Rod Propst is the Principal Terrorism and Security Analyst at Analytic Services Inc. in Arlington, VA. He conducts threat, criticality, vulnerability, and risk assessments; writes antiterrorism and all-hazards plans; provides antiterrorism and combat skills training; and designs antiterrorism and red-team exercises for government enterprises around the world. A retired U.S. Army officer, he conducted special operations forces, field clandestine, controlled collection, counter-drug, and counter-terror operations around the world; and he was a defense attaché at the U.S. Embassy in Mexico City. He has advanced degrees in strategic studies (unconventional warfare), homeland security, and international relations (Mexican studies).

At the heart of every enterprise’s efforts lies the ability to sustain operations in all conditions, regardless of the challenges imposed by the environment. Unfortunately, too many businesses approach this complex requirement haphazardly, with at times indifferent involvement by corporate leaders. Sustaining business productivity, then, relies on hit-and-miss approaches without a proper focal point to provide direction for continuity. Regardless of the nature of the corporate endeavor, a well-led, focused program that enhances mission sustainment is achievable by even the smallest entities, in any operational environment.

An interlocking continuum of eight mutually supportive, building-block continuity-of-operations tasks is requisite to achieving a stable mission output.

Step 1: All-Hazards Threat Assessment

Every step in the all-hazards continuity-of-operations continuum builds on a thorough understanding of the threats to the uninterrupted flow of business. Years of experience—much of it negative—demonstrate our inability to communicate across multiple organizational levels and across organizations that only rarely work together, usually in a disaster. It was bad enough that we had means of communications that were mutually incompatible; worse, we have been hamstrung by our inability to speak the same continuity-of-operations language in response to challenges to sustaining business when the test begins. The government has begun sweeping changes to leap this communications hurdle. While many of the documents introduced are specifically directed at governmental entities, a thoughtful, responsible executive can see the benefit of incorporating these communications guidelines into a business’s continuity-of-operations program.

The foundation for governmental guidance for homeland security and continuity of operations appears in Homeland Security Presidential Directive 5 (February 2003). This simple yet far-reaching directive states that all homeland security efforts will address “all hazards.” The present model offered here is based on that unequivocal guidance. This guidance applies to all threats—weather, geophysical, accident, criminal, and even terrorist. Thus, as a first step, a business entity must identify the specific threats to its facilities and personnel—which may be geographically dispersed and require different hazard planning for disparate sites. In later steps of this model, additional doctrinal documents—the National Response Plan, the National Incident Management System, and the Incident Command System—will be highlighted.

While weather and geophysical events are outside our control, the human threat is manageable by an aggressive corporate team with singular vision and leadership.

The wonderfully insightful Thomas Friedman in The World Is Flat (2005) said that only a technological breakthrough in communications was required to give human threats greater viability in attacks—on nations, on governments, and on private enterprise. In times past, tribes geographically separated by only a few miles but by a substantial physical barrier—such as a mountain—could develop different dialects, perhaps even disparate cultures. Later, the great nations’ reach was measured by their sea power—the Portuguese, the Spanish, the Dutch, the English, and later Germany and the United States being prime examples; as a nation’s sea power grew or diminished, so followed that state’s global importance. With the growth and penetration of the Internet, the glowing embers of a communications revolution burst into flame as the century turned. Now mountains and seas offered no barrier to those human elements whose threats to civilization were set to be more fully realized. The Internet is one of the key features of our “flat world” as described by Friedman. This offers at least a partial explanation for the growth of terrorism.

For the business planner interested in sustaining operations, the recognition of the entire range of threats—all-hazards—is, then, essential. All subsequent steps in our model flow from an accurate definition of the entire range of threats—human and otherwise—that menace the continuity of operations.

Using key interrogatives, we can begin the use of the continuum by asking simple questions:

• Who threatens us?
• What threatens us?
• When are we most threatened?
• Where is the threat most dangerous to continuity?
• Why do these threats exist?
• How—precisely—is our business threatened by this diverse array of hazards to continuity?

We can brainstorm these straightforward questions, then transpose them into a simple statement of the potential all-hazards threat to our business entity, regardless of size or dispersion. We call this simple statement of hazards a design-basis threat; that is, we will design, in later steps, a protective profile focused on precise mitigation of the hazards we identified in step 1.

Step 2: All-Hazards Criticality Assessment

One of the main challenges to initial application of any continuity-of-operations paradigm is a determination of precisely what elements of the enterprise are important and why they are central to continuity.

Many methods exist to box and bin critical functions or elements of an entity. We recommend a three-box method for assigning criticality. First and foremost, an enterprise rests on the caliber and sustainability of the workforce. Any place or any time that people are at risk to any of the hazards identified in step 1, we must identify those elements. It might be the corporate cafeteria, the day care center, the training room, the conference facility, the communications node—any place where staff congregates and could be negatively exploited by human threats or made more vulnerable to accidents, weather, or geophysical events.

Second, we can box those elements that produce the output of the corporate entity—whether they are information, product, or analysis, for example. Mechanical points of failure are easily identifiable using a range of tools to identify locations or means without which the enterprise cannot move forward doing its business; informational or analysis nodes are more difficult to identify and require corporate focus to enhance their protective profile.

Third, we can easily identify the critical infrastructure upon which the entity rests. This may be electricity or other power, raw materials feeds, water, gas, or any other resource that forces infrastructural breakdown once compromised.

It is essential, once we have the threat focus, to understand all the elements of our entity that are at risk from those carefully identified hazards. Once criticality is known and understood, we can apply the third step in the continuum.

Step 3: All-Hazards Vulnerability Assessment

Once we understand the critical elements (step 2) of the business, we can apply a known threat as it appears in the design-basis threat statement (step 1) to determine what hazard or threat creates a window of vulnerability to what critical business component.

As we apply this paradigm, it is important to complete a criticality scrub before identifying vulnerability. Once explained, the reasons for this approach are amply clear. Clearly, to understand vulnerability, we must first know the threat—otherwise there exists no foundation against which to measure vulnerabilities. In addition, it is a reasonable technique to attempt to reduce the number of critical aspects of the enterprise prior to planning. We have several boxes in which assets are described—allowing the continuity-of-operations lead to focus energies. If we try to protect everything all of the time, we will protect nothing any of the time. That is never more accurate than in this instance.

By examining vulnerability separately, we are not tempted to directly link loss to criticality. That process delivers a pure look at weakness linked to hazards.

In the second half of this step, we can then link criticality and vulnerability. With this second-phase linkage, we can develop a rough order of merit for the protection of assets.

Examining the first and second boxes, we see that these particular assets (people, mission, or material) are rated as low criticality; by that measure, why protect them until all assets of higher criticality have been protected? In the third numbered box, we see an asset that remains important, but—for whatever reason—has been previously identified and a better protective profile already established; while it remains important to the assessment leader, it is secondary to the fourth asset, which is critical and remains vulnerable. Meaningful attention to the critical, vulnerable assets should be the first priority. Note that any number of criticality and vulnerability tools exist; we should pick one that works for and is understood by the corporate entity and go with that solution for racking and stacking assets.

Step 4: All-Hazards Risk Assessment

Clearly, not all assets are created equal. Even so, often previous inattention to all-hazards protection, a change in mission, or an expansion into a different environment (of production or even a different physical environment) may mean that the analysis yields a long slate of highly critical and vulnerable assets. Since it is understood that attempting to protect every asset from every hazard at all times is a losing proposition—or at best probably not cost-effective for most businesses—then a reduction in the slate is not only desirable but likely requisite.

This role should, in most cases, be fulfilled by the chief executive officer—in whose hands the corporate life of an enterprise ultimately rests. In cases where the size of the enterprise makes this impractical, the chief of operations—or perhaps the chief of information operations of chief of security operations, given the corporate focus—may be a suitable, if less desirable, alternative.

At any rate, the goal of the fourth step in this model continuum is a simple assessment to accept risk for certain assets and provide an enhanced protective profile for other assets. This represents a potentially complex balancing act—where limited resources (time, people, money) can be best focused in order to enhance the enterprise’s protective profile and where the lack of overall resources requires that some assets be left less protected. This risk acceptance will be individual and corporate centric (some leaders are more risk averse than others, while some leaders are comfortable living on the edge of the risk precipice). The result will be a shortened list—manageable within the fiscal and other constraints that apply to the enterprise—against which a plan to enhance the corporate assets will emerge.

Step 5: All-Hazards Planning

Planning should never occur before completion of the four-step assessment cycle described above. To do so means that the measures taken to confront the challenges identified in the all-hazards threat assessment step 1 may not match the design-basis threat, against which the continuity-of-operations plan should be written. It may mean that less-vital enterprise nodes go unprotected because their importance is not fully appreciated by a criticality assessment (step 2). It may mean that inappropriate planning steps are applied, if a vulnerability assessment (step 3) is not accomplished that carefully, thoroughly links threat, criticality, and vulnerability. Finally, a plan may not be executable because resources do not cover all critical or vulnerable assets or nodes—indicating the need for a scope reduction via a risk assessment (step 4).

On the other hand, once your enterprise determines the threat specific to your operation, the critical nodes of your business, the vulnerabilities inherent to the critical nodes given the stated threat, and where senior enterprise leadership has assigned limited protective assets via risk assessment, then you are perfectly positioned to write a protective plan.

A proper protective plan should address all hazards (all threats). That means that the plan will have measures to ensure enterprise operational sustainment in the case of adverse weather, an adverse geophysical event, accidents, criminal acts, or acts of terrorism. That plan will be responsive to all-hazards protective enhancements. The plan should also include all actors—both your enterprise and any hostile actors, human or natural—that threaten continuity. The plan should cover a thorough timeline—from pre-incident ramp-up preparations (for example, protective steps we can take as severe weather systems form) through trans-incident actions (some incidents’ effects are immediate but of enduring impact, such as a bombing, and some incidents may take days to play out, such as severe weather or epidemics) through post-incident response and recovery. The post-incident recovery may take an extended period, such as infrastructure rebuilding in the wake of a tornado. The desired goal of recovery, and it should be so stated in your plan, is reestablishment of the same operational profile after the incident recovery phase that you had before the incident.

It is important that your enterprise all-hazards manager understand the (potential) impact of some key U.S. Government documents on your planning. The overarching document is Homeland Security Presidential Directive 5. It required the establishment of a National Incident Management System, tasked to “provide a consistent nationwide approach for Federal, State, and local governments to work effectively and efficiently together to prepare for, respond to, and recover from domestic incidents, regardless of size, cause, or complexity.” An understanding of the National Incident Management System is invaluable in developing an enterprise all-hazards plan. Homeland Security Presidential Directive 5 also directed revision of the National Response Plan and broader application of the Incident Command System. In concert, these several documents provide key guidance on preparation, the U.S. Government’s role, and how individual enterprises may benefit from this linked system. Homeland Security Presidential Directive 5 directs that the National Response Plan be written so that it is operational for “different threats or threat levels.”

Regardless of the size or business focus of your enterprise, a thorough understanding of Homeland Security Presidential Directive 5, the National Incident Management System, the National Response Plan, and the Incident Command System is vital to all-hazards planning. There is some simple good news here. Basic, introductory courses covering each of these documents are readily available through FEMA’s Emergency Management Institute. They are online and user-friendly, and the cost (free) is perfect regardless of your needs.

Once you understand the U.S. Government framework for potential help to your enterprise, and once you know which assets or nodes are to be protected (as a result of step 4, risk assessment), then you are prepared to write a plan.

Simple steps guide the plan.

Step 5A: Keep it simple. Not all people will exercise these responsibilities every day, so the precise tasks must be apparent and executable.

Step 5B: Build pre-incident action sets for predictable events (such as extreme weather during certain times of the year). An action set is a single task that requires the efforts of several individuals or corporate entities to get the job done. The best way to write an action set is to specify one actor, one task, clearly stated in active voice, for each action in the set. (For example, the action set “Evacuate the building during a tornado alert” might have the security manager check that all doors are locked, a floor monitor check that all rooms are empty, a communications specialist ensure that all computers are logged off, a human resources specialist account for personnel after evacuation, etc.) The key is one task, one person, active voice—“Mr. Smith, check all doors on Floor Seven.”

Step 5C: Build trans- and post-incident synchronization matrices. Because some situations are predictable—some severe weather, for example—we can often act in advance to reduce or eliminate those events’ impact on the enterprise. However, sometimes we must react to an incident as it develops (a criminal act, terrorist act, or fire, for example). During an attack, the actions of the enterprise—and often of a wide range of other entities with which a business has minimal regular contact—must be synchronized.

Firemen are no less brave today than they have ever been, yet they do not blindly rush into buildings—where terrorists may have developed a sucker punch to kill responders. They have synchronized steps to take before entering a hot location: setting up perimeters, setting up access points, setting up decontamination stations, and setting up medical stations, among others. That means that some actions must be ordered to have the greatest effect at the point of synchronization. Once the enterprise’s planner understands the importance of synchronization—which is nothing more complex than intelligently ordering the tasks and deconflicting the tasks—then the individual tasks can be written to be synchronized in the same active voice, one-person, one-task manner used for action set development.

The planning action sets should follow a basic test for inclusion and format: Are they clear, concise, and comprehensive? Do they use active voice? Following those simple measures will ensure that even the less experienced corporate planner rises to the occasion when developing your enterprise’s all-hazards contingency plan.

Step 6: All-Hazards Training

It has been the unfortunate experience of many enterprises that they see a void and immediately say, “We need training,” and they attack the problem mid-stream. The skilled trainer understands that you must have a plan first, then train to the standards expressed in the plan. Too often the required foundation (steps 1-5) has not been laid to allow for proper training. The best-case result is unfocused training. The worst case is that you will train all of your enterprise’s personnel and then have to retrain when the proper application of the preceding steps clearly demonstrates that your trained actions do not yield the desired, anticipated result. Now, the enterprise has invested those precious, rare resources—time, people, and money—and discovers that critical, vulnerable assets remain largely unprotected because it jumped to the planning step without the required groundwork.

We recommend an approach that answers basic questions and prompts or guides the planner through robust plan completion.

Step 6A: List all hazards applicable to your enterprise (weather, geophysical, accidents, criminal, terrorist). Note that the sharp practitioner will already have done this in step 1.

Step 6B: List all critical nodes—whether they be critical from a production standpoint or from an employee protection standpoint. The sharp practitioner will have done this in step 2.

Step 6C: Know for every critical node whether there exists a single point of failure—one place where any hazard can cause the enterprise’s loss of production. This is an extension of step 2.

Step 6D: Identify how these nodes or points of failure are linked to the range of hazards. (This is step 3.)

Step 6E: Link criticality and vulnerability using a quantitative tool of the enterprise’s choice to assist in a rack-and-stack of assets requiring sustainment for the enterprise’s output.

Step 6F: Reduce the overall list of nodes to one that the enterprise can manage—given the range of available resources—using step 4, risk management.

Step 6G: Write the plan in simple pre-incident action sets and trans- and post-incident synchronized action sets. These should state precisely who does which task and in what building-block (synchronized) order.

Step 6H: Check the plan to make sure it remains clear, concise, and comprehensive. Above all, resist the urge to write in passive voice, which confuses the reader.

Step 7: All-Hazards Exercising

Exercising is little understood, seldom planned appropriately, and largely a waste of resources. Clearly, an enterprise of any size can surmount these obstacles. It simply requires thought and planning.

The temptation often is “Let’s just exercise this and see where we are.” Sounds good; it isn’t. Exercises must be carefully scripted—something beyond the scope of this article—based on careful planning. Most important, an enterprise should base its exercises on a solid plan (back to step 5) that has been properly trained for (back to step 6). An enterprise does itself an injustice—and wastes resources—if it exercises before completing steps 1-6.

The proper exercise must be made of building blocks and focused. It should start with a management tabletop exercise. This has two principal benefits: First, it gets management involvement and buy-in. Second, it uses the least amount of resources to work out potential kinks with the fewest players. Second, a limited-scope mix of tabletop and enterprise field exercises is appropriate. This allows the leaders to work through actual execution problems with key staff. This works out the next level of planning kinks. Finally, you can move to a more enterprise-inclusive exercise involving all corporate players.

That sounds simple enough. But when you think of the range of hazards, you can see that repetitive iterations of exercises may be required—each iteration focused on one hazard-reduction exercise. The smart enterprise exercise planner does not mix and match hazard scenarios, such as a terrorist attack during a tsunami; rather, the planner uses discrete exercises. Exercises focused on single hazards yield more by establishing good response habits to discrete events.

The goal of the best exercise is always to do one task or one set of tasks well—to practice doing the response correctly, versus overwhelming all actors with situations that engender bad habits.

Step 8: All-Hazards Program Management

It is evident that each of the first seven steps requires an investment in resources—time, people, or money. It is equally clear that these continuity-of-operations (disaster management) actions compete for resources with other enterprise demands. The most successful programs balance the pressing need for preparedness with the everyday demands of the enterprise. That is why the enterprise’s highest executive level of leadership must be engaged in designing the all-hazards continuity-of-operations program.

The corporate manager of the all-hazards continuity-of-operations program can ensure success by application of one simple concept: engagement. The program works best—in many cases, it is the only manner in which the program can work at all—only when the enterprise’s leadership is engaged in all steps of the program. Leaders must agree as to the threat. They must concur as to the location and vulnerability of critical enterprise nodes. Above all, leaders own the program’s risk assessment and must understand the entire continuum in order to properly assess risk, in turn establishing the direction for enhancing the enterprise’s protective profile. Those at the helm must then ensure that, once assessed, a proper plan—sufficiently trained for and exercised—is established.

The final element you must understand to best use the continuum is its continuing application. The steps as described are indeed sequential. Each does build successively on the preceding steps. However, the user must exercise caution—understanding that, once the cycle is completed for the first time, the cycle continues, unbroken and continually being enhanced in its application.

The steps remain sequential, in the same order, but once step 8 is completed, the job is not done. Hazards change. Enterprise business profiles change. The protective profile for an upgraded set of critical nodes changes. New leaders may alter the risk assessment. Planning, training, and exercising to achieve currency and efficiency in the use of the continuum are requisite. The steps remain numbered, but once the cycle has been completed once, then careful, thoughtful adaptation of the steps (sometimes out of sequence) is possible.

The best planners and enterprises that choose to apply the all-hazards continuity-of-operations continuum described here understand the flexibility of the continuum while appreciating the structured approach it offers.

This proven methodology will work for your enterprise, regardless of its size or business focus. Its use in many government agencies ensures that shared understanding is achieved when it is most needed—during the real-time application of the continuum in response to an emergency.