FOUR DEGREES OF PROXIMITY: - CiteSeerX
-
Upload
khangminh22 -
Category
Documents
-
view
0 -
download
0
Transcript of FOUR DEGREES OF PROXIMITY: - CiteSeerX
FOUR DEGREES OF PROXIMITY:
KEY FACTORS THAT INFLUENCE PRIVATE SECTOR PREPAREDNESS AND CONTINUITY PLANNING
by W. Michael Dunaway
B.S., 1973, United States Naval Academy M.A, 1990, Fletcher School of Law and Diplomacy, Tufts University
A Dissertation submitted to
The School of Engineering and Applied Science of The George Washington University
in partial fulfillment of the requirements for the degree of Doctor of Science
31 January 2010
Dissertation directed by
Gregory L. Shaw Director, Institute for Crisis, Disaster and Risk Management
Department of Engineering Management and Systems Engineering
UMI Number: 3386954
All rights reserved
INFORMATION TO ALL USERS The quality of this reproduction is dependent upon the quality of the copy submitted.
In the unlikely event that the author did not send a complete manuscript
and there are missing pages, these will be noted. Also, if material had to be removed, a note will indicate the deletion.
UMI 3386954
Copyright 2010 by ProQuest LLC. All rights reserved. This edition of the work is protected against
unauthorized copying under Title 17, United States Code.
ProQuest LLC 789 East Eisenhower Parkway
P.O. Box 1346 Ann Arbor, MI 48106-1346
ii
The School of Engineering and Applied Sciences of the George Washington University
certifies that W. Michael Dunaway has passed the Final Examination for the degree of
Doctor of Science as of 02 December 2009. This is the final and approved form of the
dissertation.
FOUR DEGREES OF PROXIMITY:
KEY FACTORS THAT INFLUENCE PRIVATE SECTOR PREPAREDNESS AND CONTINUITY PLANNING
W. Michael Dunaway
Dissertation Research Committee: Gregory L. Shaw, Associate Professor, Engineering Management and Systems Engineering, Director, Institute for Crisis, Disaster and Risk Management Dissertation Director Thomas A. Mazzuchi, Professor of Engineering Management and Systems Engineering, Chair, Department of Engineering Management and Systems Engineering Committee Chairman John R. Harrald, Professor Emeritus of Engineering Management and Systems Engineering, Committee Member Julie C. Ryan, Associate Professor of Engineering Management and Systems Engineering, Committee Member Kathleen Smarick, Executive Director, National Consortium for the Study of Terrorism and Responses to Terrorism (START), University of Maryland Committee Member
iv
DEDICATION
This work is dedicated to the first responders and public and private sector leaders
who have worked tirelessly to keep America safe since September 11th 2001.
v
ACKNOWLEDGMENTS The list of people who have advised, encouraged and inspired this study is, of course, a
long one. The author is particularly indebted to the following individuals:
For academic guidance, counseling and support: Marvine Hamner, Jack Harrald, Greg
Shaw, and Julie Ryan, the George Washington University; Monica Schoch-Spana, Center
for Bio-Security, University of Pittsburgh; Gary LaFree and Kathleen Smarick,
University of Maryland; Kathleen Tierney and Dennis Mileti, University of Colorado,
Boulder; Susan Cutter, University of South Carolina; Fran Norris, Dartmouth College;
and Andy Felts, the College of Charleston.
For professional advice and a First Responder’s perspective: Chief Ed Sherlock, Captain
Tom Wilson, Barbara Fay and Cathy Welker in Annapolis; John Simsen in Galveston;
and David Maack in Racine. For insight into public/private partnerships: Brit Weber,
Michigan State University; Ann Patton, Tulsa Partners; Tom Moran, All Hazards
Consortium; Len Pagano, SafeAmerica Foundation, and Warren Edwards, Community
and Regional Resilience Institute.
For patience and understanding: Jane, Sarah and Missy.
This material is based upon work supported by the Science and Technology directorate of the U.S. Department of Homeland Security under Grant Award Numbers N00140510629 and 2008-ST-061-ST0004, made to the National Consortium for the Study of Terrorism and Responses to Terrorism (START, www.start.umd.edu). The views and conclusions contained in this document are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of the U.S. Department of Homeland Security or START.
vi
ABSTRACT
FOUR DEGREES OF PROXIMITY: KEY FACTORS THAT INFLUENCE PRIVATE SECTOR
PREPAREDNESS AND CONTINUITY PLANNING
Numerous federal documents issued since September 11, 2001 have emphasized
that private sector business and industry share equal responsibility with government for
the security of the nation’s critical infrastructure and key assets. The National Response
Framework (2008) further states that private sector entities have a role in the safety,
security and resilience of their communities. Yet, eight years after 9/11, only a fraction of
U.S. businesses and non-profits have taken adequate measures to protect their assets,
property and employees from the threat of harm from natural disasters or human-caused
incidents. To understand this disparity, this dissertation examined four factors that
influence the adoption of business continuity planning and emergency preparedness
measures within the private sector. The study conducted an online survey of 145
businesses, industries and non-profit organizations to assess the adoption of 12 specific
preparedness measures. From this data, the study developed a cognitive model
highlighting four “degrees of proximity” that could influence the commitment of a
business or organization to adopt continuity planning and emergency preparedness
programs:
(1) Geographic proximity (exposure): the physical proximity or exposure of a private sector entity to hazards or threats that affect the organization and its environment.
(2) Temporal proximity (experience): whether—and if so, how recently—a private
sector entity had experience with a disaster or emergency that affected the organization.
(3) Proximity of capability (capability): whether the private sector entity has at hand
the capability to manage a threat to its viability assessed as a function of the entity’s size.
vii
(4) Organizational proximity (collaboration): whether or not the private sector entity participates in a collaborative organization for regional emergency planning and preparedness.
The results confirm earlier research—and much of the experiential and anecdotal
information in the disaster and risk literature—that two key factors affect decisions of
private sector entities to adopt continuity planning measures: previous experience in a
disaster and the size of the organization. Owing to the varied level of survey participation
and the intervention of two natural disasters during the survey, the direct influence of
geographic exposure to hazards was less clear. However, the data did reveal that
participation in an organization dedicated to collaborative planning and mutual support
can have a motivating effect on preparedness equivalent to past experience in a disaster
or an increase in capability equal to the difference between a small and a medium-size
business. The data further identified a consistent hierarchy among the 12 preparedness
measures, indicating a strong prevalence or preference among private sector businesses
and non-profits for certain types of preparedness measures over others. Lastly, the
research identified a strong concern among business owners regarding hazards and
threats to organization viability that originate from natural disasters or that threaten
physical or intellectual property. There was relatively little concern exhibited for the
threat posed by terrorism.
The results of this study shed light on perceptions of risk and priorities for
preparedness measures within the private sector. The study further provides information
relevant to government policies and programs aimed at increasing continuity planning
within the private sector and specifically identifies the value of public-private
viii
partnerships for encouraging participation in efforts that protect business interests while
building community resilience against hazards and disasters.
KEYWORDS: Business continuity planning Emergency management Continuity of operations Private Sector Disaster preparedness Resilience
ix
TABLE OF CONTENTS
DEDICATION............................................................................................................... iv ACKNOWLEDGMENTS ...............................................................................................v ABSTRACT...................................................................................................................vi TABLE OF CONTENTS ............................................................................................... ix LIST OF FIGURES........................................................................................................xi LIST OF TABLES .......................................................................................................xiv LIST OF ACRONYMS................................................................................................. xv GLOSSARY OF TERMS............................................................................................xvii CHAPTER 1: INTRODUCTION ...................................................................................1 1.0 Background ..............................................................................................................1 1.1 Statement of the problem and research hypothesis ....................................................5 1.2 Significance of this study..........................................................................................8 1.3 Dissertation structure................................................................................................9 CHAPTER 2: LITERATURE REVIEW....................................................................... 12 2.0 Overview................................................................................................................ 12 2.1 Disaster, hazards and risk research.......................................................................... 14 2.1.1 Disaster as history, sociology and anthropology 20 2.1.2 Disaster research 26 2.1.3 Hazards and risk research 42 2.1.4 Heuristics 48 2.2 Business continuity management ............................................................................ 55 2.3 Federal agency documents...................................................................................... 61 2.4 Regional approaches and best practices................................................................... 78 2.5 The internet ............................................................................................................ 82 CHAPTER 3: CONCEPTUAL MODELS AND FRAMEWORKS............................... 88 3.0 Overview................................................................................................................ 88 3.1 Modeling risk ......................................................................................................... 92 3.2 Modeling resilience ................................................................................................ 99 3.3 Modeling distance and proximity.......................................................................... 103 3.4 Reasoned action and technology acceptance ......................................................... 107 3.5 Decision-making for planning and operations ....................................................... 113 CHAPTER 4: METHOD, APPROACH AND RESULTS.......................................... 122 4.0 Overview.............................................................................................................. 122 4.1 Research method .................................................................................................. 125 4.2 Analytic approach................................................................................................. 127 4.3 Survey method...................................................................................................... 132 4.4 Survey structure........................................................................................... 136 4.5 Summary of results ........................................................................................... 141 4.5.1 Characteristics of participants 142
x
4.5.2 Perceptions of risk and threat 145 4.5.3 Perceptions of federal, state and local responsibilities 147 CHAPTER 5: HYPOTHESES, TESTING AND ANALYSIS..................................... 150 5.0 Overview.............................................................................................................. 150 5.1 Descriptive statistics, tests of significance, and box plots........................................157 5.3 Skewness and tests of normality: Anderson-Darling test 171 5.4 Non-Parametric tests: Kruskal-Wallis test 175 5.5 Pareto charts of preparedness measures 177 5.6 Correlation of proximities among private sector entities 181 5.7 Influences on participation in a collaborative partnership 186 CHAPTER 6: SUMMARY OF RESULTS................................................................. 190 6.0 Overview.............................................................................................................. 190 6.1 Analysis of research results................................................................................... 190 6.2 Limitations and agenda for further research .......................................................... 196 6.3 The question of motivation .................................................................................. 199 6.4 Conclusion: A framework for private sector preparedness..................................... 203 REFERENCES............................................................................................................ 214 APPENDIX A: SAMPLE SURVEY .......................................................................... 238
xi
LIST OF FIGURES
Figure 1-1: Four proximities of preparedness 8 Figure 2-1: Core topics of hazards and disaster research 17 Figure 2-2: Business continuity planning and disaster/hazards research 19 Figure 2-3: National disaster response framework 64 Figure 2-4: Risk management framework 72 Figure 3-1: Influence diagram template 94 Figure 3-2: Influence diagram for risk of tripping and falling on stairs 95 Figure 3-3: Social amplification of risk framework 97 Figure 3-4: Community resilience as a set of adaptive capacities 101 Figure 3-5: The cultural, administrative, geographic and economic (CAGE) 105 distance framework Figure 3-6: Ishikawa diagram for a program management process 107 Figure 3-7: Ishikawa diagram for the CAGE distance framework 107 Figure 3-8: Theory of reasoned action (TRA) 109 Figure 3-9: Technology acceptance model 110 Figure 3-10: A model of the attributes of systems acceptability 112 Figure 3-11: Inducement of analysis and intuition in contingency planning and 117 operations Figure 3-12: Aviation decision process model 118 Figure 3-13: Business decision process model: routine business operations vs. 120 business-related crisis, emergency or disaster—without a plans Figure 3-14: Business decision process model: routine business operations vs. 121 business-related crisis, emergency or disaster—with a plan. Figure 4-1: A time line of BCP activities relative to a business disruption 124
xii
Figure 4-2: Ishikawa diagram for the CAGE distance framework 128 Figure 4-3: Ishikawa diagram for four proximities of preparedness 129 Figure 5-1: Four proximities of preparedness 152 Figure 5-2: Box plots of regions, organization size, incident occurrence, 160 and collaborative partnerships. Figure 5-3: Comparative histograms and box plots of the effects of disaster 162 experience on measures adopted. Figure 5-4: Comparative histograms and box plots of the effects of organizational 163 size on measures adopted. Figure 5-5: Comparative histograms and box plots of the effects of participation 164 in a collaborative partnership on measures adopted. Figure 5-6: Analysis of variance (ANOVA) and normal probability plot 167 of regression for preparedness measures as a function of region. Figure 5-7: Analysis of variance (ANOVA) and normal probability plot 168 of regression for preparedness measures as a function of incident experience. Figure 5-8: Analysis of variance (ANOVA) and normal probability plot of 169 Regression for preparedness measures as a function of organization size. Figure 5-9: Analysis of variance (ANOVA) and normal probability plot of 170 regression for preparedness measures as a function of collaboration. Figure 5-10: Histogram showing distribution of preparedness measures. 172 Figure 5-11: Anderson-Darling test of normality for all private sector data . 174 Figure 5-12: Probability plot for goodness of fit for A-D test of normality. 174 Figure 5-13: Comparison of box plots of disaster experience, organizational 175 capability, and collaboration. Figure 5-14: Pareto charts—Preparedness measures adopted among private sector 178 organizations having disaster experienced vs. no experience
xiii
Figure 5-15: Pareto charts—Preparedness measures adopted among private sector 179 sector organizations involved in collaboration vs. no collaboration. Figure 5-16: Pareto charts—All preparedness measures adopted among public 180 sector agencies vs. private sector businesses. Figure 5-17: Depiction of analytic approach for correlation among proximity 182 factors. Figure 5-18: Pareto chart of distribution of measures adopted across private 184 sector entities correlated by proximity Figure 5-19: Pareto chart of average number of measures adopted per private 184 sector entity correlated by proximity Figure 5-20: Overall effect of organization size on collaboration. 187 Figure 5-21: Relationship between organization size, previous disaster 187 experience and participation in a collaborative partnership. Figure 6-1: Bar chart illustrating effect of organizational size on adoption of 187 preparedness measures Figure 6-2: Bar chart illustrating the effect of previous disaster experience on 188 adoption of preparedness measures. Figure 6.3: Bar chart illustrating the distribution of preparedness measures across 190 regions for the survey population. Figure 6.4: Bar chart illustrating effects of collaboration on preparedness measures 191 adopted Figure 6-5: Factors potentially influencing business decisions for preparedness 195 and continuity planning Figure 6-6: Cost avoidance from the effects of catastrophic events achieved through 196 building resilient capacities in a community. Figure 6-7: Community resilience model 197 Figure 6-8: Framework for modeling total economic impact of extreme events 198 Figure 6-9: Theory of Reasoned Action and Technology Acceptance Model 200 Figure 6-10: Framework for private sector preparedness 201
xiv
LIST OF TABLES
Table 2-1: Dominant variables of social vulnerability 30 Table 2-2: Typology of collective stress situations 33 Table 2-3: Crisis management framework 35 Table 2-4: Major crises types / risks 59 Table 4-1: Organization size of all respondents 144 Table 4-2: Composite organization size of private sector respondents 144 Table 4-3: Ranking of preparedness measures adopted by all respondents 145 Table 4-4: Ranking of perceived threat to continuity of operations 147 Table 4-5: Ranking of perceived threat from specific acts of terrorism 148 Table 4-6: Perceptions of federal responsibilities for preparedness 149 Table 4-7: Responsibility for security and preparedness 150 Table 4-8: Perceptions of general preparedness since 9/11 150 Table 5-1: Descriptors for independent variables 153 Table 5-2: Descriptors for dependent variables 153 Table 5-3: Collected data for private sector organizations 155 Table 5-4: Data for private sector organizations normalized to percentages 155 Table 5-5: Descriptive statistics and Student t-test for four dimensions of 158 proximity among private sector respondents (for-profit and non-profit) Table 5-6: Descriptive statistics and Kruskal-Wallis test 176 Table 5-7: Correlation of proximities among 145 private sector entities 183 Table 5-7: Collaboration relative to organization size and disaster experience 186
xv
LIST OF ACRONYMS
BCP Business Continuity Planning
BCCP Business Crisis and Continuity Planning
CIKR Critical Resources and Key Resources
DHS Department of Homeland Security
FEMA Federal Emergency Management Agency
ICS Incident Command System
HDCS Strategy for Homeland Defense and Civil Support
HSC Homeland Security Council
HSPD Homeland Security Presidential Directive
NAS National Academies of Science
NEHRP National Earthquake Hazard Reduction Program
NFPA National Fire Protection Administration
NIMS National Incident Management System
NIPP National Infrastructure Protection Plan
NMS National Military Strategy
NMSHD National Military Strategy for Homeland Defense
NRC National Research Council of the National Academies of Science
NRF National Response Framework
NSHS National Strategy for Homeland Security
NSIS National Strategy for Information Sharing
NSCT National Strategy for Countering Terrorism
NSS National Security Strategy
xvi
PS PREP Private Sector Voluntary Preparedness Certification Program
Y2K Year 2000 (refers to the world-wide change in computer clock time
that occurred at midnight on 31 December 1999)
xvii
GLOSSARY OF TERMS Except where noted, definitions for terms cited in this dissertation are taken from the “Dictionary of Emergency Management and Related Terms, Definitions, Legislation and Acronyms,” B. Wayne Blanchard, Emergency Management Institute, Emmitsburg, Maryland, (November 2007) and are cited as they appear in that document (http://www.csc.noaa.gov/vata/glossary.html). Accident “An unexpected or undesirable event, especially one causing injury to a small number of individuals and/or modest damage to physical structures. Examples would be automotive accidents or damage from lightning striking a house.” (Drabek 1996) “…situations in which an occasion can be handled by…emergency organizations. The demands that are made on the community are within the scope of domain responsibility of the usual emergency organizations such as police, fire, medical and health personnel. Such accidents create needs (and damage) which are limited to the accident scene and so few other community facilities are damaged. Thus, the emergency response is delimited in both location and to the range of emergency activities. The primary burden of emergency response falls on those organizations that incorporate clearly deferred emergency responsibility into their domains. When the emergency tasks are completed, there are few vestiges of the accident or lasting effects on the community structure” (Dynes 1998) Business Crisis and Continuity Management “The business management practices that provide the focus and guidance for the decisions and actions necessary for a business to prevent, prepare for, respond to, resume, recover, restore and transition from a disruptive (crisis) event in a manner consistent with its strategic objectives” (cited in Shaw and Harrald 2004). Catastrophe “Catastrophic events are different in the severity of the damage, number of persons affected, and the scale of preparation and response required. They quickly overwhelm or incapacitate local and/or state response capabilities, thus requiring coordinated assistance from outside the affected area. Thus, the response and recovery capabilities needed during a catastrophic event differ significantly from those required to respond to and recover from a ‘normal disaster’.” (GAO, Emergency Preparedness and Response 2006) “An event of such impact upon a community that new organizations must be created in order to deal with the situation.” (Quarantelli 1987) Crisis “A collective crisis can be conceptualized as having three interrelated features: (1) a threat of some kind, involving something that the group values; (2) when the occasion occurs it is relatively unexpected, being abrupt, at least in social time; and (3) the need to collectively react for otherwise the effects are seen as likely to be even more negative if nothing is done sooner or later...” (Quarantelli 1998) “…a decisive or critical moment or turning point when things can take a dramatic turn, normally for the worse…” (Allinson 1993)
xviii
Critical Infrastructure and Key Resources (CIKR) “Critical infrastructure and key resources, or CIKR, comprises systems and assets, whether physical or virtual, so vital to the United states that their incapacitation or destruction would have a debilitating impact on national security, national economic security, public health or safety, or any combination of those matters. (Federal Register / Vol. 73 No. 248 FEMA-2008-0017) Disaster “Disasters are fundamentally social phenomena; they involve the intersection of the physical processes of a hazard agent with the local characteristics of everyday life in a place and [with the] larger social and economic forces that structure that realm” (Bolin with Stanford 1998). “The label ‘disaster’ rather than ‘accident’ carries with it not only the implication that…an event…was of extraordinary misfortune…but also the implication that it could (unlike most accidents) have been prevented…disasters are events which fall within our scope of concern to prevent and in principle are events which may be prevented, and that we have a consequent obligation to attempt to prevent them” (Allinson 1993) Emergency “Any occasion or instance--such as a hurricane, tornado, storm, flood, tidal wave, tsunami, earthquake, volcanic eruption, landslide, mudslide, snowstorm, fire, explosion, nuclear accident, or any other natural or man-made catastrophe--that warrants action to save lives and to protect property, public health, and safety.” (FEMA Guide For All-Hazard Emergency Operations Planning (SLG 101) 1996) “An unexpected event which places life and/or property in danger and requires an immediate response through the use of routine community resources and procedures. (Drabek 1996) Exposure “The number, types, qualities, and monetary values of various types of property or infrastructure and life that may be subject to an undesirable or injurious hazard event.” (APA Planning For A Disaster-Resistant Community 2005) Hazard “Hazard means an event or physical condition that has the potential to cause fatalities, injuries, property damage, infrastructure damage, agricultural loss, damage to the environment, interruption of business, or other types of harm or loss” (FEMA 1997) “A condition with the potential for harm to the community or environment. Many use the terms “hazard” and “disaster agent” interchangeably. Hence, they will refer to “the hurricane hazard” or even more broadly to “natural hazards” which includes hurricanes, tornadoes, earthquakes and other natural phenomena that have the potential for harm. The hazard is the potential, the disaster is the actual event.” (Drabek 1997) Incident “In this document, incidents include actual or potential emergencies or all-hazard events that range from accidents and natural disasters to actual or potential terrorist attacks. They include modest events wholly contained within a single community to others that are catastrophic in nature and national in their scope or consequences.” (DHS National Response Framework Comment Draft September 2007) “An actual or impending hazard impact, either human caused or by natural phenomena, that requires action by emergency personnel to prevent or minimize loss of life or damage
xix
to property and/or natural resources.” (HHS Medical Surge Capacity and Capability Handbook 2004) Mitigation “Activities designed to reduce or eliminate risks to persons or property or to lessen the actual or potential effects or consequences of an incident. Mitigation measures may be implemented prior to, during, or after an incident. Mitigation measures are often developed in accordance with lessons learned from prior incidents. Mitigation involves ongoing actions to reduce exposure to, probability of, or potential loss from hazards. ... Mitigation can include efforts to educate governments, businesses, and the public on measures they can take to reduce loss and injury.” (DHS NIPP 2006) “…mitigation is the social attempt to reduce the occurrence of a disaster, to reduce the vulnerability of certain populations, and to more equitably distribute the costs within the society.” (Dynes 1993) Preparedness “The range of deliberate critical tasks and activities necessary to build, sustain, and improve the operational capability to prevent, protect against, respond to, and recover from domestic incidents. Preparedness is a continuous process involving efforts at all levels of government and between government and private sector and nongovernmental organizations to identify threats, determine vulnerabilities, and identify required activities and resources to mitigate risk.” (DHS, National Infrastructure Protection Plan 2006) “Those activities, programs, and systems that exist prior to an emergency that are used to support and enhance response to an emergency or disaster.” (FEMA 1992) Prevention “Actions to avoid an incident or to intervene to stop an incident from occurring. Prevention involves actions to protect lives and property. It involves applying intelligence and other information to a range of activities that may include such countermeasures as deterrence operations; heightened inspections; improved surveillance and security operations; investigations to determine the full nature and source of the threat; public health and agricultural surveillance and testing processes; immunizations, isolation, or quarantine; and, as appropriate, specific law enforcement operations aimed at deterring, preempting, interdicting, or disrupting illegal activity and apprehending potential perpetrators and bringing them to justice.” (FEMA NIMS 2007) Private Sector “Common English usage draws a binary distinction between the public and private sectors—meaning those organizations and activities that are formally governmental at all levels, and those that are not. The private sector thus includes many distinct entities, including for-profit businesses (publicly-traded or privately owned), trade associations and NGOs, not-for-profit enterprises, faith-based organizations and other voluntary organizations. Of course, from another perspective, the private sector is comprised not only of organizations, but of individual citizens and families, who have important obligations to be prepared for emergencies ... .” (National Response Framework 2008). Recovery “Recovery involves actions, and the implementation of programs, needed to help individuals and communities return to normal. Recovery programs are designed to assist victims and their families, restore institutions to sustain economic growth and
xx
confidence, rebuild destroyed property, and reconstitute government operations and services. Recovery actions often extend long after the incident itself. Recovery programs include mitigation components designed to avoid damage from future incidents. (DHS, National Response Plan (Draft) 2004). “Activities and programs designed to return conditions to a level that is acceptable to the entity.” (NFPA 1600, 2007) Resilience “In the context of the NIPP, resiliency is the capability of an asset, system, or network to maintain its function during or to recover from a terrorist attack or other incident.” (DHS NIPP 2006) “The capacity of a system, community or society to resist or to change in order that it may obtain an acceptable level in functioning and structure. This is determined by the degree to which the social system is capable of organizing itself, and the ability to increase its capacity for learning and adaptation, including the capacity to recover from a disaster.” (UN/ISDR 2002) Response “Those activities and programs designed to address the immediate and short-term effects of the onset of an emergency or disaster.” (FEMA 1992) “The term ‘response’ as used in this Framework includes immediate actions to save lives, protect property and meet basic human needs. Response also includes the execution of emergency plans and actions to support short-term recovery. (DHS National Response Framework 2008) Risk “A measure of potential harm that encompasses threat, vulnerability, and consequence. In the context of the NIPP, risk is the expected magnitude of loss due to a terrorist attack, natural disaster, or other incident, along with the likelihood of such an event occurring and causing that loss.” (DHS NIPP 2006) “The estimated impact that a hazard would have on people, services, facilities, and structures in a community; the likelihood of a hazard event resulting in an adverse condition that causes injury or damage. Risk is often expressed in relative terms such as a high, moderate, or low likelihood of sustaining damage above a particular threshold due to a specific type of hazard event. (FEMA 2001) Threat “The likelihood of a hazard occurring.” (HHS Medical Surge Capacity and Capability Handbook 2004) “An indication of possible violence, harm, or danger.” (FEMA NIMS Draft 2007) Vulnerability “A measure of the extent to which a potential event is likely to deplete or damage available resources such that the reestablishment of usual living conditions cannot be achieved within a reasonable period. In this sense vulnerability may be measured as a ratio of damaged to undamaged resources.” (Buckle 1995) “Vulnerability to disasters is a status resulting from human action. It describes the degree to which a society is either threatened by or protected from the impact of natural hazards. This depends on the condition of human settlements and their infrastructure, the way in which public policy and administration are engaged in disaster management, the level of information and education about hazards and how to deal with them.” (UN ISDR 2001)
xxi
“A weakness in the design, implementation, or operation of an asset, system, or network that can be exploited by an adversary, or disrupted by a natural hazard or technological failure.” (DHS NIPP 2006)
1
CHAPTER 1: INTRODUCTION 1.0 Background
1.1 Statement of the problem and research hypothesis
1.2 Significance of this study
1.3 Dissertation structure
1.0 Background More than eight years have passed since the terrorist attacks on the World Trade
Center and the Pentagon, and over four since Hurricanes Katrina and Rita devastated the
Gulf Coast. During that period it has become an article of faith that private sector
business and industry share equal responsibility with public sector government and
agencies for the protection of America’s assets, resources, critical infrastructures, and the
lives and livelihood of the nation’s citizens. National strategies issued by the federal
government since 9/11 have increasingly emphasized the shared responsibility for
homeland security between the public and private sectors (for example, the National
Strategy for Homeland Security [2002]; the National Strategy for Countering Terrorism
[2003]; the National Response Plan [2004]; the National Strategy for Pandemic Influenza
(2005); National Infrastructure Protection Plan [2006]; and the National Response
Framework [2008]).
Implicit in this charge is an assumption that the degree of security and resilience
attained in a community is a function of the level of coordination and involvement
between local government, local response agencies and the private sector—to include
businesses, non-profit associations, faith-based groups, and private voluntary
organizations. Indeed, the National Response Framework states that “During an incident,
2
key private sector business partners should be involved in the local crisis decision-
making process or at least have a direct link to key local emergency managers.
Communities cannot effectively respond to, or recover from, incidents without strong
cooperative relations with the private sector.” [NRF, 2008], (emphasis added).
Business and industry have long recognized the need to protect assets and core
organizational functions from threats posed by natural disasters and technological or
man-made incidents. Indeed, business functions directed toward ensuring continuity of
operations and disaster recovery have in recent years become professional competencies
and corporate line responsibilities in their own right, especially in larger organizations
where institutional complexity and sheer size require formal training in continuity
planning and the dedication of corporate assets and personnel to that purpose [Amato-
McCoy, 2006; Black, 2005; Rose 2009]. Recently, the term Business Crisis and
Continuity Management (BCCM) has been proposed as a more accurate name for the
business process that consolidates the traditional—and often separable—functions of
crisis management, risk assessment, emergency management and disaster recovery, and
business continuity planning [Shaw and Harrald, 2004]. There has also been recent
recognition that some measure of standardization and measurable competence among
private sector entities would be desirable.
As an indication of the growing momentum in this direction, Title IX of House
Resolution 1, Implementing Recommendations of the 9/11 Commission Act of 2007
establishes a Voluntary Private Sector Preparedness Accreditation and Certification
Program intended to certify private sector businesses in a “common set of criteria for
preparedness, disaster management, emergency management, and business continuity
3
programs.”1 The Department of Homeland Security has since begun crafting guidelines
for a voluntary private sector certification program in all-hazards business preparedness
that would implement this legislation. Title IX (section 524) cites the American National
Standards Institute’s Standard for Disaster/ Emergency Management and Business
Continuity Programs (ANSI/NFPA 1600) as the model for program envisioned, and
provides for third-party entities to manage the certification process, and not the
government itself.
The adoption of NFPA 1600 by private sector businesses or non-profits is itself a
voluntary program, and NFPA 1600 adds a caveat regarding the challenge of
implementing common standards across multiple agencies or organizations, noting that
“plans for business continuity, continuity of government and continuity of operations are
generally more similar in intent and less similar in content” [NFPA 1600, 14].
Therein lies a problem with the current state of continuity of operations planning
generally, and with business continuity planning specifically. With the exception of
certain federally regulated industries (e.g., nuclear power; transportation; aviation;
chemical production), business continuity programs are directed almost universally
toward survival of the corporate entity and its profitability; little regard is paid to the
condition of the social or economic environment that the corporation inhabits. The
National Response Framework effectively acknowledges this, providing that, “private
sector organizations and NGOs (non-governmental organizations) are encouraged to
develop contingency plans and to work with State and local planners to ensure that their
1 USC Title IX (Private Sector Preparedness) Sec. 524 Voluntary Private Sector Preparedness Accreditation and Certification Program (110th Congress, H.R.1, Implementing Recommendations of the 9/11 Commission Act of 2007), August 3, 2007 (Public Law No. 110-53) at http://thomas.loc.gov/cgi-bin/query/F?c110:5:./temp/~c110fnUs5s:e317311.
4
plans are consistent with pertinent plans, the NIMS (National Incident Management
System) and this Framework” [NRF, 6] (emphasis added). They are not, however,
required to do so.
In short, business continuity planning as currently practiced is essentially an
internally-focused enterprise with formalized processes directed toward the preservation
of corporate operations, capital and profitability with little regard for the benefits that
might be gained or economies that could be achieved through coordinated effort with
local agencies or organizations. [Flynn and Prieto, 2006]. NFPA 1600 does make
reference to the need for “mutual support,” though stipulating only that “the need for
mutual aid/assistance shall be determined” [NFPA 1600, p. 6]. What NFPA 1600 does
not do is to identify a relationship or establish the requirement for coordination between
private and public sector entities in disaster planning, response and recovery that would
begin to address the deficiency highlighted by the National Response Framework that
“communities cannot effectively respond to, or recover from, emergencies or disasters
without strong cooperative relations with private sector businesses” [NRF, p. 8].
In spite of the emphasis placed on business continuity programs in recent years, and
the current attempts to standardize procedures, there remains a less than enthusiastic
adoption of voluntary standards or willingness on the part of business to commit
resources to continuity and preparedness programs. For example, a recent analysis by
Mitroff and Alpaslan found that less than 25 % of Fortune 500 companies could be
considered capable of successfully managing a corporate crisis. [Mitroff and Alpaslan,
2003].
5
A fundamental question of business continuity and preparedness programs, then, is
whether private sector entities are truly prepared to protect their own interests and
welfare, much less participate effectively in planning initiatives or programs intended to
address the broader aspects of community resilience, security and cohesiveness called for
in the National Response Framework. And yet, with the stakes so clearly defined by the
well-known scale of loss experienced in the World Trade Center attacks in New York
City, and again along the Gulf Coast following Hurricanes Katrina, (and more recently
Hurricanes Gustav and Ike) one must ask, why would private sector businesses, industries
and organizations not participate in these initiatives? Are their any factors that would
reliably motivate the private sector to embrace emergency preparedness and continuity
planning initiatives?
1.1 Statement of the problem and research hypothesis These fundamental questions are the genesis of this research project. In succeeding
chapters, this dissertation will conduct a review of relevant literature, describe a survey of
private sector organizations, construct and test a statistical model of the data collected
from that survey, and develop a cognitive framework as an approach to understanding
motivation among private sector business, industry, and non-profit organizations toward
the adoption of emergency preparedness and continuity planning measures.
In a recent historical review of emergency management practices entitled, Emergency
Management: The American Experience 1900-2005, Claire Rubin articulates a hypothesis
about the broad evolution of emergency management practice in the United States:
“The hypothesis of this book is that changes in emergency management policies, authorities, and processes are event-driven, and major focusing events have provided an
6
opportunity to explore the effect of disasters on emergency management principles and practices.” [Rubin, 2007 (4)]
In a corollary fashion, this study asserts that focusing events occur not just at the
regional level with professional, cultural or national-level implications, but at the local
level with implications for decisions made by individual businesses, organizations and
communities regarding the adoption of policies and measures to prepare for, respond to
and mitigate the effects of local disasters and emergencies. The broad objective of this
research project is to make an attempt at identifying the degree to which focusing events
affecting an organization’s welfare might motivate its adoption of emergency
preparedness and business continuity measures within that organization.
To accomplish this objective, the study examines the influence of four factors on the
motivation of private sector businesses and non-profit organizations to adopt emergency
preparedness and continuity planning measures. The study analyzes the rate or extent of
adoption of twelve specific preparedness measures across a survey population of
businesses, industries and non-profit organizations in four regions of the country. It
develops a cognitive model highlighting the four key “degrees of proximity” that can
influence the commitment of a business or organization to adopt continuity planning and
emergency preparedness programs. It analyzes data gathered from the online survey and
develops a statistical model of the relationships between private sector business and non-
profit organizations and the range of preparedness measures that the private sector
entities adopted. Finally, it suggests a framework for conceptualizing the private sector
role in improving community preparedness and resilience against natural, man-made and
technological disasters, as envisioned in the National Response Framework.
7
To serve as a foundation, this study defines four “degrees of proximity” that influence
business decision-making regarding preparedness and continuity planning:
(1) Geographic proximity: the physical proximity or exposure of a private sector entity to hazards or threats that affect the organization and its environment. (2) Temporal proximity: whether—and if so, how recently—a private sector entity had experience with a disaster or emergency that affected the organization. (3) Proximity of capability: whether the private sector entity has at hand the capability to manage a threat to its viability assessed as a function of the entity’s size. (4) Organizational proximity: whether or not the private sector entity participates in a collaborative organization for regional emergency planning and preparedness.
The first two of these proximities form the null and alternate research hypotheses:
NULL HYPOTHESIS: Experience with or exposure to disasters has little or no effect
on whether a private sector entity adopts preparedness or continuity planning measures.
ALTERNATE HYPOTHESIS: Experience with or exposure to disasters has an effect
on whether a private sector entity adopts preparedness or continuity planning measures.
A third hypothesis is developed based on a common observation in disaster and risk
literature that an organization’s size (and thus its capability) likewise affect its
preparedness. The final hypothesis emerged from the research itself, which indicated that
participation in a collaborative organization motivated preparedness and continuity
planning initiatives among the participating private sector organizations.
8
A graphical representation of the research hypotheses (Figure 1-1) is developed in
Chapter 3 of the study illustrating the four proximities that affect motivation toward
business preparedness and continuity planning:
Figure 1-1: Four proximities of preparedness
1.2 Significance of this study While limited in its scope, this study nevertheless sheds some light on perceptions of
risk and priorities for preparedness measures within the private sector. It empirically
validates the observations—both research-based and anecdotal—that past experience in a
disaster and the size of the organization have significant impact on the motivation of
private sector entities to devote resources to preparedness and continuity of operations
planning. It further identifies the potential value of public-private partnerships for
encouraging participation in efforts that protect business interests while building
community resilience against hazards and disasters. It establishes the prevalence (or
preference) among private sector entities for the adoption of certain preparedness
measures over others that is consistent across private sector businesses and non-profits, as
9
well as across public sector agencies. Finally, the study provides information that is
relevant to government policies and programs aimed at increasing continuity planning
within the private sector.
1.3 Dissertation structure The dissertation is organized in accordance with the February 2008 memorandum of
the George Washington University School of Engineering and Applied Science entitled
“SEAS Dissertation Format Guidelines,”2 and conforms with the George Washington
University’s standards for Electronic Theses and Dissertations.3 The dissertation will
follow a traditional organizational structure.
Chapter 2 provides an overview of the literature that bears on the research problem
and, specifically, on defining the motivations and obstacles faced by businesses and non-
profit organizations in responding to and preparing for large-scale disasters and civil
emergencies. The chapter will examine relevant literature in the disaster, hazards and risk
analysis fields; in the business continuity literature, business journals and trade
publications; in federal agency documents; and through current examples of literature and
best practices as they are emerging in the internet, through regional research centers, and
through university centers of excellence.
Chapter 3 reviews cognitive models of decision-making among individuals and
organizations relevant to the decision-making process for preparedness and continuity
planning within the private sector. Models examined include those used in modeling risk
2 GWU/SEAS website at: (http://www.seas.gwu.edu/shared/dissertation_guidelines_2008.pdf. 3 GWU ProQuest Guide to Electronic Theses and Dissertations: http://www.gwu.edu/~etds/
10
and resilience; in identifying cultural or economic distance (or proximity, as it is
employed in this study); reasoned action and technology acceptance models; and models
that highlight the distinction between operational decision-making and operational
planning as applied to business decision-making. This review serves as the foundation for
the development of a conceptual framework for analyzing private sector decisions or
commitment to business continuity planning and preparedness in the final chapter. The
review will also provide background and structure to the analysis of the Private Sector
Survey and the statistical models for hypothesis testing in Chapter 5.
Chapter 4 details the research method and analytic approach that is the focus of the
dissertation. The chapter presents the research approach and describes the methodology
of a Private Sector Survey of Preparedness and Continuity Practices that was conducted
among 171 businesses, industries, non-profit organizations, and local government
agencies in four geographic regions of the country to determine the factors that motivate
continuity planning and emergency preparedness. After describing the goals and
implementation of the survey, the chapter summarizes results and provides observations
on responses to questions that were not directly relevant to the statistical analysis that is
conducted in the next chapter.
Chapter 5 describes the analysis of results from the private sector survey and tests the
two principal and two secondary research hypotheses. It builds statistical models and
examines outcomes of the analysis across all sample populations. The analysis compares
frequency of selection of 12 measures of preparedness—the dependent variables of this
experiment—with results from response populations within each of the four proximities,
which serve as the independent variables of the analysis. It then separates out three
11
sample populations for comparative analysis using sample populations that were of
equivalent size. From this latter analysis, the results highlight the effects of organizational
capability, past experience in disaster, and participation in a collaborative organization as
having a significant affect on motivation within the private sector. Owing to events that
occurred during the course of the survey, and inconsistencies in response rates within
specific communities, the effects of geographic proximity to a hazard as a motivating
factor is inconclusive based on results of this study. The chapter then examines a series of
Pareto Charts generated from the responses that identify discernible patterns—if not
actual preferences or priorities—from among respondents as regards the selection of the
twelve preparedness measures evaluated in the survey.
Finally, Chapter 6 will offer an interpretation of the survey results, based on the
theoretical foundation provided from the Literature Review. It describes limitations to the
survey and the analytic methodology as revealed during the course of the study. The
chapter also offers an analysis of the survey process and its potential utility as a template
for future research in other geographic or professional communities. Lastly, the chapter
develops a cognitive Framework for Private Sector Preparedness based on an application
of reasoned action theory and the technology acceptance model.
Concluding appendices include additional graphics of the results of statistical
analyses and a copy of the Private Sector Survey of Preparedness and Continuity
Practices as it appeared on the internet.
12
CHAPTER 2: LITERATURE REVIEW 2.0 Overview 2.1 Disaster, hazards and risk research 2.1.1 Disaster as history, sociology and anthropology 2.1.2 Disaster research 2.1.3 Hazards and risk research
2.1.4 Heuristics
2.2 Business continuity management 2.3 Federal agency documents 2.4 Regional approaches and best practices 2.5 The internet
2.0 Overview This chapter reviews literature relevant to the involvement of private sector business,
industry and non-profit organizations in continuity planning, disaster and emergency
preparedness and risk management. By way of organization, it divides the literature into
five groups based on focus and source:
• Hazard, Risk and Disaster Management: This group includes theoretic and
academic literature largely from professional and scientific journals and books
written from a technical perspective by practitioners within those fields (for
example, Birch and Wachter 2006; Haddow and Bullock 2006; Lindell, Prater
and Perry 2007; Perrow 1999 and 2007). This genre also includes literature
dealing with particular disasters and the effects on organizations and
13
communities, often historic and sociological in nature and based on case
studies of specific disasters and the aftermath (Barry 1997; Bolin and Stanford
1998; Erikson 1976; Hoffman and Oliver-Smith 2002; Ripley 2008; Rubin
2006).
• Business Continuity Management: Literature from and for the business
sector—predominantly found in trade publications and a few textbooks—that
focuses on continuity of operations planning (COOP) within specific
professions and industries or teaches fundamental principles applicable across
the business enterprise. This material has been traditionally subdivided among
crisis management, business risk assessment and contingency planning, and
business continuity planning (for example, Dorn 2006; Henry 2006; Kuzyk
2007; Morganti 2002; Sheffi 2007).
• Federal Agency Documents: Government documents issued at the federal
level that establish policy or have been issued as guides for federal state and
local agencies, private sector business or for the use of private citizens and
non-profit organizations. Many of these have either been issued or revised
since the terrorist attacks of 9/11 and the formation of the Department of
Homeland Security (DHS NIPP 2006; DHS NRF 2008; FEMA 2004; HSC
NSPI 2006; NFPA 1600). Virtually all are accessible (and now largely
distributed) through federal agency websites, and many are accessed directly
through links from state and local agency websites. State offices of emergency
management and/or homeland security (and many local jurisdictions at the
county and city level) often issue similar documents crafted for regional
14
geography or local conditions and hazards. Owing to the diversity among
these, this study will not explore documents below the federal level.
• Resources for Best Practices: Documents that develop, collect or adapt “best
practices” literature from professional guides, emergency management or
government documents, and other sources, for use by local organizations,
individual corporations or regional or multi-agency constituencies (Business
Executives for National Security 2007; Magnusson, Thornton, Brady and
Ante 2004; National Congress for Secure Communities
[www.nationalcongress.org]; Citizen Corps [http://www.citizencorps.gov]).
• The internet: The internet provides ready access to documents that span all
four of the categories defined above, and thus has become an extraordinarily
versatile source for acquiring knowledge, recommended methods and best
practices, and regulations and standards pertaining to business continuity
planning, emergency management and disaster preparedness. Most of the
relevant professional journals are also accessible, either through a university
library or commercial library service. As representative examples, this section
presents websites from a federal agency, several consulting firms, a national
non-profit organization, a disaster research center, and a university-based
homeland security institute.
2.1 Disaster, hazards and risk research Two recent publications offer perspectives on the current state of professional and
academic research into emergency preparedness and continuity of operations practice
within the private sector, and the broader relationship between private sector
15
preparedness and community resilience. A 2006 study of the National Research Council,
Facing Hazards and Disasters: Understanding Human Dimensions, observed that prior
to the 1990s, little research had been conducted on private sector disaster preparedness
and most attention focused on research into regional impacts of disasters on communities,
families and society as a whole [Kreps 2006]. Consequently, little had been determined
about impacts on private sector business and industry beyond generalities such as that
“larger businesses are significantly more likely to engage in preparedness activities than
smaller ones” [p. 109]. This began to change in the late 1980s and early1990s with
studies sponsored by the National Earthquake Hazard Reduction Program (NEHRP),
founded in 1977. In particular, studies conducted on the economic impacts of Hurricane
Andrew and the Loma Prieta and Northridge earthquakes focused attention on the effects
that disasters have on individual businesses and also on the economic units that make up
a region’s economic equilibrium, and that make restoration of local communities possible
[Kreps 2006, p. 109].
More recently, the Handbook of Disaster Research [Rodriguez, Quarantelli, and
Dynes 2007] offers a number of perspectives on the current state of disaster and hazards
research, and on continuity of operations planning and risk management. Representative
among those perspectives (and fundamental to the intent of this research project) is the
observation of Kathleen Tierney of the Natural Hazards Center, University of Colorado
(Boulder), that very little substantive research has been done using businesses as a “unit
of analysis” or on the relationships between the economic resilience of individual
businesses—either before or after significant disasters—and whether there is any
correlation to business decisions or planning that was done in advance of those disasters.
16
(Similar observations had been made by Mileti [1999, p. 224] and by Perry and
Quarantelli [2005, p. 387], both cited below). Tierney reaffirms the observation in the
NRC study that “overall larger businesses do more to prepare for disasters than smaller
ones [Tierney 2007, p. 281], but later observes that “in the aggregate and controlling for
other factors, standard recommended preparedness measures have little impact on short-
and long-term business recovery outcomes,” (italics in the original) [p. 291]. This
assertion supports the general conclusion that much research remains to be done in
business preparedness decisions and the potential impact that those decisions have on
local communities. This is particularly so if, as Tierney states, there is little correlation to
be found between the normal efforts of businesses to prepare for crises or disasters, and
the actual outcomes after an event.
As highlighted by these two volumes, prior to the 1990s, little dedicated research had
been conducted on the impact of disasters on private sector enterprise, or on the roles
played by the private sector in disaster mitigation or recovery. The National Research
Council study presents a diagram in its introduction (adapted from an earlier work by
Tierney) that illustrates the traditional approach in hazards and disaster research.
17
Figure 2-1: Core topics of hazards and disaster research [NRC 2006]
As Figure 2-1 illustrates, research is this field has traditionally been subdivided into
two approaches: (1) studies of disasters and the efforts of human societies to respond to
and recover from them; and (2) studies of hazards and risks associated with human
society’s interaction with the natural and man-made environment and measures taken to
mitigate those hazards. The introduction to the NRC study quotes Susan Cutter’s
observation that
“the distinction between hazard, risk, and disaster is important because it illustrates the diversity of perspectives on how we recognize and assess environmental threats (risks), what we do about them (hazards), and how we respond to them after they occur (disasters). ... However, as the nature of hazards, risks, and disasters become more complex and intertwined and the field of hazards research and management more integrated, these distinctions become blurred ...” [Kreps 2006, p. 14]
As Cutter points out, the divisions are not important of themselves, but rather for how
the range of approaches reveals the breadth of the larger problem. That is, the most
important aspect of the diagram is not necessarily the subdivision of the fields, but rather
18
the arrows that describe the interactive and mutually supportive nature of research within
the fields.
While these two fields of hazards and disaster research may be mutually supportive,
neither had focused to any great extent on the specific consequences that accrue to
individual businesses or industries, business sectors, or on the broader impact on the
economic foundations of affected communities that results from the economic loss and
recovery costs from disasters. This had begun to change with the approach of the Y2K
time change in 1999 [MacGregor 2003; Tierney 2007] and has gained momentum since
the 9/11 attacks on the World Trade Center, and most certainly since Hurricanes Katrina
and Rita. At the same time, however, the literature of the business community has rarely
delved into the long-term effects of natural and technological disasters on private sector
enterprise or on the surrounding community.
A useful depiction of this perspective would add a third circle to the NRC diagram
representing professional business literature, policy and research, and illustrating the
relationship between business studies and the hazard, risk and disaster research
communities (Figure (2-3). As in the previous diagram, Figure 2-3 depicts mutual
interaction between the fields illustrated by the double-ended arrows between each circle
of the Venn diagram. Notably, the intersection of the three circles (labeled BCCP for
business crisis and continuity planning4) is considerably smaller than the overlap between
the two fields of hazards and disaster research.
The immediate challenge for research in this field is to expand this area of
intersection with empirical research that might broaden the understanding of the
4 For brevity, Shaw’s convention combining business continuity with crisis planning is adopted here).
19
relationship between risk and hazard perceptions, the effects of disasters and extreme
events, and the role played by the private sector in local and regional resilience.
Ultimately, such research into economic impacts on local businesses and industries of
natural, technological and human-caused disasters might motivate participation in
corporate and community preparedness programs by individual businesses and non-profit
organizations. Much progress in this direction has, in fact, been seen in the professional
literature emerging from the business community since 9/11, as will be discussed in
Section 2.2. Only in recent years, however, has there begun to be much intersection of the
three fields.
Figure 2-2: Business continuity planning and disaster/hazards research
Hazards Research Disaster Research
HAZARD EMERGENCY VULNERABILITY RESPONSE HAZARD DISASTER MITIGATION RECOVERY BCCP
Professional Business Literature
SOCIAL & ECONOMIC CCNSEQUENCES
OF DISASTERS
20
2.1.1 Disaster as history, sociology and anthropology A reasonable starting point for this review is research that explores the economic and
communal impact of disasters from a historical or sociological perspective. Much of this
writing has emerged from field studies of the aftermath of specific disasters, and is
usually focused on effects at the organizational or societal levels, often informed by
personal anecdote and the lived experiences of disaster survivors. David Alexander
quotes Fischer’s observation that “what disaster sociologists actually study is (structural)
change under specialized circumstances” [Alexander 2005, 27]. In many respects, the
most significant of those “specialized circumstances” involves economic displacement, as
well as the geographic or communal displacement customarily noted in large-scale or
regional disasters.
Probably the most significant work in the historical and sociological genre is Kai
Erikson’s description of the 1972 Buffalo Creek incident, when a breached dam above a
West Virginia coal-mining town utterly destroyed a community of 5,000 persons
[Erickson 1976]. His study, aptly titled Everything in its Path, discusses at length the
economic structure of Appalachian coal towns, and the delicate balance between the
inhabitants, the mining industry, the harsh environment and the harsher way of life in that
impoverished region. While focusing primarily on the literal washing away of the
community of Buffalo Creek, Erickson’s observations nevertheless make it clear that a
culture on the margins of survival during routine times does not have the economic
wherewithal to recover from a catastrophe—a point Erickson emphasizes in the prologue
of the second edition regarding the aftermath of Hurricane Katrina [Erickson 1976,
21
reissued in 2006; see also Mileti 1999, 122]. This observation has since been developed
by Cutter, et al, into a Social Vulnerability Index that establishes some 42 dimensions of
vulnerability to natural hazards, many of which can be shown to have an economic basis
[Cutter, Boruff and Shirley 2003; Schmidtklein, Deutsch, Peigorsch and Cutter 2008].
A similar analysis of the broad interplay between disasters and the economics of
human life is to be found in John Barry’s Rising Tide, the story of the development of the
U.S. levee system in the wake of the 1927 Mississippi flood [Barry 1997]. This book
deals with the impact of natural disasters on both local and regional economies, but also
with the competing interests and priorities that arose out of the national campaign to re-
channel one of the largest river systems in the world to control flooding, and the
economic and social consequences that that campaign generated.
In a recent historical review of U.S. emergency management practices entitled
Emergency Management: The American Experience 1900-2005, Claire Rubin offers the
hypothesis that “changes in emergency management policies, authorities, and processes
are event-driven, and major focusing events have provided an opportunity to explore the
effect of disasters on emergency management principles and practices.” [Rubin 2007, 4].
This hypothesis is borne out in the changes in the U.S. levee system described by Barry,
and even by the changes in the coal mining industry’s relationship to its Appalachian
workforce, largely as a result of the notoriety (and a $13.5 million class-action law suit)
arising from the Buffalo Creek disaster.
However, the historical analysis of disasters as social and economic phenomena
points to a paradox in their value for motivating everyday decision-making of the sort
that might shape economic or social policy at the local level or for individual
22
organizations. First, in the same way that risks and hazards are ignored because a disaster
“can’t happen here,” historical disasters—even those of recent history—when analyzed at
the macro-level are all too easily observed as springing from grand causes far removed
from individual lives and affairs. It has been observed that hazards and disasters “reveal
the conceptions, alliances, relationships, social order and disorder, structure, and
organization of a certain community, region, or society,” in a way that constructs a
critical social theory about that society. [Garcia-Acosta (p. 58) in Hoffman and Oliver-
Smith 2002].
This point is echoed by Steinberg in Acts of God: The Unnatural History of Natural
Disaster in America, which analyzes the recurrent image in American history of disasters
as beyond prediction and control, even in the face of considerable scientific and historical
evidence to the contrary [Steinberg 2006]. He notes that what tends to happen is that
historical events of catastrophic proportions enter the collective memory as “archetypes,”
which transcend the efforts of normal political and social processes to resolve. [Steinberg
2006, 25] The destruction of New Orleans from Hurricane Katrina—which had been
predicted with eerie accuracy in a New Orleans Times Picayune article in 2002
[Steinberg 2006, 198]—is a case in point. More recently, the devastation of Galveston,
Texas from Hurricane Gustav—echoing the great hurricane of 1900—reinforces the
relative ineffectiveness of history in mitigating human social behavior, particularly the
urge or commitment to rebuild and endure, despite the challenges that nature imposes.
Given this perspective, it may be unrealistic to expect that individual commitment—such
as a small business owner’s decision to develop a detailed evacuation plan, or to site his
offices outside a flood plain—would be tempered through the study of disaster history.
23
On the other hand, the sort of immediacy required for motivating private sector
engagement may be found from personal accounts of disaster survivors such as those that
have emerged from the terrorist attacks of September 11, 2001. An example is Amanda
Ripley’s The Unthinkable: Who Survives When Disaster Strikes and Why. This book
includes an array of anecdotal information and interviews with survivors of disasters, and
explores personal experience in disaster survival that is more in line with the case-based
approach that typifies much of the genre in business and professional literature. Of
particular merit are the stories of individuals, offices and entire floors that escaped
destruction in New York City during the attacks on the World Trade Centers on
September 11th, 2001. Three particular points emerge from this book that have merit for
business preparedness for the unexpected and unpredictable: (1) the need for clear
instructions and authoritative leadership during crisis situations; (2) the value of planning
reinforced by rehearsals and drills, particularly for challenging situations such as rapid
evacuation from skyscrapers and building complexes; and (3) the importance of trust as
the critical element in an effective warning system [Ripley 2008].
Further insight into the relationship of disaster to economic effects at the individual
and societal levels is provided by cultural anthropology. In Catastrophe and Culture,
Hoffman and Oliver-Smith observe that
“Disasters, no matter how large, are experienced first at the local level. Even an enormous disaster affecting great areas and legions of people, while it may result from a single climatological, geological, or technological phenomenon, ultimately comes down to a compendium of local but related disasters experienced throughout the region. Not all communities experience a disaster in the same way or to the same degree; each undergoes a catastrophe in the context of its own profile of vulnerability. The same disaster agent will show great variation in patterns of destruction as well as interpretation of cause, effect, and responsibility. Such variation challenges more global, macro approaches.” [Hoffman and Oliver-Smith 2002, 13].
24
The view that “all disasters are local” is hardly unique to cultural anthropology. And yet,
this perspective highlights a common theme among most analyses of disasters and their
effects: the relationships among individuals, social classes, communities, regions and
nations, and how a disaster resonates in the public mind owing to differing perspectives.
This “framing” of disasters often illuminates, but can as easily obscure, important
dimensions of an event, particularly given the focus that is often provided by the media
[Button 2002, 146]. This is one cause of what is often a tension between policies adopted
at the national, state or local levels, and the pursuit by private citizens or groups of efforts
that are incompatible with those policies. A relevant example—and the specific subject of
this study—is the frequent statement in recent federal homeland security documents that
the private sector needs to become more involved in coordinated preparedness and
planning efforts, at the same time that the private sector has been largely resistant to
becoming involved in centrally coordinated homeland security initiatives.
This problem has particular resonance when differing perspectives on disaster
preparedness or response capability are driven by what cultural theorists have described
as a society’s or community’s active selection of risks to be accorded attention. The work
of anthropologists Mary Douglas and Aaron Wildavsky was the first to formulate a
theory and structure for how and why societies select the risks they do [Douglas and
Wildavsky 1982; also Thompson, Ellis and Wildavsky 1990; and Ellis and Thompson
1997]. Their formulation is more than a method for understanding priorities within a
bureaucracy. Rather, it represents four competing world-views—often depicted as a
quadrant of four groups— which organize priorities according to fears and threats to
power relationships. Mileti has observed more directly that risk and vulnerability are part
25
of the “shared culture” of a society and often reflect the interplay among political, social
and economic priorities within that society [Mileti 1999, 121]. An anthropologic or
cultural theory of this sort seems “academic” until one applies it to a problem such as the
U.S. response to Hurricane Katrina and the clear preferences established by the
Department of Homeland Security for focusing preparedness and response investments
(representing significant federal funding allocations) on “low-probability, high
consequence” terrorist events, rather than on the known threats of flooding and hurricane
preparedness in historically vulnerable regions [Cooper and Block 2006].
Another relevant insight into the cultural dimensions of organizational decision-
making and prioritization of resources comes from the work of Hofstede. His five-year
study of 72 international offices of IBM (which at the time of the study in the late 60s,
was as homogenous a corporate culture as was likely to be found) identified five
fundamental relationships that defined the values with an organization, and which can
vary among divisions of an otherwise cohesive organization. These included
• Power distance – the extent to which less powerful members of an organization accept and expect that power is distributed unequally;
• Uncertainty avoidance – the extent to which a culture programs its members to
feel either uncomfortable or comfortable in unstructured situations;
• Individualism versus Collectivism – the degree to which individuals are expected to look after themselves or to remain integrated into groups;
• Masculinity versus Femininity – the distribution of emotional roles between the
genders, i.e., “tough” masculine to “tender” feminine groups;
• Long-term versus Short-term orientation – the extent to which a culture programs its members to accept delayed gratification of material, social and emotional needs. [Hofstede 2001]
26
These relationships are particularly pertinent to collaborative decisions made by members
of a community when faced with an imminent or evolving disaster, and also contain
lessons for the balance that must be struck between central control, regional identity and
local autonomy—particularly in a federalist state system such as the United States.
2.1.2 Disaster research One of the earliest comprehensive assessments of the field of disaster research was a
study funded by the National Academies of Science in the mid-1990s and published in
1999 under the title Disasters by Design. That work was the progeny of an earlier (1975)
National Academies study by G. F. White and J. E. Haas that attempted to assess the state
of research into U.S. disasters at that time. Dennis Mileti, chairman of the 1999 study,
points out that it was difficult to directly attribute the 1975 study with any general
improvements in preparedness, recovery or mitigation policy. However, he emphasizes
that the impact on the disaster research field was profound insofar as it sparked
development of a “hazards community” growing out of the cadre of academic researchers
and graduate students that were involved in the initial study [Mileti 1999, p. 316].
Disasters by Design did not specifically address the role of the private sector in
providing an economic foundation for recovery, or define the need for coordination
between public and private sector entities in regional or community preparedness. It did
cite the general role of sound local economies in community resilience and recovery, and
devoted a chapter to aggregate national costs of various types of disasters. However,
specific focus on the private sector is limited to mention of the insurance industry’s role
in recovery and the responsibility of the private sector for mitigating the effects of
technological hazards [Mileti 1999, p. 213]. In the only two paragraphs devoted
27
specifically to private sector preparedness, Mileti notes that ‘the strongest predictor of
preparedness among businesses is size, followed by previous disaster experience, and
owning rather than leasing business property” [p. 218]. He states, however, that “studies
of the response of private sector organizations to disaster situations were virtually non-
existent” and that “little is known about how private organizations actually respond when
faced with disaster related demands” [p. 225].
As noted in the introduction to this section, Mileti’s 1999 finding was reaffirmed in
2007 by Kathleen Tierney in the Handbook of Disaster Research. In a relatively short
(21 page) article, Tierney provides an assessment within the disaster research field of the
state of research on business preparedness and the effects of disasters on private sector
enterprise. Perhaps the most significant aspect of this article is Tierney’s emphasis on the
relationship between the effect of disaster on individual businesses and on the community
as a whole. In particular, she emphasizes that the ability of the business community to
withstand stress and recover gracefully is often a function of decisions made and policies
adopted by the larger community.
The fates of businesses following disasters are influenced by such community-level factors as whether their communities had been effectively managing hazards through prudent land-use strategies; whether they had adopted up-to-date codes for new construction; whether they required retrofitting for structures that do not meet codes; and whether steps had been taken to reduce disaster-induced lifeline service disruption. ... [T]he fates of individual businesses also depend on local capacity to manage the recovery process, which includes the ability of the community to under-take pre-disaster recovery planning; gain access to, package, and leverage different sources of aid for businesses; and take advantage of knowledgeable experts both from within and outside the community during the recovery process. [Tierney 2007, p. 278-9].
Part of the disadvantage that both communities and their businesses suffer is that “the
consequences of local infrastructure failures for larger infrastructure systems, as well as
28
for businesses and business sectors, may become apparent only when disaster strikes.”
[Tierney 2007, p. 279]. These effects include damage resulting in direct impact of
disaster events, such as physical property damage and loss of inventory and business
records, as well as indirect effects including disruption or interruption of supply and
delivery chains and utility failures that affect regional economies. [p. 282]. Other
significant effects on business continuity include the loss of customer base due to
evacuations or local community degradation; time required for business restoration and
reclamation processes; and divided attention and priorities among employees when their
families and own homes require attention. Any or all of these may adversely affect
business operations, even if a business entity suffers no physical damage to its own assets
or properties [p. 283].
On the broader scale, business recovery at the individual business and community
level is dependent on a number of factors including government support to local recovery
efforts; recovery of local infrastructure and utilities; loss of customer base and revenue
stream; and ability of businesses to adapt successfully to the new, post-disaster operating
environment [Tierney 2007; also Alesch 2001]. Of particular value is the distinction
Tierney draws between “inherent resilience” and “adaptive resilience” in determining
business vulnerability and potential for recovery. Inherent resilience is a function of a
business’s characteristics that make it inherently less vulnerability relative to other
businesses in the affected region. These factors include relative size and financial
condition prior to the disaster; diversified market base and a more robust market niche;
mitigation steps and continuity measures adopted and practiced. Adaptive resilience, on
the other hand, is more reflective of an attitude and an ability to adapt to the changed
29
circumstances. This includes not simply shifting market focus or business plan, but
potentially abandoning operations in the affected region and moving, changing service
sectors, or even abandoning a failing enterprise and beginning anew [Tierney 2007;
Alesch 2001]. Lastly, Tierney cites the work of Miles and Chang in modeling factors
that affect the recovery process based on research into earthquake recovery. Their studies
indicate that a significant factor in successful business recovery is the recovery of
transportation, infrastructure and support services in the affected region [Tierney 2007;
Miles and Chang 2003]. The significant contribution of this perspective—and of
Tierney’s article more broadly—is to highlight the linkage that exists between the
vulnerability and resilience of individual businesses, the larger business and economic
environment of the affected region, and the vulnerability and resilience of the entire
region or community, to include the resilience of its human population.
A more comprehensive view of this relationship has been pursued by Susan Cutter
and other researchers in the development of a Social Vulnerability Index (SoVI). Social
vulnerability is an approach to identifying factors among populations, regions and
communities that account for variations in the sensitivity to hazards and the ability to
respond and recover from the affects of disasters [Cutter and Finch 2008]. It is based on
work over several decades within the social science community that has identified a
range of factors as determinants of vulnerability among populations. Among those are
“lack of access to resources (including information, knowledge, technology; limited
access to political power and representation; social capital, including social networks and
connections; beliefs and customs; building stock and age; frail and physically limited
individuals; and type and density of infrastructures and lifelines” [Cutter, Boruff and
30
Shirley 2003, p. 245]. In developing a Social Vulnerability Index, Cutter’s team
identified over 250 variables, which were in turn reduced to 42 and used in the analysis
of over 3,100 U.S. counties to develop an index of relative vulnerability to natural
disasters. The resulting analysis yielded eleven salient factors that explained 76% of the
variance among all the counties analyzed. Table 2-1 below lists the determining factors
and dominant variables that Cutter’s analysis revealed.
Table 2-1: Dominant variables of social vulnerability (Adapted from Cutter, Boroff, and Shirley 2003, p. 252).
Factor Name Dominant Variable 1 Personal wealth Per capita income 2 Age Median age 3 Density of the built environment Nr. of commercial establishments per mi2 4 Single-sector economic dependence % employed in extractive industries 5 Housing stock and tenancy % housing units that are mobile homes 6 Race—African American % African American population 7 Ethnicity—Hispanic % Hispanic population 8 Ethnicity—Native American % Native American population 9 Race—Asian % Asian population 10 Occupation % employed in service occupations 11 Infrastructure dependence % employed in transportation, communications, and public utilities
The significant aspect of this work is the clear economic dimension to all of the
dominant variables that Cutter’s analysis identified. Exposure to hazards—whether
environmental, technological or societal—clearly determines the frequency and potential
impact of a specific disaster event in a given geographic location. However, the ability of
a region and its population to sustain an impact and recover effectively is largely a
function of socioeconomic factors. Though not apparent in Table 2.1, the accompanying
analysis in Cutter’s article makes clear, for example, that resource availability and
infrastructure development, imbalances or deficits in the percentage of working
31
population, and education and type of employment all contribute to socioeconomic status
and thus to the general vulnerability of a region to the potential effects of a disaster. As
Cutter summarizes,
Social vulnerability is born from inequality and its social and political consequences. In many ways, it mirrors the geography of inequality and poverty. Within the context of natural hazards, the SoVI helps determine which places may need specialized attention during immediate response and long-term recovery after a natural hazard event, given the sensitivity of the populations and the lowered capacity to respond. [Cutter and Finch 2008, p. 2305].
Based on this foundation, a more detailed investigation into preparedness and continuity
planning among private sector employers may enhance understanding of the relationship
between the viability of local economies and general civic preparedness and resilience.
Another foundational work in the field of disaster research was the 2005 study of
Perry and Quarantelli, What is a Disaster? [Perry and Quarantelli 2005]5. This book
directs attention to the problem of defining the term “disaster” and the varying
perspectives that have shed light on the subject. Of particular note is Quarantelli’s
assertion that disasters should be forcefully decoupled from hazards because a “focus on
disasters calls attention to the social nature of such happenings; a focus on hazards tends
to emphasize physical and natural phenomena. With rare exceptions little can be done
about the latter; much can be done about the former” [Quarantelli in Perry and
Quarantelli 2006, 342]. This statement originates from two fundamental distinctions
between hazards and disasters: (1) disasters are “social occasions” that can be largely
attributed to human decisions and human actions, and not environmental or ecological
phenomena; and (2) hazards, while possibly contributing to disasters, are merely one in
5 The study is a reassessment and expansion of a prior work, Quarantelli, E.L. (1998) What is a Disaster—Perspectives on the Question. London: Routledge.
32
usually a series or sequence of decisions, policies or action that lead to the failure of
human systems in avoiding or preventing a disaster. [Quarantelli, 2006 pp. 342-343].
This understanding of disasters as social events reinforces the broad concept of social
vulnerability as originating in often long-term policy and economic decisions such as
where to site cities, neighborhoods and industries; whom to empower and whom to
exclude from political and social decisions; and how to structure a local economic base
and distribute its benefits.
The subject of disasters is never far removed from the expense of disaster outcomes
and the costs of mitigation and preparedness. Mileti devoted an entire chapter of
Disasters by Design to the losses, costs and impacts of disaster. The National Research
Council similarly included an extensive section in the 2006 study on the direct and
indirect losses associated with disasters, including a discussion on the operational
vulnerability of businesses [Kreps 2006, p. 80]. And though it was not a central focus of
the work—the book concludes with Quarantelli’s observation that the “what, why and
who [of private sector involvement in disaster response] are totally unknown territories”
[p. 387])—What is a Disaster? contains observations about the economic dimensions of
disasters that could be applied directly to regional or local economies, and which are
potentially applicable to individual businesses.
For example, the essay by Neil Britton cites a “growing realization that what humans
do in the normal course of their lives can magnify the vulnerability of their community.
Steps taken to manage risks of extreme events can be justified to the extent that they
deliver a net benefit to society” [Britton 2005, p. 67]. Britton cautions that attempts to
manage risks will impose costs as well as benefits, but observes that emergency
33
management is beginning to broaden its traditional focus on minimizing losses from
disasters to include supporting sound investment decision-making within the community
[pp. 67-68]. This broad reference to the relationship between routine human decisions
and activities and the potential for a benefit to society alludes to the possibility of a return
on investment for daily actions that can pay dividends in local preparedness.
In a later chapter, Barton develops a Typology of Collective Stress Situations related
to phases of and proximities to disasters. The typology supports Barton’s definition of a
disaster as a form of collective stress “in which members of a social system fail to receive
expected conditions of life from the system” [Barton 2005, p. 126]. Table 2-2 provides a
view of this model.
Table 2-2: Typology of collective stress situations [Barton 2005]
A TYPOLOGY OF COLLECTIVE STRESS SITUATIONS
NATIONAL REGIONAL SEGMENTAL LOCAL
SUDDEN Nuclear war Invasion Economic crash Rebellion
Earthquake Major flood Nuclear plant meltdown Hurricane
Ethnic massacre Corporate layoff Expropriation of a class
Tornado Explosion Ghetto riot Plant closing by employer
GRADUAL Depression Epidemic Environmental decay Government breakdown
Famine Drought Price collapse of main crop Land exhaustion
Aborigines dying off Obsolete occupation Rise of group discrimination Addiction to harmful substances
Decline of main industry Environmental pollution Land sinking Coal seam fire
CHRONIC Poverty Endemic disease Wartime bombing Colonialism
Backward regions Endemic disease Internal colonialism
Enslavement Race or class discrimination, persecution Political persecution Gender or sexual discrimination
Slum, ghetto, rural slum Pockets of joblessness High crime areas
34
Significantly, Barton’s typology includes a number of economic and business-related
stressors (economic crash; corporate layoff; decline of industry), emphasizing that there
is a broad range of events that have psychological impact similar to that of natural
disasters, but may be solely economic or business-related in cause. Barton’s typology is
also instructive for economic or business-related preparedness because it distinguishes
between disasters viewed from the national, regional or local levels, and also with regard
to whether they emerge suddenly, gradually, or from chronic social conditions.
A question for private sector entities is whether a localized disaster involving a single
business requires the same disaster preparedness measures as a disaster stretching across
an entire region. That is, is the definition or meaning of “disaster” for private sector
businesses more or less variable than the definition of “disaster” for a community, region
or nation? If so, does the difference have any meaning for how private sector entities or
non-profit organizations should think about preparedness, response and mitigation?
Barton’s typology could serve as a useful framework for assessing business continuity
plans in that respect. By dividing the question into both temporal and geographic
perspectives—in the manner of Barton’s typology—plans could be organized and
evaluated to cover the entire scope of both foreseeable and unforeseeable risks presented
to an organization or a business enterprise.
A second useful model or heuristic is provided by Smith, who illustrates phases of a
disaster event according to the actions available to the management team dealing with the
situation, and the outcomes or processes that result [Smith 2005, p. 218]. Table 2-3
provides a condensed version of Smith’s model.
35
Table 2-3: Crisis management framework [Smith 2005] (modified)6 Phase of the event
Characteristics and Processes
The crisis of management
- Role of assumptions and beliefs in shaping decision-making for disaster prevention (group think) - Reluctance to consider and plan for worst case scenarios due to perceived low probability of occurrence (and high cost of intervention) - Distraction of decision-making bodies by other issues which are given priority - Trade-offs made between “risk” and benefit—risk minimization - Failures in “management” to identify and prevent erosion of defenses - Excessive power given to technocratic elites in decision-making - Difficulties around communication inhibit early warnings of potential disaster - Emergent properties in complex systems generate conditions beyond the tolerance of control systems - Creation of pathways of vulnerability and fractures within control systems - Erosion of resilience
The operational crisis
- Trigger events expose weaknesses in the crisis management system - Release of “energy” or emergent properties cause damage and disruption - Emergent properties exceed capabilities of contingency plans - Need to utilize additional resources to deal with demands of the event - Need for containment and control; mobilization of rescue and recovery teams - Additional demands placed on other organizations to deal with damage - High task demands from vulnerable populations generates “political” problems - “Crisis management teams” mobilized to deal with task demands of the event - Constrained communications and control may compound initial problems - Prior failure to train rescue and crisis teams may lead to escalation of the event - Involvement of media increases the profile of the event and heightens stress levels for those charged with “management” of the problem - Mobilization of aid and resources from outside of the “region of damage”
The crisis of legitimation
- Need for rehabilitation, stabilization and recovery - Investigation of causal factors and lessons to be learnt–high level of government involvement - Re-evaluation of control mechanisms and contingency plans - Heightened possibility of scape-goating through a search for culpability - Organizational learning constrained due to assumptions of those “managing” the process - Media investigations into the cause of the event and the attempts at dealing with its demands - Impact on financial performance of organization or state through rehabilitation and recovery demands - Failure to address the core problems or assumptions and beliefs leading to single-loop learning
6 Smith’s original model provides a more elaborate listing of Characteristics and Processes involved in crisis development. For brevity’s sake some of the text has been condensed here.
36
Smith’s model would support examination of “what went wrong and why,” and thus
would be a valuable tool for generating lessons learned following any crisis or disaster
(and, perhaps, anticipating future events). It also illustrates phases of an investigation into
a seriously flawed response—such as Hurricane Katrina or the Challenger launch
decision—with separate focus on operational decisions made to respond to the actual
crisis; how those decisions were affected by the organizational biases and assumptions of
the decision-makers; and how those decisions highlight flaws that call into question the
legitimacy of processes and methodologies used by the leadership to formulate those
decisions. Smith’s model defines a disaster by highlighting its phases and management
challenges, starting with planning and communications decisions (or lack thereof) that set
the stage for a potential crisis in operations and execution that then leads to a crisis of the
legitimacy of the organization and its leadership. If carefully analyzed, this template
could serve as a tutorial for business crisis and continuity planning that would not be far
off the mark.
To reiterate, the models provided by both Barton and Smith are intended to illustrate
aspects of a definitional problem within a text that only minimally addresses private
sector disaster preparedness or continuity planning. Nevertheless, both heuristic
approaches provide insights that could be applied to private sector preparedness and
continuity planning. Chapter 3 will discuss the use of heuristic devices in the
development of business crisis and continuity plans.
In the summary chapter of this book, Quarantelli highlights what is perhaps the
fundamental problem with attempting to draw consistent lessons from disaster research
and apply them to the unit or organizational level, as one would in applying those lessons
37
to individual private sector enterprises or organizations. While this lesson (like the book
itself) is not directed at the private sector, it resonates with the scope of the problem faced
by private sector entities—both internally for large organizations, and in cooperative
efforts with other organizations in a community affected by disaster:
This [model] argues that organizations (and in our view, societies) instead of having clear and consistent goals and values operate instead from a variety of inconsistent and ill-defined preferences. Different social entities at different social levels have different and incompatible views at different times; preferences may not be known until after choices are made. In addition, different parts of the system do not know what others are doing; what happened in the past and why it happened is not clear, and the connections between the actions taken and the consequences of such actions are obscure.” [Quarantelli 2005, 337].
The variability in the organizational objectives and intentions that Quarantelli notes is
equally evident in the methods and abilities of organizations to actually survive disasters.
In one of the few studies to examine business responses to specific disasters, Daniel
Alesch and a team of researchers surveyed responses and outcomes to a range of disasters
by over 100 small businesses and non-profit organizations from 1992 to 2000 [Alesch,
Holly, Mittler and Nagy 2001]. This also included longitudinal surveys from a previous
study of business responses to the Northridge Earthquake (cited in section 2.2 above).
Among their findings was that “organizational failure takes many forms,” and conversely
that “survival and recovery take many forms” [p. 18]. This is so because failure or
survival and recovery can be defined in a number of ways depending on changes in a
business’s earnings, decisions to continue functioning after suffering a disaster and the
consequences, whether or not recovery financing was attained, whether successful
relocation was managed, and a host of other results.
38
Of immediate value for businesses is the summary version of the study’s results, After
the Disaster, What Should I Do Now? [Alesh, Holly, Mittler and Nagy 2002], published
through the Public Entity Risk Institute (website noted in section 2.2.5 below). This 7-
page document amounts to a quick and dirty survival guide for business planning prior to
and immediately after a disaster. The document highlights four key findings:
• Disasters cause problems for businesses unrelated to the damage they sustain
during the event;
• Unless business owners make good decisions about recovery, the greatest losses
come in the years following the disaster and not from direct damage;
• Following a disaster, things never get back to normal; the goal is to adjust to the
new business environment that will exist in the affected community;
• If correct decisions are made, the owner of a business can survive and achieve
viability in the post-event environment [p. 2].
The remainder of the document summarizes empirically derived steps that resulted in
successful transitions of businesses in disaster-affected regions to operations in the new
post-disaster environment.
Two other recent publications contain sections addressing broader private sector roles
and contributions to homeland security and resilience. The first, Stephen Flynn’s The
Edge of Disaster, is a critical view of the current state of homeland security in the United
States, to include first responder preparedness and the integrity of the nation’s critical
infrastructures. The problem as Flynn sees it is that:
“the design, ownership, and day-to-day operational knowledge of many of the nation’s most essential systems rest almost exclusively with the private sector, both foreign and domestic. But safety and security are public goods whose provision is a core responsibility of government at all levels.” [Flynn 2007, p. 141].
39
Among the solutions Flynn offers is to “tap into the private sector” to mobilize
readily available technologies and expertise and to incentivize private sector investment
and collaboration with federal and local government to strengthen local resilience. The
objective is to develop a “business case” for private sector investment in security and
preparedness [p. 136]. Incentives to the private sector would include insurance protection
made affordable through government policies that reduce barriers to comprehensive
insurance; streamlined information sharing among public and private sector entities to
improve security; and regional partnerships between private sector business and non-
profit organizations to support more vigorous community efforts at problem solving. The
prerequisite for these initiatives, Flynn asserts, is to eliminate the “slavish adherence to
free-market and small-government orthodoxy” that has hamstrung federal leadership to
mobilize private sector initiative [p. 149].
The second recent book to directly address private sector involvement in homeland
security and regional resilience is On Risk and Disaster: Lessons from Hurricane Katrina
[Daniels, Kettl and Kunreuther 2006]. As the title implies, this volume is focused more
on addressing risks from natural (and technological) events—such as Hurricane
Katrina—than on the national and homeland security aspects as Flynn’s book does.
Nevertheless, the book arrives at many of the same conclusions. (Interestingly, this may
reflect an emerging consensus on basic principles and an all-hazard approach to
preparedness as a means of reinforcing national security). The basic premise of the book,
as stated in the introduction, grows out of the U.S experience witnessed during Hurricane
Katrina, and the failed social and governmental response:
“We must find a way to distribute risks equitably in order to push our democracy closer to its promise of liberty and justice, not only for the affluent but for all. Rising
40
to this challenge demands that the public and private sectors collaborate to develop effective prevention strategies and coordinated responses to natural disasters, industrial accidents, terrorist attacks and pandemics.” [Daniels, Kettl and Kunreuther 2006, p. viii].
In the chapter entitled, “Private Sector Strategies for Managing Risk,” Meyer
identifies three key biases that predispose private individuals and the private sector to
routinely fail to prepare adequately for risks:
• a tendency to focus on short-term feedback (i.e. recent experience);
• a tendency to imagine the future as an extrapolation of the present; and
• discounting the value of ambiguous future rewards compared to immediate costs
[Meyer 2006, p. 154].
On the societal and political scale, these cognitive biases explain why the levees in New
Orleans were inadequately designed and engineered, and why upgrades were habitually
deferred; on the personal level, they explain why the experience of successfully preparing
for smaller storms had more impact on New Orleans residents’ thinking than the rare
experience of having to rebuild after inadequate preparation for the exceptional storm.
Such biases explain why organizations and citizens routinely make incorrect calculations
of risk (as noted by Perrow, 1999) and act on false assumptions of expected outcomes
and costs.
One traditional means of remedying the inability of people to make correct judgments
about risk and take appropriate mitigating actions is to provide insurance to cover for
losses when judgment fails, or measures taken prove inadequate to the circumstances.
Kunreuther [p. 175] argues for establishment of a comprehensive disaster insurance
program that would provide common protection against all hazards. Insurance industry
41
efforts to accommodate this would need to be backstopped by multi-state insurance pools
to defray risks and costs, as well as federal support for catastrophic regional damage that
might exceed private sector capabilities. A three-tiered system of this sort would demand
a public-private sector cooperative effort to balance regional risks against individual costs
[p. 199]. An independent analysis has estimated that this strategy could result in as much
as $11 billion in insured savings per year [Chernick and Appel 2007].
In a third article, Harrington offers three suggestions for building incentives for the
private sector to become more actively engaged in mitigating local and regional risks:
• allowing private catastrophe insurance premiums and coverage availability to be
determined by competition among insurers, rather than through federal regulation;
• reducing corporate tax disincentives for supplying private insurance against large
losses from extreme events; and
• constraining federal disaster assistance after major disasters in order to develop
stronger incentives for mitigation measures and acceptance of private insurance.
Like the treatise by Flynn, the articles in On Risk and Disaster deal with developing
stronger policies and means for improving regional and local preparedness through
engaging private sector resources, and structuring incentives and disincentives to ensure
greater public adoption of private sector initiatives. These ideas are not directed at
protecting businesses or making them more resilient against disasters, except insofar as
they, like private citizens, would be “customers” or recipients of these initiatives.
However, according to these authors, the overall resilience of the nation could be
improved by permitting the private sector to engage more fully in mitigation,
preparedness and response.
42
2.1.3 Hazards and risk research If the distinctions between the disaster research field and that of hazards and risk
research are blurring, as Cutter observed, there is one aspect in which the distinction
seems more clear. In disaster research, the attention to a broad range of natural and man-
made hazards has inclined contemporary research toward identifying “all-hazards”
capacities for mitigation, preparedness, response and recovery—thus the emerging
emphasis in this field on “resilience” as a broad-spectrum approach to building capacity
for disaster survival and restoration of community regardless of the nature of the disaster
that befalls. One recent study has defined community resilience as a set of networked
adaptive capacities that enable the community to identify resources that can ensure
stability through disasters and environmental stress, and to mobilize those resources for
the protection and benefit of the community [Norris, Stevens, Pfefferbaum, Wyche and
Pferfferbaum, 2008].
Traditional hazards and risk research, on the other hand, might be characterized as
taking a more economic approach in its analysis. That is, fundamental to hazards and risk
analysis is a recognition that resources are finite and therefore decisions must be made—
typically without full knowledge about potential consequences—concerning which
hazards to emphasize, given that organizations will face competing demands. As a
consequence, attention has focused on identifying which hazards present the highest risks
and the most likely worst-case scenarios against which to plan, and then instituting
appropriate policies and programs based on the resources available. For example, the
purchase of insurance by private individuals or businesses has traditionally been
characterized as a calculation of expected utility when weighing the cost of insurance
43
versus the benefit of being insured against possible loss, while at the same time
recognizing that paying for one form of insurance (i.e., liability) may mean that some
other outlay may be deferred (such as flood insurance). Declining to insure against less
certain flood damage may free up assets for better personal liability coverage; however,
the risk of flood damage must then be assumed by the individual or corporation [Slovic
2000] (see the discussion below). At the national level, the federal government’s focus
since September 11th 2001 on protecting the passenger airline system against terrorist
attack—at the perceived detriment to other national security priorities—is an example.
Recently an “all-hazards” approach to risk assessment and contingency planning has
begun to emerge within the business sector, as well as within the Department of
Homeland Security similar to that in the emergency management community. However,
the emphasis has been on achieving economies of scale through a more comprehensive
plan for preparedness and continuity of operations. This will be addressed later in this
section.
A further distinction that Mileti makes in Disasters by Design is that social
responsibility for risk reduction is more focused on the private sector in the case of
technological disasters than for natural disasters [Mileti 1999, 213]. This is so because
technological hazards are often seen as the by-products of private sector technology
development (sometimes with government funding or sponsorship) where the risk is born
by an exposed public, often without their consent (i.e., transport of hazardous materials;
electro-magnetic fields from transmission lines; nuclear power generating stations). As a
consequence, the attention of private sector entities has often been on protection of the
products or functions for which an organization or corporation has public liability.
44
Prior to 9/11, literature in the hazard and risk community focused to a great degree on
public acceptance of technologies and the corporate and government role in insuring
public safety against the statistically rare, but catastrophic events that have so often
shaped public opinion about the hazardous nature of advanced technologies. The first
comprehensive study of this issue is Perrow’s 1984 book Normal Accidents [2nd
publication in 1999]. The book’s subtitle “Living with High-Risk Technologies,”
provides the basic premise of the study: given the complexity of modern technologies,
risk of catastrophic failure with a potential for disaster cannot be eliminated and must
therefore be accommodated because of the fundamental role those technologies play in
society. Perrow’s study evaluates a pantheon of high-technology systems that have met
with occasional catastrophe: nuclear powered generating stations; petrochemical plants;
aircraft and air traffic control; maritime navigation leading to ship collisions and
groundings; dam failures; space vehicle accidents; military weapons systems
malfunctions. Perrow’s postscript in the 2nd edition further cites the Bhopal and
Chernobyl accidents, the destruction of space shuttle Challenger, and the potential for
massive control system failures in the Y2K time changeover, which had transpired since
the publication of the first edition.
Perrow concludes that systemic risk is unavoidable in modern, complex societies. The
risks inherent in complex technologies must be understood to the best degree possible,
but ultimately those risks cannot be engineered out of society. Analysis, at best, can
inform decisions and recommend whether to tolerate and improve, to restrict, or to
abandon certain high technology systems. However, these considerations must be
weighed alongside other social, economic and political priorities. Doing so in a
45
transparent and understandable fashion would likely make societal risks more acceptable
to the public.
In a more recent analysis written after 9/11 and Hurricane Katrina (The Next
Catastrophe, 2007), Perrow describes three fundamental vulnerabilities that the nation
unavoidably faces:
• Concentrations of energy such as explosive and toxic substances (i.e. industrial storage and processes); flammable substances including brush and scrub forests; and dams; (this includes critical infrastructures on which whole regions depend for economic stability and public services);
• Concentrations of population particularly in risk-prone areas, such as in close
proximity to the aforementioned hazardous substance sites and industries, and developments in flood planes, earthquake zones, forested areas prone to wildfires, and coastal areas prone to hurricanes;
• Concentrations of economic and political power particularly in critical industries
such as electrical power generation, telecommunications and the internet, and agriculture production of critical food supplies. Aside from the raw industries and production, this concentration includes economic clout that ensures deregulation of industries, reduces market competition, and concentrates political influence. [Perrow 2007, p. 6].
The parallel between these vulnerabilities and the factors identified in the Social
Vulnerability Index of Cutter, et al, is striking, and indicates the degree to which—as
Cutter noted—the fields of analysis appear to be merging toward consensus on the
inherent risks, scope and distribution of hazards in American society.
The significance of Perrow’s study to the issue addressed in this thesis is that it
typifies the priority given prior to 9/11 to the development and management by private
sector industry and government agencies of high-technology systems that hold potential
for catastrophic failure affecting the public and social sphere. In the hazard and risk
analysis field, research was largely directed toward quantifying and analyzing risks and
reconciling them with research into public perceptions of those risks. This was done, as
46
Perrow points out, to aid policy-makers in analyzing courses of action for technology
development and often for “selling” those technologies to the public.
With the increase in risk and public concern today, a new field of risk assessment has grown up, giving advice and (usually) legitimating the decisions of elites in the private and public sectors. At the behest of Congress, regulatory agencies have appeared in large numbers, and another function of risk assessors is to second-guess these agencies’ awkward attempts to do a very difficult job. ... This is a very sophisticated field. Mathematical models predominate; extensive research is conducted; and the esoteric matters of Bayesian probabilities, ALARA principles (as low as reasonably achievable), “discounted future probabilities,” and so on are debated in courtrooms as well as academic conferences. Some of the best scientific and social science minds are a work on the problem of “how safe is safe enough?” [Perrow 1999, pp. 307-308]7.
Perrow highlights that much of the work in the hazard and risk analysis field has been
directed toward defining risk and attempting to clarify society’s understanding of risk-
based decisions so as to improve social policies and resource investments, particularly
with regard to advanced technologies and hazardous substances. The challenge is
described succinctly in Slovic’s The Perception of Risk as “the need to make the
decision-maker’s perceptions of the hazard more accurate and the need to make him
aware of a more complete set of alternative courses of action” [Slovic, Kunreuther and
White 1972, in Slovic 2000, p. 24]. This book is a compilation of 25 years of research by
leaders in the field of risk analysis and risk perception. The question for this study is how
that research has been directed toward enabling individual businesses and private sector
enterprise to make better risk-based decisions.
7 A similar observation is made by Slovic “The practice of risk assessment has steadily increased in prominence during the past several decades as risk managers in government and industry have sought to develop more effective ways to meet public demands for a safer and healthier environment. Dozens of scientific disciplines have been mobilized to provide technical information about risk, and billions of dollars have been expended to create this information and distill it in the context of risk assessments” [Slovic 2000 p. 391].
47
The most direct applicability of hazards and risk research to business and private
sector concerns is the development of principals or methodologies for making complex
business decisions less “risky.” One example has been the attempt by risk researchers to
clarify the seemingly basic concept of insurance. Kunreuther’s proposal to establish
comprehensive disaster insurance as a means of accounting for bad judgments in
insurance decisions, and to ensure equitable sharing of social and economic risks has
already been cited [Daniels, Kettl and Kunreuther 2006]. Slovic further describes a series
of studies conducted over several years to determine rationales for private insurance
decisions. One key finding is that people consistently countermand principles of expected
utility theory by purchasing low-deductible policies that cover minor incidents with a
perceived high rate of occurrence, while avoiding insurance covering low-probability but
high-consequence, or catastrophic events (specifically flood and earthquake insurance).
Slovic cites several hypotheses for this common observation, which is backed up by
controlled experiments dealing with expected gains under uncertainty in gambling
scenarios. The most reasonable explanation is that individuals have a “threshold
protecting a finite reservoir of concern” and are selective, if not parsimonious, in
applying it to their decisions. [Slovic 2000 p. 70]. Slovic cites the comments of Haas in
the findings of a 1971 study of people’s response to earthquake insurance:
What do people attend to most of the time? They pay attention to that which is most pressing, that which must be attended to, that which has deadlines, that which is generally considered most critical, that which one would be severely criticized for if he or she didn’t attend to. [Haas 1971, cited in Slovic 2000, p. 69).
The lessons from this series of studies led to a number of recommendations regarding
non-traditional methods for improving adoption of disaster insurance by the public,
48
including Kunreuther’s call for mandated comprehensive disaster insurance; the bundling
of high-probability, low-consequence hazards insurance with low-probability, high-
consequence coverage; and the shaping of statistical information about the probabilities
of loss over time to make insurance more appealing (for example, compounding hazard
over time so that the risk of damage from a 100-year flood over a thirty-year mortgage
term is presented as 30%, rather than 1 in 100 in any given year).
However, Slovic’s and Kunreuther’s study has other implications for private sector
and public preparedness, aside from the seemingly fundamental issue of purchasing flood
or disaster insurance. This study offers a caution regarding expectations for cooperation
by private citizens and private sector entities in even basic preparedness and continuity of
operations measures against local or regional disasters. Studies cited later in this thesis
rarely indicate better than a 50% commitment by the public or by private sector
businesses to preparedness measures prior to actually experiencing a disaster firsthand. In
the same way that the study cited above proposed non-traditional solutions to the problem
of motivating insurance usage, we will likely need equally imaginative and non-
traditional approaches to motivate broad spectrum involvement in preparedness programs
by the private sector and general public.
2.1.4 Heuristics An important contribution from hazard and risk research that has implications for
preparedness and planning in the private sector is the use of heuristics in risk-based
decision-making. Heuristics are judgmental rules based on experience or ready-at-hand
knowledge that often take the place of evidence when decisions must be made on
incomplete information. They are employed—consciously or unconsciously—to reduce
49
difficult mental tasks to simpler ones. [Slovic, Fischhoff and Lichtenstein 1979, in
Kahneman, Slovic and Tversky 1982]. For purposes of this study, four are of note: the
anchoring effect, and the representativeness, availability, and affect heuristics.
Anchoring is the experience of misapplying statistical estimates based on prior
knowledge that skews subsequent estimates in a particular direction. For example, Slovic,
et al, cite a 1978 study of risk perception in which people were asked to estimate the
number of deaths that occurred in the U.S. based on a list of 40 different causes. In one
phase of the study, subjects were told in advance that the average number of automobile
fatalities was on the order of 50,000 per year; in the second phase, subjects were told only
that the annual number of U.S. deaths by electrocution was about 1,000 (both estimates
were factually true). In the latter phase of the survey, people who were aware of the 1,000
deaths by electrocution gave lower estimates of fatalities for virtually every other
category than the people who were aware of the 50,000 automobile fatalities. [Slovic,
Fischhoff and Lichtenstein 1980]. Thus, prior knowledge of a related fact affected
intuitive estimates of a much larger body of information.
Representativeness is the tendency of people to extrapolate probabilities from
information gathered from a small number of instances, and assume that it resembles or
corresponds to a broader set of circumstances. Tversky and Kahneman offer as an
example the likelihood that a random sample of ten men will yield a mean height of 6
feet based on the similarity of this finding in a much larger population, discounting the
fact that the accuracy of a probability assessment increases with sample size [Tversky
and Kanheman 1974]. They explain that
Our thesis is that people have strong intuitions about random sampling; that these intuitions are wrong in fundamental respects; that these intuitions are shared by naïve
50
subjects and by trained scientists; and that they are applied with unfortunate consequences in the course of scientific inquiry. ... (P)eople view a sample randomly drawn from a population as highly representative, that is, similar to the population in all essential characteristics. Consequently, they expect any two samples drawn from a particular population to be more similar to one another and to the population than sampling theory predicts, at least for most samples. [Tversky and Kahneman 1971, p. 105].
An example of the effect of the representativeness heuristic on decision-making
regarding natural disasters would be the assumption that the appearance of the “100-year
flood” (or Category 4 hurricane or 6.4 Richter-scale earthquake) essentially “innoculates”
home-owners, developers or city administrators from experiencing two such events
within their lifetimes, because statistical inference implies a frequency of occurrence of
no more than once every 100 years (or some other large time span).
The availability heuristic is based on the common experience that strong recollections
of an event often make the prevalence or frequency of the event seem more common than
it actually is. In this case,
Life-long experience has taught us that instances of large classes are recalled better and faster than instances of less frequent classes; that likely occurrences are easier to imagine than unlikely ones; and that associative connections are strengthened when two events frequently co-occur. ... That associative bonds are strengthened by repetition is perhaps the oldest law of memory known to man. The availability heuristic exploits the inverse form of this law, that is, it uses strength of association as a basis for the judgment of frequency. [Tversky and Kahneman 1973, pp. 164].
The representativeness heuristic and the availability heuristic could therefore be
considered at the heart of the oft-cited truism that “militaries fight the last war” because
the future probability is that the next instance of combat will closely resemble the current
sample (i.e., it can be expected to be representative of the last instance of warfare) and
51
also that the available experience of the decision-making leadership biases their decisions
towards making certain strategic, logistical and tactical assumptions about the nature of
future conflict. The same could be said about human expectations with regard to natural
disasters—Hurricane Katrina, for example.
Affect is a subtle form of emotion that amounts to a fleeting evaluation of “like” or
“dislike” to some stimulus that can shade an individual’s response to perceptions of risk
[Slovic 2000]. The affect heuristic states that peoples’ decisions about the differences
between costs and benefits of a given situation may be shaped not by a cognitive or
rational decision-making process, but rather by preferences based on affect or emotional
value associated with either the costs or the benefits [Finucane, Alhakami, Slovic and
Johnson 2000]. In other words, a strong elicitation of negative emotional response to a
certain situation or choice can amplify perceptions of risk, while a positive emotional
response can amplify perceptions of the benefits and therefore shape a decision-maker’s
preferences either for avoiding risks or for seeking benefits. As Finucane, et al, state it:
“representations of objects in people’s minds are tagged to varying degrees with affect. People consult or refer to an ‘affective pool’ (containing all the positive and negative tags associated with the representations consciously or unconsciously) in the process of making judgments. ... Using an overall, readily available affective impression can be far easier—more efficient—than weighing the pros and cons or retrieving from memory many relevant examples, especially when the required judgment or decision is complex or mental resources are limited. This characterization of a mental short-cut leads us to label the use of affect a ‘heuristic.’ [Finucane, et al 2000, p. 3].
Experiments have shown that the affect heuristic exerts a stronger influence when
decisions must be made under time stress, presumably because the heuristic value is
maximized when there is no time available for gaining further information or conducting
a rational calculation of costs and benefits.
52
The degree to which these heuristics are employed by different individuals during
specific sets of circumstances, and the degree to which heuristics take precedent over
other cognitive decision-making processes (such as expected utility or bounded
rationality) is a subject of speculation. The significance, rather, is that they may be
working through or in conjunction with more cognitive and deliberative processes:
“To date the availability heuristic has been portrayed typically as a cognitive judgment strategy, in that it works by increasing deliberation about reasons that bias probability judgments. However, the reasons that come to mind may be analytic, or tinged with positive or negative affective tags, or both. Thus, the availability heuristic may be working through cognitive or affective processes.” [Finucane, et al 2000 p. 14]
Implications of heuristics for this study reside in the decision-making processes used
by business owners and leaders in determining priorities for preparedness and continuity
initiatives, and how those decisions might be affected by personal experience in previous
disasters (or not), by corporate history, or by hazard and risk warnings (particularly those
that prove to be false alarms), as well as other costs and benefits competing for attention.
A further implication may be for the effectiveness of government or agency-sponsored
public preparedness campaigns, and whether it would prove more effective to emphasize
the potential for damage from lack of preparedness (the risk) or the broader advantages to
be gained from preparedness and continuity measures (the benefits).
One final area in which traditional research into hazard and risk perception may have
positive utility for private sector business and industry is in the area of public relations
and perceptions of organizational or corporate responsibility. Slovic discusses this in his
1993 article “Perceived Risk, Trust and Democracy,” [Slovic 2000, pp. 316-327]. He
53
points out that the consistent differences found between expert opinions of technological
risk and public perceptions of those same risks do not stem from public ignorance or
irrationality, but rather indicate a different public calculus that is not easily modeled in
current risk-based analysis. That is, public perceptions are based on larger concerns borne
out of debated uncertainties which are a part of any risk analysis, and the tempering of
uncertainties by social concerns such as involuntary exposure to hazards; inequities in
sharing of risks and benefits by population segments; and dread of unknown
consequences, particularly as portrayed by the media [Slovic 2000, p. 316]. Of equal
significance, however, is the factor of public trust, which is a function of long-term
relationships and a perception of open and honest communications. Slovic writes, “The
limited effectiveness of risk-communications efforts can be attributed to the lack of trust.
If you trust the risk manager, communication is relatively easy. If trust is lacking, no
form of communication will be satisfactory. Thus trust is more fundamental to conflict
resolution than communication” [Slovic 2000, p. 319].
The most significant aspect of this piece is Slovic’s presentation of data from studies
of trust-building activities between authorities and the public, compared with
corresponding activities that tend to undermine public trust. In general, trust-undermining
actions have a stronger negative effect on perception than trust-building actions have a
positive effect. This indicates that public trust built through civic relations programs may
provide capital that helps mitigate a potentially negative public image during a crisis—
but that the accumulation of that capital might not be apparent until it is drawn on during
a crisis. In other words, competence and openness on the part of organizations in a
democracy—whether private sector enterprises or public agencies—is the status quo
54
expectation of the public. Its absence will compound a crisis, while a reputation for
openness and competence can go a long way toward mitigating negative consequences
during that crisis. This finding has implications for private sector entities—particularly
businesses that control hazardous processes or materials—for building positive corporate
relations with the public before an incident that puts the entity in the public spotlight.
Likewise, it has implications for public sector agencies (whether federal, state or local)
that attempt to gain private sector support for preparedness initiatives requiring private
sector collaboration or cooperation with government.
Finally, formal risk assessment and analysis processes must be kept in perspective as
means to an end, the end being good decisions in a world in which competing demands
make certainty—even for mundane decisions like selection of insurance coverage—a
trade-off against other priorities. Fischoff, Slovic and Lichtenstein offer perhaps the most
realistic assessment of the utility of analytic methods for real-world decision-making:
No approach to acceptable risk is clearly superior to the others. To exploit the contributions each of these methods can make, careful consideration must be given to the social and political world in which they are used and to the natural world in which we all live. Our social world is characterized by its lack of orderliness. Because hazards are not the only consideration in hazard management decisions, the best we can hope for is some intelligent muddling through. Recognizing this, we should develop and apply the various approaches to hazard management not as inviolate ends in themselves but as servants to that process. [Fischoff, Slovic and Lichtenstein in Slovic 2000, p. 134].
55
2.2 Business continuity management While the research field of hazard and risk analysis has traditionally focused on the
social perceptions of risk and the implications for policy, the private sector has made use
of risk analysis tools for determining options and developing best practices for several
years. The “case-based” approach that characterizes much of the sociological research in
disaster studies has had particular relevance for motivating and instructing business
owners and executives toward the adoption of crisis and continuity management
practices. For well over a decade, private sector business and industry have been
cautioned about the increasing complexity of the basic systems and processes of modern
society and the potential for serious impact on business in the event of their failure
[Silverstein, 1992; Perrow, 1999]. Moreover, published guidelines for business
preparedness have emphasized that the first line of defense against technological
accidents, natural disasters, civil emergencies—even acts of terrorism—resides with the
individual businesses and organizations themselves, and that businesses can take steps to
protect themselves [FEMA 141, 1993; Laye, 2002]. This is not merely a matter of
corporate security, but an essential condition for maintaining continuity of business
operations and profitability, whether against internally or externally generated crises.
Nevertheless, in spite of the emphasis in professional literature—to say nothing of the
well-known experiences of 9/11, Hurricane Katrina and numerous other weather-related
disasters since 2001—there remains a less than enthusiastic adoption of voluntary
standards or willingness on the part of business to commit resources to continuity and
preparedness programs. A 2003 analysis by Mitroff and Alpaslan, drawing on a 20-year
study by the University of Southern California’s Center for Crisis Management, found
56
that—at most—only 25 % of Fortune 500 companies could be considered prepared to
deal competently with a corporate crisis. Mitroff emphasizes that this means that at best
estimate, 75% of Fortune 500 companies cannot be expected to capably deal with a crisis
[Mitroff and Alpaslan, 2003].
Similarly, a two-year survey of 168 U.S. companies completed in 2006, indicated that
73% considered pandemic influenza a serious threat to the United States; 59% believed
that PI would adversely affect their companies; and 72% believed that planning could
protect their companies from the impact of a pandemic. And yet, only 52% of those
companies indicated that they had taken steps to actually plan for or mitigate the effects
of pandemic influenza [Deloitte 2006].
More recently, a 2008 survey of 100 financial executives representing U.S. and
Canadian corporations with at least $1billion in annual revenue, revealed that 96% had
operations that were exposed to natural disasters such as hurricanes, earthquakes or
floods, but only 52% considered their companies prepared against loss due to a hurricane;
only 37% considered themselves protected against flooding; and only 29% had taken
what they considered adequate measures against the risk of earthquake damage. Perhaps
most revealing was that fewer than 21% of the same executives stated that they were
concerned about the potential for a negative impact on corporate bottom line owing to a
natural disaster. [FM Global 2008].
Nevertheless, it is clear that 9/11 forms a dividing line within the business community
in terms of at least awareness of the need for preparedness and continuity planning—
witness the fact of the three studies cited above. A more substantial indication is that
business functions directed toward ensuring continuity of operations and disaster
57
recovery have in recent years become professional competencies and corporate line
responsibilities in their own right, especially in larger organizations where institutional
complexity and sheer size require formal training in continuity planning and the
dedication of corporate assets and personnel to that purpose [Amato-McCoy, 2006;
Black, 2005].
The literature within the business community has also reflected a reevaluation since
9/11. For example, three recent business guides on crisis management and decision-
making copyrighted in 2000 and 2001 collectively contain no indexed references to
“disasters,” “natural disasters,” “hurricanes,” “flooding” or “terrorism.” [Harvard
Business School 2000 and 2001; Hoch, Kunreuther and Gunther 2001]. This is not to say
that corporate disasters and crises are not discussed. One article cites earthquake
protection planning in an example dealing with insurance risk estimation [Kunreuther in
Hoch, Kunreuther and Gunther 2001, p. 262]. Another cites both Three Mile Island and
the Exxon Valdez incident in an article dealing with CEO statements to the press during a
crisis [Augustine in Harvard Business School 2000, p. 21]. The third references the 1965
Northeastern electric power failure, the thalidomide tragedies of the 1960s, and the
Cuban Missile Crisis as examples of unique events, in a discussion of framing situations
for effective decision-making [Drucker in Harvard Business Review 2001, pp. 5-6].
However, it is clear through the executive perspective and typical readership of these
books (all three are anthologies of articles from influential business journals) that the
focus is on crisis management as a means of maintaining corporate integrity against
threats to business viability and profitability and not necessarily to physical integrity.
58
In a manner similar to that noted in the traditional hazard and risk literature, business
literature prior to 9/11 reflects an overarching concern with corporate-public and
corporate-government relations and the need for careful decision-making where liability,
regulation, reputation or long-term market viability are concerned. There is remarkably
little discussion of corporate decision-making for organizational integrity in the face of
external hazards or technological failures of the sort that would threaten a business’s
physical plant, assets, intellectual property (occasional references to Y2K excepted), or a
company’s or organization’s personnel and staffing. This contrasts decidedly with the
50+ articles from the spectrum of business journals cited in the bibliography of this study
dealing with disaster management, continuity of operations planning, emergency
preparedness, or facility security—all of which have been published since 2001 [note in
particular: Amato-McCoy 2006; Barthold 2007; Black 2005; Chepaitis 2004; DiNuzzo
2004; Dorn 2006; Edwards 2007; Greenberg 2002; Hale and Moberg 2005; Henry 2006;
Hutchins 2006; Johnson 2006; Krell 2006; Kuzyk 2007; Magnusson, et al 2004;
McCarthy 2007; Morgan and Mellinger 2003; Morganti 2002; Raish, Statler and Burgi
2007; Rigby and Biledo 2007; Sarrel 2007; Snowden and Boone 2007; Wainright 2007;
Watkins and Bazerman 2003].
Representative of this more recent view are a number of texts dealing with the
protection of corporate assets, personnel, logistics chains, continuity of operations and
market share across the entire spectrum of possible crises and disasters. One example,
Mitroff’s guidebook Managing Crises Before They Happen, provides a taxonomy of
corporate and private sector emergencies that he argues should shape the perspective and
preparedness of every executive (Figure 2-4).
59
Table 2-4: Major crises types / risks (Mitroff 2001, pp. 34-35)
Na
tura
l D
isaste
rs
Earth
quak
e Fi
re
Floo
ds
Expl
osio
ns
Typh
oons
H
urric
anes
Ps
ycho
path
ic
Acts
Prod
uct
tam
perin
g K
idna
ppin
g H
osta
ge
taki
ng
Terr
oris
m
Wor
kpla
ce
viol
ence
Re
puta
tiona
l
Slan
der
Gos
sip
Sick
joke
s R
umor
s D
amag
e to
co
rpor
ate
repu
tatio
n Ta
mpe
ring
with
cor
pora
te
logo
s
H
uman
Re
sour
ce
Loss
of k
ey
exec
utiv
es
Loss
of k
ey
pers
onne
l R
ise
in
abse
ntee
ism
R
ise
in
vand
alis
m a
nd
acci
dent
s W
orkp
lace
vi
olen
ce
Phys
ical
(lo
ss o
f key
pl
ants
and
faci
litie
s
Loss
of k
ey
equi
pmen
t, pl
ants
, and
m
ater
ial
supp
lies
Bre
akdo
wn
of
key
equi
pmen
t, pl
ant,
etc.
Lo
ss o
f key
fa
cilit
ies
Maj
or p
lant
di
srup
tions
In
form
atio
nal
Loss
or
prop
rieta
ry
and
conf
iden
tial
info
rmat
ion
Fals
e in
form
atio
n Ta
mpe
ring
with
com
pute
r re
cord
s Lo
ss o
f key
co
mpu
ter
info
rmat
ion
with
rega
rd to
cu
stom
ers,
supp
liers
, etc
. (Y
2K)
Ec
onom
ic
Labo
r stri
kes
Labo
r unr
est
Labo
r sh
orta
ge
Maj
or d
eclin
e in
stoc
k pr
ice
& fl
uctu
atio
ns
Mar
ket c
rash
D
eclin
e in
m
ajor
ear
ning
s
60
Mitroff’s taxonomy is also the basis for the more recent Why Some Companies
Emerge Stronger and Better from a Crisis (2005), which provides a quick-and-dirty (11
pages) “Brief Primer on Crisis Management” that offers a conceptual framework for the
development of a Crisis Management plan.
A comprehensive approach to private sector preparedness is also reflected in an
article entitled “Identification of Core Competencies by Executive Level Business Crisis
and Continuity Managers” [Shaw and Harrald 2006], which proposes the term Business
Crisis and Continuity Management (BCCM) as a more accurate name for an
“organization wide strategic program” that consolidates the traditional functions of crisis
management, risk assessment, emergency management and disaster recovery, as well as
business continuity planning [Shaw and Harrald, 2004]. Shaw and Harrald offer the
following definition of a comprehensive view of this process:
The business management practices that provide the focus and guidance for the decisions and actions necessary for a business to prevent, prepare for, respond to, resume, recover, restore and transition from a disruptive (crisis) event in a manner consistent with its strategic objectives. [Shaw and Harrald 2004 p. 3].
A similarly practical guide to business preparedness is provided by Laye’s Avoiding
Disaster: How to Keep Your Business Going When Catastrophe Strikes. This book and
others of the sort [Childs and Dietrich 2002; Syed and Syed 2004] are more typical of the
“how to” approach to business crisis planning—often directed toward professionals in
continuity or risk management, or small business owners who lack specialized staff—
rather than a conceptual approach targeted for the executive leadership who need to
understand why business continuity planning and crisis management are important, but
not necessarily the details of how to implement it.
61
At the technical end of the spectrum are corporate guidelines or professional texts in
risk assessment and risk analysis (e.g., Koller 2005; Vose 2008), which are analytic
guidebooks for professional risk analysts for use either within consulting firms or
businesses that employ full-time or collateral-duty staff to conduct quantitative risk
assessments, or for classroom use in college-level or professional courses teaching these
skills. In any case, these guides provide a conceptual approach to risk assessment, but
then proceed to the quantitative assessment procedures required to support a detailed
analysis of cost-benefit based decision processes for risk management.
2.3 Federal agency documents In the opening page of Emergency Management: The American Experience 1900-
2005, Claire Rubin observes that “Prior to World War II, there was no overarching
legislation or policy at any level of government driving emergency and disaster
management in the United States.” [Rubin 2007, p. 11]. She quotes geographer
Rutherford Platt’s explanation that “Before 1950, disaster assistance was viewed as the
moral responsibility of neighbors, churches, charities and communities—not the federal
government” [Rubin, p. 12]. Until very recently, that general attitude had driven most
policy regarding private sector involvement in disaster preparedness and response,
whether that view was reflected by private businesses or industries, non-profit charitable
organizations, or by individual citizens. The first substantive piece of legislation devoted
to general disaster response—the 1950 Federal Disaster Relief Act—made provision for
federal assistance to regions affected by disaster, but focused on “making emergency
repairs to and temporary replacement of” public facilities (Rubin, p. 105]. It made no
mention of any specific role for private sector entities or for private citizens generally,
62
and local preparedness and recovery was understood to be the responsibility of the
citizens and the community themselves. State and local responsibility for preparedness
and recovery was also reflected in the 1950 Civil Defense Act, which covered civil
emergencies and physical damage inflicted through hostilities against the United States
[Rubin, p. 82]. This approach continued through a succession of legislation that defined
the boundaries of federal responsibility and provided mechanisms for state and local
support for disaster recovery via federal disaster assistance.8
The 1988 Stafford Act was the legislation that laid the foundation for what is today an
emerging recognition of the importance of the private sector in local disaster response,
recovery and mitigation. Section 307 of the Stafford Act, “Use of Local Firms and
Individuals,” states
In the expenditure of Federal funds for debris clearance, distribution of supplies, reconstruction, and other major disaster or emergency assistance activities which may be carried out by contract or agreement with private organizations, firms, or individuals, preference shall be given, to the extent feasible and practicable, to those organizations, firms, and individuals residing or doing business primarily in the area affected by such disaster or emergency. [Stafford Act 1988, §307].
While not explicitly stated, this provision recognizes several advantages that private
sector involvement provides for recovery operations. First, it supports the use of the most
readily available talent, material and equipment in the recovery operation, thus shortening
the logistics chain for recovery operations, and potentially the response time. Secondly, it
maintains emphasis on the fact that, while federal funding may be made available, the
responsibility for recovery remains with the affected community, including the resources
available from the for-profit sector. Third, it offers the opportunity to put disaster victims 8 This included the Small Business Act of 1953; the Southeast Hurricane Disaster Relief Act of 1965; the Disaster Relief Act of 1966; the National Flood Insurance Act of 1968; and the Disaster Relief Act of 1970, which was further expanded in 1974 [see Rubin, 2008, pp. 81-102].
63
and their businesses immediately to work with enough federal assistance to begin
restoration of the local economy, as well as that of the physical infrastructure and
community. Subsequent revisions to the Stafford Act (2000 § 5150; 2007 § 307)
preserved the original language.
The principles of the Stafford act were made operational by the Federal Response
Plan issued in 1992 under a provision of the Stafford Act itself. As later amended in
1998, the Stafford Act specified that
The combined emergency management authorities, policies, procedures, and resources of local, State, and Federal governments as well as voluntary disaster relief organizations, the private sector, and international sources constitute a national disaster response framework for providing assistance following a major disaster or emergency. [Federal Response Plan, 1998, p. 2]. Federal agencies are encouraged to take advantage of current partnership relations with the private sector. Businesses, both inside and outside the disaster-affected area can supply critical resources during response operations, and assist in restoring essential services and rebuilding the economic base during recovery operations. (As potential disaster victims, private-sector businesses are also urged to identify their risks, develop appropriate contingency plans, and take corrective actions prior to a disaster). [Federal Response Plan 1998, p. 9].
In particular, the Federal Response Plan specified in the Recovery Function Annex that
“the involvement of voluntary organizations and private sector at the national, State and
local levels is critical to the success of a disaster recovery mission [Federal Response
Plan, p. RF-3].” This was the first reference in a federal document to an expectation of
ongoing coordination between federal agencies and private sector business and voluntary
organizations, and the first mention of a need for risk assessments and development of
contingency plans among private sector entities as a key to disaster recovery within
affected areas. A diagram depicting the National Response Framework highlighted the
private sector as one of six partners in disaster response (Figure 2-3).
64
Figure 2-3: National disaster response framework [FRP 1998]
In conjunction with the issuing of the Federal Response Plan, the Clinton
Administration issued Presidential Decision Directive NSC-63 on Critical Infrastructure
Protection, which framed the risk to the nation’s infrastructure:
Because of our military strength, future enemies, whether nations, groups or individuals, may seek to harm us in non-traditional ways including attacks within the United States. Because our economy is increasingly reliant upon interdependent and cyber-supported infrastructures, non-traditional attacks on our infrastructure and information systems may be capable of significantly harming both our military power and our economy. [Clinton, 1998]
The document charged the private sector with the responsibility to “ensure the orderly
functioning of the economy and the delivery of essential telecommunications, energy,
financial and transportation services” so that “any interruptions or manipulations of these
critical functions [would be] brief, infrequent, manageable, geographically isolated and
minimally detrimental to the welfare of the United States.” [Clinton, 1998, para III.] The
document further established the concept of a shared responsibility and partnership
between “owners, operators, and the government,” in protecting the physical integrity and
65
operational viability of the nation’s critical infrastructures. It further established a
National Infrastructure Assurance Council (NIAC) to oversee coordination across
agencies and private sector concerns involved in maintaining and operating sectors of the
critical infrastructure, and placed directive control of this effort under a National
Coordinator for Infrastructure Protection and Counter-Terrorism.
Several themes were identified in PDD-63 that continue to pose challenges for current
efforts to identify a workable framework for public-private sector partnerships that would
enhance security of the economy and critical infrastructure, notably:
• Liability and legal impediments arising from participation by private sector companies in information sharing with federal agencies;
• Problems of classification of technical documents, threat analyses, risk and
vulnerability assessments;
• Information sharing and secure dissemination of proprietary information, trade secrets, business data, law enforcement information and evidentiary material;
• Impacts of information sharing between international trade partners and domestic
security and law enforcement agencies;
• Potential benefits and liabilities from mandates requiring insurance protection, particularly for foreign-owned elements of the critical infrastructure;
• Ways to encourage private sector participation in information sharing and risk
assessments;
• Means to foster public sensitivity to the need for critical infrastructure protection, to include the need for a national awareness campaign among the public.
At the same time that PDD-63 and the Federal Response Plan were being initiated,
two independent congressionally-chartered studies were underway that raised warnings
about the potential for domestic terrorism. The first was the report of The United States
Commission on National Security/21st Century—entitled New World Coming: American
66
Security in the 21st Century, commonly referred to as the Hart-Rudman Commission.
This study was chartered to examine the structure of the federal government (in particular
the Department of Defense) and make recommendations to address perceived gaps in the
nation’s strategic posture relative to current threats to national security. The second report
was the Advisory Panel to Assess Domestic Response Capabilities for Terrorism
Involving Weapons of Mass Destruction, commonly known as the Gilmore Commission.
The objective of this commission was to evaluate the vulnerabilities of the United States
against the potential for attack by a terrorist organization employing a weapon of mass
destruction.
In both of these studies, the focus on private sector preparedness and continuity
planning was founded on the concern that America’s critical infrastructures—which are
owned and operated predominantly by private corporations—were increasingly
vulnerable to terrorist attack. Phase III of the Hart-Rudman Commission report
emphasized that “homeland security is not peripheral to U.S. national security strategy,
but central to it” [Hart-Rudman 2001, p. 11]. It identified three measures that required
active public-private partnerships to achieve effective security:
• The development of transportation security measures to reduce the risk that importers, exporters, freight and transportation carriers serve as conduits for criminal or terrorist activity;
• Bolstering the intelligence gathering, data management and information sharing
capabilities of border control agencies to enhance inspection and identification of potential threats; and
• Strengthening the capabilities of border agencies to arrest terrorists and interdict
dangerous shipments before they arrive in the U.S. [Hart-Rudman 2001, p. 13].
67
The Hart-Rudman Commission cited progress made in implementing PDD-63, but
emphasized that the continuing integration of critical infrastructure systems such as
electrical utilities, water systems, transportation networks, telecommunications, and
banking and finance industries required coordination between federal agencies and
private sector enterprise to ensure security of these systems.
The concern for vulnerability to terrorism was highlighted, as well, by references in
the third annual report of the Gilmore Commission to the need for involvement by the
private sector in developing education in disaster awareness; maintaining security of
logistics and transportation systems; and participating in national efforts to ensure
security of cyber and communications systems [Gilmore 2001]. The Commission’s fourth
annual report made special mention of the concerns of private sector entities in emerging
requirements for protecting critical infrastructures—particularly the cyber infrastructure.
It recommended the establishment of an independent commission to address coordination
of federal requirements with private sector interests such as liability protection for
corporations, and the need to establish mechanisms for increasing market value
associated with compliance with government standards, and other mandated requirements
[Gilmore, 2002].
The final report of the Gilmore Commission called for “strong preparedness and
readiness across State and local government and the private sector with corresponding
processes that provide an enterprise-wide national capacity to plan, equip, train and
exercise against measurable standards” [Gilmore 2003, p. iv]. The report offered “a
prospective vision of the future for 2009” that emphasized “State, Local and Private
Sector Empowerment” as fundamental to domestic security [Gilmore 2003, p. 15]. This
68
report also included as an appendix a report of the Business Roundtable Security Task
Force (http://www.businessroundtable.org/) on initiatives that the Business Roundtable
had sponsored and coordinated to further preparedness in individual businesses and
among private-public partnerships within communities [Gilmore 2003, Appendix N].
It is significant that both the Hart-Rudman Commission and the Gilmore Commission
reports focused on preparedness against what the Gilmore Commission referred to as the
“new normalcy” of terrorism, with no specific reference to other hazards that could
jeopardize regional or national security. This outlook was reflected in the majority of
Federal documents from the late 1990s, through the post-9/11 period up until Hurricanes
Katrina and Rita in 2005. The focus of federal-level efforts to enjoin private sector
cooperation in homeland security was principally focused on maintaining security of the
nation’s critical infrastructures against terrorist attack.
Federal documents issued in the wake of 9/11 largely took this approach to
mobilizing and motivating the private sector. From the outset the private sector was
identified as a fundamental strategic resource and provider of equipment and services
essential to homeland security against the threat posed by terrorist acts involving
weapons of mass destruction. The Homeland Security Act of 2002 established that,
To the maximum extent practicable, the Secretary (of DHS) shall use national private sector networks and infrastructure for emergency response to chemical, biological, radiological, nuclear, or explosive disasters, and other major disasters. [§ 508]
and
The Secretary should, to the maximum extent possible, use off-the-shelf commercially developed technologies to ensure that the Department’s information technology systems allow the Department to collect, manage, share, analyze, and disseminate information securely over multiple channels of communication; and in order to further the policy of the United States to avoid competing commercially with
69
the private sector, the Secretary should rely on commercial sources to supply the goods and services needed by the Department [§ 509].
Moreover, noting that the private sector owns 85% of the nation’s infrastructure9, the
2002 National Strategy for Homeland Security identified five areas where partnerships
between federal agencies and private sector entities were essential:
• Border and transportation security for supply chains and overseas trade;
• Protection of critical infrastructure and key resources;
• Directing science and technology efforts to homeland security;
• Integrating information sharing among public and private sectors.
Homeland Security Presidential Directive (HSPD-7) on Critical Infrastructure
Identification, Prioritization, and Protection directed that the Department of Homeland
Security and sector-specific agencies collaborate with appropriate private sector entities
to encourage development of information sharing and analysis regarding threats,
vulnerabilities, incidents, potential protective measures and best practices [White House
2003]. The National Response Plan (2004) established an operational framework under
the National Incident Management System and the Incident Command System for
integrating private sector capabilities into local or regional response alongside local, state
and federal government agencies. Moreover, it established private sector responsibilities
9 The author has attempted (without success) to establish a source for the assertion that the private sector owns and operates 85% of the nation’s critical infrastructure. That statement does not appear in President Clinton’s PDD-63 nor in the reports of the Gilmore or Hart-Rudman Commissions. However, it is cited in numerous documents of the G. W. Bush administration, beginning with the National Strategy for Homeland Security (2002); and including the National Strategy for Physical Protection of Critical Infrastructure and Key Assets; the National Strategy for Pandemic Influenza; the 9/11 Commission Report, and the Government Accountability Office report “Critical Infrastructure Protection” [GAO 2006]. Of perhaps greater importance is the comment of one small business owner interviewed by the author who stated that, “the proportion of the private sector that owns that 85% of the nation’s infrastructure probably amounts to about 15% of the nation’s private sector.”
70
“(voluntarily or to comply with applicable laws and regulations)” [NRP 2004, p. 13] as
directed by local authorities or authorities in charge at the scene of an incident.
The successor to the National Response Plan, the National Response Framework,
expanded on the operational requirements for coordinating private sector support to
disaster response, and emphasized that “During an incident, key private sector business
partners should be involved in the local crisis decision-making process or at least have a
direct link to key local emergency managers. Communities cannot effectively respond to,
or recover from, incidents without strong cooperative relations with the private sector.”
[NRF, 2008]. The NRF then enumerated seven essential private-sector responsibilities,
which can be taken independent of involvement with the Federal government:
• Planning for protection of employees, infrastructure and facilities.
• Planning for the protection of information and the continuity of business operations.
• Planning for, responding to, and recovering from incidents that impact their own
infrastructure and facilities.
• Collaborating with emergency management personnel before an incident occurs to ascertain what assistance may be necessary and how they can help.
• Developing and exercising emergency plans before an incident occurs.
• Where appropriate, establishing mutual aid and assistance agreements to provide
specific response capabilities.
• Providing assistance (including volunteers) to support local emergency management and public awareness during response and throughout the recovery process.
However, it is the National Strategy to Secure Cyberspace that takes the most
expansive view of the relationship between public and private sector interdependencies
for security and mutual support:
71
The purpose of [the National Strategy to Secure Cyberspace] is to engage and empower Americans to secure the portions of cyberspace that they own, operate, control, or with which they interact. Securing cyberspace is a difficult strategic challenge that requires coordinated and focused effort from our entire society—the federal government, state and local governments, the private sector, and the American people. ... Our economy and national security are fully dependent upon information technology and the information infrastructure. At the core of the information infrastructure upon which we depend is the Internet, a system ... that connects millions of other computer networks making most of the nation’s essential services and infrastructures work. These computer networks also control physical objects such as electrical transformers, trains, pipeline pumps, chemical vats, radars, and stock markets, all of which exist beyond cyberspace. ... In general, the private sector is best equipped and structured to respond to the evolving cyber threat [White House, February 2003, p. viii-ix].
As can be seen, federal documents published at the strategic level, such as those
above, offer little by way of specific direction or guidance on how security, disaster
preparedness or continuity of operations could or should be achieved within the private
sector to support Homeland Security Department objectives. However, there are other
government sources that are intended to fill those needs. For example, detailed guidance
to private sector business and non-profits for all-hazards preparedness and continuity of
operations planning has been issued by the Federal Emergency Management Agency as
an Emergency Management Guide for Business and Industry
(http://www.fema.gov/business/guide/index.shtm) and through the Ready Business
program (http://www.ready.gov/business/); and in the Sector Specific Plans issued as
annexes to the Critical Infrastructure Protection Plan
(http://www.dhs.gov/xprevprot/programs/gc_1179866197607.shtm#2) for those
industries included in the eighteen critical infrastructure sectors. Similarly, a series of
guides for business and community planning against pandemic influenza was issued by
72
the Department of Health and Human Services (Pandemic Influenza Preparedness,
Response, and Recovery Guide for Critical Infrastructure and Key Resources
http://www.pandemicflu.gov/plan/workplaceplanning/index.html).
The 2006 National Infrastructure Protection Plan issued by DHS is built around a
Risk Management Framework that is explained in detail and provides a usable, though
fairly high level, process for building a risk and vulnerability assessment and mitigation
program (Figure 2-4) (http://www.dhs.gov/xprevprot/programs/editorial_0827.shtm).
Figure 2-4: Risk management framework [NIPP 2006, p. 4]
A more comprehensive approach, which has been adopted as the planning guide for
all-hazards preparedness within much of the private sector, is the National Fire Protection
Association document NFPA 1600 Standard on Disaster/Emergency Management and
Business Continuity Programs. NFPA 1600 provides a detailed checklist of requirements
and procedures for private sector preparedness to a level of “shall establish,” shall
develop,” and “shall evaluate” specificity. The objective is to establish a standard for
“disaster and emergency management and business continuity programs, the criteria to
73
assess current programs or to develop, implement, and maintain aspects for prevention,
mitigation, preparation, response, and recovery from emergencies” [NFPA 1600, p. 4].
While not strictly a federal document, NFPA 1600 has been acknowledged in the 9/11
Commission Report as the most authoritative standardized approach to business
preparedness and continuity planning. As a consequence, it was recommended in the
“Implementing Recommendations of the 9/11 Commission Act of 2007” [H.R. 1, 2007]
as a potential standard for the Voluntary Private Sector Accreditation and Certification
Program (explained below).
Harrald has noted that “Post 9/ll infrastructure protection investments have focused
on increasing the security of the infrastructure, not in increasing its resilience [Harrald
2005]. The truth of this is borne out in Bush Administration documents issued between
9/11 and the destruction of Hurricane Katrina. However, as the former incident served as
the “focusing event” (to use Rubin’s term) for U.S. anti-terrorism policies—many of
which necessarily involved private sector efforts in infrastructure protection—Hurricane
Katrina exposed the need for a more comprehensive, all-hazards approach that could
mobilize private sector resources when a catastrophic disaster exceeded the capacity of
even the federal government to respond (for example, witness the Wal-Mart
Corporation’s response to Hurricane Katrina [Cooper and Block 2006, pp.259-266]).
The fact that the Federal government ultimately recognized this deficiency can be
seen by comparing the focus of the 2002 National Strategy for Homeland Security with
the 2007 update to that document. Whereas the 2002 NSHS had focused exclusively on
the threat of terrorism to national assets—written as it was in the aftermath of 9/11—and
74
had directed its recommendations for private sector engagement toward terrorism
preparedness and prevention, the 2007 NSHS included specific references to Hurricane
Katrina, but more importantly to natural and man-made disasters in general. In this sense
the perspective of the National Strategy for Homeland Security had undergone an
important transformation from its original thrust. This broader scope was evident in the
initial section of the 2007 edition, entitled “Evolution of the Paradigm.” That introduction
emphasized that “homeland security is a shared responsibility built upon a foundation of
partnerships. Federal, State, local, and Tribal governments, the private and non-profit
sectors, communities, and individual citizens all share common goals and responsibilities
—as well as accountability—for protecting and defending the Homeland” [NSHS 2007,
p. 4]. This broadened scope included references to the concept of resilience as a key to
mitigating vulnerabilities of both government and private sector operations against man-
made or natural disasters [p. 29]. Moreover, the private and non-profit sectors were
identified as having a specific role in response alongside community, State and Federal
authorities:
Private and Non-Profit Sector. The private and non-profit sectors fulfill key roles and work closely with communities, States, and the Federal Government. The private sector plays an essential role implementing plans for the rapid restoration of commercial activities and critical infrastructure operations, which can help mitigate consequences, improve quality of life, and accelerate recovery for communities and the Nation. Non-profit organizations serve a vital role by performing essential services within communities in times of need, such as mass sheltering, emergency food supplies, counseling services, or other vital support services. [p. 33] (Emphasis in the original).
In addition to the roles identified for the private sector in the 2002 NSHS having to do
with protection of critical infrastructures, information sharing, science and technology
75
and supply chain security, the 2007 document identified five other areas requiring private
sector engagement for effective response, recovery and mitigation:
• Restoration of community services and the economy to include business and non-profit operations that underpin local economies;
• Engaging in planning and coordination of collective recovery efforts, particularly
in the form of public-private partnerships;
• Facilitating long-term assistance for displaced victims, including solutions for housing in affected areas;
• Rebuilding critical infrastructures to support the return of citizens and businesses
to affected communities; and
• Building a “Culture of Preparedness” by ensuring structural and operational resilience of critical infrastructures and contributing to collective initiatives to ensure the resilience of communities.
In essence, the experience of Hurricane Katrina demonstrated much more than the
need for preparedness and resilience among individual private sector enterprises or
sectors, as had been called for in the 9/11 Commission Report. The need identified by
Hurricane Katrina was for a strategic capability that could mobilize private sector
resources and talent, and employ it against regional disasters that crossed jurisdictions or
that destroyed an area’s infrastructure to such a degree that “normal” recovery and
restoration operations were impeded. The broader approach in the 2007 revision to the
National Strategy for Homeland Security did much to acknowledge that reality.
From the start, however, the Federal government has faced two significant challenges
in gaining private sector support for homeland security and preparedness initiatives. The
first challenge was simply motivating private sector participation in view of potential
costs and the uncertain return on investments from corporate or organizational
preparedness. The second challenge was identifying common standards or measures of
76
effectiveness that could ensure that the initiatives adopted actually achieved an
improvement in preparedness among private sector enterprise. This problem was
recognized by the members of the 9/11 Commission, who included in their report to
Congress an endorsement to recommendations of the American National Standards
Institute (ANSI) to establish a voluntary National Preparedness Standard for private
sector entities, based on NFPA 1600. [National Commission 2005, p. 399]. The
recommendation of the 9/11 Commission was later enacted in the “Implementing
Recommendations of the 9/11 Commission Act of 2007” (H.R. 1 of the 110th Congress)
as Title IX—Private Sector Preparedness, in an amendment to the Homeland Security
Act of 2002 [H.R.1 2007].
Title IX established the Voluntary Private Sector Accreditation, Certification and
Preparedness Program or “PS-Prep” (Private Sector Preparedness) as the Department of
Homeland Security program to institute a “common set of criteria for preparedness,
disaster management, emergency management, and business continuity programs” [H.R.
1, 2007, § 524]. The goals of the program are to develop guidance or recommendations
and identify best practices to foster commitment by the private sector in emergency
preparedness and continuity of operations planning. Specific objectives of the PS Prep
program are to motivate private sector businesses, industries and non-profit organizations
to:
(1) identify potential hazards and assess risks and impacts; (2) mitigate the impact of a wide variety of hazards, including weapons of mass destruction; (3) manage necessary emergency preparedness and response resources; (4) develop mutual aid agreements;
77
(5) develop and maintain emergency preparedness and response plans, and associated operational procedures; (6) develop and conduct training and exercises to support and evaluate emergency preparedness and response plans and operational procedures; and (7) develop procedures to respond to requests for information from the media or public.
Private sector entities that participate in the program would undergo a certification
process that will confirm they have met established standards of preparedness. The
voluntary certification criteria would be developed by DHS in consultation with private
sector entities and administered by third-party non-government agents (i.e., private
corporations or non-profits) that had been accredited by ANSI as competent to administer
the program and certify other private sector entities. The program would reside under the
executive authority of the Department of Homeland Security’s Assistant Secretary for
Infrastructure Protection. In view of the potential costs to achieving certification, the
legislation specifies that small business concerns be taken into consideration “to ensure
that such measures are not overly burdensome and are adequate to meet the voluntary
preparedness stand adopted” [H.R. 1 § 524].
At the time of this writing, the PS Prep program had been briefed during a series of
public meetings in early 2009 in order to solicit private sector response to the program,
which is to be implemented in 2009 under the incoming Obama administration. The
expectation on the part of DHS is that the PS Prep program would “raise the level of
private sector preparedness through a number of means, including (1) establishing a
system for DHS to adopt private sector preparedness standards; (2) encouraging creation
of those standards; (3) developing a method for a private sector entity to obtain a
78
certification of conformity with a particular DHS-adopted private sector standard, and
encouraging such certification; and (4) making preparedness standards adopted by DHS
more widely available.” [Federal Register 73(248) 2008].
However, a key concern expressed in the first of the public hearings held at the U.S.
Chamber of Commerce, Washington, D.C., on 15 January 2009, was that a standard and
certification process established by federal authority—even if voluntary—would have
immediate costs associated with compliance, and has the potential to become a tacit
mandate to the private sector which would generate long-term unavoidable costs to
achieve and maintain certification. [The author attended both of the public hearings on
this initiative]. There were also concerns expressed by industries that already comply
with existing standards that their previous efforts would have to be aligned with a new
system, at additional expense. Whether private sector businesses and non-profits would
participate in a voluntary program where standards are established by an agency acting
on behalf of the Federal government, remains to be seen.
2.4 Regional approaches and best practices10 Even without the impetus provided by the PS Prep initiative, or the National
Response Framework, there is a growing recognition among private sector business,
industry and non-profit organizations that they need to develop competencies in disaster
preparedness and continuity planning, and that there is a need to be able to coordinate
planning with other agencies and organizations in their regions. Yossi Sheffi’s book The
10 The footnotes in this section are internet links to the home pages of the non-profit and corporate initiatives cited. Inclusion in this section is in no way intended to imply an endorsement or recommendation by the author of practices espoused by the organizations listed. The author provides these only as examples and a partial listing of the many dedicated organizations engaged in civic and private sector preparedness at the time of publication of this study. The unavoidable omission of other equally capable and valuable organizations in other regions of the country is acknowledged and regretted.
79
Resilient Enterprise makes a business case for public-private sector partnerships that
provide benefits to a community and region by improving the resilience of companies
and this providing a competitive advantage for survival through adversity [Sheffi 2007].
Key to his approach is the building of security through collaboration to anticipate crises;
building flexibility through interchangeability to avoid crises; and building resilience
through redundancy to survive crises. Sheffi writes that the business case for investment
in preparedness and resilience among the private sector should be justified in two ways:
“Security investments should be justified both by their contribution to avoiding disruptions (even when not all the benefits can be quantified) and by the collateral benefits they provide. Resilience investments should be primarily justified by their contribution to flexibility—creating a competitive advantage for the company.” [Sheffi 2007 p. 279].
Since before 9/11, there have been numerous programs that have initiated and often
successfully institutionalized coordinated planning for disaster preparedness, response
and recovery between private and public sectors. Some of these have been federally
sponsored efforts with local chapters: for example, the FEMA-sponsored Project Impact
and Local Emergency Planning Committees,11 and the DHS-sponsored Citizens Corps12
established immediately after 9/11. Others have been organized within municipalities and
surrounding counties, such as the National Capital Region Emergency Preparedness
11 Local Emergency Planning Committees are mandated for communities to receive federal preparedness grants, and apply to regulated industries within a community that pose a risk to public safety from hazardous materials or toxic substances. The National Incident Management System Integration Center website states, “LEPCs are non-profit community organizations that must include in their membership, at a minimum, local officials including police, fire, civil defense, public health, transportation, and environmental professionals, as well as representatives of facilities subject to the emergency planning requirements, community groups, and the media. LEPCs must assist in the development of emergency response plans, conduct annual reviews at least annually, and provide information about chemicals in the community to citizens.” http://www.fema.gov/pdf/emergency/nims/lepc_fs.pdf. 12 Citizens Corps http://www.citizencorps.gov/.
80
Council (NCR-EPC) 13, San Diego’s The Security Network,14 the New Jersey Business
Force15 and cities that have transformed the Project Impact program after its termination
in 2001.16
Still others have taken a regional perspective across several state jurisdictions having
common security interests, such as the Community and Regional Resilience Institute
(CARRI),17 or the All Hazards Consortium.18 Yet others have undertaken efforts in cities
and towns across the entire nation, such as the or the Safe America Foundation,19 or the
Michigan State University initiative called the Critical Incident Protocol20 originally
sponsored by the Department of Justice Office of Domestic Preparedness, and now by
DHS.
While there has been sound support for programs of this sort at the national level
(enabled—so far—by relatively consistent funding from federal or private sector
sources), the programs have nonetheless met with varying degrees of success at the local
level, and are hardly universal in their adoption. Regardless of their scope, the
fundamental determinant for the success among these disparate organizations seems to be
the level of commitment shown by private sector businesses and non-profit organizations,
and by private citizens within the community.
13 National Capital Region Emergency Preparedness Council http://www.mwcog.org/committee/committee/default.asp?COMMITTEE_ID=40. 14 The Security Network http://www.thesecuritynetwork.org/. 15 New Jersey Business Force http://www.njbusinessforce.org/. 16 For example, the program in Tulsa, Oklahoma http://www.tulsapartners.org/, or Seattle, Washington http://www.seattle.gov/emergency/programs/projectimpact/ 17 Community and Regional Resilience Initiative: http://www.resilientus.org/. 18 All Hazards Consortium http://www.ahcusa.org. 19 Safe America Foundation http://www.safeamerica.org. 20 Critical Incident Protocol: http://www.cip.msu.edu/
81
Beyond an expanding number of regional public-private partnerships, several
private sector entities—non-profits and corporations alike—have begun providing
recommended best practices as a public service. For example, the Partnership for Critical
Infrastructure Security21 “coordinates cross-sector initiatives that promote public and
private efforts to help ensure secure, safe, and reliable critical infrastructure services.”
The Institute for Business and Home Safety22 provides an on-line guide and disaster
planning toolkit, “Open for Business,” for small businesses and homeowners that
includes worksheets for vulnerability and risk assessments and development of a
continuity plan. Other private initiatives, such as the National Congress for Secure
Communities23 and the Business Executives for National Security (BENS),24 have
advocated and actively supported public-private sector partnerships to enhance local and
regional security and emergency preparedness. Getting Down to Business: An Action
Plan for Public-Private Disaster Response Coordination is a guide published by the
BENS Business Response Task Force that provides recommendations on three priorities
for regional and community preparedness: (1) public-private sector collaboration; (2)
surge capacity and supply chain management; and (3) the legal and regulatory
environment [BENS 2007]. ProtectingAmerica.Org25 is a national coalition that supports
insurance industry efforts to “improve financial protection for consumers by establishing
special catastrophe backstops at the state and regional level to provide recovery and
rebuilding funds in case of a major national catastrophe.” The website also maintains a
21 Partnership for Critical Infrastructure Protection: http://www.pcis.org. 22 Institute for Business and Home Safety: http://www.ibhs.org/business_protection/ and http://www.disastersafety.org/. 23 National Congress for Secure Communities: http://nationalcongress.org/. 24 Business Executives for National Security: http://www.bens.org/home.html. 25 ProtectingAmerica.Org: http://www.protectingamerica.org/about-the-coalition.
82
page of web links to a wide range of research and planning resources to enhance
preparedness of both private sector entities and private citizens. One university resource,
the International Center for Enterprise Preparedness (Intercep) at New York University is
an “academic center dedicated to private sector crisis management and business
continuity.”26 Several other universities maintain provide similar resources through
research centers, business schools and graduate programs dedicated to homeland security,
risk management and continuity of operations, and disaster preparedness.
There are also numerous private sector corporations, business coalitions,
chambers of commerce and regional business planning commissions that offer similar
services, including published on-line (and some print) resources for other businesses and
regional entities. The importance of these services cannot be understated in terms of
disseminating and refining best practices for private sector entities interested in
improving their levels of preparedness and reducing vulnerability to predictable and
unforeseeable disasters and crises.
2.5 The internet As is clear from the preceding section, the internet provides ready access to
documents and resources that span all four of the literature categories defined in this
chapter, and thus has become an extraordinarily versatile source for acquiring knowledge,
recommended methods and best practices, and regulations and standards pertaining to
business continuity planning, emergency management and disaster preparedness. For
example, over 70% of the references listed in the bibliography of this dissertation—in
particular all of the government sources—are accessible online, either via open access
26 International Center for Enterprise Preparedness: http://www.nyu.edu/intercep/.
83
search engines, or through a university library journal index or commercial search
service. And this in no way reflects the available information that resides within private
sector business, regional planning organizations and state and local government agencies.
At the same time, however, a significant obstacle facing businesses, non-profit
organizations and the general public in preparing for disasters and planning for continuity
of operations is not the lack of available information and guidance, but the abundance of
it. Whereas a decade ago there was little information to guide the non-professional in
continuity of operations planning or emergency preparedness, there is now a virtually
limitless range of programs and best practices to choose from. This is compounded by the
overwhelming quantity of free and readily available information on the internet. This
wealth of information makes the problem of sorting out reliable sources and identifying
appropriate guidance a daunting problem for any business or organization that is
launching a new program in continuity planning or emergency preparedness—and the list
of on-line resources continues to grow over time.
As an example of the extent of the resources available, the websites described below
represent a federal agency, several business consulting firms, a national non-profit
organization, a disaster research center, a homeland security institute at a land-grant
university, and one private citizen. Each provides an extensive catalog of resources and
links to other websites, which are themselves connected to numerous other distinct—and
often overlapping—internet sources for homeland security, disaster and emergency
management, continuity of operations or business continuity planning.27 These websites,
while individually unique, are nevertheless representative of the breadth of information
27 Citation of these websites is not intended to constitute an endorsement of the content or methodology used by the authors or organizations hosting these sites.
84
available to researchers and customers seeking best practices, guidelines and templates
for developing business crisis and continuity management programs.
• Federal Emergency Management Agency (http://www.fema.gov). The FEMA
website is noteworthy for several reasons. First, as the emergency management
agency of the federal government, FEMA publishes information that is tacit
policy or government-sanctioned best practices in disaster preparedness,
emergency response and continuity of operations. Two sections are of special
significance for private sector entities. The first is the Business link that directs
customers to a collection of guidance documents for business, industry and
vendors in the private sector. The second important link, Regional Offices directs
visitors to the ten FEMA regions, and also to the emergency management
agencies of 59 states, territories and protectorates. From those, virtually every
state website links either directly or via subsidiary links to business-specific
planning guides, and often back to the FEMA business directory.
• Disaster Research Institute International and its associated Institute for Continuity
Management (http://www.drii.org). The website of the non-profit, DRII, is typical
of many firms and non-profit organizations that offer services for continuity
planning, risk analysis and security management. Many of those organizations
include “best practices” guidebooks as a primer in fundamental continuity
planning and an entrée to other courses and services offered by the organization.
DRII’s guidebook, “Professional Practices for Business Continuity Managers,”
85
appears under the link Professional Practices=>Introduction/ Overview. Several
other organizations maintain similar websites worthy of note: (1) the Business
Continuity Institute (http://www.thebci.org, which compiles a “Good Practices
Guide” for business continuity practices and also a reference of applicable
certification standards; and (2) the BCM Institute (http://www.bcm-institute.org),
an international certification organization in business continuity management.
• National Congress for Secure Communities (http://nationalcongress.org) is a non-
profit organization that sponsors partnerships between local communities and the
private sector as a means of increasing community resilience and preparedness. Its
partner organization, the Corporate Crisis Response Officers Association
maintains a website (http://www.ccroa.org) that contains a link to Resources for
business and industry partners, including an extensive listing of Best Practices
Abstracts and Public Private Partnership Abstracts. The abstracts provide
information and resources for businesses and industries involved in regional or
community preparedness initiatives, or for private sector vendors offering services
or material to support those initiatives.
• Institute for Business and Home Safety (IBHS) sponsors a website named
DisasterSafety.org (http://www.disastersafety.org/) that collects and manages best
practices and lessons learned for business and industry relevant to preparedness
against natural disasters, technological hazards, and everyday threats to the
viability, liability and profitability of business interests. Its program entitled
86
“Open for Business” (http://www.disastersafety.org/OFB_Training) offers an
online “disaster protection and recovery planning toolkit for the small to medium
sized business.”
• Natural Hazards Center at University of Colorado (Boulder).
(http://www.colorado.edu/hazards/) This site is hosted by one of the oldest
dedicated research centers for natural hazards in the country. It includes a link to
Resources that further directs customers to a dedicated link for Selected Web
Resources, and from there to a Business Continuity site that lists resources for the
private sector (http://www.colorado.edu/hazards/resources/web/business.html). In
addition, this site hosts a Natural Hazards Center Library with a hazards literature
database (HazLit Database) that accesses the entire library’s electronic holdings
for disaster, continuity and emergency/risk management related literature.
• Texas A&M University’s Integrative Center for Homeland Security
(http://homelandsecurity.tamu.edu/) maintains a site called TEX: Taxonomy for
Education and Exploration (http://homelandsecurity.tamu.edu/framework) which
is an extensive and highly organized online resource of homeland security and
disaster management internet sites and documents. Like other university and
research center websites, TEX contains links to other university libraries, but also
to private and national research laboratories, private industries, and non-
government organizations involved in terrorism studies, homeland security and
87
disaster preparedness. It also catalogs a wide range of available “best practices”
literature from those sources.
While unique in the organization and resources they list, these websites are more or
less representative of the enormous scope and ready availability through the internet of
information on risk management, continuity of operations planning, disaster and
emergency preparedness and homeland security. The challenge faced by any private
sector business or organization is to identify trusted sources and appropriate guidance for
their specific case from the universe of available information. This is by no means a
trivial task.
88
CHAPTER 3: CONCEPTUAL MODELS AND FRAMEWORKS
3.0 Overview
3.1 Modeling risk 3.2 Modeling resilience 3.3 Distance and proximity 3.4 Reasoned action and technology acceptance 3.5 Decision-making for planning and operations
3.0 Overview This chapter reviews several models relevant to decision-making among individuals
and organizations that will be applied to the decision-making process for preparedness
and continuity planning within the private sector. The review will provide background
and structure to the analysis of the Private Sector Survey and the development of a
Framework for Private Sector Preparedness to be presented in a later chapter.
There are several reasons for developing a model or framework for analyzing private
sector decisions or commitment to business continuity planning and preparedness. The
first and most basic reason is that a framework or model is a useful tool for simplifying
and depicting complex relationships [Senge 1990; Hoch 2001]28. Secondly, as will be
28A model in science is a physical, mathematical, or logical representation of a system of entities, phenomena, or processes. Basically a model is a simplified abstract view of the complex reality. Formally a model is a formalized interpretation that deals with empirical entities, phenomena, and physical processes in a mathematical, or logical way. A cognitive model is an approximation to animal cognitive processes (predominantly human) for the purposes of comprehension and prediction. Cognitive models tend to be focused on a single cognitive phenomenon or process (e.g., list learning), how two or more processes interact (e.g., visual search and decision making), or to make behavioral predictions for a specific task or tool. A conceptual schema or conceptual model is a map of concepts and their relationships. This describes the semantics of an organization and represents a series of assertions about its nature. Specifically, it describes the things of significance to an organization (entity classes), about which
89
seen in the following sections, practitioners in disaster research, risk analysis, mitigation
planning and preparedness have often resorted to models as a way of depicting the web of
relationships and variables, distinguishing sequences among causes and effects, and
exploring likely outcomes of decisions made under conditions of uncertainty. This
chapter builds on that tradition in the attempt to illustrate decision-making approaches
that are common to the disaster, hazard and risk research fields, but specific—even
unique—to private sector enterprise.
The third and most important reason is that business continuity planning and the
execution of those plans requires a balance between two types of business decision-
making: decision-making within the context of business operations where the risks and
potential consequences are immediate but relatively familiar; and decision-making of the
sort involved in planning against an uncertain future—such as a potential disaster
scenario and its consequences. Addressing this balance poses a dilemma insofar as the
commitment of business resources that may benefit preparedness for the unknown is
often considered a cost or diversion of resources away from core business functions
whose immediate consequences affect day-to-day success and profit-making. Moreover,
aside from the competing priorities for resources, these two types of business planning
also require two different cognitive processes, one involving execution and oversight of
routine operations and one involving planning against uncertainty. This dimension will be
explored more fully at the end of this chapter. As the statistician E. P. Box famously
it is inclined to collect information, and characteristics of (attributes) and associations between pairs of those things of significance (relationships). A framework is a basic conceptual structure used to solve or address complex issues. A conceptual framework is often used in research to outline possible courses of action or to present a preferred and reliable approach to an idea or thought. Souce: Wikipedia (http://en.wikipedia.org/wiki/Main_Page) [Definitions edited for brevity].
90
observed, “all models are wrong, and some models are useful” [Box 1979]. This is a
valuable caution for presenting models for explaining complex processes, particularly
decision processes that are as open-ended as whether or not to plan for and prepare
against unknown disasters. Following from that precept, Clemens developed a set of
criteria for assessing the usefulness of a model in conveying relevant information. In
order to be useful, a model must be:
Salient: Since no model can represent everything, it must selectively represent those things most relevant to the task at hand.
Accurate: The model should precisely encode the actual state of affairs and not an
erroneous or biased view. Complete yet parsimonious: The model should be as simple as possible, but no
simpler. It should concisely capture all the relevant dimensions of the problem without squeezing out the opportunity for serendipitous or creative insight.
Perceptible: Models should be appropriately displayed in high fidelity as they won't be
much use if we can't clearly see, hear, or feel them. Understandable: Once we perceive the model we must be able to make sense of it; it
shouldn't be too complicated or unfamiliar for us to understand. Predictive: The model should not only depict what is, but should also predict what will
happen; or at least give some insight into future possibilities. Falsifiable: The model should be formulated such that it is possible, through
experimentation, to both confirm and disconfirm the model's accuracy and predictive power.
Emotive: In addition, the model may convey a subjective feel for the emotional and
value-laden connotations of the situation being modeled. Inspiring: Because people are drawn to and inspired by thoughtful design, models
should be elegant, i.e. they should synergistically combine style and substance. Memorable: Models are not of much use if they pass quickly from the mind, or if they
cannot be used as a mnemonic device. Models should be easily accessible for future reference and to refresh our understanding.
Flexible: As all models are, to some degree, inaccurate, irrelevant, mistaken, time-
91
sensitive etc., they should be open to recursive revision to reflect new data, our growing understanding, or our evolving needs.
Coherent: Models do not exist in isolation but in interlocking systems, thus any
particular model should be coherent with other related models. Productive: Ultimately, the model has a purpose: the production of effective action. A
good model should help define our goals and then specify the actions necessary to reach them.
Useful: Usefulness is the sum of the above properties and the degree to which they
combine to promote understanding and effective action. It is important to note that the most accurate, or the most complete, or the most elegant model is not necessarily the most useful. [Clemens, 2007].
Gentner and Stevens assert that a major purpose of a model is to “enable a user to
predict the operation of a target system. As a result, the predictive power of such a model
is of considerable concern” [Gentner and Stevens 1983]. It would be presumptuous and
almost certainly inaccurate to propose that any model could capture all of the rationales
or rationalizations for a business decision to adopt preparedness or continuity measures—
or, conversely, to adopt none at all—sufficiently to be predictive of that decision process.
This is particularly true when one considers that business decisions related to prepared-
ness can change according to such factors as economic or corporate priorities;
compliance with regulation or code; insurance or tax incentives; corporate leadership;
and perceptions of vulnerability to prevailing or imminent hazards. The limitations of this
study in attempting to model preparedness among the private sector are admittedly
significant. Suffice it to say at this point that the effort is more descriptive than analytic.
To quote one critic, “muddling through at least has the merit of not imposing any
particular set of blinkers or filters on inquiry during the early stages of development”
[Rayner, 1988].
92
Having offered these caveats, this chapter reviews a number of conceptual models—
including several used in the disaster research field—that provide useful approaches for
depicting the relationships between disaster, risk, potential outcome, and the analytic
process leading to a decision to take preparedness measures. These include examples
from risk communications; the modeling of resilience in communities; a conceptual
framework for compatibility among potential business partners; and a technology
acceptance model based on reasoned action theory. The study then integrates aspects of
these models to produce a hybrid for depicting and understanding motivation among
private sector entities toward the adoption of preparedness and continuity planning.
3.1 Modeling risk A starting point for this discussion is the mental model of risk communication
developed by Morgan, Fischhoff, Bostrom and Atman. According to Fischhoff, the goal
of risk communications is to “provide laypeople with the information they need to make
informed, independent judgments about risks to health, safety, and the environment”
[Morgan, Fischhoff, Bostrom and Atman 2002, p. 4]. In the present case, “laypeople”
would refer to managers, presidents, CEOs, owners and leaders of private sector entities
who have responsibility for protecting the interests and viability of their organizations,
their employees and assets, but who lack a complete understanding of the situation
encountered during a disaster or crisis. As the authors explain, what people typically need
in order to make critical decisions in such cases can be categorized as follows:
• Advice and answers often in the form of explicit instructions, summarizing “the
conclusions they would reach if they had sufficient time and knowledge.”
93
• Numbers, i.e., quantitative summaries of expert knowledge to enable them to
“plug the values into their personal decision-making model and make the choice
that makes the most sense for their personal situations.”
• Processes and framing sufficient to allow individuals to “monitor their own
surroundings, identify risky situations, and devise appropriate responses.” Rather
than simply recommending correct action, this level of information provides a
basis for understanding and competent, independent decision-making.
[Morgan, Fischhoff, Bostrom and Atman 2002, pp. 5-6].
The mental models approach to risk communication is based on the development of
“influence diagrams” that enable the inclusion of various expert perspectives on a given
problem and the identification and inclusion of all the relevant factors that could
influence a specific problem or decision.
Figure 3-1 shows the authors’ template of a generic influence diagram that breaks the
risk calculus into separate management activities directed toward addressing: (1) risks
arising from exposure to the hazard and activities to mitigate it; and (2) risks arising from
the impact of an event and measures taken to limit its effects. Factors affecting outcomes
at a given stage in the analysis originate from environmental, physiological or behavioral
sources.
94
Figure 3-1: Influence diagram template [Morgan, Fishhoff, et al 2002, p. 42]
To illustrate an application of influence analysis, the template is directed to the specific
example of mitigating the risk of tripping and falling on stairs (Figure 3-2). In this
diagram, ovals represent conditions or states, and squares represent decisions or points of
intervention. The arrows indicate influences that affect subsequent nodes in the diagram.
95
Illustration of the construction of an influence diagram for the risk of tripping and falling on the stairs: (a) shows just those two elements; (b) adds factors that could cause a person to trip; (c) adds factors that might prevent a fall after a person trips; and (d) introduces decisions that residents could make that would influence the probabilities of tripping and falling.
Figure 3-2: Influence diagram for risk of tripping and falling on stairs [Morgan, Fischoff, et al 2002, p. 37]
96
The significance of this process is twofold. First, the influence diagram approach
results in an “expert model;” that is, knowledge gathered from a range of sources to
properly identify and construct all the parameters that must be included in the risk
analysis. In the example above, that could include the owner of the home; carpenters,
electricians and masons; architects and building inspectors; and expert parents to control
the cat’s whereabouts and the childrens’ proclivity to leave their toys out. Secondly, the
influence diagram approach permits any number of factors to be illustrated, thus
providing some perspective on the relationships between causes and effects, and
highlighting intervention points where mitigation steps may be imposed. The key virtue
of the influence diagram approach to risk analysis is its depiction of the chain of causes
and effects, and the relationships between them. This has particular merit in modeling
potential disaster situations that can arise from complex and interactive sources—such as
maritime or aviation accidents—where contributing factors include physical engineering
systems, organizational structures affecting ways of doing business, environmental and
situational conditions, as well as human-induced error originating in experience, training,
qualifications, vigilance and the like [e.g., van Dorp, Merrick, Harrald, et al 2001].
A second model from risk perception and communications is the Social Amplification
of Risk Framework (SARF) developed by Kasperson, Slovic and colleagues in the late
1980s [Kasperson, Renn, Slovic, et al 1988]. The SARF model (Figure 3-3) takes a
similar approach to that of the risk influence diagram, insofar as it attempts to identify
and order the factors that contribute to risk assessments. In the case of SARF, however,
the evaluation is directed toward understanding how the public perceives risk and how
97
those perceptions shape public acceptance or disapproval of specific technologies. SARF
is concerned with risk as it pertains to the public sphere.
Figure 3-3 Social amplification of risk framework [Kasperson, et al 1988; Pidgeon, Kasperson, Slovic 2003]
The Social Amplification of Risk Framework is based on the theory that “risk events”
would be localized and their impact largely unknown except for their interaction with and
observation by human populations, and communication of that impact to others (to
illustrate, consider the public perception of risks from hurricanes along the southern coast
of America in 900 A.D. when the hazard was unrecognized except by early inhabitants of
the region). Therefore, the concept of risk has two key components: the actual experience
of physical harm, and the interpretation and transmission of that experience to a public
98
audience. Risk is then a product of an event and the social and cultural processes that
shape the interpretation of that event and the perceptions that result [Pidgeon, Kasperson,
and Slovic 2003, p. 15]. The initial article that presented the SARF methodology,
explains the core problem:
[T]he technical concept of risk is too narrow and ambiguous to serve as the crucial yardstick for policy making. Public perceptions, however, are the product of intuitive biases and economic interests and reflect cultural values more generally. The overriding dilemma for society is, therefore, the need to use risk analysis to design public policies on the one hand, and the inability of the current risk concepts to anticipate and explain the nature of public response to risk on the other. After a decade of research on the public experience of risk, no comprehensive theory exists to explain why apparently minor risk or risk events, as assessed by technical experts, sometimes produce massive public reactions, accompanied by substantial social and economic impacts and sometimes even by subsequently increased physical risks. [Kasperson, et al, 1988, p. 178].
In response to this dilemma, the SARF model presents an entire taxonomy of factors
that can attenuate or amplify risk perceptions, including informational, social, individual
and organizational factors (the grid and boxes on the left) and transmits the resulting risk
perceptions via a pool of public interactions (the concentric ovals on the right) that
generate ripple effects throughout a society. Those ripple effects result in impacts on
various levels and functions of that society. The authors hypothesize four response
mechanisms that contribute to public amplification (or attenuation) of risk, and that
account for the resulting reactions that emerge into the public dialogue about specific risk
issues:
• Heuristics and Values that provide simplifying mechanisms for individuals to evaluate risk and shape responses;
• Social Group Relationships that influence member responses and the types of
rationality brought to risk issues;
99
• Signal value which, as in the field of telecommunications, determines how high the volume and the quality of discrimination given to a particular public risk; and
• Stigmitization, a measure of the negative imagery or undesirable social impact
that is attributed to specific risks and technologies. [Kasperson, et al 1988, pp. 185-186]. The cumulative effect of these response mechanisms and the interactions among them are
what shape the amplitude of the ripple effects that impact public reaction and the
emergent policies.
The significance of the Social Amplification of Risk Framework for this study is that
it captures the interactive and reinforcing effects of public response and reaction at
varying social levels on the development of risk perception and illustrates that those
responses can have corresponding effects on public policy. The SARF structure allows
for the fact that risk perceptions are not simply the products of individual assessment or
analysis, but a reflection of a larger public perception that develops as a result of a wide
range of factors. This public aspect of risk perception and the potential for impact on
public acceptance of technologies and the shaping of public policies will be applied to the
Framework for Private Sector Preparedness to be presented later.
3.2 Modeling resilience Another research area relevant to the issue of private sector preparedness is directed
toward defining and understanding the resilience of communities and organizations
against threats posed by natural disasters, psychosocial traumas, and economic
disturbances. One recent study has devoted significant effort to defining community
resilience, identifying its “structural” components, and developing a model that would
serve to organize those components around a theoretical framework [Norris, Stevens,
100
Pfefferbaum, Wyche and Pfefferbaum 2008].29 This study approaches the concept of
resilience from four perspectives: as a metaphor taken from physics or engineering and
applied to organizations or social units; as a theory from public health about the ability of
individuals or populations to manage psychological stress; as a set of social, political and
economic capacities that enable adaptability to change; and as a strategy for disaster
preparedness [Norris, et al 2008].
Each of these four perspectives describes a basis for understanding resilience as it
applies to communities and to organizations. A virtue of this approach is the tacit
acknowledgement that more than one approach is needed to capture the range of qualities
and the dynamic nature of interactions that define the resilience of a community.
However, for the purposes of this study, the importance of the community resilience
study is that it attempts to identify the characteristics that would comprise a resilient
community and to relate them through a “network of adaptive capacities.” Figure 3-4 is
the model developed by the authors to illustrate the network of adaptive capacities that
collectively form the resilience within communities.
29 “Community resilience as a metaphor, theory, set of capacities, and strategy for disaster readiness.” American Journal of Community Psychology. 41(4) 127-150. The article will be referred to in this paper as the “Community Resilience study.”
101
Figure 3-4. Community resilience as a set of networked adaptive capacities [Norris, et al, 2008].
The four sets of adaptive capacities are depicted in the ovals with critical qualities
identified for each. The significance of this model is that it captures at one and the same
time the required adaptive capacities of a community, but also many of the equivalent
capacities of the individual social units—the organizations, agencies, neighborhoods and
businesses—that make up the community. As the authors highlight, “resilience rests on
both the resources themselves and the dynamic attributes of those resources” a view that
is consistent with “the property of an ecosystem that describes changes in stability
landscapes and resilience [Norris 2008, p. 135].” The concept of the community as an
ecosystem is the fundamental principle that this model captures. As such, the resilience of
the system rests on the resilience of individual components, on the interactions and
interdependencies with one another, and on the balance maintained within the system
102
itself and the stability and resilience that that balance imparts. This is clearly seen if one
applies the definitions of the four adaptive capacities of a resilient community to the unit
level of an individual business or enterprise within the community. The Community
Resilience study variously describes the four adaptive capacities as follows:
• Information and communications. “Information may be the primary resource in technical and organizational systems that enables adaptive performance. ... Information and communication become vital in emergencies.” Quoting Longstaff, the authors observe, “a trusted source of information is the most important resilience asset that any individual or group can have” [p. 140].
• Community competence “has to do with collective action and decision-making,”
by which communities “must be able to learn about their risks and options and work together flexibly and creatively to solve problems.” The authors again cite Longstaff’s observation that “the capacity to acquire trusted and accurate information, to reflect on that information critically, and to solve emerging problems is far more important for community resilience than is a detailed security plan that rarely foresees all contingencies” [p. 141].
• Social capital. A term borrowed from economics, social capital implies that
“individuals invest, access, and use resources embedded in social networks to gain returns”, and “encompasses relationships between individuals, their larger neighborhoods and communities.” Enabling capabilities for achieving a high degree of social capital are “participation, referring to member involvement and engagement” and “structures, roles, and responsibilities, referring to leadership, teamwork, clear organizational structures, well-defined roles and management of relationships with other communities” [pp. 137-139].
• Economic development. The capacity for economic development “encompasses
economic growth, stability, and equitable distribution of the benefits of income and assets” within a community.” Moreover, “community resilience depends not only on the volume of economic resources, but also on their diversity.” “Because of extensive interdependencies at the macroeconomic level, economic resilience depends not only on the capacities of individual businesses but on the capacities of all the entities that depend on them and on which they depend.” [pp. 136-137].
If one were to replace the term “community” with the term “organization,” or
“business,” it is easy to see that the network of adaptive capacities are as fundamental to
the ability of single businesses or organizations to successfully survive a crisis or disaster
103
as they are for the entire community in which those businesses and organizations reside.
It is also clear that within the four sets of resources in the network of adaptive capacities,
many of those identified at the community level are equally critical for the resilience of
individual businesses and organizations. These include such qualities as
• Diversity of economic resources;
• Equity of resource distribution;
• Information skills and communication infrastructure;
• Problem solving skills
• Flexibility and creativity;
• Political partnerships;
• Leadership and role identification;
• Organizational linkages and cooperation;
• Formal and informal social ties; and
• A sense of community and attachment to place.
In this sense, the ecosystem of a resilient community is built on the resilience of its
constituent organizations and agencies and their active participation in maintaining
balance within the system. Displacement or trauma suffered by the ecosystem during a
disaster requires the collective involvement of all in order to restore the balance and adapt
to the changed environment.
3.3 Modeling distance and proximity In a 2001 Harvard Business Review article, economist Pankaj Ghemawat described
the concept of “distance” as it applies to the ability of companies to achieve penetration
in foreign markets. Based on a time-tested economic analysis process know as Country
104
Portfolio Analysis (CPA), “distance” is measured along four dimensions to gain a sense
of the potential for successful commercial ventures in a foreign country [Ghemawat,
2001]. The four dimensions—geographic distance; cultural distance; administrative
distance; and economic distance—reflect both physical and cognitive separation between
a corporation seeking an overseas business venture and the country with which it seeks to
partner. The four parameters of “distance” could be summarized as follows:
• Geographic distance. Simply, the physical distance between potential commercial partners. However, while clearly a factor of physical distance between countries, geographic distance also takes into account the ease of access according to transportation infrastructure, topography, information channels, and costs associated with those factors.
• Cultural distance. How a country’s culture, language, social customs and history
affect its compatibility, flexibility and openness relative to its prospective partner country, and how the interaction is enhanced or impeded by those differences.
• Administrative distance includes historical and political relationships, including
diplomatic history, colonial history, previous or existing treaty partnerships, currency and trade relations, and tariff and trade regimes that enhance or impede commerce across borders.
• Economic distance. The relative balance between the economic capacity of one
potential partner to the other. Close correlation or great disparity between the economic status of trading partners affects the overall quantity of trade, and thus the odds of gaining cooperative agreement for a single company’s venture, but also affects the nature of potential trade, according competitive advantage to some sorts of enterprises, and disadvantages to others.
[Ghemawat 2001].
Long use of CPA in market analysis has established a fairly reliable index for assessing
likelihood of success when taking the four dimensions or vectors into account
collectively. Figure 3-5 depicts the CAGE Distance Framework and lists the attributes
and the impacts on various market products that cultural, administrative, economic and
geographic distance conveys.
105
Figure 3-5: The cultural, administrative, geographic and economic (CAGE) distance framework [Ghemawat 2001]
In the summary chapter of this thesis, the fundamental approach of the CAGE
Distance Framework will be adopted to examine four aspects of “distance” as indicators
of the likelihood of a business or organization to adopt emergency preparedness or
business continuity planning measures. For the purposes of modeling business
preparedness and its motivators, however, the factors will not be presented as “distance
from” a potential business enterprise to its prospective market as in CPA, but rather
“proximity to” a hazard, disaster or emergency that affects business decision-making.
106
Relative degrees of proximity will be examined as indicators of motivation or de-
motivation for support or adoption of emergency preparedness or continuity planning
measures by a private sector entity.
A useful way to conceptualize the properties and relationships of an organization or
system is through the use of a “fishbone” or Ishikawa Diagram. This process was
developed by Kaoru Ishakawa in the 1960s as a way to understand cause and effect
relationships in quality control analysis. The diagram later became a fundamental tool of
Total Quality Management and other process analysis methods.30 Figure 3-6 is an
Ishikawa diagram for depicting a program management process. Arranging the four
dimensions of the CAGE Distance Framework as an Ishikawa diagram enables one to
visualize how the four elements of “distance” might relate to the ability of a company to
engage a foreign partner (Figure 3-7). The same technique will be adopted to illustrate
preparedness among private sector entities as a function of their proximity to specific
hazards and threats to organizational viability in the next chapter.
30 Source: Wikipedia, http://en.wikipedia.org/wiki/Ishikawa_diagram. Accessed 20 March 2009.
107
Figure 3-6: Ishikawa diagram for a program management process http://www.diegm.uniud.it/create/Handbook/techniques/List/Immagini/FishboneDiagram
Figure 3-7: Ishikawa diagram for the CAGE distance framework
3.4 Reasoned action and technology acceptance The final cognitive model that will be examined for application to the Framework for
Private Sector Preparedness will be a Technology Acceptance Model that grows out of
the Theory of Reasoned Action postulated by Fishbein and Ajzen in 1975. Their study
108
entitled Belief, Attitude, Intention and Behavior, established a framework for
understanding the distinctions between peoples’ beliefs, their formation of attitudes, their
intentions toward certain behaviors, and the adoption of those behaviors as evident
through their actions [Fishbein and Ajzen 1975]. Among the key aspects of their research
was the distinction between (1) an individual’s intentions toward certain behaviors and
how those intentions are shaped by the individual’s beliefs and attitudes toward that
behavior; and (2) normative standards that are culturally or socially formed regarding
actions that should or should not be taken, and how those normative beliefs form a
motivation to comply leading to pressures regarding that specific behavior. This pressure
Fishbein and Ajzen termed a “subjective norm.” According to their framework, an
individual’s behavioral intention is motivated by two factors: his attitude toward the
behavior itself, and the subjective norm that is the result of other, external social factors
[Fishbein and Ajzen 1977, p. 16].
A further set of distinctions was offered regarding the differences between beliefs,
attitudes, intentions and behavior. In brief, an attitude “refers to a person’s favorable or
unfavorable evaluation of an object” (evaluation being the critical word), and a belief
“represents the information he has about the object. Specifically a belief links an object to
some attribute” [Fishbein and Ajzen, p. 13]. The final distinction is drawn between
intention and behavior. In the former case, intentions “may be viewed as a special case of
beliefs, in which the object is always the person himself and the attribute is always a
behavior” [Fishbein and Ajzen, p. 12]. In other words, an intention is about a person’s
strength of attitude toward performing or not performing some behavior. As regards the
109
behavior itself, Fishbein and Ajzen consider it simply as “the observable acts of the
subject,” though behaviors can be used “to infer beliefs, attitudes, or intentions” [p. 14].
These distinctions are all critical to the Theory of Reasoned Action because the
attitude or intention toward a certain behavior is not necessarily an assurance of the actual
performance of that behavior. Much of the difference in actual attitude and belief and the
formation of intentions leading to actual performance of the behavior may be attributed to
the effects of subjective norms based on normative beliefs and a motivation to comply
with some external stimulus, as depicted in the schematic diagram of TRA (Figure 3-8).
Figure 3-8: Theory of reasoned action (TRA) [Fishbein and Ajzen 1975] An application of the Theory of Reasoned Action was developed by Malhotra and
Galletta to clarify the effects of social influence on the adoption of information systems
technologies [Malhotra and Galletta 1999]. Building on earlier work of Davis, Malhotra
and Galletta offer a model of technology acceptance that ties in two additional constructs,
the perceived usefulness and perceived ease of use of the technology (Figure 3-9).
110
Figure 3-9: Technology acceptance model [Malhotra and Galletta 1999].
Like the Theory of Reasoned Action, these two exert a dual influence on the attitude of a
potential user to adopt or not to adopt a given technology or innovation. Malhotra and
Galletta cite the earlier work of Kelman who identified three distinct processes through
which social influences can affect individual behavior:
• Compliance: when an individual adopts the induced behavior not because she believes in its content but with the expectation of gaining a reward or avoiding a punishment;
• Identification: when an individual accepts influence because she wants to
establish or maintain a satisfying relationship to another person or group; and
• Internalization: when an individual accepts influence because it is congruent with her value system. [Malhotra and Galletta 1999, p. 3].
In running a series of survey-based tests of technology acceptance for particular
information technology systems, the study determined significant variation in acceptance
based on social influences. As Malhotra and Galletta summarized:
111
When social influences generate a feeling of compliance, they seem to have a negative influence on the users’ attitude toward use of the new information system. However, when social influences generate a feeling of internalization and identification on the part of the user, they have a positive influence on the attitude toward the acceptance and use of the new system. The findings also suggest that internalization of the induced behavior by the adopters of new information system plays a stronger role in shaping acceptance and usage behavior than perceived usefulness. Hence the consideration of social influences and how they affect the commitment of the user toward use of the information system seems important for understanding, explaining and predicting system usage and acceptance behavior. [Malhotra and Galletta 1999, p. 8]
Another researcher, Jakob Nielsen, developed the concept of “usability” and
“usability engineering” to describe the process of designing and assessing the quality of
the human-computer interface for computer software [Nielsen 1993]. He defines usability
by five characteristics:
• Learnability: The system should be easy to learn so that the user can rapidly start
getting some work done with the system.
• Efficiency: The system should be efficient to use, so that once the user has learned the system, a high level of productivity is possible.
• Memorability: The system should be easy to remember, so that the causal user is
able to return to the system after some period of not having used it, without having to learn everything all over again.
• Errors: The system should have a low error rate, so that users make few errors
during the use of the system, and so that if they do make errors they can easily recover from them. Further, catastrophic errors must not occur.
• Satisfaction: The system should be pleasant to use, so that users are subjectively
satisfied when using it; they like it. [Nielsen 1993, p. 26]. The parameters of Nielsen’ usability study are diagrammed in Figure 3-10. The
parameters are the end product of a refined engineering process that puts the human-
computer interface in the larger context of “system acceptability.” That is, “whether the
112
system is good enough to satisfy all the needs and requirements of the users and other
potential stakeholders” [Nielsen, 1993, p. 24].
Figure 3-10: A model of the attributes of systems acceptability [Nielsen 1993]
One dimension of Nielsen’s model is the notion of “social acceptability” as a
contingent aspect of any technology acceptance problem. Nielsen does not develop the
concept of social acceptability to any great detail, though it has been described elsewhere
as applicable to systems having cultural dimensions. [Fitzpatrick and Higgins 1998]. The
concept of the subjective norm of Fishbein and Azjen bears striking resemblance to this
aspect of Nielsen’s model. Of perhaps greater significance for this study, however, is the
attention Nielsen devotes to identifying the parameters of usability, and the degree to
which those parameters influence the willingness of an individual or an organization to
adopt a new technology or way of doing things. The simple concepts of ease of use,
113
compatibility, utility, and overall usefulness are worth keeping in mind when attempting
to introduce and motivate the adoption of new or unfamiliar concepts such as
preparedness and contingency planning within the private sector.
Collectively, the results of these studies have important implications for the
adoption by private sector entities of preparedness and continuity planning practices, and
indicate that some methods of inducing or influencing adoption will likely work better
than others. This is particularly relevant to issues affecting the usability of advanced or
new technologies and is particularly relevant to the adoption of preparedness and
continuity planning measures by the private sector. Moreover, there is an obvious social
dimension of private sector adoption of continuity planning and emergency preparedness,
that can affect the resilience and recovery of whole communities or regions. The social
aspect of individual business decisions will be explored in Chapter 6, but are clearly in
line with the models of the theory of reasoned action, as well as with acceptability and
usability engineering.
3.5 Decision-making for planning and operations An emerging school in the field of decision science research called Naturalistic
Decision-Making (NDM) examines cognitive processes involved in two different types or
modes of decision-making: one employed in operational settings where analytic strategies
are tempered by experience and where constraints in time, limited options, changing
circumstances and competing priorities all impact the decision-making process; and a
second mode dominated by analysis and hypothesizing about potential events or
consequences arising from imagined circumstances [Zsambok, Beach, Klein 1992; Flin,
Salas, Strub, Martin 1997]. These two types of decision-making illustrate the differences
114
between business decision-making for routine business operations (or even for crisis and
consequence management) and the mode of decision-making during business continuity
or contingency planning. On the one hand are decisions made in day-to-day operations—
an area where the domain is familiar and the costs, risks and outcomes known and
relatively predictable. NDM classifies expert decisions made in this domain as
Recognition-Primed Decision-Making (RPD), a form of decision-making based on the
use of analogy and heuristics to draw parallels between current situations and previous
experience. RPD contributes to analysis and understanding of such questions as
• how expertise and experience affect decision-making;
• how people use experience to adopt the first actions they consider;
• how people make decisions without analyzing strengths and weaknesses of alternate courses of action;
• how the use of heuristics aids in making situations recognizable as typical
[Klein, 1997]. The second mode of decision-making in NDM is termed Anticipatory Thinking—the
ability to prepare in current time for problems and opportunities in the indefinite future
that may not be clearly understood until they are encountered [Klein, Snowden and Pin
2007]. Anticipatory thinking is focused on examining potential events, including those
that have high consequences but a low probability of occurrence. This analytic approach
is differentiated from prediction because it involves active planning and functional
preparation, and not simply speculation about future possibilities. Moreover, whereas
prediction is externally directed toward predicting and understanding potential future
events, anticipatory thinking also involves identifying potential consequences relevant to
115
one’s own situation, and planning courses of action to mitigate, prepare for or avoid those
consequences [Klein 2007, p. 121]. Klein describes three modes of anticipatory thinking:
• Pattern matching, in which events that do not conform to patterns of previous experience are recognized for their dissimilarities as well as for their similarities. This is a common cognitive process among experts with large repertoires of patterns in their experience base.
• Trajectory matching, in which experience and understanding allow an expert
decision-maker to “get ahead of the curve” by recognizing where current actions or events are most likely to lead, and anticipating the next decision point. In military parlance, this is often referred to as the “OODA loop” for observe-orient-decide-act, that describes expert decision-making against an adversary.31
• Conditional recognition that allows one to see connections or interdependencies
between events and discern connections that indicate the likelihood of consequences and the sequence of cause and effect relationships. [Klein 2007, pp. 121-122].
Taken together, these two cognitive processes from Naturalistic Decision-Making
provide a way of characterizing the differences in methodology between decision-making
for routine or crisis business operations and those for business continuity or contingency
planning. This is not to say that there are no unknowns or unanticipated risks in business
decisions in such areas as marketing, competitive strategies, mergers or acquisitions, or
even day-to-day operational planning. But rather, for a seasoned business owner or CEO,
business decisions that affect the operation of a private sector enterprise is the familiar
terrain where experience and expertise can be brought to bear on the problems
encountered. It is in this arena that a CEO or business owner has chosen to play. Contrast
this with the decisions required for continuity of operations planning and emergency
preparedness, where threats and consequences are understood largely in the abstract,
through simulations and case studies, or through limited or unique experience which is 31 See http://oodacycle.com/OODA.aspx for a description of the origins of the OODA loop, devised by Colonel John Boyd to explain expert fighter pilot skills in dog-fights against opposing aircraft.
116
seldom replicated in later disasters or crises.32 This latter domain is where analytic
processes predominate, since experience may be limited, the decisions are not necessarily
immediate or operational, and where there is time to consider options. Cannon-Bowers,
Salas and Pruitt developed a framework for characterizing decision-making strategies
under these varying conditions according to categories of cognitive tasks. Their
framework offers an appropriate illustration of these two cognitive frames of reference as
they apply to business decision-making (Figure 3-11). As this diagram illustrates, there is
a greater reliance on analysis and option comparison in Anticipatory Thinking—during
planning when time is available and concepts are abstract, non-operational and
speculative (i.e., during threat and risk assessments, cost-benefit analysis, and
contingency planning). On the other hand, operational decisions made by experienced
decision-makers tend to be made by calling on past experience where learned patterns
compare with the problem at hand, heuristics gained through formal training and on-job-
experience, and an intimate understanding of the terrain and environment [Crego and
Spinks, 1997].
32 One area of research in NDM is the use of Recognition-Primed Decision-making among experienced operators such as Fire Chiefs, police officers and military personnel. While many of the domains these experts operate in is clearly that of emergency or crisis operations, they are arenas where seasoned professionals frequently draw on experience and expertise described in RPD, and at other times on analytic modes similar to Anticipatory Thinking. As opposed to these career professionals, business professionals are rarely challenged by emergency or crisis circumstances. For those business leaders who have been, their experiences frequently become the case studies used to train other business leaders in crisis or contingency management, as much of the literature in Chapter 2 illustrates. See the articles by Kerstholt; Fredholm; and Martin, Flin and Skriver in Flin, Salas, Strub and Martin 1997.
117
Figure 3-11: Inducement of analysis and intuition in contingency planning and operations [adapted from Cannon-Bowers, et al, in Martin, Flin, Skriver 1997].
Once one departs from familiar terrain, however, there may be limited heuristics to call
on and consequently greater reliance on intuition not grounded in relevant experience.
In such cases, a third cognitive mode can be imagined where an individual is faced with
an emergency or crisis that would benefit from Recognition-Primed Decision-making,
but that individual lacks the experience that would enable an intuitive understanding of
the situation, or an experiential frame of reference for effective decision-making. In such
an instance, preparation in the way of option-weighing and Anticipatory Thinking would
help fill that gap in experience, provided that the preparations have been made in advance
of the crisis. When adequate planning against contingencies has not been conducted,
however, there may be little left to fall back on other than what might be termed
118
“reasoned muddling-through.” In a nutshell, this is the fundamental argument for
contingency and continuity planning.
Figures 3-12 offers an example based on an NDM analysis of the decision process
aircraft pilots face during non-routine or emergency decisions under extreme stress.
When time is limited and risk is high, pilots fall back on intuitive actions and rules that
were learned through training and previous experience gained under less demanding non-
emergency situations, or those from previous experience that resemble the current
emergency.
Figure 3-12: Aviation decision process model [Orasanu and Fischer 1997]
Orasanu and Fischer describe the decision process as follows:
119
Sometimes a single response is prescribed in company manuals or procedures. In other circumstances no rule is prescribed and multiple options may exist from which one must be selected. In these cases, options are evaluated on the basis of goals, situational constraints, and anticipated outcomes. On some rare occasions no response is available and the crew must invent a course of action. In order to deal appropriately with the situation, the decision maker must be aware of what response options are available and what constitutes a situationally appropriate process (retrieving and evaluating a single option, choosing, scheduling, inventing) in light of risk and time factors. Experience drives situation assessment and sensitivity response options. [Orasanu in Flin, Salas, Strub and Martin 1997, p. 48].
Interestingly, the explanation of the decision process that the authors provide
could be applied to business owners and CEOs as easily to aircraft pilots. Indeed, a
modification to this diagram—separating out the decision-making process under
uncertainty for the familiar terrain of business operations, from the decision-process
under the relatively unfamiliar terrain of a business crisis or disaster—illustrates the
critical difference between having cognitive rules that facilitate Recognition-Primed
Decision-Making from having nothing to draw on but a leader’s ability to “muddle
through” with a certain amount of authority supported by blind luck.
Figure 3-13 illustrates the decision process model the situation for a business leader
or executive faced with similarly stressful decisions during a crisis or disaster that
threatens his company’s survival. Under normal operating conditions, even stressful
problems are understood because they are part of “normal” competition and day-to-day
survival, as routine landings in bad weather and strong cross-winds are for experienced
pilots. In such cases, executives apply the rules, heuristics, and common sense built
through their years of experience and familiarity with the operating environment
(depicted on the left-hand column, “Problem understood: routine business operations”).
120
Figure 3-13: Business decision process model: routine business operations vs. business-related crisis, emergency or disaster—without a plan.
However, in situations that are radically different—such as a decision to shut down
company operations and evacuate from the possible landfall of a hurricane—a lack of
available knowledge or options means that no cognitive rules may be available and the
executive and his company will simply have to “muddle through” as illustrated above.
However, with prior planning and preparation (such as a reasonably well developed
business continuity plan, for example) there will be a new set of rules, heuristics and pre-
planned responses to call upon. In such a case, the cognitive terrain will not be entirely
unfamiliar, and the normal muddling-through process can be supported by a foundation
of understanding appropriate to the crisis, as depicted in Figure 3-14.
121
Figure 3-14: Business decision process model: routine business operations vs. business-related crisis, emergency or disaster—with a plan.
Relevant to this example, however, is a cautionary note about planning based on
Weick’s studies of High Reliability Organizations: an excessive reliance on planning can
lead to the development of expectations about impending events that cause decision-
makers to tend to look for information that confirms the plan in place. “Disconfirming
evidence is avoided, and plans lure you into overlooking a buildup of the unexpected
quite as handily as other expectations,” [Weick and Sutliffe 2001, p. 43]. This is a
particular trap when planning focuses on threat assessment and scenario development,
rather than on developing and exercising a flexible planning process. As General Dwight
Eisenhower observed, “Plans are nothing; planning is everything.”
122
CHAPTER 4: METHOD, APPROACH AND RESULTS
4.0 Overview
4.1 Research method
4.2 Analytic approach
4.3 Survey method
4.4 Survey structure
4.5 Summary of results
4.5.1 Characteristics of participants 4.5.2 Perceptions of risk and threat
4.5.3 Perceptions of federal, state and local responsibilities
4.0 Overview The Recognition-Primed Decision-Making and Anticipatory Thinking frameworks
presented in the previous chapter describe two different conceptual approaches to
decision-making that have relevance for private sector enterprise. The former method is
appropriate for managing risks in the familiar domain of day-to-day business operations,
while the latter is applicable to the less familiar realm of contingency and continuity
planning for emergencies or disasters that could affect business viability. To reiterate, this
framework does not distinguish between decision-making for normal operations and
decision-making during emergencies; certainly decisions under either situation must
often be made based on incomplete information, under the press of limited time, and
when the potential risks and penalties for error are high.
123
Rather, the distinction is between operational decisions made by an experienced
individual who has familiarity with the environment and with the general requirements of
the situation, as opposed to planning that is conducted against potential, but unknown
situations whose details and outcomes may not be known in advance: that is, the
distinction is between decision-making on the one hand, and planning in advance to
facilitate decision-making at some later time, on the other.
Experienced business leaders are, almost by definition, comfortable with making
decisions about the day-to-day operations of their companies and organizations, even
when those decisions will have heavy outcomes. For most, however, the same cannot be
said about decision-making during an emergency or crisis that threatens the company’s
viability, the safety or welfare of employees, or the integrity of facilities, physical capital
or the company’s reputation. Decision-making during a life-threatening emergency or a
disaster involving physical risk may be routine operations for some professionals, but it is
largely unknown territory for most CEOs and company owners.33
Given these facts, one should expect that Anticipatory Thinking about worst-case
scenarios, and planning for emergencies and interruptions to business operations would
be more widespread, if not common practice among experienced business leaders,
particularly after the 9/11 attacks on the World Trade Center and Hurricanes Katrina and
Rita. Current literature and experience indicate, however, that only a minority of
companies has incorporated business continuity planning and emergency preparedness
into their routine business functions, as noted in the studies cited in Chapter 2 [Mitroff
and Alpaslan 2003; Deloitte 2006; and FM Global 2008]. Add to this the fact that
33 See, for example, articles by Kerstholt; Fredholm; and Martin, Flin and Skriver in Flin, Salas, Strub and Martin 1997, and Mitroff 2001 and 2005.
124
business continuity planning is often viewed as an unrecoverable cost to core business
functions (i.e., within the boundary of a zero-sum calculus for costs and benefits), and the
potential impediments to business crisis and continuity planning and emergency
preparedness become clear. The investment in time, resources and talent to conduct the
dedicated thinking, analysis and planning required for an effective business continuity
plan or a series of relevant emergency plans can seem daunting, particularly to a small
business with limited resources, limited experience or expertise to draw on, and little
perception of its exposure to risks or operational hazards. This seeming imbalance
between the investment for contingency and continuity planning and the requirement for
day-to-day operational decision-making is clear in the illustration below from a business
handbook on establishing and maintaining a business continuity plan (Figure 4-1).
Figure 4-1: A time line of BCP activities relative to a business disruption [Syed and Syed 2004, p. 9]
125
Recognizing the range of activities in this illustration that occur to the left of the business
disruption—all of which, of course, must take place concurrently with normal business
operations—it is not surprising that building and managing an effective Business
Continuity Plan can appear daunting, the investment for which might prove worthwhile—
with luck—only in the event of the 100-year flood or the rare Category 5 hurricane.
So the question arises: among those businesses that have adopted continuity planning
and emergency preparedness measures, what motivates the decision to do so? And
conversely, what are the inhibitors that deter other private sector enterprises from
committing the time, talent and resources necessary to develop their own plans? These
two questions are at the heart of the problem that motivated this study.
4.1 Research method This chapter will present the research method and highlight results of a project that
surveyed 145 businesses, industries, and non-profit organizations in four geographic
regions of the country to determine the factors that motivate private sector entities to
adopt business continuity planning or emergency preparedness measures. For purposes of
establishing a testable research question, the focus was on determining the effect of
recent experience in and geographic proximity to a disaster event on the adoption of
emergency preparedness measures or business continuity planning by a private sector
entity. As the research evolved, two additional factors were identified as relevant to
motivation among private sector entities. These factors are analyzed in the next chapter.
The introduction to this study cited a hypothesis that appears in Rubin’s Emergency
Management: The American Experience 1900-2005:
126
“The hypothesis of this book is that changes in emergency management policies, authorities, and processes are event-driven, and major focusing events have provided an opportunity to explore the effect of disasters on emergency management principles and practices.” [Rubin, 2007 (4)]
In a corollary fashion, this study proposes to examine whether focusing events occur not
just at the regional level with cultural or national-level implications, but at the level of
individual businesses, as well, with implications for the adoption of policies and
measures to prepare for, respond to and mitigate the effects of local disasters and
emergencies. The specific research objective is to identify the effects of disaster
experience and proximity to hazards in motivating the decision to adopt business
continuity planning and emergency preparedness measures within an organization. The
following research hypothesis was the basis for evaluation:
HYPOTHESIS: Experience with or exposure to disasters has an effect on whether a
private sector entity adopts preparedness or continuity planning measures.
NULL HYPOTHESIS: Experience with or exposure to disasters has little or no effect
on whether a private sector entity adopts preparedness or continuity planning
measures.
In addition to the factors of exposure and experience, two other motivations for
business decisions favoring preparedness were examined. According to Mileti and
Tierney, a second major factor besides past experience that influences preparedness
among private sector business is the size of the organization [Mileti 1999; Tierney 2007].
The significance of this factor is the relationship between organization size and the
127
availability of resources, technical and managerial capabilities, staffing capacity and the
like. Clearly, the administrative overhead required to establish, manage and operate a
full-blown, capital-letter Business Continuity Plan of the sort depicted in Figure 4.1 goes
a long way toward explaining why corporate size matters in formal business continuity
planning. But are organizational size and available resources the key discriminators? And
if so, what motivates small businesses to take similar measures? To explore this aspect of
the problem, the analysis also examined the effect of organizational size on the decision
by a private sector entity to adopt continuity and preparedness measures.
Lastly, during the course of the survey development and administration, it became
clear that a fourth factor had a significant effect on the business decision to adopt
continuity planning and emergency preparedness practices: that is, participation within a
community or regional planning structure or organization that aided collaborative
decision-making, coordinated planning or mutual support.
Thus the analytic approach for the data collection and analysis in this study is based
on four primary factors: (1) experience in a disaster that a business or organization may
have had, whether recent or historic; (2) exposure to a hazard or disaster by virtue of
geographic location; (3) the relative size of the business or organization as an indication
of capacity to prepare and availability of resources to respond; and (4) participation in a
local or regional organization for collaborative planning or mutual support. This structure
and the analytic process are described below.
4.2 Analytic approach
128
Chapter 3 presented Ghemawat’s concept of “distance” and the CAGE Framework as
a method to estimate the potential for a company to successfully expand its operations
into a foreign country. An Ishikawa Diagram was presented to visualize the CAGE
framework, where the four components of “distance” between the business and its
foreign market serve as indicators of commercial potential for the business (Figure 4-2).
Figure 4-2: Ishikawa diagram for the CAGE distance framework
A similar approach is presented here to analyze motivation within the private sector for
adopting continuity of operations planning and emergency preparedness measures.
Rather than “distance,” however, this framework is defined by the “proximity” of a
business or organization to the four factors described above that influence business
decisions for preparedness. The four “degrees of proximity” in this analysis are:
• Geographic proximity – geographic or physical distance from a hazard or
regional condition that exposes a business and its operations to the effects of a
disaster;
129
• Temporal proximity – recent or historic experience with crises, emergencies or
disasters that affected a business and it operations;
• Proximity of capability – whether an entity has the capability and resources at
hand to survive a disaster event and maintain continuity of operations, as
indicated by the organization’s size; and
• Proximity of organization – whether an organizational structure exists within the
entity and/or local community that fosters development of capabilities for
preparedness and continuity of operations.
A second Ishikawa Diagram, similar to the one developed for the CAGE Framework,
illustrates the four aspects of proximity that might affect motivation for continuity
planning and emergency preparedness in the private sector.
Figure 4-3: Ishikawa diagram for four proximities of preparedness
Of the four proximities illustrated in Figure 4-3, two are largely independent of the
commitment of a business to either prepare or to not prepare for a disaster. These are (1)
the region in which a particularly private sector entity is located; and (2) its history and
130
experience with disaster-related events.34 Conversely, the other two proximities are more
clearly reflections of decisions made within the entity itself: (3) the resources that a
company has available, by virtue of its size, to make itself more resilient and less
vulnerable to disaster; and (4) an entity’s decision to participate in an organization or
mutual aid association to enhance its preparedness through cooperation with other
entities. The survey did not attempt to directly assess the relationship between any
specific proximity and another is not intended to imply necessarily any sort of cause and
effect relationship among the four proximities. Direct cause-and-effect relationships
between proximities may, indeed, exist—for example, the more prepared companies are,
the more likely they are to participate in mutual aid agreements (or, conversely perhaps,
the less capable companies are the more likely they are to participate in mutual aid
agreements). However, this survey and analysis did not direct itself toward identifying
the degree to which those connections existed and how they would impact business
decisions. Nevertheless, some examination of the relationship among the four proximities
will be addressed in the next section.
Of equal importance—as explained in the next section—is that the dependent
variables used in the survey to determine levels of motivation toward preparedness are
represented by a number of preparedness measures (out of a total of twelve) that each
respondent claimed to have actually implemented. The measures that were assessed
through the survey included the following: 34 Tierney has observed that where a business locates is one of the key mitigation factors that are under an organization’s control, insofar as exposure can be avoided and vulnerability diminished by the choice of location that a business adopts (i.e., in a floodplain) [Tierney 2007]. It could likewise be claimed that a business’ experience during disaster is a function of its level of preparedness, though perhaps not a direct factor in whether or not a disaster occurs in the first place. This understanding would clearly distinguish between disasters that originate from sources external to the business or organization, and crises or emergencies that arise from conditions or situations internal to the organization—i.e., of its own making. However, organizational crises of this sort are not the subject of this analysis.
131
1. Maintaining a written plan for handling workplace emergencies such as a small
fire, bomb threat, workplace violence or emergency evacuation;
2. Maintaining a Continuity of Operations Plan (COOP) for sustaining operations
and recovering from a large-scale disaster;
3. Designating a location as an alternate headquarters or base of operations in the
event that the organization must evacuate its normal workplace;
4. Identifying a route for the emergency evacuation of employees and specifying a
rendezvous point or call-in number to account for them after they evacuate;
5. Maintaining a back-up copy of important files or financial accounts and sales
records at some location other than the regular place of business;
6. Completion of training sessions for employees or members in emergency
response measures, evacuation, or disaster preparedness;
7. Completion of exercises or drills to test the organization’s emergency plan and
familiarize employees in the procedures to be taken in an emergency;
8. Formal training to “qualify” organization’s preparedness manager in emergency
preparedness, continuity of operations planning, and/or risk management;35
9. Coordination with a partner or with members of a local group for emergency
preparedness or continuity of operations planning or training;
10. Use of FEMA or DHS websites for information on emergency preparedness and
continuity planning;
11. Implementation of measures intended to increase physical security.
35 The survey did not specify qualifications for the organization’s emergency manager, and did not use the word “qualifications.” The summary tables and data analysis charts in this study use the word “Quals” as one of the 12 preparedness measures to distinguish it from “Training,” which refers to employee training.
132
12. Registering or specifying a willingness to register corporate resources,
capabilities or services that could be donated to the local EMA during a disaster.
Each of these measures of preparedness represents a specific capability adopted by
the business or organization being surveyed. Responses to the questions in the survey
were simple yes/no responses; either an organization had put one of the measures into
practice, or it had not. There was no attempt made to determine the “degree” to which
adoption of the measure was adequate or feasible. In short, companies were asked to
“self-assess” based on a yes/no response to whether they had implemented any of twelve
measures of preparedness. For this reason—and for purposes of this study—adopting a
given measure of preparedness indicates merely that an organization is more motivated
toward getting prepared than if it had not adopted that measure. Thus, a company that
adopts or implements eight out of twelve measures was considered more motivated—for
whatever reason—than a company that adopts only three. The study did not solicit
reasons or rationales for why only certain measures were adopted; for why some were
selected over others; or how priorities or importance were assigned to the measures that
were adopted.
4.3 Survey method An internet-based survey was administered through an online commercial survey
company to four communities from separate geographic regions of the country.
Discussions were conducted with the directors of county emergency management
agencies of the counties or principal cities of the four regions, and all agreed to support
this research project. A survey link was posted on the websites of the county Emergency
133
Management Agencies, and/or on the websites of the local Chambers of Commerce or
Economic Development Councils and was accessible from June 2008 until February
2009. There was no identifying information from participants gathered in the survey
responses. A unique internet link was assigned to each participating region, so that
responses could be collected separately for comparison.
In addition to the four geographic regions targeted for participation, the survey was
also distributed through a university-based, federally-chartered program that facilitates
public and private sector partnerships to enhance community preparedness in cities,
counties and regions across the nation. Since 1999, the program has been initiated in over
45 communities across 23 states and maintains active liaison with its local organizations
through an online newsletter. Through its mailing list, the organization distributed a
separate link to the survey that enabled private sector members from within each of its
member organizations to participate in the survey. Those responses were compiled as a
separate “region” and constituted almost half of the responses to the survey. Those
responses were not identified for regional affiliation and, taken as a group, constitute a
basis for comparison against the responses collected from the four geographic regions.
The four geographic regions share some common traits relevant to this study:
• All regions contain coastal communities that are exposed to hazards from storms,
flooding, and damage caused by wind-driven tides and waves. Three of the
regions are vulnerable to hurricanes.
• All regions have a broad spectrum of industry, business, agriculture and urban
enterprises in their economic makeup; all contain port facilities with maritime
industries comprised of both commercial and recreational business enterprises;
134
• All have current public-private sector involvement in disaster planning and
preparedness, and several have local organizations dedicated to that purpose.
On the other hand, the regions differ in that each has unique historic and recent
experience with hurricanes and storms that generate flood conditions; each also has
significant hazards specific to the region.
• Region 1 lies on the upper Chesapeake Bay and last suffered the effects of a
hurricane in 2003 during Hurricane Isabel. Damage to the region was not
extensive, though it did include the failure of a number of small businesses and
damage to local agriculture and the recreational maritime industry. Since that
time, an ongoing campaign of hurricane preparedness has raised general
awareness, but has not been tested in a more recent event. Prior history that
generated a significant impact was Hurricane Agnes in 1972. This region is a
center for a number of large defense-related industries and two significant
military installations, and owing to its proximity to the nation’s capital, has had a
focus on terrorism awareness and counter-measures since 9/11 that is not typical
of the other regions.
• Region 2 is situated on the southern Atlantic seaboard and suffered extensive
damage during Hurricane Hugo in 1989, which resulted in declaration as a federal
disaster area. However, the region’s major city has since become a case study in
successful recovery that yielded a more economically vibrant community than had
existed before the storm. This region is also susceptible to earthquakes and has a
history of significant damage from them.
135
• Region 3 is on the western Gulf of Mexico and has historic and well-documented
experience in hurricanes and recent experience with both Hurricanes Katrina and
Rita. The number of survey responses from this region was the most robust of the
four regions surveyed, even though they terminated abruptly (and were not
resumed) halfway through the survey period when the region was evacuated and
subsequently heavily damaged during Hurricane Ike. This region is a center for
petroleum processing and transport and has a heavy industrial base and a long-
standing focus on industrial hazards and ecological protection.
• Region 4 is situated on western Lake Michigan and is not exposed to hurricane
damage. However, it is susceptible to severe winter storms, and springtime coastal
flooding. Weeks before the launching of the survey, this region was significantly
affected by the flooding of local rivers, which necessitated a partial evacuation of
nearby communities and did significant damage throughout the region.
• As noted above, Region 5 is not geographic in character, but is comprised of a
number of businesses and organizations from member communities who have
participated in a federally-sponsored, university-managed program to develop
public/private sector partnerships dedicated to collaborative planning and
emergency preparedness efforts. Member communities in this program are
distributed across the country and no geographic information was attained from
participants in this group.
136
4.4 Survey structure The survey was comprised of 34 questions clustered into six categories of interest to
support the research and analysis. In addition to data gathered to support hypothesis
testing, additional information was gathered from questions that assessed participants’
perceptions of risk; previous experience with disaster-related loss; and perceptions of
federal and local responsibility for public security and disaster preparedness.
Content validity of the survey instrument was determined through a number of
means. The survey was developed based on principles and techniques outlined in the
Sage Publications Applied Social Research Methods Series [Converse and Presser 1986;
Fowler 1995; Spector 1992]. In the process of development (over the course of more than
a year) the survey was reviewed by representatives from the following organizations:
• Regional director, wireless telecommunications carrier • Regional general manager of a national food and merchandise chain • Director of business continuity planning, regional gas & electric company • Regional manager, safety and environmental risk, of a national food chain • President, local commercial bank • President, regional medical center • Public information officer, regional medical center • Harbor master of a seaport city • Director of security, U.S. military installation • Director of homeland security programs, defense contracting company
The survey was further validated through administration via paper copy format to 15
businesses for review and usability testing under the sponsorship of the local chamber of
commerce. Blind results were delivered to the author and comments were incorporated
into the survey form. The survey was also reviewed and critical comments incorporated
from the following individuals with experience in survey-based research:
• Anthropologist in medical and public health research (PhD.) • Statistician at a university social science research institute (PhD.) • Cultural anthropologist at a social science research institute (PhD.)
137
• Cognitive psychologist, Department of Defense research agency (PhD.) • Statistician at a university-based school of criminal justice (PhD.) • Cultural anthropologist, U.S. Department of Homeland Security (PhD.) • Director of bio-security programs at a non-profit research institute (ScD.)
Lastly, in the process of gaining concurrence of the participating regions, the survey
was reviewed and critiqued by senior representatives of the following agencies:
• 7 directors of city and county offices of emergency management • 2 CEOs of city chambers of commerce • 1 director of a county office of economic development
In all, 234 participants visited the website and acknowledged a willingness to
participate in the survey. However, willingness (or ability) to answer the questions
varied, with overall response rates of typically 170-180 for “yes/no” questions, and 150-
160 for Likert Scale and multiple-choice questions. Of the 234 initial respondents, 27 did
little more than log onto the website and scan the survey. Another 36 had responses that
were evaluated as unreliable or incomplete. This was typically from two causes: (1) the
respondents did not provide enough identifying data (size or type of organization; sector;
or level of disaster experience) to enable a correlation with other responses; or (2)
because they answered less than 8 of the questions relevant to the 12 measures of
preparedness (typically answering only the “yes” questions, but leaving the “no”
responses blank. Consequently, a total of 63 responses were eliminated from the
database. In 88 other cases, answers to specific questions on preparedness measures were
left blank (i.e., answered neither “yes” nor “no”). In these 88 cases the answers were
considered to be “no” responses, and were counted as valid survey submissions primarily
because the omissions occurred in the three least commonly adopted measures (see
section 4.4), and the surveys were otherwise accurately completed. Assuming a “no”
138
response also resulted in a more conservative estimate of measures adopted. In all, the 88
questions where answers were assumed to be “no” and the data filled in by the author
represented less than 4.3% of the measures of preparedness that were validly answered in
the survey (that is, 88 out of a total 2052 measures (171 x 12)). Participation rates for
specific questions ranged from 64% to 77%, and the survey site calculated an overall
response rate of 66%. The survey site was set up to prevent a recurrent visit by any
computer that had previously completed the survey. (Internet Protocol (IP) Addresses
collected for this purpose were not recorded or accessible to the principal investigator or
any respondents).
In addition to the private sector respondents, 26 responses came from public agencies.
At the request of a number of respondents (notably, the hosting Emergency Management
Agencies), a category was added to question #2 to permit local government agencies to
participate in the survey. 26 public sector agencies subsequently responded. For the
analysis relevant to the research hypothesis (dealing specifically with private sector
entities analyzed in Chapter 5), these participants were removed from the database,
yielding a total of 145 private sector entities evaluated. However, for the results presented
in the remainder of this chapter, responses included public sector as well as private sector
entities.
Two caveats regarding potential biases in the survey process are in order. First,
because this was an online survey with an audience referred to it by local emergency
management and business organizations, the participants were largely self-selected and
motivated to complete the survey. Thus, it should not be inferred that the results are
139
necessarily reflective of the population in the regions surveyed, nor of the U.S. business
community at large. This aspect will be more fully discussed in Chapter 6.
Secondly, this survey and the research project itself is focused on identifying factors
that motivate private sector entities to adopt preparedness measures and continuity of
operations planning. The project makes no claim—and draws no conclusions—as to
whether the adoption of such measures actually improves business continuity planning or
emergency preparedness of specific entities. No attempt is made to correlate actual
preparedness of respondents with overall preparedness of a specific region, community or
business. This is a question—not addressed in this study—which is raised by Tierney’s
observation that it is not evident that “standard recommended preparedness measures
have little impact on short- and long-term business recovery outcomes” [Tierney 2007].
Appendix A provides a copy of the survey as it appeared on the website to
participants. As noted above, the questions fell into six general categories to support the
analysis, and can be broken down into the following sections. Numbers in brackets after
the group description indicate specific questions in the survey that were used to support
that aspect of the analysis.
• Group 1 General description and characteristics.
o Business type: publicly traded; privately owned; non-profit; government
agency [Q2].
o General business category according to an abbreviated North American
Industrial Classification System (NAICS) Code. [Q6].
o Business entity by size: employees [Q3]; total assets [Q4]; revenue [Q5].
140
• Group 2 Geographic proximity and exposure to hazards
o Covered by the geographic regions (Region 1 to Region 4, plus Region 5
(non-geographic)) to which the survey was distributed.
• Group 3 Recent disaster experience
o Within last 5 years (yes/no) [Q21].
o Type of disaster experienced (multiple choice) [Q23].
o Extent of damage: monetary cost; loss of operations; and when occurring
[Q22].
• Group 4 Preparedness and continuity measures adopted:
o Written emergency plan (yes/no) [Q7]
o Written Continuity of Operations Plan (yes/no) [Q8]
o Alternate headquarters designated (yes/no) [Q9]
o Emergency evacuation route designated (yes/no) [Q10]
o Back-up copy of records maintained (yes/no) [Q11]
o Emergency response training held (yes/no) [Q12]
o Exercises and drills conducted to test plans (yes/no) [Q13]
• Group 5 Organization structure and support
o Identity of individual responsible for emergency management plan
(multiple choice) [Q16]; level of training [Q17 and Q18].
o Collaboration in writing emergency or continuity plans (multiple choice)
[Q14]; from whom or by which agency resources [Q15].
o Coordination for mutual aid or support (yes/no) [Q19].
141
o Collaboration for joint planning and information sharing (multiple choice)
[Q34].
o Willingness to register resources with local EMA (multiple choice) [Q35].
• Group 6 General information and perceptions
o Identity of collaboration partner (multiple choice) [Q22].
o Perception of local threats [Q24]
o Perception of terrorist threat to region [Q25]
o Use of FEMA / DHS resources and planning templates [Q26]
o Perception of federal (DHS / FEMA) responsibilities [Q27]
o Perception of local government and private sector responsibilities [Q28]
o Perception of general level of preparedness since 9/11 [Q29]
o Inhibitors from preparing for emergencies and disasters [Q30]
o Implemented changes to security procedures since 9/11 (yes/no) [Q31]
o Types of changes to security procedures made (multiple choice) [Q32]
o Local costs to institute planning and preparedness measures [Q33]
4.5 Summary of results Chapter 5 provides analysis of the survey results relevant to the testing of the research
hypotheses. This section provides a brief summary of responses, as well as some results
of interest that emerged from the survey, and provides a snapshot of preparedness among
the participants. These results are based on percentage responses to the survey questions,
but not all were subjected to further statistical validation.
142
4.5.1 Characteristics of participants Geographic location.
Of the 171 survey responses evaluated, 19 responses originated from Region 1; 9
from region 2; 39 from Region 3; and 24 from Region 4. An additional 80 responses were
from “Region 5,” which—as noted above—was not a geographic region, but a collection
of numerous communities across the country that were affiliated with a university-led
center dedicated to developing public/private sector partnerships. Thus, non-region
specific responses constituted 47% of the total.
Organization type and size.
The 171 private sector entities included 117 for-profit businesses, 28 not-for profit
organizations, and 26 public sector agencies. For purposes of the data analysis,
organization size was a combination of the three factors assessed in the survey: the
number of employees (or staff and members for non-profits); the value of collected
assets, property and inventory; and annual revenue. While most organizations tended to
be clearly in one category or another, an assessment was made through inspection of
responses for organizations that, for example, had high annual revenue but relatively few
members (companies with 101-500 employees, typically), or conversely, a high
employee population but little or no profit (typically large non-profit organizations or
public sector agencies). In all but a dozen cases, two of three determining factors were
consistent. Accordingly, the total private sector population surveyed consisted of
businesses representing the following categories (Tables 4-1 and 4-2):
143
Table 4-1: Organization size of all respondents
1 to 25
26 to 50
51 to
100
101 to
500
501 to
1000 1000+ N/A
n
Employees and/or Staff
65 13 9 28 18 48 7 188
$1 to
$1M
$1M+ to
$15M
$15M+ to
$35M
$35M+ to
$165M
$165M+ to
$500M Over
$500M N/A
n
Total assets and
inventory 54 31 10 16 4 50 19 184
$1 to
$1M
$1M+ to
$15M
$15M+ to
$35M
$35M+ to
$165M
$165M+ to
$500M Over
$500M N/A
n
Total annual
revenue 53 31 12 16 9 38 21 180
Discounting public sector agencies and incomplete responses, the factors above yielded a
composite business size that supported analysis of private sector entities as follows:
Table 4-2: Composite organization size of private sector respondents
1 2 3 4 5 6 N/A n
Composite Organization
Size 49 16 13 9 21 37 43 145
Adoption of preparedness measures.
Among the most interesting results was the remarkable consistency across agencies,
regions, and size and type of organization, regarding the priority given to the adoption of
the preparedness measures. This is presented graphically in Pareto Charts in Chapter 5,
but it is worth providing here the priority and percentage of respondents that had adopted
specific measures. (Table 4-3. Note: All Private Sector = Businesses + Non-Profits).
144
Table 4-3: Ranking of preparedness measures adopted by all respondents
All Regions
All Organizations All
Private Sector All
Businesses All
Non-Profits All
Agencies n = 171 n = 145 n = 117 n = 28 n = 26 1. Backup 0.88 0.87 0.88 0.82 0.96 2. EmergPlan 0.82 0.79 0.78 0.82 1.00 3. Quals 0.77 0.76 0.74 0.82 0.85 4. EvacRte 0.71 0.71 0.70 0.75 0.73 5. Training 0.73 0.70 0.69 0.71 0.88 6. AltHQ 0.65 0.65 0.63 0.71 0.69 7. ExerDrills 0.64 0.61 0.62 0.61 0.77 8. COOP 0.61 0.60 0.62 0.50 0.69 9. Security 0.60 0.59 0.59 0.61 0.65 10. Partners 0.56 0.51 0.50 0.54 0.85 11. DHSguides 0.46 0.46 0.45 0.46 0.50 12. RegSvcs 0.20 0.18 0.16 0.25 0.31
NOTE: The coded abbreviations listed above also appear on the graphics in Chapter 5:
[Backup] The organization maintains a back-up copy of important files or financial accounts and sales records at some location other than the regular place of business. [EmergPlan] A written plan exists for handling workplace emergencies such as a small fire, bomb threat, workplace violence or emergency evacuation. [Quals] The organization’s preparedness manager has undergone formal training in emergency preparedness, continuity of operations planning, and/or risk management.36 [EmergRte] An emergency evacuation route and rendezvous point are designated for employees, and a call-in number established to account for them after they evacuate. [Training] Training sessions for employees or members have been conducted in emergency response measures, evacuation, or disaster preparedness. [AltHQ] A location has been designated as an alternate headquarters or base of operations in the event the organization must evacuate its normal workplace.
36 The survey did not specify qualifications for the organization’s emergency manager, and did not use the word “qualifications.” The summary tables and data analysis charts in this study use the word “Quals” as one of the 12 preparedness measures to distinguish it from “Training,” which refers to employee training.
145
[ExerDrills] The organization has conducted exercises or drills to test the emergency plan and familiarize employees in the procedures to be taken in an emergency. [COOP] The organization has a written Continuity of Operations Plan (COOP) for sustaining operations and recovering from a large-scale disaster. [Security] The organization has implemented measures to increase physical security. [Partners] The organization coordinates with a partner or with members of a local group for emergency preparedness or continuity of operations planning or training. [DHSguides] The organization has accessed FEMA or DHS websites and downloaded information on emergency preparedness and continuity planning. [RegSvcs] The organization has registering or has specified a willingness to register corporate resources, capabilities or services with the local EMA for disaster planning.
While there tended to be some variation in the middle third of this ranking of
preparedness measures, the top and bottom third of the 12 assessed measures were
consistent across all sectors, with two exceptions—public sector agencies ranked training
and exercises higher in the adopted measures (3rd overall) than did any category of
private sector entities (typically 5th). Secondly, a similar variation was noted in
development of collaborative relationships and partnerships: public sector agencies
ranked this initiative as among the top five, whereas it ranked 10th out of 12 for private
sector entities. It was revealing—though not particularly reassuring—that the use of DHS
and FEMA websites as sources of information for private sector entities—as well as for
local public sector agencies—ranked 11th out of the 12 available measures.
4.5.2 Perceptions of risk and threat Perception of general risk for continuity of operations
Respondents were asked to rate the “threats” to continuity of operations, profitability
or survival of their organizations or businesses. Figures in Table 4-4 indicate average
146
ranking based on responses from private sector entities. Rankings consistently showed
high concern for weather-related hazards, as well as outages of services and loss of data
and intellectual or physical property. It should be noted, however, that over half of the
respondents were identified as residing in regions where hurricanes and seasonal or wind-
driven flooding were the predominant natural hazard. Contrast this with the concern for
earthquakes and geologic hazards, which ranked 15th.
Table 4-4: Ranking of perceived threat to continuity of operations “From the list below please rate the “threats” to continuity of operations, profitability or survival of your organization or business.” (Based on a 5-point Likert scale of 1 (not threatening) to 5 (very threatening) n=149). 1. Weather-related disaster (flood, hurricane, tornado, storm) 3.92 2. Fire on your own property 3.59 3. Public utilities failure (power, water, telephone) 3.48 4. Loss/corruption of computer files or records 3.36 5. Market failure, recession, or other economic crisis 3.19 6. Theft of property (physical or intellectual) 3.19 7. Loss of customer confidence or satisfaction 3.03 8. Act of vandalism or sabotage 3.01 9. Workplace accident (to customer or employee) 2.86 10. Pandemic Influenza, “Bird Flu,” SARS, or other epidemic 2.79 11. Workplace violence (involving employees) 2.64 12. Large scale terrorist attack outside your community (like 9/11) 2.61
13. Industrial accident (chemical spill; gas leak; radiological accident) 2.56 14. Employee absenteeism (illness, injury, strike) 2.53 15. Terrorist attack in your area or neighborhood 2.51 16. Interruption in supply or delivery chain 2.49 17. Product or service liability lawsuit 2.40 18. Fire in a neighboring or adjacent property 2.32 19. Geologic disaster (earthquake, mudslide, volcanic action) 2.13
Perception of risk of terrorist attack
Terrorism ranked below the top ten perceived threats, and considerably below the
perceived threat of general workplace violence (15th for terrorism compared with 11th for
147
workplace violence). In order to further assess the general attitude regarding terrorism,
respondents were asked to identify how likely they considered the threat of terrorist
attack that would have an impact on their business or organization. Consistent with the
concern about losses to data or electrical power services, the risk of computer attack
affecting commerce was ranked at the top of the list, though even that threat scored only
3.11 out of 5.00 on a five-point Likert scale. Other terrorist threats ranked below the 3.00
median.
Table 4-5: Ranking of perceived threat from specific acts of terrorism
“In your opinion, how likely is it that a terrorist attack of the sort listed below would happen in a way that would have an impact on your business?” (Based on a 5-point Likert scale ranging from 1 (not at all likely) to 5 (highly likely) n=151). 1. A computer attack on the U.S. that would affect commerce 3.11 2. A radiological “dirty bomb” in a major U.S. city 2.65 3. A nuclear weapon detonated in a major U.S. city 2.62 4. Act of biological terrorism that could affect your employees 2.48 5. A bomb smuggled into an American port aboard a ship 2.30 6. A suicide bomber in a public place or business 2.13 7. A car bomb in your area 2.06 8. IED (Improvised Explosive Device or “roadside bomb”) on a major highway 2.05
4.5.3 Perceptions of federal, state and local responsibilities Responsibilities of government authorities
Respondents were also asked two questions to assess their perceptions of the levels of
responsibility that various entities and government bodies had toward preserving security
and preparing for disasters (Tables 4-6 and 4-7). Responses are listed below in order of
priority. Of key significance was that each of these was considered to be relatively
similar in importance, and none was considered trivial or unimportant.
148
Table 4-6: Perceptions of federal responsibilities for preparedness “What do you think are the most important responsibilities of federal government and agencies like the Department of Homeland Security (DHS) and the Federal Emergency Management Agency (FEMA) for ensuring that communities can survive and recover after a major regional catastrophe?” (Based on a 5-point Likert scale ranging from 1 (not very important) to 5 (very important) n=152). 1. Ensuring local government and first responders are trained funded and prepared well enough to protect their communities. 4.47 2. Standardizing procedures and communications systems across agencies and from federal to state and local levels so response efforts can be efficiently and capably managed. 4.38 3. Guaranteeing adequate manning, training and equipment for the National Guard, Coast Guard, and the U.S. military 4.27 4. Providing funding, training and education so the citizens and local business and industry can take care of themselves. 4.06 5. Ensuring support for relief organizations like the Red Cross, Salvation Army and/or faith-based organizations so they can respond when called. 3.88
A second question asked respondents to assess the key agencies responsible for the
preparedness and security of their organizations, Significantly, the responses clearly
illustrate the expectation of respondents that local authorities hold key responsibility for
the security and safety of the community and the organizations themselves. Of further
interest, is the fact that the organizations surveyed indicated a strong sense of their own
responsibility for their security, exceeding in particular any preference for involvement
higher than state level (though responsibility at the federal level was also acknowledged
as about 4.0 on a 5.0 scale).
149
Table 4-7 Responsibility for security and preparedness
“In your opinion, how much responsibility does each of these groups have for ensuring the safety and security of the community and the businesses that support it.” (Based on a 5-point Likert scale ranging from 1 (not much responsibility) to 5 (a key responsibility) n=151). 1. Local Police, Fire Department and First Responders 4.79 2. City and County government 4.57 3. The businesses and private citizens themselves 4.42 4. State government and state agencies 4.28 5. The National Guard and U.S. military 4.04 6. Federal agencies like FEMA and DHS 4.03 7. The President and Congress 3.69
General perception of preparedness [Q20]
Finally, respondents were asked to assess general preparedness of their communities
for emergencies and disasters relative to the levels that existed prior to 9/11 (Table 4-8).
Table 4-8 Perceptions of general preparedness since 9/11 “In general, do you believe that your community is more prepared now to survive a major disaster or terrorist attack than it was before 9/11?” (n=150). More prepared now than we were then. 75.3% About the same. 23.3% Not as prepared as we were then. 1.3%
150
CHAPTER 5: HYPOTHESES, TESTING AND ANALYSIS
5.0 Overview
5.1 Descriptive statistics, tests of significance and box plots
5.2 Tests of significance, analysis of variance and regression
5.3 Skewness and tests of normality: Anderson-Darling test
5.4 Non-parametric tests: Kruskal-Wallis test
5.5 Pareto charts of preparedness measures
5.6 Correlation of proximities among private sector entities
5.7 Influences on participation in a collaborative partnership
5.0 Overview The goal of this research project is to assess the influence of various factors on the
decisions among private sector entities to adopt business continuity planning and
preparedness measures. This chapter presents analysis of the testing of four research
hypotheses. The original hypothesis (and basis for the dissertation) focused on assessing
the influence of past experience in disaster or geographic exposure to hazards as
motivating factors in an organization’s decision to adopt continuity and preparedness
measures. The two factors of experience and exposure form the principal null and
alternate hypotheses:
Ho: Experience with disasters (Ho1) or exposure to hazards (Ho2) has little or no effect on whether a private sector entity adopts preparedness or continuity planning measures.
Ha: Experience with disasters (Ha1) or exposure to hazards (Ha2) has an effect on
whether a private sector entity adopts preparedness or continuity planning measures.
151
As explained in the previous chapter, these two hypotheses were expanded based on a
common observation in the disaster research literature to include organizational size as a
third determining factor in private sector motivation toward preparedness. In this case,
organizational size is a reflection of available capacity or capability to plan for and
respond to a disaster. That factor establishes a third hypothesis:
Ho3: The size of the organization has little or no effect on whether a private sector entity adopts preparedness or continuity planning measures.
Ha3: The size of the organization has an effect on whether a private sector entity
adopts preparedness or continuity planning measures. Finally, results of the Private Sector Survey indicated the existence of a fourth
factor—participation in a collaborative organization or partnership—that was worth
examining and thus established a fourth hypothesis:
Ho4: Participation in a collaborative partnership has little or no effect on whether a
private sector entity adopts preparedness or continuity planning measures. Ha4: Participation in a collaborative partnership has an effect on whether a private
sector entity adopts preparedness or continuity planning measures. This section describes the analytic procedures and results of hypothesis testing using
quantitative methods to determine the relevance and validity of each of these influences
on private sector preparedness decisions. Data from the Private Sector Survey on
Preparedness and Continuity Planning were examined to determine connections between
the individual organizations and influences on motivation to adopt preparedness
measures. The analysis examined distributions of twelve preparedness measures relative
to four factors that established the independent variables of the analysis:
152
(1) The region in which the business or organization was situated as an indication of
relative exposure to a common hazard (in this study, the common hazard being
regional flooding from hurricanes or seasonal storms);
(2) Recent or historic experience of a business or organization in dealing with
disasters or emergencies;
(3) The size of the organization as an indicator of its capacity or capability to plan,
prepare for, respond to, and recover from a disaster; and
(4) Participation of that organization or business in a collaborative partnership with
other organizations in its region.
In Chapter 4, these four factors were presented graphically in an Ishikawa diagram
(Figure 5-1) to establish four “proximities of preparedness” in a manner similar to the
CAGE Distance Framework [Ghemawat, 2001]:
Figure 5-1: Four proximities of preparedness
153
The degree of influence of these four factors was assessed by determining rates of
adoption of twelve preparedness measures, which collectively established the dependent
variables of the analysis. Tables 5-1 and 5-2 explain the abbreviations and provide
definitions of the four factors that formed the independent variables of the analysis, and
the 12 preparedness measures used in the survey to establish the dependent variables.
Table 5-1: Descriptors for independent variables
Table 5-2: Descriptors for dependent variables
Nr. Abbreviation Definition
1 Backup
2 EmPlan
3 Quals
4 EvacRte
5 Training
6 AltHQ
7 ExerDrills
8 COOP
9 Security
10 Partners
11 DHSguides
12 RegSvcs Has registered or specified willingness to register corporate resources or services with local EMA.
Dependent Variables
Has implemented measures since 9/11 to increase security at the workplace.
Has conducted exercises or drills to test the emergency plan and familiarize employees.
Coordinates with a partner or is a member of collaborative group to coordinate preparedness.
Has used DHS or FEMA guides or websites for information on preparedness and continuity planning.
Has established an emergency evacuation route and a muster point for employees.
Has conducted training for employees in emergency procedures and response measures.
Has designated an alternate headquarters or base of operations in the event of evacuation.
Maintans a continuity of operations plan for sustaining operations and recovering capacity.
Maintains a backup copy of important records and files at another site.
Maintains a written plan for handling workplace emergencies.
Employee responsible for emergency preparedness has had formal training.
Abbreviation Definition
Region1Region2Region3Region4Region5
Incident: NoIncident: Yes1Incident: Yes2Incident: Yes3Incident: Yes4
Organization Size1Organization Size2Organization Size3Organization Size4Organization Size5Organization Size6
Collaboration: YesCollaboration: No
Employees/Staff: 26 - 50 Total assets: $1M-$15M Annual Revenue: $1M-$15M
Organization last experienced a disaster or emergency 10 yeasrs or more ago.
Employees/Staff: 1 - 25 Total assets: < $1M Annual Revenue: < $1M
Organization last experienced a disaster or emergency between 3-10 years ago.
Coastal region, upper Chesapeake Bay. Last major damage due to hurricane in 2003.Coastal region, mid-Atlantic coast. Last major damage due to hurricane in 1989.Coastal region, western Gulf of Mexico. Last major damage due to hurricane in 2008.
Organization participates in a collaborative partnership or organization for preparedness.Organization does not participate in a collaborative partnership or organization.
Employees/Staff: 51 - 100 Total assets: $15M-$35M Annual Revenue: $15M-$35M Employees/Staff: 101 - 500 Total assets: $35M-$165M Annual Revenue: $35M-$165M
Employees/Staff: > 1000 Total assets: > $500M Annual Revenue: > $500M Employees/Staff: 501-1000 Total assets: $165M-$500M Annual Revenue: $165M-$500M
Organization has experienced a disaster or emergency within the last 3 years.
Independent Variables
Coastal region, western Lake Michigan. Last major damage due to seasonal flooding in 2008.Non-geographic "region." Participants were referred by a university-based research organization.
Organization has not experienced a disaster or emergency.Organization has experienced a disaster or emergency within the last year.
154
Tables 5-3 and 5-4 present a consolidation of the data collected from the Private
Sector Survey upon which the research project is based. The top section of the table
displays the comparative data collected from all respondents (n=171) broken into
organizational categories (All Regions-All Organizations; All Private Sector; All
Businesses; All Non-profits; and All Agencies). Succeeding categories show data
collected only from private sector entities (i.e., businesses and non-profits) to support
testing of the hypotheses (n=145). Table 5-3 presents the raw data of positive responses
to the 12 preparedness measures across all four categories used to establish the research
hypotheses, (geographic region; experience in a disaster or emergency; relative size of
the organization or business; and whether the entity participated in a collaborative
partnership). Table 5-4 normalizes the raw data to percentages for each category.
Scores in each box represent the number or percentage of organizations from among
those in a particular category that responded in the affirmative, indicating they had
adopted that preparedness measure. For example, from among all 171 survey respondents
representing public sector agencies, for-profit businesses, and non-profit organizations
from across all five regions, 151 (88%) maintained back-up copies of critical data; 122
(71%) had established an evacuation route from their facility; and 96 (56%) engaged in a
collaborative partnership or organization dedicated to preparedness or planning. From
among the 145 private sector respondents who had never experienced a disaster or
emergency (Incident: no / n=75), 49 (65%) had nevertheless implemented an emergency
response plan; 40 (53%) had established an alternate headquarters; and 30 (44%) had
instituted or upgraded security measures since 9/11.
155
Table 5-3: Collected data for private sector organizations
Table 5-4: Data for private sector organizations normalized to percentages.
Private Sector Results Collected data
Bac
kup
Em
Plan
Qua
ls
Eva
cRte
Training
AltH
Q
Exe
rDrills
COOP
Sec
urity
Par
tner
s
DHSgu
ide
Reg
Svc
s
All Regions All Orgs n = 171 151 140 132 122 124 112 109 105 103 96 79 34
n = 145 126 114 110 103 101 94 89 87 86 74 66 26
n = 117 103 91 87 82 81 74 72 73 69 59 53 19
n = 28 23 23 23 21 20 20 17 14 17 15 13 7
n = 26 25 26 22 19 23 18 20 18 17 22 13 8
Region1 n = 17 11 6 6 5 4 4 2 2 3 2 2 1
Region2 n = 8 8 7 7 8 6 7 6 8 5 4 5 1
Region3 n = 34 29 20 21 20 18 17 13 17 13 13 7 5
Region4 n = 16 15 15 15 12 14 10 14 13 14 11 12 3
Region5 n = 70 63 66 61 58 59 56 54 47 51 44 40 16
n = 75 60 49 51 46 41 40 37 33 30 32 22 9
n = 32 30 32 28 25 28 24 26 24 29 18 21 9
n = 22 21 19 19 18 18 17 13 17 15 11 11 6
n = 13 12 11 9 11 11 10 11 10 9 11 9 2
n = 3 3 3 3 3 3 3 2 3 3 2 3 0
n = 49 38 24 29 22 19 22 17 18 16 18 13 5
n = 16 13 11 11 10 9 7 5 8 8 5 4 1
n = 13 13 13 13 12 13 12 10 12 8 6 6 3
n = 9 8 8 6 7 8 5 8 7 5 4 5 2
n = 21 18 21 18 19 20 17 18 12 18 15 12 7
n = 37 36 37 33 33 32 31 31 30 31 26 26 8
n = 74 68 71 67 64 66 64 64 60 55 74 44 22
n = 71 58 43 43 39 35 30 25 27 31 0 22 4
All Regions All Orgs
All Private Sector
All Businesses
All NonProfits
All Agencies
Incident: No
Yes 1
Yes 2
Yes 3
Yes 4
Oganization Size 1
Size 2
Size 3
Size 4
Size 5
Size 6
Collaboration: yes
Collaboration: no
All data normalized to percentagesPrivate Sector Results
Bac
kup
Em
Plan
Qua
ls
Eva
cRte
Training
AltH
Q
Exe
rDrills
COOP
Sec
urity
Par
tner
s
DHSgu
ide
Reg
Svc
s
All Regions All Orgs n = 171 0.88 0.82 0.77 0.71 0.73 0.65 0.64 0.61 0.60 0.56 0.46 0.20
n = 145 0.87 0.79 0.76 0.71 0.70 0.65 0.61 0.60 0.59 0.51 0.46 0.18
n = 117 0.88 0.78 0.74 0.70 0.69 0.63 0.62 0.62 0.59 0.50 0.45 0.16
n = 28 0.82 0.82 0.82 0.75 0.71 0.71 0.61 0.50 0.61 0.54 0.46 0.25
n = 26 0.96 1.00 0.85 0.73 0.88 0.69 0.77 0.69 0.65 0.85 0.50 0.31
Region1 n = 17 0.65 0.35 0.35 0.29 0.24 0.24 0.12 0.12 0.18 0.12 0.12 0.06
Region2 n = 8 1.00 0.88 0.88 1.00 0.75 0.88 0.75 1.00 0.63 0.50 0.63 0.13
Region3 n = 34 0.85 0.59 0.62 0.59 0.53 0.50 0.38 0.50 0.38 0.38 0.21 0.15
Region4 n = 16 0.94 0.94 0.94 0.75 0.88 0.63 0.88 0.81 0.88 0.69 0.75 0.19
Region5 n = 70 0.90 0.94 0.87 0.83 0.84 0.80 0.77 0.67 0.73 0.63 0.57 0.23
n = 75 0.80 0.65 0.68 0.61 0.55 0.53 0.49 0.44 0.40 0.43 0.29 0.12
n = 32 0.94 1.00 0.88 0.78 0.88 0.75 0.81 0.75 0.91 0.56 0.66 0.28
n = 22 0.95 0.86 0.86 0.82 0.82 0.77 0.59 0.77 0.68 0.50 0.50 0.27
n = 13 0.92 0.85 0.69 0.85 0.85 0.77 0.85 0.77 0.69 0.85 0.69 0.15
n = 3 1.00 1.00 1.00 1.00 1.00 1.00 0.67 1.00 1.00 0.67 1.00 0.00
n = 49 0.78 0.49 0.59 0.45 0.39 0.45 0.35 0.37 0.33 0.37 0.27 0.10
n = 16 0.81 0.69 0.69 0.63 0.56 0.44 0.31 0.50 0.50 0.31 0.25 0.06
n = 13 1.00 1.00 1.00 0.92 1.00 0.92 0.77 0.92 0.62 0.46 0.46 0.23
n = 9 0.89 0.89 0.67 0.78 0.89 0.56 0.89 0.78 0.56 0.44 0.56 0.22
n = 21 0.86 1.00 0.86 0.90 0.95 0.81 0.86 0.57 0.86 0.71 0.57 0.33
n = 37 0.97 1.00 0.89 0.89 0.86 0.84 0.84 0.81 0.84 0.70 0.70 0.22
n = 74 0.92 0.96 0.91 0.86 0.89 0.86 0.86 0.81 0.74 1.00 0.59 0.30
n = 71 0.82 0.61 0.61 0.55 0.49 0.42 0.35 0.38 0.44 0.00 0.31 0.06Collaboration: no
All NonProfits
All Businesses
All Agencies
Size 4
Size 5
Size 6
Oganization Size 1
Size 2
Size 3
All Regions All Orgs
All Private Sector
Collaboration: yes
Incident: No
Yes 1
Yes 2
Yes 3
Yes 4
156
As the data in Table 5-3 illustrate, there is significant variation among sample size
within populations across regions; among the sizes of organizations; and among
organizations with various levels of experience with disasters. This is a function of the
number and character of respondents to the survey and how the data broke out in terms of
classification. However, there is relative statistical parity in the survey populations when
data are consolidated and examined from different perspectives. Analysis later in this
chapter will examine comparative data collected among groups that
• have had no previous disaster experience and those that have (75:70);
• are regionally-affiliated versus those that were not selected from a specific
geographic region (75:70);
• occupy the lower two tiers of organization size (small businesses or organizations
with fewer than 50 employees and less than $15M in annual revenue) and those in
the upper three tiers (large businesses with more than 100 employees and greater
than $35M in annual revenue) (65:67); and those that
• do not participate in a collaborative organization versus those that do (71:74);
The following section describes the analysis of hypothesis testing for the four
independent variables examined in this study. For the remainder of this chapter, the
analysis will focus on private sector entities only—that is, for-profit businesses and non-
profit organizations across the five regions examined, totaling 145 respondents, where
local government agencies are not included. For this analysis, the statistical analysis
program SPSS was used to generate descriptive statistics, conduct tests of significance,
analysis of variance and regression. MiniTab was used to generate separate graphics of
157
histograms and to conduct tests of normality. Microsoft Excel was used to generate
Pareto Charts. Representative sections of the graphics will be included in the text of this
chapter for purposes of illustration; other graphics are collected in section 5.3 at the end
of the chapter.
5.1 Descriptive statistics, tests of significance, and box plots Table 5-5 presents a compilation of the descriptive statistics and tests of significance
that were run on the collected data. For purposes of this part of the analysis, the following
assumptions are made:
The four proximities that form the independent variables (exposure; experience;
capability and organization) are discrete and independent of each other; that is,
there is no necessary relationship between the size of an organization, its
geographic location, its experience with disaster, or its participation in a
collaborative organization;
The 12 preparedness measures that serve as the dependent variables are likewise
discrete and independent of each other; i.e., there is no precedence or relation
among them and the decision to adopt one or more measures has no necessary
relation to the decision to adopt or not to adopt any other;
Data reflecting observations within each category are independent and identically
distributed, and mutually exclusive (R1 is distinct from R4; S2 from S5; etc.).
Data within each category are normally distributed (this is the basic assumption of
the Central Limit Theorem, which states that any sufficiently large number of
independent random variables will be distributed approximately normally across a
population [Devore 2004; others].
158
The standard critical value of .05 is assumed for tests of significance.
Table 5-5: Descriptive statistics and Student t-test for four dimensions of proximity among private sector respondents (for-profit and non-profit)
The categories that form the independent variables reflected in Table 5-5 (region,
organization size, disaster experience, and collaboration with partner(s)) essentially
permit four different analytic views of the dataset. From the descriptive statistics the
following observations can be made:
(1) Differences of means. The mean of the number of measures adopted from among the
145 organizations in this population is 7.42; there is a notable deviation from this mean
across sample populations in the survey, most dramatically apparent in
Composite 145 7.4207 3.6068 0.2995 13.009 -0.753 -0.616 21.4358 144 1.18587E-46 6.4207 5.8286 7.0127
Region 1 17 2.8235 3.1272 0.7585 9.779 1.283 1.419 2.4043 16 2.8675E-02 1.8235 0.2157 3.4314
Region 2 8 9.0000 2.1381 0.7559 4.571 -2.222 5.666 10.5830 7 1.47079E-05 8.0000 6.2125 9.7875
Region 3 34 5.6765 4.0581 0.6960 16.468 0.004 -1.352 6.7195 33 1.17987E-07 4.6765 3.2605 6.0924
Region 4 16 9.2500 2.4358 0.6090 5.933 -1.755 4.628 13.5477 15 8.10008E-10 8.2500 6.9520 9.5480
Region 5 70 8.7857 2.3646 0.2826 5.591 -0.935 0.406 27.5486 69 5.87378E-39 7.7857 7.2219 8.3495
Size 1 49 4.9184 3.8451 0.5493 14.785 0.232 -1.206 7.1334 48 4.5935E-09 3.9184 2.8139 5.0228
Size 2 16 5.7500 3.4351 0.8588 11.800 -0.254 -1.338 5.5311 15 5.7599E-05 4.7500 2.9196 6.5804
Size 3 13 9.3077 1.7022 0.4721 2.897 -0.449 -0.252 17.5973 12 6.1808E-10 8.3077 7.2791 9.3363
Size 4 9 8.1111 3.0185 1.0062 9.111 -1.924 4.057 7.0676 8 1.0531E-04 7.1111 4.7909 9.4313
Size 5 21 9.2857 2.0036 0.4372 4.014 -0.600 -0.599 18.9511 20 3.0124E-14 8.2857 7.3737 9.1977
Size 6 37 9.5676 2.0621 0.3390 4.252 -1.247 0.789 25.2725 36 1.6652E-24 8.5676 7.8800 9.2551
No Incidents 75 6.0000 3.6093 0.4168 13.027 -0.356 -1.174 11.9971 74 4.9748E-19 5.0000 4.1696 5.8304
Incident <1 32 9.1875 2.2638 0.4002 5.125 -0.906 0.240 20.4588 31 1.4628E-19 8.1875 7.3713 9.0037
Incident 1-3 22 8.4091 3.4179 0.7287 11.682 -1.251 0.791 10.1677 21 1.4469E-09 7.4091 5.8937 8.9245
Incident 3-10 13 8.9231 3.8180 1.0589 14.577 -1.640 1.378 7.4823 12 7.4076E-06 7.9231 5.6159 10.2303
Incident >10 3 10.3333 1.1547 0.6667 1.333 -1.732 14.0000 2 5.0633E-03 9.3333 6.4649 12.2018
Collab'n: Yes 74 9.7162 1.8096 0.2104 3.275 -1.159 0.911 41.4352 73 1.8232E-52 8.7162 8.2970 9.1355
Collab'n: No 71 5.0282 3.4599 0.4106 11.971 -0.031 -1.262 9.8102 70 8.8086E-15 4.0282 3.2092 4.8471
Mean
Diff
95% Conf Inter
Lower UpperSE t df
Significance
(2-tailed)Variance Skewness KurtosisVariable n Mean SD
159
• Region 1 (historically, the region least affected by seasonal flooding or hurricane)
as compared to other regions with recurrent histories of disasters (2.8 : >9.0)37;
• Small businesses (Size1 <50 employees and $15M in annual revenue) and large
businesses (Size6 >1,000 employees and $500M in annual revenue) (4.9 : 9.5);
• Organizations with no experience in dealing with disasters compared to those that
have had some experience; (6.0 : >8.4).
• Organizations that do not collaborate with partners versus those that do (5.0 : 9.7).
Further exploratory analysis was done by constructing box plots of the survey data
divided into the sub-populations among the four factors shown in Table 5-5. This
information appears in Figure 5-2. In box plots the boxes represent the central quartiles
(50%) of the illustrated populations with the heavy black line in each box showing the
position of the mean. Whiskers at either end of the box mark the smallest and largest
values in the dataset that are not outliers. Outliers, where they exist, are shown as
numbered data points.
The box plots generated in this analysis show general trends among the data of each
independent variable. For example, there is little discernible pattern among data from
Regions 1-5. However, trends among the other three factors are much more evident, and
illustrate that the number (frequency) of preparedness measures adopted generally
increases with increasing organizational size; with previous disaster experience as
opposed to no experience; and with participation in a collaborative partnership.
37 Data from Region 3 ceased mid-way through the survey period when it was evacuated and subsequently devastated by Hurricane Ike.
160
Figure 5-2: Box plots of regions, organization size, incident occurrence, and collaborative partnerships.
Regions 1, 2, 3, 4, 5
Organization size (Size 1-6)
Incident occurrence (No / Yes1-4)
Collaboration partners (No / Yes)
161
Moreover, graphing the survey results in this fashion revealed one of the more
interesting dimensions among the factors examined in this study: that the clearest
difference in motivation for preparedness among the factors evaluated appeared to be
between organizations that had participated in a collaborative partnership and those that
had not (i.e., the bottom of the graphs in Figure 5-2). In order to further examine this
relationship, three sample populations were selected from the data of private sector
participants and compared using the Minitab histogram and box plot functions. The
populations represent mutually exclusive groups for three of the four factors—disaster
experience, organizational size, and participation in a collaborative partnership—and
have roughly equivalent population n’s. Figures 5-3 to 5-5 provide the histograms and
box plots from this analysis. Disaster experience and collaboration (5-3 and 5-5) divide
the survey population roughly in half. Organizations depicted in Figure 5-4 represent
those with less than 100 employees and under $35K annual revenue (Sizes 1-3) and those
with over 100 employees and $35K in annual revenue (Sizes 4-6), yielding comparative
populations of 78 and 67 respectively.
It should be noted that for this aspect of the analysis, one of the twelve dependent
variables—participation in a collaborative partnership—has been singled out for use as
an independent variable and then employed as a basis for comparison between disaster
experience, organizational capability, and collaboration as motivating factors for
preparedness. As will be noted in the summary in Chapter 6, there are any number of
ways by which to divide and analyze the data acquired in this study, and the selection
between dependent and independent variables is largely a matter of which facet of the
data is being examined and from which perspective.
162
Figure 5-3: Comparative histograms and box plots of the effects of disaster experience on measures adopted.
15129630
10
8
6
4
2
0
Data
Fre
qu
en
cy
6 3.609 75
8.943 2.938 70
Mean StDev N
No Disaster Experience
Previous Disaster Experience
Variable
Effect of Disaster Experience on Measures AdoptedNormal
Previous Disaster ExperienceNo Disaster Experience
12
10
8
6
4
2
0
Da
ta
Boxplot of No Disaster Experience, Previous Disaster Experience
163
Figure 5-4 Comparative histograms and box plots of the effects of organizational size on measures adopted.
Size 4-6Size 1-3
12
10
8
6
4
2
0
Da
ta
Boxplot of Organization Sizes 1-3 and 4-6
15129630-3
12
10
8
6
4
2
0
Data
Fre
qu
en
cy
5.821 3.813 78
9.284 2.207 67
Mean StDev N
Size 1-3
Size 4-6
Variable
Effect of Organization Size on Measures AdoptedNormal
164
Figure 5-5 Comparative histograms and box plots of the effects of participation in a collaborative partnership on measures adopted.
129630-3
18
16
14
12
10
8
6
4
2
0
Data
Fre
qu
en
cy
5.028 3.460 71
9.716 1.810 74
Mean StDev N
No Collaboration
Collaboration
Variable
Effect of Collaboration on Measures AdoptedNormal
CollaborationNo Collaboration
12
10
8
6
4
2
0
Da
ta
Boxplot of No Collaboration, Collaboration
165
When the survey populations are examined in this fashion, the histograms and box
plots reveal one of the two significant findings of this research project: that among the
population sampled in this study, participation in a collaborative organization had a
stronger correlation with motivation to adopt preparedness measures and continuity
practices than past experience in a disaster, and at least an equivalent effect as the rough
doubling in size (on average) from a small to a medium-size (or larger) organization or
business. The implications of this finding will be examined in detail in Chapter 6.
5.2 Tests of significance, analysis of variance and regression Assuming that frequency distributions for all measures of preparedness reflect normal
distributions (a 2-tailed test), then the tests of significance (Student’s t-test) yield large
positive values in each case for t and a significance value less than the critical value of
.05, as was evident in Table 5-5. Thus, in all four cases the null hypotheses can be
rejected; that is, the data analysis does not show that the four proximities (geographic
exposure to hazard; past disaster experience; organizational size; and collaboration with
other organizations) have no effect on business decisions regarding adoption of
preparedness and continuity measures. Therefore, the failure to reject the null hypotheses
establishes that exposure to hazard, past experience with disaster, the size and capability
of the organization, and participation in a collaborative organization all have an impact
on the motivation of non-profit organizations to implement preparedness measures.
Further testing was conducted through a one-way Analysis of Variance (ANOVA) for
each of the four proximities. Figures 5-6 through 5-9 present the resulting tables of the
one-way ANOVA for independent variables of Regional Affiliation (exposure), Incident
Experience, Organization Size (capability) and Collaboration against the dependent
166
variable of preparedness measures adopted (maximum of 12). In each of the four cases,
the F-test of the distribution is large and the significance value is less than the critical
value of .05. Thus the ANOVA confirms that there are significant differences in the
means of each of the data sets.
Lastly, a regression analysis was performed on each of the four datasets, and a
Probability Plot was created to illustrate the relationship between the measures of
preparedness (dependent variable) and the independent variables within each sample
population. Scatter plots (lower half of Figures 5-6 to 5-9) show the relative dispersion of
data for each of the independent variables, with the Normal Probability Plot for each
independent variable illustrating the degree of linear conformance among residuals. In
each of the four cases, the P-P Plot for residuals shows that the regression conforms to
the linear model indicating moderately strong relationships between the independent and
dependent variables. However, the “bumpiness” and clustering in the probability plots
points to the need for a further level of analysis to examine the normality of the datasets.
167
Figure 5-6: Analysis of variance (ANOVA) and normal probability plot of regression for preparedness measures as a function of region.
Independent Variable: Region
Scatter Plots
Sum of
Squares df
Mean
Square F Sig.
(Combined) 666.640 4 166.660 19.336 .000
Linearity 469.331 1 469.331 54.451 .000
Deviation
from
Linearity
197.309 3 65.770 7.631 .000
1206.697 140 8.619
1873.338 144
Measures *
Region1, 2,
3, 4, 5
Between
Groups
Within Groups
Total
ANOVA Table
Region1, 2,
3, 4, 5 Mean N
Std.
Deviation
Std. Error of
Mean Sum Variance Skewness
1 2.82 17 3.127 .758 48 9.779 1.283
2 9.00 8 2.138 .756 72 4.571 -2.222
3 5.68 34 4.058 .696 193 16.468 .004
4 9.25 16 2.436 .609 148 5.933 -1.755
5 8.79 70 2.365 .283 615 5.591 -.935
Total 7.42 145 3.607 .300 1076 13.009 -.753
168
Figure 5-7: Analysis of variance (ANOVA) and normal probability plot of regression for preparedness measures as a function of incident experience.
Independent Variable: Incident Experience
Scatter Plots
Sum of
Squares df
Mean
Square F Sig.
(Combined) 327.555 4 81.889 7.417 .000
Linearity 215.637 1 215.637 19.530 .000
Deviation
from
Linearity
111.918 3 37.306 3.379 .020
1545.783 140 11.041
1873.338 144
Measures *
When
Between
Groups
Within Groups
Total
ANOVA Table
When Mean N
Std.
Deviation
Std. Error of
Mean Sum Variance Skewness
0 6.00 75 3.609 .417 450 13.027 -.356
1 9.19 32 2.264 .400 294 5.125 -.906
2 8.41 22 3.418 .729 185 11.682 -1.251
3 8.92 13 3.818 1.059 116 14.577 -1.640
4 10.33 3 1.155 .667 31 1.333 -1.732
Total 7.42 145 3.607 .300 1076 13.009 -.753
169
Figure 5-8: Analysis of variance (ANOVA) and normal probability plot of regression for preparedness measures as a function of organization size.
Scatter Plots
Independent Variable: Organization Size
Sum of
Squares df
Mean
Square F Sig.
(Combined) 645.640 5 129.128 14.620 .000
Linearity 568.702 1 568.702 64.388 .000
Deviation
from
Linearity
76.938 4 19.234 2.178 .075
1227.698 139 8.832
1873.338 144
Measures *
OrgSize
Between
Groups
Within Groups
Total
ANOVA Table
OrgSize Mean N
Std.
Deviation
Std. Error of
Mean Sum Variance Skewness
1 4.92 49 3.845 .549 241 14.785 .232
2 5.75 16 3.435 .859 92 11.800 -.254
3 9.31 13 1.702 .472 121 2.897 -.449
4 8.11 9 3.018 1.006 73 9.111 -1.924
5 9.29 21 2.004 .437 195 4.014 -.600
6 9.57 37 2.062 .339 354 4.252 -1.247
Total 7.42 145 3.607 .300 1076 13.009 -.753
170
Figure 5-9: Analysis of variance (ANOVA) and normal probability plot of regression for preparedness measures as a function of participation in a collaborative partnership.
Scatter Plots (all data)
Sum of
Squares df
Mean
Square F Sig.
Between
Groups
(Combined) 796.354 1 796.354 105.738 .000
1076.984 143 7.531
1873.338 144
Measures *
Partners
Within Groups
Total
ANOVA Tablea
Partners Mean N
Std.
Deviation
Std. Error of
Mean Sum Variance Skewness
0 5.03 71 3.460 .411 357 11.971 -.031
1 9.72 74 1.810 .210 719 3.275 -1.159
Total 7.42 145 3.607 .300 1076 13.009 -.753
Independent Variable: Collaboration
171
5.3 Skewness and tests of normality: Anderson-Darling test Among the assumptions upon which the descriptive statistics and tests of significance
are based is the assumption that the data follow a normal distribution. This is a reasonable
and valid assumption assuming a large population, as formulated in the Central Limit
Theorem. However, as was clear in Table 5.5, there is significant variability of n’s within
each test population of the independent variables, as well as wide disparity in variances.
There is likewise a high degree of variability in skewness and kurtosis indicating that the
actual data is not normally distributed. Skewness is an indicator of non-normality in a
distribution, such that negatively skewed distributions have longer left-hand tails, while
positive skewing indicates a longer right-hand tail. Kurtosis is an indicator of the
“fatness” of the tails relative to a normal distribution, and can be either negative (steep
sides to the curve with little tailing) to positive (showing a heavy or extended tail). In the
case of this dataset, individual data are skewed in either direction and kurtosis is positive
or negative depending on the population in question. This skewness is evident in the box
plots in Figure 5-2.
The deviation from normality is evident in the cumulative data across the entire
population of private sector survey responses. Figure 5-10 provides a histogram of the
total population of private sector respondents showing the frequency with which private
sector entities adopted the corresponding number of preparedness measures (1076
preparedness measures adopted by 145 private sector entities across the population).
172
Figure 5-10: Histogram showing distribution of preparedness measures
The histogram shows that a large number of private sector entities implemented
11 preparedness measures (approximately 30); nevertheless, there are a larger number at
the lower end of the scale whose implemented measures were below the mean of 7.42,
thus skewing the data to the left. In this case, skewing indicates a real-world condition:
that is, a trend within the survey population toward the adoption of a large number of
measures among a relatively small number of organizations, but also a large number of
organizations that reported adoption of a number of measures that are substantially below
the mean.
To confirm the distribution of data within this population, a separate analysis was
conducted using the Anderson-Darling (A-D) normality test, accompanied with a
probability plot to examine goodness-of-fit for the normal distribution within this
15129630
30
25
20
15
10
5
0
All Regions
Fre
qu
en
cy
Mean 7.421
StDev 3.607
N 145
Effect of Geographic Proximity on Measures AdoptedNormal
All Private Sector (n=145)
Distribution of Preparedness Measures among Survey Respondents
173
population. The Anderson-Darling test is used to test whether a data sample comes from
a population having a specific distribution, and is an alternative to the Kolmogorov-
Smirnov goodness-of-fit test, with the advantage that it gives more weight to the
distribution tails than the K-S test [NIST/Semantech, 2009]38. The A-D test assumes
normality for the tested distribution so that a test result below the critical value rejects the
null hypothesis (H0= the data conform to a normal distribution) confirming that the data
are not normally distributed. Figure 5-11 shows a Minitab print of the Anderson-Darling
test using a critical value of .05. As can be seen from visual inspection of the histogram,
the p-value of .005 indicates that the null hypothesis in this case can be rejected in favor
of the alternate hypothesis that the data for all survey respondents do not conform to a
normal distribution.
Further confirmation of this observation is provided by the accompanying Probability
Plot (Figure 5-12), generated in Minitab using the Anderson-Darling test for normality. In
this case, the deviation from a straight-line plot—negatively on the left edge of the curve
and positively on the right edge—confirms that the data are skewed to the left and do not
conform to a normal distribution. To confirm this observation, Anderson-Darling tests
and probability plots were generated for each of the sample populations for the four
proximities (independent variables) under investigation. In each sub-population, the
histograms and p-values < .05 in those tests indicate that the data do not conform to a
normal distribution.
38 Accessed 10 August 2009 at http://www.itl.nist.gov/div898/handbook/eda/section3/eda35e.htm. See also, http://www.isixsigma.com/dictionary/Anderson-Darling_Normality_Test-189.htm
174
Figure 5-11: Anderson-Darling test of normality for all private sector data
Figure 5-12: Probability plot for goodness of fit for A-D test of normality
121086420
Median
Mean
9.08.58.07.57.0
1st Q uartile 5.0000
Median 9.0000
3rd Q uartile 10.5000
Maximum 12.0000
6.8286 8.0127
8.0000 9.0000
3.2340 4.0776
A -Squared 5.52
P-V alue < 0.005
Mean 7.4207
StDev 3.6068
V ariance 13.0093
Skewness -0.753355
Kurtosis -0.616387
N 145
Minimum 0.0000
A nderson-Darling Normality Test
95% C onfidence Interv al for Mean
95% C onfidence Interv al for Median
95% C onfidence Interv al for StDev
95% Confidence Intervals
Summary for All RegionsDistribution of Preparedness Measures among Survey Respondents
20151050-5
99.9
99
95
90
80
70
60
50
40
30
20
10
5
1
0.1
All Regions
Pe
rce
nt
Mean 7.421
StDev 3.607
N 145
AD 5.515
P-Value <0.005
Probability Plot of All RegionsNormal
All Private Sector (n=145)
Probability Plot for Distribution of Preparedness Measures
175
5.4 Non-Parametric tests: Kruskal-Wallis test Given the consistency with which the survey population appeared to have non-normal
distributions, a further test was conducted. The Kruskal-Wallis analysis of variance is a
non-parametric test, not dependent on a normal distribution, that compares medians
among populations to determine significant differences among them. It adopts the null
hypothesis that there is no difference between the medians of specific group populations
and an alternate hypothesis that a significant difference exists between the medians. For
this analysis, the populations of interest are those that represent the three factors
identified in section 5.1 that appeared to have the strongest correlation to the adoption of
preparedness measures among the organizations surveyed—i.e., those with previous
disaster experience or greater capability to prepare, and those involved in collaborative
partnerships. Figure 5-13 provides a box plot consolidating the three plots from Figures
5-3 to 5-5, showing the mean and median of each of the factors’ distributions.
Figure 5-13: Comparison of box plots of disaster experience, organizational capability, and collaboration.
CollaborationCapabilityExperience
80
70
60
50
40
30
20
Da
ta
52.916751.8333
59.9167
Comparison of disaster experience, capability, and collaboration
176
Table 5-6 provides descriptive statistics for these three populations and summarizes the
results of the Kruskal-Wallis test for each of the three factors, comparing the higher and
lower halves of each population (that is, NO EXPERIENCE VS. EXPERIENCE; SIZES 1-3 VS.
SIZES 4-5; AND NO COLLABORATION VS. COLLABORATION). In the left-hand column is a
consolidation of the three populations comparing the three sub-populations as a group.
Table 5-6: Descriptive statistics and Kruskal-Wallis test
Experience Capability Collaboration
Mean 52.16666667 51.83333333 59.91666667
Standard Error 3.809544102 3.721015936 4.118432942
Median 55 55.5 64
Mode 54 57 64
Standard Deviation 13.19664788 12.88997731 14.26667021
Sample Variance 174.1515152 166.1515152 203.5378788
Kurtosis 4.357638222 4.757352291 4.315989202
Skewness -1.867561705 -1.94589528 -1.998451728
Range 49 49 52
Minimum 17 17 22
Maximum 66 66 74
Sum 626 622 719
Count 12 12 12
Confidence Level(95.0%) 8.384750029 8.189900851 9.064609783
Descriptive Statistics
All Three Factors Experience Capapbility Collaboration
66 62 68 60 66 64 62 58 68
65 66 71 49 65 48 66 43 71
59 57 67 51 59 53 57 43 67
57 59 64 46 57 44 59 39 64
60 60 66 41 60 41 60 35 66
54 53 64 40 54 41 53 30 64
52 57 64 37 52 32 57 25 64
54 49 60 33 54 38 49 27 60
56 54 55 30 56 32 54 31 55
42 45 74 32 42 29 45 0 74
44 43 44 22 44 23 43 22 44
17 17 22 9 17 9 17 4 22
Median 54 54 64 Median 37 54 Median 38 54 Median 30 64
Rank Sum 152 155 251 Rank Sum 82 171 Rank Sum 82.5 170.5 Rank Sum 74.5 178.5
Count 11 11 11 Count 11 11 Count 11 11 Count 11 11
Avg. Rank 13.818 14.091 22.818 Average Rank 7.455 15.545 Average Rank 7.500 15.500 Average Rank 6.773 16.227
Alpha 0.05 Alpha 0.05 Alpha 0.05 Alpha 0.05
kw Statistic 6.420 kw Statistic 8.539 kw Statistic 8.348 kw Statistic 11.659
p value 0.0404 p value 0.0035 p value 0.0039 p value 0.0006
ComparisonPairwise
Diff.
Critical
ValueComparison
Pairwise
Diff.
Critical
ValueComparison
Pairwise
Diff.
Critical
ValueComparison
Pairwise
Diff.
Critical
Value
66-62 0.273 9.665 60-66 8.091 5.427 64-62 8.000 5.427 68-58 9.455 5.427
66-68 9.000 9.665
62-68 8.727 9.665
Conclusion: there is evidence of
differences in the methods.
Kruskal-Wallis Test with Pairwise Comparison
Conclusion: there is evidence of
differences in the methods.
Conclusion: there is evidence of
differences in the methods.
Conclusion: there is evidence of
differences in the methods.
177
For each of these three factors, as well as for the consolidated population, the Kruskal-
Wallis test indicates a p-value < .05, thus rejecting the null hypothesis and affirming that
there is a significant difference between the medians of each of these populations as well
as for the sup-populations within them. This confirms that the correlations seen between
the effect of collaboration, relative to that of organizational size and capability, and to
previous disaster experience is, indeed, significant.
5.5 Pareto charts of preparedness measures The second significant finding of this study emerged in examining Pareto charts
generated in Excel to determine the presence of patterns or general trends in the selection
of preparedness measures from among the survey populations (Figures 5-14 to 5-16). It
was noted in the introduction to this chapter that an assumption of the analysis is that
each of the dependent variables (the 12 measures of preparedness) are independent
among themselves; that is, there is no necessary connection or relationship between them
that would make any one measure a prerequisite for any other.
Nevertheless, there emerged a remarkably consistent pattern regarding the selection
and priority of the 12 preparedness measures. This can be detected in examining the
numerical scores in Table 5.3, in which the 12 measures have been arranged in generally
descending order of selection. The following Pareto charts make this trend more easily
recognizable.
178
Figure 5-14: Pareto charts—Preparedness measures adopted among private sector organizations having experienced a disaster vs. not having experienced a disaster
At least one incident occurred
66 65 60 59 57 56 54 54 52 44 42
17
11%
21%
31%
40%
49%
58%
67%
75%
84%
91%
97%100%
0
100
200
300
400
500
600
Bac
kup
Em
ergP
lan
Training
Qua
ls
Eva
cRte
Sec
urity
AltH
Q
COOP
Exe
rDrills
DHSgu
ides
Par
tner
s
Reg
Svc
s
Preparedness Measures
Me
as
ure
s A
do
pte
d
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Pe
rce
nt
Data Collection from Jul 2008 - Feb 2009
No Incidents
6051 49 46 41 40 37 33 32 30
229
13%
25%
36%
46%
55%
64%
72%
79%
86%
93%
98%100%
0
50
100
150
200
250
300
350
400
450
Bac
kup
Qua
ls
Em
ergP
lan
Eva
cRte
Training
AltH
Q
Exe
rDrills
COOP
Par
tner
s
Sec
urity
DHSgu
ides
Reg
Svc
s
Preparedness Measures
Me
as
ure
s A
do
pte
d
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Pe
rce
nt
Data Collection from Jul 2008 - Feb 2009
179
Figure 5-15: Pareto charts—Preparedness measures adopted among private sector organizations involved in collaboration vs. no collaboration.
Collaboration with Partners
74 71 68 67 66 64 64 64 60 5544
22
10%
20%
30%
39%
48%
57%
66%
75%
83%
91%
97%100%
0
100
200
300
400
500
600
700
Par
tner
s
Em
ergP
lan
Bac
kup
Qua
ls
Training
AltH
Q
Eva
cRte
Exe
rDrills
COOP
Secur
ity
DHSgu
ides
Reg
Svc
s
Preparedness Measures
Me
as
ure
s A
do
pte
d
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Pe
rce
nt
Data Collection from Jul 2008 - Feb 2009
No Collaboration
58
43 43 39 35 31 30 27 25 22
4 0
16%
28%
40%
51%
61%
70%
78%
86%
93%
99% 100% 100%
0
50
100
150
200
250
300
350
Bac
kup
Em
ergP
lan
Qua
ls
Eva
cRte
Training
Secur
ity
AltH
Q
COOP
Exe
rDrills
DHSgu
ides
Reg
Svc
s
Par
tner
s
Preparedness Measures
Me
as
ure
s A
do
pte
d
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Pe
rce
nt
Data Collection from Jul 2008 - Feb 2009
180
Figure 5-16: Pareto charts—All preparedness measures adopted among public sector agencies vs. private sector businesses (n= 26 and 117, respectively).
Government Agencies
26 25 23 22 22 20 19 18 18 1713
8
11%
22%
32%
42%
51%
60%
68%
76%
84%
91%
97%100%
0
50
100
150
200
Em
ergP
lan
Bac
kup
Training
Par
tner
s
Qua
ls
ExD
rills
Eva
cRte
AltH
Q
COOP
Sec
urity
DHSgu
ides
Reg
Svc
s
Preparedness Measures
Me
as
ure
s A
do
pte
d
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Pe
rce
nt
Data Collection from Jul 2008 - Feb 2009
All Businesses
103 91 87 82 81 74 73 72 69 59 53
19
12%
22%
33%
42%
51%
60%
68%
77%
85%
92%
98%100%
0
100
200
300
400
500
600
700
800
Bac
kup
Em
ergP
lan
Qua
ls
Eva
cRte
Training
AltH
Q
COOP
ExD
rills
Sec
urity
Par
tner
s
DHSgu
ides
Reg
Svc
s
Preparedness Measures
Me
as
ure
s A
do
pte
d
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Pe
rce
nt
Data Collection from Jul 2008 - Feb 2009
181
The Pareto charts of preparedness measures demonstrate that there is relative
consistency in the implementation of measures, regardless of whether the organization
has experienced a disaster or not; whether it engages in a collaborative partnership with
other organizations; or whether it is a government agency or private sector business. The
charts illustrate, as well, that both past experience and participation in a collaborative
partnership have a significant—and consistent—influence on the implementation of
preparedness measures across virtually the entire range of available measures assessed by
this study. The scales on the left hand column of those two charts further illustrate that
experience and collaboration have a significant effect on the total number of preparedness
measures adopted across an entire population.
5.6 Correlation of proximities among private sector entities
It was noted in the introduction to this dissertation that the study does not attempt to
determine cause-and-effect relationships regarding the influence of any specific
proximity on any other. In other words, the influence of exposure, experience, capability
and collaboration—as well as individual preparedness measures—were treated as
independent factors relative to one another. In the real world, however, this is not likely
the case. It should not be surprising, for example, if there were some relationship between
an organization’s past experience in a real disaster or its size and capabilities, and the
likelihood that it would adopt active measures to protect against disasters to include
participation in a collaborative planning partnership with other organizations in the same
community or region.
182
In an effort to investigate these relationships, the three proximities above were further
examined to determine the degree to which combinations of proximities might have an
effect on the number of preparedness measures adopted by the private sector entities
evaluated. This was accomplished by evaluating the total number of measures adopted
based on combinations of the three proximities (size of the organization (small/large);
previous disaster experience (yes/no); and participation in a collaborative partnership
(yes/no)). Calculations were then made based on the data of the numbers of measures
adopted by each of the entities represented. A Pareto chart was then developed based on
this analysis to develop a ranking among the number of preparedness measures adopted
relative to the relationships among the three proximities. Figure 5-17 provides a graphic
illustration of the manner in which the permutations among categories were assessed.
Figure 5-17: Depiction of analytic approach for correlation among proximity
factors.
183
The 145 private sector entities were grouped together according to relative size as in the
previous section. This accounted for 78 private sector entities of Size 1-3 (less than 100
employees/members and less than $35M in annual revenue) and 67 private sector entities
of Size 4-6, with greater than 100 employees/members and annual revenue exceeding
$35M. From that basis, counts were made of entities that had experienced a disaster (or
not) and those that participated in a collaborative partnership (or not). Table 5-7 provides
a tally of the number of instances of each of these categories among the 145 private
sector entities and shows the collective number of preparedness measures distributed
across the population from among the total of 1076 within the total 145 private sector
entities surveyed.
Table 5-7: Correlation of proximities among 145 private sector entities
S1 = Organization Size 1-3 S4 = Organization Size 4-6 Iy = Incident or disaster experience In = No incident or disaster experience Cy = Involved in a collaboration Cn = Not involved in a collaboration
To organize this data into a meaningful format, Pareto charts were then developed of the
correlation data, organizing the categories according to the number of preparedness
measures adopted from across the eight groupings. Figures 5-18 and 5-19 present the
resultant data.
184
Figure 5-18: Pareto chart of distribution of measures adopted across private sector entities correlated by proximity
Figure 5-19: Pareto chart of average number of measures adopted per private sector entity correlated by proximity.
185
The degree of influence exerted by multiple proximities on private sector adoption of
preparedness measures as depicted in Figure 5-19 can be summarized as follows:
1. Large organizations with previous disaster experience and participation in a
collaborative partnership (10.44);
2. Small organizations with previous disaster experience and participation in a
collaborative partnership (10.22);
3. Large organizations that participate in collaborative partnership but have no
previous disaster experience (9.54);
4. Small organizations that participate in collaborative partnership but have no
previous disaster experience (8.37);
5. Large organizations with previous disaster experience but no participation in
collaborative partnerships (8.36);
6. Large organizations with neither previous disaster experience in disaster nor
participation in collaboration (5.88);
7. Small organizations with no previous disaster experience but membership in a
collaborative partnership (5.21);
8. Small organizations with neither previous disaster experience nor membership in
a collaborative partnership (3.43).
For the population surveyed in this research project, then, this analysis confirms that
there is a significant effect of multiple influences (i.e., proximities) on the decisions of
private sector entities to adopt preparedness measures. The data tend to confirm the
relative importance of organizational size—i.e., capability to prepare and respond—as the
key discriminator among private sector organizations toward adopting preparedness and
186
continuity planning measures. The second most important influence appears to be that of
participation in a collaborative partnership. Third in importance is previous disaster
experience. Of note, is the fact that the combination of previous experience and
participation in collaboration correlates with both large and small organizations.
5.7 Influences on participation in a collaborative partnership
Based on the foregoing, it would be reasonable to inquire whether the degree to
which an organization’s decision to participate in a collaborative partnership is itself
influenced by previous experience in a disaster or the size and capability of the
organization. To assess this question, two components of the survey population—those
that participated in a collaborative partnership and those that did not (n = 74 and 71,
respectively)—were examined according to previous disaster experience and organization
size. Table 5-8 shows the number of individual organizations of the 145 surveyed that fall
into each category. Figures 5-20 and 5-21 provide a visual depiction of the data.
Collaboration No Collaboration Total
Yes No Yes No
1= 18 4 14 1= 26 7 19 44
2= 5 3 2 2= 16 2 14 21
3= 6 3 3 3= 7 5 2 13
4= 4 1 3 4= 5 4 1 9
5= 15 8 7 5= 6 3 3 21
6= 26 23 3 6= 11 7 4 37
n=74 42 32 n=71 28 43 145
Organization
Size
Organization
Size
Disaster ExperienceDisaster Experience
Table 5-8: Collaboration relative to organization size and disaster experience
187
Figure 5-20: Overall effect of organization size on collaboration.
Figure 5-21: Relationship between organization size, previous disaster experience and participation in a collaborative partnership. Based on this analysis, it appears to be the case that participation in a collaborative
partnership is, indeed, influenced by the size of the organization. There is a significantly
higher percentage of partnerships (71% or 41/58) reported by the two largest organization
188
groups in the study (those with more than 500 employees and over $165 million in assets
and revenue). However, it also appears that the size of the organization exerts influence
at the other end of the spectrum, as well. Forty-one percent (18/44) of the smallest
organizations in this survey population—those with 25 employees or fewer and under $1
million in assets and revenue—also listed participation in a collaborative partnership as
one of the preparedness measures they had adopted. Results among the middle third of
the survey population revealed a lower but relatively consistent engagement in
collaboration across those three organization sizes.
With regard to the influence of multiple factors such as the combination of disaster
experience with organization size, the strongest influence appears to be among
organizations at the uppermost end of the scale. Figure 5-20 breaks down the previous
graph into four elements:
(1) Organizations that only participate in a collaborative partnership;
(2) Organizations that have disaster experience but are not members of a partnership;
(3) Organizations that have neither disaster experience nor membership in a
partnership; and
(4) Organizations that have experience and also participate in a collaborative
partnership.
The combination of disaster experience and membership in a collaborative partnership
clearly has the greatest prevalence among the largest organizations in the survey
population. However, as noted before, it is not feasible in this study to determine whether
any of these characteristics are directly linked to those conditions. For example, it is quite
likely that larger organizations—with the greatest longevity, most diversified assets and
189
multiple geographic locations—have the highest rate of experience with disasters and
organizational crises simply as a matter of course. That is, with size comes both
exposure and experience. This may motivate participation in collaborative planning as a
means of protecting assets from known hazards and to mitigate well-recognized
vulnerabilities. For the smaller business or organization, the motivation may be as high as
for the larger organization, but is not based so much on personal experience as on the
opportunity to participate with a larger corporation or organization and gain from their
experience.
Such questions as these are worth pursuing in follow-on studies, particularly in
attempting to identify and balance the interests and preparedness needs of a community
comprised of diverse businesses, industries and non-profits, all having a range of
interests, vulnerabilities and histories.
190
CHAPTER 6: SUMMARY OF RESULTS
6.0 Overview
6.1 Analysis of research results
6.2 Limitations and areas for further research
6.3 The question of motivation
6.4 Conclusion: A framework for private sector preparedness
6.0 Overview This final chapter summarizes significant results related to the research hypotheses
based on analysis developed in Chapter 5. Other results concerning perceptions of risk
and threat, agency responsibility, and general levels of preparedness were summarized in
Chapter 4. Limitations of this research project are discussed along with an analysis of
areas for future research. The chapter concludes by presenting a Framework for Private
Sector Preparedness as a conceptual model for the relationship between the preparedness
of individual private sector organizations and the overall resilience of the economic
environment they inhabit.
6.1 Analysis of research results The analysis of data collected from the Private Sector Survey of Preparedness and
Continuity Practices confirmed—for this survey population—the two key research
hypotheses that previous disaster experience and the size of the business or organization
have significant effects of private sector entities to adopt preparedness and continuity
planning measures. In particular, business or organizational size—as an indicator of
191
overall capability to prepare for and respond to emergencies—appears to have a
predominant effect on the willingness of organizations to adopt a wide range of
preparedness measures. Figure 6-1 provides a bar chart that illustrates this effect:
Figure 6-1: Bar chart illustrating effect of organizational size on adoption of preparedness measures
Like Figure 5-11, this chart divides the survey population into the two groups
representing small businesses (less than 100 employees; annual revenue less than $35M)
and medium-to-large businesses of more than 100 employees, and annual revenue of
greater than $35M. Within this population, small organizations (size 1-3) accounted for a
total of 454 preparedness measures (mean = 5.82 per organization) and medium-large
organizations a total of 622 (mean = 9.28 per organization) of the 1076 total measures
192
adopted by the survey population. Of particular significance, is the number of small
organizations in Size 1 that adopted none or only a few measures, as opposed to the
number of larger organizations (Size 6) that had adopted 11 or more. As expected, this
trend supports previous findings and indicates the degree to which, on average, the size
and capability of an organization provides a basis for engaging in preparedness and
continuity practices.
A similar trend can be seen in a graph of the effects of previous disaster experience
on the number of measures adopted. Figure 6-2 provides a similar bar chart that shows
the distribution of preparedness measures across the range of previous experience. This
graph provides evidence of a decaying of the effect of experience over time—represented
between group number 1 (disaster experience within the last year) and group number 4
(disaster experience within the last decade.
Figure 6-2: Bar chart illustrating the effect of previous disaster experience on adoption of preparedness measures.
193
The most significant trend illustrated in this graph, however, is the distribution of
measures between organizations that have disaster experience (groups 1-4) and those that
have none (group 0). In this case, the population of organizations with no previous
disaster experience had nevertheless adopted a total of 450 of the 1076 preparedness
measures adopted, for a mean of 6.0 (450/75) compared to a mean of 8.94 (626/70) for
organizations that had previous disaster experience. This is a surprisingly high average
rate of preparedness among organizations that have had no previous experience with the
effects of a disaster, and indicates that the factor of experience may not be as critical to
motivating preparedness as much of the disaster literature has indicated. The case for
the effects of proximity to hazards cannot be so easily identified in the distribution of
preparedness measures when evaluated by regional affiliation for this research project.
For reasons previously discussed, there was no significant trend identified among the
regions surveyed that could lead to valid conclusions. Moreover, there is significant
evidence that—at least for this survey population—any influence generated by exposure
to hazard was overshadowed by other factors. For example, Figure 6-3 shows the
distribution of preparedness measures across the four geographic regions compared to the
non-regional category (group 5). Two points are evident in this graph. First, the rate of
participation in Region 2—the region with the least exposure to seasonal flooding or
hurricane effects—was the lowest among the private sector of any of the regions—in
spite of a concerted effort on the part of the author to spur survey participation in this
region. Anecdotally, this points to the fact that exposure to hazard may, indeed, influence
the attitudes of private sector entities toward or away from preparedness against local
hazards, even insofar as participation in a survey of attitudes is concerned.
194
Figure 6-3: Bar chart illustrating the distribution of preparedness measures across regions for the survey population.
On the other hand, the greater influence of collaboration is likely evident in the
number of preparedness measures adopted by group 5, a non-regionally affiliated survey
group that was generated from among the participants in a university-based collaborative
network. Within that survey population of 70 participants, there were 615 measures
adopted (mean = 8.79), compared to a total of 461 from among the four geographic
regions (mean = 6.15). While other unidentified factors may have also influenced
outcomes within this population, the influence of collaboration seems clear and reinforces
other findings of this study.
195
In that regard, a final bar chart provides further evidence of the significance of
collaboration on the adoption of preparedness measures across the survey population.
Figure 6-4 shows the distribution of measures as a result of the influence of collaboration
(and lack thereof) on preparedness and continuity planning. Of the population represented
by this division, the group not belonging to a collaborative partnership had adopted a
total of 357 preparedness measures (mean = 5.03), while the population engaged in
collaborative partnerships had adopted a total of 719 (mean = 9.72).
Figure 6-4: Bar chart illustrating effects of collaboration on preparedness measures adopted
196
This near doubling of the preparedness indicators from among the population involved in
a collaborative partnership—along with the significantly heavier trend of organizations in
this group to adopt a higher number of measures from within the population—is yet
further evidence of the apparent effect of collaboration on motivation to prepare.
6.2 Limitations and agenda for further research While this research project delivered results that validated three of the four research
hypotheses (for the specific population of private sector entities that participated in the
survey), there are nevertheless some limitations on the ability to draw broader
conclusions due to the structure of the research approach and several extenuating
circumstances. Specific limitations in the current effort include the following:
Limited survey population. While the data gathered in the Private Sector Survey
provided a basis for testing the hypotheses against this survey population, caution
must be exercised in claiming more validity for the results than is merited. A broader
survey population and diversity across regions or communities where exposure to
hazards can be more rigorously assessed would be a logical next step. In that regard, a
principal virtue of this current study may not be the results, per se, but rather the
development and “beta testing” of a survey instrument with the potential to explore
the relationships among motivating factors within private sector business, industry
and non-profit organizations.
A high degree of variation in survey participation between regions. The intervention
of two significant natural disasters during the course of the survey (Hurricane Ike
along the Gulf coast and the summer 2008 flooding in the northern Midwest)
undoubtedly affected the outcome of the survey, though the degree and direction of
197
that effect would not be easy to determine. Whether an ongoing natural disaster
would limit or enhance participation in a survey on preparedness could be debated.
Of greater significance is that the regional disparity among participants makes
conclusions regarding common perceptions of risk within specific communities
generally unreliable for this research study.
Establishing cause and effect relationships among proximities. It was observed in the
previous section that the relationships among the four proximities identified in this
study—experience, exposure, capability and collaboration—cannot be assessed as
cause and effect to any degree of fidelity. More research based on a larger population
of businesses and non-profit organizations and a different set of survey questions
would be necessary to draw firm conclusions in this direction (for example, “did
collaborative planning with other organizations provide you with knowledge or
capabilities for planning that you otherwise did not have?). That said, it does seem
clear that the development of private sector collaborative organizations at the regional
or local level may potentially be the most lucrative starting point for increasing the
general level of private sector preparedness and spreading capability across an entire
business sector of large and small businesses. On this issue, further research could
prove very worthwhile.
Establishing the parameters and characteristics of “collaboration” as it applies to
private sector and public sector efforts to jointly prepare for and respond to disasters.
This question has particular merit given the strong correlation among organizations
that belonged to collaborative partnerships with a higher than average rate of adoption
of preparedness measures as seen in this study. Within the business context, there has
198
been a great off effort and research invested in the art of negotiation, or of
salesmanship, leadership or corporate management. There is a good deal less research
into what constitutes effective collaboration—particularly in the context of forming
public/private sector partnerships for the purpose of preventing or dealing with
catastrophe. This is an area where further research could provide important insights.
The relationship between size of an organization and its actual capability to prepare
for a disaster. Without specific research in this area (which was not undertaken in this
study) it must be observed that the assertion that preparedness increases with the size
of the organization is itself a hypothesis, if not simply an assumption. While the data
in this project supports the conclusion that motivation to prepare seems to increase
with the size of the organization, this may not indicate actual preparedness within
specific organizations. Different organizations and businesses likely prepare in
different ways for the threats that are of most concern to them, and what constitutes
actual preparedness for one business or type of business might not be the whole
picture for another.
Finally, the connection between motivation to prepare and actual preparedness. The
assessment of capability or resilience against disasters or business crises cannot
necessarily be inferred from the number of measures of preparedness adopted, or
from programs in place or planning conducted, Establishing measures of
effectiveness for actual preparedness or resilience against disaster and the ability to
maintain continuity of operations is a field ripe for further investigation, as is seen in
the current efforts of the Department of Homeland Security to establish criteria for
preparedness to support a Voluntary Private Sector Preparedness Certification
199
Program (PS-PREP) under Title IX of the Implementing the Recommendations of the
911 Commission Act.
6.3 The question of motivation
More than any other issue, the question of motivation within the business sector is
of prime importance as an area for future research. As noted in the introduction of
Chapter 1, the establishment of standards or measures of effectiveness for preparedness—
as it currently being sought under the Title IX PS-PREP program—is not likely to be
nearly as important to the success of the program as the simple matter of motivating
businesses and non-profits to voluntarily participate. Previous surveys of the business
community have rarely indicated better than 50% adoption of any specific preparedness
measure, as noted in the literature cited in Chapter 2. But the larger issue is more
fundamental—that is, the question of what motivates businesses in regard to any specific
matter when considered as organizations acting in the presence of other organizations.
Motivation as a matter of organizational behavior has traditionally focused on the
behavior of members within an organization—that is, how workplace conditions,
incentives, perceptions, climate and leadership (among other factors) affect the
motivation of employees as members of the organization, and thus shape the culture and
character of the organization and its output and success. As an example, a foundational
text on organizational behavior describes expectancy theory—the expected relationship
between effort, outcome and reward—as a “framework for understanding how motivation
operates” [Bowditch and Buono 2001. This is one among about a dozen theories of
motivation discussed in the text, all of which examine motivation as it applies to
individual employees and employers in organizational contexts. Such questions as
200
these—fundamental though they are to the character, functions and goals of an
organization—do not address the behavior of organizations as entities that act on
decisions affecting the external environment. Edgar Schein addresses this question to
some degree in his discussion of the “Organization-Environment relationship” [Schein
1992]. Of particular relevance to the issue of disaster preparedness and collaboration is
his observation that “the more turbulent the environment, the more important it will be
for leaders to argue for and show that some level of control over the environment is
desirable and possible” [Schein, 1992, p. 364]. His discussion, however, is in a chapter on
Learning Culture, which is relevant for other reasons given the current state of private
sector preparedness already alluded to elsewhere in this study. About the specific
character of private sector motivation for preparedness, little appears to be known at this
stage, as we are all—individuals and organizations, alike--only embarking on a path to
learning how to do it effectively and institutionalize the concepts and objectives.
To elaborate, this research effort identified four factors that evidence indicates
may exert some measure of influence on the motivation of private sector organizations to
prepare for emergencies and conduct planning to ensure continuity of business
operations. However, these are far from the only—or perhaps—even the most important
of the factors. Given the growing recognition of the private sector role in protecting
critical infrastructure and contributing to the resilience of the nation’s communities, this
area merits further research to address the broader range of motivating factors, and to
determine the priorities and causal relationships among them.
For example, Figure 6-5 offers an illustration of some of the variables that could
influence those decisions on the part of a single business or the business sector of an
201
entire community. These could include specific characteristics of the organization itself
(e.g., the entity’s size, business type and sector, or the business model that underpins
business decision-making); factors originating in the external environment, such as
exposure to hazards, recent experience in disaster response, existing laws, regulations or
policies (such as insurance or safety and health regulations); and overall perceptions of
risk and threat to the organization owing to knowledge of its vulnerabilities or a current
or imminent threat condition. The private sector survey upon which this study was based
examined several of these. However, for purposes of analysis, this study concentrated on
only four key factors.
Figure 6-5: Factors potentially influencing business decisions for preparedness and continuity planning
At this stage, two paths for further analysis seem clear. The first is to pursue a
quantitative assessment of motivating factors for private sector preparedness using a
survey instrument, perhaps of the sort employed in this study (now thoroughly beta-
tested) across a much wider segment of the business and non-profit community. Based on
202
the experience of this study, a follow-on survey should certainly include a broader range
of regional perspectives and hazards, to include earthquakes, tornadoes, wildfires, as well
as technological and industrial hazards that are common in urban areas. This would be
essential to begin to understand the true effect of exposure to hazards as a motivating
factor, and which this study was not able to pursue with sufficient validity.
Secondly, and perhaps more importantly, a quantitative assessment should be
supplemented with qualitative work to understand motivation for preparedness from the
perspective of employees, shareholders and leaders in the business community. This
could be pursued through focus groups, targeted interviews, telephone discussion surveys
or other interview techniques. Fundamental, however, is the need to begin assessing the
why of business preparedness decisions. A more qualitative process may also begin
establishing some of the issues relevant to this study but inadequately addressed such as
the priorities for selecting and implementing some preparedness measures over others, or
the causal effects of factors such as organizational size or business sector on other factors
such as participation in collaborative partnerships.
The pursuit of this information may model efforts recently made to understand the
adoption of information security practices within the private sector. At this stage, ten
years after Y2K and with information technologies a growing aspect of modern life, there
may be valid lessons to be learned from the experiences of business attempts to protect
information technology systems, data, personal identifying information and digital
intellectual property that may inform further investigations into preparedness and
continuity planning, generally. One dissertation in the field arrived at conclusions similar
to this study: that more research was needed to understand and explain why businesses
203
adopt some IT management tools, rather than others [Ryan, 2001]. However, over the
course of a decade, information technology security practices have come a long way in
terms of universal adoption, and also in terms of the sophistication of systems that can be
used to aid the private sector in more easily protecting information systems. The National
Institute of Standards and Technology (NIST) guidebook, “Small Business Information
Security: The Fundamentals,” is a case in point [Kissel 2009]. The operable lesson that
information security practices may illustrate, is that it takes more than a couple of
decades of practice and technology development before increased security becomes
institutionalized within the private sector—and even then, there will always be holes in
the security systems, as there no doubt will be in preparedness regimes or continuity
planning.
6.3 Conclusion: A framework for private sector preparedness Tierney has observed that “individual businesses depend critically on robust local
business ecologies,” and that survival of individual businesses following a disaster is
determined not only on business continuity practices and the recovery of operations at the
individual or unit level, but on the return of residents, workers and consumers to the
region and on the restoration of the entire economic community [Tierney 2000, 287].
Businesses normally operate within a “natural environment” consisting of social, political
and economic forces; a population of consumers, citizens, residents and employees; and
among partners, competitors, customers and suppliers. The immediate challenge for any
business or non-profit following a disaster, local emergency or organizational crisis is to
limit the effects, recover gracefully and resume full business operations as expeditiously
204
as possible. However, recovery for a single business and restoration of the entire business
sector or community—while complementary—are not necessarily the same.
Managing the risks and hazards to a business or organization’s viability is the
traditional approach for most business crisis decision-making, as is evident in the
literature identified in Chapters 2 and 3 (see in particular the discussion of comprehensive
business insurance [Daniels, Kettle and Kunreuther 2006] cited on page 47, and the
discussion of Morgan and Fischhoff’s influence diagram for managing risk, (Figure 3.2)
[Morgan, Fischhoff, et al 2002]. This approach, however, does not address the viability
or sustainability of the post-disaster environment that businesses will necessarily swim in
following a large-scale or regional disaster. Sarewitz, Pielke and Keykhah [2003] have
argued for a more comprehensive approach to preparedness against extreme events that
includes managing vulnerabilities as well as risks. However, they observe that “at the
heart of the problem of vulnerability lies the tension between individual action and
collective consequence” [Sarewitz, Pielke and Keykhah 2003].
The results of this study seem to indicate that membership in a collaborative
partnership has a significant impact on motivating continuity planning and preparedness
measures among individual private sector entities. This opens the door to the possibility
that collective preparedness could have an equally significant impact on collective
resilience of the business community as a whole, and offers perhaps the most efficacious
means for mitigating the collective consequences of a local or regional disaster of the sort
that could affect the business community.
A recent diagram (Figure 6-6) from the Department of Homeland Security’s Science
and Technology Directorate illustrates the relationship between the social and economic
205
losses to a community following a disaster and the potential cost avoidance to be realized
in developing resilient capacities through enhanced response and recovery capabilities.
Figure 6-6: Cost avoidance from the effects of catastrophic events achieved through building resilient capacities in a community. The diagram is intended to address an entire range of resilience measures across any
number of sectors for both the physical and the civic infrastructures. However, the
depiction of cost avoidance as an outcome of enhanced functional capacities for response
and recovery has obvious implications for the entire economy of the affected region, and
likewise for each individual private sector business, industry, or non-profit organization
operating within that region. A further view is provided by the community resilience
model developed by Norris, Pfefferbaum and others (depicted in Figure 3-4 and repeated
below in Figure 6-7). This model presents a more comprehensive view of the relationship
between individual business entities and the network of economic and social relationships
of a community. Citing Rose [2004], those authors observe that “because of extensive
206
interdependencies at the macroeconomic level, economic resilience depends not only on
the capacities of individual businesses, but on the capacities of all the entities that depend
on them and on which they depend” [Norris, Pfefferbaum, et al 2008, p. 136].
Figure 6-7: Community resilience model [Norris, Pfefferbaum, et al, 2008].
Adam Rose explored this concept of networked relationships and consequences and
developed a “framework for analyzing the total economic impacts of terrorist attacks and
natural disasters” [Rose 2009]. In his analysis he identifies three levels at which
resilience can have economic effects:
Microeconomic – individual behavior of firms, households or organizations;
Mesoeconomic – economic sector, individual market or cooperative group; and
Macroeconomic – all individual units and markets combined, including interactive effects. [Rose 2009, p. 6].
As an economic function of resilience, Rose identifies two levels of analysis: (1) direct
economic resilience that applies to individual firms or industries at the micro- and meso-
207
levels, and which corresponds to economic equilibrium for the individual entity; and total
economic resilience that refers to the general equilibrium of the entire economy at the
macro-level, and which accounts for price and resource interactions in a given economy
following a disaster or other trauma. Figure 6-8 presents Rose’s framework.
Figure 6-8: Framework for modeling total economic impact of extreme events [Rose 2009, p. 15].
Of particular significance is Rose’s assertion that “the market is an excellent source of
resilience” [Rose 2009, p. 21]. By this, he means first, that resilience can provide a means
for conducting cost-benefit analyses of disaster-related strategies that account for both
pre-event mitigation measures and post-event recovery and restoration operations [p. 20].
Secondly, the normal “invisible hand” of market economies can provide indicators
following disaster or trauma of the effectiveness of mediation or mitigation efforts and
the overall strength and inadequacies in recovery and restoration schemes. This is not
without its unknowns, however, and Rose cautions that more research is needed on how
resilience functions as a system and on the behavioral linkages between risk perceptions
208
among affected populations and the effectiveness of implementation for recovery
strategies [p. 22].
The tensions between individual action and collective consequence and the influence
of individual and social or macro-level assessments of outcomes are also at the heart of
the Theory of Reasoned Action developed by Fischbein and Ajzen (1975) and discussed
in Chapter 3 (Figure 3-8 and Figure 6-9 below). This concept was further developed by
Davis, et al, to form a Technology Acceptance Model that addresses not only the
adoption of behaviors, but the adoption of technologies that offer some level of perceived
usefulness (Figure 3-9 and Figure 6-9 below). The significance of these two models for
the purpose of this analysis is the merging of considerations of individual preference
based on individual and socially-derived mores with the more pragmatic view of the costs
and benefits of certain actions or technologies based on their perceived ability to achieve
stated objectives. In other words, there may be a willingness to comply with socially
desirable goals as long as they do not conflict with individual preferences, but also as
long as they are perceived as effective for achieving those objectives.
209
Figure 6-9: Theory of Reasoned Action and Technology Acceptance Model Collectively, these models and the effect of collaborative partnerships on motivation
to adopt preparedness measures identified in this research project form the basis for what
I propose as a Framework for Private Sector Preparedness. The objective of this
framework is to address the collective vulnerability of the local economic environment to
large-scale disaster or trauma by balancing the tension between individual action and the
consequences or outcomes that might be achievable through collective action on the part
of the members of the economic community. Figure 6-10 presents this framework.
Theory of Reasoned Action (TRA) (Fishbein & Ajzen 1975)
Technology Acceptance Model (TAM) (Davis, et al. 1989)
210
Figure 6-10: Framework for private sector preparedness Like all business decisions, those involving the direction of corporate resources and
talent toward preparedness and continuity planning are not made within a vacuum, but
are merely some among a range of business decisions made within the context of the
economic and social ecosystem which the business or corporation inhabits. The behaviors
that a company or organization adopts or avoids have consequences, both for the
organization itself and also for its competitors and local economy and the larger market
place—what Rose refers to as the micro-, meso-, and macro-economic scales. Likewise,
the resulting socio-economic behavior also has implications for an entire range of social
and political fields at the local, regional and sometimes national levels.
Like the Theory of Reasoned Action, business decisions to adopt certain behaviors
are based on a balance among competing interests that can be generally categorized as
211
springing either from intrinsic corporate values or objectives, or which may be subject to
socially-derived norms and standards. As in the case of individuals, the justification for
adopting these behaviors can spring from several sources and can overlap—such as, for
example, the case of maintaining a certain corporate image regarding fair-play or
compliance with regulations out of a self-interest to maintain public confidence in the
corporation and its products. Decisions based on corporate self-interest, however
grounded, could be considered as part of the corporation’s responsibility to itself and its
shareholders to maintain profitability; these decisions thus take place within a domain of
market competition.
In this sense, preparedness for emergencies or the adoption of continuity of
operations plans is merely one more among a number of corporate strategies for
achieving competitive advantage over other companies, assuming that the more prepared
company has a better chance of surviving a disaster, recovering its operations quickly,
and perhaps capturing market share that must be abandoned by less prepared competitors.
However, this sort of calculus growing solely out of self-interest does not account for
the health or viability of the larger economic system which itself must recover from a
regional or large-scale disaster. If this ecosystem is unable to recover from a
catastrophe—whether from a loss of public services or infrastructure; a loss of integrity
in the supply chain; the collapse of the customer base due to displacement of the local
population; or a complete shift to another commodity or service as a result of adaptation
to the post-disaster environment—then all members of the private sector are likely to
share equally in that outcome and suffer equally—or at least proportionately—in the
failure of the local economy. This is the case for a new approach among members of the
212
private sector within a community, based not on competition, but on collaboration against
common hazards and threats to the viability of the economic ecosystem. Within this
domain of cooperation, the immediate objective is not corporate viability but community
resilience against common threats. In this sense, preparedness and continuity planning
serve both the corporate interest directly by strengthening the resilience of the
organization, but also its interest in strengthening the resilience of the larger community,
local markets, the supply chain and customer base, and the economy as an ecosystem.
Such a sense of corporate responsibility toward the larger community does not need
to be the highest priority in order for it to have a significant effect on the overall
resilience of a community. Laye points out that there is clearly a tension—echoed in the
earlier observation of Sarewitz, Pielke and Keykhah—between individual or corporate
action and collective consequences:
[W]e are now discussing long-term recovery with many strategic issues, and it is difficult to stop thinking about short-term restoration issues. One of the things that changes during recovery is that companies that were not only willing but also eager to assist one another with mutual aid during the response phase and on into restoration will now move back to their more normal competitive postures and become less willing to share resources. The same is true for divisions within companies. [Laye 2002, p. 165. Italics in the original].
Nevertheless, what the results of this study indicated through the Private Sector
Survey of Preparedness and Continuity Practices is that many of the private sector
entities had already adopted a program of collaboration with other private sector entities
and had achieved a higher state of motivation toward preparedness as evidenced by a
higher average number of measures actually implemented. The Framework for Private
Sector Preparedness thus may be a worthwhile model for collaborative initiatives
213
elsewhere, and should be pursued in further research to validate and perhaps broaden the
applicability of the concept as a means for enhancing private sector preparedness.
214
REFERENCES Alesch, D. J. (undated). Complex urban systems and extreme events: Toward a
theory of disaster recovery. Public Entity Risk Institute. http://www.riskinstitute.org. Accessed 15 January 2008.
Alesch, D. J., Holly, J. N., Mittler, E., and Nagy, R. (2001). Organizations at risk:
What happens when small businesses and not-for-profits encounter natural disasters. Public Entity Risk Institute. http://www.riskinstitute.org. Accessed 15 January 2008.
Alesch, D. J., Holly, J. N. Mittler, E., and Nagy, R. (2002). After the disaster ...
What should I do now? Information to help small business owners' post-disaster business decisions. Public Entity Risk Institute. www.riskinstitute.org. Accessed 15 January 2008.
Alexander, D. (2005). An interpretation of disaster in terms of changes in culture,
society and international relations. In Perry, R. W., and Quarantelli, E.L., eds. What is a disaster?: New answers to old questions. (pp. 25-38). Philadelphia: XLibris.
Amato-McCoy, D. M. (2006). Planning for continuity. Bank Systems &
Technology. 43(3) 44-48. Anderson, M. J. and Whitcomb, P. J. (2007) DOE simplified: practical tools for
effective experimentation. New York: Productivity Press. Arvai, J. L. (2003). Using risk communication to disclose the outcome of a
participatory decision-making process: Effects on the perceived acceptability of risk-policy decisions. Risk Analysis. 23(2) 281-289.
Atkinson, W. (2005). Risk management: A new strategy with a historical
perspective. Purchasing. 134(12) 37-41. Aven, T., Nilsen, E. F., and Nilsen, T. (2004). Expressing economic risk-review
and presentation of a unifying approach. Risk Analysis. 24 (4) 989-1005. Bankoff, G., Frerks, G., and Hilhorst, D. (2004). Mapping vulnerability: Disasters,
development and people. London: Earthscan Publications, Ltd. Barabasi, A. L. (2002). Linked: How everything is connected to everything else.
New York: Plume Books. Barry, J. M. (1997). Rising tide: The great Mississippi flood of 1927 and how it
changed America. New York: Simon and Schuster.
215
Barthold, J. (2007). Disaster recovery is not enough. Telecommunications
Americas. 41(3) 18-23. Barton, A. H. (2005). Disaster and collective stress. In Perry, R. W., and
Quarantelli, E.L., eds. What is a disaster?: New answers to old questions. (pp. 125-152). Philadelphia: XLibris.
Baxter, J., Guibert, G., Kuligowski, E., Rabenold, C., and Stapleton, S. (2005).
Holistic disaster recovery: Ideas for building local sustainability after a natural disaster. Fairfax, VA: Public Entity Risk Institute.
Beichman, J. (2004). Ready for anything. Journal of Housing and Community
Development. 61(2) 18-20. Beierle, T. C. (2002). The quality of stakeholder-based decisions. Risk Analysis.
22(4) 739-749. Bennett, J. (2006). Planning for resiliency. Computer Technology Review. 26(3)
24. Berke, P. R. , and Campanella, T. J. (2006). Planning for post-disaster resiliency.
The Annals of the American Academy of Political and Social Science. 604(1) 192-207.
Bernard, H., Kilworth, P., Johnsen, E., Shelley, G. and McCarthy, G. (2001)
Estimating the ripple effect of a disaster. Connections. 24(2) 30-34. Bigley, G. A., and Roberts, K. H. (2001). The incident command system: high-
reliability for complex and volatile task environments. Academy of Management Journal. 44(6) 1281-1299.
Birch, E. L., and Wachter, S. M., eds. (2006). Rebuilding urban places after
disasters: Lessons from Hurricane Katrina. Philadelphia: University of Pennsylvania Press.
Black, P. (2005). Shelter from the storm: National disasters have underlined the
importance of business continuity planning-it's not just about compliance. Financial Planning. (Nov) 1-2.
Blaikie, P., Cannon, T., Davis, I., and Wisner, B. (2003). At risk: Natural hazards,
people's vulnerability and disasters. London: Routledge. Bolin, R., and L., Stanford. (1998). The northridge earthquake: Vulnerability and
216
disaster. New York: Routledge Publishers. Bowditch, J. L., and Buono, A. F. (2001). Primer on organizational behavior.
New York: John Wiley & Sons. Britnell, A. (2003). Crisis? What crisis? Profit. 22(5) 77. Box, G. E. P. (1979). Some problems of statistics and everyday life. Journal of
the American Statistical Association. 74(365) 1-4. Boyd, D., Dunn, L. A., Arnold, A., and Ullrich, M. (2008). Why have we not been
attacked again? Special Report. Washington: Defense Threat Reduction Agency.
Britton, N. R. (2005). Whatʼs a word: Opening up the debate. In Perry, R. W., and
Quarantelli, E.L., eds. What is a disaster?: New answers to old questions. (pp. 60-78). Philadelphia: XLibris.
Bryson, J. M. (1995). Strategic planning for public and nonprofit organizations.
San Francisco: Jossey-Bass. Buchanan, L., and O'Connell, A. (2006). A brief history of decison-making.
Harvard Business Review. (January) 33-41. Business Executives for National Security. (2007). Getting down to business: An
action plan for public-private disaster response coordination. Washington, D.C. http://www.bens.org/mis_support/Getting-Down-To-Business.pdf Accessed 25 September 2008.
Capra, F. (1982). The turning point: Science, society and the rising culture. New
York: Simon and Schuster. Cerullo, V., and Cerullo, M. J. (2004). Business continuity planning: A
comprehensive approach. Information Systems Management. 21(3) 70-78.
Checa, N., Maguire, J., and Barney, J. (2003). The new world disorder. Harvard
Business Review. (August) 70-79. Chepaitis, E. . (2004). The limited but invaluable legacy of the Y2K crisis for post-
911 crisis prevention, response and management. Journal of Information Technology Theory and Applcation. 6(3) 103-116.
217
Chernick, D. R. and Appel, D. (2007). Report on the impact on consumers from potential state & national legislation designed to prepare and protect citizens from natural catastrophes. Milliman, Inc. http://www.protectingamerica.org/pdf/Milliman_Report_FINAL.pdf. Accessed 20 January 2009.
Chesser, N. ed. (2007). Deterrence in the 21st century: An effects-based
approach in an interconnected world. US Strategic Command (USSTRATCOM).
Childs, D. R., and Dietrich, S. (2002). Contingency planning and disaster
recovery: A small business guide. Hoboken: John Wiley & Sons. Chiles, J. R. (2001). Inviting disaster: Lessons from the edge of technology. New
York: Harper Business. Choi, S. O., and Kim, B. T. (2007). Power and cognitive accuracy in local
emergency management networks. Public Administration Review. 67(December) 198-209.
Christensen, C. M., Baumann, H., Ruggles, R., and Sadtler, T. M. (2006).
Disruptive innovation for social change. Harvard Business Review. (December) 94-101.
Clarke, L. (2005). Worst cases: Terror and catastrophe in the popular
imagination. Chicago: University of Chicago Press. Clemens, M. (2007). A good model should be. Idiagram. Personal website.
http://www.idiagram.com/ideas/models.html. Accessed 25 November 2008.
Clinton, W. J. (1998). Presidential decision directive/NSC-63. Critical
infrastructure protection. Washington: White House. http://www.fas.org/irp/offdocs/pdd/pdd-63.htm. Accessed 10 January 2009.
Cohen, S., Eimicke, W. and Horan, J. (2002) Catastrophe and the public service:
A case study of the government response to the world trade center. Public Administration Review. 2002(62) 24-32.
Cone, C. L., Feldman, M. A., and DaSilva, A. T. (2007). Causes and effects.
Harvard Business Review. (July) 95-101. Converse, J. M. and Presser S. (1986). Survey Questions: Handcrafting the
218
Standardized Questionnaire. Sage University Series on Quantitative Applications in the Social Sciences 7(63). Thousand Oaks: Sage Publications.
Cooper, C. and Block, R. (2007). Disaster: Hurricane Katrina and the failure of
homeland security. New York: Henry Holt and Co. Coutu, D. L. (2002). How resilience works. Harvard Business Review. (March)
46-55. Crego, J. and Spinks, T. (1997) Critical incident management simulation. In Flinn,
R., Salas, E. Strub, M., and Martin, L., eds. (1997). Decision making under stress. Aldershot, UK: Ashgate Publishing Ltd. 85-94.
Creswell, J. W. (2003). Research design: Qualitative, quantitative, and mixed
methods approaches. Thousand Oaks: Sage Publications, Inc. Crowther, K. G., Haimes, Y. Y., and Taub, G. (2007). Systemic valuation of
strategic preparedness through application of the inoperability input-output model with lessons learned from Hurricane Katrina. Risk Analysis. 27(5) 1345-1364.
Cutter, S. L. (2003). The Vulnerability of Science and the Science of Vulnerability.
Annals of the Association of American Geographers. 93(1) 1-12. Cutter, S. L., Boruff, B. J. and Shirley, W. L. (2003). Social vulnerability to
environmental hazards. Social Science Quarterly. 84(2) 242-261. Cutter, S. L. (2005). Are we asking the right questions. In Perry, R. W., and
Quarantelli, E.L., eds. What is a disaster?: New answers to old questions. 39-48. Philadelphia: XLibris.
Cutter, S. L. and Finch, C. (2008). Temporal and spatial changes in social
vulnerability to natural hazards. Proceedings of the National Academies of Science. 105(7). 2301-2306.
Cvetkovich, G., Siegrist, M., Murray, R., and Tragesser, S. (2002). New
information and social trust: Assymetry and perseverance of attributions about hazard managers. Risk Analysis. 22(2) 359-367.
Daniels, R. J., Ketle, D. F., and Kunreuther, H., eds. (2006). On risk and disaster:
Lessons from Hurricane Katrina. Philadelphia: University of Pennsylvania Press.
219
Deisler, P. F. (2002). A perspective: Risk analysis as a tool for reducing the risks of terrorism. Risk Analysis. 22(3) 405-413.
Delich, M., Kelly, R., Dreibelbis, C. (2008). Building a resilient nation: Enhancing
security, ensuring a strong economy. Symposium Series. Arlington, VA: The Reform Institute.
Deloitte Center for Health Solutions. (2007). Year Two Pandemic Preparedness
Survey. Deloitte Development, LLC.. http://www.deloitte.com/ dtt/cda/doc/content/us _chs_ yeartwopandemicsurvey121806v1.pdf. Accessed 29 December 2008.
Department of Defense. (2005). Strategy for homeland defense and civil support.
Washington, D.C. Department of Defense. (2007). Homeland defense. Joint Pub 3-27. Washington,
D.C. Department of Homeland Security. (2004). Securing our homeland: U.S.
Department of homeland security strategic plan. Washington, D.C. Department of Homeland Security. (2004) National response plan. Washington,
D.C. Department of Homeland Security. (2006). A performance review of FEMA's
disaster management activities in response to Hurricane Katrina. OIC-06-32. Washington, D.C.
Department of Homeland Security. (2006). National infrastructure protection plan.
Washington, D.C. Department of Homeland Security and Department of Transportation. (2006).
Nationwide plan review, phase 2 report. Washington, D.C. Department of Homeland Security. (2007). Pandemic influenza: Best practices
and model protocols. Washington, D.C. Department of Homeland Security. (2006). Pandemic influenza: Preparedness,
response and recovery. Guide for critical infrastructure and key resources. Washington, D.C.
Department of Homeland Security. (2007). National preparedness guidelines.
Washington, D.C.
220
Department of Homeland Security. (2007). National incident management system
(draft). FEMA 501/Draft August 2007. Washington, D.C. Department of Homeland Security. Ready Business. Website. Washington, D.C.
http://www.ready.gov/business/index.html. Accessed 15 May 2008. Department of Homeland Security. (2008). The national response framework.
Washington, D.C. Department of Transportation, Department of Homeland Security. (2004). The
national plan for research and development in support of critical infrastructure protection. Washington, D.C.
Devore, J. L. (2004). Probability and Statistics for Engineering and the Sciences.
Belmont, CA: Brooks/Cole-Thomson Learning, Inc. DiNuzzo, J. (2004). Post 9-11 employee & business protection. Occupational
Health & Safety. 73(8) 66-89. Disaster Recovery Institute International. (2003). Professional practices for
business continuity planners. https://www.drii.org/professional_prac/index.php Accessed 15 February 2008.
Dorn, M. S. (2006). The "all hazards" way. School Planning & Management.
45(4) 10. Dorner, D. (1996). The logic of failure: Recognizing and avoiding error in complex
situations. Reading PA: Addison-Wesley. Douglas, M., and Wildavsky, A. (1982). Risk and culture. Berkeley: University of
California Press. Drucker, P. (1992). The new society of organizations. Harvard Business Review.
(September-October). 95-104. Early, P. C., and Mosakowski, E. (2004). Cultural intelligence. Harvard Business
Review. (October) 139-146. Edwards, F. L. (2007). Businesses prepare their employees for disaster recovery.
Public Manager. 35(4) 7-12. Eggers, W. D. (2004) Prospering in the secure economy. New York: Deloitte
221
Touche Tohmatsu. Ellis, R. J., and Thompson, M., eds. (1997). Culture matters: Essays in honor of
Aaron Wildavsky. Boulder: Westview Press. Erikson, K. T. (1976). Everything in its path: Destruction of community in the
Buffalo Creek flood. New York: Simon and Schuster. Farazmand, A., ed. (2001). Handbook of crisis and emergency management.
New York: Marcel Dekker, Inc. Federal Emergency Management Agency. (1993). Emergency management
guide for business and industry. FEMA 141. Washington, D.C. Federal Emergency Management Agency. (2004). Are you ready? An in-depth
guide to citizen preparedness. Washington, D.C. Federal Emergency Management Act. (2007). Robert T. Stafford disaster relief
and emergency assistance act as amended, and related authorities. FEMA 592. Washington, D.C.
Federal Register. (2008). Voluntary Private Sector Accreditation and Certification
Preparedness Program. FEMA. 73(248). 24 December 2008. Federal Response Plan. (1998). FEMA 9230.1-PL. Federal Emergency
Management Agency. Washington, D.C. Finucane, M. L., Alhakami, A., Slovic, P., Johnson, S. M. (2000) The affect
heuristic in judgments of risks and benefits. Journal of Behavioral Decision Making, 13(1), 1-17.
Fishbein, M. and Ajzen, I. (1975). Belief, attitude, intention and behavior: An
introduction to theory and research. MA: Addison-Wesley Publishers. Fischoff, B. and Furby, L. (1988). Measuring values: a conceptual framework for
interpreting transactions with special reference to contingent valuation of visibility. Journal of Risk and Uncertainty. 1. 147-188.
Fischoff, B., Gonzalez, B., Small, D., Lerner, J. (2003). Judged terror risk and
proximity to the world trade center. Journal of Risk and Uncertainty. 26(2/3)137-151.
Fitzpatrick, R. and Higgins, C. (1998) Usable software and its attributes.
222
Proceedings of Human Computer Interface on People and Computers XIII. http://www.comp.dit.ie/rfitzpatrick/papers/hci98_25.pdf. Accessed 28 April 2008.
Flinn, R., Salas, E. Strub, M., and Martin, L., eds. (1997). Decision making under
stress. Aldershot, UK: Ashgate Publishing Ltd. Flynn, S. (2007). The edge of disaster. New York: Random House. Flynn, S., and Prieto, D. B. (2006). Neglected defense: Mobilizing the private
sector to support homeland security. Council on Foreign Relations. New York.
FM Global. (2008). Study reveals most large companies exposed to natural
disasters but many unprepared. Press Release. Johnstown, R.I. Fowler, F.J. (1995). Improving survey questions: Design and evaluation.
Advanced Social Research Methods Series. Vol. 38. Thousand Oaks: Sage Publications.
Garcia-Acosta V. Historical disaster research, in Hoffman, S. and Oliver-Smith, A.
eds., (2001). Catastrophe & Culture. Sante Fe: School of American Research Press.
Gavetti, G., and Rivkin, J. W. (2005). How strategists really think: Tapping the
power of analogy. Harvard Business Review. (April) 54-63. Gentner, G. and Stevens, A. L., eds. (1983). Mental models. Hillsdale, NJ:
Lawrence Erlbaum Associates, Publishers. Ghemawat, P. (2001). Distance still matters: The hard reality of global expansion.
Harvard Business Review. (September) 137-147. Gilmore, J. S. III, Chairman. (1999). Annual report to the President and the
Congress of the advisory panel to assess domestic response capabilities for terrorism involving weapons of mass destruction. Assessing the Threat. Washington: RAND.
______ Second Annual Report (2000). Toward a National Strategy for Combating
Terrorism. ______ Third Annual Report (2001). For Ray Downey.
223
______ Fourth Annual Report (2002). Implementing the National Strategy. ______ Fifth Annual Report (2003). Forging Americaʼs New Normalcy. Gladwell, M. (2000). The tipping point: How little things can make a big
difference. New York: Little, Brown and Company. Granovetter, M. (1983). The strength of weak ties. Sociological Theory. 1. 201-
233 Greenberg, J. W. (2002). Sept 11, 2001: A CEO's story. Harvard Business
Review. (October) 58-64. Greenwald, B. and Kahn, J. (2005). All strategy is local. Harvard Business
Review. (September) 95-104. Government Accountability Office. (2006). Critical infrastructure protection:
Progress coordinating government and private sector efforts varies by sectorsʼ characteristics. GAO-07-30. Washington, D.C.
_____ (2008) Past experiences offer insights for recovering from hurricanes Ike
and Gustav and other recent natural disasters. Washington, D.C. GAO-08-1120.
Haddow, G. D., and Bullock, J. A. (2006). Introduction to emergency
management. Burlington: Elsevier Butterworth-Heinemann. Hale, E. (2006). Disaster plans: Beyond single-site events. American Banker.
171(154) 11-12. Hale, T., and Moberg, C. R. (2005). Improving supply chain disaster
preparedness. Journal of Physical Distribution and Logistics Management. 35(3/4) 195-207.
Hamel, G., and Valikangas, L. (2003). The quest for resilience. Harvard Business
Review. (September) 52-63. Harrald, J. R. (2005). Back to the drawing board: A first look at lessons learned
from Katrina. Testimony before the House committee on government reform hearings. 15 September 2005.
_____ (2006). National emergency management: Where does FEMA belong?
Testimony before the Senate homeland security and government affairs committee. 8 June 2006.
224
_____ (2006). Agility and discipline: Critical success factors for disaster
response. Annals of the American Academy of Political and Social Science. 604(1) 256-272.
Harrington, S. E. (2006). Rethinking disaster policy after Hurricane Katrina. In
Daniels, R. J., Ketle, D. F., and Kunreuther, H., eds. On risk and disaster: Lessons from Hurricane Katrina. (pp. 203-222). Philadelphia: University of Pennsylvania Press.
Hart, G. and Rudman, W. B. (1999). New world coming: American security in the
21st century. Phase 1 Report. United States commission on national security in the 21st century. Washington, D.C.
_____ (2000). Seeking a national strategy: A concert for preserving security and
promoting freedom. Phase II report of the United States commission on national security/21st century. Washington, D.C.
_____ (2001). Road map for national security: Imperative for change. Phase III
report of the United States. commission on national security/21st century. Washington, D.C.
Harvard Business School. (2000). Harvard business review on crisis
management. Boston: Harvard Business School Publishing. Harvard Business School. (2001) Harvard business review on decision-making.
Boston: Harvard Business School Publishing. Hayes-Roth, B. and F. Hayes-Roth (1980). A cognitive model of planning. Human
Planning Processes. Santa Monica: RAND Report R-2670-ONR. Henry, A. (2006). Preparing for the unknown: developing a business continuity
plan. Rural Telecommunications. 25(6)14-20. Heukelom, F. (2007). Kahneman and Tversky and the Origin of Behavioral
Economics. Tinbergen Institute Discussion Paper. 2007-003/1. http://papers.ssrn.com/ sol3/papers.cfm?abstract_id=956887. Accessed 10 Oct 2008.
Hiss, S. B. (2006). Does corporate social responsibility need social capital?
Journal of Corporate Citizenship. 2006(23) 81-91. Hoch, S. J. (2001). Combining mocels with intuition to improve decisions. In
Hoch, S. J., H.C. Kunreuther and R. E. Gunther. Wharton on making
225
decisions. Hoboken: John Wiley & Sons. 81-101. Hoch, S. J., H.C. Kunreuther and R. E. Gunther. (2001). Wharton on making
decisions. Hoboken: John Wiley & Sons. Hoffman, S. M., and Oliver-Smith, A. (2002). Catastrophe & culture: The
anthropology of disaster. Santa Fe: School of American Research Press. Hofstede, G. (1997). Cultures and organizations: Software of the mind. New
York: McGraw-Hill. Hofstede, G. (2001). Culture's consequences. Thousand Oaks: Sage
Publications, Inc. Hogan, L. J., Conference Moderator. 2001. Community response to the threat of
terrorism: An online symposium. Public Entity Risk Institute. http://www.riskinstitute.org. Accessed 15 January 2008.
Hogarth, R. M, Portell, M., and Cruxart, A. (2007). What risks do people perceive
in everyday life? A perspective gained from the experience sampling method (ESM). Risk Analysis. 27(6) 1427-1439.
Homeland Security Advisory Council. (2008). Top ten challenges facing the next
secretary of homeland security. Washington, D.C. Homeland Security Council. (2006). National strategy for pandemic influenza.
Washington, D.C. Homeland Security Council. (2007). National strategy for homeland security.
Washington, D.C. Homeland Security Institute. (2007). Homeland security strategic planning:
Mission area analysis. RP 05-05-03. Arlington. H.R. 1 (2007). Implementing recommendations of the 9/11 commission act of 2007. U.S. House of Representatives, 110th Congress. Washington, D.C. http://thomas.loc.gov/cgi-bin/query/F?c110:5:./temp/~c110fnUs5s:e317311. Accessed 20 December 2008. Hutchins, G. (2006). Your future in risk management. Quality Progress. 39(3) 54-
55.
226
Interrnational Risk Governance Council. (2008). Introduction to the IRGC Risk Governance Framework. http://www.irgc.org/IMG/pdf/An_Introduction_ to_the_IRGC_Risk_Governance_ Framework. Accessed 10 September 2008.
IBM Business Solutions. (2006) Panic slowly: Integrated disaster response and
built-in business continuity. White Paper. http://www-935.ibm.com/services/us/ bcrs/pdf/wp_integrated-disaster-response.pdf. Accessed 15 September 2007.
Johnson, R. M. (2006). Planning for emergencies. Associations Now. May. 24. Kahneman, D., Slovic, P. and Tversky, A., eds. (1982). Judgment under
uncertainty: Heuristics and biases. Cambridge: Cambridge University Press.
Kaplan, R. S., and Norton, D. P. (2000). Having trouble with your strategy? Then
map it. Harvard Business Review. (September) 167-176. Kaplan, R. S., and Norton, D. P. (2005). The office of strategy management.
Harvard Business Review. (October) 74-80. Kapucu, N. (2005). Interorganizational Coordination in Dynamic Context:
Networks in Emergency Management. Connections. 26(2) 33-48. Kasperson, R., Renn, O., Slovic, P., Brown, H., Emel, J., Goble, R., Kasperson
J., and Ratick, S. (1988). The social amplification of risk: a conceptual framework. Risk Analysis. 8(2). 178-187
Kayyem, J. N., and Pangi, R. L., eds. (2003). First to arrive: State and local
responses to terrorism. Cambridge: MIT Press. Kettl, D. F. (2006). Is the worst yet to come? Annals of the American Academy of
Political and Social Science. 604(1) 273-287. Kim, W. C., and Mauborgne, R. (2003). Tipping point leadership. Harvard
Business Review. (April) 60-69. Kissel, R. Small business information security: The fundamentals. National
Institute of Standards and Technology. NSTIR 7621 (Draft). (2009). Klein, G. (1997). The current status of the naturalistic decision-making
framework. In Flinn, R., Salas, E. Strub, M., and Martin, L., eds. (1997). Decision making under stress. Aldershot, UK: Ashgate Publishing Ltd. 12-
227
28. Klein, G., Snowden, D. and Pin, C. (2007). Anticipatory thinking. In Moiser, K.
and Fischer, U., eds. (2007). Proceedings of the eighth international conference on naturalistic decision-making. Pacific Grove, CA. http://bss.sfsu.edu/kmosier/NDM8_Proceedings.pdf. Accessed 20 March 2009.
Koller, G. (2005). Risk assessment and decision making in business and
industry. Boca Raton: Chapman & Hall/CRC. Krell, E. (2006). Worst-case scenario. Electric Perspectives. 31(6) 52-67. Kreps, G. ed. (2006). Facing hazards and disasters: Understanding human
dimensions. Washington, D.C.: National Research Council, National Academy of Sciences.
Kridel, M. S. (2006). Disaster recovery survival equation: Bc>dr+l. Infotech
Update. 15(6) 1-5. Kuhn, T.S. (1970). The Structure of Scientific Revolutions. 2nd ed. Chicago:
University of Chicago Press. Kunreuther, H., Movemsky, N. and Kahneman, D. (2001). Making Low Probabilities
Useful. Journal of Risk and Uncertainty. 23(2) 103-120. Kunreuther, H. (2002). Risk analysis and risk management in an uncertain world.
Risk Analysis. 22(4) 655-664. Kunreuther, H. (2002). Insurance in managing extreme event: Implications for
terrorism coverage. Risk Analysis. 22(3) 427-437. Kunreuther, H. (2006). Risk and reaction. Harvard International Review. 28 (3)
38-42. Kunreuther, H., Meyer, R. and Van den Bulte, C. (2004). Risk analysis for
extreme events: Economic incentives for reducing future losses. Gaithersburg, MD: National Institute of Standards and Technology. NIST GCR 04-871.
Kunreuther, H. (2006). Has the time come for comprehensive natural disaster
insurance? In Daniels, R. J., Ketle, D. F., and Kunreuther, H., eds. On risk and disaster: Lessons from Hurricane Katrina. (pp. 175-202).
228
Philadelphia: University of Pennsylvania Press. Kuzyk, R. (2007). Serving through disaster. Library Journal. 132(5) 26-29. Lattin, J., Carroll, D. J. and Green, P. E. (2003). Analyzing multivariate data.
Pacific Grove, CA: Brooks/Cole-Thomson Learning, Inc. Laye, J. (2002). Avoiding disaster: How to keep your business going when
catastrophe strikes. Hoboken: John Wiley & Sons. Leavitt, H. J. (2003). Why hierarchies thrive. Harvard Business Review. (March)
96-102. Lerbinger, O. (1997). Crisis manager. Mahwah NJ: Lawrence Erlbaum
Associates, Inc. Lindell, M. K., Prater, C., and Perry, R. W. (2007). Introduction to emergency
management. Hoboken: John Wiley & Sons. Lipsky, J. (2008). IMF says crisis marks tectonic shift in financial markets. IMF
Survey Magazine. 25 September 2008. http://www.imf.org/external/pubs/ ft/survey/so/2008/new092508a.htm. Accessed 23 October 2008.
MacGregor, D.G. (2003). Public response to Y2K: Social amplification and risk
adaptation: or, “how I learned to stop worrying and love Y2K. In Pidgeon, Kasperson and Slovic (eds.). The Social Amplification of Risk. (pp. 243-261). Cambridge: Cambridge University Press.
Mackey, W. F., Long, J., Crisp, H., Mayian, S., Cropley, D., and Raza, Shabaz.
(2002). The role of systems engineering in combating terrorism. Paper presented at the International Council on Systems Engineering 2002. Las Vegas.
Magnusson, P. Thornton, E., Brady, D., and Ante, S. (2004). What companies
need to do. Business Week. (3896) 26-27. Masuda, J. R., and Garvin, T. (2006). Place, culture, and the social amplification
of risk. Risk Analysis. 26(2) 437-454. McCarthy, E. (2007). Tech tools for disaster recovery. Journal of Financial
Planning. 20(2) 28-34.
229
McGill, W. L., Ayyub, B. M., and Kaminskiy, M. (2007). Risk analysis for critical asset protection. Risk Analysis. 27(5) 1265-1269. Meyer, R. J. Why we under-prepare for hazards. (2006). In Daniels, R. J., Ketle,
D. F., and Kunreuther, H., eds. On risk and disaster: Lessons from Hurricane Katrina. (pp. 153-174). Philadelphia: University of Pennsylvania Press.
Mileti, D. S. (1999). Disasters by design. Washington, D.C.: National Academy of Sciences. Moiser, K. and Fischer, U., eds. (2007). Proceedings of the eighth international
conference on naturalistic decision-making. Pacific Grove, CA. http://bss.sfsu.edu/kmosier/NDM8_Proceedings.pdf. Accessed 20 March 2009.
Molich, R. and Nielsen, J. (1990) Improving a human-computer dialogue.
Communications of the Association for Computing Machinery. 33(3) 338-348.
Mitroff, I. I., Pauchant, T. C. (1992). Transforming the crisis-prone organization.
San Francisco: Jossey-Bass, Inc. Mitroff, I, I., Pearson, C. M., and Harrington, L. K. (1996). The essential guide to
managing corporate crises. New York: Oxford University Press. Mitroff, I. and Anagnos, G. (2001). Managing crises before they happen: What
every manager needs to know about crisis management. New York: Amacon Publishing.
Mitroff, I. I., and Alpaslan, M. C. (2003). Preparing for evil. Harvard Business
Review. (April) 109-115. Mitroff, I. (2005). Why some companies emerge stronger and better from a crisis:
7 essential lessons for surviving disaster. New York: Amacon Publishing. Montgomery, D. C. (2005). Design and Analysis of Experiments. 6th Ed.
Hoboken: John Wiley and Sons. Moore, G. A. (2007). Focus on the middle term. Harvard Business Review. (July)
84-90. Morgan, J., and Mellinger, B. (2003). "Disaster doctrine." Association
230
Management. 55(9) 26-29. Morgan, M. G., Fischhoff, B., Bosatrom, A., and Atman, C. J. (2002). Risk
communication: A mental models approach. Cambridge: Cambridge University Press.
Morganti, M. (2002). A business continuity plan keeps you in business.
Professional Safety. 47(1) 19. Moss, M. L., and Shelhamer, C. (2007). The Stafford Act: Priorities for reform.
The Center for Catastrophe Preparedness and Response, New York: New York University.
Moteff, J. and Parfomak, P. (2004) Critical infrastructure and key assets:
Definition and identification. CRS Report for Congress. Congressional Research Service. Washington, D.C.
Moynihan, D. P. (2007). From forest fires to Hurricane Katrina: Case studies of
incident command systems. IBM Center for the Business of Government. Washington, D.C.
Murphy, C., and Gardoni, P. (2006). The role of society in engineering risk
analysis: A capabilities-based approach. Risk Analysis. 26(4) 1073-1083. National Commission on the Terrorist Attacks Upon the United States. (2005).
The 9/11 Commission Report. New York: W.W. Norton & Company. National Fire Protection Association. (2007). Standard on disaster/emergency
management and business continuity programs (NFPA 1600). Quincy, MA.
Nielsen, J. (1993). Usability engineering. San Francisco: Morgan Kaufmann. Nielsen, J. (1994). Conduct a heuristic evaluation. Online instruction guide.
http://www.useit.com/papers/heuristic/heuristic_evaluation.html . Accessed 13 September 2008.
Nielsen, J. and Levy, J. (1997). Measuring usability: preference vs. performance.
Communications of the Association for Computing Machinery. 37(4) 66-77.
Norris, F., Stevens, S. P., Pfefferbaum, B., and Wyche, K. F. (2008) Community
231
resilience as a metaphor, theory, set of capacities, and strategy for disaster readiness. American Journal of Community Psychology. 41(4) 127-150.
O'Hanlon, M., Orszag, P. R., and Daalder, I. H., et al. (2002). Protecting the
American homeland: A preliminary analysis. Washington, D.C: Brookings Institution Press.
Omand, D. (2004). Emergency planning, security and business continuity. RUSI
Journal. 149(4) 26-33. Orasanu, J. (1997) Stress and naturalistic decision making: Strengthening the
weak links. In Flinn, R., Salas, E. Strub, M., and Martin, L., eds. (1997). Decision making under stress. Aldershot, UK: Ashgate Publishing Ltd. 43-66.
Osborne, M. (2005). Crisis management. Telecommunications International.
39(12) 32-33. Pelling, Ma. (2003). The vulnerability of cities: Natural disaster and social
resilience. London: Earthscan Publications, Ltd. Perr, J. 2004. Cognitive dissonance, terrorism and 9/11. Perspectives.com.
March 30. http://www.perrspectives.com/articles/art_cogdis01.htm Accessed 04 January 2008.
Perrow, C. (1999). Normal accidents. Princeton: Princeton University Press. Perrow, C. (2007). The next catastrophe: Reducing our vulnerabilities to natural,
industrial, and terrorist disasters. Princeton: Princeton University Press. Perry, R. W., and Quarantelli, E.L., eds. (2005). What is a disaster?: New
answers to old questions. Philadelphia: XLibris. Perry, R. W. (2007) Introduction in Rodriguez, H., and Quarantelli, E. L., eds.
(2007). Handbook of disaster research. New York: Springer Publishing. Pidgeon, N., Kasperson, R. E., and Slovic, P., eds. (2003). The social
amplification of risk. Cambridge: Cambridge University Press. Pine, J. C. (2007). Technology in emergency management. Hoboken: John
Wiley & Sons. Plane, K. (2007). A very peculiar practice? Promulgating social partnerships with
232
small business. Australian Journal of Adult Learning. 47(1) 25-45. Porter, M. E. , and Kramer, M. R. (2006). Strategy & society: The link between
competitive advantage and corporate social responsibility. Harvard Business Review. (December) 78-92.
Putnam, R. D., and Feldstein, L. M. (2003). Better together: Restoring the
American community. New York: Simon & Schuster. Raish, W., Statler, M. and Burgi, P. (2007). Mobilizing corporate resources to
disasters: Toward a program for action. InterCEP White Paper. New York University. http://www.nyu.edu/intercep/events/20070125-218.html. Accessed 20 July 2007.
Rasmussen, J. (1997). Merging paradigms: Decision making, management, and
cognitive control. In Flinn, R., Salas, E. Strub, M., and Martin, L., eds. (1997). Decision making under stress. Aldershot, UK: Ashgate Publishing Ltd. 67-81.
Rayner, S. (1988). Muddling through metaphors to maturity: A commentary on
Kasperson, et al, The social amplification of risk. Risk Analysis. 8(2) 201-204.
Relyea, H. C. (2006). National emergency powers. CRS Report to Congress.
Washington, D.C. Renn, E. O. (2000). Cross-cultural risk perception - a survey of empirical studies.
Amsterdam: Kluwer Academic Publishers. Renn, E.O. (2006). Risk governance: Towards an integrative approach.
International Risk Governance Council. White Paper Nr. 1. Geneva. Richardson, H. W., Gordon, P., and Moore J. E., eds. (2007). The economic
consequences and costs of terrorism. Cheltenham: Edward Elgar Publishing, Inc.
Rigby, D., and Bilodeau, B. (2007). A growing focus on preparedness. Harvard
Business Review. (July) 21-22. Ripley, A. (2008). The Unthinkable: Who survives when disaster strikes and why.
New York: Crown Publishers. Roberts, J., and Ohlhorst, F. J. (2005). Disaster planning promises big channel
233
profits. CRN channel web research network. (January) 22. Rodriguez, H., and Quarantelli, E. L., eds. (2007). Handbook of disaster
research. New York: Springer Publishing. Rose, A. Z. (2004). Defining and measuring economic resilience to disasters.
Disaster prevention and management. 13. 307-314. _______ (2009). A framework for analyzing the total economic impacts of
terrorist attacks and natural disasters. Journal of Homeland Security and Emergency Management. 6(1) 1-27.
Rubin, C. ed. (2007). Emergency management: The American experience 1900-
2005. Fairfax, VA: Public Entity Risk Institute. Ruiz, G. (2005). Business continuity plans for an avian flu pandemic largely off
workforce radar. Workforce Management. 84(14) 34-37. Rutledge, A., and Boykin, K. (2006). After the fire. Circuits Assembly. 17(6) 26-
33. Ryan, J. J. C. H. (2001). Information security practices in small business.
Dissertation. The George Washington University, Washington, D.C. Sarewitz, D., Pielke, R. and Keykhah, M. (2003). Vulnerability and risk: Some
thoughts from a political and policy perspective. Risk Analysis. 23(4) 805-810.
Sarrel, M. D. (2007). Your disaster recovery plan: Building a business continuity
plan in case of disaster is vital to the survival of your company. PC Magazine. 26(2) 1.
Schein, E. H. (1992). Organizational culture and leadership. San Francisco:
Jossey-Bass. Schmidtklein, M. C., Deutsch, R. C., Piegorsch, W., and Cutter, S. L. (2008). A
sensitivity analysis of the social vulnerability index. Risk Analysis 28(4) 1099-1114.
Schwarzman, S. (2008). Some lessons of the financial crisis. Wall Street Journal.
4 November 2008. http://online.wsj.com/article/SB122576100620095567 .html. Accessed 15 December 2008.
Shaw, G. L., and Harrald, J. R., (2006) Identification of the core competencies of
234
executive level business crisis and continuity managers.” Journal of Homeland Security and Emergency Management. 1 (1) http://www.bepress.com/jhsem/vol1/iss1/1/. Accessed 14 November 2007.
Senate, U.S. (2006). Hurricane Katrina: A nation still unprepared. Special Report
of the Committee on Homeland Security and Governmental Affairs. S. Rept. 109-322. http://hsgac.senate.gov/_files/Katrina/FullReport.pdf. Accessed 15 Jan 2008.
Senge, P. (1990). The fifth discipline: The art & practice of the learning
organization. New York: Currency Doubleday. Sheffi, Y. (2007). The resilient enterprise: Overcoming vulnerability for
competitive advantage. Cambridge: MIT Press. Sheffi, Y., and Rice, J. B. (2005). A supply chain view of the resilient enterprise.
MIT Sloan Management Review. 47(1) 41-48. Silverstein, M. E. (1992). Disasters: Your right to survive. Washington, D.C:
Brassey's Publishing. Simpson, D. (2006). The metrics of hazards and the hazards of metrics:
Thoughts on the measurement of community preparedness. Briefing for the Disasters Roundtable. University of Louisville: Center for Hazards Research and Policy Development.
Slovic, P. (2000). The perception of risk. London: Earthscan Publications LTD. Slovic, P. (2002). Terrorism as hazard: A new species of trouble. Risk Analysis.
22(3) 425-426. Slovic, P., Fischhoff, B., and Lichtenstein, S. (1979). Rating the risks.
Environment. 21(3) 14-39. Slovic, P., Fischhoff, B., and Lichtenstein, S. (1980). Facts versus fears:
Understanding perceived risk. In Kahneman, D., Slovic, P. and Tversky, A., eds. (1982). Judgment under uncertainty: Heuristics and biases. (pp. 464-489). Cambridge: Cambridge University Press.
Slovic, P. Kunreuther, H. and White. G. (1974). Decision processes, rationality
and adjustment to natural hazards. In Slovic, P. (2000). The perception of
235
risk. (pp. 1-31). London: Earthscan Publications LTD. Smith, D. (2005). In the eye of the beholder? Making sense of the system(s) of
disaster(s). In Perry, R. W., and Quarantelli, E.L., eds. What is a disaster?: New answers to old questions. (pp. 201-236). Philadelphia: XLibris.
Snowden, D. J., and Boone, M. E. (2007). A leader's framework for decision
making. Harvard Business Review. (November) pp. 69-76. Solovoy, A. (2007). Business continuity planning. Hospitals and Health Networks.
6(2) 34-43. Spector, P. E. (1992). Summated Rating Scale Construction: An Introduction.
Sage University Series on Quantitative Applications in the Social Sciences 7(82). Thousand Oaks: Sage Publications.
Stallings, R. A., ed. (2003). Methods of disaster research. Philadelphia: Xlibris
Corp. Steinberg, J. (2002). The management of the human impact of a large-scale
community disaster: A perspective on the world trade center terrorist attack. Brief Treatment and Crisis Intervention. 2(2) 173-181.
Steinberg, T. (2006). Acts of god: The unnatural history of natural disaster in
America. 2nd edition. New York: Oxford University Press. Susman, T. (2003). Terrorism: Real threats. Real costs. Joint solutions.
Monograph. The Business Roundtable. Washington, D.C. Sutcliffe, K. M., and Weber, K. (2003). The high cost of accurate knowledge.
Harvard Business Review. (May) 74-82. Syed, A., and Syed, A. (2004). Business continuity planning methodology.
Mississauga, ON: Sentryx. Thomas, A., and Fritz, L. (2006). Disaster relief, inc. Harvard Business Review.
(November) 114-122. Thomas, W. M. (2007). Community resilience: Exploring the conceptual
framework. Bulletin of the American Meteorological Society. 88(3) 407-407.
Thompson, M., Ellis, R. J., and Wildavsky, A., eds. (1980). Cultural theory.
236
Boulder: Westview Press. Tierney, K. J. (2007). Businesses and disasters: Vulnerability, impact and
recovery. In Rodriguez, H., and Quarantelli, E. L., eds. Handbook of disaster research. (pp. 275-296). New York: Springer Publishing.
Turkle, S. (2003). Technology and human vulnerability. Harvard Business
Review. (September) 43-50. Tversky, A. and Kahneman, D. (1971). Belief in the law of small numbers.
Psychological Bulletin. 2. 105-110. Tversky, A. and Kahneman, D. (1973). Availability: A heuristic for judging
frequency and probability. In Kahneman, D., Slovic, P. and Tversky, A., eds. (1982). Judgment under uncertainty: Heuristics and biases. (pp. 164-178.) Cambridge: Cambridge University Press
Tversky, A. and Kahneman, D. (1974). Judgment under uncertainty. Science.
185(4157) 1124-1131. Tversky, A. and Khaneman, D. (1992). Advances in Prospect Theory: Cumulative
Representation of Uncertainty. Journal of Risk and Uncertainty. 5. 297-323. U.S. Congress (1988). Robert T. Stafford disaster relief and emergency
assistance act. Public Law 93-288. U.S. Code Title 42. Chap. 68. U.S. Congress (2002). Homeland Security Act of 2002. Public Law 107-296. H.R.
5005. 107th Congress. U.S. Congress. (2007). Implementing recommendations of the 9/11 commission
act of 2007. H.R. 1. 110th Congress. U.S. Northern Command. (2004). Civil support concept of employment. Colorado
Springs, CO. U.S. Northern Command. (2006). Defense support of civil authorities. CONPLAN
2501-05. Colorado Springs, CO. Vale, L. J., and Campanella, T. J., eds. (2005). The resilient city: How modern
cities recover from disaster. New York: Oxford University Press. Van Dorp, J., Merrick, R., Harrald, J., Mazzuchi, T., Grabowski, M. (2001). A risk
management procedure for the Washington state ferries. Risk Analysis. 21(1). 127-142
237
Vose, D. (2008). Risk analysis: a quantitative guide. West Sussex: John Wiley &
Sons Ltd. Wainwright, V. L. (2007). Business continuity by design. Health Management
Technology. 28(3) 20-21. Watkins, M. D., and Bazerman, M. H. (2003). Predictable surprises: The
disasters you should have seen coming. Harvard Business Review. (March) 73-80.
Weick, K. E., and Sutcliffe, K. M. (2001). Managing the unexpected: Assuring
high performance in an age of complexity. San Francisco: Jossey-Bass. White House. (2002). National strategy to combat weapons of mass destruction.
Washington, D.C. White House. (2003) National strategy for physical protection of critical
infrastructures and key assets. Washington, D.C. White House. (2003). National strategy for combating terrorism. Washington,
D.C. White House. (2003). National strategy to secure cyberspace. Washington, D.C. White House (2003). Critical infrastructure identification, prioritization, and
protection. Homeland security presidential directive 7. Washington, D.C. White House. (2006). National security strategy of the United States.
Washington, D.C. White House. (2007). National strategy for information sharing. Washington, D.C.
238
APPENDIX A: SAMPLE SURVEY
Private Sector Survey of Preparedness and Continuity Practices INTRODUCTION
Dear Participant, We are asking for your help in fil l ing out a survey on local preparedness for emergency situations or disasters that could affect your community. This survey asks questions regarding the state of planning and awareness of potential emergencies affecting your organization or business. In addition, the survey is intended (1) To provide your local Office of Emergency Management with a picture of the current state of knowledge, experience, and resources for emergency and disaster response among private sector business, industry and non-profit organizations in your region. (2) To provide your local Chamber of Commerce and civic organizations like Citizens Corps with information to better serve your region in developing a program of training, education and outreach for strengthening the preparedness and resilience of your community. The survey has 25 questions and should take about 20 minutes to complete. IMPORTANT: Since this survey is intended to understand the preparedness level of business and non-profit organizations in your region (and not you as a private citizen) please ensure that your organization responds to this survey only once. The next page contains important information on the survey and your agreement to participate. If you agree, please indicate by selecting the “I agree” button at the end of the information, and you will be directed to the survey. By answering this survey, you will help make our region safer and better able to recover in the event of a disaster. We very much appreciate your time and assistance.
239
Organization Characteristics 1. Please answer the following questions to describe your company or organization. If your organization is an affil iate, franchise or member of a larger corporation or organization, please answer only for the division or branch that exists in your geographic area (county or city). Describe your company or organization in terms of its type and size Publicly traded Privately owned Non-Profit Government Agency and as applicable, Minority owned Veteran owned Woman owned Not applicable Please describe the number of employees and/or members. For Non-Profits and organizations, please indicate both employees (i.e., paid staff) and total membership. Employees Members 1-25 1-25 51-100 51-100 101-500 101-500 501-1000 501-1000 Over 1000 Over 1000 What are your company’s or organization’s total assets/property (including inventory) and its annual revenue? Assets/property/inventory Annual revenue $1 to $999,999 $1 to $999,999 $1 million to $15 million $1M to $15M Over $15 million to $35 million Over $15M to $35M Over $35 million to $165 million Over $35M to $165M Over $165 million to $500 million Over $165M to $500M Over $500 million Over $500M N/A – government agency N/A – govt agency
What sort of work does your business or organization do? Please select the closest match. (Adapted from the North American Industrial Classification System, NAICS 2007)
Agriculture and Environment: Crop production, horticulture, aquaculture. Animal husbandry, fisheries, hunting/fishing. Forestry, logging, timber operations.
Mining: Oil, gas and coal extraction. Metal ore mining and processing. Non-metallic mineral mining and quarrying.
240
Construction: Residential/ non-residential buildings.
Civil engineering and utilities construction. Transportation systems (road, rail, terminal). Telecommunications construction. Construction of public works.
Utilities and infrastructure operation: Electrical power generation and distribution. Water supply, irrigation and storage. Sewage/waste water and reclamation. Telecommunications (wired, wireless, broadcast).
Manufacturing
Wholesale Sales and Trade
Retail Sales and Trade
Transportation and Warehousing: Aviation, air transport and operations. Rail and freight (trucking)industries. Maritime operations, shipping and transport. Passenger ground transportation. Warehousing and storage.
Real Estate development, sales, rental, leasing: Includes both residential and non-residential.
Finance, Banking and Insurance industries
Education (schools, universities, vocational)
Civic, professional, political organizations
Medical and Healthcare: Health care facilities and clinics (out-patient). hospitals and in-patient medical care. Pharmacies and laboratory services; Public and environmental health.
Public Safety and Security: Fire protection and rescue services. Police, physical security and personal protective services. Emergency medical and ambulance services. Emergency management.
Information technology, publishing, electronic and print media, journalism: Printing trade, books, periodicals, newspapers. Motion picture and video industries. Sound recording industries. Radio / Television broadcasting. Internet publishing and transmission.
241
Administrative Services: Executive and administrative support. Facilities management and janitorial services; Environmental and resource management. Computer programming / IT systems support.
Personal Service Sector: Personal care. Barber and beauty services. Household services. Funeral and mortuary services.
Tourism and Recreation:: Hotels and guest accommodations. Food service, restaurants, drinking places. Entertainment and recreation. Arts and performance industries.
Professional, scientific and technical services: Scientific, engineering and technical services. Legal, accounting, bookkeeping services. Architecture and industrial engineering; Information Technology and data processing. Scientific research and development.
Marketing, Advertising, Public Relations
Professional Consulting
Religious services and organizations
Social services and relief agencies
Other
242
This first series of questions concerns steps your organization may already be taking to protect its assets, employees and operations in the event of a regional disaster or workplace emergency. Please note that where we say “organization” we also mean “company,” “office” or “business.” 2. Does your organization have a written plan for handling workplace emergencies such as a small fire, bomb threat, workplace violence or emergency evacuation? Yes No 3. Does your organization have a written plan (usually called a Continuity of Operations Plan, or COOP) for maintaining operations and recovering from large-scale damage from a fire, tornado or hurricane? Yes No 4. Does your organization have a location identified as an alternate headquarters or base of operations in the event that you must evacuate your normal workplace for some period of time? Yes No 5. Has your organization identified a route for the emergency evacuation of your employees with a rendezvous point or call-in telephone number to account for them after they evacuate? Yes
No 6. Does your company or organization maintain a back-up copy of its important files or information like financial accounts and sales records at some location other than your regular place of business? Yes
No 7. Has your organization conducted any training sessions for your employees or members in emergency response measures, evacuation, or disaster preparedness? Yes
No 8. Has your organization conducted any exercises or drills to test your emergency plan and familiarize employees or members in the procedures to be taken in an emergency? Yes
No
243
9. If your organization has a written plan for emergency response or business continuity planning, did you receive assistance from another organization or resource in writing it? If “yes” please indicate the source of that assistance.
We do not have a written plan. We have a written plan but no assistance was received in writing it. Yes we have a plan, and we received assistance from the following sources: (Select all that apply):
Parent corporation or headquarters staff Private consultant or firm we hired to develop the plan Corporate partner or partner in a mentor-protégé relationship Professional organization, association or club Guidelines adopted from a textbook or professional journal Guidelines utilized from another company’s critical incident plan Guidelines from a federal agency (FEMA, DHS, DOE, NIST) Guidelines from a state emergency management agency Guidelines from a local (county/city) office Other (please specify) __________________________________ 10. Who in your organization is responsible for the management of emergency preparedness or continuity of operations planning? President, Owner or CEO A professional emergency manager within the company An employee who serves as company emergency manager or security officer A professional emergency manager at our corporate headquarters A consultant or subject matter expert hired by the company Other (please specify) ________________________________________________ 11. Has the individual noted in the question above received formal training in emergency preparedness continuity of operations planning, risk management or a similar subject? Yes
No If yes, please indicate when the most recent training session or seminar was attended. Within the last year
Between 1 and 2 years ago. Between 2 and 3 years ago.
More than 3 years ago, but within the last 5 years. More than 5 years ago. 12. Does your organization coordinate with a partner or with members of a group for emergency preparedness or continuity of operations planning or training? Yes No If yes, please indicate the type of partner you coordinate with (select all that apply): Another business or organization similar to our own A professional organization or trade association A business organization or planning group in our neighborhood or area The local Chamber of Commerce The local Citizens Corps chapter A community service organization (Kiwanis, Rotary Club, Lions Club) A local First Responder (fire dept., police dept., emergency management, etc.) A high school, community college, vocational school or university A church or faith-based organization A local non-profit relief organization A national or federal organization or agency (i.e., American Red Cross). Other (please specify) __________________________________________________
244
The following questions are about your sense of the threats to your own business, and how your community might help you deal with them. 13. Within the last five years, has your business or organization experienced an incident that caused a loss of work, damaged your company’s assets, or caused an interruption in normal operations? Yes No If yes, please indicate the extent of loss and interruption to operations, and when it occurred. If your organization suffered more than one incident, add the total time and cost. Monetary loss: Loss of operations: Time of occurrence: under $10,000 Less than a work day Within the last year $10,001-$50,000 One working day Within the last 3 years $50,001-$150,000 Two to five working days 3 to 10 years ago $150,001-$500,000 Six to twenty working days Over 10 years ago Over $500,000 More than a month 14. If you answered yes to the previous question, please indicate the type of emergency or disaster that caused the damage or interruption to operations for your company or organization (check all that apply). Fire Act of vandalism or sabotage Flood Theft of property or assets Tornado Loss of computer data or records Hurricane or storm Failure of transportation system Act of terrorism Loss of electrical power or utilities Workplace accident Geologic disaster (earthquake, Employee absenteeism mudslide, etc.) 15. From the list below please rate the “threats” to continuity of operations, profitability or survival of your organization or business, based on a scale of 1 (not threatening) to 5 (very threatening): NOT A THREAT A REAL THREAT a. Fire on your own property 1 2 3 4 5 b. Fire in a neighboring or adjacent property 1 2 3 4 5 c. Natural disaster (flood, hurricane, tornado) 1 2 3 4 5 d. Theft of property (real or intellectual) 1 2 3 4 5 e. Act of vandalism or sabotage 1 2 3 4 5 f. Terrorist attack in your area or neighborhood 1 2 3 4 5 g. Terrorist attack outside your community (like 9/11) 1 2 3 4 5 h. Loss/corruption of computer files or records 1 2 3 4 5 i. Workplace violence (involving employees) 1 2 3 4 5 j. Workplace accident (to customer or employee) 1 2 3 4 5 k. Public utilities failure (power, water, telephone) 1 2 3 4 5 l. Employee absenteeism (illness, injury, strike) 1 2 3 4 5 m. Pandemic Influenza, “Bird Flu,” SARS, or epidemic 1 2 3 4 5 n. Product or service liability lawsuit 1 2 3 4 5 o. Interruption in supply or delivery chain 1 2 3 4 5 p. Loss of customer confidence or satisfaction 1 2 3 4 5 q. Market failure, recession, or other economic crisis 1 2 3 4 5
245
16. In your opinion, how likely is it that a terrorist attack of the sort listed below would happen in a way that would have an impact on your business? NOT LIKELY HIGHLY LIKELY a. A car bomb in our area 1 2 3 4 5 b. IED (Improvised Explosive Devices) on U.S. highways 1 2 3 4 5 c. A suicide bomber in a public place or business 1 2 3 4 5 d. Act of biological terrorism that could affect employees 1 2 3 4 5 e. A nuclear “dirty” bomb in a major U.S. city 1 2 3 4 5 f. A bomb smuggled into an American port aboard a ship 1 2 3 4 5 g. A nuclear weapon detonated in a major U.S. city 1 2 3 4 5 h. A computer attack that would affect commerce 1 2 3 4 5 17. Have you ever looked up or used the information at the FEMA or DHS websites on emergency preparedness and continuity planning for business, industry and non-profit organizations?**
No; I have never checked into the FEMA or DHS websites. Yes; but I have never downloaded or used any of the information. Yes; I have downloaded some of the FEMA guidebooks for use by my
organization. Yes; I have downloaded the guidebook “Ready Business” for use by my organization.
**The FEMA website is at http://www.fema.gov/business/index.shtm The DHS website is at http://www.ready.gov/business/index.html 18. What do you think are the most important responsibilities of federal government and agencies like the Department of Homeland Security (DHS) and the Federal Emergency Management Agency (FEMA) for ensuring that communities can survive and recover after a major regional catastrophe? NOT IMPORTANT VERY IMPORTANT a. Providing funding, training and education so citizens, 1 2 3 4 5 businesses and industry can take care of themselves. b. Ensuring local government and first responders are trained 1 2 3 4 5 funded and prepared to protect their communities. c. Standardizing procedures and communications systems 1 2 3 4 5 across agencies and from federal to state and local levels so response can be efficiently and capably managed. d. Guaranteeing adequate manning, training and equipment 1 2 3 4 5 for the National Guard, Coast Guard and U.S. military. e. Ensuring support for relief organizations like Red Cross, 1 2 3 4 5 Salvation Army and faith-based organizations so they can respond when called. 19. In your opinion, how much responsibility do each of these groups have for ensuring the safety and security of your community and the businesses that support it? NOT MUCH RESPONSIBILITY A KEY RESPONSIBILITY a. The businesses and private citizens themselves 1 2 3 4 5 b. City and County government 1 2 3 4 5 c. Local Police, Fire Department and First Responder 1 2 3 4 5 d. State government and state agencies 1 2 3 4 5 e. The National Guard and U.S. military 1 2 3 4 5 f. Federal agencies like FEMA and DHS 1 2 3 4 5 g. The President and Congress 1 2 3 4 5
246
20. In general, do you believe that your community is more prepared now to survive a major disaster or terrorist attack than it was before 9/11?
More prepared now than we were then. About the same. Not as prepared now as we were then.
The following questions are intended to help professional emergency managers in your community identify and develop programs that would assist business and organizations in emergency planning and preparedness. Please answer all that apply to you. 21. If your organization does not currently have an emergency plan or continuity of operations plan, what most prevents you from developing one? (Select all that apply.) Not appropriate for my business/organization No one in our organization has the expertise or knowledge Costs too much in time or consulting fees to develop one The minimal risks we face do not justify the time or expense It’s not a priority at this time Other (please specify) ______________________________________________ 22. Since the U.S. terrorist attacks on 9/11/2001, have there been many changes in the way your business or organization handles workplace security and preparedness measures? Please answer all that apply.
Yes. Since 9/11 we have taken measures to improve our security and/or preparedness.
No. There have been no real changes in the way we handle security or preparedness. Indicate any of the following steps that your organization has taken to improve security or workplace preparedness:
Our employees and visitors now wear security ID badges on the workplace. We have written a security plan for the organization. We have written an emergency preparedness and response plan. We have installed surveillance equipment on our premises. We have hired or established special security personnel. We have established a position as Security Officer in our business. We have joined a security or preparedness group to protect our neighborhood. Other (please specify) _______________________________________________
23. If your organization adopted any of the measures listed above, what would you estimate the annual costs to your business have been for these added security measures? (Include the cost of personnel wages for implementing or maintaining these programs). Less than $5000 per year. Between $5000 and $9999. Between $10,000 and $49,999. Between $50,000 and $250,000. More than $250,000 annually.
247
24. Would your company or organization be interested in joining with other businesses in your region to share expertise and conduct joint planning to enhance your community’s ability to respond to an emergency and to recover the local economy after a major disaster?
We already belong to such an organization. Yes No Not sure; it would depend on the circumstances. Other (please specify). ___________________________________________
25. Would your company or organization be willing to register company supplies, services or equipment to be placed on a local listing with your city or county emergency management agency so that it could be included in resource planning in the event of a large-scale disaster in your area? We have already provided a list of our services/equipment to local Emergency Management. Yes; if the local agency developed a list of local resources, we would be willing to participate. Yes; we could provide time and talent of our personnel if we were properly trained for it. No; there is nothing we could offer that would be of use in a disaster or emergency. No; we are not in a position to participate in a program like this. Other (please specify) _______________________________________________