As a security executive overseeing a college campus, the range of things that can go wrong is extensive. And when your primary job is protecting a huge amount of people, many of them students, you better be ready for anything — from an active shooter, to an approaching tornado, to a nearby chemical spill or just about anything in between.
In the past, emergency and crisis management consisted mainly of adverse weather scenarios that were generally focused toward tornadoes and hurricanes, and ultimately took into consideration the wildfires in the West and Midwest — ultimately resulting in the creation of the incident command system. Today, with so many threats— campus security executives must have a crisis management plan in place and ready to go at a moment’s notice.
The trend I’m seeing is a movement away from a simple, baseline crisis management program that emphasizes emergency management and disaster recovery, to a more robust and diversified approach that integrates business continuity and enterprise risk management to create a holistic crisis plan and overall view of operations.
Peeling the Onion: Layers of Notification
Most events can be grouped into two levels: routine emergencies and crisis emergencies. The question is, at what juncture the routine emergency becomes a special event or crisis emergency, and who makes that distinction.
Baseline crisis management response plans should be focused on the deployment of “layers of notification” — this is necessary to ensure the full saturation of a potentially life-saving emergency message. You must be able to communicate with the entire facility and/or the entire constituents, and if the first method is unsuccessful, there must be a second, third and fourth option.
Many different modes of communication can be used based on the emergency situation (routine emergency or crisis). Let’s peel the layers of the “notification onion”:
E-mail only is sufficient only from a “routine emergency” standpoint where immediate notification is not a requirement — such as a broken water pipe.
Emergency Notification, either through SMS text messages, voice cell messages and e-mail, can apply to all occupants in a timely fashion (depending on the number of phone numbers), using a hosted delivery system. For example, at Kennesaw State University, Blackboard’s ConnectED system can send an SMS text message to approximately 30,000 recipients within two minutes. An additional voice cell message can be sent along with the text for backup notification, and e-mail can be a third layer. Additionally, the Kennesaw State University alert pop-up system enables a message to be sent to any computer on our network, regardless of location. This also serves as a redundancy in case cell phone messaging fails due to “dead zones,” etc. Messages sent via this system will remain on the computer screen until the office of Strategic Security and Safety removes the message.
Mass Communications Systems include siren and giant voice systems, and digital signage, among others. Individual siren systems at Kennesaw State are used for specific sheltering-in situations only, such as an active shooter scenario, tornado warning or hazardous material spill. The warning signal is distinct, and we have educated our students, faculty and staff what to do if they hear the sirens — seek refuge. There is a voice message directing people to seek shelter that follows the siren activation, but we greatly discourage anyone from going back outside to hear what the message is saying. At the same time, digital scrolling messages relative to the emergency alert is being sent to specific large-screen monitors throughout the campus buildings. This allows for notification to those who are moving between buildings.
Additional mass communications systems include fire alarm and fire panel notification interfaces. Fire annunciators now include a voice speaker that allows for a message to be sent throughout the entire facility on the same annunciator that alerts to evacuation procedure. This is a new part of NFPA 72, called the emergency voice alarm communications network —and it is a major change that allows sounds other than the tone to be sent for fire alarm evacuation. Some fire panels also include the ability to use a microphone to make announcements.
Of course, crisis management goes beyond technology. A critical layer of the onion is your relationship with local, state and even federal law enforcement — those who will ultimately assist you in your emergency response. Being introduced to the local police chief, sheriff or federal emergency management agency head at the time of an incident is not ideal. The relationship should be cultivated and pre-agreements made to ensure that their response plans fit into your plan of operations and emergency notifications. Of course, since many incidents are dynamic in nature, exact procedures need to be flexible in order to meet the ever-changing demands once different organizations are involved in an incident.
Organizational Survival: Ensuring Business Continuity
The baseline crisis management plan covers immediate response, and it must be accomplished prior to any discussion or movement into the business continuity and enterprise risk management areas of crisis management. Let’s face it, if you don’t know how to mitigate a crisis situation on your campus, you probably won’t know which critical systems and processes need to be immediately resumed in order to survive the catastrophe.
Business continuity, once called continuity of operations plans (COOP), are designed to identify those operations that are critical to your organization’s survival. A good example of this was the pandemic planning phase initiated some years back in order to ensure enough people were available to maintain operations during periods where many are sick. This effort actually revealed vulnerabilities with data systems, storage and retrieval systems, as well as the threat of cyber-attack on individual networks.
Our business continuity efforts at Kennesaw State began by contacting individual campus departments and entities to determine their critical components and vulnerabilities in sustaining operations. Critical components may include financial and payroll distribution, internal database systems and supply chain disruption issues—of course it depends on the individual situation.
Once the critical components and the personnel assigned to them are identified, plans should be put in place to ensure at least two others are trained to operate those systems, if necessary.
Since business continuity is an ongoing effort, the ability to track and maintain up-to-date information is critical, and there is different software that can be used. One of the main benefits of the software is the ability to cross reference individual efforts and personnel to ensure proper conflict/crisis resolution. The software can also prompt users to update any changes in personnel or their function as related to the business continuity plan.
At Kennesaw State, we use an application called BOLD Solutions to analyze previous business continuity information requests from 2006, 2009 and the present effort. This solution included training for personnel inputting the original data, as well as system administration training for the security personnel in the Strategic Security and Safety Department.
Bringing it all Together: Enterprise Risk Management
So how does enterprise risk management and its processes integrate with the overall emergency, crisis management and business continuity plan? A logical approach will ensure the identification of risk and continuity of operations. The diagram on the right depicts this concept at Kennesaw State. It illustrates the basic plans and procedures (at the bottom) and then moves up into the enterprise risk management directive, were all risks are identified and pushed up to the appropriate management level for a decision on mitigation or acceptance.
The process begins by identifying every department or entity on campus, potential off-site locations and any area that can affect campus operations. At Kennesaw State, this number represented approximately 200 individual units (called the Working Group). Many of the same people who were involved in the business continuity effort also became members of the enterprise risk management initiative.
One of the main issues identified was the interpretation and understanding of what each department’s objectives actually were. It took some time to make all the stakeholders understand that their individual objectives were going to be supported by the university’s overall strategic plan and goals, but once they did, we categorized them as strategic, operational, financial, compliance and reputational. This process is not easy — it took nearly six months to identify five individual risks for each of the five separate areas of concern. Since most of the personnel were unfamiliar with the enterprise risk management concept, education became a major component of the process.
Once we had a framework to identify and categorize different risks, each member of the working group was interviewed one-to-one to identify all individual risks and internal process concerns by department. More than 900 individual risks were identified; however, a vast majority could be compiled into a single risk affecting the entire university. When the weeding-out process was finished, there were approximately 100 substantial/addressable risks were then submitted for review by an Advisory Group that included representative from academics, operations, athletics, the KSU Foundation, student success, university relations, legal and IT. The Security Department was the interface and acted as the Project Manager.
The Advisory Group was tasked with reviewing the final risk areas and determining whether the risks were university-wide risks or department-level risks — and it was intense and sometimes heated. Those risks classified as department management issues were categorized as low to medium risk/probability, and were sent back to the department level for mitigation. Risks identified as medium to high risk/probability were referred to the enterprise risk coordinator for final determination as to whether the risk should be mitigated or accepted at the university-wide level.
Both risk levels continue to be monitored and mitigated through interaction with both the individual departments and upper management. By our protocol, medium to high risks were submitted by the enterprise risk coordinator to the President’s Cabinet for concurrence and to the University System of Georgia’s Board of Regents.
The Holistic View
The results of this entire process were enlightening. It illustrated how integrating a baseline emergency management, business continuity, disaster recovery and crisis management plans can help everyone in the organization identify overall safety and security objectives and how to mitigate risk; thus giving everyone a holistic view of the university’s operations.
For some, emergency and crisis management may be the primary goals to a safe and secure environment; however, being able to identify those risks through a specific process also provides justification and awareness for where more resources may be needed or a different approach should be adopted — benefits that can be realized by security executives in any market.
Robert Lang is Chief Security Officer for Strategic Security & Safety for Kennesaw State University in Georgia.