SWS-2 Incident Management Plan Maturity Assessment
Sunday September 11, 1:30-4:30 PM
David Ziev, MBCP, MBCI
Ken Schroeder, CBCP
Deidrich Towne, MBCP, MBCI

AGENDA
o Introductions
o Module 1 Incident Management Planning Basics
o Module 2 Incident Management Plan Components
o Module 3 PPBI Maturity Model Overview
o Module 4 Assessing Your Plan
o Module 5 Review and Conclusions

Introductions
We learn best when we share backgrounds and knowledge. Share with each other:
o Your Name
o Position/Role
o Level of Incident Mgmt Plan experience
o Exchange business cards

Module 1 Incident Management Planning Basics

An Incident

Do You Have A Plan For.

What is an Incident Management System?
An integrated set of processes, tools and responsibilities that allow effective, efficient and economical management of any event that could (or does) impact normal business operations.
AC³
o Assemble the decision makers
o Coordinate response, recovery & restoration efforts
o Collect all incident related information
o Channel communications appropriately

Outlined in the plan
Solidified during Planning & Exercising
o Emergency Operation Center and Infrastructure
o Documented Procedures and Guidelines
o Emergency Management database & recovery plans
o 24 x 7 Instant Meeting Line
o Training / Rehearsal drills
Incident Command Systems (ICS)
o Incident Commander
o Safety Officer
o Public Information Officer
o Liaison Officer
o Operations Section Chief
o Planning Section Chief
o Logistics Section Chief
o Finance/Adm Section Chief
o Intelligence Section Chief

Channel Communications
[Diagram: communication channels around the EOC and AC³. Labels: Facilities, Safety, Security & Insur.; Finance & Purchasing; IT; Executive Management; Employees; Customers; HR; Media; Legal; Agencies; Shareholders]

Why do Incident Management Planning?
Effectively, Efficiently and Economically manage all aspects of a disruptive event throughout its lifecycle
o Links Technology Recovery and Business Recovery
o Enhance alignment - Private and Public Sectors
o Follows BC/DR Professional Practices
o Enhanced Life Safety; No additional staff required
o Protects company value; Prudent Management

The Quick Test
What will happen when your people are required to operate during a disaster?
o Use the telephone and signature test

Module 2 Incident Management Maturity Model Overview

The Dimensions of the Plan - AC³
o A - Assemble the Decision Makers
o C - Coordinate Response, Relocation and Restoration Efforts
o C - Collect all Incident-related Information
o C - Channel Incident-related Communication

Incident Management Maturity Model
PPBI Program Maturity:
o Level 1 = Inadequate
o Level 2 = Marginal
o Level 3 = Acceptable
o Level 4 = Outstanding
NFPA 1600 Self Assessment:
o Comments
o Nonconforming
o Partially conforming
o Conforming
Refer to the handout containing the PPBI Incident Management Maturity Matrix.

PPBI Incident Management Plan Maturity Model
Levels: Level 1 Inadequate, Level 2 Marginal, Level 3 Acceptable, Level 4 Outstanding

Functional Category: Assemble
o Level 1: Inadequate notification process.
o Level 2: Limited / outdated contact information.
o Level 3: Expanded contact information updated within 12 months.
o Level 4: Comprehensive contact information with automated process and response capabilities updated monthly.

Functional Category: Coordinate (Level 1 through Level 4, in source order)
o Just in time assignments; inhouse only.
o Emergency responsibilities preassigned with limited training.
o Coordination with appropriate emergency staff of opposite sector.
o ICS organization implemented. EOC equipped. Cross section leadership briefings.
o Functionally exercised command system within 6 months. Defined interrelationships between command staff and tactical operations. Cross sector stakeholders involved during rehearsals.

Functional Category: Collect
o Level 1: Limited staff to handle incoming calls (ad-hoc).
o Level 2: Staff trained in situation monitoring. I/P from multiple sources.
o Level 3: Incident Action Plan process utilized. Documentation system in place.
o Level 4: Electronic version of action plan and documentation system.

Functional Category: Channel
o Level 1: Timely information not shared with appropriate stakeholders.
o Level 2: Information disseminated/released upon request at irregular intervals.
o Level 3: Communicating to selected stakeholders regularly: PIO established.
o Level 4: Announced / scheduled media briefings to multiple stakeholders. Publicize known information. Trained PIO staff.

The Drill Starts Now

Corporate Readiness
o BIO Corporation manufactures high end cosmetics.
o Nationwide distribution as healthy, eco-friendly.
o Excellent reputation. Considered corporate leader in industry.
o Everything except manufacturing in this building: Accounting, Sales, Labs, IT, Corp HQ, Marketing, HR.
o Current business continuity plans are mainly limited to data center/IT. The plans use a recovery center, with plans to send IT staff to recover infrastructure.
o Estimated recovery time is 24 hours from disaster, but is highly dependent on when during the day a disaster strikes and on availability of travel.
o "We'll get to a full business continuity program in two years," said the EVP-Operations.

SITREP
o Typical Monday afternoon, mild temperatures, slight breeze.
o 14:15 PM FedEx delivers a package to corporate mail room.
o While sorting for delivery, mailroom intern notices: White powder everywhere

Immediate Response
What would you do first given this information?
1.
2.
3.

First Response
o Building evacuation
o Local TV media arrive with HAZMAT
o Employee makes film with video camera. Posts to YouTube. Video goes viral.

Powder Identified
HAZMAT initial field test indicates Bacillus anthracis, or Anthrax, a biological agent
http://www.bt.cdc.gov/agent/anthrax/needtoknow.asp

News picked up by wire services - Nationwide interest

Panic Sets In
What steps must be taken upon the receipt of this new information?
1.
2.
3.
Who is in charge of the scene; the facility?
1.
2.
3.

Containment
o Police set up inner and outer perimeters
o County Mobile Command Center arrives
o Fire department cuts building power. Emergency Generator for IT starts up.
o Fire department cuts generator to kill HVAC and stop the spread of White Powder, especially out of building.

IT Operations Threatened
How does this additional information pose a threat to the IT/IS operation?
1.
2.
3.
What steps become more important with this new information?
1.
2.
3.

Staff Exposed, Casualties Reported

Employees Affected
o 12 staff directly exposed. All taken to hospital.
o 120 possible minor exposure.
o 157 unaffected.
o DHS declares building a crime scene; occupancy not expected for at least three weeks, until investigation complete.
o Local TV station receives phone call listing the grievances:
  o Not eco-friendly
  o Uses animals for testing
  o People with side effects bought off for silence
o Of 12 direct exposures: 3 critically ill, 7 have controlled, but serious symptoms.

Notification & Response

Live Eye
What's your position?
September 11, 2011: At 1450 hours EST, FBI officials reported that WUTR Television received a phone call at its home office in Utica from someone claiming to be a member of AlterNOT. The caller claimed credit for AlterNOT in mailing the Anthrax-laced package. The caller said that other such packages have been mailed to multiple locations across the US, but didn't say where.

Who is downwind?
[Map: Your Town, Wind Direction]

Decisions
On what information can you base decisions at this point?
1.
2.
3.
Who has the authority to make these decisions?
1.
2.
3.

Additional Issues
o Board of Directors schedules emergency meeting. They want to know what we are doing.
o After 14 days, DHS returns the building to the company, but company must apply for certificate of occupancy AFTER cleanup completed.
o Acme Anthrax Attackers, Inc estimates it will take 7 weeks to clear the building and render it safe for occupancy.
o Neighboring corporations and residential communities extremely agitated, worried.

What Staff Is Needed?
How do you protect IT Services under these conditions?
1.
2.
3.
Who addressed the media concerns?
1.
2.
3.

The Problem
It is the first hour of response. Based on the preceding representative events, consider what actions and decisions you would be making during this period. Discuss your actions with the class.

Debrief
Discuss the entire incident.
What lessons might you have learned?
1.
2.
3.
What steps will you take going forward?
1.
2.
3.

Do you have an Incident Management Plan?
o What would you like to see included in an Incident Management Plan?
o Who would author the plan in your organization?
o How would the chain of command differ from the chain used in normal business?
Let's examine some recommendations.

Module 3 Incident Management Plan Components

NFPA 1600 2010 Edition
Disaster/Emergency Management and Business Continuity Programs
o Notices and Disclaimers Noted
o Additional Detail
o More Input from more stakeholders

Common Elements Comparison by Discipline

Common Elements of An Incident Management Plan*
o Functional Roles and Responsibilities
o Lines of Authority shall be established.
o Direction, Control, and Coordination
o Communications and Warning
o Operations and Procedures
o Logistics and Facilities
o Training
o Exercises, Evaluations, and Corrective Actions
o Crisis Communications, Public Information
o Finance and Administration
* (NFPA 1600, 2010 Edition, Chapters 4, 5, 6, 7, 8)

Functional Roles and Responsibilities
Identify the functional roles and responsibilities of the following during Mitigation, Preparedness, Response and Recovery:
o Internal and External Agencies
o Organizations
o Departments
o Individuals

Laws & Authorities
o The disaster/emergency management program shall comply with applicable legislation, regulations, directives, policies and industry codes of practice.
o The entity shall implement a strategy for addressing needs for legislative and regulatory revisions that evolve over time.

Direction, Control, and Coordination
o Develop the capability to direct, control, and coordinate response and recovery operations.
o Utilize an Incident Management System.
o Identify specific organizational roles, titles, and responsibilities for each management function as specified in the Emergency Operations Plan.
o Determine the level of implementation of the plan according to the magnitude of the incident.
o The Incident Management System shall be communicated to and coordinated with all stakeholders.
o Established procedures for coordinating response, continuity, and restoration while complying with applicable regulations.

Communications and Warning
o Communications systems and procedures shall be established and regularly tested.
o Develop and maintain a reliable capability to alert officials and emergency response personnel.
o An emergency communications and warning process/procedure shall be developed and periodically tested to alert customers or citizens of an actual or impending emergency.

Operations and Procedures
o Develop, coordinate, and implement operational procedures to support the Incident Management Plan.
o Particular attention shall be paid to considerations of life safety.
o Standard Operating Procedures are developed for identified credible hazards.
o Situation Analysis is conducted to include damage assessment and resources needed.
o Establish procedures for maintaining continuity of response via the Incident Management Plan.

Logistics and Facilities
o The organization shall establish procedures to locate, acquire, distribute, and account for services, personnel, resources, materials, and facilities procured or donated to support the response to the incident.
o A facility capable of supporting response and recovery operations shall be established, equipped, periodically tested, and maintained.

Training
o The organization shall perform an assessment of training needs, develop and implement a training/education program to support the Incident Management Plan.
o Personnel shall be trained in the organization's incident management system.
o Training records and documentation shall be maintained.

Exercises, Evaluations, and Corrective Actions
o The Incident Management Plan shall be evaluated through periodic reviews, testing, after-action reports, and exercises.
o Exercises shall be designed to test individual essential elements, interrelated elements, or the entire plan.
o After-action or lessons learned debrief sessions shall be conducted to ensure that corrective action is taken on any deficiency identified.

Crisis Communications, Public Information
o The organization shall develop procedures to disseminate and respond to requests for pre-disaster, disaster, and post-disaster information, including providing information to the media and to deal with their inquiries.
o Where the public may be impacted by a hazard, a public education program shall be implemented.

Finance and Administration
o The organization shall develop financial and administrative procedures to support the Incident Management Plan before, during, and after an emergency or a disaster.

Module 4 Assessing Your Plan

PPBI Incident Management Plan Assessment Tool
o Use the tool to evaluate your organization's Incident Management capabilities.
o Take 15 minutes to assess your plans against the common elements of an Incident Management Plan

Assessment Tool Discussion
o How did you do in each of the categories?
o What improvements would you like to see?
o How would you propose to make those improvements?
o Take these lessons learned and apply them to our next exercise

Module 5 Review and Conclusions

Not a Question of If, but When
Business and the Government are placing greater emphasis on being prepared.
1. http://www.ready.gov/business/index.html
2. Includes a Crisis Communications Plan
Your customers will demand resiliency. Your shareholders will depend on it. Our enemies know how much it matters to us.

We All Have Plans
o Have we evaluated them against standards?
o Can the PPBI Incident Management Assessment tool help you evaluate your plan?
o Have you exercised your plan in real time?

Discussion
o How do you feel your plan will fare in light of the considerations of the Incident Management Maturity Model from PPBI?
o What are the strengths of your plan?
o What are the areas for improvement?
o How would you create an Improvement Plan?

It's Important to
o Have a plan.
o Assess your plan against approved standards.
o Practice or exercise your plan in real time with your employees participating.
o Understand that fear, time, and quality will be issues during a disaster.

Who has the next question?
Please complete the evaluation form for this course. We take your comments very seriously to improve our courses.
Please visit our website at PPBI.Org, and keep in touch via e-mail to: Mail@PPBI.org