¶ … organization is derived from the preparedness cycle developed by the National Incident Management System (NIMS) and utilized by the Federal Emergency Management Association (FEMA) of the U.S. Department of Homeland Security and other disaster response / emergency preparedness organizations. A primary advantage of using this proven model is that it provides a consistently implemented and commonly understood approach to disaster preparedness. The preparedness cycle is a continuously renewing series of integrated components that enable the a state of preparedness to be achieved and maintained, and includes the following: Planning, organizing, training, equipping, exercising, evaluating, and taking corrective action ("Preparedness," 2014). The components of the NIMS preparedness cycle are shown below. Figure 1. NIMS Preparedness Cycle

Organizational preparedness requires the coordinated effort of both internal and external individuals, and the engagement of agencies and resources external to the focus organization. These external resources are dedicated to incident response and emergency management, an important aspect of which is coordination of effort. Undergirding the need for disaster readiness is the markedly more efficacious implementation of incident response activities and emergency management processes and procedures in the presence of a continuous organizational preparedness cycle. Source: National Incident Management System, FEMA. 2014

Not every component of the preparedness cycle is present in every phase of the development of a preparedness plan for an organization. Indeed, the linkages are often of the dotted line type, which indicates a relationship more rigorous than a bookmark, say, but signals that the implementation of some components will be more fully addressed in other phases of preparedness plan development. Throughout the discussion, remarks about the role of the components of the preparedness cycle are included in each of the four main topics: 1) The identification of threats and vulnerabilities; 2) the situational and information analyses; 3) the preparation, prevention, and response; and, 4) the impact mitigation.

Note that the author has not used the first person in this proposal for an organization preparedness plan, however, it may be assumed that the author will direct the introduction and implementation of the preparedness plan as it is articulated throughout the enterprise.

I. Identification of Threats and Vulnerabilities

The process of identifying threats and vulnerabilities is most certainly an ongoing endeavor. Current and historical incidents and events have shown the importance of connecting the dots in a manner that reveals both expected and unexpected patterns. Within an organization, the capacity to think outside of conventional frames is often constrained by a full court press to conform. Maverick thinking is often frowned upon, such that it is quite possible that the identification of threats and vulnerabilities can suffer from a lack of imagination -- though not on the scale of 9/11, this problem is often seen in organization governed by boards of directors, chairmen, and a full C-suite of executives who may tilt in favor of stakeholder perceptions. The nature of an enterprise is such that it may loose track of its organizational memory, and develop a bias toward the exigencies of the immediate business landscape, wherein the collective organizational attention is directed toward what the competition is doing or perceived as about to do. This is a corollary phenomenon of the deeply experienced critical incident commander who tends to draw from past experience without fully integrating new information about current threats and vulnerabilities.

The components of the preparedness cycle that are most engaged in this phase of preparedness plan development are planning, evaluating, and corrective action ("Preparedness," 2014). To facilitate the development of enterprise preparedness plans, FEMA has developed a voluntary preparedness program for the private sector. The voluntary program offers several paths to preparedness that enterprises in the private sector can follow, including "following best practice programs, aligning to a standard or certifying to a standard" ("Private Sector," 2014).

The range of difficulties that an organization can face as a result of some catastrophe is exceedingly broad, the least of which is potential temporary disruption of operations, or worse -- high costs to restore the enterprise, and the loss or cessation of business revenue ("Private Sector," 2014). Data loss and impaired facilities are probable, and can result in business relationships being impacted or severed ("Private Sector," 2014). Worse case scenarios include complete loss of facilities and fatalities of employees and customers ("Private Sector," 2014). The key objectives of the business preparedness plan are continuity and recovery ("Private Sector," 2014). This means that organizations must develop a preparedness plan that fosters the capacity to comprehensively address business continuity, disaster response management, emergency preparedness, and strong organizational resilience. The standard of preparedness selected for this organizational preparedness plan is based on the guide developed by ASIS,...

3).
Articulating the scope of the preparedness plan is an early step in this phase, which consist primarily of determining whether preparedness and resilience of the entire organization will be addressed, or if certain constituent parts will be the focus ("ASIS," 2009). Within the risk scenarios determined, consideration must also be directed to mission related obligation, legal responsibilities, and critical operational goals ("ASIS," 2009). All of these component considerations and aspects of the enterprise business will be entered into a matrix that will be used to reflect strategic weighting according to the risk assessment and impact analysis (see Appendix A -- Risk Assessment Matrix).

Once the strategic weighting has been accomplished, the organization will refine (or develop, if this is an initial preparedness plan) and communicate relevant policy that appropriately reflects the current understanding of the type and size of potential threats and vulnerabilities, in conjunction with enterprise objectives ("ASIS," 2009). Concomitant with this policy, management will disseminate a strong statement communicating the policies, the allocation of preparedness and resilience resources, the development of competencies, and the importance of achieving the preparedness plan objectives under the designated authority ("ASIS," 2009). By adopting the standards developed by the American National Standards Institute, the enterprise will ensure that objectives, procedures, and processes are established to enable the achievement of obligations defined in policy and the commitment of management to the operational resiliency ("ASIS," 2009).

II. Situational and Information Analyses

The components of the preparedness cycle that are utilized the most in this phase of preparedness plan development are organizing and evaluating ("Preparedness," 2014). Key objectives of this phase are the assurance of competence and awareness, and a demonstration of conformity to the ASIS standards and applicable standards of NIMS, and the residual components of ICS that are still employed albeit in an updated NIMS format ("ASIS," 2009). The situational and informational analysis encompasses a broadly-based survey of operational activities designed to pinpoint specific intentional and unintentional vulnerabilities and threats that have the "potential for direct or indirect impact on the organization's operations, functions, and human, intangible, and physical assets; the environment; and its stakeholders" ("ASIS," 2009, p. 7).

The organization must ensure it has the capability to connect with and support integrated multi-agency coordination systems (MACs), as conducted between local 911 Centers, local Incident Command Posts (ICPs), local Emergency Operations Centers (EOCs), and the state, regional, and federal level EOCs ("NIMS Integration Center," 2006). Memorandum of Understandings (MOUs) and Memorandum of Agreements (MOAs) will be established with the government agencies and with other private sector organizations to ensure that personnel and resources are shared in the event of an incident or disaster event so warranted ("NIMS Integration Center," 2006). These agreements will provide information about the credentials held by the incidence response personnel ("NIMS Integration Center," 2006). An aspect of multi-agency coordination includes provisions for shared information and shared response assets ("NIMS Integration Center," 2006). To enable the mutual benefits from optimized multi-agency coordination, the organization will conduct an inventory of response assets, and will share the completed and regularly updated inventory with the local authority for emergency management ("NIMS Integration Center," 2006). In addition, the organization will establish and promote an information system to disseminate preparedness plan information, emergency management and incident response information within the organization and with relevant stakeholders in the event of an incident ("NIMS Integration Center," 2006). Relevant stakeholders could include the media, local emergency management personnel, and other private sector enterprises with which the organization might share resources as well as information (see Appendix B -- Business Continuity Resource Requirements, and Appendix C -- Business Continuity Plan) ("NIMS Integration Center," 2006).

III. Preparation, Prevention, and Response

The components of the preparedness cycle that are active during this phase of preparedness plan development are planning, organizing, training, equipping, exercising, evaluating, and taking corrective action ("Preparedness," 2014). An important but easily overlooked component of a preparedness plan is the identification of points of contact for the organization ("NIMS Integration Center," 2006). A current list of the names and contact information of the organization's points of contact needs to be shared with the local authorities for emergency management. These lists of points of contact should be maintain in a current mode and not just updated when a…