Incorporating Four Elements

A crisis strikes. It could be anything… a health pandemic, an active shooter, a bomb threat, a loss of electrical power, a flooded building or a severe weather event. Who on your campus responds? What needs to be done? Who makes the decisions and who needs to be contacted? These, and many more decisions need to be made, and made quickly. But, crisis events are difficult to manage without some sort of structure and plan in place. Each college or university, regardless of size, should have a general emergency operations plan, as well as more specific incident type emergency action plans in place for these or other emergencies.

First, what is a crisis? It is an event which alters the normal operations of the organization or threatens/is causing harm to the organization or its’ students, employees and visitors. It may be slow moving/evolving, such as a weather event. Or, it can be an immediate incident such as a loss of utilities or an active shooter threat.

An Emergency Operations Plan (EOP) is more about a definition of a structure to deal with all types of hazards and less about procedures. Many EOPs follow the FEMA National Incident Management System (NIMS) design. This describes the Incident Command System (ICS) structure. The advantage to using this design is that it is the concept used by public first responders, as well as FEMA. Therefore, a college or university could have their ICS easily align with a public response entity. There is also a great deal of training on line from FEMA which is free and available to all: .

The EOP Should Include Several Other Components:

  • The kinds of events that warrant an ICS response.
  • Who can, and how to, initiate the assembly of an ICS team.
  • The location of a meeting place for the ICS. There should be at least one main location and perhaps, if possible, alternate locations.
  • It should identify who would fill each of the roles. These should be identified by a job position, not by a name. It should also address the minimum level of training required for each position.
  • A format for developing the specific Incident Action Plan (IAP). An IAP formally documents incident goals (known as control objectives in NIMS), operational period objectives, and the response strategy defined by incident command during response planning. This is a critical aspect in managing a crisis, keeping the team focused.
  • Job action sheets for each position. These are guidelines that define what tasks each position is responsible for and perhaps even when they should be undertaken.
  • A communications plan which should be aligned with the Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (Clery Act) requirements for Timely Warning and Emergency Notification. This is the federal law which, among many other items, requires campuses to issue immediate alerts about any emergency situation that is a threat to the health or safety of students and employees.
  • Resources available for the ICS team, which include, but not be limited to emergency contact information, both internal and external, supplies and sources for additional supplies, maps or drawings of facilities on campus, and critical infrastructure and utility locations.

Once there is a good EOP, every university should identify potential action plans for the types emergencies that are most likely. OSHA standards [29 CFR 1910.38(a)] require these EAPs for fire, evacuation and “other” emergencies.

How do you know what types of incidents should be addressed? Each campus should conduct a hazard and vulnerability analysis or risk assessment. It is recommended that this be done at least annually, since needs change over time.

Below are two examples of assessment scoring using publicly available tools that can help with evaluating severity and ranking for priority consideration. The first graph was developed by Kaiser Permanente, the second is from Children’s Hospital in Colorado. While the tools have been developed for and by healthcare, these can also be used for university HVA.

The key is to have subject matter experts provide good input. It never hurts to share and compare your HVA with peer organizations and public response resources. Their input can make the evaluation more reliable and accurate.

The types of incidents to consider should include weather events such as snow, cold, tornado, hurricane; natural disasters, such as floods, earthquakes and landslides; health events, such as pandemics; chemical, biological or radioactive leaks or releases.

You should also consider utility disruptions to power, water or air conditioning and heat; technology interruptions, including cyber attacks; incidents of criminal activity and violence, such as bomb threats or an active shooter threat;cCivil unrest or protest that may make access to the campus difficult or unsafe; and strikes, work stoppages or labor availability issues.

Keep the EAPs broad enough to be adaptive to changing elements, and try to follow similar action steps for people as much as possible. Don’t make it a step-by-step list for a person to follow. Remember that people will not be reading these as the emergency is occurring. For example, prior to COVID-19, some healthcare institutions had a plan for what is called a High Consequence Infectious Disease (HCID) program, to address any kind of disease that could cause a pan- demic. They did not create individual plans for EBOLA, COVID, H1N1, etc. The same holds true for fire emergencies. Don’t direct people to a specific fire stairwell, direct people to use the closest available fire stairwell instead.

An emergency action plan must be in writing, kept in the workplace, and available to employees for review. The intent is that the EAP is to be provided to employees and students as a quick guide of action steps to be taken in the response to an event. For emergency managers, an EAP should have a parent document that is more comprehensive and formatted to address the four elements of the Emergency Management Continuum.

Prevention and mitigation should address steps to take in order to avoid the emergency event. It is always better to do this rather than have to deal with the consequences. An example may be having security present where there is a high potential for violence. It may involve training on subjects such as how to safely work on an electrical system to avoid electrocution and loss of power. As shown in the HVA process, to mitigate the probability and magnitude of impact, prevention can help reduce the risk.

Preparedness involves having resources, relationships, plans and operations ready in the event of an incident. During the COVID- 19 pandemic, for example, some emergency managers already had plans and resources in place to obtain face masks and hand sanitizer. Preparedness means that plans should be in place on how to communicate to students and staff, ensuring the mass notification system is in place and works.

Another example involves a recent snow event when universities closed to avoid putting students in danger during their travel to classes. The plan was triggered when certain conditions were met, eliminating the inevitable academic debate about what is unsafe as the weather approached.

Preparedness may mean having alternative sites to use for class meetings, if the usual classroom building is rendered unsafe. It means conducting evacuation drills, so that students know what to do in a real emergency. Don’t believe that people will step up to a challenge without proper training and exercise; this is an important consideration in preparedness. Ensure that exercises and drills are conducted to provide muscle memory responses when needed.

Recently, there has been a lot of work done to prepare for cyberattacks. It seems that the adaptive aggressors are devising devious methods to deny services and demand ransom. Is your university prepared? Are you willing to pay the ransom? Do you have a response team? Are you covered by insurance? If needed, do you have access to bitcoin?

Response after/during the incident. Certain actions should occur automatically. These steps should be part of the EAP that is distributed to student and employees. The senior subject matter expert on duty should be empowered to execute these steps. This includes whatever is necessary to ensure the safety of people involved, evacuation (if appropriate), ensuring medical response can be facilitated, keeping others from entering an unsafe area and initiating emergency notification messages.

Once it is safe, the ICS should be activated. By design, the NIMS ICS structure allows the Incident Commander to activate some or only part of the ICS team, based on need. Once assembled, the first step for the ICS team is to develop the IAP. Keep this short, don’t bite off too much. The number of objectives should be no more than three priorities. In many cases, time is of the essence, so do not allow paralysis by over analysis. Sometimes a good plan executed on time is better than a perfect plan implemented too late. Do not think a crisis will follow a procedure, consider best options and then look at what occurs next. A good Incident Commander can take input from various sources, synthesize the information and make good decisions quickly. The Incident Commander “herds the cats” in the right direction, allowing the opportunity for good ideas to evolve through critical thinking during the crisis.

Recovery is too often the forgotten or under-resourced step. It sometimes becomes part of the response phase, but it should be handled as separate phase. People may be exhausted from fighting the metaphoric fires during the response phase, so consider bringing in fresh troops to work through the resumption of operations. Recovery is putting into play your business continuity plan (BCP). Once it is safe, how do you resume operations? As a part of preparedness, a BCP should be developed.

If you managed through the crisis because of your preparation, congratulations. Everyone is safe, business is resuming, classes are back in session and the cafeteria is serving their meals again. But, before you high five everyone in the Incident Command and take that some well deserved time off, you have one more task. It is called an After Action Review or AAR. This is the opportunity to learn from the incident to better prepare your campus for the next one. Were your assumptions correct? What went well? Want needs improvement? What should be done differently? Conduct an AAR as soon as it is feasible, while the events are still fresh in everyone’s mind

You should capture these comments and modify your EOP and EAPs accordingly. Never miss an opportunity to learn and improve. It means that you will better prepared for the next, inevitable, emergency.

This article originally appeared in the November December 2020 issue of Campus Security Today.


  • California School District Modernizes Surveillance System

    i-PRO Co., Ltd. (formerly Panasonic Security), a provider of professional security solutions for surveillance and public safety, recently announced that the Murietta Valley Unified School District (MVUSD) in Riverside County, CA, has undertaken a project to modernize its first-generation surveillance system to new high-resolution i-PRO network cameras, and the i-PRO Video Insight video management system (VMS). Read Now

  • RAD Makes History with First Robotic Dog Deployed to Taylor Police Department

    Robotic Assistance Devices, Inc. (RAD), a subsidiary of Artificial Intelligence Technology Solutions, Inc., recently announced that it has delivered a RADDOG LE to the Taylor, Michigan Police Department. The delivery of RADDOG LE to the Taylor Police Department marks a historic moment in the integration of technology within law enforcement. This milestone underscores RAD’s commitment to revolutionizing the landscape of security and public safety through cutting-edge AI-powered, robotic solutions. Read Now

  • Passing the Test

    The discussion about secured access and access control for higher education and K-12 is continuously expanding and evolving. That is a good thing. The more knowledge we gain and the more solutions that become available, linked and interoperable, the better and higher the level of security and safety. Read Now

  • Driving a Major Shift

    One of the driving forces for change has been the high demand for unified solutions. Users are asking their vendors for a way to manage all their security systems through a single interface, from a single pane. This has led to a flurry of software development to seamlessly integrate access control systems with video surveillance, intrusion detection, visitor management, health monitoring, analytics with artificial intelligence (AI), and more. Read Now