading cause of natural disaster losses behind severe thunderstorms and flooding. 

The impact of major snowstorms, blizzards, and ice storms on business operations can be significant. Direct costs of property damage from freeze-ups and structural failures and the cost snow removal are quantifiable. Loss of sales when manufacturing and distribution operations are shut down due to loss of utilities or supply chain disruption are harder to quantify.

Ice storms can have deadly and crippling impacts over a wide area. The January 1998 ice storm that affected Upstate New York and Northern New England resulted in 44 deaths and caused $1.4 billion damage in the U.S. and $3 billion in Canada. Ice accretion of 3 inches was reported, and widespread power outages lasted weeks. Ice storms have impacted southern states, and The Great Ice Storm of 1951 impacted a 100-mile-wide swath from Louisiana to West Virginia.[3]

Facilities are especially vulnerable to freeze-ups when planned reductions in production, shutdowns, and vacations occur. Reduced use of space heating, reduced or no heat from production equipment, and few or no personnel on-site to monitor temperature and respond to freeze conditions contribute to losses.

Read the latest Preparedness Bulletin to read more about:

• Winter Preparedness
• Preparations for Arctic Freeze and Winter Storms
• Precautions when Extreme Cold is Forecast
• Response During Winter Storms
• Safety During and After the Storm

---

[1] Facts + Statistics: Winter Storms, Insurance Information Institute, https://www.iii.org/fact-statistic/facts-statistics-winter-storms

[2] Ibid

[3] “The Nation’s Worst Ice Storms,” Weather.com, January 11, 2017

Integrated Preparedness Program

Coordinated development and implementation of program
elements can reap significant benefits.

The objectives of a preparedness program are to safeguard life, conserve property, maintain the continuity of operations, prevent environmental contamination, and protect reputations and relationships. Emergency management, business continuity, IT disaster recovery, and crisis management are common terms for programs to accomplish these objectives. Prevention and mitigation programs including occupational health and safety, fire prevention, physical/operational security, cyber/information security, environmental protection, enterprise risk management, and crisis communications also have roles achieving these objectives.

 
Significant investments in people, facilities, systems, technologies, equipment, supplies, intelligence, and time are required to establish and maintain preparedness programs. Coordinated development and implementation of program elements can reap significant benefits including an enhanced understanding and treatment of risks, enhanced response capabilities, better outcomes, reduced costs, and a reduction in duplicative efforts.

Organize to enhance coordination and to delineate roles and responsibilities

Preparedness programs of large organizations are managed at vertical levels including corporate, business units, and sites or facilities. Corporate establishes policies and manages those incidents with the potential to cause significant impacts to the corporation. Business units have responsibility for aspects of crisis management and especially for the continuity of manufacturing and service delivery integrated within their organizations. At the site or facility level, it is common for loss prevention and risk mitigation programs to be developed and managed by different internal experts. For example, security manages security risks, HR and safety manage employee risks, and IT manages technology risks.

Planning for emergencies, continuity and recovery of operations, and the protection of the organization’s reputation and relationship with stakeholders requires teams at all levels to work together. Defined roles and responsibilities for planning, development, and execution of plans and programs are essential.

Risks cross departmental boundaries and business units. Corporate’s role to monitor risk and actively manage those with potential to cause significant impacts is critical. While responsibility for crisis management may rest at the executive or corporate level, effective response is dependent on an understanding of risk, prompt incident detection, and coordinated response between and within all levels of management.

Business continuity planning must involve senior management, operations management, and leadership of the functions required to support continuity and recovery of business operations. Information technology is essential to support business operations and must be involved in business continuity planning and incident management.

When an incident occurs, the incident management team should be led by the available person with the best combination of knowledge, skills, and abilities for the type of incident. All teams must work together within a common operational framework. Defined roles and responsibilities, clear lines of authority, protocols and procedures, and resource management during an incident are essential.

Clear understanding of risk, contracts, and regulations should inform priorities for, and investment in, the preparedness program

Enterprise-wide risk assessments should inform senior management decisions about investments to achieve the goals of the preparedness program. Assessments should identify strategic risks and inform crisis management and communications programs. Business impact analyses should inform decisions to protect assets and to implement business continuity strategies. Facility risk assessments should inform decisions about accident prevention, life safety, property protection, and environmental protection.

Customer contracts may dictate business continuity priorities and requirements especially for critical suppliers. Regulations dictate minimum requirements for health and safety, environmental protection, information security, business continuity, and information technology disaster recovery.

Coordinated planning involving corporate, business units, and facilities informed by the risk profile and mindful of contractual and regulatory requirements is the best means to develop overarching preparedness program objectives and prioritize investments to achieve them.

Protocols, procedures, and technologies are essential for prompt incident response

An incident at a facility, one involving a product or service, or disruption of supply chain, infrastructure, or technology can quickly generate media attention, regulatory scrutiny, or customer dissatisfaction. Word travels fast in today’s digital world reducing reaction time.

The risk assessment should identify the types of incidents that could occur, the stakeholders potentially affected, the issues that may arise, strategies for communications, and spokespersons. Protocols defining the circumstances that require notification of management at the facility, business unit, and corporate levels must be in place. Procedures and technologies to facilitate prompt and ongoing communications should tested and ready. Roles and responsibilities for development and approval of communications to internal and external stakeholders must be defined.

Plans and procedures need to be immediately accessible, easy to use, bring together necessary resources, and initiate incident management practices

When an incident threatening life occurs, warning and protective actions must be accomplished quickly. When operations are interrupted, strategies must be implemented within predetermined recovery times to avoid unacceptable losses. Communications with stakeholders is necessary to protect relationships. Plans must provide required information in a format that will inform decision-making during the critical initial minutes of an incident.

Today’s technologies can replace the inches thick binders collecting dust on a bookshelf. Wireless access to networks provides one click access to digital information that can be formatted visually to enhance comprehension and decision-making. A click can initiate warnings, notifications, and launch multi-user forms to conduct situation assessment, develop action plans, and facilitate incident briefings. Mass notifications systems can provide real-time status of employee response to evacuation or other warnings. Multiple documents, diagrams, and resource lists can be integrated through hyperlinks to authorized persons.

Conclusion

Coordinated planning involving all levels of the organization provides the best opportunity to identify, evaluate, and prioritize risk. Risk priorities along with contractual and regulatory requirements should inform decisions about investments in a holistic preparedness program. Coordinated planning and an integrated incident management organization that defines roles and responsibilities within a common framework better informs decision-making and management of response actions, and reduces miscommunication, confusion, and blind spots.

The sum of all elements of the preparedness program is greater than the sum of the individual, disconnected pieces.

For a printable copy of this Preparedness Bulletin, go to https://bit.ly/37w3sen  

 

Civil Unrest

Amid the anxiety and angst of the worst pandemic in 100 years, the elimination of social injustice has been the rallying cry of protesters following the George Floyd incident. Peaceful demonstrations erupting into violence under the cover of darkness have been national news. Cities of all sizes have seen demonstrations—some experiencing civil unrest night-after-night for months.

 Acts of vandalism, malicious destruction of property, and arson have been perpetrated on government buildings, statues, vehicles, and other property. Public streets, highways, and public space have been blocked and barricaded to prevent the free movement of citizens and commerce. Assault, battery, and homicide have been perpetrated with bricks, stones, firearms, and other weapons. Police, protesters, counter-protesters, and innocent people have been injured. Businesses have been looted and destroyed by fire. Block after block of storefronts have been boarded up. Losses to businesses in at least 40 cities in 20 US states may come close to the costliest civil disorder in US history. [Claims Journal, June 2, 2020] 

Recent decades have witnessed protests and civil disorder surrounding issues of social injustice, world economic and trade forums, political conventions, major sporting events, and labor disputes. Riots have plagued the United States for more than half a century, and 50 countries have seen a surge in civil unrest since 2019 according to political risk consultants Verisk Maplecroft. 

Concern about protests and demonstrations like those surrounding the 2016 Presidential election have law enforcement planning for the possibility of a repeat. Directors of security worry that volatile political divisions in our society may provoke conflicts between workers escalating into acts of workplace violence. Civil unrest is now a foreseeable threat requiring preparedness. 

In this Preparedness Bulletin the following topics are covered in detail:

• Recognizing the Potential for Civil Unrest
• Weapons & Tactics
• Vulnerability & Risk Assessment
• Security, Life Safety & Emergency Planning
• Preparedness for Planned Demonstrations
• Response to Civil Unrest
• Workplace Violence 

Links to other resources are also provided to help organizations prepare for civil unrest and workplace violence.

Read the entire Preparedness Bulletin: https://bit.ly/3dNCgLd

 

Incident Management System

Florida SERT Chief briefs staff managing concurrent responses to the Covid-19 pandemic

and Hurricane Isaias.

The ongoing Covid-19 Pandemic, weeks-long civil disturbances, and numerous natural disasters emphasize the need for effective incident management. 

No longer an exclusive practice of public safety agencies, incident management system is an essential capability for all organizations to protect lives, property, business operations the environment, reputations, and stakeholder relationships. 

An incident management system (IMS) can and should be used for all incidents planned, forecast, or occurring that require activation of emergency operations, business continuity, IT Disaster Recovery, and crisis management plans. 

An incident management system is defined by NFPA 1600 as "the combination of facilities, equipment, personnel, procedures, and communications operating within a common organizational structure and designed to aid in the management of resources during incidents." 

Implementation of an IMS enhances communications, coordination, efficiency, and effectiveness by organizing and bringing together the functional roles necessary to manage any incident.

Read the full September Preparedness, LLC Bulletin: https://bit.ly/36nX3my

 

Building Resilience: ISO Standard for Business Continuity Updated

Business interruption and the potential impact on revenues, profits, contracts, and customers is an ever present concern for business executives. Hurricanes, flooding, wildfires, and now preemptive power outages are in the news. An effective business continuity management capability is essential and increasingly a customer requirement.

ISO 22301, "Business Continuity Management Systems – Requirements," is one of the two leading standards for business continuity programs along with NFPA 1600 “Standard on Continuity, Emergency, and Crisis Management,” which is published by the National Fire Protection Association.

The 2019 edition of ISO 22301 has been published by ISO and is available for purchase. ISO has also published a free publication explaining the standard: https://www.iso.org/news/ref2446.html.

Don Schmidt, CEO of Preparedness, LLC, is a long-time member of the USA’s Technical Advisory Group to ISO’s 292 and predecessor 223 committee that is responsible for ISO 22301 and related standards. He is also the past-chair of the NFPA 1600 technical committee. If you have questions about ISO 22301 or NFPA 1600, please contact us.

Cybersecurity Month

photo credit: niccs.us-cert.gov

October is Cybersecurity Month, reminding us that we must constantly protect our digital information. Businesses are constantly under attack and face potentially significant financial loss when the corporate network is compromised. Here are 10 actions to enhance cyber-security and data protection:

1.  Employee Education: Every employee (and family member) needs to be educated about cyber security. From the “C Suite” to the mail room, anyone on the network can compromise security by installing and using unauthorized software applications or browser extensions; copying files from malware infected flash drives to the network, opening phishing emails, or visiting unsafe sites. All employees should understand data protection policies and procedures. Educate employees about how personal information obtained from social media and web searches can be used by hackers to target them.

2.  Data Access: Identify confidential and company proprietary information; restrict access as needed; and verify that all confidential, proprietary, and important information is stored on drives that are backed up regularly. Educate employee and audit to verify that files are not stored on local hard drives and sharing company confidential or proprietary information with unauthorized recipients is prohibited.

3.  Physical Security: Smartphone and laptops are targeted by thieves for resale and especially for the information the devices store. Configure laptops with encrypted hard drives and ensure biometric or strong password access is enabled. Educate employees to secure laptops in hotels, meeting rooms, public places, and in vehicles. Remind employees to keep their smartphones close by and not in a position where they can be easily stolen.

4.  Network Security: Vulnerabilities in networking components including routers, switches, and wireless access points can be exploited. Inventory network hardware and sign up for notifications from vendors to be informed when vulnerabilities have been identified. Download firmware updates when they are offered. Enable the highest level of encryption for wireless connections. Restrict administrative access to the network to trustworthy technical staff.

5.  Operating System Updates: The cycle of computer and smartphone operating system updates is increasing to patch the latest known vulnerabilities. Ensure that automatic updates are enabled or ensure that your technology professionals promptly review and install patches.

6.  Passwords: Password management is a pain and overuse of simple passwords is common. Thankfully, enterprise password management can make passwords available across a company, computers, and devices. Implement password management software, restrict access to password vaults to those with a need to know; require strong, and unique passwords for each site; and promptly remove access when off-boarding employees.

7.  Software Applications: Enable multi-factor authentication whenever possible. Enable automatic updates to keep software updated or restrict software installations until security assessments have been completed. Audit software periodically to ensure the latest version has been installed, and security settings have been turned on.

8.  Malware Detection: Firewalls and malware detection software is critical and definition files must be continuously updated to protect against the latest threats. Prohibit access to the network if malware software is not enabled.

9.  Secure Connectivity for Remote Connections: All connections for employees working remotely or business partners should require encryption. Maximize security for remote management of the network and disable external access ports that are not needed.

10. Business Continuity & IT Disaster Recovery: Ensure that all important digital information is backed up. Maintain three (3) copies, each on different media (e.g., hard drive, network server, and cloud). Store one copy remote from the primary site in case of physical damage to the facility. Document hardware and software inventories; maintain current images of standard computers; and document a plan for recovery.

September is National Preparedness Month

September is National Preparedness Month.  Preparedness is defined by DHS/FEMA as "a continuous cycle of planning, organizing, training, equipping, exercising, evaluating, and taking corrective action in an effort to ensure effective coordination during incident response."

Our name says it well…..

Preparedness, LLC's mission is to safeguard people, protect property, minimize business interruption, and protect reputations.  We assess hazard and operational risks and develop loss prevention and hazard mitigation strategies.

Preparedness, LLC has published a variety of Bulletins offering detailed guidance for development, implementation, and evaluation of your organization’s preparedness program. We invite you to take a look at our extensive library of bulletins providing information and guidance on how to prepare for a variety of weather related emergencies, protective actions for life safety, including from acts of violence.  Other bulletins offer guidance on helping your company become more resilient from a number of impacts, including business continuity, crisis management, reputational issues, supply chain interruptions and a host of other potential threats to an organization.

 

We also offer a self-assessment checklist of over 200 questions, based on NFPA 1600  “Standard on Continuity, Emergency and Crisis Management” 2019 Edition to help your organization assess your preparedness program.

We invite you to contact us if your organization requires assistance with assessing, managing or implementing a preparedness program.

Financial Risks of Climate Change: CFO's Should Pay Attention

National Hurricane Center, NOAA

At the Wall Street Journal’s CFO Network Annual Meeting, held on June 11, 2019, Zurich Insurance Group chief risk officer Alison Martin explained that CFO’s should take a leading role in analyzing their companies’ exposures to weather related risks.  According to a report published by CDP Worldwide, a U.K. environmental nonprofit, the world’s 500 largest companies face $1 trillion in potential financial risk from climate change.

CFO’s need to make climate risk assessments a bigger priority, and actively assess how environmental issues could affect their companies’ bottom line.  For more information, click here to read the Wall Street Journal article.

Additionally, climate change and its potential ramifications are now on the radar screen of financial institutions.  Although not a yet standard industry practice at this time, as of this publishing of this article, 26% of banks and financial firms say they have established dedicated teams for evaluating climate-related risks, and how these may affect their bottom-line. Financial institutions find they are under increased scrutiny from investors and regulators.   Click here to read the entire Wall Street Journal article.

Based on these articles, published within days of each other in the Wall Street Journal, it is evident that climate change as it relates to the financial health of an organization is becoming a hot-button issue.  More scrutiny as to the potential fall-out from these risks is sure to arise in the coming years – affecting organizational risk management, the financial bottom-line, how to evaluate these risks, and ultimately who in an organization will be tasked with the responsibility of where the buck stops.

NFPA 1600 2019 Edition: A Resource for Every Practitioner and Auditor

                                                         Risk and Resilience Hub

Don Schmidt, Preparedness, LLC CEO was recently published in Risk and Resilience Hub. In this article, Don explains how NFPA 1600, 2019 Edition, the most mature standard of its kind, defines the inter-connected elements of a preparedness program including program management, risk assessment, business impact analysis, loss prevention/hazard mitigation, emergency management, business continuity, crisis management, and crisis communications.  Read Article

Hurricane Preparedness

As the 2019 Hurricane Season is upon us, officially beginning on June 1^st, we have already had one named storm.  Storms do not check the calendar, and the “season” is an estimate of when these storms can occur.

The 2019 season is predicted to be a “near normal” season, with about 9 to 15 named storms, with 4 to 8 of these becoming hurricanes.  

However, no matter how many storms are predicted, it is important to remember that it only takes one powerful storm to hit where you or your organization are to cause catastrophic destruction and death.  So planning and preparing for hurricane season should be the same, whether it is forecasted to be a moderate or heavy season.

When we think of hurricanes, one usually thinks of winds – how strong the winds are determine if the hurricane is a category 1, 2, 3, 4 or 5.  However, according to Ken Graham, National Hurricane Center Director, history has shown that 90% of fatalities in hurricanes are in fact due to water.  In the last 3 years alone, 83% of deaths during hurricanes have been due to water.  While we think of winds, we really must focus on flooding, and how to protect property and life from the effects of flooding.  

Flooding caused by stalled storms that dump a tremendous amount of water on already soaked land can happen well inland.  Storm surge is a coastal concern of water pushed onto the land by the force of the storm.  With more people living on the coast than ever before, there are more lives vulnerable to the dangers of storm surge.

Hurricane planning includes multiple phases:

• Before Hurricane Season
• Tropical Storm or Hurricane Watch
• Tropical Storm or Hurricane Warning
• During the Storm
• After the Storm

For information on Hurricane Preparedness, take a look at the Preparedness Bulletin for detailed information on how to prepare.

Analyzing flood exposure is an important part of preparing for storm season.  Our Preparedness Bulletin, Flood Preparedness is instructive, and provides resources on where to find information specific to your region. 

A plan that accurately identifies the resources and time needed to prepare has the greatest chance for success.

Severe Weather Preparedness

Springtime brings a welcome change in seasons.  Along with blooming flowers and trees and warmer temperatures, it also marks the start of Severe Weather season. The first week in May is Severe Weather Preparedness Week.  Severe weather in warm weather months include thunderstorms and the devastation that may come from them: the potential for flooding, high winds and tornadoes.

A thunderstorm is a rain shower with thunder.  Since thunder comes from lightning, all thunderstorms have lightning.  A thunderstorm is classified as “severe” when it contains one or more of the following:  Hail (3/4 inch or greater, winds gusting in excess of 50 knots (57.5 mph) or a tornado.  On average, about 10% of thunderstorms are classified as severe.

Lightning strikes the U.S. about 25 million times each year, kills an average of 47 people annually, and injures hundreds more.^[1]  When lightning is detected, it is important to take shelter as there is no safe place outdoors when thunderstorms are in the area. “When Thunder Roars, Go Indoors”^[2]  Once the storm has passed, wait at least 30 minutes after the last thunder is heard before resuming outdoor activities.  Once the storm has passed, assess any damage to your property.  Contact local authorities if there are power lines down.

High winds can occur during a severe thunderstorm.  Winds speeds of 40 to 50 mph can produce localized damage.  “Straight-line” winds, which are not associated with any rotation, can exceed 100 mph and can cause widespread damage, and blow objects making them airborne, posing a significant threat to personal safety.  If you are outdoors, take shelter in a sturdy building.  If not near a building, take shelter in your car.  If no shelter is available, stay away from trees and power lines.

A tornado, which is spawned from a severe thunderstorm, is a violently rotating column of air extending from the base of a thunderstorm down to the ground. Tornadoes are capable of completely destroying well-made structures, uprooting trees, and hurling objects through the air like deadly missiles. Tornadoes can occur at any time of day or night and at any time of the year. Although tornadoes are most common in the Central Plains and the southeastern U.S., they have been reported in all 50 states.^[3]

If a tornado warning is issued, go to the basement or an interior room in your home/school/business, away from any windows. If you are outside, it is imperative to seek shelter in a sturdy building immediately. Once the authorities have deemed it safe and the tornado(s) has passed, carefully assess your property for damage.  Stay out of damaged buildings and contact local authorities if you see power lines down.

Flooding is caused when bodies of water (e.g. rivers, streams, lakes, oceans, etc.) overflow their normal boundaries.  Flooding can also occur as storm water runoff accumulates in normally dry areas. Read the Preparedness Bulletin on Flood Preparedness to learn more about how your organization can create an emergency plan to deal with floods, as well as how to mitigate the risk as well as recover from an unexpected flooding event. 

For more information about severe weather threats, including mitigation strategies for your organization, read Preparedness Bulletin: Thunderstorms, Lightning & Tornadoes. 

---

[1] Weather.gov; https://www.weather.gov/safety/lightning ; access date 5-8-2019

[2] Ibid

[3] National Weather Service; https://www.weather.gov/safety/tornado; access date 5-8-2019

Business Impact Analysis: Vulnerabilities, Loss Potential and Mitigation

Donald L. Schmidt spoke at RIMS2019, the Risk & Insurance Management Society's annual conference, on the value of the business impact analysis (BIA) to risk management. He explained how the BIA identifies vulnerabilities and opportunities for risk mitigation. He also addressed how the BIA provides a methodology for quantifying business interruption and prioritizing the recovery of business operations.  View the presentation.

Read Preparedness, LLC's bulletin on Business Impact Analysis for an in-depth look at this important process and how it can prepare your organization.   

NFPA 1600 2019 Edition Webinar

NFPA has published the 2019 edition of NFPA 1600, “Standard on Continuity, Emergency, and Crisis Management.” In this webinar Don Schmidt, past chair of the committee, reviewed the new and revised content in the 8th edition of this important international standard. Access this webinar to learn how you can use this tool to improve your organization’s resilience. http://bit.ly/2Xenljr

Download Preparedness, LLC’s Self-Assessment Checklist (insert picture) based on NFPA 1600 “Standard on Continuity, Emergency, and Crisis Management” 2019 Edition.  Containing over 200 questions, this is an important tool to help your organization evaluate its preparedness program.  http://bit.ly/2ufM3B4

CFOs May Be Held Accountable for Climate Change Catastrophes that Affect a Company's Bottom Line

FM Global’s, Report Master the Disaster Report: Why CFOs Must Initiate Natural Catastrophe Preparedness in 2019 and Beyond^[1] makes the compelling case for CFOs to explore the broader financial consequences of natural disasters, and to allocate capital towards loss prevention and business interruption.

Insurance policies are implemented as they are thought to absorb most property damage and business disruption losses, however, they do not cover all economic risk.  Market share, reputation, cash-flow and even potential growth opportunities may be adversely affected by a prolonged disruption, resulting in economic hardship for an organization. 

While companies may take the gamble that unpredictable events are not likely to occur in this earning year, this is taking short-term view of profits over long-term viability.  Devastating results can be the consequence, even with a moderate natural disaster.  FM Global’s CFO Kevin Ingram says that “The buck stops with the CFO.”  If a company is unprepared for a natural disaster, wide-ranging stakeholders including institutional investors, shareholders, Wall Street analysts, consumers and regulatory agencies will be privy to this information.

FM Global reviewed 10-K filings of nearly 100 public companies that experienced damage and disruption in 2017 from Hurricanes Harvey, Irma or Maria.  Findings saw losses ranging from a few million to hundreds of millions of dollars.^[2]  The U.S. Securities and Exchange Commission has clarified their position on climate change risks, instructing companies to treat these material risks from climate change like any other business risk.  This position will likely place CFOs facing hard questions if losses are incurred and no plans have been put in place to deal with these natural disasters.

Risk managers, who typically have an inward-looking role in their organizations, are charged with planning for risks that already exist.  While this can improve vulnerability for a company, a more global view is typically needed.  The CFO, with their C-Suite vantage point and outward-looking focus, has the ability to completely eliminate some of these risks.  For example, the risk manager may allocate money to fortify a critical plant against flood exposure, whereas the CFO has the influence to change the landscape entirely by moving the plant from a flood plain to higher ground, eliminating the flooding risk completely.

The bottom line is CFO’s will be on the hot-seat if a natural disaster has negative impacts on the company’s profitability and survivability.  Natural disasters have the potential to impact global supply chain, impact cash flow, and severely impact customer relationships.

For the complete picture, read FM Global’s Master the Disaster:  Why CFOs must initiate natural catastrophe preparedness in 2019 and beyond.  Click Here

---

[1] FM Global. Master the Disaster: Why CFOs must initiate natural catastrophe preparedness in 2019 and beyond.  W00644_18 © 2019 FM Global (01/2019)

[2] Ibid

NFPA 1600 2019 Edition Published

The 2019 edition of NFPA 1600 “Standard on Continuity, Emergency, and Crisis Management” has been published by the National Fire Protection Association. This international standard is the most mature standard of its kind in the world. Originally published in 1995, the 2019 edition is the 7^th edition. It addresses the inter-connected elements of a preparedness program including program management, risk assessment, business impact analysis, prevention/mitigation, emergency management, business continuity, crisis management, and crisis communications.

First off, the title has changed to emphasize “crisis” management content that has been introduced over the past three editions. A crisis is defined as “an issue, event, or series of events with potential for strategic implications” including impacts on brand, image, reputation, and more. A new section “crisis management” has been added to chapter 6, Implementation. This section defines a “crisis management capability,” with senior leadership involvement, signals detection, identification of issues, strategy development, and more.

Another notable change is the addition of a new chapter 7 titled “Execution.” It defines what should be obvious but is often overlooked, that is, how a program should be executed. Incident recognition, reporting and notification, activation and planning, incident management, documentation, and resource management are included in the new chapter. The chapter extracts the important elements of alerting, notification, and warning with activation of an incident management system.

The annexes, which are a treasure trove of valuable information, continue to expand. Annex J, “Social Media in Emergency Management” has been added. When an incident occurs, social media is alive before emergency, continuity, and crisis management responders are fully engaged. Therefore, integrating social media into all program activities—preparedness for a forecast event to communicating with stakeholders regarding continuity and recovery information after—is a must.

Other new annexes include Annex K Emergency Communications: Public Alerts and Warnings in Disaster Response and Annex L Emergency Management, Continuity, and Crisis Management Data Interoperability.

NFPA 1600 can be downloaded for free from the NFPA website http://bit.ly/2AOTiFF

Check out a historical review of NFPA 1600 on the Preparedness, LLC website. http://bit.ly/2UcLzt9. Be sure to download the 2019 edition of Preparedness, LLC’s program self-assessment checklist, which is based on NFPA 1600. http://bit.ly/2uUz7ma