Tips to Enhance Survival During an Active Shooter Incident

"Active Shooter" actor from a full-scale exercise
(photo by Preparedness, LLC)

Lieutenant Colonel (ret.) Mike Wood’s article “What cops need to tell their families about active shooters,” (PoliceOne.com) should be read by everyone venturing out into public.

• Maintain situational awareness
• Know where the exits are
• Get off the floor.
• Don’t volunteer to be deaf and blind
• Limit alcohol consumption in public
• Have a plan
• Be careful with your communication devices
• Know how to act when the police arrive
• Learn first aid basics.
• Be prepared

Personal preparedness is essential. When a hostile event unfolds, no one is going to direct you to exits, concealment, or cover. It’s up to you.

Organizations have a lot of work to do, too. Human resource practices, effective physical and operational security, threat detection, warning and communication systems, and many more elements of a preparedness program should be implemented. Read the Preparedness Bulletin “Acts of Violence” for detailed guidance.

Resilience

November is National Critical Infrastructure Security and Resilience Month. Critical infrastructure is the physical and cyber systems and assets that are so vital that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety.

There are 16 critical infrastructure sectors including commercial facilities, manufacturing, financial services, food and agriculture, healthcare, information technology, transportation, communications, energy, emergency services, and more. Every organization depends on critical infrastructure and many are a part of, or support, the critical infrastructure sectors.

What is resilience?

You hear the word resilience more and more—often after a major disaster or utility outage. Merriam-Webster defines resilience as the “ability to recover from or adjust easily to misfortune or change.” Resilience is not a finish line, rather it is a continuous process that engages safety, security, human resources, operations, engineering, supply chain, IT, risk management, and others. It begins with identifying assets that are critical to the success of the organization—people, operations, facilities, supporting infrastructure and technologies, machinery and equipment, supply chain, and more. Resilience should also encompass reputation and relationships with stakeholders.

Resilience is a continuous process to gain and maintain a current understanding of:

• threats, hazards, and perils that could impact life and physical, digital, intellectual, operational, and reputational assets
• operational criticalities (production or service delivery priorities),
• vulnerabilities of assets and resources (weaknesses) that would make them more susceptible to damage or loss, and
• potential impacts to life, property, operations, the environment, and the organization’s reputation and relationships with stakeholders.

Resilience also includes the development of strategies to manage risk and capabilities to promptly respond to and recover from whatever has happened.

What does it take to achieve resilience?

Since the risk environment is not static, continuous gathering of information and the development of actionable intelligence about credible threats, foreseeable hazards, and potential impacts to critical assets is essential. THIRA (threat and hazard identification and risk assessment) and BIA (business impact analysis) are the processes that engage internal and external experts to identify hazards, their probabilities of occurrence, and assets at risk; to evaluate the adequacy of prevention and mitigation capabilities; and to develop strategies for risk management.

Strategies for loss prevention, deterrence, and hazard mitigation should begin even before a building is built. By selecting a geographic site that has limited exposure to natural hazards and crime and one with reliable infrastructure and public safety services, the need and costs for building design, construction, redundant utilities, and on-site response capabilities may be reduced. Design and construction that is compliant with building codes and standards and industry best practices also can enhance resiliency. Periodic inspection, testing, and maintenance of protection systems and equipment are essential to ensure reliability.

Ongoing programs to manage risk are essential. Internal professionals including human resources manage employee risks through pre-employment screening, onboarding processes, threat assessment, critical employee backups, training, employee communications, and wellness programs.

Environmental, health and safety (EH&S) professionals partnering with human resources, operations, engineering, and others play an instrumental role with job hazard analysis, process safety, fire prevention, accident prevention, and environmental protection.

Security professionals and facilities management staff implement CPTED (crime prevention through environmental design) practices, surveillance and detection technologies, and operational security practices to deter, detect, and respond to potential threats. Communication and coordination with law enforcement is needed to promptly learn about developing threats and to increase security commensurate with the threat level.

EH&S professionals along with security, facilities, human resources and other staff must work together to develop and implement emergency response capabilities to safeguard employees, protect facilities, and prevent environmental contamination from the threats and hazard identified during the risk assessment.

Information Technology must manage the technology environment balancing access, efficiency, reliability, information security, and costs. Connectivity between internet service providers, worksites, networks, servers, and users must be reliable and have sufficient bandwidth to meet business needs. Digital information must be protected and promptly recoverable along with user applications to minimize production and service delays and unacceptable customer impacts. Information security laws require compliance. Conformity to standards and best practices for the protection of data centers and supporting infrastructure reduces exposure to loss and interruption. IT disaster recovery plans must be developed and tested to validate the ability to meet recovery time objectives.

Production managers and engineers must identify vulnerabilities in production methods, machinery and equipment, supporting infrastructure and technologies and develop strategies to overcome loss scenarios. Supply chain managers must continually assess the ability of suppliers to meet demand and logistics capabilities to deliver supplies where and when needed. Strategies for loss or damage to equipment, unavailability of essential personnel, and supply chain interruption must be developed.

Operations personnel working together with managers, supervisors, and others within the organization that possess the institutional knowledge of operations and resources must work together to complete the business impact analysis and develop business continuity strategies and documented plans for use when critical processes are interrupted or required resources are unavailable.

Role of Leadership

Resilience is elusive because of the broad spectrum of hazard, operational, financial, and strategic risks. It can be fleeting because of the short duration of institutional memory and human nature that “it can’t happen to us” or “it will never happen again.” A concerted, ongoing effort is required to understand and manage risk. Ultimately, senior management must embrace resilience as a core value of the organization and strive to embed risk management within its culture.

Reaching a threshold of “resilience” means that the organization has a clear understanding of risk and has implemented controls to manage operational, financial, and reputational risk to an acceptable level. Compliance with laws and regulations is the minimum. Meeting customer requirements is essential. Protecting the business, its employees and facilities by implementing and maintaining a mature preparedness program is no longer a luxury. There is no finish line.

From the National Cyber Awareness System: Major Online Ad Fraud Operation

https://www.us-cert.gov/ncas/alerts/TA18-331A

Overview

This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). DHS and FBI are releasing this TA to provide information about a major online ad fraud operation—referred to by the U.S. Government as "3ve"—involving the control of over 1.7 million unique Internet Protocol (IP) addresses globally, when sampled over a 10-day window.

Online advertisers desire premium websites on which to publish their ads and large numbers of visitors to view those ads. 3ve created fake versions of both (websites and visitors), and funneled the advertising revenue to cyber criminals. 3ve obtained control over 1.7 million unique IPs by leveraging victim computers infected with Boaxxe/Miuref and Kovter malware, as well as Border Gateway Patrol-hijacked IP addresses.

Malware

Boaxxe malware is spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Boaxxe botnet is primarily located in a data center. Hundreds of machines in this data center are browsing to counterfeit websites. When these counterfeit webpages are loaded into a browser, requests are made for ads to be placed on these pages. The machines in the data center use the Boaxxe botnet as a proxy to make requests for these ads. A command and control (C2) server sends instructions to the infected botnet computers to make the ad requests in an effort to hide their true data center IPs.

Kovter malware is also spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Kovter botnet runs a hidden Chromium Embedded Framework (CEF) browser on the infected machine that the user cannot see. A C2 server tells the infected machine to visit counterfeit websites. When the counterfeit webpage is loaded in the hidden browser, requests are made for ads to be placed on these counterfeit pages. The infected machine receives the ads and loads them into the hidden browser.

Solution

DHS and FBI advise users to take the following actions to remediate malware infections associated with Boaxxe/Miuref or Kovter:

• Use and maintain antivirus software. Antivirus software recognizes and protects your computer against most known viruses. Security companies are continuously updating their software to counter these advanced threats. Therefore, it is important to keep your antivirus software up-to-date. If you suspect you may be a victim of malware, update your antivirus software definitions and run a full-system scan. (See Understanding Anti-Virus Software for more information.)
• Avoid clicking links in email. Attackers have become very skilled at making phishing emails look legitimate. Users should ensure the link is legitimate by typing the link into a new browser. (See Avoiding Social Engineering and Phishing Attacks.)
• Change your passwords. Your original passwords may have been compromised during the infection, so you should change them. (See Choosing and Protecting Passwords.)
• Keep your operating system and application software up-to-date. Install software patches so that attackers cannot take advantage of known problems or vulnerabilities. You should enable automatic updates of the operating system if this option is available. (See Understanding Patches and Software Updates for more information.)
• Use anti-malware tools. Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool. A non-exhaustive list of examples is provided below. The U.S. Government does not endorse or support any particular product or vendor.

Practical Tips for Continuity Planning

Don Schmidt presented “Practical Tips for Continuity Planning: From Impact Analysis to Executable Strategies and Plans” to the Safe+Ready Institute’s 2018 Virtual Summit.

Tips (and lessons learned) from decades of business continuity planning were shared including:

• Importance of management support and Identifying who needs to be involved in the planning process
• Planning Scope, Assumptions, Limitations, and Scenarios
• Tools & Techniques for Business Impact Analysis (BIA)
• Risk Assessment: It’s not just for emergency planning
• Continuity Strategies: Focus on Priorities
• Resources, Resources, Resources
• Continuity Plan: Putting it all together
• Incident Management: Concept of Operations
• Training, Testing & Exercises
• Program Development Resources

The presentation can be viewed here, and the recorded webinar can be viewed on the Safe+Ready Institute’s website here. While you’re visiting the Preparedness, LLC website, be sure to check out the program development resources and Preparedness Bulletins.

Suspicious Packages

Suspicious Packages

Over the past week, U.S. politicians, high profile individuals, and CNN were targeted with suspicious packages/letters at their homes or places of business.  These packages, each appearing to contain a bomb, were a coordinated attempt to spread fear, injure the intended recipients, and cause destruction. Since the days of the "Unabomber" in 1978 and the anthrax containing letters sent to members of Congress in 2001, the potential dangers of threats perpetrated by mail have been realized.

What is a suspicious item?

A suspicious item is any article (e.g. package, envelope, bag, vehicle, etc.) that is reasonably believed to contain explosives, an improvised explosive device (IED), or other hazardous material that requires a bomb technician and/or specialized equipment to further evaluate it. Examples that could indicate a bomb include unexplainable wires or electronics, other visible bomb-like components and unusual sounds, vapors, mists or odors.   Anything that is Hidden, Obviously suspicious, and not Typical (HOT) should be deemed suspicious. In addition, potential indicators for a bomb are threats, placement, and proximity of the item to people and valuable assets. The term Improvised Explosive Device (IED) has long been associated with war, but easy access to instructions and ingredients has resulted in numerous incidents involving the use of IEDs in the United States. IED attacks remain the primary tactic for terrorists seeking a relatively uncomplicated, inexpensive means for inflicting mass casualties and maximum damage. A series of bombings in Seaside Park, NJ and New York City in September, 2016 targeted a charity race and a Manhattan neighborhood. Unexploded devices including a pressure cooker were found at both the New Jersey and New York City bombing sites.

Differentiating Between Unattended and Suspicious

Not all unattended items are suspicious. An unattended item is an item of unknown origin and content where there are no obvious signs of being suspicious.  If not suspicious, there is no need for facility search or evacuation. Evaluate the item using the U.S. Postal Service "Suspicious Mail" poster (below) to determine if it meets "suspicious" criteria. Consider the placement of the package and its proximity to people and valuable assets and the current threat environment. Consider the following factors: Was any suspicious activity reported when the package was left or discovered? Have any threats to the receiving organization or similar organizations been reported? Is the unattended package or bag consistent with those normally expected to be found in the building? Does the unattended package or bag have any external indicators consistent with a suspicious package? If package is not considered an immediate threat to health or safety, record the name and address of the addressee and sender; post office codes, stamps, and cancellation date; and any other markings or labels. Contact the addressee to determine if the package was expected.

Figure 1. Suspicious Mail Poster 84 (U.S. Postal Service)

Emergency Response to Suspicious Packages

If a package is deemed "suspicious," the following action should be taken: Notify security that a suspicious package has been detected. Alert everyone in adjacent areas that a suspicious letter or package has been found and direct them to clear the area.  If the suspicious item is believed to be a bomb, evacuate the building.  Anyone in contact with any powder or substance believed to have been released from the package should seek decontamination immediately and should segregate from others not exposed. Shut down the building's ventilation system if shutdown can be done safely. If package is not deemed an immediate threat to health or safety, document the reasons for identifying the package as suspicious. Without making direct contact with the suspicious item, record all available information from all sides including name and address of addressee and sender, post office codes, stamps, and cancellation date, any other markings or labels found on the item, any other peculiarities (stains, tears, tape, flaps not glued). If possible, photograph from all sides without moving. Contact the addressee to determine if package was expected. If the package cannot be verified as legitimate within a reasonable period, notify police.

Emergency operations plans should include instructions for employees as well as those responsible for managing emergencies. Procedures should be clear and concise and align with your organization's incident management system. Figure 2 is an example from Preparedness, LLC's flowchart-based emergency operations plans. Flowcharts, hazard precautions, and defined roles and responsibilities are compiled in hard-copy and digital format with hyperlinks for quick navigation to all related guidance.

Figure 2. Emergency procedures flowchart from Preparedness, LLC's emergency operations plan.

National Preparedness Month

September is National Preparedness Month     National Preparedness Month serves as an annual reminder to review your organization's preparedness program-- loss prevention and hazard mitigation, emergency preparedness, business continuity, information technology disaster recovery, and crisis management including crisis communication.    Ten Critical Preparedness Program Elements   1. Program Management: Senior management commitment, direction and support is critical for any program. Management must have a clear understanding of risk, identify/confirm preparedness priorities, ensure that adequate and capable resources are available, and ensure the program can be executed on a moment's notice.  Those vested with the authority for all aspects of the program must also have knowledge, skills and abilities to undertake this task.   2. Risk Assessment:  Understanding hazard, operational, and reputation risk is essential to plan loss prevention, hazard mitigation, response and recovery efforts. A comprehensive risk assessment should identify hazards, their potential magnitudes, assets at risk and their vulnerabilities, and potential impacts on people, property, business operations, the environment, and your reputation and relationships.  Comprehensive guidance is provided in our Preparedness Bulletin: Risk Assessment.   3. Business Impact Analysis: Prioritizing business processes by revenue, profit, or importance to the organization's mission helps define the scope of business continuity planning. Costs and impacts on customers, along with identification of the people, facilities, systems, equipment, technologies, information, and supply chain required to execute priority processes defines the requirements for continuity strategies. Guidance is offered in our Preparedness Bulletins Business Impact Analysis as well as Supply Chain Risk.   4. Resource Needs Assessment: AEDs, emergency generators, alerting, warning and communications systems are examples of resources. People are your most important resource. Information gleaned from the risk assessment and business impact analysis, regulations, and decisions about the level of response and recovery time for priority operations should help define resource needs. Without adequate resources, response and recovery efforts will be delayed or may fail. 5. Prevention & Mitigation: A fire that is quickly detected and suppressed by automatic systems should not jeopardize life safety and should minimize business interruption. Multiple, protected connections to internet service providers that enter the property and building from opposite directions can provide high availability of connectivity to applications and data in the cloud.    Prevention and mitigation begin with land use planning, building and process design and protection, and validation of proper installation. Safety, including physical, operational, and information security, and environmental protection programs are essential. Ongoing inspections, testing, maintenance, and training of these systems are critical to maintain up-time and minimize failure and downtime.  6. Emergency Preparedness: Emergency preparedness requirements vary based on location, type and size of building, hazards within or on-site, and many other factors and variables. Different threats or hazards require different capabilities. Protective actions for life safety (e.g., evacuation, sheltering, lockdown, and "run, hide, fight") vary based on the nature and location of the threat or hazard. Determining whether it is necessary to organize and train teams for medical response, firefighting, and hazardous materials response depends on regulations, severity of the threat or hazard, and the availability, capability and response time of assistance. Read Preparedness Bulletin: Protective Actions for Life Safety. 7. Business Continuity: Does your business continuity plan prioritize the recovery of your business processes? Are the resources required for executing continuity strategies available when needed, and will they support the strategy to the extent needed? Does the plan define strategies for prompt reporting of an incident, alerting of team members, declaring a "disaster," and executing the plan-- -at any time day or night? Are there manual workarounds to be employed when technology fails?  Guidance on these issues is provided in Preparedness Bulletin: Business Impact Analysis. 8. Information Technology Disaster Recovery Planning: Is all vital information backed up? Are employees complying with your information security policy? IT disaster recovery planning begins with ensuring all vital records are backed up and restorable in the event the facility is destroyed. Vulnerabilities and potential failures of computing and information backup strategies should be assessed. Physical protection and security of server rooms, equipment, and information is essential. Protection of infrastructure supporting server rooms including power, connectivity, and climate control should be commensurate with the importance of the technology to the organization's mission.  9. Crisis Management and Crisis Communications: A crisis is a low frequency, high impact situation with many potential causes--  a physical incident at a site, allegation, employment practices, product or service issue, criminal activity, information security breach, geopolitical events, or litigation. A crisis has the potential to cause very significant impacts on the corporation, its security, financial standing, reputation, and relationships with stakeholders. Are processes in place to identify and report issues that surface as well as events that occur? What are the potential issues and what are the current and potential impacts on stakeholders? Who constitutes the crisis management team? How will the crisis be managed, including the execution of communications strategies?  10. Testing, Training & Exercises: If a major incident were to occur, would employees know how to protect their own safety? Would team members be able to carry out their assigned responsibilities? Would the resources and procedures for continuity and recovery work? Testing of continuity and recovery strategies for IT and business processes as well as testing of any physical resource (e.g., a generator) is essential to ensure reliability in time of need. Basic training for all employees to protect their safety and security as well as protect the organization and its physical, digital, and intellectual property is essential today. Every team member needs training so they can execute their job on emergency, continuity, or crisis management team. Exercises are needed to evaluate plans and capabilities, and familiarize those responsible for executing the plan.   Help make your organization more resilient, conduct a self-assessment of your preparedness program using our Comprehensive Self-Assessment Checklist.  This checklist is based on NFPA 1600, our National Preparedness Standard, and references important regulations.   For further guidance read our Preparedness Bulletin: Auditing Your Preparedness Program.   Be sure to check out the hundreds of curated links to preparedness resources provided on our Resources Page.

 

 

Crises On The Rise

Is your organization prepared?

Deloitte conducted a survey [1] of over 500 senior crisis management, business continuity and risk executives.  Findings from this survey indicate respondents believe that crises are on the rise, necessitating the need for them to be ready to respond quickly and appropriately.  This includes plan implementation, testing and rehearsing for these threats.

From the “less visible” events such as cyber-attacks, financial fraud and corruption, and internal safety concerns, to the visually alarming emergencies caused by weather-related events, facility disasters or terrorist events, 80% of organizations have had to mobilize their crisis management teams at least once in the past 2 years.

These crises can have a devastating effect on a company’s financial performance, employee morale, sales and reputation.  Thanks to the proliferation of social media, what was once an accident or minor incident, is now displayed, sometimes within minutes of an incident, for all the world to see.  It is important for an organization to get out in front of an occurrence to maintain the confidence of all stakeholders.

But are organizations truly prepared to implement a crisis communication plan?  While the vast majority of those who responded to this survey do have some sort of crisis management plans in place, it is clear more needs to be done.  Findings from the survey revealed that:

• Confidence outstrips preparedness.  Companies are more confident in their ability to manage a crisis than their level of preparedness indicates.  Nearly three quarters of the survey respondents felt confident in their organizations’ ability to deal with a crisis, yet only half of these companies have plans in place, and just under a third have run simulation exercises.
• Experiencing a crisis drives organizations to avoid them.  Nearly 90% of the survey respondents indicated they have conducted internal reviews following a crisis.  They recognize the need to respond to threats before they happen by detecting the early warning signs, investing more effort in prevention and to identify potential crisis scenarios.
• Leaders need more development for crisis management.  Leading during a crisis is vastly different than leading during normal times.  It is critical that strong leadership skills and situational awareness are well developed.
• Being prepared significantly reduces the negative impact of a crisis.  Having board members and senior management committed and involved in the creation of a crisis management plan and participating in simulations/exercises increases effectiveness of the implementation.  Overall, about a third of organizations with a crisis plan in place report finances have been negatively impacted during a crisis, while that number jumps to nearly half of the organizations surveyed if no plan is in place.
• While third parties may be part of the problem, they can also be part of the solution.  Many crises may be triggered by suppliers or other partners.  And these critical service providers should be involved in crisis planning.  Bringing in outside advisors, identified in advance of any crisis, such as lawyers, PR firms, or other specialists, can help in managing a crisis.

The frequency and causes of crises are not likely to diminish.  There are a constant barrage of potential attacks from a variety of sources just waiting to pounce on the next victim.  Preparing your organization to be ready for any crisis is best handled when the board of directors and senior management is committed and initiates the need for planning.  The appropriate personnel must then be tasked with executing the planning, implementation and conducting simulated exercises, testing those in the organization who would be involved in an actual crisis.  Most organizations must overcome several challenges to be ready to navigate a crisis, however following these recommendations will go a long way towards making your organization more resilient and able to handle these crises as they arise.

Preparedness, LLC has many solutions to help your organization create and implement a crisis management program.  Visit our Crisis Management page to learn more about what we can do to help your firm plan for the unexpected.

Preparedness, LLC also offers capabilities to help your organization evaluate your preparedness program.  Download our Self-Assessment Checklist and check-out our comprehensive solutions to prepare your organization.

[1] Dent, Peter; Woo, Rhonda; Cudworth, Rick. 2018/06/18. Stronger, Fitter, Better. Deloitte Insights.https://www2.deloitte.com/insights/us/en/topics/risk-management/crisis-management-plan-resilient-enterprise.html?mod=djemRiskCompliance?id=us:2el:3es:4di_gl:5eng:6di

National Lightning Safety Awareness Week June 24-30

"When Thunder Roars, Go Indoors" Illustration how threat of lightning increases as a thunderstorm approaches. The exposure to risk reaches a peak when the storm is overhead, and then gradually diminishes as the storm moves away. According to the National Weather Service, 16 Americans were killed by lightning in 2017. This is the fewest annual deaths by lightning strike since tracking these deaths began in the 1940's. That is the good news.  The bad news is that while 10% of people who are struck by lightning are killed, the remaining 90% usually suffer life-long debilitating effects.  Clearly campaigns such as Lightning Safety Awareness Week are having a positive effect on society's recognition of the danger of thunderstorms. As a result of this awareness, policies surrounding sports and recreational organizations have changed for the safer.           There is no such thing as a safe place outdoors when thunderstorms are in the area. The only safe thing to do is to go indoors and wait out the storm. If you can't shelter inside, sheltering in a motor vehicle with windows up is the next best option.  Avoid parking under trees.  If thunderstorms are forecast, have a plan in place so that you have an indoor venue to retreat to, then continue to watch the sky for signs of an impending storm. Once inside, avoid corded phones, electrical appliances and plumbing, as these can conduct electricity in case of a lightning strike. Read more about how to prepare for these storms by protecting your property and people in the Preparedness Bulletin Thunderstorms, Lightning and Tornadoes

Tropical Storm Harvey Bearing Down on Texas Coast

Tropical Storm Harvey is bearing down on the Texas Gulf coast. Heavy rainfall reminiscent of Tropical Storm Allison is forecast along with coastal storm surge and high winds.

Cascading impacts from damage to critical infrastructure including electrical power, telecommunications, and transportation are possible. 

Hazard mitigation can substantially reduce the damage caused by hurricanes. Property insurer FM Global compared the loss history of its policyholders that implemented its loss prevention recommendations with those with outstanding recommendations to complete. FM found that those policyholders that fully implemented its preparedness recommendations had on average 75% to 85% lower dollar losses than those policyholders that did not implement such measures. 

Preparedness, LLC’s 7-page Preparedness Bulletin provides extensive guidance for mitigating hurricane hazards, organizing a team for storm preparedness and response, developing a preparedness and recovery plan, and planning for business continuity and family support. 

Program Development Resources: All Preparedness Bulletins are posted to our website. Be sure to check out the hundreds of links to program development resources and download the program self-assessment checklist based on NFPA 1600.

Hurricane Preparedness

NOAA's updated 2017 Atlantic Hurricane Season Outlook indicates that an above-normal hurricane season is most likely, with the possibility that the season could be extremely active. Hurricane season began on June 1, and the statistical peak of activity is mid-September.

No matter the forecast for number of storms, major hurricanes, and land-falling hurricanes, it only takes one storm to cause many deaths and billions in damages. "Superstorm" Sandy was not technically a hurricane when it made landfall, but it caused billions in damages. Recovery efforts continue years later.

Hurricane hazards include damaging wind, hurricane-spawned tornadoes, flooding from heavy rainfall, and coastal flooding from storm surge. Cascading impacts result from damage to critical infrastructure including electrical power, telecommunications, and transportation. Hurricane Katrina proved that these cascading impacts include widespread supply chain disruption.

Hazard mitigation can substantially reduce the damage caused by hurricanes. Property insurer FM Global compared the loss history of its policyholders that implemented its loss prevention recommendations with those with outstanding recommendations to complete. FM found that those policyholders that fully implemented its preparedness recommendations had on average 75% to 85% lower dollar losses than those policyholders that did not implement such measures.

This 7-page Preparedness Bulletin provides extensive guidance for mitigating hurricane hazards, organizing a team for storm preparedness and response, developing a preparedness and recovery plan, and planning for business continuity and family support.

Program Development Resources: All Preparedness Bulletins are posted to our website. Be sure to check out the hundreds of links to program development resources and download the program self-assessment checklist based on NFPA 1600.

Protective Actions for Active Shooter and Other Acts of Violence

Emergency plans for acts of violence should be established following national standards such as NFPA 1600 and applicable regulations including OSHA and state and local fire codes. Plans should include protective actions for life safety, threat and hazard specific procedures, defined roles and responsibilities, lines of authorities, an incident management system, and the identification and assessment of required resources. Implementation of plans should be accomplished through training, drills, and exercises.

Protective Actions for Life Safety

The emergency operations plan should define actions to protect life safety from foreseeable hazards. Terminology for protective actions has changed over time complicating common usage and understanding essential to prompt action. Review and agree upon common terminology within your organization, with building management and tenants, and with public safety responders.

The three basic protective actions for acts of violence are:

EVACUATION when there is a hazard such as a fire, bomb threat, or suspicious package inside the building and you must move to a safe location usually outside the building. “run” is the protective action to escape an armed perpetrator or active shooter inside a building.

LOCKDOWN (“hide”) when there is an armed perpetrator in the building or believed to be inside, but a safe path to escape is not available. This option may also be referred to as “Shelter-in-Place.” The term shelter-in-place was originally used to describe protection from a hazardous materials release outside a building. The term may also be used to describe sheltering from any hazard outside.

COUNTER (“fight”) when confronted with an armed perpetrator and you must take physical action to take down or distract a perpetrator to protect your safety or the safety of others.

For more information on prevention and deterrence of acts of violence as well as emergency response and recovery planning, read the Preparedness Bulletin: Acts of Violence. Be sure to check all of the Preparedness Bulletins, our lengthy list of curated hyperlinks to preparedness resources on the internet, and our comprehensive program self-assessment checklist. It includes more than 200 questions to help you evaluate your preparedness program.


If you have any questions or comments, please leave a comment along with your email address.

Workplace Violence Prevention

There are many policies and procedures that if implemented can reduce the risk of violence in the workplace. Anti-harassment and discrimination, substance abuse, business conduct, and electronic communications/computer use policies can help to eliminate behaviors and acts that cause workers to violently react to coworkers who they believe are bullying, abusing, or threatening. Any work environment that tolerates threatening or abusive behavior is at risk.

Related policies that establish an employer’s right to access an employee’s workplace computer, desk, locker, and other items may be necessary to investigate a credible complaint.

Risk factors that may expose employees to higher incidence of violence include working at night, working alone (on or off-premises), handling cash; and interacting with persons under the influence of drugs or alcohol. Workers in night retail establishments, healthcare institutions (especially emergency departments), and social services agencies are particularly at risk.

Circumstances or stressors such an impending layoffs or organizational change that elevate tension, stress, or conflict in the workplace should be recognized and appropriate measures taken to mitigate risk.

Termination of employment can be the cause for workplace violence, so planning in advance may be warranted. Planning should begin with a threat assessment; provision of assistance for terminated employees to transition to the next phase of their life, and security measures during and following the termination meeting.

Establishing a threat assessment team to evaluate threatening behaviors and incidents is a good practice and common in public schools and higher education. Suggested team members include human resources, security, legal, safety, union representative, employee assistance program (EAP) provider, outside mental health professionals, and law enforcement.

For more information on prevention and deterrence of acts of violence as well as emergency response and recovery planning, read the Preparedness Bulletin: Acts of Violence. Be sure to check all of the Preparedness Bulletins, our lengthy list of curated hyperlinks to preparedness resources on the internet, and our comprehensive program self-assessment checklist. It includes more than 200 questions to help you evaluate your preparedness program.