In the first article in this series, we explored the first step of the High Alert Institute’s four-step approach to disaster/business continuity risk assessment, planning, mitigation, training, and evaluation:
Step 1: Collate an All-Hazards list of planning scenarios
This article will explore Step 2: Use free government software to help you identify risks, mitigation, and write your plan. In this step, you will accomplish the following:
- Score the planning scenarios identified in Step 1
- Build a plan based on your risk scores
- Complete any special business continuity documentation required by those reviewing your plan
Visit the Institute Training Library Contingency Planning Section to download the software packages and resources detailed in this article.
Following the 9/11 terror attacks, a series of Presidential Executive Orders known as the Homeland Security Presidential Directives (HSPDs) mandated that every department and agency of the federal government develop and deploy All-Hazards disaster plans, tools, software, and training. Over the 21 years since these HSPDs were issued, most of these taxpayer-funded resources have been made available to the public online through the websites of the authoring agency. These same resources subsequently have become the foundation for disaster/continuity plans across many businesses and organizations.
To the average user, these disaster resources often appear very industry-specific. But remember that very different industries in the same locale are part of the same business ecosystem. Vulnerability scores and consequence scores for the same disaster scenario will vary from industry to industry. The tools to assess risk or write disaster plans, though, may be applicable across industries within the same federal, state or local region. This principle of transferable disaster readiness knowledge is especially true of the planning scenarios discussed in the last article and of the software tools we are discussing here.
The Administration for Strategic Preparedness & Response Risk Identification and Site Criticality Toolkit – or ASPR RISC Toolkit – currently is written to be specific to the Healthcare and Public Health (HPH) sector. However, this same objective and data-driven all-hazards resource can be used by any public or private organization to inform emergency preparedness planning, risk management activities, and resource investments. The ASPR RISC Toolkit provides users with nationally recognized standards-based evaluation criteria in an easy-to-follow, guided format.
Contained in the ASPR RISC Toolkit are three self-assessment modules written as Microsoft Excel workbooks (.xlsx). This allows users to achieve the tasks, as below:
- Identify external threats and internal hazards specific to their site by using objective national-level data
- Assess the vulnerability of their site based on industry standards and guidance
- Evaluate the criticality of and consequences to their site in the event of an incident
- Compare multiple facilities across systems, coalitions, and regions to identify dependencies and interdependencies in a consistent and repeatable method
- Quantitate the relative risk of hazards and threats to business operations
To use the ASPR RISC Toolkit, a non-HPH business needs only to answer questions as if the business is an administrative or federal office (not a hospital) and to answer any questions about “patients” as if the question were asking about “customers” or “animals in your care.” The ASPR RISC Toolkit is under continuous development and review in collaboration with government and private sector experts in emergency management, physical security, and cybersecurity. Reports from the ASPR RISC Toolkit will be used for the second half of Step 2 – answering risk and vulnerability questions in the Department of Homeland Security (DHS) Business Continuity Software Suite.
The DHS Business Continuity Planning Software Suite was developed to lead businesses through the process of writing a combined business continuity plan (BCP) and disaster response plan (DRP), including recovery of information technology systems. Functionally, the DHS Suite is similar to the guided question-and-answer model used in automated tax preparation.
Each industry sector has regulators, inspectors, and/or insurers who impose disaster/continuity planning requirements. Many of these third parties provide documentation for reporting the required plan, associated training, and exercises/evaluations. The DHS software is able to export the plan as a Microsoft Word (.docx) document that can be spelling and grammar checked, as well as used to complete such specialty documents. Simply cut and paste sections from the plan into the corresponding section of the specialty reporting form.
In the final component of the DHS software, there is a self-directed exercise for testing the newly implemented BCP and DRP. We will discuss this feature in the final article of this series. For more specific instructions and training on how to maximize your use of the DHS Suite, you can visit the DHS YouTube channel maintained for this purpose.
We are ALWAYS stronger together!
Future articles in this series will explore:
Step 3: Set up mutual aid relationship with your staff and vendors
Step 4: Conduct disaster exercises and after-action reviews
Visit the Institute Planning4Good Page for more information.