The 4 phases of emergency management
To effectively recover from a disruptive incident, IT and DR teams must have a plan in place. This guide breaks down the four phases of an emergency management plan.
IT leaders must be prepared to deal with unplanned incidents. When a disruptive event threatens the organization's operations, there should be a plan in place to assess the event and determine its potential impact. Once that process is complete, IT staff and upper management can determine the next steps to handle the disruption. This is an incident response plan.
Incident response is just the first part of dealing with a major disruption. Once the incident has been assessed and management has determined that it is serious, the next step is to launch emergency management activities. These critical activities will determine how well an organization recovers after a crisis.
According to the Emergency Management Accreditation Program (EMAP), the four phases of emergency management are mitigation, preparedness, response and recovery. An organization's readiness to recover from a crisis is determined by how well it executes these four phases.
Several activities should occur within each phase and are ideally included as part of an overall emergency management plan. The goal is to return to steady-state operations as quickly as possible.
The role of emergency management in a disaster
Emergency management is part of a series of activities that deal with an unplanned event and how to respond to it. The chart below shows where emergency management sits on a timeline for managing a disaster.
Initial responses to the situation are handled by an incident management process, which is usually part of an emergency management program. Incident management actions assess the incident and determine its severity and potential for elimination, containment, or expansion.
If the incident is not likely to be quickly suppressed and is likely to continue and possibly expand, the organization should launch the emergency management program. These activities are designed to minimize incident severity, duration and impact. They are supported by trained emergency teams, communications systems to keep all relevant employees informed and other resources as needed. The goal is to manage the event through to its containment and resolution and a return to business as usual.
However, in more serious events, it might be necessary to activate additional plans, such as business continuity (BC) and disaster recovery. A DR plan typically recovers systems, data, networks and other information services. BC plans recover business functions and ensure that employees are safe and able to resume work. Members of the emergency management team should coordinate with senior management to decide if and when to activate these additional plans.
Emergency management standards
Two national standards for emergency management delineate the activities that are part of the emergency management process. The first is the National Fire Protection Association standard No. 1660, and the second is the EMAP standard. This article will use the EMAP standard as the foundation for an emergency management program and its associated plans.
The EMAP document is a scalable yet rigorous national standard for public sector organizations, such as state/territorial, local, regional and tribal government emergency management programs. Developed in collaboration with various working groups of emergency management leaders from government, business and other sectors, the EMAP standard today has 66 elements addressing emergency management.
The EMAP standard builds upon and uses existing standardized documents, such as the National Incident Management System and Incident Command System, to create an emergency management framework.
Disaster recovery and IT teams can use the four phases of emergency management outlined in the EMAP standard to build a comprehensive action plan for disruptive events.
1. Mitigation
Mitigation activities reduce or eliminate risks to persons or property and reduce the effects of an unplanned event. Mitigation measures might be implemented prior to, during or after a disaster, depending on how the event progresses. Mitigation measures are often based on lessons learned from prior disasters. They can include ongoing actions to reduce exposure to, probability of, or potential loss from hazards.
A risk assessment is an important part of the mitigation phase. It identifies risks, threats and vulnerabilities that can exacerbate a disaster. The analysis looks at two important factors: the likelihood of an incident occurring and the severity of the event if it does materialize. Risk assessment teams might create a risk map, such as the one below, to determine the severity the risk presents.
Risk assessment results can help focus emergency management teams on preparing for the situations most likely to occur and those that could be the most damaging. Results can also be used to prioritize response and recovery actions.
In alignment with a risk assessment, a business impact analysis (BIA) can help identify the mission-critical functions needed to sustain the business. Data gathered from the risk assessment -- risks, threats and vulnerabilities -- can then be mapped to business functions to identify mission-critical activities and their priority when it comes to response and recovery activities.
To determine which IT systems, networks and other resources may be needed in an emergency, a DR plan should be developed. Recovery of critical business functions can be addressed by BC plans.
2. Preparedness
Preparedness builds on data gathered from the mitigation phase. It is an ongoing activity that identifies critical tasks and activities necessary to build, improve and sustain the organization's operational capability to prevent, protect against, minimize the severity of, respond to and recover from disasters.
Key criteria to address during the preparedness phase include the development of plans and policies, employee training programs, communications resources and emergency supplies.
3. Response
Included within emergency management plans, policies and procedures are specific activities to minimize the short-term direct effects of an incident threatening life, property, environment or critical systems. These activities are launched when the incident management team determines that the nature of the event is sufficiently challenging that they must initiate the emergency management plan. This might require authorization from senior management.
Response activities are designed to manage the event with the goal of stabilizing the situation and helping to de-escalate it such that a determination of next steps can be made. Decisions made at this time can be used to initiate recovery phase activities.
4. Recovery
Once the effects of a disruption have been stabilized and/or brought under control, businesses can launch the recovery phase. Activities in this phase include the planning, development, coordination, and execution of plans for the restoration of impacted facilities, communities, and business and government operations. These goals can be achieved through a partnership of individuals, private-sector, non-governmental and public assistance agencies.
Recovery phase activities must be flexible and adaptable to the aftermath of a disruptive event. It is often a good idea to establish emergency management programs -- especially recovery activities -- with an "all hazards" approach to be adaptable to a broad range of events. A comprehensive list of potential vendors, service companies and contractors can help facilitate the recovery process.
Levels of readiness
The only true way to determine an organization's readiness for emergency management is to experience the event and see what happens. Lessons learned from the experience can identify what the IT and recovery teams need to obtain better results in a future recovery. Exercises are the next best way to evaluate readiness.
There are four levels of readiness organizations fall into: basic, intermediate, advanced and expert.
Level 1: Basic readiness
The organization has a fundamental awareness and understanding of potential hazards and their impacts. Level 1 organizations have primary preparedness measures in place, including access to emergency contact information and basic supplies. Organizations at this level have minimal training on emergency procedures and no formal emergency management plan.
Level 2: Intermediate readiness
The organization has enhanced awareness and understanding of specific hazards, especially those that might occur locally, such as natural disasters. The business has a basic stock of emergency supplies, as well as awareness of evacuation routes and shelter locations. Employees at Level 2 organizations participate in and conduct emergency exercises, and the organization has a minimally detailed emergency management plan in place.
Level 3: Advanced readiness
Advanced organizations have highly detailed knowledge of local hazards, risks and threats as well as a basic knowledge of potential vulnerabilities. Level 3 organizations have a good supply of emergency resources, including medications, critical documents and specialized items. Employees regularly participate in community emergency response programs. Organizations at this level have a detailed emergency management plan.
Level 4: Expert readiness
Level 4 organizations possess expertise in emergency management and response, such as through FEMA training or local exercises. These businesses have thorough knowledge of local and regional risks, threats and vulnerabilities. They have a large and extensive supply of emergency resources, as well as a strong knowledge of BCDR and its role in emergency management.
Expert readiness organizations hold leadership roles in community emergency planning and conduct frequent training in incident command systems, evacuation management and emergency response. They have a comprehensive emergency management plan and regularly run exercises and simulations to maintain readiness.
How to build an emergency management plan
Following is a list of activities outlining how the four phases of emergency management fit into an overall plan.
Mitigation
- Establish an emergency management project team.
- Secure approval from senior management.
- Designate an emergency program manager.
- Establish an emergency management committee to administer the program.
- Perform a risk analysis and develop preventative activities.
- Perform a BIA.
- Develop incident management and BCDR plans in conjunction with emergency management.
Preparedness
- Develop incident-specific guidance.
- Ensure that sufficient communications resources are available.
- Ensure that emergency notification systems are in place.
- Establish protocols for coordinating with external entities.
- Schedule and conduct training for emergency teams and employees.
- Schedule and conduct exercises of critical plans.
- Ensure that supplies and resources needed for response and recovery are available.
Response
- Ensure that evacuations are carried out according to plan.
- Ensure that the incident response plan can trigger emergency management activities.
- Monitor and manage response activities according to the established plans.
- Determine when the event has successfully been addressed and is no longer a threat to the organization.
- Communicate with employees and stakeholders on response activities.
- Establish links to transition from response to recovery activities.
Recovery
- Review recovery activities with senior management and the appropriate teams.
- Communicate with employees and stakeholders on recovery progress.
- Determine when the recovery has made it possible to resume business operations.
- Commence plans for repatriating employees to their offices.
- Conduct a post-event program review and evaluation.
- Review and update plans, procedures and policies based on lessons learned from the incident.
- Provide a briefing to senior management on the event.
- Launch a plan and schedule for periodic emergency management program reviews, audit preparation and continuous improvement.
Paul Kirvan is an independent consultant, IT auditor, technical writer, editor and educator. He has more than 25 years of experience in business continuity, disaster recovery, security, enterprise risk management, telecom and IT auditing.