Public – Private Coordination for Emergency Preparedness and Response
Joseph Sarkis
Center for Risk and Security Seminar Series

Why?
• Why is joint planning important to the public sector?
• Recognizes that media exposure of critical incidents has developed high public expectations on how emergency response efforts should be handled.
• Assists in understanding private sector requirements and resources.
• Helps obtain the commitment of the private sector to become a part of the overall community emergency response planning process.
• Enhances communication with the private sector prior to an incident informing them of available community resources.
• Heightens awareness that the private sector may not be able to control everything inside the fence line and may need to involve others outside the fence line during recovery.
• Reduces liability and insurance costs through joint planning with the private sector (SOURCE CIP, 2000: Critical Incident Protocol – Public/Private Partnership).
Center for Risk and Security - Clark University - Marsh Institute

Why?
• Why is joint planning important to the private sector?
• Provides the private sector with community contacts and develops an understanding of the support available from the public sector.
• Educates the public sector on why the bottom line is important to the private entity and how it affects the community.
• Creates an understanding of why rapid business resumption is important and what basic community infrastructure may be needed to support business resumption following a disaster.
• Develops an accurate understanding of public sector resources and private sector responsibilities until public support is available.
• Develops recognition of how the loss of one business may affect and impact other businesses in the community.
• Promotes involvement in the public sector’s establishment of priorities.
• Develops understanding that during a critical incident, no company is an island unto itself. Total cooperative efforts are needed and there can be no secrets. (SOURCE CIP, 2000: Critical Incident Protocol – Public/Private Partnership).

The Need
“There has never been a formal or systematic way for government and the private sector to interact day-to-day or even during a crisis. This issue came into focus during preparations for Y2K when there was a lot of interaction between business and government.” – Richard Andrews (member of HS Task Force).

Integrated Concerns (source: Milliman et al. 2004, EQM)

Federal Information Sharing
Federal government's Information Sharing and Analysis Centers on the Web. From Homeland Security site (to help develop ways of better protecting our critical infrastructures and to help minimize vulnerabilities, and to allow critical sectors to share information and work together to help better protect the economy):
• Agriculture: None at this time
• Food: Food Industry ISAC
• Water: Water ISAC
• Public Health: (An ISAC is in development.)
• Emergency Services: Emergency Fire Services ISAC; Emergency Law Enforcement ISAC
• Government: State Government
• Defense Industrial Base: None at this time
• Information and Telecommunications: Information Technology ISAC, Telecommunications ISAC, Research and Education Network ISAC
• Energy: Electric Power ISAC (NERC); Energy ISAC (Oil & gas)
• Transportation: Surface Transportation ISAC (Rail & non-rail surface transportation)
• Banking and Finance: Financial Services ISAC
• Chemical Industry and Hazardous Materials: Chemical Industry ISAC
• Postal and Shipping: None at this time
• Real Estate: Real Estate ISAC

Federal Regs.

Federal Requirements
• OSHA gives facilities an option between providing an Emergency Action Plan, if they won't respond to spills, and an emergency response plan, if they will respond to emergencies. Since many larger organizations have their own Hazardous Material (HazMat) teams and fire brigades, they fall under the requirements of an Emergency Response Plan.

OSHA Emergency Action Plan
• An emergency action plan (EAP) is a written document required by particular OSHA standards. The purpose of an EAP is to facilitate and organize employer and employee actions during workplace emergencies. The elements of the plan must include, but are not limited to:
• Evacuation procedures and emergency escape route assignments.
• Procedures to be followed by employees who remain to operate critical plant operations before they evacuate.
• Procedures to account for all employees after an emergency evacuation has been completed.
• Rescue and medical duties for those employees who are to perform them.
• Means of reporting fires and other emergencies.
• Names or job titles of persons who can be contacted for further information or explanation of duties under the plan.
(Let’s take a look at the site… http://www.osha.gov/SLTC/emergencypreparedness/general.html)

Local Level Example
• Boston’s EMA developed a plan to start communicating with private Corps. http://www.boston-consortium.org/events/emt_docs/BEMA-CEAS_10-3-03.ppt

Private Practice
• Lots of titles – Numerous Jurisdictions
• Business Continuity Management
• Contingency Planning
• Disaster Recovery Planning
• Emergency Response
• Safety Planning
• Security Planning
• Occupational Hazards Management
• Corporate Risk Management
• Environmental Health and Safety Programs

Private Practices
• Deloitte & Touche survey: 50 percent of respondents have implemented corporate-wide business continuity and disaster recovery plans (up 20 percent from five years ago):
• Barriers:
• Most organizations lack a senior level business continuity management champion that can influence both the company’s culture and financial resources.
• Business units are reluctant to spend the time and money to implement “optional” programs.
• Creating an enterprise-wide BCM program can seem overwhelming to many organizations that are already resource-constrained.
• Corporate executives may operate under the belief that “it will never happen to our organization.”

More Private Practice Issues
• A common trend in organizations is that the environmental and safety departments view their response plans as mutually exclusive documents and silos.
• Requirements of OSHA and EPA response plans are interrelated and overlap in several areas.
• Departments need to be aware of their respective inspection, maintenance, and response duties.
• Integrated Contingency Planning is the way to go.

Private Security Measures
• Organizational Security programs (Thatcher, 2002):
• screening and background checks for personnel;
• training security professionals and in-house staff;
• preventing unauthorized entry and controlling access;
• actively and effectively safeguarding and protecting sensitive materials;
• periodically inspecting security controls and audits;
• establishing levels of accountability, enforcement and authorization;
• controlling chemical disposal efforts;
• developing access restrictions and controlling movement within the facility;
• continuously evaluating and monitoring personnel in sensitive areas;
• developing education programs in information security; and
• applying security techniques, devices, procedures and policies.

Security Management Systems (Thatcher, 2002)
• Risk assessment and prevention strategies
• Security policies
• Collaboration with other corporate departments and with local law enforcement agencies, local emergency planning committees, etc.
• Incident reporting systems
• Employee training and security awareness
• Incident investigations
• Emergency response and crisis management
• Periodic reassessment of the security plan for physical security, including access control, perimeter protection, intrusion detection, security officers, ongoing testing and maintenance and backup systems
• Employee security measures (including prudent hiring and termination practices)
• Workplace violence prevention and response
• Information, computer and network security.

Private Practices
• Morgan Stanley Planning Process:
1. Business Impact Analysis--assesses risk and the need for business continuity planning.
2. Business Unit Specific Plans--business continuity planning is owned by the business units, while developed in conjunction with the core team. These plans are developed using enterprise-wide planning software.
3. Awareness and Training--Web sites and mandatory Web casts educate all employees about the program.
4. Crisis Management--the internally managed process for managing incidents including: contacts and procedures in paper documents and Web format; 24-7 crisis management conference lines; rapid notification systems; and employee and client hot lines with situation updates and information.
5. Data and Application Recovery--strategies to recover critical data and applications.
6. Work Area Recovery--alternate workspace strategies for recovery-essential staff. (Other employees work remotely.)
7. Testing--failover strategies and crisis management processes should be tested at least once per year. The testing process also includes fire and evacuation drills.

Private Practices
• Lessons Learned at Morgan Stanley for business contingency plan:
• expanding capabilities for working at home;
• advanced planning with employee counselors;
• striving to get people back to work earlier;
• enhanced communications plans between employees, the press and senior management;
• strategies for temporary housing, transportation, communication (such as rumor control) and other services such as grief counseling.
• Other items: awareness, training, diversification of operations.

Private Practice
• Many other examples exist from large retailers to chemical manufacturers to hospitality providers.

Private Practice - BCMM
• Business Continuity Maturity Matrix (UK) – Levels of Maturity
• Level 1 - Self-Governed - Business continuity management has not yet been recognized as strategically important by senior management.
• Level 2 - Supported Self-Governed - At least one business unit or corporate function has recognized the strategic importance of business continuity and has begun efforts to increase executive and enterprise-wide awareness.
• Level 3 - Centrally-Governed - Participating business units and departments have instituted a rudimentary governance program, mandating at least limited compliance to standardized BCM policy, practices and processes to which they have commonly agreed.
• Level 4 - Enterprise Awakening - All critical business functions have been identified and continuity plans for their protection have been developed across the enterprise.
• Level 5 - Planned Growth - Business continuity plans and tests incorporate multi-departmental considerations of critical enterprise business processes.
• Level 6 - Synergistic - All business units have a measurably high degree of business continuity planning competency. Complex business protection strategies are formulated and tested successfully.

Private Practice - BCMM
• Competencies, Performance Measures.
• Leadership - The commitment and understanding demonstrated by executive management regarding the implementation of a scaled, enterprise-wide business continuity program. As well, the degree to which the "business case" for implementing sustainable business continuity has been articulated to and understood by executive management.
• BC Awareness - The breadth and depth of business continuity conceptual awareness throughout all staff levels of the organization including consideration for the quality and sustainability of the BC training and awareness program.
• BC Program Structure - The scale and appropriateness of the business continuity program implemented across the enterprise. The degree to which the BCM Program matches the articulated "business case".
• Program Pervasiveness - The level of business continuity coordination between departments, functions and business units. The degree to which business continuity considerations have been incorporated in other business initiatives/programs.
• Metrics - The development and monitoring of BCM Program performance. The establishment and tracking of a business continuity competency baseline.
• Resource Commitment - The application of sufficient, properly trained and supported personnel, financial and other resources to ensure the sustainability of the BCM Program.
• External Coordination - Coordination of business continuity issues and requirements with the external community including customers, vendors, government, unions, banks, etc. Ensuring that critical supply chain partners have adequate BCM Programs of their own in place.

Emergency Response Brokers - Third Party Service Providers
• Send Word Now is a leading emergency and routine notification service provider designed to extend public and private sector emergency preparedness, business continuity and contingency planning capabilities.
• Allows an account holder to send a message to reach multiple people and their familiar communication devices (i.e. cell, work and home phone numbers, email, pager, and other text messaging devices) at the same time.

Third Party Service Providers
• USFA's (U.S. Fire Administration) Emergency Management and Response-Information Sharing and Analysis Center (EMR-ISAC).
• The EMR-ISAC serves both public and private emergency managers and responders at no cost by facilitating the two-way exchange of information in order to analyze and disseminate current intelligence on threats, attacks, vulnerabilities, anomalies, and security best practices.

Third Parties
• National Center for Crisis and Continuity

Summary of Players
• Government – Public – Communities
• Private Organizations
• Third-Party Service Providers

Practical Concerns (from CIP, 2000)
• Type of resources (personnel, equipment, or other support) to be furnished
• Contacts and procedures for requesting resources
• Financial or reimbursement arrangements
• Use of equipment:
• How will it be delivered?
• How will it be returned?
• Will personnel be furnished?
• Payment for lost or damaged resources
• Labor and legal considerations or restraints
• Confidentiality issues (source CIP 2000)

Emerging Issues