This can be achieved by applying ISO 31000:2009, Risk management – Principles and guidelines, to the development of emergency preparedness plans and processes.

Disruption-related risks are a result of natural, biological, technological, industrial and other human activities, and can lead to significant social and economic costs for individuals, organizations, municipalities, regions and countries. Specific effects include : damage to property, infrastructure and facilities ; financial costs and indirect economic losses; fatalities, injuries and illness ; impairment of ecosystems and loss of biodiversity ; and social and cultural losses. To respond effectively to these challenges, effective emergency preparedness plans must :

  • Understand what the body developing the plan must achieve – the critical objectives
  • Identify possible barriers or interruptions in trying to achieve these objectives
  • Test and measure the probable outcome of controls and other mitigation strategies (identifying and quantifying residual risk)
  • Determine how the organization will continue to achieve these objectives should additional disruption-related risks occur.

These key aspects apply to all private and public organizations required to develop an effective emergency preparedness programme.

With little modification, these same aspects can be applied to address the needs of even the smallest organization or municipality. There is no need to approach emergency preparedness as a monolithic programme. More than solely the writing of a plan, emergency preparedness is an organization’s proactive provision of resources to ensure that critical societal or business objectives continue to be met in the face of any disruption-related risk.

Resource, time and capability constraints will usually mean that any plan has to focus its emergency preparedness plans on key deliverables. This may mean the disruption of critical activities for defined periods. Following this, other objectives and more extended disruption timelines can be addressed.

Risk-assessment methodology

Those charged with producing emergency preparedness plans and processes therefore need to develop a risk assessment methodology to clearly understand the objectives that need to be addressed by the emergency preparedness plan. There are sound practical, social and economic reasons for having such an approach to the conduct of emergency risk assessments. These include :

  • Improving the understanding of emergency risk issues and ensuring that risk treatment measures provide a sound return on investment in terms of knowledge, skills and resources (for example, capital, time, people, processes, systems and technologies)
  • Standardizing risk assessments and the development of alternative risk reduction proposals so that all involved speak the same language of risk
  • Increasing transparency so that assessment processes can be followed easily, checked or modified in the light of improved knowledge or information
  • Improving consistency to allow meaningful comparisons between different disruption-related risks.

To meet the challenges of disruption-related risks, the above objectives must be addressed in the development of emergency preparedness plans. In this way, individual, organizational, municipal, regional, national and global needs can be met.

Understanding risk

To achieve these goals, responsible organizations should develop an appropriately contextualized emergency risk assessment methodology consistent with ISO 31000.

Given the complexity and severity of possible outcomes as a result of emergency events, the guidelines need to generate an integrated, comprehensive and objective understanding of emergency risks. This will inform the emergency preparedness plans required.

Outputs from risk assessments undertaken using the resultant methodology must seek to improve decision making about the allocation of scarce resources for risk treatment and emergency preparedness plans and procedures.

The emergency risk assessment methodology developed must be scalable, capable of being used for assessing emergency risks arising from any hazard and able to be used from an individual to a global level. Depending on the context of its application, any study conducted using the methodology will necessarily focus on particular hazards of significance and impact for the community in question.

Such a document will be used by : those responsible for emergency preparedness policies, plans and procedures ; those accountable for ensuring disruption-related risk is effectively managed in a community or organization ; specialist risk practitioners who must apply the methodology ; those who evaluate the effectiveness of emergency preparedness practices ; and other stakeholders.

The methodology needs to focus on emergency events and be concerned with the risk assessment of events that require the development of effective emergency preparedness plans. Although the focus should not be on risk management, risk mitigation or addressing business continuity processes and practices, these can benefit from the methodology’s outputs.

There is no need to address the entire risk management framework or the risk management process as outlined in ISO 31000. However, because the focus is on the assessment of risks from emergency events, the management of emergency risks is directed towards, and in line with, International Standards for risk management. The resulting document should produce a risk assessment methodology that :

  • Facilitates a focus on risks in small (e.g., organizational or municipal) or large (regional and/or national and/or global) areas
  • s useable for both risk from and risk to (e.g., risk from flood, typhoon, tsunami and wildfire; and risk to buildings or nfrastructure from all or specific sources of disruption-related risk)
  • Uses a scenario-based approach
  • Samples risk across a range of credible consequence levels
  • Identifies current risk under existing controls, and residual risk assuming implementation of additional controls or control improvements
  • Provides base-line qualitative risk assessments and triggers for more detailed analysis
  • Allows risk evaluation at varying levels of confidence
  • Provides comparable outputs which rate risk and suggest ways to reduce risk.

Applicable to all emergencies

In many jurisdictions, emergency preparedness planning focuses on the sudden onset of natural hazards. These include earthquake, flood, storm, hurricane, storm surge, debris flow, tsunami and wildfire. Of course, not all emergency events are caused by nature. However, consequences from emergency events may be similar, regardless of the trigger involved. It is therefore imperative that the final document adopt an all-hazards approach and provides a method that is suitable for considering other sources of risk. These include disease (human, animal and plant), insect/vermin plague, and those risks arising from technological and other human sources, unless specific risk assessment techniques have been developed for the detailed analysis of particular hazards.

ISO 31000 states that the success of risk management depends on “…the effectiveness of the management framework providing the foundations and arrangements that will embed it throughout the organization at all levels”.

An appropriate methodology ensures that information on disruption-related risks will be adequately reported and used at relevant levels in decision making with respect to emergencies and the development of effective emergency preparedness plans. These are to protect individuals, organizations, municipalities, regions and countries, and are also applicable globally, as required.

It ensures that those charged with developing, testing and implementing emergency preparedness plans have the required mandate and commitment from top management to facilitate their activities.

Defining scope

The scope of the risk assessment needs to be adequately considered to define the required data. Because the management of risks from emergencies could involve multiple hazards, the definition of scope must address the range of hazards for a single event or multiple events, the relevant community including its geographical or jurisdictional boundaries, and relevant timelines. Accordingly, consideration needs to be given to determine : the emergency event(s) ; the sources of risk (describing the hazards) ; and the impact categories (describing the elements at risk).

Consideration may also be given to the fact that emergencies can have beneficial long-term consequences for the relevant community, which might (partially) offset immediate or short-term detrimental impacts. Also, consequences beyond the region or jurisdiction of concern may increase or reduce those within the region. In general, any issue raised during the risk identification process – including concerns – can be considered, captured in the risk register and assessed through to the risk evaluation.

Above all, effective emergency preparedness requires a fundamental cultural change in a society or organization, including an acceptance of uncertainty and imperfection. People and organizations need to appreciate that risk is inherent in every decision and activity, and that part of this risk has the potential to create disruption. As a result, they need to consider how they will manage any resultant disruptions to their activities.

There is no single solution for engendering the required cultural change, although appropriate communication certainly helps to achieve success.

Kevin W. Knight
Kevin W. Knight
Chair, ISO/PC 262, Risk management