Issue 39 – June 2012
This article by Prof Ernst-Peter Döbbeling first appeared in ISO Focus+ May 2012 and is summarised here with permission from ISO.
In the public and private sectors, a key task is minimising the impact of the disasters and crises that follow natural, negligent, or intentional incidents. When major incidents occur, they regularly demonstrate the importance of an effective response. Fortunately, ISO 22320:2011, Societal security – Emergency management – Requirements for incident response, enables organisations to respond efficiently and effectively.
At first it might be surprising to see the publication of an international Standard for incident response. This is because emergency management is widely seen as a matter for public or governmental organisations operating within a legal framework.
But today, incident response has become a broader multi-organisational, multinational concern, in which private and public actors collaborate. Following business continuity analysis, many companies have identified the requirement for a response system.
ISO 22320 outlines global best practice for establishing an incident response system. While it does not touch on legal regulation, it defines minimum requirements for the single and multi-organisational collaboration of parties involved in preparing and implementing effective incident responses.
Emergency management explained
'Emergency management' can be defined differently according to the language, nationality, organisation, or legal regulations involved. For ISO 22320, emergency management is the overall approach for preventing and managing emergencies. Emergency management covers all three phases of a disruptive event (before, during, and after) and various activities.
Incident response comprises actions to stop the causes of an imminent hazard, and/or mitigate the consequences of destabilising or disruptive events, and/or recover. These events include natural disasters, terrorist threats, poor IT security, or an industrial fire disrupting the product chain. The main activities of an incident response are:
- warning, alerting, and activation of incident response
- command and control, information, coordination, and cooperation
- the response to the incident to save lives and mitigate negative effects.
'Command and control' has its origin in military and police terminology. It is now a more generic term for target-orientated decision making in which decisions are taken under time pressure and with incomplete information. It is more effective when a structured command and control system is implemented. This ensures, for example:
- a common understanding of aims and purpose
- a common operational picture of the situation
- links with other organisations outside the line of command
- the appointment of relevant managers.
In the Standard, command and control can be organised for public emergency services and private industries.
The Standard gives examples of typical roles and responsibilities, but of course these must be adapted to the local framework of incident response and to the types of possible incident.
The Standard also describes how to:
- identify and define incident response levels
- structure command and control according to political, strategic, and tactical needs
- create a response system that is scalable to different incident types and sizes.
The command and control process follows the principle of Plan-Do-Check-Act. This process changes due to the impact of response measures (positive) or to the evaluation of the incident (negative).
Operational information provides the basis for situational assessment and decision making. The production, integration, and dissemination of operational information are essential elements in command and control. In an emergency or crisis, normal information paths can be interrupted and the information itself can be subjective, intentionally manipulated, or wrong.
ISO 22320 supports the definition and implementation of effective incident information processing. It describes the implementation of an ongoing process for providing operational information, including necessary activities. It also explains how information can be integrated, evaluated, and interpreted to create operational information that fulfils quality criteria. All professionals in incident response are aware of the high importance of information processing and documentation.
Another process in emergency management is coordination. Often, many organisations have to respond to an incident and interact. For example, public emergency services interact with private industry services, industry interacts with energy or water suppliers, and police interact with fire and ambulance services. Each organisation has its own line of hierarchy, command, and information.
Coordination is the way in which such different organisations work together to achieve a common objective. The challenge is to integrate individual responses to achieve synergy to the extent that the incident response has a unified objective and a consensus decision-making process.
Without coordination, organisations have difficulties in identifying a common incident response goal and accepting strategic implementation.
ISO 22320 covers the principles for a multi-organisational command and control process with an enhanced need for coordination and information sharing. Effective coordination is shown for the:
- setting of boundaries (geographical and areas of responsibility) between the different organisations
- interoperability of communication, geographic, and information management networks
- identification of common and transparent decision-making procedures
- implementation of an information sharing and situational awareness policy
- implementation of a communication flow plan and communication guidelines
- division of operational tasks
- preparation and implementation of a logistic support network.
Cooperation is an agreement to work or act together for common interests and values. The complexity of national and international public and private collaboration has produced new ways of working together in incident response. Private-public partnership or contract-based company partnerships have partly replaced traditional systems. An example is public emergency services combined with private services supplying food, energy or shelter.
Private companies implement mutual support to avoid service interruption and ensure business continuity. They agree in advance by contract or arrangements to contribute with their resources to incident response.
Cooperation has to be assessed, prepared, established, and tested in advance on the basis of risk analysis. This facilitates opportunities for effective and economical incident response planning. Cooperation can reduce or share costs and improve business continuity and recovery.
Benefits to all
ISO 22320 applies to all the private and public sector organisations that can be involved in incident response. An organisation can use this Standard to identify its individual performance requirements and organise decision making in crises when normal hierarchical decision making is interrupted.
A good reaction to disruption is driven essentially by information availability and information exchange. The Standard outlines the information process and the relevant quality criteria.
In incident response today, collaboration between organisations, companies, or governments is based on coordination, cooperation, and public-private partnership.
In many countries, the hierarchical structure is still the only way of handling incident response in emergency management. For them, this Standard presents a wider view for preparedness in incident response.
For developing countries, this Standard is a neutral best practice document for planning and implementing a complete, well-structured incident response system.
An ISO Standard-based incident response system offers the opportunity for trans-border collaboration. It also facilitates good incident response coordination between governmental organisations and industry.
The warning of the population at risk is a key part of incident response. An ISO Standard currently in development, ISO 22322, Societal security – Emergency management – Public warning, will cover this.
The author, Prof Ernst-Peter Döbbeling, is Professor of security and safety engineering at Furtwangen University, Germany. He is also Convenor of the International Organization for Standardization's (ISO's) technical committee ISO/TC 223, Societal security, working group WG 3, Emergency management.