nfpa technical committee on emergency management … · recommendation 2): regarding chapter 4,...

NFPA Technical Committee on Emergency Management and

Business Continuity

March 25-27, 2014

Hilton St. Petersburg Carillon Park

950 Lake Carillon Drive

St. Petersburg, FL 33716

First Draft Meeting Agenda

1. Starting time: 8:30 a.m., March 25, 2014.

2. Welcome (Don Schmidt, Chair)

3. Self-introduction of members and guests

4. Approval of Minutes of Pre-First Draft Meeting, Salt Lake City, 2013 Oct 22-23

5. Approval of agenda

6. NFPA staff liaison report (Orlando Hernandez)

Committee membership update

Distribution of sign-in sheets

7. Organizational reports/News related to NFPA 1600

8. Task group reports

9. Act on Public Comments to NFPA 1600. Take any other actions necessary to

complete the ROC for NFPA 1600.

10. Old business.

11. New business

12. Adjourn

Technical Committee on Emergency Management and Business Continuity

2016 Pre-first Draft Meeting

October 22-23, 2013

Cambia Health Solutions Salt Lake City, Utah

ATTENDANCE: Donald Schmidt, Chair Gregory Cybulski Michael Janko Kenneth Katz Dana Lankhorst Dean Larson Michael Morganti Susana Mueller Jason Mumbach Kelly Okolita Jo Robertson Brian Strong Steve Elliot Christian Gray Carey Loukides Gary Villeneuve Lorraine Webb Orlando Hernandez, NFPA Staff Liaison Guests: Dan Ferguson

Technical Committee on Emergency Management and Business Continuity 2016 Pre-first Draft Meeting, October 22-23, 2013

- 2 -

The meeting was called to order at 8:00 AM by Chair, Don Schmidt followed by self-introductions of members. One guest, Donald (Dan) Ferguson of Travelers Insurance was in attendance. Susan Mueller agreed to serve as meeting secretary.

The Chair reviewed the meeting agenda and asked if there were any errors or omissions from the meeting notes of the March 20-22, 2012 - Report on Comments Meeting held in Indianapolis, Indiana. A motion was carried without votes or discussion and the meeting notes were approved unanimously.

The Chair reviewed membership changes for 2012-2013 and discussed membership guidelines and voting.

The Staff Liaison report included venue safety, attendance, Robert's rules, the 2016 revision cycle dates and a review of the new NFPA Document revision process, which includes electronic voting ballots. The online electronic platform used to capture changes to the standard was demonstrated as well as how to follow document changes by registering at NFPA.org/1600. The deadlines for submission of public submittal are November 29 (paper submissions) and January 3, 2014 (online submissions). The First Draft meeting must be held by June 13, 2014, and the first draft will be balloted no later than August 22, 2014.

The ISO TAG report was provided by Don Schmidt. Recent and upcoming ISO publications. As well as, drafts under review. Specifically, ISO 22397- Guidelines for Establishing Partnering Arrangements and ISO 22315 MASS Evacuation Guidelines for Planning. Next plenary meeting will be held in Cape Town on January 13-17, 2014.

Don Schmidt also mentioned that NFPA1620, Standard on Pre-Incident Planning is in cycle for revision.

NFPA has formed a new technical committee, Chaired by Dean Larson, to review develop a standard on Mass Evacuation; MASS sheltering will not be addressed by this particular committee.

Lorraine Webb reported that the Canadian standard Z1600-13 - Emergency and Continuity Management Program is in its final approval stage.

The PS-Prep update provided by the committee Chair noted that IAEM had received a grant to address the needs of small businesses. He also reported that ANAB’s website indicates that there are only ten companies PS-Prep certified worldwide.

ASTM International’s Standard on School Emergency Preparedness for grades K-12 has been resurrected.

The following Task group reports were presented:

• Kelly Okolita - Business Process Analysis/Business Impact Analysis • Dean Larson - Competencies • Kelly Okolita - Information Technology • Gregory Cybulski - Recovery and Restoration • Ken Katz - Scalability/small and medium size entities • Jo Robertson - Social Media

Technical Committee on Emergency Management and Business Continuity 2016 Pre-first Draft Meeting, October 22-23, 2013

- 3 -

• Ken Katz - Special Needs/Functional Needs/Elderly • Kelly Okolita - Standards

Staff Liaison showcased how the committee members can make changes to the next standard revision through “Submit public input online.”

First Day meeting adjourned by the Chair at 4:30 pm after a brief review of next day's agenda.

October 23, 2013

The Chair opened the meeting at 8:00 AM and discussed possible dates and venues for the First Draft meeting in 2014. First revision electronic filing must be completed by task groups by January 3, 2014. Regarding the next meeting venue, Susan Mueller tentatively volunteered Tampa Electric Company to host next meeting in downtown Tampa. She will identify logistics and challenges and will report back to the Chair promptly.

Task Group reports continued:

• Brian Strong - Supply Chain • Don Schmidt covered the report of Usability in the absence of the Task group Chair • Gary Villeneuve - BCP vs. COOP provided his report through conference call with the

committee.

The Chair reiterated the importance of each member identifying connections with organizations and documents pertaining to Emergency Management and Business Continuity reporting back to the committee. A short discussion regarding incorporating language in the standard for "deterrence" along with "prevention” and perhaps "protection" ensued. Further review will be made by the committee as it works on the standard revision. The committee discussed whether there is a need for incorporating additional task groups and/or research and development of other topics; the committee did not recommend new task groups any additions.

The meeting was called to adjourn at 10:50 AM. Motion to adjourn by Dean Larson, and seconded by Ken Katz, approved unanimously.

Public Input No. 3-NFPA 1600-2013 [ Global Input ]

Type your content here ...Background:1) Paragraph 1.2 lists the following program components: prevention, mitigation, preparedness, response, continuity, and recovery.2) Chapter 6 contains stand-alone sub-paragraphs for Prevention (6.2), Mitigation (6.3), Emergency Operations/Response Plan (6.8), and BusinessContinuity and Recovery (6.9)Recommendation 1): For the sake of clarity and consistency, recommend that chapter 6 includes (verbatim) the 6 program components appearing in paragraph 1.2. For example:Paragraph 6.2 Prevention (no change)Paragraph 6.3 Mitigation (no change)Paragraph 6.4 Preparedness (new)Paragraph 6.5 Response (new)Paragraph 6.6 Continuity (change from Business Continuity and Recovery)Paragraph 6.7 Recovery (change from Business Continuity and Recovery)Existing information in paragraphs 6.4 through the end of chapter 6 should then be integrated into one of the above paragraphs.Recommendation 2): Regarding Chapter 4, Program Management: It would be extremely helpful to show a sample activity network diagram (AND) depicting the major project deliverables, the necessary sequence of tasks, and project's critical path. Even better, detail the AND down to the workpacket level (includes all requirements of this standard). I would suggest making reference to the AND in paragraph 4.4 and showing the details in Annex A.

Statement of Problem and Substantiation for Public Input

The first proposed change would provide clarity and an orderly sequence of topics; specifically, it would lend consistency between paragraph 1.2 and chapter 6.The second proposed change would be a great aid to planners without experience in program management by providing them visually the tasks involved in developing an emergency preparedness program. More importantly, it would provide them the critical tasks to monitor and an orderly path they could follow as they develop their programs - it would lend order to what is chaotic by nature.

Submitter Information Verification

Page 1 of 130National Fire Protection Association Report

2/20/2014http://submittals.nfpa.org/TerraViewWeb/ContentFetcher?commentParams=%28Comment...

Submitter Full Name: MICHAEL NEMETHOrganization: Street Address: City:State: Zip: Submittal Date: Tue Jun 04 10:25:06 EDT 2013




I propose adding the DHS Federal Continuity Directive 1 & 2 as resources throughout NFPA 1600 for continuity guidance especially to cross-reference.

Additional Proposed Changes

File Name Description ApprovedNFPA_document_proposal.pdf Cover Sheet


Substantial outdated and missing guidance based on NSPD 5/HSPD 20 doesn't really evaluate full requirements for COOP Planning at all.


Submitter Full Name: Heidi NelkieOrganization: Lawrence Berkeley National LabStreet Address: City: State:Zip: Submittal Date: Mon Jun 10 09:54:58 EDT 2013




Add the Plan - Do - Check - Act diagram to the Introduction in the paragraph on the 2010 Edition.


The significance of the change in the 2010 Edition is important to the user of the standard. Inserting the diagram into the Introduction provides a visual representation of the organizing "template" for the standard.


Submitter Full Name: DEAN LARSONOrganization: LARSON PERFORMANCE CONSULTINGStreet Address:City: State: Zip:Submittal Date: Fri Jan 03 22:38:32 EST 2014



Public Input No. 73-NFPA 1600-2014 [ Section No. 1.3 ]

1.3* Application.This document shall apply to public, not-for-profit, and nongovernmental organizations (NGOs) and to private entities.


Improves readability


Submitter Full Name: DEAN LARSONOrganization: LARSON PERFORMANCE CONSULTINGStreet Address: City:State: Zip: Submittal Date: Fri Jan 03 22:09:42 EST 2014



Public Input No. 26-NFPA 1600-2013 [ New Section after 3.3.7 ]

Crisis -an incident, circumstance, issue, or series of events that threatens to severely negatively impact the organization’s operations, reputation, market share, ability to do business, or relationships with key stakeholders.


Recommend addition of a new definition because the Webster's definition is cursory and not adequate.


Submitter Full Name: JO ROBERTSONOrganization: ARKEMA INC. and NFPA 1600 Technical Committee memberAffilliation: NFPA 1600 Technical Committee memberStreet Address: City:State: Zip: Submittal Date: Sun Dec 08 17:05:34 EST 2013



Public Input No. 74-NFPA 1600-2014 [ Section No. 3.3.11 ]

3.3.11 Entity.A governmental agency or jurisdiction, private or public company, partnership, nonprofit not-for-profit organization, or other organization that has emergency management and continuity of operations responsibilities.


Recommendation to improve consistency






Supply ChainA system of organizations, people, activities, information and resources involved in moving a product or service from supplier to customer.


Including a definition for supply chain to support existing and new references to supplier risk management.


Submitter Full Name: Brian StrongOrganization: BlueCross BlueShield of FloridStreet Address:City: State: Zip:Submittal Date: Tue Oct 29 12:11:22 EDT 2013




New definition3.x* Special and Functional Needs persons with conditions that may reduce the effectiveness of mitigating actions.


This PI was submitted on behalf of the Special and Functional Needs Task Group, NFPA 1600 2016 Edition.

Chapter 3 does not have a definition for Special and Functional Needs.

The NFPA 1600 Technical Committee formed a Task Group to focus on Special and Functional Needs tasked with submitted recommended changes and addition to address Special and Functional Needs.


Submitter Full Name: DEAN LARSONOrganization: LARSON PERFORMANCE CONSULTINGStreet Address:City: State: Zip:Submittal Date: Mon Dec 30 19:46:21 EST 2013




4.5.24.5.2 The entity shall establish , maintain andmaintain document a procedure(s) to comply with applicable legislation, policies, regulatory requirements, and directives.


recommendation from the task group on standards


Submitter Full Name: Kelley OkolitaOrganization: Cambia Health SolutionsStreet Address: City:State: Zip: Submittal Date: Thu Jan 02 22:51:55 EST 2014




5.1.6The entity shall include key stakeholders in the planning process , such as suppliers, in the assessment and planning processes .


A reference to suppliers has been added to emphasize this critical organizational dependency during this review cycle.





Public Input No. 45-NFPA 1600-2014 [ New Section after 5.2 ]

5.2.6 The risk assessment shall include an analysis of the essential infrastructure elements required to respond/recover from the event or prevent significant escalation of the damages and the impact on the response/recovery/damages if the operational time is not met. 5.2.7 The risk assessment shall include an analysis of the risk and severity escalation over time, showing key milestones for response/recovery to be accomplished by, and the risk/severity escalation that would occur if the response/recovery time is not met.


Major disasters, such as floods from hurricanes and earth quakes significantly disrupt normal transportation and communication lines. Relief efforts are stopped before they can get started if there is no way for them to find out where the relief is needed and how to get to the area.

Major disasters also significantly disrupt normal services, such as electrical power, natural gas, water and sewage service. How quickly relief is required before the situation becomes life threatening to the general population varies significantly due to the circumstances. In all cases the loss of water and sewage will significantly impact the general public in a matter of a few days. Health related issues due to water contamination can escalate much quicker.

For example, take the health risks due to loss of sewage pumping station. For the most part, sewage systems or pump stations are generally in the lowest surrounding area. Typically pumping stations don’t have a holding pond available. The sewer enters a wet well located at the pumping station and how much storage the wet well and incoming sewer have determines how long the pumping station can be out of service before it begins to back up into basements or overflow out of manholes. At high flows for larger pumping stations, this is generally not a huge amount of time (in some cases this may be between 15 minutes to half an hour). Backups and overflows are both health and environmental issues.

Wastewater that backs up in basements can cause significant damage to homes and is generally a significant health concern for the residents. Cleanup includes throwing away anything that cannot be safely cleaned up and disinfected. Cleanup requires proper personal protection and care in dealing with raw sewage. If the backup were to a business, the amount of damage or problems that can occur would obviously depend upon the extent of the backup (how much and how long), what kind of equipment, storage, or other use the business makes of its lower level(s), how the backup may affect the health and well being of employees and customers, and how it affects the general operation of the business itself.

Wastewater that is released into the environment can cause environmental damage, e.g., fish kills and algae blooms, and can be a significant health hazard, e.g., high levels of pathogens in swimming areas or incidental contact with raw sewage near areas of the spill.This is the joint work of Robert Schuerger, Michael Simon and Robert Arno.




Submitter Full Name: ROBERT SCHUERGEROrganization: HP CFS/EYP MCFAffilliation: IEEE IAS Power System Reliability Working GroupStreet Address: City:State: Zip: Submittal Date: Thu Jan 02 13:09:09 EST 2014



Public Input No. 13-NFPA 1600-2013 [ Section No. 5.2.2.1 ]

5.2.2.1 *Hazards to be evaluated shall include the following:

(1) Natural hazards (geologic geological , meteorologic meteorological , and biological)

(2) Human-caused events (accidental and intentional)

(3) Technology-caused events (accidental and intentional)


Corrected spelling and use of words for consistency.





Public Input No. 14-NFPA 1600-2013 [ Section No. 5.2.2.2 ]

5.2.2.2The vulnerability of people, property, operations, the environment, and theentity supply chain operations shall be identified, evaluated, and monitored.








TITLE OF NEW CONTENTThe BIA shall identify all functions, processes, infrastructure, systems, applications resources and suppliers within the scope of the program.


work from the NFPA1600 task group on BIA






TITLE OF NEW CONTENT5.3.2.1 The BIA shall identify single source and sole source suppliers and other single points of failure within the entity’s physical and technical infrastructure and human resource information and skillset.


recommendation from the task group on BIA






5.3.25.3.2 The BIA shall evaluate the potential impact resulting from interruption or a disruptionof individualof functions, processes, and applicationsinfrastructure, systems, applications, resources or suppliers on its ability to deliver its mission ..


Work from the NFPA 1600 task group on BIA






TITLE OF NEW CONTENTType your content here ...5.3.3.3 The BIA shall identify the gap between the identified RTO for functions, processes, infrastructure, systems, resources, applications and suppliers and thedemonstrated capabilities.








5.3.3 *The BIA shall identify those functions, processes, infrastructure, systems, and applications that are critical to the entity and the point in time [recovery time objective (RTO)] when the impact of the interruption or disruption becomes unacceptable to the entity. The BIA shall also evaluate to what extent theseverity escalates over time until the critical functions, processes,infrastructure, systems, and applications are restored to operation.






Wastewater that is released into the environment can cause environmental damage, e.g., fish kills and algae blooms, and can be a significant health hazard, e.g., high levels of pathogens in swimming areas or incidental contact with raw sewage near areas of the spill.




Submitter Full Name: ROBERT SCHUERGEROrganization: HP CFS/EYP MCFAffilliation: IEEE IAS Power System Reliability Working GroupStreet Address:City: State: Zip:Submittal Date: Thu Jan 02 14:53:30 EST 2014




5.3.3 *5.3.3* The BIA shall identify those functions, processes, infrastructure, systems, applications, resources and applications suppliers that arecritical to needed by the entity to deliver its mission and the point in time [recovery time objective (RTO)] when the impact of the interruption or disruption a disruption to each of those becomes unacceptable to the entity.


recommendations from the NFPA1600 task group on BIA






5.3.45.3.4 The BIA shall identify dependencies and interdependencies across functions , and processes, and applications to determine the potential for compounding impact in the event of an interruption or disruption.the infrastructure, systems, applications, resources and suppliers needed..








5.3.5 *5.3.5* The BIA shall evaluate the potential loss of information and the point in time [ the acceptable amount of data loss for physical and electronic records to identify the recovery point objective (RPO)] that defines the potential and the gap between the last backup of information and the time of the interruption or disruptiondesired RPO and the entity’s records management practices .








TITLE OF NEW CONTENTThe BIA shall identify critical supply chain operation complexities, including those having exposure to both domestic and international risks and the timeframe within which the operations become critical to the organization.








TITLE OF NEW CONTENTType your content here ...5.3.7 The results of the BIA shall be approved by the entity’s leadership








5.5 Performance Objectives.5.5.1*The entity shall establish performance objectives for the program in accordance with Chapter 4 and the elements in Chapters 5 through 9.5.5.2The performance objectives shall address the results of the hazard identification, risk assessment, and business impacts analysis.5.5.3Performance objectives shall be developed by the entity to address both short-term and long-term needs.5.5.4*The entity shall define the terms short term and long term.

5.5.5

The entity shall provide a plan for the survivability of 10-day, 30-day, and a 90 day electrical power outage.




This is a proposal that tracks as Rejected in Proposal 1600-29, Log #40 in the previous revision cycle. Hurricane Sandy (October 2012) and the extended power outages in Central Michigan in December 2013 make this proposal an under reality.

The mandatory sections of this document need more specifics to get it to the next leg of acceptance and adoption. This proposal is intended to assert an all-discipline benchmark for a community served by a typical emergency management district when utility power is not available at the transmission level for any reason. This condition permits limited use of the distribution system -- the "last mile" for example -- to be used for feeding (and backfeeding) loads on a basis limited by duration and quantity of power. Just as civil engineers benchmark their infrastructure design around 10-, 25-, and 100-year floods, emergency management professionals and power engineers should have a conversation about the range of options for survivability of power outages of this duration. Definitions of short-term and long-term are not as helpful in benchmarking community outage recovery capability. It can be as helpful as the ISO ratings of local fire departments.

Electrical infrastructure is the "infrastructure of infrastructures" in the US economy. It is important to think about the unthinkable. A program for the survivability of a 30-day power outage may not necessarily mean an extremely large expenditure in infrastructure if the 30-day benchmark starts with blocks of survivability concepts from the bottom up. Some of the features of a 30-day plan might include the following:

A. Residential -

1. Assisting homeowners in the purchase and safe operation of small residential generators and fuel storage.2. Education and assistance in the safe use of DC-AC inverters that use automobiles as a prime mover for providing limited power to individual homes.3. Providing finance programs or engineering approaches in which small generators may be safely shared by two or more homeowners.4. Encourage the purchase of small communication equipment with alternative energy charging systems. 5. Use of recreational vehicles as standby domiciles.6. Generally optimizing the prospect that our personal or commercial transportation system can safely morph into a backup power system.

B. Commercial -

7. Encourage gasoline filling stations, pharmacies and grocery stores to have on-site generation facilities -- possibly shared among them across differing ownership regimes --for the purpose of providing limited business continuity and community survivability.8. Encourage apartment complexes to re-configure utility service equipment with appropriate manual transfer switchgear so that large groups of residents can have limited power from privately owned rolling generation and fuel supplies.9. Measure total fuel reserves in the emergency management district (including all filling stations) and reconfigure the fuel supply chain and/or purchasing aggregations -- especially with respect to health care and municipal service facility priorities.10. Creation of shared, community battery charging stations for residential use.11. Adding more municipally owned mobile generators that can be used to inject power into public facilities, for public use, for 4-8 hours12. Encourage power-take-off equipment in trucks and heavy vehicles that can be moved to stationary generation equipment.

C. Industrial -

13. Small hydro, hydro-storage, or biomass plants in the range of 100-500 kW may be identified as a component in a municipal critical operations power system and thereby deploy balance sheet offsets that get them to the financial break-even point.14. Expansion of municipal biomass, hydro-storage, and wind power storage systems to release fuel for standby power for residential use.



15. Public service commission support for utility inter-ties identified as having a significant homeland security component.16. Public service commission granting utilities compensation for identifying circuit locations where mobile sources of power may be injected onto the last mile of the distribution grid in 1-2 megawatt chunks.17. The creation of, or support for small district energy systems with a critical operations power system component.

This is only a brief list of possibilities. It may be found that simple administrative measures such as knowing where power injection points may be, or how much fuel is available in the emergency management district at any given time may result in significant gains in meeting these benchmarks. In any case, the concept presented here should add new dimensions to homeland security discussions.


Submitter Full Name: Michael AnthonyOrganization: University of MichiganStreet Address: City:State: Zip: Submittal Date: Fri Jan 03 11:40:16 EST 2014




6.1.5 The entity shall insure that a representative acts as a liaison with localresponding public safety authorities during incidents that affect only theentity’s property and with local emergency management officials during major disasters affecting both the entity and surrounding areas.


It is important that entities not only establish their own EOC’s and incident management systems to coordinate their response to major incidents affecting their own property and personnel, but that they also appoint trained representatives that are familiar with the entity’s property and program to liaison with either local responding fire and police agencies or with local emergency management authorities during incidents that may only affect the entity such as a major fire or active shooter ,or during a large scale disaster affecting a wide area.


Submitter Full Name: Bill GallowayOrganization: Southern Regional Fire Code DeStreet Address: City: State:Zip: Submittal Date: Tue Oct 29 15:49:45 EDT 2013




6.2.1 *6.2.1* The entity shall develop a strategy to prevent an incident that threatens life, property, including intellectual property, privacy, technology and theenvironment..


recommendation from task group






6.2.5 The prevention strategy shall include analysis of the essential infrastructure elements required to respond/recover from the event or prevent significant escalation of the damages, and the hardening of these elements to increase the probability they will be operational or quickly restored after the event. 6.2.6 The prevention strategy shall include the use of a gradient scale in the determining how critical the facility and individual infrastructure elements within it are to both responding/recovering from the event and also in mitigating further escalationof the damages.







This is the joint work of Robert Schuerger, Michael Simon and Robert Arno.





TITLE OF NEW CONTENTType your content here ...6.2.5 The prevention strategy shall provide adequate controls to prevent the corruption or unlawful access to the entity’s data








6.4.1*The entity shall develop a plan and procedures to disseminate information to and respond to requests for information from the following audiences before, during, and after an incident:

(1) Internal audiences, including employees

(2) External audiences, including the media, special and functional needs populations, and other stakeholders



6.4.1 needed correction to adopt the term special and functional needs.

The NFPA 1600 Technical Committee formed a Task Group to focus on Special and Functional Needs tasked with submitted recommended changes and addition to address Special and Functional Needs






6.5.5Information can be disseminated through the media, social media, or other means determined by the entity to be the most effective.


The Technical Committee task group on social media believes NFPA 1600 should address social media. It is no longer a "nice to have" but a "need to have".


Submitter Full Name: Jo Robertson

Organization: Technical Committee member

Affilliation: NFPA 1600 Technical Committee member - representing the input of the social media task group

Street Address:City: State: Zip:Submittal Date: Sun Nov 03 15:42:54 EST 2013




A.6.4.2(2)A common format for gathering pertinent information (inbound messaging) and disseminating communication messages (outbound messaging) by the entity is recommended. Use of social media may provide a distinct advantage to both inbound and outbound messaging, and should be considered a basic form of communication with external and internal audiences.


The Technical Committee task group on social media believes social media is not adequately addressed in the current Annex -- and should be. Social media is no longer a "nice to have" but a "need to have".




Affilliation: NFPA 1600 Technical Committee member -- representing the input of the social media task group





6.8.2*The plan shall identify actions to be taken to protect people, including those with access special and functional needs, property, operations, the environment, and the entity.



6.8.2 needed correction to adopt the term special and functional needs.







6.9 Business Continuity and Recovery.6.9.1*The continuity plan shall include recovery strategies to maintain critical or time-sensitive functions and processes identified during the business impact analysis. 6.9.2*The continuity plan shall identify stakeholders that need to be notified; critical and time-sensitive applications; alternative work sites; vital records, contact lists, functions, and processes that must be maintained; and personnel, procedures, and resources that are needed while the entity is recovering. 6.9.3*The recovery plan shall provide for restoration of functions, services, resources, facilities, programs, and infrastructure.


recommendations from task group






6.9.3The continuity plan shall include the entire scope of planning to identify alternate operational processes to address the potential impact of interruption of the supply chain on the entities critical operations, including known, unknown, controlled, and uncontrollable risks.


Added content to support increased focus on supply chain risk.


Submitter Full Name: Brian StrongOrganization: BlueCross BlueShield of FloridStreet Address:City: State: Zip:Submittal Date: Wed Dec 04 14:34:08 EST 2013




TITLE OF NEW CONTENTType your content here ...6.10 Recovery6.11 The entity shall develop a technology and operational recovery plan6.10.1* The recovery plan shall provide for restoration of functions, services, resources, facilities, technology, equipment and infrastructure identified during the business impact analysis.6.11.2 The plan shall include• Identification and prioritization of operational and technology recovery tosupport the entity’s identified mission in alignment with the results of the BIA• Adequate controls to prevent the corruption or unlawful access to the entity’s data during the recovery • Strategies and procedures for restoring the entity’s operations and technology based on the RTO and RPO defined in the BIA• Plan testing and exercise as defined in chapter 8• Training in the entity’s technology recovery as defined in chapter 7• Plan maintenance as defined in chapter 96.11.3 Recovery strategies shall be designed based on the RTO and RPO as defined by the business impact analysis


recpmmendations from task group






TITLE OF NEW CONTENTType your content here ...6.9.1.3 Recovery strategies shall meet the RTO and RPO as defined by the business impact analysis








6.9.3 *6.9.3* The recovery plan shall provide for restoration of functions, services, resources, facilities, technology, programs, and infrastructure..


recommendations from task group






TITLE OF NEW CONTENT6.11 Technology Continuity and Recovery6.11 The entity shall develop a technology continuity and recovery plan6.11.1 The continuity plan shall include strategies for the continued operation or recovery of technology needed to support critical or time sensitive functions orprocesses identified during the business impact analysis6.11.2 The plan shall include

Identification and prioritization of technology recovery to support the entity’s identified mission as defined in the BIA

•

Adequate controls to prevent the corruption or unlawful access to the entity’s data

•

Strategies and procedures for restoring the entity’s technology based on the RTO and RPO defined in the BIA

•

Plan testing and exercise as defined in chapter 8•

Training in the entity’s technology recovery as defined in chapter 7•

Plan maintenance as defined in chapter 9•

6.11.3 Recovery strategies shall meet the RTO and RPO as defined by the business impact analysis








8.3 * Design of Exercises and Tests.Exercises shall be designed to do the following:

(1) Ensure the safety of people, property, operations, and the environment involved in the exercise or test

(2) Evaluate the program

(3) Identify planning and procedural deficiencies(4) Test or validate recently changed procedures or plans

(5) Clarify roles and responsibilities

(6) Obtain participant feedback and recommendations for program improvement

(7) Measure improvement compared to performance objectives

(8) Improve coordination among internal and external teams, organizations, and entities such as critical suppliers

(9) Validate training and education

(10) Increase awareness and understanding of hazards and the potential impact of hazards on the entity

(11) Identify additional resources and assess the capabilities of existing resources, including personnel and equipment needed for effectiveresponse and recovery

(12) Assess the ability of the team to identify, assess, and manage an incident

(13) Practice the deployment of teams and resources to manage an incident

(14) Improve individual performance


Added content to support increased focus on supply chain risks






9.1.3The program shall be re-evaluated when a change in any of the following impacts the entity's program:

(1) Regulations

(2) Hazards and potential impacts

(3) Resource availability or capability(4) Entity's organization

(5)

(6) Infrastructure, including technology environment

(7) Economic and geographic stability

(8) Entity operations

(9) Critical suppliers, including second-tier suppliers


Added content to support increased focus on supply chain risk.



* Funding changes



Public Input No. 75-NFPA 1600-2014 [ Section No. A.3.3.15 ]

A.3.3.15 Incident Management System (IMS).The incident management system is based on effective management characteristics that can be used by the public, private, and not-for-profit sectors. For an IMS to work effectively each management characteristic should contribute to the strength and efficiency of the overall system.

A description of commonly identified management characteristics follows.

Common Terminology. Common terminology allows diverse incident management and support entities to work together across a wide variety of incident management functions and hazard scenarios. This common terminology is covered in the paragraphs that follow.

Organizational Functions. Major functions and functional units with domestic incident management responsibilities are named, and defined terminology for the organizational elements involved is standard and consistent. The incident management organization establishes a process for gathering, sharing, and managing incident-related information and intelligence.

Modular Organization. The organizational structure develops in a top-down, modular fashion that is based on the size and complexity of the incident, as well as the specifics of the hazard environment created by the incident. Where needed, separate functional elements can be established, each of which can be further subdivided to enhance external organizational management and external coordination.

Comprehensive Resource Management. Maintaining an accurate and up-to-date picture of resource utilization is a critical component of domestic incident management. Resource management includes processes for categorizing,ordering, dispatching, tracking, and recovering resources. It also includesprocesses for reimbursement for resources, as appropriate. Resources are defined as personnel, teams, equipment, supplies, and facilities available orpotentially available for assignment or allocation in support of incidentmanagement and emergency response activities. Personnel and equipment should respond only when requested or when dispatched by an appropriateauthority.

Incident Facilities. Various types of operational locations and support facilities are established in the vicinity of an incident to accomplish a variety of objectives, such as decontamination, donated goods processing, mass care, and evacuation. Typical facilities include incident command posts, bases, camps, staging areas, mass casualty triage areas, and other facilities as required.Management by Objectives. Management by objectives represents an approach that is communicated throughout the entire organization. This approach includes establishing overarching objectives for the following:

(1) Developing and issuing assignments, plans, procedures, and protocols

(2) Establishing specific, measurable objectives for various incident management functional activities and directing efforts to attain them in support of defined strategic objectives

(3) Documenting results to measure performance and facilitate corrective action



Reliance on an Incident Action Plan. Incident action plans (IAPs) provide a coherent means of communicating the overall incident objectives in the context of both operational and support activities.Manageable Span of Control. Span of control is key to effective and efficient incident management. Although effective span of control varies, the span of incident management supervisory responsibility in the public sector is typically three to seven subordinates. The type of incident, the nature of the task, hazards and safety factors, and distances between personnel and resources all influence span of control considerations.

Integrated Communications. Incident communications are facilitated through the development and use of a common communications plan and interoperable communications processes and architectures. This integrated approach links the operational and support units of the various agencies involved. It is necessary to maintain communications connectivity and discipline and to enable common situational awareness and interaction. Preparedness planning should address the equipment, systems, andprotocols necessary to achieve integrated voice and data incident management communications.

Establishment and Transfer of Command. The command function has to be clearly established from the beginning of incident operations. The agency with primary jurisdictional authority over the incident designates the individual at the scene who will be responsible for establishing command. When command is transferred, the process should include a briefing that captures all essential information for continuing safe and effective operations.

Chain of Command and Unity of Command. Chain of command refers to the orderly line of authority within the ranks of the incident management organization. Unity of command means that every individual has a designated supervisor to whom he or she reports at the scene of the incident. These principles clarify reporting relationships and eliminate the confusion caused by multiple, conflicting directives. Incident managers at all levels have to be able to control the actions of all personnel under their supervision.Unified Command (UC). In incidents involving multiple jurisdictions, a single jurisdiction with multi-agency involvement, or multiple jurisdictions with multi-agency involvement, unified command (UC) allows agencies with different legal, geographic, and functional authorities and responsibilities to work together effectively without affecting individual agency authority, responsibility, or accountability.

Although a single Incident Commander normally handles the command function, an incident management system (IMS) can be expanded into a UC. The UC is a structure that brings together the incident commanders of all major organizations, which could include personnel from both private, not-for-profit, and public sectors involved in the incident, in order to coordinate an effective response while at the same time they carry out their own jurisdictional responsibilities. The UC links the organizations responding to the incident and provides a forum for the entities to make consensus decisions. Under the UC, the various jurisdictions and/or agencies and nongovernment responders blend together throughout the operation to create an integrated response team.


Improve consistency in usage throughout the document




Public Input No. 37-NFPA 1600-2013 [ New Section after A.3.3.23 ]

New Annex A section to correspond to new definition for Special and Functional NeedsA.3.x The terminology for this population continues to evolve. Over time, various terms have been used including: handicapped; disabled; access and access and special needs; access and functional needs; special needs; vulnerablepopulation; people with disabilities; functional needs; at-risk populations; people with medical dependencies;speciality care populations; vulnerable person; and, other terms. The user is referred to Annex X Special and Functional Needs.



This proposed Annex A item corresponds and expands upon the new definition for Special and Functional Needs.






Public Input No. 76-NFPA 1600-2014 [ Section No. A.4.2 ]

A.4.2It is not the intent of this standard to restrict the users to the title program coordinator. It is recognized that different entities use various forms and names for the person who performs the program coordinator functions identified in the standard. Examples of titles are emergency manager (for the public sector), and business continuity manager (for the private sector and not-for-profit sectors ). A written position description should be provided.

Certification programs for emergency managers and business continuity professionals can be found in the DRII Professional Practices for Business Continuity Practitioners and through FEMA's Emergency Management Institute and the Certified Emergency Manager (CEM) program administered by International Association of Emergency Managers (IAEM).








A.4.3.3When the representation on the program committee is being determined, consideration should be given to public sector representation on a private or not-for-proft sector committee and vice versa, which will help to establish acoordinated and cooperative approach to the program.








A.4.5.3If, through exercise or incident analysis, program evaluation, or corrective action, limitations in the necessary laws and applicable authorities are discovered, a formal process should exist to amend them. This procedure should include an understanding of the procedures to influence the necessary changes to applicable legislation, policies, directives, standards, and industry codes of practice.

In the case of public/private private, not-for-profit, and public entities,consideration should be made for periodic review of existing legislation,regulations, codes, and authorities to determine whether adequate flexibilityexists to accommodate evolving programmatic policy or if new legislation should be developed and introduced through a legislative initiative. This isparticularly relevant because program requirements change to comply withchanging roles and relationships in and among varying levels of government.

For example, the entity might have the appropriate authority to conduct emergency operations but lack authority to take action prior to an event to mitigate the occurrence or the recurrence of an incident. In other cases, additional authorities could be needed to generate the necessary revenue to sustain a viable program or to create a standing contingency fund to adequately support an emergency operation.








A.5.1.5

The vast majority of incidents that affect life, health and safety are the purview of emergency response. Planning for the normalization of operations as quickly as possible following a business disruption is the focus of business continuity. The goal of crisis management is not only to minimize disruption but to also influence the outcome of the crisis. The crisis management team is led by senior management and is responsible for the broad strategic – rather than tactical – ramifications that affect reputation or long-term consequences of a severe incident.Crises may create issues or threaten consequences that can disrupt the organization’s ability to do business. They are best mitigated by getting ahead of the incident to proactively address the issue before it has escalated to the point where it has become a crisis for the organization. Recognizing signals pointing to a problem that may develop into a crisis and proactively addressing those signals or issues can help to mitigate the reputational and financial damage that a crisis can create.When activated, the crisis management team assumes ultimate authority for thedirection of the organization’s response to the crisis. The crisis management team’s primary function is to identify, evaluate and manage the strategic issues that impact the organization on a broad basis, without becoming involved in the details of the on-site emergency response actions. The crisis management team focuses on forecasting potential consequences of the incident and is also responsible for keeping other senior managers and executives informed of current and anticipated response activities, as well as the formulation of long-term strategic response plans.Crisis management activities include:

acting as a clearinghouse for all information•

coordinating corporate support to the site of the incident•coordinating the response activities of a business group and corporate functional departments

•

coordinating the implementation of business continuity or disaster recovery plans and management of business resumption issues stemming from an incident

•

supporting executives in crisis management activities•

The Crisis Management Team should address:

consequences of operational and business disruptions•

implications of media, community, and government relationships•

concerns about inter- and intra-organizational ramifications•

impact on strategic plans•

consequences for labor and contractor relations•

legal and financial liability•insurance implications•

environmental issues•

impact on international relations•



potential for industry-wide concerns•

Roles and responsibilities of the Crisis Management Team:

communicate with board of directors•

define corporate policy•

commit corporate assets•

provide overall management and direction•

set strategic direction of crisis response•


Section 5.1.5 of the Standard does not have any accompanying material in Annex A to further explain how to implement crisis management within the organization. The proposed Annex A material was developed by / in coordination with the authors of the chapter on Crisis Management in the "Implementing NFPA 1600" handbook.


Submitter Full Name: JO ROBERTSONOrganization: ARKEMA INC. (and NFPA 1600 Technical Committee member)Affilliation: NFPA 1600 Technical Committee memberStreet Address: City:State: Zip: Submittal Date: Sun Dec 08 17:13:18 EST 2013




A.5.2Risk assessment is a process for identifying potential hazards/risk exposures and their relative probability of occurrence; identifying assets at risk; assessing the vulnerability of the assets exposed; and quantifying the potential impacts of the hazard/risk exposures on the assets. Periodic reassessment is needed when changes to the entity occur. Reassessment is also necessary because hazards/risk exposures change over time, and the collective knowledge of hazards/risk exposures develops over time.

In addition to identifying hazards that could be the primary cause of an incident, consideration should also be given to those secondary hazards or cascading events that could cause additional impact to the entity and its assets. As an example, a fire could result in injury or death, property damage, interruption of operations, contamination of the environment, and negative attention on the entity.

A comprehensive risk assessment identifies the range of hazard/risk exposures, including threats, hazards, or disruptive incidents, that have impacted or might impact the entity, the surrounding area, or the critical infrastructure supporting the entity. The potential impact of each threat, hazard/risk exposure, or disruptive incident is determined by the capabilities of the perpetrator, the magnitude of the hazard, and the scope of the incident, as well as the vulnerability of people, property, technology, the environment, and the entity’s operations to the threat, hazard, or incident and the adequacy of existing mitigation. There are multiple methods to perform a risk assessment, but the entity should adhere to the following steps for conducting a comprehensive risk assessment:

(1) Determine the methodology the entity will use to conduct theassessment and determine whether the entity has the necessary expertise to perform the assessment.

(2) Consult with internal or external experts with the expertise to assess the vulnerability of the entity’s assets from identified hazards.

(3) Identify and categorize assets (human resources, buildings, equipment, operations, technology, electronic information, suppliers, vendors, third-party service providers, etc.).

(4) Identify threats and hazards — natural, human caused (accidental and intentional), and technology caused.

(5) Evaluate hazard/risk exposures to which the entity is exposed.

(6) Assess the existing/current preventive measures and mitigation controls in place against credible threats.

(7) Categorize threats, hazard/risk exposures, and potential incidents by their relative frequency and severity. Keep in mind that there might be many possible combinations of frequency and severity for each, as well as cascading impacts.

(8) Evaluate the residual hazard/risk exposures (those that remain hazardous after prevention and mitigation activities).



Information from the risk assessment and impact analysis will help determine priorities for prevention and mitigation activities as well as prioritize development of plans and procedures. The entity should attempt to prevent, mitigate, prepare for, plan to respond to, and plan to recover from incidents that have significant potential to impact people; property; operational capabilities, including technology; the environment; and the entity itself.

A.5.2.X

The e xpert agency retained by the entity to prepare the riskassessment should have demonstrated proficiency in Monte Carlo modeling and simulation of disaster and recovery scenarios.


When its objectives are fully realized, this document will create a cadre of expert agencies to meet market demand for Disaster/Emergency Management and Business Continuity Programs. We need to have a discussion about -- and an enforceable requirement for --the qualifications of the expert agencies producing this deliverable.

Monte Carlo methods are especially useful for modeling phenomena with significant uncertainty in inputs, such as the calculation of risk in business, the likelihood of hazards or combinations of hazards. When Monte Carlo simulations have been applied in space exploration and oil exploration, their predictions of failures, cost overruns and schedule overruns are routinely better than human intuition or alternative "soft" methods.

Since Section 4..6.2of this document states,

…“There shall be a responsive financial management and administrative framework that complies with the entity’s program requirements and is uniquely linked to response, continuity, and recovery operations.”…

qualitative considerations described in this document should be informed by quantitative modeling. Monte Carlo methods in finance are often used to evaluate investments in projects such as the suite of mitigation measures described in this document. Such methods can be used to model project schedules, where simulations aggregate estimates for worst-case, best-case, and most likely durations for each task to determine outcomes for the overall project. Mastery of Monte-Carlo methods should be regarded as distinctive a measure of competence as trade union membership or professional engineering licensure.





Public Input No. 28-NFPA 1600-2013 [ Section No. A.5.2.2.1 ]

A.5.2.2.1The following is an expanded list of hazards that should be considered during the risk assessment. Many hazards can be classified in multiple categories. A wildland fire might be caused by lightning or an intentional act. A fire in a chemical plant could be caused by human error or the failure of technology, such as a malfunctioning or improperly programmed control system. Hazards that should be considered during the risk assessment include natural hazards/risk exposures (geologic, meteorologic, and biological), human-caused events (accidental and intentional), and technology-caused incidents:

(1) Geologic hazards/risk exposures

(a) Earthquake

(b) Tsunami(c) Volcano

(d) Landslide, mudslide, subsidence

(2) Meteorologic hazards/risk exposures

(a) Flood, flash flood, seiche, tidal surge

(b) Water control structure (e.g., dam, levee) failure

(c) Drought

(d) Snow, ice, hail, sleet, avalanche, arctic freeze

(e) Windstorm, tropical cyclone, hurricane, tornado, water spout, duststorm, sandstorm

(f) Extreme temperatures (heat, cold)

(g) Wildland fire

(h) Lightning strikes(i) Famine

(j) Geomagnetic storm

(3) Biological hazards/risk exposures

(a) Food-borne illnesses

(b) Pandemic disease (e.g., avian flu, H1N1)

(c) Infectious/communicable disease [e.g., plague, smallpox, anthrax, West Nile virus, foot and mouth disease, severe acute respiratory syndrome (SARS), bovine spongiform encephalopathy (BSE, or Mad Cow Disease)]

(4) Accidental human-caused events

(a) Hazardous material spill or release (flammable liquid; flammable gas; flammable solid; oxidizer; poison; explosive, radiological, or corrosive material)

(b) Nuclear power plant incident, radiological incident

(c) Explosion/fire



(d) Transportation accident

(e) Building/structure collapse

(f) Entrapment and/or rescue (machinery, confined space, high angle, water)

(g) Fuel/resource shortage

(h) Mechanical breakdown(i) Transportation incidents (motor vehicle, railroad, watercraft, aircraft,

pipeline)

(j) Untimely death of employee

(5) Intentional human-caused events

(a) Strike or labor dispute

(b) Criminal activity (vandalism, sabotage, arson, robbery, theft, fraud, embezzlement, data theft, malfeasance)

(c) Physical or information security breach

(d) Lost person, child abduction, kidnapping, extortion, hostage incident, workplace/school/university violence, homicide

(e) Product defect or contamination

(f) Disinformation(g) Harassment

(h) Discrimination

(i) Demonstrations, civil disturbance, public unrest, mass hysteria, riot

(j) Bomb threat, suspicious package

(k) Terrorism (explosive, chemical, biological, radiological, nuclear, cyber, electromagnetic pulse)

(l) Insurrection

(m) Enemy attack, war

(n) Arson

(6) Technology-caused incidents

(a) Computer systems [outages, hardware failure, data corruption, deletion, theft, loss of network connectivity (Internet or intranet), loss of electronic data interchange or ecommerce, loss of domainname server (DNS), virus, worm, Trojan horse, power surge, lightning, host site interdependencies, direct physical loss, water damage, cyber terrorism, vulnerability exploitation, botnets, hacking, phishing, spyware, malware, computer fraud, loss of encryption, denial of service, improper system use by employee, telecommunications interruption or failure, electricity brownout or blackout]

(b) Computer software or application interruption, disruption, or failure (internal/external)

(c) Loss, corruption, or theft of electronic information

(d) Utility interruption or failure (telecommunications, electrical power, water, gas, steam, HVAC, pollution control system, sewage system, other critical infrastructure)



(7) Other hazards/risk exposures, such as supply chain interruption [loss of shipping or transportation, vendor failure (single or sole source provider)], including direct and indirect effects on the supply chain based on impacts from the expanded lists of hazards included in this document


Clarifying text included to remain consistent with supply chain references in the body of the standard.


Submitter Full Name: Brian StrongOrganization: BlueCross BlueShield of FloridStreet Address:City: State: Zip:Submittal Date: Mon Dec 09 14:22:21 EST 2013



Public Input No. 79-NFPA 1600-2014 [ Section No. A.5.2.2.1 ]

A.5.2.2.1The following is an expanded list of hazards that should be considered during the risk assessment. Many hazards can be classified in multiple categories. A wildland fire might be caused by lightning or an intentional act. A fire in a chemical plant could be caused by human error or the failure of technology, such as a malfunctioning or improperly programmed control system. Hazards that should be considered during the risk assessment include natural hazards/risk exposures (geologic, meteorologic, and biological), human-caused events (accidental and intentional), and technology-caused incidents:

(1) Geologic Geological hazards/risk exposures

(a) Earthquake

(b) Tsunami(c) Volcano

(d) Landslide, mudslide, subsidence

(2) Meteorologic Meteorlogical hazards/risk exposures

(a) Flood, flash flood, seiche, tidal surge

(b) Water control structure (e.g., dam, levee) failure

(c) Drought

(d) Snow, ice, hail, sleet, avalanche, arctic freeze

(e) Windstorm, tropical cyclone, hurricane, tornado, water spout, duststorm, sandstorm

(f) Extreme temperatures (heat, cold)

(g) Wildland fire

(h) Lightning strikes(i) Famine

(j) Geomagnetic storm

(3) Biological hazards/risk exposures

(a) Food-borne illnesses

(b) Pandemic disease (e.g., avian flu, H1N1)

(c) Infectious/communicable disease [e.g., plague, smallpox, anthrax, West Nile virus, foot and mouth disease, severe acute respiratory syndrome (SARS), bovine spongiform encephalopathy (BSE, or Mad Cow Disease)]

(4) Accidental human-caused events

(a) Hazardous material spill or release (flammable liquid; flammable gas; flammable solid; oxidizer; poison; explosive, radiological, or corrosive material)

(b) Nuclear power plant incident, radiological incident

(c) Explosion/fire



(d) Transportation accident

(e) Building/structure collapse

(f) Entrapment and/or rescue (machinery, confined space, high angle, water)

(g) Fuel/resource shortage

(h) Mechanical breakdown(i) Transportation incidents (motor vehicle, railroad, watercraft, aircraft,

pipeline)

(j) Untimely death of employee

(5) Intentional human-caused events

(a) Strike or labor dispute

(b) Criminal activity (vandalism, sabotage, arson, robbery, theft, fraud, embezzlement, data theft, malfeasance)

(c) Physical or information security breach

(d) Lost person, child abduction, kidnapping, extortion, hostage incident, workplace/school/university violence, homicide

(e) Product defect or contamination

(f) Disinformation(g) Harassment

(h) Discrimination

(i) Demonstrations, civil disturbance, public unrest, mass hysteria, riot

(j) Bomb threat, suspicious package

(k) Terrorism (explosive, chemical, biological, radiological, nuclear, cyber, electromagnetic pulse)

(l) Insurrection

(m) Enemy attack, war

(n) Arson

(6) Technology-caused incidents

(a) Computer systems [outages, hardware failure, data corruption, deletion, theft, loss of network connectivity (Internet or intranet), loss of electronic data interchange or ecommerce, loss of domainname server (DNS), virus, worm, Trojan horse, power surge, lightning, host site interdependencies, direct physical loss, water damage, cyber terrorism, vulnerability exploitation, botnets, hacking, phishing, spyware, malware, computer fraud, loss of encryption, denial of service, improper system use by employee, telecommunications interruption or failure, electricity brownout or blackout]

(b) Computer software or application interruption, disruption, or failure (internal/external)

(c) Loss, corruption, or theft of electronic information

(d) Utility interruption or failure (telecommunications, electrical power, water, gas, steam, HVAC, pollution control system, sewage system, other critical infrastructure)



(7) Other hazards/risk exposures, such as supply chain interruption [loss of shipping or transportation, vendor failure (single or sole source provider)]


To change for parallel usage in sections






A.5.3The BIA provides an assessment of how key disruption risks could affect an entity’s operations and identifies capabilities that might be needed to manage the disruptions.

The BIA Process. A BIA can be undertaken using engineering analysis, mathematical modeling, simulations, surveys, questionnaires, interviews, structured workshops, or a combination thereof, to identify the critical processes, people/personnel, assets and resources, physical and nonphysical properties, and the financial and operational effects of the loss of these elements, as well as the required recovery time frames and supporting resources.

Based on the risk and vulnerability assessments, the following steps should be taken to confirm the processes and outputs of the organization:

(1) Determine the consequences of a disruption on the identified processes in financial, regulatory, customer and/or operational terms over defined periods.

(2) Identify the interdependencies with key internal and externalstakeholders, which could include mapping the nature of the interdependencies through the supply chain (both inbound and outbound).

(3) Determine the current available resources and the essential level of resources required to continue operation at a minimum acceptable level following a disruption.

(4) Identify ways to bypass problems (“workarounds”) in processes that are currently in use or are planned to be developed. It might be necessary to develop alternative processes where resources or capability might be inaccessible or insufficient during the disruption.

(5) Determine the recovery time objective (RTO) for each process, based on the identified consequences and the critical success factors for the function. The RTO represents the maximum period of time the organization can tolerate the loss of capability.

(6) Determine the rate at which the severity of the impact increases over time if the RTO is not met.

(7) Confirm the current level of preparedness of the entity’s processes to manage a disruption. This might include evaluating the level of redundancy within the process (e.g., spare equipment) or the existence of alternative suppliers, including a supplier's preparedness to manage a disruption .

The BIA processes should consist of the following three components:

(1) Identify the lines of process flow (i.e., material flow, information flow, people movement, cash flow) and time constraints. Typical output of the BIA will provide a process flow for the entire entity, identifying internal and external dependencies.



(2) Identify the interruption potentials that describe the financial, regulatory, customer, or operational impacts, including potential bottlenecks, upstream and downstream supply chains, single points of failure, long lead time or imported equipment, single-source and sole-source suppliers, time constraint processing (e.g., long batch times), and interdependencies between internal and external entities and facilities.

(3) Identify the entity’s dependency on technology infrastructure, including systems and applications, by identifying the technology needed to continue time-sensitive operational processes; correlate specific technology components with the operational processes they support and based on that information, assess the impact to the entity’s operations due to disruption of those components.

A typical BIA would supply the following information:

(1) The financial impact to the organization if the process fails to perform, for example:

(a) Loss of sales

(b) Fines or penalties incurred

(c) Overtime pay

(d) Additional costs to recover

(e) Loss of raw materials/finished products

(2) The regulatory or legal impact, for example:

(a) Failure to meet reporting requirements

(b) Failure to meet contractual commitments

(c) Potential lawsuits

(3) Customer impact, for example:

(a) How soon customers will know a problem exists and how worried they will be

(b) Impact to a customer’s supply chain

(c) Potential for a customer to take its business elsewhere

(d) Harm that could be caused to the customer

(e) Impact to brand(f) Impact to reputation

(4) Operational impact, for example:

(a) Seasonal impact(b) Backlog impact

(c) Workload changes

(d) Overtime

(e) Employee morale

(5) The RTO required for the process in order to meet the operational level acceptable to the entity

(6) Resources required to continue or resume time-sensitive processes and the escalation of resource needs over time, for example:



(a) Technology infrastructure components, systems, and applications including:

i. RTO of the required technology components

ii. Interdependency among different technology components

iii. Core infrastructure, systems, and services such as network components, directory services, etc., that are essential for recovery of other technology components

iv. Recovery point objectives (RPOs) for data (the maximum amount of acceptable data loss)

(b) Vital records requirements

(c) Equipment requirements such as printers, fax machines, scanners, mail sorters, postage meters, time stamps, forklifts, ladders, andtools

(d) Desktop requirements such as computers, telephones

(e) Supplies such as paper, envelopes, letterhead, forms(f) Regulatory reporting requirements

(g) Description of internal and external dependencies

(h) Previous disruption experience

(i) Known competitive issues analysis

The outputs of the BIA typically would include the following:

(1) Financial, operational, regulatory, customer, and other tangible and nontangible impact to the entity

(2) Identification of all time-sensitive processes and their critical resources requirements

(3) Identification of time-sensitive technology components essential to recover the operational processes

(4) Prioritization of processes to be recovered

(5) Prioritization of the technology components in alignment with operational processes

(6) Identification of key internal and external interdependencies of operational units, functions, processes, critical resources, and technology components

(7) Identification of seasonal impact to operations for each operational process

(8) Determination of resources (people, vendors, equipment, technology, data/information, funding, and time) required for resumption and recovery

(9) RTO for each process

The output information of the BIA will help to achieve the following:

(1) Identify the entity’s critical operations(2) Identify the entity’s time-sensitive operations

(3) Determine the RTO for each critical operation

(4) Determine the internal and external dependencies



(5) Determine whether the recovery of each dependent component is in alignment with process RTO

(6) Determine the critical resources (people, vendors, equipment,technology, data/information, funding, and time) required to support theentity’s mission


Added clarifying text to support increased focus on supply chain risk management referenced throughout the body of the document.






A.5.3The BIA provides an assessment of how key disruption risks could affect an entity’s operations and identifies capabilities that might be needed to manage the disruptions.

The BIA Process. A BIA can be undertaken using engineering analysis, mathematical modeling, simulations, surveys, questionnaires, interviews, structured workshops, or a combination thereof, to identify the critical processes, people/personnel, assets and resources, physical and nonphysical properties, and the financial and operational effects of the loss of these elements, as well as the required recovery time frames and supporting resources.

Based on the risk and vulnerability assessments, the following steps should be taken to confirm the processes and outputs of the organization:

(1) Determine the consequences of a disruption on the identified processes in financial, regulatory, customer and/or operational terms over defined periods.

(2) Identify the interdependencies with key internal and externalstakeholders, which could include mapping the nature of the interdependencies through the supply chain (both inbound and outbound).

(3) Determine the current available resources and the essential level of resources required to continue operation at a minimum acceptable level following a disruption.

(4) Identify ways to bypass problems (“workarounds”) in processes that are currently in use or are planned to be developed. It might be necessary to develop alternative processes where resources or capability might be inaccessible or insufficient during the disruption.

(5) Determine the recovery time objective (RTO) for each process, based on the identified consequences and the critical success factors for the function. The RTO represents the maximum period of time the organization can tolerate the loss of capability.

(6) Determine the rate at which the severity of the impact increases over time if the RTO is not met.

(7) Confirm the current level of preparedness of the entity’s processes to manage a disruption. This might include evaluating the level of redundancy within the process (e.g., spare equipment) or the existence of alternative suppliers.

The BIA processes should consist of the following three components:

(1) Identify the lines of process flow (i.e., material flow, information flow, people movement, cash flow) and time constraints. Typical output of the BIA will provide a process flow for the entire entity, identifying internal and external dependencies.



(2) Identify the interruption potentials that describe the financial, regulatory, customer, or operational impacts, including potential bottlenecks, upstream and downstream supply chains, single points of failure, long lead time or imported equipment, single-source and sole-source suppliers, time constraint processing (e.g., long batch times), and interdependencies between internal and external entities and facilities.

(3) Identify the entity’s dependency on technology infrastructure, including systems and applications, by identifying the technology needed to continue time-sensitive operational processes; correlate specific technology components with the operational processes they support and based on that information, assess the impact to the entity’s operations due to disruption of those components.

A typical BIA would supply the following information:

(1) The financial impact to the organization if the process fails to perform, for example:

(a) Loss of sales

(b) Fines or penalties incurred

(c) Overtime pay

(d) Additional costs to recover

(e) Loss of raw materials/finished products

(2) The regulatory or legal impact, for example:

(a) Failure to meet reporting requirements

(b) Failure to meet contractual commitments

(c) Potential lawsuits

(3) Customer impact, for example:

(a) How soon customers will know a problem exists and how worried they will be

(b) Impact to a customer’s supply chain

(c) Potential for a customer to take its business elsewhere

(d) Harm that could be caused to the customer

(e) Impact to brand(f) Impact to reputation

(4) Operational impact, for example:

(a) Seasonal impact(b) Backlog impact

(c) Workload changes

(d) Overtime

(e) Employee morale

(5) The RTO required for the process in order to meet the operational level acceptable to the entity

(6) Resources required to continue or resume time-sensitive processes and the escalation of resource needs over time, for example:



(a) Technology infrastructure components, systems, and applications including:

i. RTO of the required technology components

ii. Interdependency among different technology components

iii. Core infrastructure, systems, and services such as network components, directory services, etc., that are essential for recovery of other technology components

iv. Recovery point objectives (RPOs) for data (the maximum amount of acceptable data loss)

(b) Vital records requirements

(c) Equipment requirements such as printers, fax machines, scanners, mail sorters, postage meters, time stamps, forklifts, ladders, andtools

(d) Desktop requirements such as computers, telephones

(e) Supplies such as paper, envelopes, letterhead, forms(f) Regulatory reporting requirements

(g) Description of internal and external dependencies

(h) Previous disruption experience

(i) Known competitive issues analysis

The outputs of the BIA typically would include the following:

(1) Financial, operational, regulatory, customer, and other tangible and nontangible impact to the entity

(2) Identification of all time-sensitive processes and their critical resources requirements

(3) Identification of time-sensitive technology components essential to recover the operational processes

(4) Prioritization of processes to be recovered

(5) Prioritization of the technology components in alignment with operational processes

(6) Identification of key internal and external (e.g., suppliers)interdependencies of operational units, functions, processes, criticalresources, and technology components

(7) Identification of seasonal impact to operations for each operational process

(8) Determination of resources (people, vendors, equipment, technology, data/information, funding, and time) required for resumption andrecovery

(9) RTO for each process

The output information of the BIA will help to achieve the following:

(1) Identify the entity’s critical operations(2) Identify the entity’s time-sensitive operations

(3) Determine the RTO for each critical operation

(4) Determine the internal and external (e.g., suppliers) dependencies



(5) Determine whether the recovery of each dependent component is in alignment with process RTO

(6) Determine the critical resources (people, vendors, equipment,technology, data/information, funding, and time) required to support theentity’s mission


Included supply chain references to support supply chain risk management focus.






A.5.4.5Mutual aid/assistance or partnership agreements between entities are an effective means to obtain resources and should be developed whenever possible.

Agreements should be in writing, be reviewed by legal counsel, be signed by a responsible official, define liability, and detail funding and cost arrangements.

The term mutual aid/assistance agreement, as used here, includes cooperative assistance agreements, intergovernmental compacts, or otherterms commonly used for the sharing of resources. Partnerships can include any combination of public, private, and not-for-profit entities or nongovernmental organizations (NGOs).

Mutual aid/assistance and partnership agreements are the means for one entity to provide resources, facilities, services, and other required support to another entity during an incident. Each entity should be party to the agreement with appropriate entities from which they expect to receive or to which they expect to provide assistance during an incident. This would normally include neighboring or nearby entities, as well as relevant private sector and NGOs not-for-profit entities or nongovernmental organization {NGOs} . States should participate in interstate compacts and look to establish intrastate agreements that encompass all local entities. Mutual aid/assistance agreements with not-for profit entities or NGOs, such as theInternational Red Cross/Red Crescent, can be helpful in facilitating the timelydelivery of private assistance.

If mutual aid/assistance is needed, agreements should include the following:

(1) Definitions of key terms used in the agreement, including intellectual property, duration of the agreement, and duration of assistance

(2) Roles and responsibilities of individual parties

(3) Procedures for requesting and providing assistance, including mobilization and demobilization

(4) Procedures, authorities, and rules for payment, reimbursement, and allocation of costs

(5) Notification procedures

(6) Protocols for interoperable communications(7) Relationships with other agreements among entities

(8) Workers’ compensation

(9) Treatment of liability and immunity

(10) Recognition of qualifications and certifications







A.6.2.6 The prevention strategy should include the use of the following gradient scale in the determining how critical the facility and individual infrastructure elements within it are to both responding/recovering from the event and also in mitigating further escalation of the damages:Category I – Systems that have been designated to remain operational or be immediately restorable to service after the event for emergency services to function or to prevent significant escalation of the damages. Category II – Systems that have been designated to significantly contribute to the delivery of emergency services or are essential for disaster recovery or to prevent significant escalation of the damages. Category II systems are typically restorable to operation within 4 hours.Category III – Systems that have significant impact on the protection of life and property, but are not immediately essential for providing emergencyservices or to prevent significant escalation of the damages. Category IIIsystems are typically restorable to operation within 24 hours. Category IV – Critical systems that have significant impact on the protection of life and property, but are not immediately essential, as there are multiple systems or facilities providing the same function. Category IV systems are typically restorable to operation within 24 hours for the time utility power, water and sewage disposal are available to the facility.




Major disasters, such as floods from hurricanes and earth quakes significantly disrupt normal transportation and communication lines. Relief efforts are stopped before they can get started if there is no way for them to find out where the relief is needed and how to get to the area. Major disasters also significantly disrupt normal services, such as electrical power, natural gas, water and sewage service. How quickly relief is required before the situation becomes life threatening to the general population varies significantly due to the circumstances. In all cases the loss of water and sewage will significantly impact the general public in a matter of a few days. Health related issues due to water contamination can escalate much quicker.




Therefore hardening the key pieces of the infrastructure (such as 911 Call Centers) that are required for recovery from the event or to mitigate significant escalation of the damages should be specifically addressed as part of the Prevention strategy. The essential infrastructure elements should be given a priority ranking, so the most critical elements receive the most resources.

This is the joint work of Robert Schuerger, Michael Simon and Robert Arno.





Public Input No. 18-NFPA 1600-2013 [ New Section after A.6.4.2(1) ]

A.6.4.2(2)A common format for gathering pertinent information (inbound messaging) and disseminating communication messages (outbound messaging) by the entity is recommended. Use of social media may provide a distinct advantage to both inbound and outbound messaging, and should be considered a basic form of communication with external and internal audiences.


The Technical Committee task group on social media believes additional guidance would be helpful.




Affilliation: NFPA 1600 Technical Committee member -- submitted on behalf of the social media task group





A.6.5.1The entity should determine warning, notification, and communications needs based on the hazards and potential impacts identified during the risk assessment and the capabilities required to execute response, crisis communications, continuity, and recovery plans, procedures, and public education/emergency information programs.

Warning systems can include fire alarm, emergency voice communication, public address, mass notification, social media and other systems designed to warn building occupants, people on a campus, or citizens in the community that there is a threat or hazard and to take protective action. Notification systems are used to alert members of response, continuity, and recovery teams as well as external resources (public emergency services), regulators, management, and so forth. Communications needs include two-way radio systems, and wired and wireless voice and data communications, among other systems.


The Technical Committee task group on social media believes "social media" should be inserted to stress the value of social media as a communications tool during disaster communications.




Affilliation: NFPA 1600 Technical Committee member - on behalf of the social media task group





A.6.7.1An incident management system (IMS) should be used to manage an incident. The system used varies among entities and among jurisdictions within entities. In minor incidents, IMS functions might be handled by one person: the incident commander or equivalent designee.

An example of an effective public sector IMS would be the National Incident Management System (NIMS) used in the United States or its equivalent inother countries. In the Incident Command System (ICS) portion of NIMS, incident management is structured to facilitate activities in five major functional areas: command, operations, planning, logistics, and finance and administration. For private sector or not-for-profit entities, it is acceptable for the IMS to be organized in whatever way best fits the organizational structure, as long as it is clear how the entity will coordinate its operations with public sector resources arriving at the incident scene.

Figure A.6.7.1 illustrates private sector functions under the ICS. All positions would not be filled for all incidents. In addition, the number of positions reporting to any supervisor should not exceed the “manageable span of control” within the ICS. The intent of Figure A.6.7.1 is to show how positions for different scenarios would be organized under the ICS. In addition, the figure illustrates that the organization can grow as the scale of the incident and the resources needed to manage the incident expand.

It is common to find that environmental, health, and safety professionals within private industry fill positions, including “Safety Officer,” as well as positions within “Operations.” Public affairs and media relations staff would likely fill the “Public Information” position. Facilities management, engineering, and operations typically staff “Operations” as well. Personnel trained to provide first aid and administer CPR would staff the “Medical” function. Security would fill the “Security” function. Finance staff, including insurance and risk management staff, would likely fill positions under “Finance &Administration.” Supply chain personnel would have the ideal expertise to staff the “Logistics” section. “Planning” could be filled by staff with planningexpertise.

It is not the intent that Figure A.6.7.1 suggest that every entity must include all of the functions in its response, continuity, or recovery organization. Each entity is unique and should structure its teams and IMS to best fit its needs. Many of the positions can be combined and filled by a single person.

Figure A.6.7.1 Diagram of Incident Command System.




A.6.8.2Protective actions for life safety include evacuation, shelter-in-place, and lockdown and depend upon the nature and location of the threat or hazard. Action should include defining the protocols and procedures for warning people at risk or potentially at risk and with special and functional needs and the actions that should be taken to protect their safety. Special attention might be needed to address the needs of people with access special and functionalneeds (for guidance, see http://www.fema.gov/plan/prepare/specialplans.shtm). Emergency plans should address those who might have additional needs before, during, or after an incident in one or more of the following functional areas:

(1) Visually impaired

(2) Hearing impaired

(3) Mobility impaired

(4) Single working parent(5) Language competency

(6) People without vehicles

(7) People with special dietary needs

(8) People with medical conditions

(9) People with intellectual disabilities

(10) People with dementia

Persons with access special and functional needs can include those who reside in institutionalized settings, the elderly, children, and those from diverse cultures who have limited proficiency in the local language.



A.6.8.2 needed correction to adopt the term special and functional needs corrected in 6.8.2.






A.6.9.2Plans for business continuity, continuity of government, and continuity of operations are generally similar in intent and less similar in content. Continuity plans have various names in both the public and private ,private, and not-for-profit sectors, including business continuity plans, business resumption plans, and disaster recovery plans.








A.6.9.3Recovery planning for the public and private ,private, and not-for-profitsectors should provide for continuity of operations to return the entity,infrastructure, and individuals back to an acceptable level. This includesimplementation of mitigation measures to facilitate short-term and long-termrecovery.

The recovery plan should include the following:

(1) Facilities and equipment

(2) Critical infrastructure

(3) Telecommunications and cyber protection systems

(4) Distribution systems for essential goods

(5) Transportation systems, networks, and infrastructure

(6) Human resources

(7) Psychosocial services

(8) Health services

Short-term goals and performance objectives should be established and include the following:

(1) Vital personnel, systems, operations, records, and equipment(2) Priorities for restoration and mitigation

(3) Acceptable downtime before restoration to a minimal level

(4) Minimal functions, services, and resources needed to provide for the restoration of facilities, programs, and infrastructure

Long-term goals and objectives should be based on the entity’s strategic plan and include the following:

(1) Management and coordination of activities

(2) Funding and fiscal management

(3) Management of volunteers (both affiliated and spontaneous),contractual, and entity resources

(4) Opportunities for mitigation







A.7.7Information that should be included in public outreach and awareness efforts include regulatory disclosures such as those required by the SARA Title III [(Emergency Planning and Community Right-to-Know Act (EPCRA)], the Community Awareness Emergency Response (CAER), and the Clery Act (unviersities) . Other nonregulatory Nonregulatory examples of awareness that might be included in public education include severe weather outreach and alerts, shelter-in-place, and evacuation.


Change to improve clarity for this section





Public Input No. 84-NFPA 1600-2014 [ Section No. A.9.1.3(5) ]

A.9.1.3(5)Many emergency management entities and programs in both the public and private sectors ,private, and not-for-profit sectors sectors are supported in part by grants from government entities or private sources. A change in grant assistance could materially impact the entity's program, necessitating an evaluation of the program.







Public Input No. 31-NFPA 1600-2013 [ Section No. B.2 ]

B.2 Web Sites and Documents of Interest.Web sites are included here as examples of program development resources available on the Internet. Inclusion in this annex does not constitute an endorsement. The user is cautioned that web site addresses change, and a search engine might be needed to locate the correct URL.

American Waterworks Association, “Utilities Helping Utilities: An Action Plan for Mutual Aid and Assistance Networks for Water and Wastewater Utilities”:http://www.awwa.org/files/Utilities_Helping_Utilities.pdf

Congressional Research Service, “Emergency Communications: TheEmergency Alert System (EAS) and All-Hazard Warnings”:http://www.fas.org/irp/crs/RL32527.pdf

Corporate Executive Board, Risk Leadership Council: http://www.executiveboard.com/exbd/index.page ?

Crisis Communications Plan Template (Canadian Centre for Emergency Preparedness): http://www.ccep.ca/templates/ccplan.rtf

Disaster Research Center, University of Delaware: http://www.udel.edu/DRC/Emergency Management and Civil Protection Act and Regulation (Ontario): http://www.search.e-laws.gov.on.ca/en/isysquery/78ea6acf-3e22-41e7-8d1b-66282cd4213f/3/doc/?search=browseStatutes&context=#hit1

Emergency Management Assessment Program (EMAP):http://www.emaponline.org/

Emergency Management Competencies: http://training.fema.gov/EMIWeb/edu/EMCompetencies.asp

Emergency Management Institute (FEMA) IS-120 Introduction to Exercises: http://emilms.fema.gov/IS120A/index.htm

Emergency Management Institute homepage (FEMA):http://training.fema.gov/Emergency Manager Toolkit (FEMA):http://training.fema.gov/EMIWeb/IS/is1Toolkit/unit2.htm

Emergency Program Manager: Knowledge, Skills, and Abilities:http://training.fema.gov/EMIWeb/edu/EmergProgMgr.doc

Enterprise Preparedness (International Center for Enterprise Preparedness): http://www.nyu.edu/intercep

EPA Risk Assessment Portal: http://www.epa.gov/risk/

FEMA: Developing Effective Standard Operating Procedures for Fire and EMS Departments: http://www.usfa.dhs.gov/downloads/pdf/publications/fa-197-508.pdf

Hazard Mitigation Planning (FEMA):http://www.fema.gov/plan/mitplanning/index.shtm

Homeland Exercise and Security Evaluation Program:https://hseep.dhs.gov/pages/1001_HSEEP7.aspx

ICS All-Hazard Core Competencies (FEMA):http://www.fema.gov/library/viewRecord.do?id=2948



http://www.theirm.org/publications/documents/Risk_Management_Standard_030820.pdf

International Standards Organization (ISO): http://www.iso.org

Mitigation Best Practices Search (FEMA):http://www.fema.gov/mitigationbp/index.jsp

National Incident Management System (NIMS) Resource Center:http://www.fema.gov/emergency/nims/Natural Hazards Center, University of Colorado: http://www.colorado.edu/hazards/

New York State Department of Health (EMS) EMS Mutual Aid PlanningGuidelines: http://www.health.state.ny.us/nysdoh/ems/policy/89-02.htm

Ready Business, Federal Emergency Management Agency (FEMA):http://www.ready.gov/business

Records Managers (National Archives): http://www.archives.gov/records-mgmt/

Risk Management Standard (Australia): http://www.riskmanagement.com.au/Supply Chain Risk Leadership Council: http:// www.scrlc.com/articles/emerging Risks 2013 feb v10.pdf

Disaster Recovery Planning, University of Toronto:http://www.utoronto.ca/security/documentation/business_continuity/dis_rec_plan.htm

Washington Military Department, Emergency Management Division, MutualAid and Interlocal Agreement Handbook:http://emd.wa.gov/plans/documents/MutualAidHandbook.pdf


Added relevant references to support increased focus on supply chain risk management





Public Input No. 34-NFPA 1600-2013 [ New Section after C.1 ]

C2



NFPA 1600 is intended to meet the unique needs of all entities, regardless of size. The objective fsimply increase preparedness. The following guidance material is intended to highlight and simplifentities may wish to focus their preparedness efforts.This guidance can help the entity better identify where it needs to zero in to protect its assets (peopcontinue to provide goods and/or services; maintain cash flow; preserve competitive advantage anregulatory, financial and contractual obligations.( Key sections of NFPA 1600 are mentioned in parenthesis for easy reference .)

Program Management (Chapter 4)Leadership and commitment (section 4.1)The entity’s leadership should demonstrate commitment to its emergency management/business csmall entities, the owner or organizational leader may be responsible for the entire program.

Someone has been appointed to be responsible for developing and maintaining the organization’sprogram?

Planning (Chapter 5)Document your emergency management/business continuity plans and procedures. Plans can be

How the entity will respond to an emergency or disaster (emergency operations/response)•

What the entity needs to communicate, who the organization needs to communicate with, awith those stakeholders (crisis communications and some degree crisis management)

•

How the entity will recover from a disaster (recovery) and keep its business operations goin•

What the entity can do to prevent a disaster in the first place (prevention) or limit the damag•

How all these plans fit together and how they provide for the future of the organization (stra•

We have reviewed and documented basic steps to take in an emergency – such asevacuation route and meeting place?

We have contact lists for all employees, customers, key vendors?

We have outlined the steps for restoring the business if we lose computers /technology?



Risk Assessment (section 5.2)Identify which hazards are most likely to occur and which will have the biggest consequence/severdo occur. The intention of a risk assessment is to help the entity better allocate its resources by befocusing attention on preventing, mitigating, preparing for, and planning how to recover from the higAdditional considerations for small entities include:

Natural Hazard recognition •

Business owners/operators should be cognizant of natural hazards that their location is exposed toemergency management and insurance companies may be able to provide this information. Makeresistant to such hazards.

Exposure•

Exposure is "what's nearby that can hurt you". It could be an adjacent combustible building or wild(i.e. a chemical plant or even a gas station). It might also be a nearby river that poses flood potentthe roof and look around the facility. Then walk inside and around the facility and consider the potewiring, equipment failure that brings a manufacturer to a standstill. Finally, drive around the block oquestion: "what can hurt me or my facility?"(Refer to A.5.2.2.1 for a list of common hazards to consider – including natural hazards, human-catechnology-caused events.)

We have reviewed which hazards are most likely to occur in our area and consider these hazardswhen we do our planning?

We have reviewed the potential hazards posed by neighbors and taken that into consideration aswell?

Business Impact Analysis (section 5.3)Identify critical business operations and analyze the impact of losing them. This is helpful in betterprocedures, especially if resources are limited. Think through the steps the organization will need thazards/impacts occur.Additional considerations for small entities include:

Back-up data•

If it's critical or important to the organization, then it should be backed up. How frequently the back-can be lost without inflicting unreasonable damage to the organization (usually measured in dollars

Back-up hardware – having the backed-up data is half the equation. How will the data be pr•

We have backups of inventory records identifying how much is on hand and where it is?

We have backups of accounts receivable and accounts payable information identifying who and homuch?

We have backups of client names and contact information (e-mail, address, phone)?

We have gathered backups of other critical information to the organization – like equipment lists,drawings, specifications, etc.?

We have identified the availability of the equipment to run applications and access the data we hav

Resource Needs Assessment (section 5.4)What resources will be needed in order to get back in operation if a hazard occurs? What training i



We have identified where resources will come from if we need to get back in operation following anidentified a location where physical resources and supplies will be stored?

Additional considerations for small entities include:

Fire prevention program•

Fire is the most common and significant threat to most businesses. Owner/operators can reduce tprograms, especially if they handle flammable liquids or gasses.

Automatic sprinklers•

Locating the entity’s business or operation in buildings that are fully protected by automatic sprinklecatastrophic incident. Many natural catastrophes are often compounded by fire.

We have a fire safety program?

We have automatic sprinklers?

Adequate insurance•

Often overlooked is Business Interruption (BI) and Extra Expense (EE) coverage. "All Risk" policiesexpansive and in some cases allow for customization. In all cases, policyholders should know whacan or should be added, based on their specific needs.

If an entity’s premises are damaged as a result of a covered loss and can operate at a tempcover the costs above and beyond normal operating expenses. Among other things, it may temporary location and advertising that brings back customers or those that utilize the entity

•

Business interruption insurance (also known as business income insurance) compensates apremises due to a covered loss under the property insurance policy, such as a fire. Businesprofits that would have been earned – based on the entity’s financial records – had the evenoperating expenses, like utilities and rent on the property, that continue even though busine

•

Entities that depend heavily on suppliers should consider Contingent Business Interruption coverage. CBI and contingent extra expense coverage reimburse lost profits and extra expthe premises of a customer or supplier. It is possible to get protection against a set list of scoverage protecting any supplier’s shutdown.

•

We have adequate insurance coverage for our needs?

We have business interruption (BI) insurance?

We have extra expense insurance?

Emergency services pre-plan•

It can be very helpful to make sure in advance that local emergency services (fire rescue, police, Hentity’s operations and the challenges they might face when they arrive. It's also an opportunity to cthey have of the entity.

If we have hazards on site, or pose a potential hazard to our neighbors as a result of our operationwe have shared this information with the fire department and invited them for a meeting to discuss?

Implementation (Chapter 6)You do not need to have separate emergency response, incident management and business contiimplementing the plans should be aware of what is expected of them. Plans should focus on prevention and mitigation for the hazards, risks, vulnerabilities and impacts y

Do all employees know how to respond to any incident?



Communications (sections 6.4 and 6.5)Identify your most important audiences (employees, customers, media, investors, regulators, vendowith them following an emergency or disaster. The simplest way to determine who the entity’s keyimportant to the organization, who is most interested in the organization, or who could be hurt by pDetermine how you will notify key audiences of an emergency. Make sure there is a backup.Plan how you will provide critical information to your employees as well as key external audiences.that information to ensure it is consistent.Additional considerations for small entities include:

Employee contact info•

Ensure emergency contact information has been gathered and a means of communicating with embeen devised to make sure we can account for employees in a disaster?

Media contacts•

Most businesses or organizations use the media for promotion (TV, Radio, Print, Social Websites).from a crisis. Planning beforehand how the entity will communicate in a crisis situation is key.

Customer lists•

Every organization has clients or constituents who have an interest in the organization. Being ableallows the entity to help them understand what has happened and how it will affect them and also porganization will be there to meet their needs. These lists can be used for e-mail blasts or informat

E-mail - Here's where back-up data comes in. Blasts to the entity’s customers/constituents •

Social media - ditto•

We have employee contact lists and we have determined how to account for employees followingan emergency or disaster?

We have key customer / supplier / vendor contact lists as well and have determined how we willcoordinate a steady stream of information to them?

Emergency Operations / Response (section 6.8)Identify emergency actions to be taken to protect people and stabilize the emergency. Anyone whothe parts of the plan that pertain to them.Additional considerations for small entities include:

911/alarms•

Simple procedures such as knowing to call 911 or to activate manual alarms should be communicatraining. Fast response can mean the difference in life or death, and it can minimize property dama

Evacuation plan•

Every organization should have an evacuation plan. Exits should be well marked and kept clear. Evbasis under realistic conditions.

We have provided emergency procedure orientation as well as follow up training to all personnel?

We conduct evacuation drills on a regular basis?



Business Continuity & Recovery (section 6.9)Determine how you will recover critical or time-sensitive processes as quickly as possible after a dionly the jobs that have to be done and who will do those jobs, but also who will be in charge if the oemergency or disaster. Additional considerations for small entities include:

Location strategy•

If the entity loses its facility, where will it relocate? Do you know your building, utility and infrastructure needs?

Purchase - what is the local commercial real estate market like?•

Lease/rent - possibly on a short-term or mid-term basis•Considering a mutual aid agreement with a similar entity•

Allowing employees to work from home, when applicable•

Processing strategy•

How will the entity continue to provide goods or services to its customers/constituents?

Outsourcing - is there a way to provide goods or services through a third party vendor?•

Mutual aid - is there a similar provider who can fill the entity’s needs by agreement and the reversed?

•

We have determined where we will relocate if we are not able to operate out of our facility following

We have determined how we will continue to provide goods and services to our customers orconstituents following a disaster?

Training and Education (Chapter 7) and Exercises and Tests (Chapter 8)Regardless of the size of the entity, periodic awareness, exercises and tests can be helpful to

practice response•

validate plans/procedures•

ensure those tasked with response are clear on what is expected of them•

improve hazard awareness and•

identify any capability gaps or needed resource improvements •

For small entities, this may entail periodic testing of

IT backups to be sure they are adequately capturing information•

fire drills•

We train/drill on our plans/procedures as part of new employee orientation with annual updates?



Program Maintenance and Improvement (Chapter 9)Regularly review plans and procedures with an eye towards identifying ways the program can be mTriggers for program improvements include but are not limited to

identification of new hazards or exposures•

addition (or elimination) of regulations or resources•

budget changes•

addition (or elimination) of products or services•

personnel turnover •

We review the program at least annually to identify improvements?

ResourcesThere are free planning resources available through various sources. For example, the Metropolitaonline tool available which walks small business owners through the process. The tool provides siinformation and generates a simple printable plan tailored for the entity. [http://www.mwcog.org/secSimilarly, the Insurance Institute for Business & Home Safety has an “Open for Business®” planninBusiness EZ ® is composed of a workbook, a multi-media trainer series to help users manage thewell as some Advanced Track materials. In addition, it provides mitigation tips for protecting prope[www.DisasterSafety.org/business_protection]Ready.gov is a free planning website sponsored by FEMA. There are resources to help develop a and prepare for events.ReadyRating.org is a tool developed by the RedCross to help with preparing for emergency and dis


File Name Description Approved

NFPA_Lite_as_a_checklist_131121_REVISED.docxSmall Entity Task Group NFPA Lite Submission


Small Entity Task Group NFPA Lite Checklist - Information for Small Entities


Submitter Full Name: Kenneth KatzOrganization: Travelers Insurance CompanyAffilliation: On behalf of small entity task groupStreet Address:City: State: Zip:Submittal Date: Tue Dec 24 15:29:35 EST 2013



1

NFPA 1600 (Lite)

NFPA 1600 is intended to meet the unique needs of all entities, regardless of size. The objective for very small businesses or entities may be to simply increase preparedness. The following guidance material is intended to highlight and simplify key aspects of NFPA 1600 where very small entities may wish to focus their preparedness efforts. This guidance can help the entity better identify where it needs to zero in to protect its assets (people, property, operations); provide the capability to continue to provide goods and/or services; maintain cash flow; preserve competitive advantage and reputation; and provide the ability to meet legal, regulatory, financial and contractual obligations. (Key sections of NFPA 1600 are mentioned in parenthesis for easy reference.)

Program Management (Chapter 4) Leadership and commitment (section 4.1) The entity’s leadership should demonstrate commitment to its emergency management/business continuity program by taking an active role. In very small entities, the owner or organizational leader may be responsible for the entire program.

Someone has been appointed to be responsible for developing and maintaining the organization’s program?

Yes / / No

Planning (Chapter 5) Document your emergency management/business continuity plans and procedures. Plans can be simple but should consider:

How the entity will respond to an emergency or disaster (emergency operations/response)

What the entity needs to communicate, who the organization needs to communicate with, and how the entity will go about communicating with those stakeholders (crisis communications and some degree crisis management)

How the entity will recover from a disaster (recovery) and keep its business operations going after a disaster

2

happens (continuity)

What the entity can do to prevent a disaster in the first place (prevention) or limit the damage when a disaster does happen (mitigation)

How all these plans fit together and how they provide for the future of the organization (strategic / crisis management).

We have reviewed and documented basic steps to take in an emergency – such as evacuation route and meeting place?

Yes / / No

We have contact lists for all employees, customers, key vendors?

Yes / / No

We have outlined the steps for restoring the business if we lose computers / technology?

Yes / / No

Risk Assessment (section 5.2) Identify which hazards are most likely to occur and which will have the biggest consequence/severity for the entity if they do occur. The intention of a risk assessment is to help the entity better allocate its resources by being cognizant of and focusing attention on preventing, mitigating, preparing for, and planning how to recover from the highest risk threats. Additional considerations for small entities include:

• Natural Hazard recognition Business owners/operators should be cognizant of natural hazards that their location is exposed to such as floods, hurricanes, earthquakes. Local emergency management and insurance companies may be able to provide this information. Make sure the building's construction and location is resistant to such hazards.

• Exposure

Exposure is "what's nearby that can hurt you". It could be an adjacent combustible building or wildfire exposure or a hazardous occupancy nearby (i.e. a chemical plant or even a gas station). It might also be a nearby river that poses flood potential. To evaluate the entity’s exposure, go up on the roof and look around the facility. Then walk

3

inside and around the facility and consider the potential hazards – an oven fire in a restaurant, faulty wiring, equipment failure that brings a manufacturer to a standstill. Finally, drive around the block or area that borders the facility. Mentally ask the question: "what can hurt me or my facility?"

(Refer to A.5.2.2.1 for a list of common hazards to consider – including natural hazards, human-caused events, and technology-caused events.)

We have reviewed which hazards are most likely to occur in our area and consider these hazards when we do our planning?

Yes / / No

We have reviewed the potential hazards posed by neighbors and taken that into consideration as well?

Yes / / No

Business Impact Analysis (section 5.3) Identify critical business operations and analyze the impact of losing them. This is helpful in better prioritizing the development of plans and procedures, especially if resources are limited. Think through the steps the organization will need to take in order to continue to operate if identified hazards/impacts occur. Additional considerations for small entities include:

• Back-up data If it's critical or important to the organization, then it should be backed up. How frequently the back-up occurs is dictated by the amount of data that can be lost without inflicting unreasonable damage to the organization (usually measured in dollars, reputation, etc.).

• Back-up hardware – having the backed-up data is half the equation. How will the data be processed or accessed?

We have backups of inventory records identifying how much is on hand and where it is?

Yes / / No

We have backups of accounts receivable and accounts payable information identifying who and how much?

Yes / / No

4

We have backups of client names and contact information (e-mail, address, phone)?

Yes / / No

We have gathered backups of other critical information to the organization – like equipment lists, drawings, specifications, etc.?

Yes / / No

We have identified the availability of the equipment to run applications and access the data we have backed up?

Yes / / No

Resource Needs Assessment (section 5.4) What resources will be needed in order to get back in operation if a hazard occurs? What training is needed?

We have identified where resources will come from if we need to get back in operation following an incident and we have identified a location where physical resources and supplies will be stored?

Yes / / No

Additional considerations for small entities include:

• Fire prevention program Fire is the most common and significant threat to most businesses. Owner/operators can reduce the probability of fire by implementing fire safety programs, especially if they handle flammable liquids or gasses.

• Automatic sprinklers Locating the entity’s business or operation in buildings that are fully protected by automatic sprinklers significantly reduces the entity’s exposure to a catastrophic incident. Many natural catastrophes are often compounded by fire.

We have a fire safety program?

Yes / / No

We have automatic sprinklers?

Yes / / No

• Adequate insurance

5

Often overlooked is Business Interruption (BI) and Extra Expense (EE) coverage. "All Risk" policies should be considered as well, as they are more expansive and in some cases allow for customization. In all cases, policyholders should know what is included in their policy and determine what can or should be added, based on their specific needs.

• If an entity’s premises are damaged as a result of a covered loss and can operate at a temporary location,

extra expense coverage may cover the costs above and beyond normal operating expenses. Among other things, it may cover the cost of relocation, rent for that temporary location and advertising that brings back customers or those that utilize the entity’s services.

• Business interruption insurance (also known as business income insurance) compensates an entity for lost income if it has to vacate the premises due to a covered loss under the property insurance policy, such as a fire. Business interruption coverage may compensate for the profits that would have been earned – based on the entity’s financial records – had the event not happened. It also covers continuing operating expenses, like utilities and rent on the property, that continue even though business activities have come to a temporary halt.

• Entities that depend heavily on suppliers should consider Contingent Business Interruption (CBI) insurance and Contingent Extra Expense coverage. CBI and contingent extra expense coverage reimburse lost profits and extra expenses resulting from an interruption of business at the premises of a customer or supplier. It is possible to get protection against a set list of suppliers or in some cases to purchase blanket coverage protecting any supplier’s shutdown.

We have adequate insurance coverage for our needs?

Yes / / No

We have business interruption (BI) insurance?

Yes / / No

We have extra expense insurance?

Yes / / No

• Emergency services pre-plan It can be very helpful to make sure in advance that local emergency services (fire rescue, police, Hazmat if applicable) become familiar with an entity’s operations and the challenges they might face when they arrive. It's also an opportunity to clarify any expectations the entity has of them or they have of the entity.

6

If we have hazards on site, or pose a potential hazard to our neighbors as a result of our operations, we have shared this information with the fire department and invited them for a meeting to discuss?

Yes / / No

Implementation (Chapter 6) You do not need to have separate emergency response, incident management and business continuity/recovery plans, but those who have a role in implementing the plans should be aware of what is expected of them. Plans should focus on prevention and mitigation for the hazards, risks, vulnerabilities and impacts you have identified.

Do all employees know how to respond to any incident?

Yes / / No

Communications (sections 6.4 and 6.5) Identify your most important audiences (employees, customers, media, investors, regulators, vendors, etc.) and pre-determine how to communicate with them following an emergency or disaster. The simplest way to determine who the entity’s key stakeholders are is to consider who is most important to the organization, who is most interested in the organization, or who could be hurt by problems that befall the organization. Determine how you will notify key audiences of an emergency. Make sure there is a backup. Plan how you will provide critical information to your employees as well as key external audiences. Figure out how to coordinate dissemination of that information to ensure it is consistent. Additional considerations for small entities include:

Employee contact info Ensure emergency contact information has been gathered and a means of communicating with employees has been established. Has a process been devised to make sure we can account for employees in a disaster?

• Media contacts

Most businesses or organizations use the media for promotion (TV, Radio, Print, Social Websites). These same

7

media can be used to help recover from a crisis. Planning beforehand how the entity will communicate in a crisis situation is key.

• Customer lists Every organization has clients or constituents who have an interest in the organization. Being able to communicate very quickly after an incident allows the entity to help them understand what has happened and how it will affect them and also provides an opportunity to reassure them that the organization will be there to meet their needs. These lists can be used for e-mail blasts or informational mailings.

o E-mail - Here's where back-up data comes in. Blasts to the entity’s customers/constituents lets them know the entity’s status

o Social media - ditto

We have employee contact lists and we have determined how to account for employees following an emergency or disaster?

Yes / / No

We have key customer / supplier / vendor contact lists as well and have determined how we will coordinate a steady stream of information to them?

Yes / / No

Emergency Operations / Response (section 6.8) Identify emergency actions to be taken to protect people and stabilize the emergency. Anyone who is tasked with a role will need to get a copy of the parts of the plan that pertain to them. Additional considerations for small entities include:

• 911/alarms Simple procedures such as knowing to call 911 or to activate manual alarms should be communicated to all personnel via orientation and follow-up training. Fast response can mean the difference in life or death, and it can minimize property damage.

• Evacuation plan Every organization should have an evacuation plan. Exits should be well marked and kept clear. Evacuation drills

8

should be conducted on a regular basis under realistic conditions.

We have provided emergency procedure orientation as well as follow up training to all personnel?

Yes / / No

We conduct evacuation drills on a regular basis?

Yes / / No

Business Continuity & Recovery (section 6.9) Determine how you will recover critical or time-sensitive processes as quickly as possible after a disaster. Stipulate roles and responsibilities – not only the jobs that have to be done and who will do those jobs, but also who will be in charge if the owner or manager is not available during an emergency or disaster. Additional considerations for small entities include:

• Location strategy If the entity loses its facility, where will it relocate? Do you know your building, utility and infrastructure needs?

• Purchase - what is the local commercial real estate market like? • Lease/rent - possibly on a short-term or mid-term basis • Considering a mutual aid agreement with a similar entity • Allowing employees to work from home, when applicable

• Processing strategy

How will the entity continue to provide goods or services to its customers/constituents? • Outsourcing - is there a way to provide goods or services through a third party vendor? • Mutual aid - is there a similar provider who can fill the entity’s needs by agreement and the entity would

reciprocate if the roles were reversed?

We have determined where we will relocate if we are not able to operate out of our facility following a disaster?

Yes / / No

We have determined how we will continue to provide goods and services to our customers or Yes / / No

9

constituents following a disaster?

Training and Education (Chapter 7) and Exercises and Tests (Chapter 8) Regardless of the size of the entity, periodic awareness, exercises and tests can be helpful to

practice response

validate plans/procedures

ensure those tasked with response are clear on what is expected of them

improve hazard awareness and

identify any capability gaps or needed resource improvements For small entities, this may entail periodic testing of

IT backups to be sure they are adequately capturing information

fire drills

We train/drill on our plans/procedures as part of new employee orientation with annual updates?

Yes / / No

Program Maintenance and Improvement (Chapter 9) Regularly review plans and procedures with an eye towards identifying ways the program can be made better. Triggers for program improvements include but are not limited to

identification of new hazards or exposures

addition (or elimination) of regulations or resources

budget changes

addition (or elimination) of products or services

personnel turnover

We review the program at least annually to identify improvements? Yes / / No

10

Resources There are free planning resources available through various sources. For example, the Metropolitan Washington Council of Governments has an online tool available which walks small business owners through the process. The tool provides simple directions for plugging in appropriate information and generates a simple printable plan tailored for the entity. [http://www.mwcog.org/security/security/continuity/intro.asp] Similarly, the Insurance Institute for Business & Home Safety has an “Open for Business®” planning toolkit, available free of charge. Open for Business EZ® is composed of a workbook, a multi-media trainer series to help users manage their time and walk through the planning process, as well as some Advanced Track materials. In addition, it provides mitigation tips for protecting property from natural hazard events. [www.DisasterSafety.org/business_protection] Ready.gov is a free planning website sponsored by FEMA. There are resources to help develop a business continuity plan and information to plan and prepare for events. ReadyRating.org is a tool developed by the RedCross to help with preparing for emergency and disasters.

http://www.mwcog.org/security/security/continuity/intro.asp

http://www.disastersafety.org/business_protection

Public Input No. 32-NFPA 1600-2013 [ Section No. C.1 ]

C.1Table C.1 shows a self-assessment tool that is intended to assist entities in determining conformity with the requirements of NFPA 1600. The table includes a list of hazards from Annex A and also repeats text from the body of the standard where needed to make the self-assessment tool more user friendly. Users of this self-assessment tool can indicate conformity, partial conformity, or nonconformity as well as evidence of conformity, corrective action, task assignment, a schedule for action, or other information in the Comments column.Table C.1 Self-Assessment Tool for Conformity with the 2013 Edition of NFPA 1600.



NFPA 1600ProgramElements Conforming

PartiallyConforming Nonconforming Comments

Chapter 4 Program Management4.1* Leadership and Commitment.4.1.1 The entity leadership shall demonstrate commitment to the program to prevent, mitigate the consequences of, prepare for, respond to, maintaincontinuity during, and recover from incidents.4.1.2 The leadership commitment shall include the following:(1) Support the development, implementation, and maintenance of theprogram(2) Provide necessary resources to support the program(3) Ensure the program is reviewed and evaluated as needed to ensure programeffectiveness(4) Support corrective action to address program deficiencies4.1.3 The entity shall adhere to policies, execute plans, and follow proceduresdeveloped to support the program.





4.2* Program Coordinator. The program coordinator shall be appointed by the entity's leadership andauthorized to develop, implement, administer, evaluate, and maintain theprogram.4.3* Program Committee.4.3.1* A program committee shall be established by the entity in accordance with its policy.4.3.2 The program committee shall provide input, and/or assist in thecoordination of the preparation, development, implementation, evaluation, and maintenance of the program.4.3.3 * The program committee shall include the program coordinator and others who have the expertise, the knowledge of the entity, and the capability to identify resources from all key functional areas within the entity andshall solicit applicable external representation.4.4 Program Administration.4.4.1 The entity shall have a documented program that includes thefollowing:





(1) Executive policy, including vision, mission statement, roles, andresponsibilities, and enabling authority(2) Program scope, goals, performance objectives, and metrics for programevaluation(3) Applicable authorities, legislation, regulations, and industry codes ofpractice as required by Section 4.5(4) Program budget and schedule, including milestones(5) Program plans and procedures that include the following:(a) Anticipated cost(b) Priority(c) Resources required(6) Records management practices as required by Section 4.7(7) Change management process4.4.2 The program shall include the requirements specified in Chapters 4 through 9, the scope of which shall be determined through an “all-hazards” approach and the risk assessment.





4.4.3* Program requirements shall be applicable to prevention, mitigation,preparedness, response, continuity, and recovery.4.5 Laws and Authorities.4.5.1 The program shall comply with applicable legislation, policies, regulatoryrequirements, and directives.4.5.2 The entity shall establish and maintain a procedure(s) to comply withapplicable legislation, policies, regulatory requirements, anddirectives.4.5.3* The entity shall implement a strategy for addressing the need for revisions to legislation, regulations, directives, policies, and industry codes of practice.4.6 Finance and Administration.4.6.1 The entity shall develop finance and administrative procedures to support the program before, during, and after an incident.4.6.2* There shall be a responsive finance and administrative framework that doesthe following:





(1) Complies with the entity's program requirements(2) Is uniquely linked to response, continuity, and recovery operations(3) Provides for maximum flexibility to expeditiously request, receive,manage, and apply funds in a nonemergency environment and in emergencysituations to ensure the timely delivery of assistance4.6.3 Procedures shall be created and maintained for expediting fiscal decisions in accordance with established authorization levels, accountingprinciples, governance requirements, and fiscal policy.4.6.4 Finance and administrative procedures shall include thefollowing:(1) Responsibilities for program finance authority, including reportingrelationships to the program coordinator(2)* Program procurement procedures(3) Payroll(4)* Accounting systems to track and document costs(5) Management of funding from external sources





(6) Crisis management procedures that coordinate authorization levels and appropriate control measures(7) Documenting financial expenditures incurred as a result of an incident and for compiling claims for future cost recovery(8) Identifying and accessing alternative funding sources(9) Managing budgeted and specially appropriated funds4.7* Records Management.4.7.1 The entity shall develop, implement, and manage a records managementprogram to ensure that records are available to the entity following anincident.4.7.2 The program shall include the following:(1) Identification of records (hard copy or electronic) vital to continue theoperations of the entity(2) Backup of records on a frequency necessary to meet program goals and objectives(3) Validation of the integrity of records backup





(4) Implementation of procedures to store, retrieve, and recover recordsonsite or offsite(5) Protection of records(6) Implementation of a record review process(7) Procedures coordinating records accessChapter 5 Planning5.1 Planning and Design Process.5.1.1* The program shall follow a planning process that develops strategies, plans, and required capabilities to execute the program.5.1.2 Strategic planning shall define the entity's vision, mission, and goals of the program.5.1.3 A risk assessment and business impact analysis (BIA) shall develop information to prepare prevention and mitigation strategies.5.1.4 A risk assessment, a BIA, and resource needs assessment shall develop information to prepare emergency operations/response, crisiscommunications, continuity, and recovery plans.





5.1.5 Crisis management planning shall address issues that threaten thestrategic, reputational, and intangible elements of the entity.5.1.6 The entity shall include key stakeholdersin

, such as suppliers in the planning process.5.2* Risk Assessment.5.2.1* The entity shall conduct a risk assessment to develop required strategies and plans.5.2.2 The entity shall identify hazards and monitor those hazards and thelikelihood of occurrence.5.2.2.1* Hazards to be evaluated shall include the following:(1) Natural hazards (geological, meteorologic

meteorological , and biological)Geologic hazards/risk exposures– Earthquake– Tsunami– Volcano– Landslide, mudslide, subsidenceMeteorologic



Meteorological hazards/risk exposures– Flood, flash flood, seiche, tidal surge– Water control structure/dam/levee failure– Drought– Snow, ice, hail, sleet, avalanche, arctic freeze– Windstorm, tropical cyclone, hurricane, tornado, water spout, dust/sandstorm– Extreme temperatures (heat, cold)– Wildland fire– Lightning strikes– Famine– Geomagnetic stormBiological hazards/risk exposures– Food-borne illnesses– Pandemic disease (avian flu, H1N1, etc.)– Infectious/communicable disease [plague, smallpox, anthrax, West Nilevirus, foot and mouth disease, severe acute respiratory syndrome (SARS),BSE (Mad Cow Disease)](2) Human-caused events (accidental and intentional)Accidental– Hazardous material spill or release (explosive, flammable liquid,flammable gas, flammable solid, oxidizer, poison, radiological, corrosive)– Nuclear power plant incident, radiological incident– Explosion/fire– Transportation accident– Building/structure collapse– Entrapment and or rescue--machinery, confined space, high angle, water– Fuel/resource shortage– Mechanical breakdown– Transportation incidents (motor vehicle, railroad, watercraft, aircraft,pipeline)– Untimely death of employee–Supply chain disruptions (from suppolier, manufacturing, logistics, information techonology and customer)

Intentional– Strike or labor dispute– Criminal activity (vandalism, sabotage, arson, robbery, theft, fraud,embezzlement, data theft, malfeasance)– Physical or information security breach– Lost person, child abduction, kidnapping, extortion, hostage incident,workplace/school/university violence, homicide– Product defect or contamination– Disinformation– Harassment– Discrimination



– Demonstrations, civil disturbance, public unrest, mass hysteria, riot– Bomb threat, suspicious package– Terrorism (explosive, chemical, biological, radiological, nuclear, cyber,electromagnetic pulse)– Insurrection– Enemy attack, war– Arson(3) Technology-caused events (accidental and intentional)– Computer systems (outages, hardware failure, data corruption, deletion, or theft, loss of network connectivity (internet or intranet), loss of electronic data interchange or ecommerce, loss of domain name server (DNS), virus, worm, Trojan horse, power surge, lightning, host site interdependencies, direct physical loss, water damage, cyber terrorism, vulnerability exploitation, botnets, hacking, phishing, spyware, malware, computer fraud, loss of encryption, denial of service, improper system use by employee, telecommunications interruption or failure, internet service provider, electricity brownout or blackout)– Computer software or application interruption, disruption or failure(internal/external)– Loss, corruption, or theft of electronic information– Utility interruption or failure (telecommunications, electrical power, water, gas, steam, HVAC, pollution control system, sewage system, other critical infrastructure)Other hazards/risk exposures– Supply chain interruption (loss of shipping or transportation, vendorfailure (single- or sole-source provider)5.2.2.2 The vulnerability of people, suppliers, property, operations, the environment, and the entity shall be identified, evaluated, and monitored.5.2.3 The entity shall conduct an analysis of the impacts of the hazardsidentified in 5.2.2 on the following:(1) Health and safety of persons in the affected area(2) Health and safety of personnel responding to the incident(3)* Continuity of operations(4)* Property, facilities, assets, and critical infrastructure(5) Delivery of the entity’s services(6) Supply chain(7) Environment(8)* Economic and financial condition(9) Regulatory and contractual obligations(10) Reputation of or confidence in the entity5.2.4* The analysis shall evaluate the potential effects of regional, national, or international incidents that could have cascading impacts.5.2.5 The risk assessment shall evaluate the adequacy of existing prevention and mitigation strategies.5.3* Business Impact Analysis.5.3.1 The entity shall conduct a business impact analysis (BIA).5.3.2 The BIA shall evaluate the potential impacts resulting from interruption or disruption of individual functions, processes, andapplications.



5.3.3* The BIA shall identify those functions, processes, infrastructure,systems, and applications that are critical to the entity and the point in time (recovery time objective) when the impact of the interruption or disruption becomes unacceptable to the entity.5.3.4 The BIA shall identify dependencies and interdependencies acrossfunctions, processes, and applications, to determine the potential forcompounding impacts in the event of an interruption or disruption.5.3.5* The BIA shall evaluate the potential loss of information and the point in time (recovery point objective) that defines the potential gap between the last backup of information and the time of the interruption ordisruption.5.3.6* The BIA developed in Section 5.3 shall be used in the development of recovery strategies and plans to support the program.5.3.7 * The BIA shall identify critical supply chain complexities, including those having exposure to both domestic and international risks.5.3.8 The analysis of impacts required by 5.2.3 and the BIA required by Section 5.3 shall be conducted jointly or separately.5.4 Resource Needs Assessment.5.4.1* The entity shall conduct a resource needs assessment based on the hazards identified in Section 5.2 and the business impact analysis in Section 5.3.5.4.2 The resource needs assessment shall include the following:(1)* Human resources, equipment, training, facilities, funding, expertknowledge, materials, technology, information, intelligence, and the timeframes within which they will be needed(2) Quantity, response time, capability, limitations, cost, and liabilities5.4.3* The entity shall establish procedures to locate, acquire, store,distribute, maintain, test, and account for services, human resources,equipment, and materials procured or donated to support the program.5.4.4 Facilities capable of supporting response, continuity, and recoveryoperations shall be identified.5.4.5* The need for mutual aid/assistance or partnership agreements shall be determined.5.4.5.1* If needed, agreements shall be established and documented.5.5 Performance Objectives.5.5.1* The entity shall establish performance objectives for the program inaccordance with the requirements in Chapter 4 and the elements in Chapters 5 through 9.5.5.2 The performance objectives shall address the results of the hazardidentification, risk assessment, and business impact analysis.5.5.3 Performance objectives shall be developed by the entity to address both short-term and long-term needs.5.5.4* The entity shall define the terms short term and long term .Chapter 6 Implementation6.1 Common Plan Requirements.6.1.1* Plans shall address the health and safety of personnel.6.1.2 Plans shall identify and document the following:(1) Assumptions made during the planning process(2) Functional roles and responsibilities of internal and external agencies,organizations, departments, and positions



(3) Lines of authority(4) The process for delegation of authority(5) Lines of succession for the entity(6) Liaisons to external entities(7) Logistics support and resource requirements6.1.3* Plans shall be individual, integrated into a single plan document, or a combination of the two.6.1.4* The entity shall make sections of the plans available to those assigned specific tasks and responsibilities therein and to key stakeholders as required.6.2 Prevention.6.2.1* The entity shall develop a strategy to prevent an incident that threatens life, property, and the environment.6.2.2* The prevention strategy shall be based on the information obtained from Section 5.2 and shall be kept current using the techniques of information collection and intelligence.6.2.3 The prevention strategy shall be based on the results of hazardidentification and risk assessment, supplier failure, an analysis of impacts, program constraints, operational experience, and cost benefit analysis.6.2.4 The entity shall have a process to monitor the identified hazards andadjust the level of preventive measures to be commensurate with the risk.6.3 Mitigation.6.3.1* The entity shall develop and implement a mitigation strategy that includes measures to be taken to limit or control the consequences, extent, or severity of an incident that cannot be prevented.6.3.2* The mitigation strategy shall be based on the results of hazardidentification and risk assessment, an analysis of impacts, programconstraints, supplier failure, operational experience, and cost benefit analysis.6.3.3 The mitigation strategy shall include interim and long-term actions toreduce vulnerabilities.6.4 Crisis Communications and Public Information.6.4.1* The entity shall develop a plan and procedures to disseminate information to and respond to requests for information from the following audiences before, during, and after an incident:(1) Internal audiences, including employees(2) External audiences, including the media, functional needs population, and other stakeholders6.4.2* The entity shall establish and maintain a crisis communications or public information capability that includes the following:(1)* Central contact facility or communications hub(2) Physical or virtual information center(3) System for gathering, monitoring, and disseminating information(4) Procedures for developing and delivering coordinated messages(5) Pre-scripted information bulletins or templates(6) Protocol to clear information for release6.5 Warning, Notifications, and Communications.6.5.1* The entity shall determine warning, notification, and communications needs.



6.5.2* Warning, notification, and communications systems shall be reliable, redundant, and interoperable.6.5.3* The entity shall develop and test warning, notification, andcommunications protocols and procedures to alert stakeholders potentiallyat risk from an actual or impending incident.6.5.4 Procedures shall include issuing warnings through authorized agencies if required by law.6.6 Operational Procedures.6.6.1 The entity shall develop, coordinate, and implement operational procedures to support the program.6.6.2 Procedures shall be established and implemented for response to and recovery from the impacts of hazards identified in 5.2.2.6.6.3* Procedures shall provide for life safety, property conservation, incident stabilization, continuity, and protection of the environment under the jurisdiction of the entity.6.6.4 Procedures shall include the following:(1) Control of access to the area affected by the incident(2) Identification of personnel engaged in activities at the incident(3) Accounting for personnel engaged in incident activities(4) Mobilization and demobilization of resources6.6.5 Procedures shall allow for concurrent activities of response, continuity, recovery, and mitigation.6.7 Incident Management.6.7.1* The entity shall develop an incident management system to direct, control, and coordinate response, continuity, and recovery operations.6.7.1.1* Emergency Operations Centers (EOCs).6.7.1.1.1* The entity shall establish primary and alternate EOCs capable of managing response, continuity, and recovery operations.6.7.1.1.2* The EOCs shall be permitted to be physical or virtual.6.7.1.1.3 On activation of an emergency operations center (EOC), communications and coordination shall be established between incident command and the EOC.6.7.2 The incident management system shall describe specific organizational roles, titles, and responsibilities for each incident management function.6.7.3 The entity shall establish procedures and policies for coordinatingmitigation, preparedness, response, continuity, and recovery activities.6.7.4 The entity shall coordinate the activities specified in 6.7.3 withstakeholders.6.7.5 Procedures shall include a situation analysis that incorporates a damage assessment and a needs assessment to identify resources to support activities.6.7.6* Emergency operations/response shall be guided by an incident action plan or management by objectives.6.7.7 Resource management shall include the following:(1) Establishing processes for describing, taking inventory of, requesting,and tracking resources(2) Resource typing or categorizing resources by size, capacity, capability,and skill



(3) Mobilizing and demobilizing resources in accordance with the established IMS(4) Conducting contingency planning for resource deficiencies6.7.8 A current inventory of internal and external resources shall bemaintained.6.7.9 Donations of human resources, equipment, material, and facilities shall be managed.6.8 Emergency Operations/Response Plan.6.8.1* Emergency operations/response plans shall define responsibilities for carrying out specific actions in an emergency.6.8.2* The plan shall identify actions to be taken to protect people including those with access and functional needs, property, operations, theenvironment, and the entity.6.8.3* The plan shall identify actions for incident stabilization.6.8.4 The plan shall include the following:(1) Protective actions for life safety in accordance with 6.8.2(2) Warning, notifications, and communication in accordance with Section6.5(3) Crisis communication and public information in accordance with Section6.4(4) Resource management in accordance with 6.7.7(5) Donation management in accordance with 6.7.96.9.1* The continuity plan should include recovery strategies to maintaincritical or time-sensitive functions and processes identified during thebusiness impact analysis.6.9.2* The continuity plan shall identify stakeholders that need to be notified; critical and time-sensitive applications; alternative work sites; vitalrecords, contact lists, functions, and processes, that must be maintained;and personnel, procedures, and resources that are needed while the entityis recovering.6.9.3* The recovery plan shall provide for restoration of functions, services, resources, facilities, programs, and infrastructure.6. 9.4* The continuity plan shall include the entire scope of planning for and recovery from the potential impact of the supply chain on the entity'soperations, including know and unkown, controllable and uncontrollablerisks.6. 10* Employee Assistance and Support.6.10.1* The entity shall develop a strategy for employee assistance and support that includes the following:(1) Communications procedures(2)* Contact information, including emergency contact outside anticipatedhazard area(3) Accounting for persons affected, displaced, or injured by the incident(4) Temporary, short-term, or long-term housing, and feeding and care of those displaced by an incident(5) Mental health and physical well-being of individuals affected by theincident(6) Pre-incident and post-incident awareness6.10.2 The strategy shall be flexible for use in all incidents.



6.10.3* The entity shall promote family preparedness education and training for employees.Chapter 7 Training and Education7.1* Training and Education Curriculum. The entity shall develop and implement a competency-based training and education curriculum that supports all employees who have a role in the program.7.2 Goal of the Curriculum. The goal of the curriculum shall be to create awareness and enhance the knowledge, skills, and abilities required to implement, support, and maintain the program.7.3 Scope and Frequency of Instruction. The scope of the curriculum and frequency of instruction shall be identified.7.4 Incident Management System Training. Personnel shall be trained in the entity’s incident management system (IMS) and other components of the program to the level of their involvement.7.5 Recordkeeping. Records of training and education shall be maintained as specified in Section 4.7.7.6 Regulatory and Program Requirements. The curriculum shall comply with applicable regulatory and program requirements.7.7* Public Education. A public education program shall be implemented to communicate:(1) Potential hazard impacts(2) Preparedness information(3) Information needed to develop a preparedness planChapter 8 Exercises and Tests8.1 Program Evaluation.8.1.1 The entity shall evaluate program plans, procedures, training, andcapabilities and promote continuous improvement through periodic exercises and tests.8.1.2 The entity shall evaluate the program based on post-incident analyses, lessons learned, and operational performance in accordance with Chapter 9.8.1.3 Exercises and tests shall be documented.8.2* Exercise and Test Methodology.8.2.1 Exercises shall provide a standardized methodology to practice procedures and interact with other entities (internal and external) in a controlled setting.8.2.2 Exercises shall be designed to assess the maturity of program plans, procedures, and strategies.8.2.3 Tests shall be designed to demonstrate capabilities.8.3* Design of Exercises and Tests.8.3.1 Exercises and tests shall be designed to:(1) Ensure the safety of people, property, operations, and the environmentinvolved in the exercise or testing(2) Evaluate the program(3) Identify planning and procedural deficiencies(4) Test or validate recently changed procedures or plans(5) Clarify roles and responsibilities(6) Obtain participant feedback and recommendations for programimprovement



(7) Measure improvement compared to performance objectives(8) Improve coordination between internal and external teams, organizations, and entities , such as critical suppliers(9) Validate training and education(10) Increase awareness and understanding of hazards and the potential impact of hazards on the entity(11) Identify additional resources and assess the capabilities of existingresources, including personnel and equipment needed for effective response and recovery(12) Assess the ability of the team to identify, assess, and manage anincident(13) Practice the deployment of teams and resources to manage anincident(14) Improve individual performance8.4 Exercise and Test Evaluation.8.4.1 Exercises shall evaluate program plans, procedures, training, andcapabilities to identify opportunities for improvement.8.4.2 Tests shall be evaluated as either pass or fail.8.5* Frequency.8.5.1 Exercises and tests shall be conducted on the frequency needed toestablish and maintain required capabilities.Chapter 9 Program Maintenance and Improvement9.1* Program Reviews. The entity shall maintain and improve the program by evaluating its policies, program, procedures, and capabilities using performance objectives.9.1.1* The entity shall improve effectiveness of the program through evaluation of the implementation of changes resulting from preventive and corrective action.9.1.2* Evaluations shall be conducted on a regularly scheduled basis, and when the situation changes to challenge the effectiveness of the existingprogram.9.1.3 The program shall be re-evaluated when a change in any of the following impacts the entity's program:(1) Regulations(2) Hazards and potential impacts(3) Resource availability or capability(4) Entity’s organization(5)* Funding(6) Infrastructure, including technology environment(7) Economy and geopolitical stability(8) Entity operations( 9 ) Critical suppliers, including second-tier suppliers9 .1.4 Reviews shall include post-incident analyses, reviews of lessons learned, and reviews of program performance.9.1.5 The entity shall maintain records of its reviews and evaluations, inaccordance with the records management practices developed under Section 4.7.9.1.6 Documentation, records, and reports shall be provided to management for review and follow-up.



9.2* Corrective Action.9.2.1* The entity shall establish a corrective action process.9.2.2* The entity shall take corrective action on deficiencies identified.9.3 Continuous Improvement. The entity shall effect continuous improvement of the program through the use of program reviews and the corrective action process.


Added clarifying text throughout this section to support supply chain risk management references in the body of the standard.





Public Input No. 85-NFPA 1600-2014 [ Section No. F.3.3.11 ]

F.3.3.11 Entity.A governmental agency or jurisdiction, private or public company, partnership, nonprofit not-for-profit organization, or other organization that has emergency management and continuity of operations responsibilities. [3.3.11]







Public Input No. 86-NFPA 1600-2014 [ Section No. F.3.4.1.1 ]

F.3.4.1.1 Organization.Person or group of people that has its own functions with responsibilities, authorities, and relationships to achieve its objectives (F.3.4.1.4).

NOTE The concept of organization includes, but is not limited to sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, publicor private , private, and not-for-profit .







Public Input No. 41-NFPA 1600-2013 [ Section No. F.7.4.2.1 ]

F.7.4.2.1The entity shall develop a plan and procedures to disseminate information to and respond to requests for information from the following audiences before, during, and after an incident: [6.4.1]

(1) Internal audiences, including employees

(2) External audiences, including the media, special and functional needs population populations , and other stakeholders



F 7.4.2.1 (2) needed correction to adopt the term special and functional needs.






Public Input No. 42-NFPA 1600-2013 [ Section No. F.8.6.2 ]

F.8.6.2The plan shall identify actions to be taken to protect people including those with access special and functional needs, property, operations, the environment, and the entity. [6.8.2]



F.8.6.2 needed correction to adopt the term special and functional needs.






Public Input No. 70-NFPA 1600-2014 [ New Section after F.10.3 ]

ANNEX F-1 Explanatoy Material for Annex FContent to be developed by Task Group revising Annex F



What_Is_A_Management_System.docAn unpublished article from Graeme Jannaway explaining a Management System Standard.


Annex A serves a valuable purpose by including explanatory information from the technical committee. Annex F provides the standard in the format for a Management System Standard but an equivalent "annex a" is not part of the 2013 Edition.

The start of an explanatory material to support Annex F was uploaded, an article from Graeme Jannaway explaining a Management System Standard.





Public Input No. 33-NFPA 1600-2013 [ New Section after G.2.2 ]

G.2.3The Supply Chain Council (SCC) has identified diagnostic tools that measure total supply chain performance. This includes delivery and order fulfillment performance, production flexibility, warranty and returns processing. coast, inventory, asset turns and other factors to evaluate the effective performance of the supply chain.


Included reference to a maturity model in support of other supply chain risk management references contained in the body of the standard.





Public Input No. 43-NFPA 1600-2013 [ Section No. I.1 ]

I.1Family preparedness is an ongoing process to educate and train individuals to plan for, understand, and be able to implement the steps they need to take in the event of an emergency. The process must consider not just what it takes to be ready but also the elements that build capabilities to recover rapidly and improve resilience. An organization must plan for protective actions and recovery of individuals at a personal level before establishing recovery time objectives (RTOs) and dispensing duties. The organizational plan must include adequate education and training to ensure that individuals have prepared, can communicate, and know their family’s status in order to function with full effectiveness. The training and education provided to employees should include preparations needed for the evacuating and sheltering of families, as well as the unique needs of populations with special and functional needs, before reporting for duty and include redundancy of the information needed to aid in personal recovery. A plan must ensure that affected populations understand and are prepared for self-sufficiency for periods of time ranging from 72 hours to 14 days.

Following the standard “Plan-Do-Check-Act” (PDCA) model, family preparedness actions can be integrated.



I 1 needed correction to adopt the term special and functional needs.






Public Input No. 87-NFPA 1600-2014 [ Section No. I.2.2 [Excluding

any Sub-Sections] ]

Implement a program that educates and trains individuals to be informed of risks, community and individual protective actions, and skills required for effective response in an emergency or disaster situation. Individuals have specific responsibilities outside of their professional obligations. By taking personal preparedness measures, such as an individual risk assessment, family preparedness planning, and developing personal readiness kits, individuals will be able to respond to an emergency with a greater level of confidence that will help them meet their individual and household responsibilities as well as fulfill their professional duties and obligations.

The preparedness and resiliency of employees from all sectors is a requirement for both public and private , private, and not-for-proft sector continuity and an emerging priority for resilience at all levels. It requires a specific focus on the education and training for individual and family preparedness that builds resiliency at a granular level.







Public Input No. 44-NFPA 1600-2013 [ New Section after I.2.4 ]

NEW Annex X Special and Functional NeedsType your content here ...



New_Annex_on_Special_and_Functional_Needs.docxNew Annex X Special and Functional Needs



The TG believes a new annex devoted to Special and Functional Needs is needed.






1

Annex X Special and Functional Needs

This annex is not a part of the requirements of this NFPA document but is included for informational purposes only.

Identification of Special and Functional Needs populations

Federal and state organizations active in disaster management have identified the importance of including vulnerable populations in the pre-disaster planning undertaken by local government.

Some researchers have identified four domains of persons most vulnerable to disaster to include socioeconomic, household composition/disability, minority status/language, and housing/transportation.

Defining the parameters of a vulnerable population has yet to be identified in guidance documents provided to emergency managers for pre-disaster planning. This vagueness leads to inconsistencies in identifying this critical population.

Local emergency managers utilize a variety of methodologies to identify and prepare for vulnerable populations in their emergency planning. This flexibility identification and planning for vulnerable populations can result in shortcomings or gaps from one community to another.

Four categories:

1. Health a. Persons with Disabilities that include: Sensory Impaired, Physically

Impaired, Mental or Behavioral Impaired, Developmentally Disabled

b. Specialty Care Populations: Dialysis, Community based – Life Saving

Technology Dependent)

2. Economic c. Migrant

d. Community Populations

e. Latchkey Kids

f. Unemployed

g. Displaced

h. Welfare

2

i. Single parent families

3. Social j. Pregnant Women

k. Infants

l. Veterans

m. Homeless Adults – Families -juveniles

n. Battered Spouses

4. Linguistic o. Non Native Language Speaking

Five things organizations can do to better prepare Special and Functional Needs

populations for an emergency:

1. Reach out to new and existing partners and ask for help in case of an evacuation.

Ensure that you look for appropriate alternate accommodation that can address

seniors' specific needs if they are frail and need extra supports, as evacuation

centers are not often appropriate for longer-term stays.

2. Keep an up-to-date contact list of service partners in a readily available, central

and virtual location

3. Practice, practice, practice - it is far easier to evacuate during an emergency if

evacuation drills are part of your regular planning and operations.

4. Ensure that staff contact information is up-to-date and easily accessible to those

who need it. A centralized and web-based timetable and staff schedule is an

excellent idea to keep everyone synchronized and in the right place at the right

time. Use new social media technologies (Facebook, Twitter, etc.) to help keep

everyone updated.

5. Ensure emergency contact information is updated regularly, as details can change

often.

Sample list of resources:

ADA Best Practices Tool Kit for State and Local Governments - Chapter 7 Emergency Management: http://www.ada.gov/pcatoolkit/chap7emergencymgmt.htm

http://www.ada.gov/pcatoolkit/chap7emergencymgmt.htm

3

ADA Best Practices Tool Kit for State and Local Governments: http://www.ada.gov/pcatoolkit/chap7emergencymgmt.htm

ADA National Network: http://www.dbtac.vcu.edu/

ADA Regulations Implementing Title II and Title III - Revised 2010 August 03: http://www.ada.gov/regs2010/ADAregs2010.htm

ADA Standards for Accessible Design 2010: http://www.ada.gov/2010ADAstandards_index.htm

ADA.gov - Information and Technical Assistance on the Americans with Disabilities Act: http://www.ada.gov/index.html

Assisting Persons with Disabilities During an Emergency: http://cphp.sph.unc.edu/training/HEP_DIS3/certificate.php

CDC Releases Older Adult Preparedness Portal: http://www.cdc.gov/Features/EmergencyOlderAdults/?s_cid=ccu060412_006

Community Planning Toolkit for State Emergency Preparedness Managers: http://www.hhs.gov/od/disabilitytoolkit/index.html

Developing a Disaster Ready Organization - Inclusion Research Institute: http://www.inclusionresearch.org/OL/

Disability Preparedness Resource Center - DHS: http://www.disabilitypreparedness.gov/

Disability.gov - Emergency Preparedness: https://www.disability.gov/emergency_preparedness

DisabilityPreparedness.gov: http://www.disabilitypreparedness.gov/

DisabilityResources.org Disaster Preparedness for People with Disabilities: http://www.disabilityresources.org/DISASTER.html

Disaster Resources for People with Disabilities, Disability-related Organizations and Emergency Managers: http://www.jik.com/disaster.html

Emergency Management National Council on Disability: http://www.ncd.gov/policy/emergency_management

Emergency Preparedness - Disability.gov: http://www.disability.gov/emergency_preparedness

http://www.ada.gov/pcatoolkit/chap7emergencymgmt.htm

http://www.dbtac.vcu.edu/

http://www.ada.gov/regs2010/ADAregs2010.htm

http://www.ada.gov/2010ADAstandards_index.htm

http://www.ada.gov/index.html

http://cphp.sph.unc.edu/training/HEP_DIS3/certificate.php

http://www.cdc.gov/Features/EmergencyOlderAdults/?s_cid=ccu060412_006

http://www.hhs.gov/od/disabilitytoolkit/index.html

http://www.inclusionresearch.org/OL/

http://www.disabilitypreparedness.gov/

https://www.disability.gov/emergency_preparedness

http://www.disabilitypreparedness.gov/

http://www.disabilityresources.org/DISASTER.html

http://www.jik.com/disaster.html

http://www.ncd.gov/policy/emergency_management

http://www.disability.gov/emergency_preparedness

4

Emergency Preparedness and Individuals with Disabilities - U.S. DOT: http://www.dotcr.ost.dot.gov/asp/emergencyprep.asp

Emergency Preparedness and People with Disabilities - U.S. DOL Office of Disability Employment Policy: http://www.dol.gov/odep/programs/emergency.htm

Emergency Preparedness Initiative - National Organization on Disability: http://nod.org/index.cfm?fuseaction=Page.viewPage&pageId=1564

Emergency Preparedness Resources for those with Special Needs - Wisconsin Board for People with Developmental Disabilities: http://www.wi-bpdd.org/disasterpreperation/index.cfm

Emergency Response for People who have Access and Functional Needs - St. Petersburg College: http://terrorism.spcollege.edu/SPAWARAFN/guide.html

Emergency Response for People Who Have Access and Functional Needs A Guide for First Responders: http://terrorism.spcollege.edu/SPAWARAFN/index.html

Emergency Response for People Who Have Access and Functional Needs: http://terrorism.spcollege.edu/SPAWARAFN/video.html

Employers’ Guide to Including Employees with Disabilities in Emergency Evacuation Plans - Job Accommodation Network: http://www.jan.wvu.edu/media/emergency.html

Evacuation and Transportation Planning Toolkit for People with Functional Needs - CA EMA: http://www.nusura.com/media/projects/Cal_EMA_Toolkit/resources5.html

Evacuation Documents - ORNL CSEPP Protective Action Toolkit: http://emc.ornl.gov/CSEPPweb/data/html/Evacuation_Documents.html

Evacuation Preparedness Guide - Resources and References - Center for Disability Issues and the Health Professions: http://www.cdihp.org/evacuation/resources.html

Federal Employment of People with Disabilities - Reasonable Accommodation: http://www.opm.gov/disability/ReasonableAccommodation.asp

FEMA Office of Disability Integration & Coordination: http://www.fema.gov/office-disability-integration-coordination/office-disability-integration-coordination/office-1

Inclusion Research Institute - Developing a Disaster Ready Organization: http://inclusionresearch.org/OL/

http://www.dotcr.ost.dot.gov/asp/emergencyprep.asp

http://www.dol.gov/odep/programs/emergency.htm

http://nod.org/index.cfm?fuseaction=Page.viewPage&pageId=1564

http://www.wi-bpdd.org/disasterpreperation/index.cfm

http://terrorism.spcollege.edu/SPAWARAFN/guide.html

http://terrorism.spcollege.edu/SPAWARAFN/index.html

http://terrorism.spcollege.edu/SPAWARAFN/video.html

http://www.jan.wvu.edu/media/emergency.html

http://www.nusura.com/media/projects/Cal_EMA_Toolkit/resources5.html

http://emc.ornl.gov/CSEPPweb/data/html/Evacuation_Documents.html

http://www.cdihp.org/evacuation/resources.html

http://www.opm.gov/disability/ReasonableAccommodation.asp

http://www.fema.gov/office-disability-integration-coordination/office-disability-integration-coordination/office-1

http://www.fema.gov/office-disability-integration-coordination/office-disability-integration-coordination/office-1

http://inclusionresearch.org/OL/

5

Inclusive Preparedness Center for People with Disabilities: http://www.inclusivepreparedness.org/

Inclusive Preparedness Center: http://www.inclusivepreparedness.org/

Individuals with Access & Functional NeedsReady.gov: http://www.ready.gov/individuals-access-functional-needs

Meeting the Needs of Vulnerable Populations Equity in Emergency Response: http://www.apctoolkits.com/vulnerablepopulation/

National Dissemination Center for Children with Disabilities: http://nichcy.org/

National Organization on Disability: http://www.nod.org/

National Resource Center on Advancing Emergency Preparedness for Culturally Diverse Communities: http://www.diversitypreparedness.org/

Obtaining and Using Employee Medical Information as Part of Emergency Evacuation Procedures: http://www.eeoc.gov/facts/evacuation.html

People with Disabilities and Other Access and Functional Needs - FEMA: http://www.fema.gov/plan/prepare/specialplans.shtm

PrepareNow.org - Supporting Special Needs and Vulnerable Populations in Disaster: http://www.preparenow.org/prepare.html

Project Safe EV-AC EVacuation and ACcommodation of People with Disabilities: http://evac.icdi.wvu.edu/library/

Resources on Emergency Evacuation and Disaster Preparedness - U.S. Access Board: http://www.access-board.gov/evac.htm

Safe Escape - Emergency Preparedness for Children with Health Care Needs and Disabilities: http://www.escapesafe.org/

Safe Escape: http://www.escapesafe.org/

Toolkit Resources Guidance - California Emergency Management Agency: http://www.nusura.com/media/projects/Cal_EMA_Toolkit/resources3.html

http://www.inclusivepreparedness.org/

http://www.inclusivepreparedness.org/

http://www.ready.gov/individuals-access-functional-needs

http://www.apctoolkits.com/vulnerablepopulation/

http://nichcy.org/

http://www.nod.org/

http://www.diversitypreparedness.org/

http://www.eeoc.gov/facts/evacuation.html

http://www.fema.gov/plan/prepare/specialplans.shtm

http://www.preparenow.org/prepare.html

http://evac.icdi.wvu.edu/library/

http://www.access-board.gov/evac.htm

http://www.escapesafe.org/

http://www.escapesafe.org/

http://www.nusura.com/media/projects/Cal_EMA_Toolkit/resources3.html

6


https://www.fema.gov/access-and-functional-needs-organizations

http://www.fema.gov/pdf/about/odic/fnss_guidance.pdf

http://m.fema.gov/individuals-access-functional-needs

http://www.phe.gov/Preparedness/planning/abc/Pages/funcitonal-needs.aspx

http://www.calema.ca.gov/ChiefofStaff/Pages/Access-and-Functional-Needs.aspx

http://www.calema.ca.gov/PlanningandPreparedness/Pages/Access-and-Functional-Needs-Planning-.aspx

http://emergency.portal.texas.gov/en/Pages/Access-and-Functional-Needs.aspx

http://community.fema.gov/connect.ti/ACCESS_COP/groupHome

http://www.domesticpreparedness.com/Industry/Private_Sector/Community_Resilience_%26_Functional_Needs/


https://www.fema.gov/access-and-functional-needs-organizations

http://www.fema.gov/pdf/about/odic/fnss_guidance.pdf

http://m.fema.gov/individuals-access-functional-needs

http://www.phe.gov/Preparedness/planning/abc/Pages/funcitonal-needs.aspx

http://www.calema.ca.gov/ChiefofStaff/Pages/Access-and-Functional-Needs.aspx



http://emergency.portal.texas.gov/en/Pages/Access-and-Functional-Needs.aspx

http://community.fema.gov/connect.ti/ACCESS_COP/groupHome



Public Input No. 71-NFPA 1600-2014 [ Section No. J.1.2.5 ]

J.1.2.5 ISO Publications.International Organization for Standardization, 1, ch. De la Voie-Creuse, Case postale 56, CH-1211 Geneva 20, Switzerland.

ISO Guide 72, Guidelines for the Justification and Development ofManagement System Standards.

Draft ISO Guide 83, High Level Structure and Identical Text for Management System Standards and Common Core Management System Terms and Definitions.

ISO/TC 223, Societal Security.ISO 22398:2013 Societal security - Guidelines for exerices

ISO 22301:2012 Societal security - Terminollogy

ISO 22301:2012 Societal security - Business continuity management systems - Requirements

ISO 22311:2012 Societal security - Video-surveillance - Export interoperability

ISO 22313:2012 Societal security - Business continuity management systems - Guidance

ISO 22320:2012 Societal security - Emergency management - Requirements for incident response

ISO/PAS 22399:2007 Societal security - Guideline for incident preparedness and operational continuity management.

J.1.2.5.1 U.S. National adoption of ISO on risk management

ANSI/ASSE/ISO Guide 73 (Z690.1-2011) Vocabulary for Risk Management

ANSI/ASSE/ISO 31000 (Z690.2-2011) Risk Managment Principles and Guidelines

ANSI/ASSE/ISO 31010 (Z690.3-2011) Risk Assement Techniques


Updates for Annex J Informational Resources increases the usability of the information contained.




Public Input No. 48-NFPA 1600-2014 [ Section No. J.2 ]

J.2 Informational References.The following documents or portions thereof are listed here as informational resources only. They are not a part of the requirements of this document.

The American Red Cross Community Disaster Education provides information organized for home and family, workplace and employees, and school and students. See http://www.redcross.org/surveys/capss/cde

The U.S. Federal Emergency Management Agency Community Emergency Response Team (CERT) program provides information on disaster preparedness, fire safety, disaster medical operations, light search and rescue, disaster psychology, and terrorism. See:https://www.citizencorps.gov/cert/

ARMA International, 11880 College Blvd, Suite 450, Overland Park, KS 66210.

ANSI/ARMA 5-2010, ARMA TR22–2012, Vital Records: Identifying,Managing, and Recovering Business-Critical Records, ARMA International,2012.

National Incident Management System (NIMS). NIMS Resource Center, http://www.fema.gov/emergency/nims/.National Incident Management System (NIMS),http://www.fema.gov/pdf/emergency/nims/NIMS_core.pdf.

Contingency Planning Guide for Information Technology (IT) Systems, National Institute of Standards and Technology, NIST Special Publication 800-34, http://csrc.nist.gov/publications/nistpubs/800-rev1/sp800-34-rev1_errata-Nov11-2010.pdf

Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, Recommendations of the National Institute of Standards and Technology, Special Publication 800-84, http://csrc.nist.gov/publications/nistpubs/800-84/SP800-84.pdf.Building an Information Technology Security Awareness and TrainingProgram, National Institute of Standards and Technology, Special Publication800-50, http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf.

Information Security Handbook: A Guide for Managers, National Institute of Standards and Technology, SP 800-100,http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf.

Risk Management Guide for Information Technology Systems, National Institute of Standards and Technology, SP 800-30,http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf.Generally Accepted Principles and Practices for Securing Information Technology Systems, National Institute of Standards and Technology, SP 800-14, http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf.

An Introduction to Computer Security: The NIST Handbook, National Institute of Standards and Technology, SP 800-12,http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf.

“Emergency Preparedness for People with Disabilities,” 2001.



Emergency Evacuation Planning Guide For People with Disabilities, National Fire Protection Association,http://www.nfpa.org/assets/files/PDF/Forms/EvacuationGuide.pdf.

People with disabilities, online resources from the National Fire Protection Association, http://www.nfpa.org/categoryList.asp?categoryID=824.

Saving Lives: Including People with Disabilities in Emergency Planning, National Council on Disability Emergency Procedures for Employees with Disabilities in Office Occupancies, U.S. Fire Administration,http://www.ncd.gov/rawmedia_repository/fd66f11a_8e9a_42e6_907f_a289e54e5f94?document.pdf

“Reliability Engineering Applied to Critical Operations Power Systems (COPS)” Michael Anthony, Robert Arno, Mark Beirne Patrick Saad Saba, Robert Schuerger PE, IEEE Industry Applications Society, March/April 2013


Electrical power security is essential to public safety and emergency and disaster management. It is important to evaluate alternatives in a quantitative fashion. This paper was given the Prize Paper by the IEEE in 2012 and is one of only a few that deal with quantitative assessment methods for Critical Operations Power System.


Submitter Full Name: Michael AnthonyOrganization: University of MichiganStreet Address: City:State: Zip: Submittal Date: Thu Jan 02 14:34:08 EST 2014





Saving Lives: Including People with Disabilities in Emergency Planning, National Council on Disability Emergency Procedures for Employees with Disabilities in Office Occupancies, U.S. Fire Administration,http://www.ncd.gov/rawmedia_repository/fd66f11a_8e9a_42e6_907f_a289e54e5f94?document.pdf

IEEE Industrial Applications Society 3006 Series on Power Systems Reliability


The IEEE “Gold Book” (493), and its successor document, the so-called "3006-Dot Books" are the most comprehensive document on quantitative methods for electrical power system reliability in the world. Since reliable power systems are as important to life safety as homeland security, all NFPA committees should have this book as a reference document in order to become more familiar with the terms of art of reliability engineering. For the first time, this reference document appeared in the 2011 National Electrical Code in Chapter 7:







Saving Lives: Including People with Disabilities in Emergency Planning , National Council on Disability Emergency Procedures for Employees with Disabilities in Office Occupancies, U.S. Fire Administration,http://www.ncd.gov/rawmedia_repository/fd66f11a_8e9a_42e6_907f_a289e54e5f94?document.pdf


Resources for Special and Functional Needs are contained in the propose new annex.



