Risk mitigation is the process of planning and developing options to reduce threats or risks to people. Resilience is the ability to learn, respond, reflect, and recover from emergencies. While risk mitigation activities are preventative, and resilience activities are reactive, both place serious responsibility on the shoulders of facilities management teams.
What’s important in resilience and risk mitigation is the fact that there’s no one-size-fits-all approach. Every situation and facility will be different—so broad-based recommendations and suggestions can be misleading.
“It’s important to understand the risks in your area,” said William Dunne, director of emergency management and business continuity at the Penn State Health Milton S. Hershey Medical Center. “We look at similar organizations in our area to glean lessons learned.”
One example is the recent increase in cyberattacks and specifically ransomware activities impacting healthcare organizations. Dunne and his team worked collectively with federal (CISA and FBI), state (DOH/PEMA), and local entities (law enforcement and emergency management) to develop a series of exercises to test system- and department-level preparedness. These exercises are based on actual attacks and impacts at peer institutions which assisted in strengthening preparedness, response, and recovery capabilities.
Many primary and secondary educational organizations are focusing their attention on current events.
The National School Vulnerability Assessment Program requires reviews of the physical plant, existing policies and procedures, crisis management, training, and communications programs. In addition to the self-assessment, a climate survey is conducted with the faculty and students. Both the self-assessment and survey are then reviewed with a law enforcement professional for risks, vulnerabilities, and recommendations.
Many organizations are also conducting Hazard Vulnerability Analysis programs, where the goal is to seek constant process improvement regarding potential loss of life and infrastructure damage by assessing the level of preparedness, planning, training, and education and gauging the highest areas of vulnerability.
Amanda Stephens, administrative director of operations at Methodist Hospital Specialty & Transplant, conducts an annual Hazard Vulnerability Assessment as well as an annual Security Vulnerability Assessment.
These assessments aim to systematically go through each potential risk to the facility, scoring potential impacts to business, patient care, and structure.
“We grade ourselves on how well prepared we are and the resources we have available to respond to such an incident. We then use this information to focus our preparedness activities and education/exercises,” said Stephens.
Stephens and her team also work to ensure strong partnerships in the community to pull additional resources, if needed.
Steve Kuhr, CEO of Kuhr Group LLC, added that organizations can take a proactive approach to ensure that their facilities are resilient to natural disasters, cyberattacks, active shootings, and other potential disruptions by implementing a comprehensive risk-based crisis management program.
Kuhr recommends conducting the following steps:
Risk Comprehension: Organizations should conduct a thorough assessment of their facility to identify potential risks and vulnerabilities. This may include assessing the facility’s location, occupancy, workforce population, public access, hazardous materials, critical building infrastructure, and other factors that may increase the likelihood of a crisis event.
Risk Mitigation and Controls: Once risks have been identified, organizations should develop strategies to mitigate them. This may include physical security measures such as access controls, surveillance cameras, alarm systems, and perimeter protection, as well as cybersecurity measures such as firewalls, anti-virus software, and strong workforce cyber protection policies. Also, organizations should consider local natural hazard risks such as wildfire, flooding, and severe weather, and develop controls and protective measures such as vegetation clearance for wildfires and flood barriers for riverine and excessive rainfall flooding.
Crisis Management Planning: Organizations should develop a comprehensive crisis management plan that outlines procedures for responding to a crisis event. This should include plans for evacuating the facility, workforce assembly and accountability, communicating with employees and stakeholders, and coordinating with emergency responders.
Testing and Training: To ensure that the crisis management program is effective, organizations should regularly train employees and conduct drills on crisis response procedures. This may include conducting simulated crisis events, tabletop exercises, and other training activities.
Adrian Verner, facilities manager at Northern Regional College, makes sure that all staff and students are familiar with emergency plans. He believes that it’s critical that campus buildings have adequate physical security measures in place, such as surveillance cameras and perimeter fencing.
Verner and his team ensure that campus buildings can continue to function in the event of an interruption to critical services with the movement to solar panels with battery backup to aid with electrical supply issues. Also, regular backup of all data, to protect against loss from cyberattacks, is critical.
“We have a close working relationship with local authorities to ensure our emergency response plan is aligned with their protocols and to receive guidance on how to improve the resilience of our building. With the advancement of IOT, buildings are becoming more advanced and FMs are becoming a more valued member of any organization,” he said.
Schools and universities, being complex and expansive, are vulnerable to a wide range of threats. Consider a teaching university which may contain a hospital, classrooms, laboratories, research facilities, public spaces, conference rooms, roadways, and more. Various activities—operations, medical procedures, classes, lectures, rehabilitation, and research—may be occurring simultaneously.
Finally, consider the potentially threatening materials that may be present: chemicals, medical waste, nitrogen, and oxygen. Then add all the threats to information and operations, including cyberattacks and power outages.
Schools and universities are highly visible in their communities and around the globe. They are constantly being examined, considered, and weighed by multiple parties, including students, parents, researchers, donors, alumni, and others. If science labs, for example, aren’t working, then grants are jeopardized. If classrooms aren’t conducive to learning, schools lose rankings, and enrollment and donations are impacted. These are all major risks.
One way to mitigate risk in facilities is to build in features that underscore the need for safety. For example, a restroom, built into the center core of a building, can double as a tornado or active shooter shelter, especially if there are no windows in the restroom.
Innovations in fire escapes, ladders, shelters, and wayfinding/signage can also help mitigate risk in most facilities.
Unfortunately, there’s no way to eliminate every risk.
“It’s important to know years ahead of time what equipment may need to be replaced and when,” said Jim Stephens, associate VP of infrastructure at the Georgia Institute of Technology. “For example, most equipment failures are not catastrophic. In most cases, a roof can almost always last another year. Threats can be mitigated by doing a high-quality, temporary roof repair until there’s enough capital to replace the roof.”
On-the-go technicians are tasked with knowing their buildings inside and out, top to bottom, as they move from one area to another.
With these tasks comes a wide assortment of documentation, including equipment manuals, inspection reports, and warranties. Knowing where to find critical building information like shutoffs and electrical panels—in a hurry, on-the-go, remotely—is still a big challenge. There may be hundreds of technicians working on-site, each with a different area of expertise. Knowledge, information, and risk go hand in hand. The ability to make fast decisions is critical.
Wasting time is also a risk. There are only so many hours in a day. When time is spent unproductively, then there’s a risk that a fast response won’t happen. Distances also present risk. If there’s an event and it can’t be addressed quickly because the person responsible is knee-deep in a document storage room looking for a building information, then that’s a big problem.
When facilities management and other departments are equipped with mobile devices loaded with their building information, renovations, drawings, equipment maintenance, and emergency planning documents, then great strides can be made toward streamlining emergency response, thereby mitigating risk.
Jack Rubinger is marketing content writer for ARC Facilities. He can be reached at jack.rubinger@arcfacilities.com.