Effectively Integrating Crisis Management for Future Resilience

This is the first of a two-part article. Part 2 will be published in the May 6 eGUIDE. 

In light of the increasingly complex and diverse threats facing the United States and the world in the past two decades, tremendous resources have been spent in the public and private sectors to prevent, prepare for, mitigate, respond to, and recover from man-made and natural disasters. With successes and failures along the way, lessons have been learned and the field of community resilience/homeland security/business continuity/emergency management/disaster recovery has continued to evolve as more and more expertise takes hold. As a result, the nation has effectively combatted or mitigated myriad challenges including international terrorism, cybersecurity, infrastructure failure, and increasingly severe natural disasters. That is not to say that we can consider these threats resolved, rather it indicates that effective risk management has been applied to help the nation manage these sources of disruption to a point where they have not caused catastrophic impacts to the nation.

As we now combat the 2020 coronavirus pandemic, though, we are confronted with a situation that is exploiting the exact vulnerability our increasing doctrinal expertise has created — professional sectionalism. While we have continued to develop expertise, doctrine, and security/crisis management/emergency/resilience plans, we have failed to account for how these increasingly specialized fields integrate their efforts when faced with a catastrophic risk that spurs cascading impacts. Although the U.S. has among the best public health, emergency management, infrastructure security, and academic research capabilities in the world, marshalling them together towards a common purpose and integrating them in service of a clear, coherent strategy has proved vexing. 

One umbrella term that has been used to bring these disciplines together is preparedness. Federal policy in the U.S. has defined that as including prevention, protection, mitigation, response, and recovery. Each of these has developed their own organizational and planning frameworks as well, with increasing levels of specialization. As a result, the U.S. has broken each of these areas down to include:

• 32 core capabilities
• 5 intelligence disciplines
• 16 critical infrastructure sectors with 25 sub-sectors
• 8 National Essential Functions
• 69 Primary Mission Essential Functions
• 55 National Critical Functions
• 7 community lifelines
• 15 Emergency Support Functions
• 5 Recovery Support Functions
• 5 cybersecurity framework core functions with 22 categories and 98 subcategories

If that weren’t already overwhelming, each of these utilize a 5- or 6-step risk management process to attempt to identify priorities so that limited resources can be used where they will be most effective at reducing the potential for, or consequences of, disruption.

One emergency manager I recently spoke with told me that upon taking charge of a metropolitan emergency management agency, she was quickly briefed on the jurisdiction’s 87 risk specific plans. Taking just 20 minutes each to understand how these 87 risks are addressed according to the 362 factors outlined above would mean that emergency manager would spend the first 5 years of her job doing nothing but trying to understand the full landscape of preparedness for her jurisdiction. Even if we returned to the days of the 15 national planning scenarios, it would still take nearly an entire year for this emergency manager to understand how her jurisdiction stacks up.

Of course that’s not how any executive or enterprise risk manager wants to or does spend their time. But it highlights an even greater challenge they face. For Federal, state, and local leaders, their funding depends on developing plans and assessments based on these 362 Federally-conceived factors. For the private sector, their accreditors, regulators, insurers, and investors all look to disparate elements of these 362 factors to understand their performance and ability to deliver on promised projections. In many cases, this comes down to “checking a box” on a prescribed tool without a full understanding of what particular information is being sought or how it contributes to overall preparedness or resilience. This, in turn, creates additional incentives to report in a way that games the system for more resources.

More importantly, leaders who are responsible for managing risk to communities and organizations oversee personnel who spend increasing amounts of time completing grant applications or reports based on these 362 factors and others that are emerging. A different emergency manager I recently spoke with told me that 40% of his staff was engaged full time in grants management. Because their funding depends on developing programs that adhere to increasingly fractious doctrine, he now has more grants managers working for him than emergency managers. 

While these elements of doctrine have proven useful and have appropriately applied hard lessons learned from catastrophic incidents in recent decades, as a nation we have failed to identify how they integrate. As long as a potential or real incident stays within the confines of one of these silos, our ability to mitigate the potential risk is unparalleled. However, when a complex crisis emerges that requires simultaneous and balanced execution of pre-incident, trans-incident, and post-incident doctrine in multiple domains of expertise, we have run into significant challenges. For all the specialization that now exists in these silos, our ability to share information and coordinate in a crisis is even more important than ever.

As the current COVID-19 pandemic is proving, while the nation has a baseline level of preparedness, complex disasters that require a crisis management strategy that simultaneously responds to urgent need while preventing further calamity across multiple economic sectors presents us with seemingly immediate tradeoffs in applying needed resources. As a nation, we have spent the last 20 years preparing our leaders to juggle one or two balls and this pandemic is the equivalent of asking them to juggle six chainsaws.

That said, we arrive at a crisis with the doctrine, personnel, and resources we have, not necessarily the ones we want. While I am confident that the U.S. will withstand this crisis, it will be instructive to identify the innovation that occurs as the delicate balancing act between public health and critical economic activity unfolds. Just as the nation has invested in preparedness and resilience doctrine and capabilities over the past 20 years, we’ve also seen technological revolutions in information services and biotechnology. Harnessing the power of American innovation to leverage these developments in service of an unprecedented crisis is an opportunity for risk-informed ingenuity. Our ability to foster innovation and integrate the capabilities of these disparate disciplines in the service of reducing impacts to the nation will highlight needed reforms moving forward.

While the immediate path forward through this crisis is unclear, there will undoubtedly be calls for reform to our preparedness and response enterprise, just as there have been after other catastrophic events ranging from the Exxon Valdez, to September 11^th, to Hurricanes Andrew and Katrina. Rather than be tempted to reform the entire system and create vast new programs, though, we should be guided by two key principles that can foster collaboration and integration without sacrificing the expertise that has been generated in the past two decades:

1. Reduce programs and complexity to simplify programmatic requirements
2. Focus on leadership and practical execution

The current array of programs that fund and guide national preparedness, resilience, emergency management, public health, and infrastructure security create a labyrinth that is impenetrable to understanding or oversight. For recovery focused efforts alone, there are more than 90 programs in 20 departments and agencies that are used on a haphazard basis to allocate billions of dollars in investments over 10- to 15-year cycles that is overseen by a series of around 100 different Congressional committees and subcommittees and dozens of inspectors general. Other preparedness programs are driven by a laudable National Preparedness Goal with an associated annual report that also has vacillated over time as new “shiny objects” capture the attention of policymakers but inhibit the ability to perform meaningful long-term trend analyses. Infrastructure security assessments and risk analyses, on the other hand, have had utility for individual owners and operators but have not been widely available to resilience or preparedness planners to inform meaningful community level efforts that address interdependencies, cascading impacts, and emergent vulnerabilities.

Having served in the position on the National Security Council Staff responsible for evaluating the effectiveness of these efforts, I can attest that it is difficult under the best of conditions and that, despite meaningful efforts, appropriate metrics have not been developed and our assessment activities, exercises, investments, and corrective actions reports do not work together seamlessly to improve our national preparedness or resilience. There are simply too many power centers, entrenched constituencies, and a lack of leadership attention to make meaningful reform absent a substantial change in the operating environment. 

In the wake of this current global crisis, though, there will be substantial appetite for reform. These efforts should not spend time re-inventing the wheel. Rather, they should focus on how those wheels can be mated to strong hubs that connect to a multi-speed drivetrain and powerful motor. In doing so, they can:

• Focus efforts on anticipating and adapting to potential hazards and challenges as opposed to responding to and recovering from them. Moving to a more resilient footing requires quick and early action, yet our national mindset is to wait until the last minute to respond and then quickly surge assets and capabilities to the problem. As we’ve seen very explicitly in the COVID-19 crisis, immediate action in an uncertain environment can mitigate harm until waiting for a more certain, but increasingly dire situation.
• Substantially reduce the number of preparedness programs and pool funding to large-scale resilience investments with effective oversight and aggressive auditing
• Fully integrate planning with exercising. A plan shouldn’t exist without an exercise and vice versa. Moreover, planning should not be a domain solely for emergency managers. Rather, infrastructure security personnel and emergency planners need to work closely together to leverage the same data used to plan security and resilience investments to also develop and test effective plans for incidents and crises.
• Foster private sector led knowledge management that integrates government data and capabilities to ensure that the full range of stakeholders subject to large-scale risks are involved in planning for and addressing them.
• Leverage innovative financing to spread financial risk across the Federal, state, local, private sector, and international landscape. The current landscape of where risk is pooled and how costs are shared is informed by outdated beliefs that communities will postpone needed investments until disaster strikes rather than recognizing the financial constraints they face.
• Modeling, simulation, and analyses of disparate datasets should be at the heart of our preparedness and resilience efforts. Developing quick and responsive models to answer leadership demands in a time of crisis is vital to effectively combatting the threats of the future.
• Leadership matters more than programs and capabilities. Rather than more boxes to check, the nation needs to invest in crisis leadership training and education and ensure that officials responsible for crisis leadership have proven themselves through rigorous development. We demand this of our military leaders and we should hold our domestic crisis leaders to no shorter standard.

As the coming months unfold, there will be many questions about how we got to where we are and what could have been done differently to stave off disaster. As opposed to 9/11 Commission style efforts, though, we can be guided by the response to the 1995 Oklahoma City Bombing. Within 120 days of that tragic event, the Federal government had implemented broad and effective new standards for Federal facility security that closed the key vulnerabilities to another attack. The knowledge of what to do already existed, it just had to be focused and put to use. We have the same situation now; crisis leaders know how to effectively integrate disparate disciplines toward national resilience. They need to be at the center of fast reform efforts that deliver a clear, step by step path forward for the Federal government and all of its partners to execute. Part two of this article will set forth the priorities and specific reforms necessary to better integrate national resilience measures to address future crises.

This is the first of a two-part article. Part 2 will be published in the May 6 eGUIDE.