Extreme Emergency Management

For most of us in business and government, 9/11 was dramatic not just for the enormity of the acts committed against innocent civilians, but for the reality check it brought to our inconsistent application of emergency management. No doubt, there were some pioneers out there pushing their organizations to embrace comprehensive evacuation plans, bomb threat responses, suspicious package protocols and even weather-related disaster preparedness. But despite the first attacks on the World Trade Center buildings in 1993, the development of these types of plans was erratic. In fact, even in my organization, which is based in New York City, the charge by senior management to develop these plans was agreed to only reluctantly in the months leading up to 9/11.

I was in my office that morning six years ago. During a regular call my wife explained that some type of aircraft had flown into one of the World Trade Center towers and that she was watching Good Morning America to get updates. I advised our senior management team appropriately but cautiously. I found it hard to believe that someone could have crashed a plane mistakenly into one of the towers on such a beautiful day. On my second call home my fears were confirmed, as my wife explained in horror that the television had broadcast the story of a second plane crashing into the other tower.

What happened in the hours succeeding that call became the foundation for many of the emergency response efforts embraced by our company. We had no comprehensive emergency response plan and no predetermined managerial hierarchy to make decisions during a crisis. As a result, we had no formal means to communicate our company’s plan for maintaining operations that day or in the days that followed. Frankly, we looked disorganized as departments made decisions independently from other departments, sending some people home and creating confusion. While I commend our senior management team for the steps it took that day and after, its most important decision during the morass of that day was to call for the immediate development of an emergency response plan.

Opportunities and Obstacles

With every call to action, and specifically with respect to emergency response management, there are opportunities and traps. The obvious opportunity enabled security to assume responsibility and develop an emergency response plan. In cases where a plan already existed, security transitioned it into a living document, dealing with the modern challenges of moving employees to safety, either through evacuation from a facility or through “invacuation”—moving employees to an internal safe zone away from an external threat. Security was also motivated to expand the application of emergency response to address other events that could disrupt business, such as suspicious packages (particularly after the anthrax issues), civil disorder and incidents involving industry-specific hazardous material. One aspect of emergency response that our organization addressed was power outages. At the time, a protocol to address power outages was considered extreme by some of the company’s management team until the August 2003 blackout occurred in New York City.

However, I believe it was the more subtle opportunities that most dramatically impacted security’s credibility within the organization. Let’s face it, security does not always engender positive characterizations. This opportunity gave us the ability to provide a positive service to employees in a visible and tangible way. Moving people to safety during a crisis or enabling a business to manage effectively through a disruptive event is wonderful internal PR for a support organization like security. Additionally, emergency response planning built interdependencies between security and human resources, operations, sales and real estate services. Security leveraged this responsibility to open the door to all facets of the business, even the resistant ones. Security even developed metrics and reporting around emergency response, so that it could provide process improvement data. For example, in one of our operations, security was able to quantify the impact of false alarms by landlord-owned life safety systems. The information drove our real estate attorneys to address the topic more specifically in our leases.

This period also has presented certain traps in emergency response planning that could have negatively impacted security departments. Unquestionably, there was an emotional ingredient to planning that affected security executives. The pendulum swung, and the positioning to plan for all emergencies or incidents threatened to take precedence over scalability. At its worst, planning for all extremes translated into security seeking sizable budget increases to support resource needs that in the long run were not sustainable. The planning-for-all-extremes position may make others see security managers as fearmongers. When security’s planning is out of touch with the true risks to the business and employees, they will not be welcomed at the budget table or in the employee lounge.

To me, nothing exemplifies this issue of scalability better than the planning and posturing surrounding the Asian bird flu pandemic. Some businesses, such as those in the financial world, need to build robust emergency response plans because the financial markets must be maintained. But if the pandemic does become reality, do luxury retailers or theme park owners really need to develop a plan to keep their doors open for customers, rather than simply planning to bridge the financial gap for their employees during the outbreak?

Sticking to Your Principles

Successful emergency response is completed by keeping to some very basic principles. First, the plan must have the full endorsement of the company’s senior management. This will give security the proper funding to execute the plan correctly, and it will allow for an understanding of the plan’s decision-making hierarchy during times of crisis. For example, our plan required us to establish an executive decision team made up of the top three executives available during an emergency. Our senior management team members were required to force-rank themselves so that an executive decision team could be created quickly. Had this procedure been in place on 9/11, we could have removed much ambiguity and reached decisions that affected our employees and business operations much more quickly.

Second, the size of the emergency response plan must be scalable and relative to the risks. Business or security has to avoid the trap of taking a plan too far. For example, at considerable expense we instituted emergency communication hubs and safe havens on every floor of our New York City campuses. As excessive as it sounds, it was agreed that each department and floor on our campuses needs to be able to go to one place for access to news, to receive direction from our emergency management teams and to evacuate if necessary. As a strategic executive, it is the CSO’s responsibility to know his organization and to scale plans appropriately.

Third, the plan to move people to safety during an incident must be in place, communicated to all employees at every company location and drilled consistently and comprehensively. Typically this is the organization’s fire evacuation plan, but there are other conditions where evacuation is not the preferred response. If a company’s decision is to create only one plan, then this “life safety” plan is it and no other plan should precede its development. When an organization commits to an emergency response plan, whether it is limited to a life safety component or with protocols to address various types of emergencies, the organization must commit the proper resources to support it. For example, we’ve committed to placing emergency information centers on every floor of every facility, in employee lounges and copy centers, with detailed response guidelines for employees, as well as detailed graphics of evacuation routes and assembly areas. Additionally, we’ve placed evacuation cards at the fire exits at every facility for employees or visitors to grab on their way out the door.

Last, I will combine the communication network with training and testing because, in my opinion, both these components require a single organization to be responsible and accountable for their development and maintenance. And I believe strongly that security is the ideal team to be responsible and accountable.

The communication network is a living document that is readily updated and incorporates all the necessary contact numbers for the members of the organization who participate in the plan. It’s key that it be kept current. Security should work closely with the organization’s IT team to introduce a call network technology that prompts the participants in the plan to update their information regularly; this will be available through the company’s intranet and also via an Internet portal. Right now, our communication network has contact information for more than 300 participants around the world, who update their data monthly through a Web-based tool.

With respect to training and testing, security must ensure that the entire population go through training at least twice a year and that participants in the plan go through training quarterly. The training must be scenario-driven. My team develops generic tabletop exercises for every division on a quarterly basis. These tabletops allow us to validate and improve all aspects of our emergency response plan.

An old business axiom says you must have the right product, at the right time and at the right place. Emergency response planning is no different. There is no greater product that security can provide to an organization than a life safety plan.

CSO Undercover is written anonymously by a real CSO. Send feedback to csoundercover@cxo.com.

Copyright © 2007 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.