Preparedness, LLC: National Preparedness Month

September is National Preparedness Month

National Preparedness Month serves as an annual reminder to review your organization's preparedness program-- loss prevention and hazard mitigation, emergency preparedness, business continuity, information technology disaster recovery, and crisis management including crisis communication.

Ten Critical Preparedness Program Elements

1. Program Management: Senior management commitment, direction and support is critical for any program. Management must have a clear understanding of risk, identify/confirm preparedness priorities, ensure that adequate and capable resources are available, and ensure the program can be executed on a moment's notice. Those vested with the authority for all aspects of the program must also have knowledge, skills and abilities to undertake this task.

2. Risk Assessment: Understanding hazard, operational, and reputation risk is essential to plan loss prevention, hazard mitigation, response and recovery efforts. A comprehensive risk assessment should identify hazards, their potential magnitudes, assets at risk and their vulnerabilities, and potential impacts on people, property, business operations, the environment, and your reputation and relationships. Comprehensive guidance is provided in our Preparedness Bulletin: Risk Assessment.

3. Business Impact Analysis: Prioritizing business processes by revenue, profit, or importance to the organization's mission helps define the scope of business continuity planning. Costs and impacts on customers, along with identification of the people, facilities, systems, equipment, technologies, information, and supply chain required to execute priority processes defines the requirements for continuity strategies. Guidance is offered in our Preparedness Bulletins Business Impact Analysis as well as Supply Chain Risk.

4. Resource Needs Assessment: AEDs, emergency generators, alerting, warning and communications systems are examples of resources. People are your most important resource. Information gleaned from the risk assessment and business impact analysis, regulations, and decisions about the level of response and recovery time for priority operations should help define resource needs. Without adequate resources, response and recovery efforts will be delayed or may fail.

5. Prevention & Mitigation: A fire that is quickly detected and suppressed by automatic systems should not jeopardize life safety and should minimize business interruption. Multiple, protected connections to internet service providers that enter the property and building from opposite directions can provide high availability of connectivity to applications and data in the cloud.

Prevention and mitigation begin with land use planning, building and process design and protection, and validation of proper installation. Safety, including physical, operational, and information security, and environmental protection programs are essential. Ongoing inspections, testing, maintenance, and training of these systems are critical to maintain up-time and minimize failure and downtime.

6. Emergency Preparedness: Emergency preparedness requirements vary based on location, type and size of building, hazards within or on-site, and many other factors and variables. Different threats or hazards require different capabilities. Protective actions for life safety (e.g., evacuation, sheltering, lockdown, and "run, hide, fight") vary based on the nature and location of the threat or hazard. Determining whether it is necessary to organize and train teams for medical response, firefighting, and hazardous materials response depends on regulations, severity of the threat or hazard, and the availability, capability and response time of assistance. Read Preparedness Bulletin: Protective Actions for Life Safety.

7. Business Continuity: Does your business continuity plan prioritize the recovery of your business processes? Are the resources required for executing continuity strategies available when needed, and will they support the strategy to the extent needed? Does the plan define strategies for prompt reporting of an incident, alerting of team members, declaring a "disaster," and executing the plan-- -at any time day or night? Are there manual workarounds to be employed when technology fails? Guidance on these issues is provided in Preparedness Bulletin: Business Impact Analysis.

8. Information Technology Disaster Recovery Planning: Is all vital information backed up? Are employees complying with your information security policy? IT disaster recovery planning begins with ensuring all vital records are backed up and restorable in the event the facility is destroyed. Vulnerabilities and potential failures of computing and information backup strategies should be assessed. Physical protection and security of server rooms, equipment, and information is essential. Protection of infrastructure supporting server rooms including power, connectivity, and climate control should be commensurate with the importance of the technology to the organization's mission.

9. Crisis Management and Crisis Communications: A crisis is a low frequency, high impact situation with many potential causes-- a physical incident at a site, allegation, employment practices, product or service issue, criminal activity, information security breach, geopolitical events, or litigation. A crisis has the potential to cause very significant impacts on the corporation, its security, financial standing, reputation, and relationships with stakeholders. Are processes in place to identify and report issues that surface as well as events that occur? What are the potential issues and what are the current and potential impacts on stakeholders? Who constitutes the crisis management team? How will the crisis be managed, including the execution of communications strategies?

10. Testing, Training & Exercises: If a major incident were to occur, would employees know how to protect their own safety? Would team members be able to carry out their assigned responsibilities? Would the resources and procedures for continuity and recovery work? Testing of continuity and recovery strategies for IT and business processes as well as testing of any physical resource (e.g., a generator) is essential to ensure reliability in time of need. Basic training for all employees to protect their safety and security as well as protect the organization and its physical, digital, and intellectual property is essential today. Every team member needs training so they can execute their job on emergency, continuity, or crisis management team. Exercises are needed to evaluate plans and capabilities, and familiarize those responsible for executing the plan.

Help make your organization more resilient, conduct a self-assessment of your preparedness program using our Comprehensive Self-Assessment Checklist.

This checklist is based on NFPA 1600, our National Preparedness Standard, and references important regulations.