By Troy Neville, MS, CEM, CBCP, FO-III
This article originally appeared in the February 2019 edition of the International Association of Emergency Managers IAEM Bulletin
Risks and impacts are why Emergency Management (EM) and Business Continuity/Continuity of Operations (BC/ COOP) exist. We are in the bad-day business, and bad days are inevitable.
We try to prevent bad days from happening where we can, protect assets from the bad days we cannot prevent, mitigate the impacts bad days can have, respond to bad days when they happen to keep people safe and sustain critical operations, and recover from the bad days to make things as close as we can to the way they were. Everything we do in this bad day business Is based on either a risk or an impact.
The Incident Command System (ICS) is widely used in EM and BC/ COOP. While ICS training mentions the importance of continual size-up and good situational awareness, most ICS training focuses on the incident management structure and managing resources, not risks and impacts. The lack of focus on risks and impacts in our training can lead to a lack of focus on risks and impacts during an incident. This knowledge gap means we can actually end up making a bad day worse.
- In the immediate aftermath of the mass shooting in San Bernardino, California, hundreds of uninjured staff members were stranded on a golf course for three hours waiting to be transported to another site for interviews with law enforcement. There were no bathrooms and little shade. Cell phone batteries were also low or depleted.
- In Hollywood, Florida, 12 elderly residents at a rehabilitation center died after Hurricane Irma knocked out the center’s air conditioning for more than 60 hours and temperatures inside reached 99 degrees.
- After Hurricane Florence, the area around Wilmington, North Carolina, was a virtual island, with all major roads into the area closed due to flooding. Also, power was expected to be out for several more days. Water authorities found themselves running low on diesel fuel for generators, with suppliers unable to make deliveries.
- In Puerto Rico, FEMA faced significant logistical challenges in its response to Hurricane Maria. The FEMA warehouse on Puerto Rico was mostly depleted before Maria struck.
Lessons learned from these incidents did prompt changes, but mostly in regard to how we should respond to similar scenarios in the future. A larger lesson to be considered is the need for a greater focus on proactively managing risks and impacts for all scenarios.
Incident Risk Assessment
A risk is the potential for a future negative impact. In most organizations a formal risk assessment is performed. Emergency management uses the Threat and Hazard Identification and Risk Assessment (THIRA) and the Stakeholder Preparedness Review (SPR).
The risk assessment process can require weeks to analyze risks and controls and to identify additional mitigation opportunities. During an incident, we do not have days or weeks to identify and manage risks. We have hours, if not minutes. This is where the Incident Risk Assessment (IRA) comes in.
The purpose of an IRA is to provide a formal mechanism to identify and manage incident risks. The IRA collects several key pieces of information about each risk:
- a description of the risk;
- a risk category;
- the probability of the risk becoming an impact (usually low, medium or high);
- the impacts if those risks become a reality;
- controls and protective actions currently in place – if any;
- additional mitigation steps that could be implemented during the incident to further reduce the potential impact; and
- the overall priority of the risk (usually low, medium or high).
We also should consider worst-case or near worst-case scenarios during the IRA, such as a more intense storm than forecast, supply chain disruptions to critical infrastructure and key resources (CIKR) facilities, or a long-duration power outage.
Incident risks in emergency management can range from the life safety of responders, to the loss of CIKR, to public safety for the community as a whole. Incident risks also include the risks to the response–operational risks. Operational risks in emergency management include potential impacts to communications, facilities, supplies (food, fuel, etc.), and personnel availability.
Incident risks in BC/COOP can include employee safety, financial risks (loss of revenue and/or clients), and reputation risks. Operational risks in BC/COOP are usually focused on interruptions to the critical processes of the organization, including the ability to meet recovery time objectives (RTOs) and service level agreements (SLAs).
Incident Impact Assessment
An impact usually begins the response phase for an incident, although some preparedness activities, such as evacuations, also create impacts. In EM and BC/COOP, we should have as comprehensive an understanding of the impacts as possible. Blind spots and knowledge gaps make it more difficult to effectively manage the incident and ensure positive outcomes.
In EM and BC/COOP, we sometimes wait for a phone call or email from someone who has a request for assistance. This creates a reactive posture that is prone to response failures. Imagine if a fire company saw a large column of smoke down the street, but rather than investigate, they waited for someone to call 911. If we know we have impacts, we should be determining the details of those impacts.
The Incident Impact Assessment (IIA) is similar in concept to the IRA, except the IIA provides a formal mechanism to identify and manage impacts that have occurred or are occurring. A traditional damage assessment does collect some information on impacts; however, the IIA is much broader in scope. We are looking beyond the number of structures damaged and instead focusing on how the community (EM) or the organization (BC/COOP) is affected. We also want to understand the cascading impacts. If the water plant is offline, what is the impact to CIKR facilities, hospitals, nursing homes and shelters?
The IIA collects several key pieces of information for each impact:
- a description of the impact;
- a category for the impact;
- the severity of the impact (usually low, medium or high);
- the effects from the impact;
- current activities for the response to that impact; and
- the overall response priority for the impact (e.g. immediate, low, medium, high).
The IIA allows incident managers to look at impacts holistically at the community (EM) or organizational (BC/COOP) level.
Incident Management with the IRA and IIA
An approaching hurricane or ice storm has power outages as a likely risk. The IRA is a key driver for our preparedness activities.
For how many days can CIKR facilities operate on backup power? Do some facilities lack sufficient backup power, such as a nursing home? Could fuel supply chains be impacted? What additional mitigation activities can prevent a disruption of CIKR facilities? Storing fuel onsite?
Our preparedness activities naturally flow from the need to mitigate risks and prepare for impacts that we cannot prevent or sufficiently mitigate. The IRA also will need to be continually updated to ensure that new risks are properly identified.
Once the storm creates impacts, the IIA becomes a key driver for our response activities. We can prioritize and track the impacts until they have been resolved. During an incident, a risk may become an impact. If the risk was identified in the IRA, then we should be better able to understand and respond to that impact.
Using the previous storm example, power companies report that some areas could be without power for two weeks. What are the effects of that impact? What is the weather forecast? What actions do we need to take to address that impact?
When an incident occurs, it may be overwhelming to start both the IRA and the IIA from scratch. In some cases, we can develop template IRAs and IIAs for various scenarios, which contain a pre-defined list of risks and impacts.
These templates serve as a useful starting point when an incident occurs and help to ensure that incident managers consider important risks and impacts in formulating their incident action plan.
The IRA and IIA can be either high-level or very granular, depending on the complexity of the incident and the needs of the organization. The assessments also can be performed at the emergency support function or department level and consolidated into master assessments for the incident.
Nassim Taleb writes in The Black Swan: The Impact of the Highly Improbable, “Black Swan logic makes what you don’t know far more relevant than what you do know. Consider that many Black Swans can be caused and exacerbated by their being unexpected.” However, in EM and BC/COOP, we are instructed to expect the unexpected. This requires detailed information about both risks and impacts, as well as “what-if” thinking.
The IRA and the IIA give incident managers valuable tools to increase situational awareness and better support decision-making, while encouraging “what-if” thinking. This helps to ensure successful outcomes, while minimizing the potential for making a bad day worse. By using an IRA and IIA to focus on risks and impacts – the key drivers of our bad day business – we also bring a more proactive posture to incident management. The IRA and IIA also can provide a wealth of information for use during the after-action reporting and improvement planning process.
- 2017 Hurricane Season FEMA After-Action Report. (2018, July 12). Retrieved Oct. 24, 2018, from the Federal Emergency Management Agency website.
- Braziel, Rick, Frank Straub, George Watson, and Rod Hoops. 2016. Bringing Calm to Chaos: A Critical Incident Review of the San Bernardino Public Safety Response to the Dec. 2, 2015, Terrorist Shooting Incident at the Inland Regional Center. Critical Response Initiative. Washington, DC: Office of Community Oriented Policing Services.
- O’Matz, M. (2017, Dec. 28). Inside the nursing home where 12 died during Hurricane Irma. Sun Sentinel. Retrieved Oct. 30, 2018, from the Sun Sentinel website.
- Wagner, A. (2018, Oct. 30). Why CFPUA warned customers they could lose water during Florence. StarNews. Retrieved Oct. 30, 2018, from the StarNews website.
About the Author
Troy Neville is a business continuity and emergency management professional with more than 25 years of experience in preparing for and responding to disasters and emergencies, as well as designing, implementing and supporting information technology systems. He currently works as a Business Continuity Process Manager for a large financial services company. He also volunteers as Deputy Emergency Management Coordinator – Planning for Manheim Township. Troy is a Certified Business Continuity Professional (CBCP), Certified Emergency Manager (CEM) and a certified Fire Officer-III. He also has a Master’s degree in Emergency Management and a Bachelor’s degree in Computer Science from Millersville University.