Last month, powerful tornadoes ripped through Oklahoma over a 12-day period, leveling buildings and killing more than 40 people in the process. Among the victims were 10 children, seven of whom were killed when a twister stuck an elementary school in the Oklahoma City suburb of Moore. Last fall, Superstorm Sandy struck the northeastern U.S., destroying numerous homes and businesses. The storm also knocked out power and communications for thousands of residents in the region.
The damage left behind in the aftermath of these acts of nature reinforces the need for organizations to incorporate comprehensive natural disaster management policies and procedures in their business continuity plans. Often times, however, security managers become so bogged down in the minutiae of every day operations that their enterprise risk management plans are neglected, rarely ever being updated of practiced.
According to Caroline Hamilton, president of Fort Lauderdale, Fla.-based security consulting firm Risk and Security, LLC, natural disaster planning should be a part of every organizations’ risk assessment regardless of their industry or location.
“Natural disasters are part of what you do when you’re doing any kind of risk assessment on a business, enterprise or facility. That’s a whole category by itself and that can be hurricanes, tornadoes or tsunamis, but it can also be simple things like flooding or chemical leaks or spills that occur in a city,” says Hamilton. “When I go in to do an assessment of something, whatever it is, the first thing I look at are the controls that they already have in place. These controls are important. They are as important as the threat analysis because the control is going to show you how to mitigate that threat - either how to reduce it or eliminate it so it doesn’t happen at all. Disaster (planning) is probably about 25 percent of what you do and making sure you can recover no matter what happens is really, really critical.”
Hamilton says one of the most frequent issues she sees in organizations is incomplete risk management plans. “That happens a lot times. Companies have good intentions and they start these plans, but they don’t finish them because they get sidetracked by some other thing,” says Hamilton. “You have to be disciplined enough to go back and finish them.”
These plans need to be updated and/or revised every year at minimum, according to Hamilton, who also recommends performing drills at least twice year. Drills for natural disasters can also reap benefits for planning and preparing for other types of emergency events.
“Something that people don’t normally associate at all with a natural disaster would be an active shooter,” says Hamilton. “But I was just at a conference where local police and DHS were there talking about how to deal with active shooters and they said having these evacuation drills and things that you do for a disaster or emergency drill in case of a fire, chemical spill or whatever, that those evacuation drills are very useful in an active shooter scenario too. A lot of security managers think, ‘active shooter, we’re going to lockdown the whole facility tight.’ They’re saying exactly the opposite in that they want to open it up completely because they want as many people as possible to exit out of that building. People remember what they practice.”
Michael Crocker, president of Houston-based security consulting firm Michael Crocker, CPP & Associates, Inc., says that organizations also need have someone from the outside review and validate crisis management plans. “I think it is really important to be peer-reviewed,” he says. “If you’re subject matter experts are in-house, you need someone out of the house to look at it and validate it.”