Guide to ISO 22320: Emergency management requirements for incident response

Why standardization in emergency incident response matters

Natural and/or man-made catastrophic events are quickly becoming the norm. Indeed, since the 1970s, the number of weather and climate-related disasters alone has more than quadrupled to around 400 per yearⁱ. 

Unfortunately for responder agencies, few things are more challenging than procuring and deploying the right resources to the right people and places during complex disasters covering wide areas and causing mass casualty and damage. In these scenarios, the imperatives of incident response routinely overwhelm the resources and capabilities of individual agencies acting alone. Meeting the life and property-saving objectives of the disaster response, then, requires an influx of personnel, skills, technologies, facilities, equipment, and/or funding from other organizations. 

Though the organizations themselves share many of the same functions, the number and weight of those commonalities haven’t been enough to close what’s become an acute incident response performance gap. The gap has been studied carefully in the emergency management literatureii. And the consensus seems to be that emergency responses undertaken by clusters of public safety agencies incur a higher likelihood of the following:

• Extended response times
• Higher potential for loss of property and life
• Lack of shared situational awareness on the ground
• Disputes and competition as to who is in charge, when, and where
• Difficulties in filtering and validating the flood of information generated during the disaster
• Difficulties in coordination among response agencies due to incompatible infrastructureⁱⁱⁱ

What’s going on, here? Well, researchers have sought explanations to this pattern of delays in getting assistance and rescue underway, not to mention delays in decision making, and lack of clarity in command and control structures. It turns out there are myriad. Some of the reasons given: individual agencies develop independently of each other, creating heterogeneity in practices. Also cited, inadequate information and knowledge flow between participants, springing either from a lack of trust, confusion on the ground, or competition between agencies^iv. 

Significant challenges, all of them; but not insoluble problems. Indeed, the emergency management community has moved aggressively in recent times to correct many of them, foremost the glaring absence of an industrywide command and control structure for facilitating collaboration and interoperability. Those efforts, in particular, culminated in the development of the ISO 22320 standard. 

A deep dive into ISO 22320

An international, emergency management and societal security standard, ISO 22320 offers common-sense prescriptions for implementing best-practice emergency management systems and measures. Generic in nature, the standard aims to help organizations of any shape or size, in any sector, respond effectively to all categories of major incident or emergency. 

So, how does it work? The standard focuses centrally on achieving efficient coordination and cooperation between multiple actors involved in large-scale disaster management. Its explicit goal is to boost various types of interoperability, while enhancing response capabilities and minimizing impact. 

Specifically, ISO 22320 lays out a loose framework for establishing the basics of command and control within a single incident response organization. The aspects the standard touches include structures and procedures, decision support, traceability, information management, and, of course, interoperability.

It’s important to note, though, that the standard itself is not intended as a standalone solution. Instead, ISO 22320 is meant to be implemented as part of a larger incident preparedness and operational continuity management program, with a broad scope applicable to any of the following activities:

• Incident prevention and preparedness to ensure disaster resilience
• Guidance and direction in incident response
• Planning for command and control systems
• Multi-organizational coordination and cooperation
• Information and communication systems for emergency management
• Public affairs 

ISO 22320 requirements for command and control in incident response

One of the key innovations of the ISO standard is to lay out minimum requirements for the command and control system deployed during an incident response requiring multiple emergency management agencies. In that context, the primary objective of the system is to enable the organization to respond efficiently, both as an independent entity as well as jointly with other parties (See more below). 

Various elements go into achieving that core objective. The standard covers those, too, including structures, processes, and resources. For instance, to be considered ISO-compliant, the command and control system must be able to perform a number of documented actions, including the following:

• Establishing and updating goals and objectives for the incident response
• Determining roles, responsibilities, and relationships
• Establishing rules, constraints, and schedules
• Ensuring legal compliance and liability protection
• Monitoring, assessing, and reporting on the situation and progress
• Recording key decisions
• Managing resources
• Disseminating information

Advanced software capabilities to enable efficient incident response

Advanced emergency management technology can help teams and agencies bolster common response efforts, search and rescue, evacuation systems and procedures, shelters, disaster impact reports, medical care, etc. Only thing is the software in question will need robust functionality to deliver core benefits, like increased coordination and efficient information exchange. 

First things first. Nothing improves incident coordination more than system flexibility. Unfortunately, that’s where a lot of solutions fall down: they only offer advanced functionality in discrete mission areas. Instead, teams need to be able to manage all information, communications, plans, and tasks within a single, flexible platform. Specific features to improve communication and facilitate collaboration include alerts, dashboards, and collaboration spaces for teams, as well as notifications and updates via email, SMS, voice, or in app.

Teams also stand to gain in their incident response efforts from internalizing lessons learned from the field – not even just their prior experiences but collective best practices from the industry at large. What are we talking about, here? Some solutions come pre-configured with best-practice incident templates, forms, dashboards, and plans, covering common incidents like active armed offender, bomb threat, fire/explosion, emergency evacuation, emergency lockdown, emergency shelter in place, hurricane and other severe weather. 

This library of plans, checklists, work instructions, and actions can help improve command and leadership, as well. Fully-configurable workflows can lead people through common procedures, automating repetitive aspects of the dispatch process, thus removing some of the burden from dispatchers and incident managers. An example: best-practice workflows can provide standard procedures for complex tasks like activating and deactivating emergency operations centers (EOCs), or establishing incident management teams including cell structures, roles, and equired capabilities. 

As for the command and control structure, the standard’s prescriptions are likewise generic. ISO 22320 stipulates that the objective of a functional hierarchy is simply to make comprehensive and effective decisions in a timely manner. That common-sense logic also informs how the standard considers roles and responsibilities within
the hierarchy. They, too, must contribute to making comprehensive and effective decisions quickly.

The Incident Commander sits at the top of this hierarchy. It is the sole role given final decision-making authority over command and control. The purview of the role also extends to setting up the incident response organization, as well as activating, escalating, and terminating processes. 

Other roles figure in the command and control structure, too. Indeed, the entire structure is set up so that that Incident Commander can efficiently delegate authority as dictated by the pace and scale of the incident. As such, subordinating roles and responsibilities cover the following functions:

• Personnel, administration, and finance
• Situation awareness and planning
• Decision making and implementation (i.e. operations)
• Logistics
• Media and press
• Communications and transmission
• Liaising
• Public information
• Safety

What’s more, the standard appreciates the inherent fluidity of the emergency situation. It thus constructs command and control processes that are similarly dynamic (and ongoing). Decision making, of course, is one of those core processes. And it is treated as an ongoing process by the standard, segueing as it does from observation to information gathering, processing, and sharing to assessment to planning to decision making and sharing to implementation to feedback gathering and control measures and back again. 

A final point on this command and control in incident response section: effective resource management is
constitutive of a successful incident response. Flexible processes must, therefore, be provided for so as to ensure that resources remain available and functional throughout the response. 

The right technology helps, here, too. And though the ISO standards makes no specific technology recommendations, implementing agencies should consider the following resource management capabilities when procuring integrated emergency management software to increase operational effectiveness, achieve shared situational awareness, and increase the effectiveness of command:

• Mapping. Location tracking of resources in relation to assignment locations helps teams find the closest available resources quickly.
• Mobile app. Mobile-optimized software helps teams communicate with staff and volunteers wherever they are.
• Rostering and scheduling. Enables teams to create flexible resource assignment structures that can be filled and activated when needed.
• Resource allocation. Helps teams better engage with staff and volunteers to confirm availability and assign roles via email, SMS, and/or voice recording.
• Certification and documentation management. Ensures that documents are managed and kept up to date. Teams won’t have to worry about staff or volunteers with expired certifications.

Further sections: Cooperation and coordination

The case evidence makes it clear that effective interagency cooperation creates positive feedback loops. The right services and programs get recognition and visibility that, then, provide more opportunity for vital, new projects to be undertaken^v. But interagency cooperation doesn’t just happen automatically. It takes hard work and planning, some of the key elements of which are collaboration, coordination, and communication.

In many respects, that’s the point of ISO 22320, hence why it sets out general requirements for coordination among parties. For one, the standard stipulates that cooperation must be based on identified incident risks; cooperation must also yield measurable incident relief. Indeed, objectives for coordination can’t be theoretical, either. They must be highly relevant to the actual incident in question. The assessment criteria for those objectives reflect that fact:

• The establishment of the incident’s command and control structure
• Interoperability of communication, geographic and information management network
• Implementation of a communication flow plan and communication guidelines
• Identification of critical needs
• Management of resources
• Implementation of an information sharing and situation awareness policy
• Identification of common and transparent decision-making procedures
• Preparation and implementation of a logistic support network
• Continuity of the coordination process with the turnover of staff involved
• Division of operational tasks
• Setting the boundaries (geographical and areas of responsibility) between the different organizations

ISO 22320 also offers guidance for information sharing, the basis of coordination and cooperation and often one of the thorniest aspects of interoperability. Specifically, the standard stipulates establishing the appropriate means to enable the sharing of all information that can be shared among participating organizations. 

Nor does the standard neglect the human side of interoperability. A lack of trust and knowledge of other organizations often proves an unexamined barrier to successful interagency cooperation; so too does ignoring whether the capability of a given resource makes that resource incident-ready. ISO 22320 addresses both human factors in cooperation and coordination, arguing that competency levels, cultural backgrounds, operating protocols, common terminology, and language should be considered in the design of interoperable systems and structures on the ground.

Finally, while challenging, achieving interoperability is indeed possible. It just takes effort. And the brunt of that effort falls on first responders, emergency managers, government agencies, and non-governmental, public safety organizations to implement the best-practice standards, like ISO 22320, that will beef up their coordinated incident response efforts.

That’s not all those entities must do, though. Teams and agencies also have to procure and deploy advanced emergency management systems (in coordination with their ISO-implementation), so as to ensure effective interagency cooperation, either in the event of a largescale emergency, a major event, or more day-to-day emergency situations. 

Not just any system, either. ISO 22320 explicitly states that when designing or procuring said human-system interfaces, actor’s abilities, characteristics, limitations, skills, and tasks must be primary considerations. Unfortunately, most systems on the market will only present the same view for users, irrespective of who they are and what role they play in the organization. Best-practice integrated emergency management software, on the other hand, isn’t one-size fits all. It’s purpose-built for people and roles, whether that person is the Incident Commander, the head of Logistics, or a representative from the local transportation agency who has just stepped into the Emergency Operations Center for the first time.

It is in transitioning to these ISO-compliant interoperable solutions that public safety organizations will take that critical first step toward accelerating coordinated decision making and improving response outcomes.

Citations

i The Economist: Weather-related disasters are increasing. Available at https://www.economist.com/graphic-detail/2017/08/29/weather-relateddisasters-are-increasing.

ii Ovidiu Noran, Effective Disaster Management: An Interoperability Perspective.

iii Ibid.

iv Ibid.

v Kimberley I. Shoaf, Melissa M. Kelley, et al., Public Health Reports: Enhancing Emergency Preparedness and Response Systems: Correlates of Collaboration Between Local Health Departments and School Districts. Available at https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4187313/ .