By E. Floyd Phelps, CPP
Emergency response and disaster management plans shouldn't be filed away until the day they are needed; they should be tested regularly to identify weaknesses and improve the plans. Learn the eight major areas that must be tested and how to stage an exercise.
The company has just hired a new security director.
He reports to work bright and early for his first day, gets the usual welcome tour, and begins to acclimate himself. At his first meeting with his assistant, they talk about the company’s priorities and problems the department is currently working on. Among the many questions he asks is: “Do we have an emergency plan?”
“Sure,” the assistant says. After digging around for a minute or so, he finds a large bound volume in the back of a file cabinet. The new executive has just realized that the emergency plan is probably the organization’s best-kept secret. Not a good sign.
Emergency response and disaster management plans must be updated and rehearsed regularly if they are to be of any value. Unfortunately, as in this case, they are often filed away until someone asks about them or until the day when they are really needed.
Cities and companies that take emergency planning and business continuity seriously know better. They conduct exercises regularly, usually rotating between simple tabletop simulations and full-blown exercises, culminating with interactive exercises that involve other agencies.
Let’s look at how security managers can go about setting up an exercise for their own company. For the sake of our discussion, we’ll assume that staff has had the appropriate training during the year. The objective of the exercise is to test both the effectiveness of staff training and the plan itself. Because frequency is the best way to achieve that objective, training should occur in some form at least once every three months.
Exercises do not have to be time-consuming. Employees learn better in short, lively training sessions. Short sessions are also easier to fit into everyone’s schedule. All employees, including upper management, should be involved. Each department should write its own specific training manual and schedule exercises to rehearse it.
Senior management needs to be aware of its responsibilities in an emergency. Human resources, legal, IT, and finance directors as well as the CEO will all have different roles to play.
What to Test
Whether the company develops the plan internally or with a consultant, there are eight major areas that need to be tested. Let’s take a brief look at each.
Internal communications. Communication deficiencies are the most cited problem in real emergencies. Because communications are so critical to a good response, any deficiency can have far-reaching ramifications.
Internal communication falls into two categories. First is the human factor; here, the issue is whether protocols are in place to ensure that critical information is shared among the appropriate personnel and departments. The second factor is technological: whether the appropriate equipment is on hand to facilitate the desired information relays.
External communications. While businesses recognize the importance of internal communications, they often forget or downplay the need to communicate information beyond the parties directly involved in the rescue operations, such as family members, neighboring communities, and the public at large.
Companies aren’t anxious to broadcast bad news, and in an emergency they instinctively want to block media access. But a disaster is news, and it’s better for a company to take a proactive approach to the reporting of the event. Businesses need to designate who the media contacts will be and to train them in dealing with media. They also must make sure that the plan addresses how media reports will be provided and where reporters will be housed. The media center should not, for example, be so close to the operations center that reporters can overhear unfiltered reports.
Similarly, there must be a plan for getting timely reports to family members and to the immediate community (the local media can aid in this).
The company should have people play all of these roles when the plan is practiced to ensure that none of these issues is overlooked and that the plans work as management intended.
Planners must ensure that communications systems operate smoothly. Sometimes it requires thinking outside the box. For example, when an earthquake hit California State University at Northridge, the only way to communicate with the off-university world was to station a person at an off-campus pay phone with a roll of quarters. Emergency responders all had radios, but they had overlooked a collapse in the phone system linking the college to the outside world.
Resources. What assets does the organization have at its disposal? What will it need in an emergency in terms of material and professional staff, including doctors, nurses, and technicians such as electricians? These issues need to be addressed as a part of the plan, and the solutions should be tested in the exercise. If something has been overlooked, better that it be revealed in a mock scenario than when lives are at stake.
Systems. The exercise should test not only life-saving capabilities but also business continuity. How quickly can the company get back to normal with systems such as payroll, billing, purchasing, and customer service? The company may want to test how IT departments would handle a disruption or a need to relocate. The objective is to ensure not only that systems can be brought back online quickly, but also that data is backed up and that operations can proceed from another location with remote access to systems and data if necessary.
Safety. The focus in an emergency is on saving lives, and sometimes that may cause first responders or volunteers to forget about their own safety. It is important to establish guidelines to prevent injuries to workers during recovery. There won’t be the same level of urgency in an exercise, so there won’t be the same tendency to ignore safety, but the company should be mindful of the need to raise awareness about this issue during the test.
Coordination. In addition to knowing what resources and personnel are needed, the company must be able to coordinate logistics to ensure that resources are deployed effectively and efficiently. Tracking personnel as they carry out their duties in an emergency will obviously be harder than during a regular working day. For example, planners must ensure that emergency workers get rest and time off in the absence of normal workday shift changes. The company must also be prepared for the fact that emergencies attract a large number of untrained volunteers. They will need clear instructions and close supervision.
Another issue is the staging and deployment of equipment, which is a full-time job that should not be left to chance. In addition, there will be copious donations of food and clothing that must be managed carefully. Emergencies also create quantities of debris and garbage that must be hauled away, usually a major expense. Planners can simulate garbage disposal in an exercise by writing this into their scenarios. Participants need to be aware that they will need resources and money to remove trash and debris.
Record keeping. In a real event, maintaining clear, accurate documentation is critical. The data collected after an incident should include information such as where it began and when the alert was sounded, as well as who responded and how quickly. Precise, thorough record keeping will help companies process insurance claims, file applications for Federal Emergency Management Agency aid, and handle any potential litigation.
Documentation will also form the basis of any postmortem analysis. That information will be used to determine the effectiveness of the response, identify problems, and propose improvements in the plan. In the event of problems, the data collected may be the basis for the company’s defense of its actions. Given the importance of accurately documenting everything, data collection protocols must be tested in an exercise.
Legal. In the chaos of a real emergency, there may be a tendency to take shortcuts that could create legal concerns later, which could prove as costly as the disaster itself. By thinking of these issues ahead of time and making them part of the planning and testing process, companies can minimize their exposure.
Emergencies pose many legal land mines, especially for private organizations. Volunteers must never be allowed to work without supervision, for example. Also, organizations should consider how to process legal paperwork in a crisis. For example, should they obtain legal releases before inoculating people at risk of infectious diseases like smallpox?
There are also legal considerations unique to the testing itself. Companies should use common sense and not expose workers to danger merely for the sake of making the exercise realistic.
How to Test
Once you know what you want to test, the next question is how to develop the test. There are two ways to proceed: hire a third party to conduct a turnkey exercise or develop your own exercise. Many companies choose consultants because it is by far the easiest route.
Unfortunately, many training companies base everything on prepared scripts, which they adapt after just a couple of interviews with a client. This approach generally does not directly test all of the company’s own specific procedures. Instead, it can lead to jarring inconsistencies during the exercise. For instance, one exercise that I am familiar with simulated a poison gas leak in access tunnels that could not have affected the buildings in which the exercise took place. Although these inconsistencies might seem harmless, they often stand out in the minds of participants and undermine the sense of realism the event is meant to create.
Hiring consultants may also increase costs dramatically. And that could be enough to sour senior management on the concept.
The alternative is the do-it-yourself approach. I have conducted or participated in every type of emergency exercise, and based on that firsthand experience, I strongly recommend self-produced events. Not only are they less costly, they are more educational, because participants gain knowledge by developing the exercise, rather than just carrying it out.
Don’t get me wrong, the preparation is time-consuming and most producers go through increasing stages of panic as the event draws near. But real emergencies are panic-inducing situations too. Learning to deal with events as they occur and relying on your team to get the job done is an invaluable experience.
Teamwork. Anyone developing an emergency exercise must understand that they are the producer, not the star of the show. Therefore, the first step is to form a planning committee. Committee members can be rotated at each exercise. Planners should consider which aspect of the plan is to be tested and recruit committee members from the departments to be included in the exercise.
Key committee members will also include the security director and representatives from the engineering, IT, human resources, and finance departments. A senior executive, usually the chief financial officer, should also be present since upper management will inevitably be involved in handling a crisis. Executives must know what is expected of them in such a situation. An alternate should also be nominated in case the executive is traveling.
Test parameters. The team must first decide on a disaster or series of disasters that will test the selected part of the plan. Planners should avoid exotic emergencies and select an event that could occur. It makes no sense to simulate a volcano eruption in New Mexico or a tsunami hitting Kansas, for example.
Test format. Once you have a scenario and test objectives in mind, the next question is what type of test format to use. I recommend that a would-be producer start small by suggesting that the committee begin with a tabletop exercise, which can be managed more easily.
Tabletop exercises. A tabletop exercise is a scripted scenario led by a facilitator, who presents a number of incidents to which participants respond. The exercise, which usually lasts two to three hours, is conducted in a low-stress environment. Its purpose is to familiarize participants with the workings of the emergency plan and to identify deficiencies.
Although development of the training scenario and planning for the event remain as they would be for a more elaborate role-playing exercise in the field, the tabletop session is usually kept simple. Most are presented using PowerPoint slides that set the scene with the disaster event and various outcomes. Depending on the number of participants, the exercise may not literally be conducted at a table. Some of these tests are even held via teleconferencing when participants are located in different cities or countries.
More elaborate tabletop exercises incorporate interactive elements, including props and models. Miniature buildings and model cars, armored vehicles, and helicopters represent locations and responding agencies. These sessions usually involve fewer people since they are usually gathered around a table.
The security manager may ask participants questions to get them involved in the action. Then injections (a technical term for emergencies or problems that emerge, making recovery more difficult) are introduced and need to be resolved. A discussion should follow the formal exercise to deal with any additional questions, problems, or deficiencies.
Tactical exercises. Tactical exercises are the next step up the ladder. The scenario format in this case remains the same, but participants become “players,” with hands-on involvement. The test is usually very narrowly focused on one aspect of the plan.
One exercise I was involved in was set up to test a new call service. All participants received a telephone message at 4:00 a.m. telling them to respond to the Emergency Operations Center (EOC) as soon as possible with their official identification. This gave us an idea of how long it would take to assemble the group. We had the EOC already set up, with coffee and donuts ready.
This type of exercise takes four to six hours to conduct. It also requires at least an hour of critique time. Including a working lunch can reduce the playing time.
Each organization will need to develop its own training materials, but planners can get guidance from FEMA manuals or checklists. These can be adapted to meet each company’s needs or the objectives of each individual exercise.
Full-scale exercises. Full-scale exercises are the most complex format since they involve more people, more planning, and higher production costs. Specific incidents are staged. Actors play the parts of reporters, spouses, and the injured.
Partnerships, resources. Full-scale exercises require exhaustive, far-reaching planning. To make production more manageable, the company could partner with another organization that has successfully conducted exercises in the past. A company with similar resources and challenges would make a suitable partner.
Another way a security director can produce an outstanding exercise is to volunteer the company (with management support, of course) as the focal point of an upcoming state or local government-run exercise. Government officials get a building, participants, and a chance to interact in a realistic situation. The company benefits from professional planning and logistical help, which will produce a well-organized, realistic exercise. These types of pooled efforts often provide a more in-depth understanding of the challenges a company would face in an emergency.
Another excellent resource is the state’s homeland security agency. In my experience, state governments are willing to help develop scenarios, and they offer excellent ideas on how to carry out a successful exercise. They can also support all types of emergency training. These agencies are more likely to participate fully if the company’s plot scenario involves terrorism and/or weapons of mass destruction.
Government agencies recognize that real large-scale emergencies involve citizens, companies, and private resources, and they are incorporating these elements into their planning and training. Emergencies like Hurricane Katrina, the Florida wildfires, and the Virginia Tech massacre have reinforced the fact that government agencies are more successful when they are interacting with people at the emergency site.
Nongovernmental agencies, such as the Red Cross, Salvation Army, and other members of National Voluntary Organizations Active in Disaster (NVOAD) can also help plan an exercise. They can provide valuable advice and practical knowledge because they and their legions of volunteers are usually present at every major emergency, giving them a broad perspective.
Don’t forget to reach out to colleagues at your local ASIS International chapter. Many have conducted emergency exercises and can give you excellent advice. They also make superb observers who can later offer insights and feedback on how your exercise went.
Planning an event may seem a daunting task, but it is no harder than planning a well-executed company picnic. The advantages of a self-produced event include tighter control, company-specific training, better teambuilding, and lower cost. Try one and see for yourself.
E. Floyd Phelps, CPP, is vice chairman of ASIS International’s Fire & Life Safety Council. He holds a lifetime ASIS membership and is a member of ASIS’s Quarter Century Club. He is a frequent contributor to Security Management.