Nathaniel Forbes

BCP Confidential

By Nathaniel Forbes

Blueprints for Business Continuity Planning


Emergency response the weakest link in organizational resilience

Posted in BCP Confidential by Nathaniel Forbes on 2008/10/16 10:52:16

I think of organizational resilience as a chain that links security, emergency management (EM), disaster recovery, business continuity management (BCM) and crisis management. A resilient organization deploys appropriate security, has an IT disaster recovery plan, exercises its business continuity plan and has a separate crisis management plan.

But most organizations do not make EM plans, in my experience. EM in the private sector is the weakest link in the resilience chain. That may be because there are substantial differences between EM and BCM in scope, scale and skills.

Scope
One difference between EM and BCM is methodological: in any disaster, EM (actually, emergency response) comes before BCM. Emergency response precedes disaster recovery, crisis management and business continuity. When the fire alarm starts ringing, when your building starts shaking, or when water begins to cover your shoes, it's an "emergency". It's more than an incident, but not yet a catastrophe. There is immediate danger to life and health (IDLH) in an emergency that differentiates it from a "crisis".

Business continuity, on the other hand, covers the period after the fire is out, after the building has stopped swaying, after the flood recedes--after the emergency has been managed. Historically, the scope of BC planning included only disaster recovery for computers; it gradually expanded to include business process recovery or continuity.

EM, however, is still outside the scope of every BC plan I've ever read. BC plans may address risks of earthquake, terrorism, fire and power failure, but one kind of risk that's never listed in a BCP is an "emergency".

My observation is that companies that have BC plans don't have EM plans, and vice versa. Companies in manufacturing and process industries have EM plans and EM staff, often under an environmental health and safety (EH&S) department. Companies in banking and other service businesses, however, have BC plans, but no designated emergency manager. Some organizations have elements of both: hospitals and retail stores come to mind.

EM and BCM have different objectives, and therefore differences in scope: EM aims to protect lives and property, while BCM aims to protect a commercial entity. A BC plan assumes that most of the people who must execute it will be alive and safe, competent for active duty. An EM plan assumes there probably will be injuries or casualties. The basic premise of a business continuity plan is that an organization will somehow have enough human resources to continue, sooner or later. The basic premise of an emergency plan is that business is secondary to life, health and safety.

BCM is commercially-driven and EM is politically-driven. In the public sector, EM funding is driven by political considerations (for example, building levees in New Orleans). BCM funding decisions may also be "political", but the motivations are primarily commercial (to protect stakeholder value) and regulatory. BCM is still an optional activity in most parts of the private sector; EM is mandatory in the public sector. EM is your tax dollars at work; BCM is your investment dollars at work.

Scale
To greatly simplify, BCM is for companies, and EM is for communities. BCM is private-sector, EM is public-sector. Companies have business continuity managers; cities, provinces and federal governments have emergency managers. Yes, some factories and process industries have emergency managers, as I suppose there must be towns somewhere that have business continuity managers. I don't know of a single bank with an emergency manager, but every bank has a business continuity manager.

Emergency managers assess large-scale natural hazards like typhoons and earthquakes, within a designated territory. BC managers assess risks like power failure, computer crashes and denial-of-access at a designated location. The 15 National Planning Scenarios for which U.S. emergency managers are required to prepare include anthrax, CBRNE and food supply contamination. You don't see those in business risk assessments, and you don't see many BC plans that address them, either.

A BC plan focuses on one company, sometimes just one building, often just an office. No matter how large the company, its BC plan covers the people, processes and infrastructure of only that company. An EM plan coordinates the responses of multiple agencies providing emergency response, communication, medical care, water, food, shelter, power, sanitation, victim assistance, management of volunteers, search-and-rescue, debris removal, identification of casualties, mortuary service, site security and forensic investigation over an area as large as the Irrawaddy region of Burma, or as small as Kuta in Bali.

Emergency managers coordinate the responses of people who have different bosses, different budgets and different briefs. BC managers coordinate the responses of individuals who, whatever the differences in their responsibilities, ultimately have the same boss, are working under the same budget, and have the same company name on their business cards.

In EM, there is at least one widely-accepted American system (and several international variants) called the Incident Command System (ICS) for scaling up headcount as the scale of an emergency increases. There is no single, internationally-accepted structure in BCM.

In fact, completely missing from both public and private sector planning are links between them. Have a look at this diagram of the ICS structure. Who in that organizational structure tells the property manager of your building when it's safe for your IT staff to get in to assess the damage? Now have a look at your own company's business continuity plan. If you're in a multi-tenant building, like many companies in Asia, your BCP says the property manager is the liaison to the first responders. So, if someone in your IT department is missing after an evacuation, who can the property manager ask--who can you ask?--to find out if your IT person has been taken to the hospital, and if so, which hospital?

After the threat of terrorism manifested itself in the West, public sector officials and private sector executives suddenly realized how much they needed each other's help, so a fountain of public-private partnership initiatives has erupted in North America. Similar initiatives have not yet started bubbling in most of Asia.

Skills
A BC manager has to understand "the business"; an emergency manager has to understand "the territory". BC managers manage impact; emergency managers manage consequences. An emergency manager learns first to assess the situation; a business continuity manager learns first to notify someone.

An emergency manager assumes there is no way to avoid the consequences of a sudden, unplanned, severe event--no matter how much time and resources he spends. A business continuity manager assumes there is some way, given sufficient time, money and thought, for a business to continue to function through any incident--no matter how severe the impact.

An emergency manager focuses on the human consequences of an event: water, food, shelter, medical care, sanitation and casualty management. A BC manager routinely delegates those concerns to a Human Resources department that is nearly always under-staffed, under-trained and under-equipped to provide any of those. I don't meet many HR professionals who could bandage a wound, give CPR, provide psychological first aid or tell an employee's next-of-kin that the employee died at work. An HR professional is no substitute for an Emergency Medical Technician (EMT).

A business continuity manager, by comparison, focuses on commercial impact: lost sales, failed transactions, broken supply chains, crashed computers, network failures and unhappy customers. Understanding information technology is probably essential for most BC managers; understanding human psychology is probably essential for most emergency managers.

Emergency managers have often worked for police or fire agencies, or were in the military. Business continuity managers often worked in IT and migrated to the business side (voluntarily or involuntarily). As a further sweeping generalization, a BC manager is likely to be a university graduate; an emergency manager might very well not be, although that is changing.

There are well-established professional credentials for both professions: MBCI and CBCP for business continuity professionals, CEM for emergency managers. As in many professions, on-the-job experience is more valuable than a professional credential, although it seems that those with recognized credentials may get paid more than those who don't have credentials.

Forging stronger links
Every disaster requires EM--no matter who provides it--and every disaster causes business impact of some kind, no matter how large or small the affected businesses are. The scale of the community and business impact, in people and dollars, will simply be greater in the high-density urban centers of Asia than in rural areas. A stronger EM link in the resilience chain will help companies, communities and resilience professionals everywhere.

Employees and their families often turn first to employers for assistance in a disaster, and they have come to expect those employers to be able to respond quickly. No one in Europe or North America called the Phuket (Thailand) police department for help finding family members after the 2004 Indian Ocean tsunami. Instead, they called companies where their loved ones were employed. That's not business continuity, that's EM.

Organizations provide their employees with healthcare, retirement planning, insurance coverage, even income tax withholding. Whole businesses have developed in the last 20 years to help companies monitor threats around the world, to provide instant alerts, and to advise, track and rescue traveling employees; that scope will eventually include appropriate elements of emergency management, too. Resilient organizations will begin to aim for self-sufficiency in emergencies, because first responders simply do not--and will not--have the resources to manage consequences alone in a widespread disaster event, neither in New Orleans nor in Nepal.

Communities may conduct awareness campaigns, acquire disaster equipment, train their first responders and cajole their citizens to be prepared, but to be genuinely resilient, communities need companies to do some of the heavy lifting. The financial and human resources available in the private sector dwarf those of the public sector. The tents, tools and toilets that comprise the basics of emergency response are purchased from or donated by the private sector. Even if those resources are donated by non-governmental organizations (NGOs), they are manufactured by companies.

A community's first need in the recovery phase of EM is restoration of economic (that is, business) activity: jobs, building materials, investment. Those come from the private sector; they will come faster and more effectively if companies can understand how they can "plug in" to the community's recovery effort. The Corporate First Responder Scheme (CFRS) in Singapore is just a first manifestation of public-private partnerships in Asia linking emergency management and business continuity. There will be many more.

Silos of expertise ensure resilience professionals are competent in security, disaster recovery, business continuity or emergency response, but specialization also inherently slows an organization's response to an emergency, and it can limit a professional's prospects for advancement. If resilience means linking professions, it also means improving the skills of resilience professionals. Skills in emergency management seem to me a logical extension of skill in security, IT disaster recovery, business continuity, crisis management and disaster relief.

A basic organizational imperative is an "urge to merge" responsibilities: BCP and IT disaster recovery, EM and EH&S, security and BCM, operational risk and other kinds of enterprise risk. The results of such combinations have not always been copacetic, in part because of the differences I have described.

How will resilience professionals in the private sector advance their careers in the future? By increasing their scope, scale and skills to move up an organizational ladder. How will resilience professionals in the public sector advance their careers in the future? By increasing their scope, scale and skills to move up an organizational ladder--or by moving into the private sector. The more they each know, the easier it will be for them to land the resilience jobs of the future.

A BC manager who understands human impact, and an emergency manager who understands business impact: they would both be good for any community.

Postscript: I wrote down a great quotation to use in this article: "Organizational preparedness requires that responders become teachers." I cannot find the citation for that quotation, however. If you're the author of that quote, or you know who is, I'd like to attribute it to the correct person. Please send me a note.

Disclosure: I am President of the Asia Council of the International Association of Emergency Managers, and a member of the Business Continuity Institute, both mentioned in this article.





Disclaimer:
Views and opinions expressed in this blog are the author's, and do not necessarily represent those of ZDNet Asia.

Talkback 1 comments

Emergency response the weakest link in organizational resilience
In the realm of risk, unmanaged possibilities become probabilities. As CIO, I'm always looking for ways to help my team, business teams, and ad hoc measures of various vendors, contractors and internal team members. A book that is required reading (specific chapters, depending on nature of projects) is "I.T. Wars: Managing the Business-Technology Weave in the New Millennium."

It has great chapters on security, disaster preparedness, and many others that relate. We keep a few copies kicking around - it would be a bit much to expect outside agencies to purchase it on our say-so. But, particularly when entertaining bids for projects and in the face of challenging change, we ask potential solutions partners to review relevant parts of the book, and it ensures that these agencies understand our values and practices.

The author, David Scott, has an interview here that is a great exposure: (web link)

The book came to us as a tip from one of our interns who attended a course at University of Wisconsin, where the book is in use; I like to pass along things that work, in the hope that good ideas continue to make their way to me. I hope you can make use of this info...
Posted by John Franks on Friday, October 17 2008 09:43 AM

About the blogger

Nathaniel Forbes

Nathaniel Forbes is the director of Forbes Calamity Prevention, a Singapore-based consulting firm providing business continuity, crisis management and emergency response advice and training to multinational companies, with a focus on companies with offices in Asia. The firm is 10 years old. FCP's current and past clients include Singapore Exchange Ltd, OCBC Bank, AXA Insurance, The Gillette Company, Siemens and ABN Amro Bank. A former President of the Singapore Computer Society’s Business Continuity Group, Nathaniel passed the DRII’s Certified Business Continuity Planner (CBCP) examination in 1997. He has lived, traveled or worked in Asia since 1973.