Free1970 - stock.adobe.com
Sooner or later, organizations of all sizes will face adversarial events. Emergency managers must plan for all sorts of potential hazards and the risks that they bring, ranging from flood damage to cyber attacks. They must also seek to minimize new risks that materialize and respond to threats that arise.
Emergencies can happen at any time, and two or more emergencies may present themselves at once. Knowing what actions to take prior to, leading up to, during or and after an emergency can save business, time, money and -- in some cases -- human lives.
The National Governors Association released an emergency management guide in 1979 that coined the four phases of emergency management: mitigation, preparedness, response and recovery.
Since then, the idea of emergency management has evolved: Some new guidance adds or consolidates phases, or even moves to mission areas instead of phases, such as in FEMA's National Preparedness Goal. However, some municipalities and businesses still structure emergency management plans with the four-phase structure, as it still provides a solid framework of activities that ensure the organization is ready to handle, mitigate against and recover from an emergency.
Some phases may occur simultaneously. For example, patching a building may be considered a response and a recovery activity. These phases are not always sequential.
Mitigate risks to prevent emergencies, lessen impact
The mitigation/prevention phase of emergency management is an ongoing process. Organizations must always look at how to reduce the impact of any given emergency that may occur, or find ways to prevent certain emergencies altogether.
Unlike the second phase of emergency management -- preparedness, which is highly operational in nature and prepares staff and stakeholders to respond to an emergency when one does happen -- mitigation aims to lessen the effects of any given emergency that occurs. Continuously examine ways to prevent incidents, and if they cannot be avoided, take actions to minimize their impact.
The types of hazards businesses may face generally fall into three categories, according to Ready.gov: human-caused, technological or natural. Organizations may face one or more of these threats at one time. Threats that can cause emergencies include the following:
- cyber attacks and other incidents of data loss, whether malicious, accidental or due to negligence;
- natural disasters, including hurricanes, floods, tornadoes and others;
- fires, whether natural or malicious, such as arson;
- chemical emergencies;
- theft; and
For physical threats to facilities or personnel, such as severe weather, ensure that personnel, property and facilities are protected. For example, if an organization's facility is in a hurricane-prone location, look at ways to fortify facilities from wind, water or fire.
Organizations can conduct property inspections to find out how to better protect their facilities, according to facility management software vendor AkitaBox Inc. Set up security measures to monitor facilities and ensure only authorized individuals can gain access to them to lessen the likelihood of external malicious threats, such as theft.
For data and networks, set up extensive cybersecurity controls to better prevent data leaks or deletion, and implement measures such as multifactor authentication and zero-trust networks. Secure any gaps in network security through firewalls, VPNs, data encryption or other methods and consider off-site or cloud services for storage or backups.
To find the pain points of the overall organization, conduct risk assessments for data and infrastructure to assess any threats and implement plans to address them. Use these assessments to determine what measures to take.
Organizations can also delegate mitigation and risk management to third-party vendors, or delegate risk through insurance policies. Business impact analyses can also help determine how disruptive an event or emergency may be, enabling organizations to better prepare for it.
Prepare for events that may be unpreventable
No matter how much money, time or effort an organization invests to mitigate risks, there are some threats that organizations may not be able to avoid. That's where preparedness comes in.
To prepare for emergencies, craft detailed plans for how to handle any given threat, including delegated responsibilities and steps to take when an emergency occurs. Plan for all types of incidents and review these plans on a regular basis, updating them as business needs change or as threats evolve. Legal and finance departments should also be prepared to handle any downfalls from an incident.
It's also important to identify the resources that are available for use to respond to an emergency safely and efficiently. This can include plans on how to coordinate with local law enforcement, first responders or internal departments that can assist in managing any given emergency. In addition, to be prepared for any incident, ensure contact data is updated regularly. Resources such as emergency generators, fire extinguishers and floor plans should also be made available for a response.
Delegate responsibilities based on the type of emergency and document the discrepancies of given roles based on what the emergency is. For example, IT staff has a very different role in responding to a ransomware attack than a fire. Set up communications plans for dealing with media or public attention. Also, delegate communications responsibilities to keep employees, the public and stakeholders updated on an emergency or incident that may unfold.
No good plan can stand without practice, so conduct tabletop exercises and simulations in this phase for any given emergency. Exercises provide an opportunity to identify areas of improvement and enable organizations to refine those plans. Tabletop exercises can also help personnel better understand their roles and how to navigate their responsibilities in the event of an actual emergency.
IT should also test backups and restores and ensure they can meet recovery point objectives and recovery time objectives.
Before an incident occurs is also the best time to assemble business continuity and disaster recovery (BCDR) teams that will work to restore operations and ensure minimal, at most, business interruption due to an incident. Have updated and detailed disaster recovery plans available and be sure to rehearse them; prepare failover sites if needed.
Conduct the response based on prior planning and type of emergency
When an emergency occurs, prior planning springs into action. How an organization responds to an emergency depends on a variety of factors, such as what the emergency is and its severity.
Above all else, safety should be the top priority when an emergency occurs. As the incident or emergency unfolds, ensure safety of all personnel, then assess the situation to determine priorities and a course of action.
After assessing the situation, the individuals or teams responsible for coordinating the response should begin response operations. They should also deploy and communicate with teams on how to proceed throughout the response. Those tasked with emergency response duties should continue to monitor the situation and adjust the response based on how the emergency evolves.
Communications teams should continuously update stakeholders on situation through the proper channels to ensure everybody that may be affected is in the know. Media inquiries might also need to be handled if the event is large enough to attract media attention. As response teams work to resolve the situation, BCDR teams should work to ensure minimal disruption to business activities and an efficient, safe recovery.
Recover and return to normal
The recovery phase takes place after an emergency has occurred but is often partially concurrent with response. Recovery activities include any actions to return to normal operations.
Safety is always the top priority, so make sure it is safe to return to normal operations before doing so. Once the emergency has been handled, assess any damage the emergency has levied upon the organization to identify the proper steps to recover. Some damages may be very easy to find -- such as structural damage from a storm -- while some may be more abstract, such as the effects of data loss or reputational damage that may affect sales.
Take the short-term actions needed to return to business as usual, or as close to it as possible, and begin planning for longer-term recovery. Short-term activities may include technological measures such as re-securing networks, in addition to infrastructure repair, such as repairing walls or broken windows. For insurance, legal and financial purposes, be sure to document damages and keep track of expenses. This will help when filing insurance claims.
Responding to an emergency may also present legal, business or regulatory ramifications, such as breaching compliance regulations or SLAs. Legal and finance teams should prepare to and proceed with plans to manage any legal issues. Public relations or communications teams should also liaise with media, the public, employees and other stakeholders throughout the recovery process.
Review the incident and use it as a learning experience to see where improvements can be made in overall emergency management plans. Although no organization wants to have an emergency, these incidents can help inform organizations of areas of improvement and further mitigation efforts that are not found through tabletop exercises or other review.