As a business leader, you may have a few questions that are answered below with respect to establishing your company’s business resilience program:
How does my company identify its vulnerabilities?
Risk is the probability of occurrence of a given threat combined with the severity of the consequence caused by the threat. So for example, a high-magnitude earthquake may have severe consequences in terms of property damage, but its occurrence is relatively rare. Thus, when occurrence and severity are combined, it may result in only a moderate risk. Risks are normally expressed as a function of cost, and a company’s risk tolerance is usually expressed as a cost threshold.
In this vein, Takouba recommends an all-hazards approach to evaluating the environmental threats that your buildings face. We use a layered defense approach to evaluate how your building would protect against these known threats. Any gaps identified in these inherent defenses create what are called vulnerabilities. Takouba uses a cost-basis approach to defining the consequences created by these vulnerabilities. Expressing consequences as costs allows business leaders to evaluate the severity of the risk relative to their business’s risk tolerance.
How do I use elements of risk to design my exercise?
Risks that cross a company’s risk tolerance threshold should be addressed straight away. Although many risks can be reduced by making some form of structural improvement to a building, or adding physical security features such as cameras or guards, sometimes risks cannot be reduced through prevention. Risks such as these force the business to manage consequences instead, and therefore to create response and recovery capabilities. Response and recovery capabilities are strategies, plans, technologies and training used by people to mitigate the consequences of a risk. By understanding the nature of the risk, realistic training and exercises can be designed around scenarios that drive people into the appropriate mindset.
Why should business units conduct regular exercises?
Regular exercises help your leaders develop confidence in the capabilities they have devised to mitigate the consequences of a given risk. Exercises test the effectiveness of these capabilities. A prepared company would start with discussion-based exercises and expand into operational exercises with evaluation on at least an annual basis. The results of the evaluation should then be used to identify gaps and create a corrective action plan. Understanding the risk, and how the consequences of the risk grow over time, gives planners the ability to devise effective strategies to mitigate the consequences.
Capabilities assessment – how do you measure the effectiveness of your organization’s response to a crisis?
Capabilities are actions by people, technologies, or other physical means a business has to mitigate a risk. While physical means such as a vehicle barrier can be assessed by straightforward measurements, actions by people are much more difficult to assess. Actions by people are governed by less tangible things such as judgment and knowledge. A business should capture each of these actions by people as observable tasks. Often, in critical situations, organizations develop plans, checklists and other tools to ensure people respond effectively in a stressful situation. These plans and checklists are then used as a basis for a capabilities assessment. During an exercise, evaluators are used as independent observers that look at the effectiveness of actions taken in the context of a simulated situation. Upon conclusion of the exercise, evaluators use a collaborative after-action review. They work with exercise participants to gather feedback about what was supposed to happen, what actually happened, what went as planned, and what didn’t go as planned. The feedback is then documented against the tasks that were to be performed by exercise participants. Gaps are identified and recorded in a Corrective Action Plan. Through successive exercises, the capability is refined and in some cases expanded. As people are trained again and again, they become much better at fulfilling their responsibilities in the response and recovery process.
Exercise promotes good health – What is an exercise, and what types are there?
We often hear that exercise promotes excellent health. Regular aerobic exercise combined with a good diet is shown to improve one’s survivability over the long term. The same is true for companies. Regular exercise reinforces essential relationships between responding entities. Regular exercise promotes a fundamental understanding of the response and recovery process among people responsible for these functions. It also shows line employees that the company is prepared and cares about the welfare of its employees.
An exercise is a form of collective training where groups of people are subjected to a realistic, simulated scenario, to which they are to respond. Exercises are normally evaluated, and the feedback is used in a learning context to improve the capability of the organization to manage the consequence of the risk. Exercises should NEVER be used as a part of an employee performance evaluation.
There are several types of exercises that range in degrees of complexity. The simplest exercise is a discussion-based “tabletop” exercise. The most complex exercise is the “full-scale” exercise. The most dynamic variation of these exercises is called a “game.”
In a tabletop exercise, stakeholders involved in the response or recovery effort sit around a table with a facilitator and an evaluator. A scenario is provided with consequences that are developed over time. The stakeholders then respond with actions in anticipation of the consequences. Tabletop exercises are normally used as a way to rehearse plans and determine if there are any glaring deficiencies.
A full-scale exercise and its lesser cousin the “functional” exercise are designed to train entire organizations. Functional exercises focus on a single function, such as a security response by an armed guard organization. In contrast, a full-scale exercise contains several functions that must be coordinated by a leader. For example, a building evacuation could involve the building management (engineers), the leaders of the business units on each floor of the building, and the responding guard force. It might also involve the use of technology such as closed circuit TV, radios, alarms and sensors, IT systems and evacuation devices.
The most dynamic form of exercising is called “gaming.” Gaming uses a thinking threat rather than a scripted consequences timeline. Since the threat is thinking, it creates more possible outcomes and therefore much greater uncertainty. Games are normally used to develop leaders by reinforcing the use of their decision-making processes.
Why does repetitive training prepare employees for a crisis?
Not knowing what to do in a crisis creates confusion and chaos. In the confusion and chaos, people have a tendency to act in survival mode and depend on their brain’s limbic system (lizard brain) to get them out of the crisis. By drilling employees regularly, a company helps employees to desensitize to the situation and maintain the use of the thinking part of the brain, thereby improving their survivability because they don’t panic and instead respond as they were trained.
Do you know who is coming to save you? – The importance of good relationships with first responders
As citizens in the United States, we have become accustomed to help arriving within 3 to 5 minutes of dialing 911. The US without question enjoys one of the best funded, most up-to-date emergency response systems in the world. This isn’t necessarily the case in other parts of the world where your company may be doing business.
Even in the US, it is important to involve your local first responders as a part of your exercise programs. Most public first responder organizations such as fire and police are willing to participate in exercises when invited by private companies. It helps them to understand your capabilities and determine if their capabilities are adequate on your premises.
Looking overseas, standards can vary widely with respect to training and expertise of first responders. Our experience in developing countries would indicate that the relative sophistication of their responders is much lower than what we have in the US. Therefore, an international company with locations overseas should evaluate the abilities of the local first responders by involving them in an exercise. Through the exercise process, the company may make a risk-informed decision to supplement the abilities of the first responders with some other means.
Why is it important to use independent evaluation?
Independent evaluators are more objective than in-house evaluators. Independent evaluators normally have more experience in the emergency management field and are often the source of suggestions for improvement. Also, you are guaranteed an honest opinion from an independent evaluator, since there is no potential conflict of interest.
Exercise planning organization – do you have the right people on board?
Most companies do not employ individuals who have the experience necessary to organize, plan, coordinate and conduct an exercise. Most of these resources are in the public sector as fire fighters, police, military or government workers who have been specially trained in emergency management and recovery.
How does my company sustain capabilities over time? – How time and turnover affect capabilities
Companies promote employees and sometimes lay them off, and employees quit or leave for a variety of reasons. So the question remains, how does this turnover affect your ability to respond to an emergency situation over time? Factors such as skill “shelf life” and turnover directly affect the ability of an organization to respond to a crisis. Skill shelf life is the normal forgetting curve an individual suffers when they don’t reinforce a skill periodically. A good example of this is cardiopulmonary resuscitation (CPR) training, which should be retrained every 24 months. When you exercise an organization collectively, people form relationships and fulfill roles within the response organization. When they are promoted, reassigned or otherwise moved out of the trained organization, this negatively affects the competence of the organization.
What is a corrective action plan? – How to implement improvement suggestions resulting from your exercise.
The corrective action plan is the culmination of an exercise event. Evaluators gather together after-action review comments from participants, and combine them with their own observations. These observations, in the form of improvement recommendations, are recorded on a register called a “corrective action plan” (CAP). The CAP identifies each task that was evaluated, and what comments are gathered against each one. The evaluator evaluates each task the organization performed and determines whether they are fully competent, or require more training to succeed at the task. The comments are then negotiated with business leaders and corrective actions are planned and assigned. The CAP register is then used as a device to track the completion of all items that require improvement. Often, these items are repeated in the next exercise to validate that the corrective action works.