Joined Up Working in Crisis, Emergency, and Security Response in the Chemical Sector
The Chemical Facility Anti-Terrorism Standards (CFATS) Risk-Based Performance Standard (RBPS) 9 – Response rightly points out that the emergency response and the security response to an incident must not be confused. The two are separate but complementary. Whereas the emergency response or crisis management plan deals with the broader implications of the incident, the security plan deals with the specific security issues raised by the incident at a tactical level. How do these plans fit together? How should organizations organize themselves to ensure the security operations and the wider response are coordinated? What other plans may be required to respond effectively to the impacts of a security incident?
Let’s start with some basic concepts and outline the various elements we would consider to be crucial to the successful response to a security incident. It should be noted here there is a whole world of terminology around crisis management and emergency response, with many terms used interchangeably. For purposes of clarity and for this article, we will briefly outline how we use the various key terms and what we consider to be the core elements of a successful security response.
- Crisis Management: the management of an incident in its widest sense, at a strategic level, usually at the corporate level, largely focused on the financial and reputational impacts of the incident, as well as ensuring those dealing with the tactical and operational impacts have the resources they need to carry out their role. This is underpinned by a crisis management plan.
- Emergency Management: the management of the incident at a tactical level, usually a site level. Here responders are responsible for the coordination of activities to ensure the incident is dealt with and to ensure the coordination of the wider site. This is underpinned by an emergency response plan, site response plan, or something similar.
- Incident Management: the physical response to the incident, a hands-on role where physical activities are undertaken. There may be several incident management teams. For example, one incident management team may be working on the security response, while another deals with the impacts of the security event on the operations of the site, such as containing any damage and mitigating the wider impacts. This team works at the operational level. The incident management teams are likely to work directly with other responders, such as firefighting support, medical support, hazardous spill recovery support, environmental restoration teams, and local law enforcement. Teams may deploy specific emergency standing operating procedures here or emergency operations plans.
- Business Continuity Team: whereas the crisis, emergency, and incident management teams operate to respond to the incident, the business continuity team will consider the impact the incident has on the operations of the site and determine a plan to recover those activities in line with pre-agreed resources. For example, the security incident may have deprived the site of essential supplies or may have led the site to shut down all or part of its operations. The business continuity team is responsible for ensuring there is a plan so that the site or wider company can continue to meet its obligations to its customers, regardless of the incident.
The effective response to an incident will look something like this:
Too often organizations only consider the first or second level response at the site level. Many organizations do not enact business continuity arrangements as soon as possible. Instead of planning their recovery from the beginning, they wait until the incident is over, dealing with each stage of the incident sequentially. This leads to a prolonged recovery with the tail of the incident dragging on much longer than it should. This approach only increases the financial, reputational, and operational impacts of the incident. Failure to activate the strategic crisis management team can also leave the organization and its executive team vulnerable. They may be caught off guard if the incident suddenly escalates or be unprepared for a media question about an incident they know nothing about.
How then do we address this? How do we ensure a holistic and coordinated response to a security incident?
Activation: Activation protocols are essential to ensuring the response to a security incident is swift and that all layers of the response are activated. Many organizations rely on manual call cascades for activation, where a switchboard will manually ring all of those required to respond. However, this can take a significant amount of time, drastically slowing the speed of response, which in turn will increase the impact of the incident. Other alternatives include more informal cascades, like WhatsApp or mass SMS, to activate teams. However, this approach can be hard to monitor and there is no confirmation that the individual is responding.
Mass notification tools are particularly effective at ensuring all levels of the response are activated as soon as required and providing access to all the information needed to implement their aspect of the response. Mass notification tools also allow for customized notification. For example, in a smaller scale incident, we may decide to send a notification to the crisis management team for information only – there is no need to respond at this stage. This information ensures the crisis management team are aware, should there be any media inquiries, and ensures they are ready to stand up if the incident escalates. Contact CHEMTREC to learn more about our mass notification services.
Command and Control: Command and control structures are essential to the effective coordination of an incident. FEMA’s Incident Command System (ICS) offers an excellent model upon which to build a crisis, emergency, and incident management response for your organization. This is the model that CHEMTREC’s Crisis Solutions implement when developing plans for clients. The system is flexible and scalable to the needs of the incident, providing clear links between the different plans and levels of command. It works for all incidents, regardless of their size, scope, or cause and should be implemented for coordinating an effective response to any incident which isn’t business as usual. Consider your operational lead as a primary conduit between the various command teams. Ensure your business continuity and recovery planning leads have clear feeds into the Incident Commander via the planning section or as a direct report.
Implementing an effective command and control structure with clear flows for communication between responders is essential. In a small response including three people, lines of communication are simple and there may not be any need for a structure other than to have a nominated leader, who can make any final decisions. However, as the incident and its response team grow, having clear lines of communication is essential. Look at the diagram below as an example. If the response team grows from 3 to 14 personnel, suddenly we grow from 3 to 91 different lines of communication, which is unmanageable. This situation requires a clear command and control structure, with tiered layers of communication, with each individual having between 3 and 5 direct lines of reporting. This ensures the joined-up approach.
Contact our consultants today to learn more about streamlining your communication during an incident or for a review of your organization’s command and control structures.
Training, Drills and Exercises: RBPS 9 – Response is clear on the need for training, drills, and exercises, whilst RBPS 11 outlines some specific training and drills to consider as part of a Security Awareness Training Program (SATP). However, when developing your SATP it is vital to ensure that both the technical and non-technical response elements of training are considered. Employees will need to train and exercise on the facility layout, specific hazards, and the specific technical response, as well as having the skills to work as part of a wider and coordinated response. Consider their ability to build up a picture of the incident – their situational awareness. Consider an employee’s ability to communicate effectively within their own team and the wider response. Additionally, ensure employees know how to make effective decisions and implement those decisions through specific leadership skills. The training and exercising of individuals should be much wider than just the technical requirements of their role; only when this takes place will the organization be able to deploy a truly coordinated response.
For more information, check out our e-learning Crisis Academy, which provides crisis management training on the foundations for an effective and coordinated response or speak to our team of specialists about face-to-face training for your organization.
There’s a lot more to the effective response to a security incident than many organizations realize. The good news is that many organizations already have the tools to launch a coordinated and effective response. By connecting crisis, emergency, incident and security management through a single command structure and activation protocol, the organization will see more coordinated and better managed incidents, which in turn will lessen both the impacts and duration of the incident. Contact our consultants today for a review of your arrangements and tips to improve your response.