Responding to Mail Threat: How to design an ERP and EAP

 

Introduction

Now that we discussed the various types of threats and the techniques used to detect them, we need to address how your organization will respond when a threat is detected.

There is a very high probability that your organization already has an emergency response plan and that the plan addresses some level of mailroom threats. Most of the time, however, basic emergency action plans seem to group ALL mail-borne threats into a single response category. It is important to consider a response per each threat. 

 

Definition of Emergency Response Plan and Emergency Action Plan

Response Planning is a two-step process that requires the development of an Emergency Response Plan or ERP and a separate, more detailed Emergency Action Plan (or Protocol) ERP.

The response plan identifies key elements, is specific to the anticipated threat, and is, by definition, developed to mitigate the damage associated with those threats. It ensures all required support elements are identified, responsibilities are understood, and are prepared to function together. It eliminates confusion and provides guidance that will allow dissimilar groups to work together.

The EAP is an executable plan providing specific instruction to individuals directly involved in the discovery and reporting of a threat, and the person or organization responding to that threat.  It clearly spells out, in step-by-step detail, each element of the activation, response, recovery, and reversion process,  It identifies key roles and provides options should a specific notification or response element be unavailable to respond. The EAP includes both internal and external elements.  Quarterly testing and reviews are highly recommended along with external evaluations.

While the ERP is administrative in nature, the EAP is functional, meaning it requires validation. This is normally done through tabletop, walk-through, and full-scale exercises designed to stress each element of the plan, identify weaknesses, and recommend changes. This type of coordination is necessary to avoid confusion during real-world events, where time and the situational factors are dictated and not a planning factor.

 

Risk Assessment and Planning

As with most security-related plans, conducting a pre-planning risk assessment is paramount. This will help you identify which individuals, departments, projects, or corporate elements are at risk, what groups or individuals are most likely to generate the threat, what types of threats are most likely to be encountered and what is the best method to employ when countering those threats.

Remember, risks change, as does our approach to risk management and risk assessments.

Reporting an Incident 

First, you must consider who, how, and when the incident is reported.  When identifying internal and external resources first consider the three potential locations or functions where threats are most likely to be identified, receiving, sorting, and opening. This is important because, for some users, it will determine who, and how the discovery is reported.

What should the individual, identifying the threat, do between the initial point of discovery and the time internal or external response team members arrive on the scene?  For example, an individual working in a specific location such as the loading dock or mail center who has been contaminated may go to a pre-defined space; such as, a specific restroom or emergency shower location. Administrative personnel or addressees working in a large office complex or campus, on the other hand, may need to work with their area response team to identify the best place to go and actions to take.

The next step is to identify who the person identifying the threat contacts and what information is to be conveyed. This is where a chart, such as the one shown here that list the primary, secondary and tertiary contacts comes into play. Be sure that these are prominently displayed in the area where mail is being processed and that they are checked monthly to verify accuracy.

InSert RaySecur ERP

EAP for each Threat 

From this point forward, the EAP response protocols diverge based on the threat.  For example, a potential IED will require a much broader, faster, and robust response than a letter containing threatening language and ground glass. Both are threats and both require a response but not at the same level as the physical separation from the threat.

Insert ERP Guide

It is imperative when developing our ERP and EAP  management be involved. The last thing you need is for managers, who were not involved in the EAP development and approval process, to inject themselves into a real-world event.

As a minimum, your protocols should include the following categories:

  • Potential explosives,
  • Unknown powder
  • Unknown liquids or gasses
  • Contraband such as weapons, or unauthorized recording devices
  • Written threats or suspicious content.

Notice we did not discuss specific types of threats. That is because, regardless of the technology used to classify the threat, it is outside the scope of the mail center or organization to identify the threat. Detection is the key.  Powders are powders, liquids are liquids, and IED’s or explosive devices are just that. Trying to create EAP’s that address specific threats such as Anthrax is time-consuming and offers little value.

Leave threat identification to the experts, in most cases, including those where the letter identifies the supposed threat, external first responders are the only ones capable of determining if the threat is real and actionable.

Coordinate with the External First Responders 

Coordination with local law enforcement and emergency response teams is paramount. Don’t make assumptions. Contact the agencies and invite them to tour your facility and discuss how they would respond to specific threats. Pick their brains, share your plans, and take their advice. Most of all, be sure your plan addresses the impact the activation of your EAP will have on your organizational hierarchy. In most cases, the minute a first responder enters your building, he or she is in charge and can order the evacuation of your building, bypassing security protocols, and the securing of ventilation or power. This is why joint training and exercises are critical.

In addition to first responders, be sure your plan includes reporting and notification criteria for local, state, and federal law enforcement. Coordinating with these teams prior to an event occurring will reduce confusion and jurisdictional food fights.

Transition Process -Normal state to an Emergency state – back to Normal

The final element of the ERP and EAP is the transition process. Prior to the event occurring, your organization needs to have a clear understanding as to how you will transition from normal operations to emergency operations and back to a normal state. This sounds simple but it requires a great deal of thought especially if your plan includes the use of an alternative administrative or mail handling location. It is also important to understand the implementation of an off-site screening facility or the need for a higher level of technical screening for a specific period of time.

Reviewing the Plans 

When reviewing protocols do not forget to take into consideration that any false alarms or hoax situation must be taken seriously.   It is important for the entire team to stays vigilant to new risks and future mail-borne threats.

In conclusion

The content of the ERP and EAP will vary, however, successful plans share many if not all of the common traits addressed in this video. If you have questions, don’t hesitate to contact your team at RaySecur.