
Improve disaster preparedness with the National Mitigation Framework

Businesses can use FEMA's National Mitigation Framework to improve disaster preparedness planning. Expert Joseph Granneman explains how.

Many businesses that I talk with about disaster recovery don't have the time, resources or expertise to develop solid mitigation strategies. They leave themselves vulnerable to disasters, the effects of which could have been less severe if they had only been prepared.

For those companies, there is good news: The Federal Emergency Management Agency recently released the National Mitigation Framework, which offers guidelines for lessening the effects of disasters. Although FEMA's Mitigation Framework is meant to prepare the public for disasters, businesses can also use it -- for free! -- to bolster their disaster preparedness, as the key points are broadly applicable.

The National Mitigation Framework is divided into seven core capabilities. Each of these could be applied as a best practice for disaster preparedness for businesses.

FEMA National Mitigation Framework: Seven core capabilities

1. Threats and hazards identification

The first step in any disaster preparedness plan is to identify the threats and hazards that could possibly affect the business. Each region of the country has different hazards that need to be addressed, such as hurricanes, tornadoes, fires, floods and earthquakes. These threats and hazards also include nonregional events such as terrorism, criminal acts and mass casualty events.

2. Risk and disaster resilience assessment

The next step is to analyze the identified threats and hazards and prioritize them by probability of occurrence and their potential impact on the business. Some businesses may be more resilient to certain threats because of their differing environmental requirements. A company storing frozen food, for example, would be more susceptible to an extended power outage than a pet store. It is important to consider the social impacts of the potential threats in the planning as well. Critical staff may be more concerned about their families than reporting to work in times of crisis. Employees can be trained to recognize and manage risk to assist in this process. They can be a good source of information about risks to organizational processes and procedures.


3. Planning

Next, a plan is developed to best address the analysis performed in the previous step. The most effective plans evolve as new threats and hazards are identified. Businesses should ideally work with their IT and strategic business partners in building these plans in order to add expertise and options to the planning process.

4. Community resilience

Community resilience is a critical core capability, as it describes how the employees in the business can help reduce potential threats and hazards. Formal and informal leaders in any business need to be included in communications and to collaborate with others to make the planning successful. Formal leaders are those with designated leadership positions, while informal leaders may not have official leadership positions but still have a level of authority with coworkers. Both of these types of leaders should communicate the plans and educate all of their employees. Any one of them could be the difference between success and failure in effectively managing and reducing the outcomes of an incident.

5. Public information and warning

Public information and warning is the core capability that defines how the business will learn and share new information about potential threats and hazards. This could be achieved by partnering with the local emergency response or law enforcement agencies. There could be opportunities for the business to join or create information-sharing groups by geographic area or type of business. However it is accomplished, it is vital to build these communication channels for up-to-date threat information.

6. Long-term vulnerability reduction

Long-term vulnerability reduction represents the "pay-off" for all of the preceding work. The business can now integrate the threat data collected and analyzed in the previous phases into all aspects of operations. This includes acquiring insurance for natural disasters and catastrophic events, as well as adapting capital projects to consider building locations or construction methods to better survive threats or hazards.

7. Operational coordination

Operational coordination is the final core capability identified in the National Mitigation Framework. It defines the need for maintaining a coordinated operational structure for use both before and during an emergency. For example, the business could use the Incident Command System, which was also developed by FEMA. It provides roles and responsibilities so that employees have a firm understanding of the part they play in an emergency.

No excuses

Natural disasters can strike anywhere at any time and have catastrophic effects on businesses and communities. Enterprises can repurpose FEMA's free National Mitigation Framework to develop resilience to these events and lessen their impact. There is no excuse for businesses to be caught unprepared due to cost or a lack of expertise in disaster planning. Businesses may not be able to dodge every possible threat or hazard but could dramatically increase the odds that they will remain viable, making the entire community more resilient. Thanks to FEMA for helping businesses and communities accomplish this goal.

About the author:
Joseph Granneman is's resident expert on information security management. He has more than 20 years of technology experience, primarily focused in healthcare information technology. He is an active independent author and presenter in the healthcare information technology and information security fields and is frequently consulted by the media and interviewed on various healthcare information technology and security topics. He has been focused on compliance and information security in cloud environments for the past decade with many different implementations in the medical and financial services industries.

This was last published in December 2013
