Mitigation and Preparedness
Rachel Derr
Abstract
Mitigation planning is an important part of the risk management process. This chapter outlines how to evaluate the level of risk starting from disaster management to risk management. This chapter outlines each of the low-impact to high-impact and low-probability to high-probability categories and the probability of each of the categories. Through this text, we have covered risk and also the hazards that each organization can have. Threat analysis is a quantitative analysis. This chapter outlines each of these areas in the whole process.
Keywords
mitigation; amelioration; mitigation planning; structural; nonstructural; preparedness; recovery; response; severity; resilience
Introduction
Mitigation is a type of long-term, predisaster planning that involves repeated expenditures on structural and nonstructural issues in an attempt to reduce or eliminate future risks. Mitigation in practice usually considers the medium- or long-term prospects of safety, and mitigation is the cornerstone of emergency management as it is practiced today. In many ways, it is the classic example of thinking ahead, using common sense, and doing whatever it takes to achieve some payoff in the future. Terminologically, mitigation is related to two other concepts of long-term planning: reconstruction and preparedness. Reconstruction means repair or rebuilding, and preparedness means getting ready or practicing to respond. Mitigation drives preparedness. Mitigation involves thinking of ways to lessen the effects of damage to certain structures and planning so that any impact of a future disaster will be ameliorated or eliminated if possible. Amelioration means to change things for the better, and impact can be understood as the consequences, or likelihood, of something happening in the first place.
Some simple examples of mitigation activities that an emergency manager might perform include promoting flood insurance, urging the structural redesign of buildings, raising or moving homes from flood zones, or just making sure there are appropriate building codes within certain communities. Mitigation planning involves an assessment of the threats facing a community, such as the likelihood of a terrorist attack, and an evaluation of possible targets. Terrorist mitigation is a somewhat controversial phrase that implies special plans and practices for terrorism need to supplement an all-hazards approach.1 Mitigation planning is an ongoing process, with continual reassessments as necessary to ensure proper preparedness. Some experts argue that there is postdisaster mitigation and that predisaster mitigation ought to be called prevention. The usual division of mitigation into two categories, structural and nonstructural,2 us intended to denote the importance of integrated planning in mitigation, that is, the kind of planning that efficiently balances a combination of engineering solutions (e.g., moving homes) with political solutions (e.g., changing the zoning abatements for a community). Some solutions only have a short window of opportunity to capitalize on public and political support. Nonstructural solutions are brought in when engineering solutions have become very costly or have not resulted in a substantial reduction in losses. Evacuation planning is considered a type of nonstructural mitigation, but evacuation, as a topic, is more suitable for a discussion about response and recovery. At this point, it might be helpful to outline the four phases of disaster management; which make up the topics for this and the subsequent lecture. These four phases are listed in Table 11.1.
Table 11.1
Four Phases of Disaster Management
| Phase | Description |
| Mitigation | The reduction or elimination of future risk |
| Preparedness | A practiced state of readiness to respond |
| Response | An immediate reaction or relief that saves lives |
| Recovery | The process of repair and restoration |
Mitigation is the buzzword that gets a city or county pass-through federal grant money every year, either under an Act of Congress that specifically mentions the word “mitigation” or any other disaster relief or performance grant. The amount of money the nation invests in mitigation is not all that great. The baseline minimum for any community is $12,000, and there are formulas for getting more depending on population size. Some communities cannot afford to have even a mitigation specialist, so they usually roll over the job function into that of a “planner” position. Often, a community invests some of its funds. Overall, the total national expenditures for mitigation are little more than $165 million per year, and this money is frequently used for all sorts of administration purposes such as conferences, scenario development, planning, exercises, Emergency Operation Center (EOC) enhancements, testing response plans, public education and outreach, and hazard or vulnerability assessment. Although many issues (including conflict of interest issues) surround the involvement of stakeholders in mitigation planning, this chapter ignores most of the politics and tries to provide some basic understanding of the theories and purposes.
A Primer on Risk
There have been many attempts at a definition of risk, but no real definition has been agreed on. Theoretically, philosophically, and historically, risk means the same thing as fortune, fate, or luck. It can be good or bad. It is an old Middle Eastern concept (introduced by Arab traders to Europeans in the Middle Ages) and even before that was symbolized by the Roman goddess Fortuna, the horoscope sign of Virgo, and certain metaphors of justice. Risk is something that is considered ubiquitous (i.e., happening all the time and every day). It represents life’s capriciousness. The idea that sometimes bad things just happen is the idea of risk. There is a certain amount of superstition embedded in the concept in that risk is supposed to govern a society’s destiny as well as its prosperity. In the field of public management, there is consensus that the government ought to be the risk manager of last resort. The concept of risk is different from the notion of fear, although the terms are closely similar. A risk is also different from a threat, the latter involving something that is always coercive and negative. Furthermore, a risk is different from a hazard, the latter being something that has the potential for causing harm or emergency.
Most people in the homeland security field regard risk as the product of danger or threat that a tangible impact could occur, the vulnerability of persons and things involved, and the degree of exposure to the consequences of the perceived danger or threat. A couple of quick definitions include risk as “the potential interaction of hazard and vulnerability for a given exposure of the items at risk” or “the likelihood of a particular threat attacking the vulnerability and the resulting impact.” There are many specialized fields of study in which the word “risk” is the an adjective that goes before some other word. For example, risk management is an integral part of what many professionals call project management, and it involves the application of control or monitoring techniques to anything that represents uncertainty or can produce failure. Such loss-control techniques are a common part of auditing and due diligence in the business community. Another term, risk assessment, refers to a more detailed application of the control techniques to a particular concrete problem, with the problem usually expressed as a quantitative or qualitative value in terms of the perceived likelihood or occurrence of an event. It is primarily a term found in the fields of safety and security engineering, although it has made inroads into forensic science (e.g., toxicology and epidemiology) as well as emergency management. Risk analysis involves a comparison of different hazards, investigation of their causes, and the context of overall risks to prevent or minimize the way they can jeopardize goal accomplishment or mission success.
Risk can be mathematically expressed as the evaluation of hazard, vulnerability, and probabilities, the likelihood of damage or loss multiplied by the number of items at risk (e.g., buildings and personnel). Mitigation of risk is a function carried out by all people because collectively and individually, we live in a risk or threat universe. Minimizing risk is the fundamental reason individuals and organizations implement security measures. All security-related activities are a part of risk management. Risk assessment is the determination of acceptable levels of risk. Any analysis that ties in specific threats to specific assets with an eye toward determining the costs and benefits of protecting that asset is called a risk assessment. Risk is usually a calculated assumption made based on past occurrences. The threat, on the other hand (as opposed to risk), is a real, instant danger. Any person, act, or object that poses a risk to security is called a threat. Any policy, procedure, or action that recognizes, minimizes, or eliminates a threat is known as a countermeasure, and if a countermeasure becomes fairly automated, it is usually called a control. Controls play a significant role in threat analysis. Risk assessment, however, is usually directed more toward vulnerabilities than threats. A vulnerability is any asset that is mission critical or essential to vital functions, and anything short of being called vulnerability is just called a weakness. Table 11.2 illustrates the various options that are laid on in a risk matrix based on degrees of impact and probability:
Table 11.2
| Low impact | High probability | High impact | |
| I. Contain and control | II. Prevent and protect | ||
| III. Safely ignore | IV. Insurance or backup plan | ||
| Low probability | |||
The above model is one way of looking at a risk assessment matrix. It is the kind of model you will find in any discipline whether business, criminal justice, or zoo keeping. Some threats are a high impact, which means they have tremendous costs (in dollars to repair or replace). Others are a low impact, which means they cannot do permanent harm. Some threats have high probability, which means they happen frequently. Others have low probability.
You will note that most control procedures are applied in Area I, reflecting a growing penchant for automated procedures with high-probability, low-impact events. Far more important, however, is the need to concentrate on Area II, where the high-probability, high-impact events occur. This area, Area II, or prevention and protection, is the area where most security and prevention efforts need to be directed. Another more common way of presenting the risk assessment matrix is shown in Figure 11.1:
However, probability (of occurrence) and (consequence) of impact severity may not be the only things to worry about. The standard risk assessment matrix is only a two-dimensional model. Time must be considered to make the model three-dimensional. This is especially important with certain kinds of threats that are detected on short notice, examples ranging from “ticking bomb” terrorism scenarios to impending asteroid collisions. In such cases, a different kind of risk matrix is needed, as illustrated in Figure 11.2
Note that when an immediately impending threat is imminent, Area IV becomes just as “risky” as Area II because we are considering how quickly a threat could appear and how fast we can deal with it. High risk can be associated with low probability as much as high probability. Prevention and protection plans should be developed for scenarios in which time inhibits both a slow and quick response. Quick response may not even be possible in some instances, but it is wise to plan for it. In many ways, this is a fundamental task of the homeland security function and requires envisioning zero-hour projects long before the need for conceiving of such projects.
Risk Analysis
Risk analysis (as opposed to risk assessment) usually involves the systematic study of risk conditions and the probable impacts of future events, incidents, and disasters. It involves comparison of different hazards, investigation of their causes, and refinement of estimates with longer term trends lines or projections. One assumption inherent in most risk analysis is that there must be some concern for the overall context of risks. In fact, those who argue that terrorist mitigation is “different” usually make the point that the context to be concerned about is the impact of counterterrorism on civil liberties. However, there are larger concerns, as any urban planner knows. An area may be susceptible to floods and landslides, but there are also risks from car accidents or aviation crashes, from specific diseases or environmental conditions, and from unemployment or crime. In fact, risks can come from different directions at any given time. A needs analysis should be done. Comparison of all the possible risks is essential in risk analysis, and comparison may reveal that certain risks are much less significant than others, no matter how important they seemed when viewed in isolation. Risks that the analyst believes are relatively insignificant and must be tolerated are called “residual” risks. Risks that the analyst believes are likely, given the absence of any event-specific intelligence, should be ranked from most to least probable. The list below shows an example of how to put together a comprehensive checklist:
Hazards have dispersed impact (sometimes called the scale or scope of impact) and are very much dependent on the type of hazard one faces. This is all the more reason to be comprehensive because a cascading effect may occur when multiple hazards impact. However, in the end, one cannot prepare for everything at once, so prioritization is needed. The example below illustrates what special event planners use to anticipate the types of threats to be considered in security preparations for the Olympic Games, for instance:
Major Event Incidents in Order of Probability (from Most to Least Probable)
3. Intellectual property rights violations
4. Crime: pickpockets, frauds, pranks
5. Vehicle and pedestrian movement problems
9. Demonstrations, some potentially violent
11. Attempts to extort sponsors
13. Bombings by individuals or groups
It is impossible to plan for everything, but it is possible to plan for a broad range of possibilities. Litman3 lists the scope of impact factors that are typically raised for a variety of hazards (Table 11.3).
Table 11.3
| Scale | Warning | Evacuation | EMS | Search and Rescue | Quarantine | Infrastructure Repair | |
| Hurricane | Very large | Days | X | X | X | X | |
| Earthquake | Large | None | X | X | X | X | |
| Tsunami | Very large | Short | X | X | X | X | |
| Flooding | Large | Days | X | X | X | X | |
| Forest fire | Small to large | Usually | X | X | X | X | |
| Volcano | Small to large | Usually | X | X | X | X | |
| Blizzard or ice storm | Very large | Usually | |||||
| Building fire | Small | Seldom | X | X | X | ||
| Explosion | Small to large | Seldom | X | X | X | X | |
| Radiation or chemical | Small to large | Sometimes | X | X | X | X | |
| Plague | Small to large | Usually | X | X | |||
| Riot | Small to large | Sometimes | X | X | |||
| War | Small to large | Usually | X | X | X | ||
| Landslide or avalanche | Small to medium | Sometimes | X | X | X | X |
Quantitative methods are frequently used to do the risk analysis. The casual investigation, simulations, and rigorous research methods may help clarify why risks exist and indicate the means by which they can be reduced. The analysis of data on risk levels can transform a vague qualitative idea of risk into a more precise quantitative, probabilistic one. A full-fledged probabilistic approach4 involves complex notions of release (rate at which the hazard strikes), exposure (vulnerability of populations per unit time), dose rate (impact per person), and background levels (inherent natural risk levels). However, simpler methods do exist that take advantage of logical extensions of most definitions of risk. The easiest method involves predictions are done with specific risks as a function of the plausibility of a hazardous event (sometimes called the threat probability) times the impact of the event (the scope of impact factor). Before we can even get to a threat probability, however, you need to know the odds of each risk.
The impact is simply calculated as the scope (how many people involved). Calculating the likelihood of a hazardous event, or its “threat probability,” is a matter of odds comparison with other risks. The result when you multiply the odds of any one risk times the expected impact size of the population at risk is something called the “relative level of risk determination” that, for double-checking purposes, is always a function of threat analysis times impact analysis (Table 11.4).
Table 11.4
Summary of Risk Assessment Formulas
| Relative risk analysis | Likelihood of hazard × Impact of an event |
| Vulnerability analysis | Likelihood of threat × Scope of impact |
| Threat analysis | Scope of impact × Source identification × Control weaknesses |
| Mitigation | Cost to mitigate × Level of risk reduction + Residual risk |
Vulnerability analysis also makes use of odds ratios or likelihoods. An essential rule of thumb is that threats are always examined on the basis of their likelihood, and impacts are always evaluated on the basis of their scope. Vulnerability is typically determined in the same way as “relative risk” except that for “threats,” the motivations and resources of an attacker (if human) must be considered along with a range of ways to circumvent security around a target. The range of attacks to be considered on a target (“what if” scenarios or penetration tests) should begin with simple “brute force” or “front door” attacks and then progress to “insider” or “sophisticated” attacks, which are not generally known. The average, or mean, the likelihood of success (across all attack scenarios) usually determines the probability of threat. A vulnerability is then simply the product of this times the expected impact (or scope).
Threat analysis involves scope but also involves calculating the likelihood of precisely knowing the threat source (source identification). There are man-made sources, natural sources, and common or combined sources of threats. Intelligence for source identification can sometimes be had using open-source methods, such as examining the media, but it behooves the threat analyst to examine as many intelligence sources as possible. Sometimes a record of previous attacks that fit the modus operandi becomes the sole basis for source identification, but more generically (and in the nonhuman context), any circumstance that has the potential to cause harm should be considered a threat source. If the threat source is already known, all that is needed is to assess the scope of impact along various vulnerabilities (called impact analysis). It should be remembered that without vulnerability, a threat source does not present a risk, so threat analysis assumes that vulnerability analysis has already been done. Threat analysis goes beyond vulnerability analysis by looking at weaknesses in the control mechanisms or countermeasures for identified threats. Control weaknesses may be technical, operational, or management related, and it might be best to admit here that assessment of control weaknesses is often a subjective matter of judgment, although in recent years, there has been a tendency to evaluate control by the principles of information assurance and security, for which there are five (availability, integrity, authentication, confidentiality, and nonrepudiation) according to National Security Agency information assurance guidelines.
Finally, the cost obviously enters into the process of deciding which mitigation efforts to pursue. The “best” mitigation plan or activity is the one that is cost effective (i.e., provides an acceptable reduction in risk at the lowest cost with the least amount of residual risk). The amount of acceptable risk to absorb is always a management decision. The amount of cost to mitigate may be something the emergency planner or manager can lobby for. After a decision has been made, the emergency planner may want to start calculating “opportunity costs” for the directions not taken. It is also a good idea to keep track of how security policies tend to change by themselves over time because sometimes these “savings” can be the impetus for pursuing even greater risk mitigation.
Resilience
Resilience is a concept usually associated with the coordination issues presented by impact, or in other words, by the notion that a system will still continue functioning in at least a rough homeostasis resembling how the system worked before an attack. Resilience is the up-and-coming buzzword in emergency management as well as terrorism prevention. It has the potential to deter terrorism. In theory, if a nation shows extreme resilience by recovering very fast, then to an outside observer (and to terrorists), it looks as if that nation was not laid low at all. Theoretically, this is supposed to demoralize terrorists. Sometime around 2005, Department of Homeland Security officials embraced the concept most likely as a way to avoid what happened in Spain during 2004 when terrorists were able to influence the elections there by the Madrid bombings. Resilience as a strategy hopes to sideline terrorists of the one thing they value most when it comes to attacks—the impact. Resilience is given prominent mention by Flynn5 and as a grand strategy by Palin.6
Related or parts of the resilience concept are many and include diversity, redundancy, efficiency, autonomy, and strength. The resilience concept acknowledges uncertainty and unpredictability in ways that closely resemble a kind of move along the reaction. Resilience is about the only game in town when it comes to preparedness for unexpected hazards and the adaptive moves of clever adversaries or enemies who will just keep attacking and attacking again. Intelligence analysis tends to take on a short-term (100-day) form under a resilience framework, and greater attention is paid to target hardening, of course. It is expected that an attack will come or that disaster will strike, but the consequences do not have to be all that tragic. Neither total success nor total failure should be expected. In fact, it is possible for a system to learn from failure more than success—and that is a crucial aspect of resilience—to absorb or buffer the attack, observe and adapt to it, and learn from it how to increase capacity before the next assault. Let’s consider some definitions of resilience provided by Armitage7: (1) “the ability of a system to absorb or buffer disturbances and still maintain its core attributes” or (2) “the ability of a system to quickly re-organize itself by improving its capacity for learning, adaptation, and change.”
Clearly, resilience has some good aspects to it, but resilience alone cannot win a war on terror. It only dissipates the impact. There are strategies for war and strategies for peace,8 and resilience as the strategy seems to be a protectionist concept with elements of self-preservation suitable for both war and peace. Time will tell if the concept has staying power.
Security and Safety Engineering
Structural engineers are building experts who are often involved in construction safety investigations. Buildings, bridges, and other man-made structures are not supposed to fail, but sometimes they do because of fire, earthquakes, high winds, errors in design and construction, flaws in materials or workmanship, or terrorist attacks. Numerous organizations are associated with structural engineering and the many contributions it can make to mitigation, particularly in the area of terrorist mitigation; The 2002 National Construction Safety Team Act, under which National Institute of Standards and Technology (NIST) operates in the homeland security realm, is modeled somewhat after the pattern by which the National Transportation Safety Board investigates transportation accidents. The field of criminal justice, by comparison, has few forensic science disciplines that match this level of expertise in engineering and failure analysis. NIST has conducted or led the investigations listed in Table 11.5.
Table 11.5
Examples of NIST Investigations
Family-based disaster planning should not be overlooked or understated. To cite just a few examples of scientific facts everyone ought to know,9 vehicles are not airtight enough to withstand a chemical hazard, certain homemade nose and mouth filters may withstand a biological attack, and some stable-looking buildings are not so stable in a nuclear attack. On some of the other topics in Table 11.5, there is little questioning that the involvement of disaster scientists in criminal justice and fire safety is a real thing. Scientific or engineering expertise is rarely brought to bear, however, on community issues. An “opportunities” approach tends to characterize the government’s pattern in this regard, as exemplified by various volunteer Community Emergency Response Team (CERT) groups and the like. However, it remains to be seen if good mitigation springs from these organizations or they simply fulfill a desire to be prepared. Nevertheless, the potential for such initiatives is great, and it is perhaps academia that is dropping the ball here because the sociologic phenomenon of civic voluntarism has yet to be jumped on by researchers. There is nothing wrong with local communities trying to improve their homeland security capabilities, and they should be assisted in as many ways as possible.
Reciprocal Aid Agreements
More extensive work is needed in the area of reciprocal aid. Reciprocal aid (or mutual aid) agreements are formal agreements with neighboring jurisdictions to furnish mutual or reciprocal aid. Reciprocal aid agreements also play a fundamental role in how civilian authorities can use military resources. A reciprocal aid agreement should specify several things very clearly and, if necessary, in a separate form for each of the jurisdictions involved. Exactly what is to he provided in given circumstances should be spelled out in terms of manpower, equipment, vehicles, and supplies, as appropriate. The duration of such external assistance should be specified along with any limitations to be placed on it. Unless the financial burden of supplying reciprocal aid is deemed to be roughly equal among the parties, arrangements may have to be spelled out for financial compensation. It may also be appropriate to state the conditions in which mutual aid is not expected to be furnished. Finally, there are cases in which mutual aid is best mapped out at a conference attended by various jurisdictions to ensure that the assistance is efficiently planned rather than provided for in a series of bilateral agreements that tend to duplicate resources or lead to imbalances. According to Alexander,10 sociologists have classified five organizations that operate in disasters:
Adapting organizations retain their original structure and complement of personnel but adapt their operations to the needs of the disaster; thus, a local government council may form a relief committee.
Expanding organizations increase their complement to cope with the disaster, perhaps by taking on volunteer workers, canceling the leave of permanent personnel, calling in consultants, or increasing the hours of part-time workers.
Extending organizations increase the range of their activities to cover needs generated by the disaster; thus, a construction company may be involved in structural mitigation and urban search and rescue activities.
Emerging organizations are born out of the situation created by the catastrophe and the emergence of people with latent gifts of organization and leadership; for example, victims and survivors may form an association to represent their needs more effectively. (Thus, what sociologists call a disaster subculture is born among the affected group.)
Redundant organizations have no role to play during a disaster and are usually abandoned by their members for the duration of the emergency. These may include sporting or cultural societies, although occasionally, they adapt their functions and find a role in the emergency.
Emergency Preparedness
Preparedness in the field of emergency management can best be defined as “a state of readiness to respond to a disaster, crisis, or other emergency situation.” General or long-term preparedness encompasses the organization of resources in the areas of prediction, forecasting, and warning against disaster events. It also involves education and training initiatives and planning to evacuate vulnerable populations from threatened areas. It often takes place against a background of attempts to increase public and political awareness of potential disasters and to garner support for increased funding of mitigation efforts. Short-term preparedness means to prepare for certain disasters after they have begun or begin to occur. In this latter sense, preparedness means to prepare as much as possible for known disasters, and the best preparations are always about what we know best. The best preparation is to get ready, plan, organize, set up, and practice some drill or test. Real preparedness means proper planning, resource allocation, and training, to include simulated disaster response exercises. It is important to conduct exercises to ensure that skills, equipment, and other resources can be effectively coordinated when an emergency occurs. Exercises also provide an excellent opportunity to identify organizational and departmental shortcomings and take corrective action before an actual event takes place.
Airports, hospitals, and other healthcare facilities must conduct an exercise once every 2 years to maintain their certification or license to operate, and many employers are required by the Occupational Safety and Health Administration (OSHA) to have an emergency action plan that is in accordance with OSHA guidelines. For example, the Nuclear Regulatory Commission requires nuclear power plants to test their disaster plans yearly and conduct a full-scale exercise every 2 years. The U.S. Department of Justice also plays a doctrinal role in how state-level departments of homeland security should engage in exercise planning and management.
Five kinds of exercises can be conducted in the name of emergency preparedness: (1) orientation, (2) drill, (3) tabletop exercise, (4) functional exercise, and (5) full-scale exercise. The difference between the last two is that a full-scale exercise usually involves people playing the role of victims, and the word “scenario” is generally applied to any exercise that has lots of enhancements or props to make it seem realistic. Proper planning for the exercise may take up to 3 months before the event, but recommendations or “lessons learned and best practices” should be finished no later than 3 weeks afterward. An exercise does not actually “end” with a fixed stopping point until the person or persons playing the role of evaluator have collected enough information.
The simplest example of a preparedness exercise is an evacuation drill, or more precisely, an orientation on the location of escape exit routes with estimated clearance times. The National Fire Protection Association sells manuals on how to conduct evacuation drills. A good drill includes the routes people should take, where stockpiles of medical supplies are stored, how emergency and medical personnel should deploy, and a test of hospital capability to handle certain patients or injuries. Advanced disaster simulations or scenarios can be done using a National Guard Bureau’s J5 (IA) Unit or any of the state National Guard units that have an elite WMD-CST (weapons of mass destruction, civil support team). The National Response Center, staffed 24 hours a day by the Coast Guard, is another place where elite training is done, and foremost among the many lessons learned from training exercises include the biannual TOPOFF (Top Officials) drills. The Federal Emergency Management Agency (FEMA) supports many simulation exercises, and, has a Master Curriculum Guide at the Emergency Management Institute’s website. FEMA also collects “Smart Practices” that exemplify good local preparedness activities. Some of the lessons learned from conducting disaster simulations at the national and international level include the following:
Expect shortages of needed supplies, parts, and vaccines.
Expect communication interoperability problems.
Do not make unified command overly complicated or formal.
Prepare to deal with issues associated with sharing of (sensitive) information.
Clearly, emergency response drills and simulation exercises are worth the effort. Exercises help evaluate an organization’s capability to execute one or more portions of its response plan or contingency plan, and research has shown that people respond to an emergency in the way that they have trained.