12/10/08 EMForum.org Transcript: ISO TC 223 for Societal Security

EIIP Virtual Forum Presentation — December 10, 2008

International Standards for Incident Preparedness and Operational Continuity
ISO Technical Committee 223, Societal Security

Dean R. Larson, PhD, CEM®
Chair, U.S. Technical Advisory Group and Head of Delegation
ISO Technical Committee 223

Amy Sebring
EIIP Moderator

The introduction, presentation, and closing parts of the transcript are prepared remarks and not necessarily verbatim. The Q&A portion is prepared from a transcription of the recording. The complete slide set (Adobe PDF) may be downloaded from http://www.emforum.org/vforum/ISO/ISOtc223.pdf for ease of printing.

[Welcome / Introduction]

Amy Sebring: Good morning/afternoon everyone. Welcome to EMforum.org and our last program for 2008! Today’s topic is one we have wanted to do for a long time, "International Standards for Incident Preparedness and Operational Continuity: The ISO Technical Committee 223, Societal Security"

Please note the related poll on our homepage. "Do you think the ISO process will promote adoption of universal EM principles? Yes, Maybe, No." Please take time to participate by voting and review the results thus far.

Also note that there is a related handout article, "ISO and Societal Security" that was published in the July 2008 Edition of the IAEM Bulletin that today’s guest co-authored. [http://www.emforum.org/vforum/ISO/ISOsocietalSecurity.pdf]

Now it is my pleasure to introduce today’s guest speaker: Dr. Dean R. Larson is Chair of the U.S. Technical Advisory Group and Head of Delegation to ISO/TC 223. Dean also serves on the National Fire Protection (NFPA) Technical Committee on Emergency Management and Business Continuity, author of the NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity.

Dean initiated the Emergency Management Certificate Program, and teaches courses in Emergency Management and Homeland Security for Purdue University Calumet. He was the Department Manager, Safety and Industrial Hygiene, U. S. Steel Gary Works until he retired in 2003.

Dean also serves as a Commissioner on the Indiana Emergency Response Commission and on the Certified Emergency Manager (CEM®) Commission, and holds certifications as a Certified Safety Professional (CSP), Certified Emergency Manager (CEM®), and Certified Professional Technologist (CPT), with additional qualifications in hazardous materials and explosive safety.

Welcome Dean, and thank you for being with us today. I now turn the floor over to you to start us off please.

[Presentation]

[Slide 1]

Dean Larson: Thank you, Amy.

On behalf of the U.S. Technical Advisory Group, the "TAG," I want to thank you for this invitation to share some ideas on the ISO work on developing standards and guides for Societal Security. The term "societal security" may be new to many.

The term societal security was first used by Barry Buzan in the book People, States and Fear: National Security Problem in International Relations (Longman; 2 edition, 1991), as part of his theory of security. Various other security theorists have modified his theory and the debate continues on the exact meaning of the term. The international community has not reached consensus on the meaning of Societal Security. ISO/TC 223 has adopted an inclusive perspective bringing together the disciplines of security, risk management, preparedness, crisis management, emergency management, business continuity management, and disaster management.

ISO Technical Committee 223 was formed in 2001 with the little activity until the end of 2005 when the responsibility for leadership and secretariat support was assigned to the Swedish Standards Institute. Currently the committee has thirty seven Participating countries and seventeen Observer countries. The sixth Plenary session was held in Bali in November with the largest participation in any of the meeting.

[Slide 2]

The purpose of the ISO initiative on Societal security is described in dialogue balloons.

Incident Preparedness Management mainly covers "before occurrence of disaster".

Operational Continuity Management mainly covers "after occurrence of disaster".

From this diagram, you can see the goal of shortening the time to return to full operational level. You can also see the terminology for our common concepts of emergency management and business continuity.

[Slide 3]

Societal security is provided by a complex system of systems, in the context used author Barry Buzan, who first used the term "societal security as I mentioned.

This system of systems is predominantly governed by rules related to market forces and economy as the services, assets and systems are mainly provided by the private sector and government agencies.

Thus the term "societal security" applies to both the public and private sectors.

[Slide 4]

When the system of systems is stressed, it will deform, and, by how much and to what effect will be dictated by factors such as:

size and type of stress;
rate of onset;
scope and magnitude

incident, emergency, disaster, crisis etc.

From experience we know that there is little success in predicting when the stress on the system will occur or any of the factors just named.

[Slide 5]

As I mentioned, consensus on the term "societal security" has created a significant discussion among the ISO committee and there is confusion over the term "societal security." This confusion exists in spite of the explicit focus of the single published document, ISO/TC 22399, the Publicly Available Specification (PAS), published in December 2007.

During the last plenary session of TC 223, a suggestion was made in an attempt to clarify the focus, using the convention being used in book titles, where a modifying phrase is added after a colon to elaborate the meaning.

[Slide 6]

The term "organizational resilience" was recommended to focus on the need for resilience in a single organization.

[Slide 7]

Many of us have heard the term resilience and have used it in other contexts.

For example: in Materials Science, we identify resilience as the capability of a strained body to recover its size and shape after deformation caused by compressive strain. Organizations need resilience after a disaster.

[Slide 8]

In a psychological context, we define resilience as the ability to recover from or adjust easily to misfortune or change, a characteristic that organizations need.

[Slide 9]

When the system is stressed, there are several responses to that stress:

First, the response and the most desirable response is to Absorb stress and require no internal change to cope – Resilience.

This would be the most desirable response for an organization. An organization that has mature resilience that results in no requirement for change internal to the organization to absorb the effect of the stress and no external intervention in response.

[Slide 10]

A second type of response, less desirable than the first is to change internally but still does not require external assistance to deal with the effect of the stress. That is called "toughness."

[Slide 11]

Break/fracture and require external intervention (e.g. requirement to invoke incident response and continuity at the system level) – Requires External Intervention.

This is the situation that means a system needs intervention external to the system and that the system is ready to accept the outside intervention without qualification.

[Slide 12]

You may be asking the question:: Why should Emergency Management in the United States focus on resilience? Is this not a term that is used in business continuity in the private sector?

[Slide 13]

"In his address, Mr. Schrader emphasized that the goal of the Title IX, Public Law (PL) 110-53 program is to improve private sector preparedness in disaster management, emergency management, and business continuity to enhance nationwide resilience." [emphasis added]

[Slide 14]

Before we get to more on the ISO committee, let’s cover a short introduction to Management Systems Standards, for example, ISO 9000.

[Slide 15]

Management Systems

"Management system" refers to what the organization does to manage its processes, functions or activities, so that its products or services meet the objectives it has set itself.
Management system standards provide a model to follow in setting up and operating a management system.
The Plan – Do – Check – Act (PDCA) cycle is the operating principle of ISO's management system standards.

Bottom line: Proactively improve resilience.

[Slide 16]

ISO and Societal security

Technical Committee (TC) 223

37 member countries

17 observer countries

Six plenary sessions to date, and the next is scheduled during the last week in May, hosted by the France and to be held in Paris

NFPA is the administrator for the U.S. Technical Advisory Group (TAG)

[Slide 17]

ISO Societal security TC’s Goals

Aligned with the globally accepted standards:

ISO 9001:2000 - Quality management
ISO 14001:2004 - Environmental management
ISO/IEC 27001:2005 - Information technology security

Supports consistent and integrated implementation and operation with related management standards

Flexible, robust and cost effective tool to assure the resilience IN ONE ORGANIZATION

[Slide 18]

"Best of Five" was used by ISO TC 223 to develop the "PAS"

Australia - HB 221:2004 - Business continuity management, Standards Australia/Standards New Zealand

Israel– IS 24001:2007 - Security and continuity management systems -Requirements and guidance for use, Standards Institution of Israel

Japan – Proposal for Guidelines for the Establishment of Framework on Emergency Preparedness, Japanese Industrial Standards Committee

United Kingdom - BS 25999-1:2006, Business continuity management - Code of practice, BSI British Standards

United States - NFPA 1600:2004, Standard on disaster/emergency management and business continuity programs, National Fire Protection Association

There have been SEVERAL new additions to this list, including the NFPA 1600:2007 edition.

[Slide 19]

This diagram depicts the conceptual framework of the work of ISO TC 223.

These five areas need expertise, expertise from the United States working through the US TAG.

[Slide 20]

Current Projects

In addition to further work on the Publicly Available Specification, to address comments received:

Framework and Roadmap
Preparedness and Continuity
Document on Exercises and Testing
Document on Private Public Partnership
Vocabulary to support Societal security
Technologies to support Societal security
Command and Control documents

[Slide 20]

The U.S. Technical Advisory Group needs you, some of your time and your talents to formulate the U.S. positions on ISO issues. If interested, please contact Dean Larson. drlarson@jorsm.com.

[Slide 21]

That concludes my overview, and I will be happy to respond to your comments and questions. I turn the floor back over to our Moderator.

Amy Sebring: Thank you very much Dean. Now, to proceed to your questions or comments.

[Audience Questions & Answers]

Question:
Isabel McCurdy: Where can you get a copy of the published ISO standards?

Dean Larson: Isabel, that’s available through ISO. The standard is not really a standard; it’s the publicly available specification. I would caution you that that was published in December of 2007 and has resulted in a significant amount of comments on that document. It is certainly not in the final stage when we’re ready to put it as a draft in a national standard. If you go to ISO website, click in either TC 223 or societal security, it will take you to the website where you can purchase a copy of what they call PAS or public available specification. [http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=50295&commid=295786] Again, just to re-emphasize, it’s not in the standards stage yet.

Amy Sebring: Dean, when they get there, the price is in Swiss francs. Do we know what the cost is approximately in U.S. dollars?

Dean Larson: The approximate cost is about $150. Again, forgive me if I’ve shortchanged you on that. I haven’t worked in Swiss francs for a bit.

Question:
Rex Brooks: Does the ISO effort have any formal or informal liaisons with other Standards Development Organizations like OASIS and W3C?

Dean Larson: To answer your question, yes. Some of those other organizations have sent regular representatives to our TC 223 Plenary sessions and observer statuses, and others achieved the connection through the Swedish Standards Institute. That doesn’t prevent anybody from making the connection, starting to work with us in establishing a connection.

We’re looking to network in as many ways as we can, because obviously (I think you gathered from the overview) this is a pretty broad approach and we believe that it will need as much as possible. When you’re talking about advocating a new ISO standard, the more coordination with other bodies, the better off we are. I believe I responded to your question. If not, please ask for additional clarification.

Question:
Yousef Ghadanfari: Can a private organization join TC 223 and how?

Dean Larson: The organization can join in one of two ways. They can either come as part of the U.S. delegation. In other words, join the U.S. TAG, you come to a meeting as part of a private organization. Or, you can apply directly to the TC and apply for observer status. Now, when I say observer status, that’s different than an observer country.

I’ll give you an example of observer status that many of you know. ASIS International has official observer status in the TC 223, which means that they can participate in a meeting and they’re more than welcome to participate, but they have no vote. All the countries--it comes down to no matter how many representatives are at a meeting, there’s only one vote per country. So a private organization, again, could come and be part of U.S. Delegation, (we’d welcome that), or you could apply directly to TC 223 for observer status.

Question:
Richard Kinchlea: How will this standard align with the proliferation of EM & BC standards? Will there always be several standards to choose from? How do they all link together?

Dean Larson: Let me speak to the standards that I know best, and that’s the NFPA 1600. As you saw in one of those slides, 1600 was one of what they call the "Best of Five" that was used to write the original PAS. One of the things we deal with is countries that want to continue to have their national standards but in the spirit of cooperation want to work together.

I can tell you that how we’re working to align NFPA 1600 with the 2010 edition, which will be out for comments within a few weeks, by the end of this month. Again there is very little change from 2007 in terms of requirements, but a very significant reorganization to make it work with the Plan-Do-Check-Act format that is the norm for ISO. Our goal is to make sure that we continue to make a very powerful international standard, a national standard, and align in an organization to get ready for ISO.

We know that, in fact, NFPA 1600 is used in other countries. Personally, I spent Thanksgiving week in two different conferences in Argentina because Argentina has taken on as a goal to implement NFPA 1600 throughout their whole country. In fact, in one city we worked in, the mayor told me that his goal was to have his first municipality in the world in compliance with 1600.

When we worked with the Argentines, and we worked with the other countries, they keep asking us the question, "What about your 1600?" We said, "1600 is going to be there, it’s going to continue to be there. We’ve realigned it so that it is supportive of ISO rather than duplicative or conflicting standards." How we’re going to do with the multiple spread of standards, to be candid with you, I don’t know. All I can tell you is, what I’ve told the told my fellow members of the 1600 committee, we must be on the right track because other people are developing their own approach.

The national bodies in most of the other countries have established one standard. The United States, as we know, has multiple standards. As many of the people on the ISO committee will say, the marketplace will ultimately decide which is the one, including will the marketplace adopt ISO. Argentina is implementing throughout the country, but there is no government mandate to use NFPA 1600. We expect some day there will be.

The only place there is a government mandate is in the province of Ontario, and they had indicated that they had passed legislation a few years back implementing NFPA 1600. Now that has changed over to shift with Z1600, which is aligned and harmonized with 1600, but it’s more specific to Canada.

Question:
Paul John: Does this standard have any relevance to the facilities under the USEPA's National Environmental Performance Track program?

Dean Larson: I’m going to have to pass on that question. We have looked certainly at making sure we don’t have any requirements that would be in conflict with ISO 14000, and I assume that the EPA is making the same assumption. I’m going to hazard an educated guess that this would be supportive and it would be certainly something we’d do, but this is one of the things where we invite people to participate in the TAG and say, "Well let’s not forget the EPA’s standards."

So if we look at the U.S. position as we develop these standards, we want to make sure that the U.S. interests are first and foremost in our own consideration, knowing full well that we may not be able to completely sway the other countries, but we can certainly put it on the table and make a convincing argument. I apologize that I can’t respond to your question directly.

Amy Sebring: Perhaps you could speak a little bit to the private sector implications, the business continuity. I know you have those types of people involved in the NFPA Technical Committee.

Dean Larson: And we have them also involved in the U.S. TAG. We’re making sure that this standard that is being written on the ISO level is not a public standard or a private standard, but it’s both. We’re focusing on one organization, be it private or public.

In many countries they don’t have the public/private sector issues we’re dealing with in the United States. So it’s easier in their countries because they come down from a national level. But this is certainly appropriate for both, and we’re making sure that it is appropriate for both. What you’ll see is, (if you remember there was that one particular type of wiring diagram, which I said were 5 legs under there, one of the legs was business continuity), we know that the public sector can learn a great deal from business continuity because they have requirements for COOP plans and COG plans. We know that the private sector can learn a great deal from the public sector in terms of how they prepare for and respond to emergencies.

Comment:
Richard Kinchlea: Note: Z1600 is not legislated in Ontario (that's where I am an emergency manager), although it once was the plan.

Dean Larson: Forgive me if I had that in error. That’s what I was getting from the people who worked for emergency management in Ontario. When it was 1600 it was legislated for the public sector only in Ontario, not the private sector.

Question:
Joyce Shroka: The term "Societal Security" -- how was the term "security" chosen? The diagram that showed the components (business continuity, emergency management, etc.) seems to encompass more than what is normally thought of as "security".

Dean Larson: To be candid with you, there are many people on the ISO committee who wish we hadn’t picked "Societal Security". That was picked early on in the shift over from when the Soviets ran TC 223. When the Soviets were responsible for TC 223, they used the term "Civil Defense". When it was reassigned to the Swedes, the term "Societal Security" was proposed and accepted. The problem with it is, there’s not a clear-cut definition other than the author Barry Buzan said in 1991, because other theorists have taken and reinterpreted a lot of the work.

The term "security" has become problematic to us. That’s one of the reasons why Joyce that we are specifically talking about is one organization and we’re talking about those five legs. I’m certain that in your organization the security folks may say, "Now ‘Societal Security’ says this is a security issue." It’s not that at all. It is really still a broad-based issue in terms of preparing an organization. Security is one of the things we have to prepare. But certainly business continuity is something we need to prepare, too.

Question:
Amy Sebring: I’d like to follow up with a question. You emphasized a focus on one organization. Is the concept there that if each of our individual organizations has incorporated this resilience, the cumulative effect is a safer society?

Dean Larson: That’s exactly what it is. But what we’re saying is that we’re focusing on one organization; prepare that organization and prepare how they work together. If you look at some of the ISO standards, for example 9000, you’re preparing one organization for a quality system, but obviously it will work into the next organization, down and up the supply chain. We envision this particular relationship between organizations will exist if they’re using a common platform and they’re using a common response.

It’s interesting with the country of Sweden. They certainly have taken a leadership role. If you look at the country of Sweden and you say, "Why would they have to be as worried on an international basis?" Well, they had their worst peacetime disaster in Swedish history that occurred in December of 2004 when they lost 843 citizens in the tsunami. That was many thousands of kilometers from their home, but they needed to be able to interact in a same basis. That’s what our goal is—to be able to interact, but to build it from the bottom, organization to the top.

Question:
Peter Rannells: Is the intent of this TAG to develop a national or international standard for all these related disciplines that will eventually become law that will be binding on all government and private institutions?

Dean Larson: I would not think that anyone in the ISO would say that this would become international law, only because we still have the debates, and the individual countries have said, "We have the standard, the national standard, we’ll cooperate with ISO, but we’re going to resist an international law mandating it."

I would like to point back to 9000. When 9000 was implemented, it was basically a quality standard. Now it has gone to a much broader approach, when you’re talking about quality of products and quality of service. But I don’t think that anybody in any of the countries that are participating would ever advocate an international mandate. I can tell you that we have enough trouble with addressing simple things like terminology between countries and then trying to get it to the next level.

So to answer your question, no, I don’t think anybody would advocate this becoming a mandate or this becoming an international standard. But if you look at 9000, how people went up and down supply chains and said, "I’m ISO 9000 compliant because my customers want me to, so I’m going to require my suppliers to be the same." We believe that the same approach can be used here. As you’re all prepared for resilience, we know that the world is so totally interrelated, the better you’re prepared for stresses any place in the system, the better you are to work together.

Amy Sebring: The ISO 9000 and some of these other international standards, they have been widely adopted in the U.S., have they not?

Dean Larson: Absolutely. I can remember when I was working for US Steel, when they first started talking about implementation of international standards, there were people resisting. Then it came down to the point where if you wanted to do anything in the international arena, you needed to comply with 9000, and then it became the same linkage across the United States. In other words, one thing led to another because we are so interrelated. But yes, these standards are applying.

We know that DHS has shown interest in this ISO process, and for our first meeting in Bali, DHS sent their first representative to be part of the U.S. delegation and we are very happy to have that, because they are very interested in this process, too.

Question:
Yousef Ghadanfari: Would implementing NFPA 1600 for private organization be satisfactory, or do we have to implement ISO/TC 223?

Dean Larson: Our goal with 1600 is that those organizations, be they public or private, that implement 1600 will be prepared if they so choose to go to the ISO level. I think to answer your question, Yousef, is if you start with one organizational standard, you’ll be able to move into the ISO when the time comes that you’re required to move into the ISO standard.

Many people said, "I have a good quality system, I don’t need to comply with 9000." But it became the standard, the norm, and you had to participate. We think that will happen eventually. But it will be the market that will drive it, not an international regulation.

Comment:
Heather Bryan: I would just like to comment that this is precisely what we have needed in the private sector for quite some time. I often run into clients who separate security, business continuity, and emergency preparedness. My own background is a mix of the three and I have been pushing for a more fluid alignment under a common risk management framework. Thanks, I look forward to participating in any way possible.

Dean Larson: Heather, thank you very much. I would like to be flippant and say you said that just the way I wrote it, but that’s not true. If you are interested, Heather, please contact me directly and I will get you started with the U.S. TAG. I have gone out and talked to several different venues about this and people come on board and we integrate them in and assign to. This participation depends on whatever your interest and schedule to participate will allow. But we’d be happy to have you. Thank you for that comment, Heather.

Question:
Amy Sebring: I wanted to ask you, Dean, about the effort on the vocabulary? Is English the language?

Dean Larson: That’s a good question. Thank you, Amy. We have run into some issues because of how various terms translate from one language to another. The adopted language for this standard is English, but we must be very careful if it gets translated to another language that we don’t lose the context in the translation.

We’ve really dealt with several different approaches to vocabulary. At one time the vocabulary list was over 700 terms, and we all agreed that that was way too many. Now we’re dealing with a list of 23 terms, and that really doesn’t satisfy us, either. That’s something that’s headed up by the United Kingdom and they are handling that as far as that. It’s a much more difficult problem to deal with than it seems on the surface, but when you start to go into those translation issues, you lose that.

We find that in our discussions. Sometimes discussions have to be repeated, because there are countries as they translate into their native language, they discuss and it goes back and it has to repeat things only because of translation issues. Does that respond to your question?

Amy Sebring: I can see where that would be very challenging because right here in the U.S. we have so many different terms and slight variations on terms, so I was just picturing that in the international community, that issue would be compounded, as you suggest.

Dean Larson: Amy, you and I had a discussion beforehand about what is the interaction between NFPA and ANSI. NFPA has the role for being the technical advisory group, coordinator and administrator. What that means is they provide the staff support. So if you decided you wanted to join the U.S. TAG, what I would do is hand off your contact information to an NFPA staff person who would contact you directly and get you started.

Again, we’re not doing this as an NFPA-type project; this is NFPA in the name of ANSI, as it would be in any other country. In the ISO setting, one country, one vote, and the members of the ISO committee are really the national standards body, which in our case, is ANSI.

Question:
Amy Sebring: Speaking of ANSI, they have a Homeland Security working group of some sort. Are they involved as well?

Dean Larson: Are you talking about the Homeland Security Standards Panel? They have been involved. That was formed in response to the 911 Commission workings, and one of the first major tasks they had was at the request of the Commission, to find us a national standard that we can advocate for the private sector.

As a reminder, the 911 Commission really looked at the two major terrorist attacks and looked at the public sector response at the Pentagon and looked at the private sector response at the World Trade Center. One of the conclusions was that the private sector needed to do a great deal more in preparedness. They went to ANSI, who formed the ANSI Homeland Security Standards Panel, which I think has a membership of something in excess of 2,000. They said, "What standard exists on a national level in the United States that we can hand back to the Commission and the Commission can say, "This is what we advocate." And they advocated NFPA 1600 as the national standard for preparedness for the private sector. It’s not that 1600 isn’t both private and public, but the Commission focused on private sector because of the World Trade Center.

Now when we saw the homeland security standards, the Commission titled public law that was enacted in the first of August of 2007 to push the recommendations of the 911 Commission, they said at that point in time, "A standard like the NFPA 1600."

HSSP from ANSI has been involved all along. The head administrator for a few years, named Matthew Dean, has since moved on, but they’re still in place. If you noticed that quotation that I had from Dennis Schrader, that was in a meeting hosted by that same group.

Question:
Avagene Moore: Dean, I know you have always been involved and interested in acronyms as well. Everyone has a different set--not just emergency managers. Any thought on acronyms? Or do you try to avoid acronyms totally?

Dean Larson: On the international level, Avagene, acronyms would really tie us up. So we’re pretty careful trying not to proliferate acronyms like we do in this country. One of the reasons I got interested in that was working from Navy planning, the civilian agencies were confused by our acronyms. It turns out that we were just as confused by their acronyms.

In the ISO setting we try to avoid those acronyms as much as possible, because that’s just another sense of confusion when you start to translate them. For example, if you go to country of Argentina, they call their standards body IRAM. Well, that’s the last version of the title of that organization, so they didn’t confuse the issue, they just kept the same acronym, but they changed the name of the organization.

Question:
Rex Brooks: Thanks for bringing up vocabulary, Amy. My next question is related not just to languages, but to technical representations, especially for specifying the semantics of a given standard. In OASIS EM TC we have had ITU adopt the Common Alerting Protocol using an ASN [abstract syntax notation] representation of our XML specification. So my question is if ISO is choosing a standard to represent semantics, e.g. OWL v WSML (Web Service Modeling Language)?

Amy Sebring: My related question is you had mentioned that the Israelis were over the technology. Do you know what kind of direction they are going?

Dean Larson: First of all, let me address what the Israeli standards group initiated, which was a working group to discuss the kinds of technology to support Societal Security. But they were specific in saying that we’re not going to specify specific protocols that you’re suggesting. There are other ISO efforts doing that, and rather than start down a path that would end up being confusing and possibly contradictory, we’re deferring to those other bodies like the ITU to identify the exact protocols to be used. We’re dealing more with organizational issues here.

The only reason the Israelis formed this, the stated reason is that we wanted to explore the kinds of technology that would support this, but again, not to the technical level you’re suggesting. I hope I responded to your question adequately.

Amy Sebring: In other words, you think the Israelis are looking at what standards are out there, and then incorporating those into their efforts?

Dean Larson: What they’re doing is looking at and studying and saying, what are the things that would support Societal Security? That’s a pretty broad subject. But they had specifically said, "We’re not going to advocate any specific type of protocol," as you’re suggesting.

Question:
Amy Sebring: One of the legs in that chart was "crisis management". Could you explain what the slant of that is, since it’s sort of a broad term?

Dean Larson: The slant here would be talking about how crises are managed within an organization. We know that crisis management has evolved from a term that was used specifically by the FBI some years ago into now a much broader basis. For example, I have a book on my bookshelf, "A Campus Crisis Management."

One of the problems we’re dealing with on an international level is the same kinds of issues we dealt with on the 1600 committee, is because there have been so many interpretations of "crisis", what do we mean by that? What we’re really doing is probably looking toward a lead from the British Standards Institute, and starting to develop a standard on crisis management and see if that fits the other need. Of all the different areas we’ve looked at, that is probably an area that has as much interpretation when you go from country to country, even down to the point, Amy, of "what does a crisis mean"? We think of a crisis as something that would require some kind of immediate response. When you start translating to some other languages, you don’t have immediacy that you would have in English.

Question:
Amy Sebring: Are they incorporating the notion of a catastrophic level in the document you’re doing?

Dean Larson: When I say ‘catastrophic’, I think that probably goes back to the rethinking of how we do a lot of things after Katrina, because there was a catastrophe. What we really said with this effort is, if you have the resilience, obviously a catastrophe, even though you are a very resilient organization, would probably require some kind of external intervention. What we’d like to believe is we’d build those resilient organizations. Collectively they can respond much better in a catastrophe, and we would have less need for each other, and they can respond out.

I think about the way Wal-Mart responded in Katrina. Because of their supply chain system, they were able to come back online as quickly as possible. After they took care of their own internal needs, they were able to start giving things away because they were in that good of shape. Does that respond to your question?

Question:
Amy Sebring: Yes.

I notice the emphasis on organization. Are you stressing the notion of individual public resilience in any manner? In other words, what we think of as public preparedness?

Dean Larson: When you talk about an organization, it could be a municipality. In other words, when we’re talking about some kind of organizational entity that is of such a nature that you have a single lead and it could be effective and put a lot of things into change. You may end up with, for example, with our county system. You would have organizational resilience in individual municipalities, but then they are able to come together on a county level and a state level.

Amy Sebring: Individuals generally fit into an organization somewhere, whether it’s at their work, or school.

Dean Larson: That’s what we’re saying. Build from the organizational level, build up to it. But it’s certainly both a public and private organization. Many of the countries don’t have the kinds of concerns that we do because they’ve come down with much more control down from their federal level, their governmental level, their national level that says, "This is the way we’re all going to work together."

[Closing]

Amy Sebring: Time to wrap for today. Thank you very much Dean for an excellent job. Please stand by just a moment while we make a couple of quick announcements...

Again, the recording should be available later today and the transcript on Friday. If you are not on our mailing list and would like to get notices of future sessions and availability of transcripts, just go to our home page to Subscribe.

Don't forget to vote in our poll, and PLEASE take a moment to do the rating/review! I am going to load the rating/review form into Live Meeting so you can complete it on the spot. Note: We are asking you to rate the relevance of the information, and this will assist our future visitors.

Thanks to everyone for participating today. Have safe and happy holidays, and join us "next year!" We stand adjourned.