Webinar presenter Dr. Jeff Fox, PhD answered a number of your questions after his presentation, Continency Planning: Continuity of Operations, Planning, Resiliency, Redundancy, Disaster Recovery, and Crisis Communications. Here are just a few of his responses.
Audience Question: Is contingency planning similar to, or related, or the same as strategic planning. I know a number of people were kind of asking the same question. So, can you kind of juxtapose what’s the difference between these types of plans?
Dr. Jeff Fox, PhD: Yes. Yes, No, and maybe is the answer. Yes, I am not a lawyer (humor), but actually, it is an essence, but it really is unique. There are all sorts of plans out there. You know, there are specific plans for specific events. There are emergency operations plans, all sorts of different plans that you get. But really contingency planning or continuity of operations planning is specifically focused on the page we talked about. But it is strategic in nature. I would say, really if you think, well, strategic planning. You almost have to apply, it is a concept more than anything else to me, you almost have to apply that to a particular topic. So, it is very strategic in nature. So, in essence, it is, but it is really continuity of operations planning. Which is strategic if that makes sense.
Audience Question: What do we do if we aren’t sure that there’s a substantive contingency plan in our agency or having sat through your webinar by now if there are things that our agency hasn’t considered? An example of that is a lot of people had not considered COVID-19 before 2020. So, what do we do when we go through your webinar and we realize we might have some gaps in our life?
Dr. Jeff Fox, PhD: Well, first, I appreciate you saying that, and that is a likelihood for anybody, because it’s hard to think about all of different contingencies. That is why I say when students are like, “Well, we don’t really have any threat or hazard.” We live in such a dangerous world, that are there, so many. I mean, almost everything on that list is a threat or a hazard just, about everywhere you go. Like I said, unless you are talking about a hurricane or tornado or a flood, you know there are certain places they might happen. But I would go back, first. Hopefully, you have a team they put together, and that team needs to meet periodically. Every six months, once a year, never, less than once a year, hopefully. And go back and look at it, and say: and you can take this material, or other material, and look at it, and compare and go. Are we comprehensive enough? If you are not, then adjust it. It is not like it is etched in stone, and you can’t adjust it. So, I would do that. I always go back and re-evaluate it on a regular basis. And once you get new information it is good to do that. And you can tweak it up. Now, you may have to send it back out to different agencies, in different groups to get more information and that is fine. Because things are going to change anyway. But really what you are looking at, or maybe we did not hit all potential hazards and threats. And it is not so much about the hazard or threat. Now for this point now, for risk mitigation, it is all about the hazards and threats because you mitigate those differently. But here it is, if you are building, is not usable. It really does not matter a whole lot when it is not usable. It is just not usable, whether an earthquake took it down or missile took it down, or fire took it down, the fact of the matter is, it is down. You cannot use it anymore. That is why I talked about the risk assessment and mitigation that comes before all this. But if that is not up and running then it does not matter why to a degree. Another part about it is once you’ve done that and you’ve sat down and you tweaked it and you go, okay, I think we have got it covered better and we put all this other stuff in go back and test it again. You would go back and test it. Or you can skip all the other stuff and just test it anyway. But I would recommend you do it all, but you do not want to set people up for failure if you know it is not where it should be. Then go ahead and fix it first, and then test it. But, again, it takes a little bit of work to get that testing done. You can hire somebody outside, or you can do it internally, if you have the right people. But you got to have the leadership support you. And it is good. It is always good to stress test it, and do not do the same stress tests every time. It might be…? You do not have to do, you know, the whole building collapse. You can do. without lost power that is easy enough to come back for a couple of days. You can do we have lost our cyber connectivity. You know it could be an EMP. It can be all sorts of stuff. It could be civil unrest. So, I hope that helps. But I would do both of those. Go back and tweak it, look at it as a group, and then stress test it at some point again.
Audience Question: How does the National Incident Management System, or incident command system, relate to this contingency planning and continuity of operations, etc.?
Dr. Jeff Fox, PhD: Really great question. The NIPP, National Infrastructure Protection Plan relates to it a lot. There is a cyber plan that relates to it a lot. The NRF, relates to it. It is like a first cousin, or brother, or sister. The NIMS relates to it in the same fashion. And ICS relates to it a little bit more because you have that response. And you are going to have all of that going on at the same place. So, here is the thing. You can almost have, I’m not saying you have to, but it may not be a bad idea, because like I said, most of the time what we think about just want to help we are going out and helping everybody else. And when we go out and help everybody else, we are using NRF and NIMS and ICS. All of that kicks in 100%. Now we are here our own place is under siege. Our own place has all these issues. So, in that respect, all that still applies, and mainly in the response and recovery, you know what I mean, and the management of the event, but this is a little bit different than the management of the event of getting that, okay. This is about getting the people out. This is about continuing operations. So that’s kind of why we covered that a little bit. So, it is related. But it is kind of almost like a parallel saying to some degree, there is some elements you could pull out and you can use. But when you look at contingency operations planning and what goes into that manual, it’s going to be a lot more stuff in there that you would normally find or different stuff that you would normally find in NIMS and ICS interoperability and all that stuff. So, there is some crossover. But they are somewhat a little bit different animal if that makes sense.
Audience Question: How often should be updating our contingency plans, revising them and practicing them. And to be honest, in your experience, are we updating and practicing them enough?
Dr. Jeff Fox, PhD: I was really happy to see the results I saw today. I think and I do not know for sure. I think that maybe higher, because most of you are from public safety agencies, government agencies, of some sort. And so, there’s probably some more mandates, and there is some money there for that. And you understand you have to keep functioning. On the private side I would be surprised if it were anywhere near that high. I would hope it would be, but I doubt if it is, because it costs money. And ROI, return on investment, if you cannot show people what the return on investment is in the private sector, they do not want to do it. I am not trying to beat them up. So that’s part of it. The other part of it is, I will say no less than once a year. You need to sit down, review your plan and make sure everything is good to go. Twice a year, you should be okay. You do not need to do it every month. I do not think you need to do it quarterly. Unless, you have a really unique weird situation with a massive amount of change and turnover. But every six months, you might just look at your call list, your calling tree. That would not be a bad idea. You know, your contacts and your vendors. About once a year, probably be enough to do a good review of the plan. It depends on, right now, people are focused on just trying to survive, quite frankly, in a lot of ways. But as far as doing the testing, I kind of like to see what you are saying, but there are all sorts of ways to do that. You do not have to go full blown. You can do tabletops. You can do many exercises. You can do a lot of different things. You can do the different parts of the organization at different times. Every other year will be fantastic. I would not want to go much more than that on testing and stress testing. But if you have made a lot of changes I would test after that.
Audience Question: Well Jeff, you brought up a really good point. I mean, so many of our audience here on the on the call today are in public safety, so they are more aware. How can we help our communities? All those small business owners, how can we help our communities understand? Hey, you need to be prepared, as well. How can we change that dynamic, help them understand, and encourage them to be a little better?
Dr. Jeff Fox, PhD: I think there is, there is a lot of ways that goes with a lot of different things. Whether it is crime prevention, whether it is, you know, health issues, I think, COVID19 probably did a better job doing that than anybody else has ever done or could do. And if that does not wake people up, I am not sure what will. Fire departments can take a role on that. Education, so your agencies, a lot of times, your emergency management if they have money that they can put out for awareness programs. Insurance companies would like to see things like that. Insurance premiums and that sort of thing. If you have a mom and pop garage, you are going to have a hard time. You know, you are not going to get them to buy in that completely because they do not, they are not going to hire somebody to do that. You know? But, if you are a company that has 20 different garages around the state, that changes things a little bit, you know? So, a lot of it is going to depend on the size of the organization and what their mission is. If you are a mom and pop restaurant, you might not be thinking this way. But if you own a chain of 30 or 40 restaurants like this, you had better be thinking this way, you know? So, if you can show it in that, yes, it is going to cost a little bit of money. But in the long run, it is going to save you a lot of money, you know, and there’s always that liability monkey hanging over your head.
Audience Question: Who activates the contingency plan? Is it the governor? Is it the Mayor? How does that happen?
Dr. Jeff Fox, PhD: It depends on what you’re talking about. For our purposes, we’re talking about the single agency. So, now you may have a protocol set up if you have the city government, where the mayor or city manager may want to do that. I would hope they would relate that to the individual agency, because in all likelihood, aeronaut city where my wife works, there’s multiple city agencies that are spread around the city, not one spot. Police Department had an issue, that may not, doesn’t mean that the public works for fire stations have to shut down. So, I like to give that authority to the chief of police. Now he may, he or she may designate somebody. I like for it to work that way. It started from the top down to all the agencies. This is a unique situation here that we’re seeing with COVID19 is a pandemic across the whole state. So, you do see governors, who are kind of mandating. They’re really mandating a lot of stuff we’re talking about now that people can argue all day long. Well, what authority do they have, or don’t have, and you almost had to go back to health codes. Other than that, you really don’t have a lot of authority. Other than in martial law to do certain things are being done. Unless you make an executive orders, they don’t have a lot of weight to them. So, it just depends. I do like to make it agency independent, personally. And then the agency, the chief or manager of an agency or their designee is the best person to do that. And if they’re not around, you know, you shouldn’t have to wait for which is this midnight shift. Is the person in charge. You know what I mean? It doesn’t mean, as a person who’s going to stay with it, doesn’t mean that the chief can’t say, Oh, well, I don’t want to do this. You know, I talked about who needs to be that CCOP team and how much role do they have to play? I liked the idea that, then, working with the rest of the executive staff, do you really want your executive staff worrying about contacting the vendors and worried about contacting we need these hotels, we need this building or that building, you know what I mean. That’s kind of brute work. If you asked me, that’s not being a derogatory. But these are the people who handle, these are people who made the plan. That work on a plan.
Audience Question: Some agencies have unrealistic expectations or responses even with testing. How do we reel people in and help them make more realistic plans?
Dr. Jeff Fox, PhD: I think we have asked what we have told, we have over promise people in public when it comes to the government. And people rely too much on the government and some people are going to slay me for saying that. But we had to be able to be reliable and dependent upon ourselves. And when the government says, you got to take care of yourself on 72 hours. That’s just how it is, you know, you can’t expect everybody to rescue you on any sooner than that. But I think some people in society figure, you have people coming from McDonald’s if they don’t get the French fries now, they call 911. Well, we don’t want that. That’s an unreasonable expectation. Are we talking about Hash Browns? That’s a different story. But french fries is different. But really, you know, it’s about educating them, it’s about doing these exercises. It’s about communicating, there is no easy answer to that. You’ve got to be able to talk to them and explain to them. And when you do these exercises, as some people, I’m going to tell you. Some people don’t want to do these. Because they don’t want to be tested, because they don’t want to be made to look bad. And it’s not about making people look bad. And you got to realize that, if you’re a person who set this up and doing the testing, believe me, I’ve been there and done that. You have people who avoid going to do this because they don’t want to look bad, because they haven’t kept up. And that’s why the agency, executive staff and the top person needs to say, I believe in this, this is what we’re going to do. And everybody’s going to be there to do it. And it’s not about beating anybody up or embarrassing anybody. It’s a learning process. And then, when we’re done, we’re going to talk about it, and we’re going to see, you know, and this. And that’s also where you make those expectations understood and they need to be reasonable. You know, this is a, this is a bad situation, It’s not going to be perfect. There’s going to be followed (?) in the middle of the chaos.
Click Here to Watch a Recording of Continency Planning: Continuity of Operations, Planning, Resiliency, Redundancy, Disaster Recovery, and Crisis Communications.