MITIGATION AND PREPAREDNESS

These class notes were composed by Dr. Tom O'Connor for his class on Homeland Security at NORTH CAROLINA WESLEYAN COLLEGE, original documents can be found here

MITIGATION AND PREPAREDNESS
"In the long run luck is given only to the efficient" (Helmuth von Moltke)

Mitigation is a type of long-term, pre-disaster planning which involves sustained expenditures on structural and non-structural efforts to reduce or eliminate future risks. Mitigation plans and activities are, in practice, usually medium to long term, and mitigation is the cornerstone of emergency management since it is an example where thinking ahead pays off in the long run. Terminologically, mitigation is related to two other concepts of long-term planning: reconstruction and preparedness. Reconstruction means repair or rebuilding, and preparedness means getting ready or practicing to respond. Mitigation means to lessen the effects or take action toward the building and putting together of certain structures and plans so that the impact of any future disaster will be ameliorated, or eliminated, if possible. Amelioration means to change things for the better, and impact can be understood as the consequences, or the likelihood of something happening in the first place, if the latter is theoretically possible.

Some simple examples of mitigation activities that an emergency manager might do include: promoting flood insurance, urging the structural redesign of buildings, raising or moving homes from flood zones, or just making sure there are appropriate building codes within certain communities. Mitigation planning involves an assessment of the threats facing a community, such as the likelihood of a terrorist attack, and an assessment of possible targets. Terrorist mitigation is a somewhat controversial phrase which implies special plans and practices for terrorism need to supplement an all-hazards approach (Bullock et. al. 2005; also see FEMA antiterrorism page). Mitigation planning is an ongoing process, with continual reassessments as necessary to ensure proper preparedness. Some experts argue that there is such as thing as post-disaster mitigation, and that pre-disaster mitigation ought to be called prevention. The usual division of mitigation into two (2) categories -- (1) structural and (2) non-structural (Alexander 2002) -- is intended to denote the importance of integrated planning in mitigation; that is, the kind of planning which efficiently balances a combination of engineering solutions (like moving homes) with political solutions (like changing the zoning abatements for a community). Some solutions only have a short window of opportunity to capitalize on public and political support. Non-structural solutions are often brought in when engineering solutions have become very costly and/or have not resulted in a substantial reduction in losses. Evacuation planning is sometimes considered a type of non-structural mitigation, but evacuation, as a topic, is covered under a subsequent lecture on response and recovery. At this point, it might be helpful to outline the four phases of disaster management (along with their definitions) which make up the topics for this and the subsequent lecture.

Mitigation is the buzzword that gets a city or county pass-through federal grant money every year. Under the Disaster Mitigation Act of 2000 (which amends the Robert T. Stafford Disaster Relief & Emergency Assistance Act, enacted in 1988), FEMA (in conjunction with DHS) administers what is called the EMPG program (Emergency Management Performance Grants). The baseline minimum for any community is $12,000 and there are formulas for getting more depending upon population size. Matching grants are also available if a community invests some of its own funds. State-by-state, it adds up to about $165 million per year, and can be used for administration purposes, planning, exercises, EOC enhancements, testing response plans, public education and outreach, and hazard or vulnerability assessment. The trick to successful grant-writing for mitigation purposes involves two essential ingredients: (1) involving a wide range of community stakeholders into the planning process; and (2) carrying out a comprehensive risk and vulnerability assessment. While there are many issues (including conflict of interest issues) surrounding the involvement of stakeholders in mitigation planning, this lecture will concentrate primarily on risk assessment.

There are many definitions of risk. Risk is the product of danger or threat that a physical impact would occur, the vulnerability of the people, buildings threatened, and their degree of exposure to perceived danger. A couple of quick definitions include risk as “the potential interaction of hazard and vulnerability for a given exposure of the items at risk" or "the likelihood of a given threat attacking a vulnerability and the resulting impact." Risk analysis involves a comparison of different risks, investigation of their causes, and the context of overall societal risks. Risk can be mathematically expressed as the evaluation of hazard, vulnerability and probabilities, the likelihood of damage or loss multiplied by the number of items at risk; e.g., buildings and personnel. Mitigation of risk is a function carried out by all people since collectively and individually we live in a risk/threat universe.

Minimizing risk is the fundamental reason why individuals and organizations carry out security measures. All security related activities are a part of risk management. Risk assessment is the determination of acceptable levels of risk. Any kind of analysis that ties-in specific threats to specific assets with an eye toward determining the costs and/or benefits of protecting that asset is called RISK ASSESSMENT. Risk is usually a calculated assumption made based on past occurrences. Threat, on the other hand (as opposed to risk), is constant. Any person, act, or object that poses a danger to security is called a THREAT. Any kind of policy, procedure, or action that recognizes, minimizes, or eliminates a threat is called a countermeasure, and if a countermeasure becomes fairly automated, it is usually called a control. Controls play an important role in threat analysis. Risk assessment, however, is directed more toward vulnerabilities than threats. VULNERABILITY is any kind of asset that is mission-critical or essential to vital functions, and anything short of being called a vulnerability is just called a weakness. The following diagram illustrates the commonsense foundations of risk assessment in risk management.

The above model is your standard RISK ASSESSMENT matrix. It's the exact same model you'll find in any discipline, whether business, criminal justice, or zookeeping. Some threats are High impact, which means they have tremendous costs (in dollars to repair or replace). Others are Low impact, which means they can't do permanent harm. Some threats have High probability, which means they happen frequently. Others have Low probability. You'll note that most control procedures are applied in Area I, reflecting a growing penchant for automated procedures with high probability/low impact events. Far more important, however, is the need to concentrate on Area II, where the high probability/high impact events occur. This area, Area II, or Prevention and protection is the area where most security and prevention efforts need to be directed.

RISK ANALYSIS is the systematic study of risk conditions and the probable impacts of future events, incidents and disasters. It involves comparison of different risks, investigation of their causes and refinement of estimates with longer-term or more precise data. One assumption inherent in most risk analysis is that there must be some concern for the overall context of societal risks. In fact, those who argue that terrorist mitigation is "different" usually make the point that the context to be concerned about is the impact of counterterrorism on civil liberties. However, there are larger concerns, as any urban planner knows. An area may be susceptible to floods and landslides, but there are also risks from car accidents or aviation crashes, from specific diseases or environmental conditions, and from unemployment or crime. A needs analysis should be done. Comparison of all the possible risks is essential in risk analysis, and comparison may reveal that certain risks are much less significant than others, no matter how important they seemed when viewed in isolation. Risks that the analyst believes are relatively insignificant and must be tolerated are called "residual" risks. The following is a checklist for various hazards that pose risks.

A Checklist of Hazards

o	Airplane crash	o	Sustained power failure
o	Dam failure	o	Terrorism
o	Drought	o	Tornado
o	Epidemic (biological attack)	o	Train derailment
o	Earthquake	o	Tsunami
o	Fire/Firestorm	o	Volcanic eruption
o	Flood	o	Wildfire
o	Hazardous material spill/release	o	Winter storm
o	Hostage/Shooting	o	Workplace violence
o	Hurricane	o	Other ______________________
o	Landslide/Mudslide	o	Other ______________________
o	Mass fatality incident	o	Other ______________________
o	Radiological release	o	Other ______________________

Quantitative methods are frequently used to do risk analysis. Casual investigation, simulations, and rigorous research methods may help clarify why risks exist and indicate the means by which they can be reduced. The analysis of data on risk levels can transform a vague qualitative idea of risk into a more precise quantitative, probabilistic one. A full-fledged probabilistic approach (Bedford & Cooke 2001) involves sophisticated notions of release (rate at which the hazard strikes), exposure (vulnerability of populations per unit time), dose rate (impact per person), and background levels (inherent natural risk levels). However, simpler methods exist which take advantage of logical extensions on most definitions of risk. For example, most calculations are done with specific risks as a function of the likelihood of a hazardous event (sometimes called the threat probability) times the impact of the event (the scope of impact factor). The likelihood of a hazardous event is the most important factor to have rigorous data on because impact is often simply calculated as scope (how many people). Calculating the likelihood of a hazardous event, or its "threat probability," is a matter of odds-comparison with other risks (see Risk Quiz at Harvard's Center for Risk Analysis). What you end up with when you multiply the odds for any one risk times the expected impact size of the population at risk is something called the "Relative Level of Risk Determination" which, for double-checking purposes, is always a function of threat analysis times impact analysis. [see explanatory table below]

Vulnerability analysis also makes use of odds-ratios or likelihoods. A basic rule of thumb is that threats are always examined on the basis of their likelihood, and impacts are always evaluated on the basis of their scope. Vulnerability is essentially determined in the same way as "relative risk" except that for "threats," the motivations and resources of an attacker (if human) must be considered along with a range of ways to circumvent security around a target. The range of attacks to be considered on a target ("what if" scenarios or penetration tests) should begin with simple "brute force" or "front door" attacks and then progress to "insider" or "sophisticated" attacks which are not generally known. The average, or mean, likelihood of success (across all attack scenarios) usually determines the likelihood of threat. Vulnerability is then simply the product of this times the expected impact (or scope).

Threat analysis involves scope but also involves calculating the likelihood of precisely knowing the threat source (source identification). There are man-made sources, natural sources, and common or combined sources of threats. Intelligence for source identification can sometimes be had using open-source methods, like examining the media, but it behooves the threat analyst to examine as many intelligence sources as possible. Sometimes, a record of previous attacks that fit the modus operandi become the sole basis for source identification, but more generically (and in the non-human context), any circumstance that has the potential to cause harm should be considered a threat-source. If the threat-source is already known, all that's needed is to assess the scope of impact along various vulnerabilities (and this is called impact analysis, by the way). It should be remembered that without a vulnerability, a threat-source does not present a risk, so threat analysis assumes that vulnerability analysis has already been done. Threat analysis goes beyond vulnerability analysis by looking at weaknesses in the control mechanisms or countermeasures for identified threats. Control weaknesses may be technical, operational, or management-related, and it might be best to admit here that assessment of control weaknesses is often a subjective matter of judgment, although in recent years, there has been a tendency to evaluate control by the principles of information assurance and security, for which there are five (availability, integrity, authentication, confidentiality, and non-repudiation) - see NSA Information Assurance FAQ website.

Finally, cost obviously enters into the process of deciding which mitigation efforts to pursue. The "best" mitigation plan or activity is the one that is cost-effective; i.e. provides an acceptable reduction in risk at the lowest cost, with the least amount of residual risk. The amount of acceptable risk to absorb is always a management decision. The amount of cost to mitigate may be something the emergency planner or manager can lobby for. Once a decision has been made, the emergency planner may want to start calculating "opportunity costs" for the directions not taken. It's also a good idea to keep track of how security policies tend to change by themselves over time, as sometimes, these "savings" can be the impetus for pursuing even greater risk mitigation.

Structural engineers are building experts who are often involved in construction safety investigations. Buildings, bridges, and other man-made structures are not supposed to fail, but, sometimes they do, because of fire, earthquakes, high winds, errors in design and construction, flaws in materials or workmanship, or terrorist attacks. There are numerous organizations associated with structural engineering and the many contributions it can make to mitigation, particularly in the area of terrorist mitigation; e.g., ACI, AISC, ASCE, IFMA, NAE, NFPA, SEA, the U.S. Army's ERDC, and DoD's DTIC to name a few, but at least since 2002, one agency stands out as an investigator of major structural failures -- NIST (National Institute of Standards and Technology). The 2002 National Construction Safety Team Act, under which NIST operates in the homeland security realm, is modeled somewhat after the pattern by which the NTSB (National Transportation Safety Board, now called the Office of Transportation Disaster Assistance) investigated transportation accidents. The field of criminal justice, by comparison, has few forensic science disciplines (see Arson/Explosives; Forensic Reconstruction; NLETC) that match this level of expertise in engineering and failure analysis. NIST has conducted or led the following investigations:

Recent NIST Investigations

Building, Fire & Structural Failures

Natural Disasters

Nightclub fire, W. Warwick, Rhode Island, 2003
Terrorist attack, Pentagon, 2001
Apartment fire, New York City, 1998
Terrorist bombing, Murrah Federal Building, 1995
Building fire, Happyland Social Club, Bronx, 1990
Tank failure, Ashland Oil Co., Pittsburgh, 1988
Building fire, First Interstate Bank Building, Los Angeles, Calif., 1988
Building fire, Dupont Plaza Hotel, San Juan, 1986
Highway ramp failure, East Chicago, 1982
Condominium collapse, Cocoa Beach, 1981
Cooling tower collapse, Willow Island, W.Va., 1978
Apartment building collapse, Bailey’s Crossroads, Va., 1973

Earthquake, Kocaeli, Turkey, 1999
Tornado, Oklahoma City, Okla., 1998
Hurricanes Mitch (Central America) and Georges (Caribbean), 1998
Earthquake, Kobe, Japan, 1995
Earthquake, Northridge, Calif., 1994
Hurricane Andrew, Florida, 1992
Loma Prieta Earthquake, Santa Cruz, Calif., 1989
Earthquake, Armenia, 1988
Earthquake, Mexico City, Mexico, 1985

Besides conducting neutral, "third-party" investigations into disasters like the WTC tragedy, the basic pattern of the government model for the services of a federal disaster assistance agency like NIST can be to provide guidance and "best practices" on topics like the following:

Granted, much in the above list draws agencies like NIST into areas of non-structural mitigation, but indeed, there are important scientific facts every individual, family member, first responder, and community ought to know. Family-based disaster planning should not be overlooked or understated. To cite just a few examples of scientific facts everyone ought to know (Bullock et. al. 2005), vehicles are not airtight enough to withstand a chemical hazard, certain homemade nose and mouth filters may withstand a biological attack, and some stable-looking buildings are not so stable in a nuclear attack. On some of the other topics in the list above, there is little question that the involvement of disaster scientists in criminal justice, criminalistics, and fire safety is a good thing. Scientific or engineering expertise is rarely brought to bear, however, on community issues. An "opportunities" approach tends to characterize the government's pattern in this regard, as exemplified by the mega-agency known as the Corporation for National and Community Service, which is part of a White House initiative known as Freedom Corps. Opportunities are somewhat matched to interests and talents in many Freedom Corps organizations, like Peace Corps, Citizen Corps, AmeriCorps, Senior Corps, and the newly-launched Fire Corps, but it remains to be seen if good mitigation springs from these agencies or they simply fulfill a desire to serve. Learn & Serve grants are available for "service learning" projects involving academia and presumably help prepare people for responsible citizenship, but other than steering volunteers toward how to join or form a FEMA CERT (Community Emergency Response Team), most non-structural homeland security mitigation has simply been steering people toward existing programs, like the National Sheriff Association's Neighborhood Watch, the International Chief of Police' Volunteers in Police Service, or the Boy Scouts. Nevertheless, the potential for such initiatives is great, and it is perhaps academia who is dropping the ball here, as the sociological phenomenon of civic voluntarism has yet to be jumped on by researchers. There is nothing wrong with local communities trying to improve their homeland security capabilities, and they should be assisted in as many ways as possible.

One area where more extensive work is needed is the area of reciprocal aid. Reciprocal aid (or mutual aid) agreements are formal agreements with neighboring jurisdictions to furnish mutual or reciprocal aid. A reciprocal aid agreement should specify several things very clearly and, if necessary, in separate form for each of the jurisdictions involved. Exactly what is to he provided in given circumstances should be spelled out in terms of manpower, equipment, vehicles and supplies, as appropriate. The duration of such external assistance should be specified, along with any limitations to be placed on it. Unless the financial burden of supplying reciprocal aid is deemed to he roughly equal between the parties, arrangements may have to be spelled out for financial compensation. It may also be appropriate to state the conditions in which mutual aid is not expected to be furnished. Finally, there are cases in which mutual aid is best mapped out at a conference attended by various jurisdictions, in order to ensure that the assistance is efficiently planned, rather than provided for in a series of bilateral agreements that tend to duplicate resources or lead to imbalances. According to Alexander (2002), sociologists have classified five (5) organizations that operate in disasters:

Preparedness in the field of emergency management can best be defined as "a state of readiness to respond to a disaster, crisis, or other emergency situation." General, or long-term preparedness encompasses the marshalling of resources in the areas of prediction, forecasting and warning against disaster events. It also involves education and training initiatives, and planning to evacuate vulnerable populations from threatened areas. It often takes place against a background of attempts to increase public and political awareness of potential disasters and to garner support for increased funding of mitigation efforts. Short-term preparedness means to prepare for certain disasters once they have begun or begin to occur. In this latter sense, preparedness means to prepare as much as possible for known disasters, and the best preparations are always about what we know best. The best preparation is to get ready, plan, organize, set up, and practice some drill or test. Good preparedness means proper planning, resource allocation, training, and simulated disaster response exercises. It is important to conduct exercises to ensure that skills, equipment, and other resources can be effectively coordinated when an emergency occurs. Exercises also provide a good opportunity to identify organizational and departmental shortcomings and take corrective action before an actual event takes place.

Airports, hospitals, and other healthcare facilities must conduct an exercise once every 2 years to maintain their certification or license to operate, and many employers are required by OSHA (Occupational Safety and Health Administration to have an emergency action plan that is in accordance with OSHA Guidelines for Emergency Response in the Workplace. The NRC (Nuclear Regulatory Commission) requires nuclear power plants test their disaster plans yearly, and conduct a full-scale exercise every two years. The U.S. Department of Justice - Office for Domestic Preparedness maintains HSEEP (Homeland Security Exercise & Evaluation Program) which is "both policy and doctrine" for how state-level Departments of Homeland Security ought to engage in exercise planning and management.

There are five (5) kinds of exercises that can be conducted in the name of emergency preparedness: (1) orientation; (2) drill; (3) tabletop exercise; (4) functional exercise; and (5) full-scale exercise. The difference between the last two is that a full-scale exercise usually involves people playing the role of victims, and the word "scenario" is usually applied to any exercise which has lots of enhancements or props to make it seem realistic. Good planning for the exercise may take up to three months prior to the event, but recommendations or "lessons learned & Best Practices" should be finished no later than three weeks afterwards. An exercise doesn't really "end" with a fixed stopping point until the person or persons playing the role of evaluator have collected enough information.

The simplest example of a preparedness exercise would be an evacuation drill, or more precisely, an orientation on the location of fire escape exits. The NFPA (National Fire Protection Association) sells manuals on how to conduct evacuation drills. A good drill would include the routes people should take, where stockpiles of medical supplies are stored, how emergency and medical personnel should deploy, and a test of hospital capability to handle certain patients or injuries. Advanced disaster simulations or scenarios can be done utilizing the National Guard Bureau's J5 (IA) Unit, or any of the state National Guard units which have an elite WMD-CST (weapons of mass destruction, civil support team). The National Response Center, staffed 24 hours a day by the Coast Guard, is the place where elite training is done, and the lessons learned from many training exercises, including the biannual TOPOFF (Top Officials), can be found at the National Response Team site. FEMA also supports simulation exercises, and in fact has a Master Curriculum Guide at the EMI (Emergency Management Institute) website, and also collects "Smart Practices" that exemplify good local preparedness activities. Some of the lessons learned from conducting disaster simulations at the national or international level include the following:

Clearly, emergency response drills and simulation exercises are worth the effort. Exercises help evaluate an organization’s capability to execute one or more portions of its response plan or contingency plan, and research has shown that people generally respond to an emergency in the way that they have trained.

PRINTED RESOURCES
Alexander, D. (2002). Principles of Emergency Planning and Management. NY: Oxford Univ. Press.
Bannister, J. (1997). How to Manage Risk. London: LLP Limited.
Bedford, T. & Cooke, R. (2001). Probabilistic Risk Analysis. NY: Cambridge Univ. Press.
Biggs, J. (1964). Introduction to Structural Dynamics. NY: McGraw Hill.
Broder, J. (1999). Risk Analysis and the Security Survey. NY: Butterworth-Heinemann.
Bullock, J., Haddow, G., Coppola, D., Ergin, E., Westerman, L. & Yeletaysi, S. (2005). Introduction to Homeland Security. Boston: Elsevier.
Cameron, G. (1998). "The Liklihood of Nuclear Terrorism," Journal of Conflict Studies (Fall): 5-28.
Chavas, J. (2004). Risk Analysis in Theory and Practice. San Diego: Academic Press.
Defense Research LLC. (2004). Terrorism Preparedness. Washington DC: Defense Research LLC.
Erickson, P. (1999). Emergency Response Planning for Corporate & Municipal Managers. San Diego: Academic.
Godschalk, D. (1986). Mitigation Strategies and Integrated Emergency Management. Chapel Hill: Univ. of NC Press, Center for Urban and Regional Studies.
Godschalk, D., Beatley, T., Berke, T., Brower, D. & Kaiser, E. (1999). Natural Hazard Mitigation. Washington DC: Island Press. [sample excerpt]
Gordon, J. (2002). Comprehensive Emergency Management for Local Governments. NY: Rothstein Associates.
Haddow, G. & Bullock, J. (2003). Introduction to Emergency Management. Boston: Elsevier.
Herrmann, D. (2001). A Practical Guide to Security Engineering and Information Assurance. Boca Raton, FL: CRC Press.
Hopkins, L. (2001). Urban Development: The Logic of Making Plans. Washington DC: Island Press.
Kaplan, S. (1997). "The Words of Risk Analysis." Risk Analysis 17(4): 407-418.
Kaiser, E., Godschalk, D. & Chapin, S. (1995). Urban Land Use Planning. Champaign-Urbana: Univ. of Illinois Press.
Kelly, E. & Becker, B. (2000). Community Planning. Washington DC: Island Press.
Kelly, R. (1989). Industrial Emergency Preparedness. NY: Wiley.
Krauthammer, T. (2004). “Conventional Blasts, Ballistic Attack, and Related Threats.” The Construction Specifier (May): 73-84. [author's website]
Leonard, B. (1988). Guide to Exercises in Chemical Emergency Preparedness Programs. NY: Diane Pub. Co.
Longinow, A. (1995). "The Threat of Terrorism: Can Buildings be Protected?" Building Operating Management (July): pages unknown.
Molak, V. (1996). Fundamentals of Risk Analysis & Risk Management. Chelsea, MI: Lewis Publishers.
Nicholson, J. (2003). "Design of Public Buildings: Lessons Learned." Pp. 61-64 in R. Kemp (ed.) Homeland Security: Best Practices for Local Government. Washington DC: ICMA.
Nudell, M. & Antokol, N. (1988). The Handbook for Effective Emergency Management. Lexington, MA: Lexington Books.
Omika, Y., Fukuzawa, E., Koshika, N., Morikawa, H. & Fukuda, R. (2005). "Structural Responses of World Trade Center under Aircraft Attacks." Journal of Structural Engineering 131(1): 6-15.
Perry, R. (1985). Comprehensive Emergency Management. Greenwich, CT: JAI Press.
Quarentelli, E. (1979). Studies in Disaster Response and Planning. Newark: Univ. of Delaware Disaster Research Center.
Schneid, T. & Collins, L. (2000). Disaster Management and Preparedness. Chelsea, MI: Lewis Publishers. [sample excerpt]
Veenema, T. (2003). Disaster Nursing and Emergency Preparedness for Chemical, Biological, and Radiological Terrorism. NY: Springer.
Vose, D. (2000). Risk Analysis: A Quantitative Guide. NY: Wiley.
White, Jonathan. (2004). Defending the Homeland. Belmont, CA: Wadsworth.

*Four Phases of Disaster Management*
MITIGATION "the reduction or elimination of future risk"	PREPAREDNESS "a practiced state of readiness to respond"
RESPONSE "an immediate reaction or relief that saves lives"	RECOVERY "the process of repair and restoration"

*The Risk Management Model*
Low impact	High probability		High impact
	I Contain and control	II Prevent and protect
	III Safely ignore	IV Insurance or backup plan
	Low probability

Summary of Risk Assessment Formulas (* =multiplication)
Relative Risk analysis	likelihood of hazard * impact of event.
Vulnerability analysis	likelihood of threat * scope of impact
Threat analysis	scope of impact * source identification * control weaknesses
Mitigation	cost to mitigate * level of risk reduction + residual risk