NFPA 1600 Continuity, Emergency, and Crisis Management
Acceptable to the authority having jurisdiction.
Authority Having Jurisdiction (AHJ).
An organization, office, or individual responsible for enforcing the requirements of a code or standard, or for approving equipment, materials, an installation, or a procedure.
- Indicates a mandatory requirement.
- Indicates a recommendation or that which is advised but not required.
- An NFPA Standard, the main text of which contains only mandatory provisions using the word “shall” to indicate requirements and that is in a form generally suitable for mandatory reference by another standard or code or for adoption into law. Nonmandatory provisions are not to be considered a part of the requirements of a standard and shall be located in an appendix, annex, footnote, informational note, or other means as permitted in the NFPA Manuals of Style. When used in a generic sense, such as in the phrase “standards development process” or “standards development activities,” the term “standards” includes all NFPA Standards, including Codes, Standards, Recommended Practices, and Guides.
- General Definitions.
Access and Functional Needs
Persons requiring special accommodations because of health, social, economic, or language challenges.
An approach for prevention, mitigation, preparedness, response, continuity, and recovery that addresses a full range of threats and hazards, including natural, human- caused, and technology-caused.
Business Continuity/Continuity of Operations
An ongoing process to ensure that the necessary steps are taken to identify the impacts of potential losses and maintain viable continuity and recovery strategies and plans.
- Business Impact Analysis (BIA). A management level analysis that identifies, quantifies, and qualifies the impacts resulting from interruptions or disruptions of an entity’s resources. The analysis can identify time-critical functions, recovery priorities, dependencies, and interdependencies so that recovery time objectives can be established and approved.
- The ability to perform required actions.
- Demonstrated ability to apply knowledge and skills to achieve intended results.
- Continual Improvement. Recurring process of enhancing the management program in order to achieve improvements in overall performance consistent with the entity’s policy, goals, and objectives.
- A term that includes business continuity/ continuity of operations (COOP), operational continuity, succession planning, continuity of government (COG), which support the resilience of the entity.
- An issue, event, or series of events with potential for strategic implications that severely impacts or has the potential to severely impact an entity’s operations, brand, image, reputation, market share, ability to do business, or relationships with key stakeholders. A crisis might or might not be initiated or triggered by an incident, and requires sustained input at a strategic level to minimize its impact on the entity.
- Crisis Management. The ability of an entity to manage incidents that have the potential to cause significant security, financial, strategic, or reputational impacts.
- Damage Assessment. A determination of the effects of the incident on humans; on physical, operational, economic characteristics; and on the environment.
- Disaster/Emeigency Management. An ongoing process to prevent, mitigate, prepare for, respond to, maintain continuity during, and to recover from, an incident that threatens life, property, operations, information, or the environment.
- A governmental agency or jurisdiction, private or public company, partnership, nonprofit organization, or other organization that has crisis/disaster/emergency management and business continuity/continuity of operations responsibilities.
Exercise. A process to assess, train, practice, and improve performance in an entity.
- An event that has the potential to cause interruption, disruption, loss, emergency, disaster, or catastrophe, and can escalate into a crisis.
- Incident Action Plan. A verbal plan, written plan, or combination of both that is updated throughout the incident and reflects the overall incident strategy, tactics, risk management, and member safety requirements approved by the incident commander.
Incident Management System (IMS).
The combination of facilities, equipment, personnel, procedures, and communications operating within a common organizational structure and designed to aid in the management of resources during incidents.
The ability of diverse personnel, systems, and entities to work together seamlessly.
Activities taken to reduce the impacts from hazards.
Mutual Aid/Assistance Agreement.
A prearranged agreement between two or more entities to share resources in response to an incident.
Ongoing activities, tasks, and systems to develop, implement, and maintain the program.
Activities to avoid or stop an incident from occurring.
Activities and programs designed to return conditions to a level that is acceptable to the entity.
The ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions.
A system for identifying available resources to enable timely access to resources needed to prevent, mitigate, prepare for, respond to, maintain continuity during, or recover from an incident.
Immediate and ongoing activities, tasks, programs, and systems to manage the effects of an incident that threatens life, property, operations, an entity, or the environment.
- Risk Assessment. The process of identifying threats and hazards to life, property, operations, the environment, and entities, and the analysis of probabilities, vulnerabilities, and impacts.
- Situation Analysis. The process of collecting, evaluating, and disseminating information related to the incident, including information on the current and forecasted situation and on the status of resources for management of the incident.
- Social Media. Forms of electronic communication (such as websites) through which people create online communities to share information, ideas, and personal messages.
- Supply Chain. A network of individuals, entities, activities, information, resources, and technology involved in creating and delivering a product or service from supplier to end user.
- Procedure for evaluation with a pass or fail result.
- Vital Records. Information critical to the continued operation or survival of an entity.
Leadership and Commitment.
- The entity leadership shall demonstrate commitment to the program to prevent, mitigate the consequences of, prepare for, respond to, maintain continuity during, and recover from incidents.
- The leadership commitment shall include the following:
- Support the development, implementation, and maintenance of the program
- Provide necessary resources to support the program
- Ensure the program is reviewed and evaluated as needed to ensure program effectiveness
- Support corrective action to address program deficiencies
The entity shall adhere to policies, execute plans, and follow procedures developed to support the program.
Program requirements shall be applicable to preparedness including the planning, implementation, assessment, and maintenance of programs for prevention, mitigation, response, continuity, and recovery.
Laws and Authorities.
The program shall comply with applicable legislation, policies, regulatory requirements, and directives.
The entity shall establish, maintain, and document procedure(s) to comply with applicable legislation, policies, regulatory requirements, and directives.
The entity shall implement a strategy for addressing the need for revisions to legislation, regulations, directives, policies, and industry codes of practice.
Finance and Administration.
The entity shall develop finance and administrative procedures to support the program before, during, and after an incident.
There shall be a responsive finance and administrative framework that does the following:
- Complies with the entity’s program requirements
- Is uniquely linked to response, continuity, and recovery operations
- Provides for maximum flexibility to expeditiously request, receive, manage, and apply funds in a nonemergency environment and in emergency situations to ensure the timely delivery of assistance
- Procedures shall be created and maintained for expediting fiscal decisions in accordance with established authorization levels, accounting principles, governance requirements, and fiscal policy.
- Finance and administrative procedures shall include the following:
- Responsibilities for program finance authority, including reporting relationships to the program coordinator
- * Program procurement procedures
- * Accounting systems to track and document costs
- Management of funding from external sources
- Crisis management procedures that coordinate authorization levels and appropriate control measures
- Documenting financial expenditures incurred as a result of an incident and for compiling claims for future cost recovery
- Identifying and accessing alternative funding sources
- Managing budgeted and specially appropriated funds
- The entity shall develop, implement, and manage a records management program to ensure that records are available to the entity.
- The program shall include the following:
- Identification of records (hard copy or electronic) vital to continue the operations of the entity
- Backup of records on a frequency necessary to meet program goals and objectives
- Validation of the integrity of records backup
- Implementation of procedures to store, retrieve, and recover records on-site or off-site
- Protection of records
- Implementation of a record review process
- Procedures coordinating records access
Planning and Design Process.
The program shall follow a planning process that develops strategies, plans, and required capabilities to execute the program.
Strategic planning shall define the entity’s vision, mission, and goals of the program.
- The entity shall conduct a risk assessment.
- The entity shall identify hazards and monitor those hazards and the likelihood and severity of their occurrence over time.
Hazards to be evaluated shall include the following:
- Landslide, mudslide, subsidence
- Extreme temperatures (hot, cold)
- Flood, flash flood, seiche, tidal surge
- Ceomagnetic storm
- Snow, ice, hail, sleet, avalanche
- Wildland fire
- Windstorm, tropical cyclone, hurricane, tornado, water spout, dust storm, sandstorm
- Food-borne illnesses
- * Infectious/communicable/pandemic diseases
- Accidental human-caused:
- Building/structure collapse
- * Entrapment
- Fuel/resource shortage
- * Hazardous material spill or release
- Equipment failure
- Nuclear reactor incident
- Radiological incident
- * Transportation incident
- Intentional human-caused:
- Incendiary fire
- Bomb threat
- Demonstrations/civil disturbance/riot/insurrection
- Disinformation (rumors, false allegations, or accusations)
- Ceopolitical risks including acts of war, change in government, and political instability
- Missing person
- * Cyber security incidents
- * Hardware, software, and network connectivity interruption, disruption, or failure
- * Utility interruption, disruption, or failure
- Foreign currency exchange rate change
- Economic recession
- Theft/fraud/malfeasance/impropriety/scandal involving currency, monetary instruments, goods, and intellectual property
- Loss of senior executive
- Failed acquisition/strategic initiative
- Humanitarian issues
The vulnerability of people, property, operations, the environment, the entity, and the supply chain operations shall be identified, evaluated, and monitored.
The entity shall conduct an analysis of the impacts of the hazards identified in 5.2.2 on the following:
- Health and safety of persons in the affected area
- Health and safety of personnel responding to the incident
- Security of information
- * Continuity of operations
- Continuity of government
- * Property, facilities, assets, and critical infrastructure
- Delivery of the entity’s services
- Supply chain
- * Economic and financial conditions
- Legislated, regulatory, and contractual obligations
- Brand, image, and reputation
- Work and labor arrangements
- The risk assessment shall include an analysis of the escalation of impacts over time.
- Resource management shall include the following tasks:
- Establishing processes for describing, taking inventory of, requesting, and tracking resources
- Resource typing or categorizing by size, capacity, capability, and skill
- Mobilizing and demobilizing resources in accordance with the established IMS
- Conducting contingency planning for resource deficiencies
- A current inventory of internal and external resources shall be maintained.
- Donations of human resources, equipment, material, and facilities shall be managed.
Emergency Operations/Response Plan.
Emergency operations/response plans shall define responsibilities for carrying out specific actions in an emergency.
The plan shall identify actions to be taken to protect people, including people with disabilities and other access and functional needs, information, property, operations, the environment, and the entity.
The plan shall identify actions for incident stabilization. 6.9.4* The plan shall include the following:
- Protective actions for life safety in accordance with 6.9.2
- Warning, notifications, and communication in accordance with Section 6.6
- Crisis communication and public information in accordance with Section 6.5
- Resource management in accordance with 6.8.7
- Donation management in accordance with 6.8.9
Continuity and Recovery.
Continuity plans shall include strategies to continue critical and time-sensitive processes and as identified in the BIA.
Continuity plans shall identify and document the following:
- Stakeholders that need to be notified
- Processes that must be maintained
- Roles and responsibilities of the individuals implementing the continuity strategies
- Procedures for activating the plan, including authority for plan activation
- Critical and time-sensitive technology, application systems, and information
- Security of information
- Alternative work sites
- Workaround procedures
- Vital records
- Contact lists
- Required personnel
- Vendors and contractors supporting continuity
- Resources for continued operations
- Mutual aid or partnership agreements
- Activities to return critical and time-sensitive processes to the original state
- Continuity plans shall be designed to meet the RTO and RPO.
Annex A is not a part of the requirements of this NFPA document but is included for informational purposes only. This annex contains explanatory material, numbered to correspond with the applicable text paragraphs.
A.l.l The crisis/disaster/emergency management and business continuity/continuity of operations community comprises many different entities, including the government at distinct levels (e.g., federal, state/provincial, territorial, aboriginal, indigenous, tribal, and local levels); commercial business and industry; nonprofit and nongovernmental entities; and individual citizens. Each of these entities has its own focus, unique mission and responsibilities, varied resources and capabilities, and operating principles and procedures.
A1.2 The standard promotes a common understanding of the fundamentals of planning and decision making to help entities examine all hazards and produce an integrated, coordinated, and synchronized program for crisis/disaster/emergency management and business continuity/continuity of operations. NFPA 1616 is based upon an integrated program described in NFPA 1600.
Starting with the 2010 edition of NFPA 1600, the standard was organized in the Plan-Do-Check-Act (PDCA) format, as follows:
Plan is the process to determine goals and objectives and the desired outcome (s), and concludes with an agreement to proceed.
Do is executing the actions needed to achieve the desired outcome (s).
Check is evaluating whether the desired outcome (s) has been achieved by those actions.
Act is addressing any gaps between desired outcome (s) and actual outcome(s).
Figure A. 1.2 depicts the PDCA cycle.
A.1.3 The application of NFPA 1600 within the private sector is described in detail in the NFPA 1600 Handbook published by the National Fire Protection Association.
The application of NFPA 1600 used with the United Nations Environmental Program Awareness and Preparedness for Emergencies at the Local Level (APELL) for Technological Hazards is described in Annex G. Annex G describes both international and domestic applications.