Emergency preparedness: Compliance, care and the long view

Sept. 29, 2010
Learning from risk events can improve preparedness and resiliency

Our current fluid global risk cannot be read in the carefree faces of children at play. They are blissfully unaware of foreboding hazards that endanger them and their protectors. In fact, the multi-trillion-dollar all-hazard landscape - most vividly rendered by the World Economic Forum's 2010 Global Risk Report - remains unknown to many (The report, which outlines some of the issues most likely to come to the fore of the global risks landscape and describes their interconnectedness, can be downloaded from www.weforum.org/en/initiatives/globalrisk/Reports/index.htm). Those with insight into these risks have a duty to help increase others' awareness of them and to measure mitigation progress.

If we hope to lead our organizations through this complex global risk landscape, we must learn what we can from man-made and natural risk events to improve preparedness and resiliency. Effective risk mitigation requires investments of time, money and mindshare. We must assess our current capabilities and close the gap on the people, process and technology resources we need to ensure a more resilient future.

Clearly, even the most aware and prepared family, institution, community and nation state is not immune to catastrophes such as accidents, crime, terror, severe weather and tectonic events. Yet, our relative individual preparedness and nimble cross-sector response to imminent threats can mitigate far more serious consequences to our emotional, physical and fiscal health.

Compliance Is a Partial Solution

Those of us who are skeptical about our organizational leadership's commitment to all-hazards preparedness may be heartened by evolving liability and regulatory recommendations. In June, the U.S. Department of Homeland Security announced final standards for the Voluntary Private Sector Preparedness Accreditation and Certification Program (PS-Prep). A recommendation of the 9/11 Commission, this program attempts to improve private-sector preparedness for disasters and emergencies. The adopted standards include those of the National Fire Protection Association, the British Standards Institution and ASIS International.

Each standard is valuable and merits serious review. Collectively, they are helpful to those who have not yet undertaken an all-hazards risk mitigation assessment or plan. Others will find them useful for formulating gap analyses. But for those who are inclined to think that preparedness is now the law of the land, I urge caution.

While PS-Prep is a step forward, it is still a voluntary program. Because of the recent near-collapse of the global financial system - with its arguable failure of risk oversight and resulting contraction of resources - security planners and their cross-functional risk mitigation teams face an uphill struggle. Even organizations that are inclined to comply with PS-Prep or to advance preparedness in other ways may be constrained by smaller purses, downsized capacity and skeptical program supporters who have witnessed billions of dollars in global security investment since 2001 with little persuasive return on investment. Add to those concerns the reality that these voluntary standards will compete with other government mandates, including state and federal requirements around commercial and healthcare information protection including PCI and HIPAA.

Compliance alone is only a partial solution. We must help our organizational leaders find deeper motivation for improved preparedness by focusing on stakeholder confidence and shareholder value.

Culture of Care

Corporate entities, governments and not-for-profits all depend on stakeholder confidence. Customers, citizens, donors, employees, investors, suppliers and their dependents have increasing expectations of care. Cared-for and engaged stakeholders are more productive in core process performance. People-care can also protect brand reputation - when an event does occur, companies that have shown a high standard of care for their people are more likely to enjoy the "benefit of the doubt" in the public mind.

Responsible leaders heed these expectations of care, as well as the increasing relevance of board-level risk, which has been shown through research and articulated by the Security Executive Council. Some of their concerns are illustrated in the graphic on page 55.

More influential metrics on this issue may persuade leadership toward a path of sustainable resilience. Ultimately, "the metric" for private-sector stakeholder confidence is market valuation. Company worth before and after major catastrophic events is instructive.

One recent calamity, the BP/Transoceanic accident, supports the point. CNN Money reported on June 15 that "Fitch Ratings downgraded BP for a second time this month to just above junk status, as the news just keeps getting worse for the oil giant. Fitch said it lowered its senior unsecured rating to BBB from AA, in response to increasing estimates of spilled oil in the Gulf of Mexico and increasing pressure on the oil giant to establish an escrow account to pay for damages"

Value metrics like this must be made clear to organizational leadership. The stakes for emergency preparedness go beyond compliance fines and sanctions. Leadership will be judged on people-care. In the court of public opinion, the organizational outcomes for apparent negligence before, during and after a disaster bodes additional peril, if not doom.

Drs. Rory Knight and Deborah Pretty conducted decade-long research of 74 firms following their involvement in aviation disasters, fires and explosions, seismic catastrophes and terrorist attacks. Their findings are informative for both worst-case and other types of disasters.

Here is a summary of their main findings:

1. Mass casualty events have double the impact on shareholder value.
2. The market makes a rapid judgment on whether it expects reputation to be damaged or enhanced ... in the case of mass fatality events...it takes... on average, 100 trading days to emerge prominently.
3. As with non-fatal reputation crises for firms... value recovery relates to the ability of senior management to demonstrate strong leadership and to communicate at all times with honesty and transparency.
4. ...the sensitivity and compassion with which the chief executive responds to victim's families and the logistical care and efficiency with which response teams carry out their work is paramount.
5. Irrespective of whose responsibility is the cause... a sensitive managerial response is critical to shareholder value.

Our relative success as asset protection professionals and risk mitigators will likely be determined by our organizational leadership performance. We have the opportunity to influence.

Taking the Long View

We know the long view and a diverse data set are required to calculate catastrophic impacts. Similarly, longer views are required for forward-looking, cross-functional risk mitigation teams. To that end, Bob Hayes, managing director of the Security Executive Council, recently introduced an initiative called "Security 2020." He says: "Board-level risk requirements for people, critical process and asset protection are increasingly complex and require a new, collaborative and performance-based approach with practitioners, manufacturers and service providers."

Our aim must be to persuasively influence continuous solutions innovation with return on investment and risk mitigation improvement through the next decade.

No single entity can own emergency preparedness. Process and technology convergence guided by organizational mission will enable intra-departmental strategic plan execution with oversight by executive risk committees and the board of directors.

Communications Promote Confidence

Our ability to execute a cross-functional, operational plan with cost efficiencies, loss avoidance and prevention earns both leadership and stakeholder confidence.

Importantly, efforts that produce results will fund additional programming. Even when prevention or mitigation efforts fail, we will be given the "benefit of the doubt" when we have transparently communicated risk with relevant mitigation resources before an event and act responsibly thereafter.

Ultimately, our success will be measured by our influence for improved preparedness on the job, at home and in the community. For cultures that care, and all their stakeholders, that is something to smile about.
Francis J. D'Addario is a Principal of Crime Prevention Associates. He is also Emeritus Faculty member for Strategic Influence and Innovation for the Security Executive Council. He served as the vice president of Partner and Asset Protection for Starbucks Coffee (1997-2009). Mr. D'Addario's most recent publication is "Not a Moment to Lose: Influencing Global Security One Community at a Time," available through the Security Executive Council (https://www.securityexecutivecouncil.com/nmtl).

About the Author

Francis D'Addario | Francis D'Addario, Bob Hayes and Kathleen Kotwica

Francis J. D’Addario is Emeritus Faculty member for Strategic Influence and Innovation for the Security Executive Council. He served as the vice president of Partner and Asset Protection for Starbucks Coffee (1997-2009). His most recent publication is: Not a Moment to Lose: Influencing Global Security One Community at a Time. Bob Hayes is Managing Director of the Security Executive Council. He has more than 25 years of experience in security, including eight years as the CSO at Georgia Pacific and nine years as security operations manager at 3M. Kathleen Kotwica, PhD, is EVP and Chief Knowledge Strategist for the Security Executive Council. She develops strategies and processes to identify, store, understand, build upon, and disseminate the Council’s Collective Knowledge and insights.