Prevention, preparedness, response and recovery (PPRR) management model of risk mitigation

Management Model

Introduction

The prevention, preparedness, response and recovery (PPRR) management model of risk mitigation is a fundamental concept of risk management that recognises four components of risk management, namely prevention or mitigation, preparedness, response and recovery (MacNeil & Topping, 2007). The management model is premised on two broad rationales. First, the model represents the phases or sequence of risk incidents and hence describes the events that take place before, during or after an incident. Second, the model classifies the agenda of available risk management strategies. Overall, the PPRR management model recommends the development of structures that espouse all four components. The Australian emergency response authorities have been quick to espouse and integrate generic risk management using the PPRR model (Rogers, 2011). In spite of the ready uptake of risk management, risk management practitioners lack clarity about what the PPRR management model is, its relevance and context, and how the model should be formulated. This essay argues that PPRR is an integrated risk management model that uses a systems approach to tackle complex and unexpected situations, prevent discrete risks, build system resilience and enable adaptive management response. It is further shown that the model can be used to manage security-related issues across security’s broad domain using the systems approach.

Understanding PPRR management model of risk mitigation

Background of PPRR

The PPRR management model was first proposed in 1978 by the State Governors’ Association in the United States. It was first considered as a comprehensive means for emergency management in 1978, as a policy structure that covered prevention, preparedness, response and recovery (MacNeil & Topping, 2007). The model was afterwards imported to Australia, where it was espoused as an emergency management policy framework. Subsequently, it was adopted in Australia after the Ash Wednesday bushfires that occurred in South Australia in 1983, which provided an impetus to adopt a comprehensive risk management strategy before, during and after crises. The Natural Disasters Organisation [presently Emergency Management Australia (EMA)] first adopted the management model in the 1980s. Afterwards, it was integrated into Australian state legislation, where it is widely used today. Currently, the management model is embraced by several emergency management authorities in Australia. Indeed, a survey of state-level Hazard Management Plans shows that the PPRR model is a central theme in the management of hazards (Hodges, 2000). A case in point is the State Emergency Service of WA, which has formulated emergency plans based on the PPRR components. Other hazard management authorities, such as the Fire Services of WA, have since 1999 embraced the four components in their corporate plans. The Metropolitan Fire and Emergency Services Board in Melbourne has also listed the PPRR components in its corporate strategies. Additionally, the Queensland Fire and Rescue Authority classifies the four PPRR components in its emergency management.

Analysis of confusions regarding the definition of PPRR

Confusion regarding the definition and implications of the PPRR management model has originated from a lack of recognition that the model should be based on a systems approach. It is therefore reasoned that, even with the ready uptake of risk management, precision of thought has always been lacking among risk management practitioners about what the PPRR management model is, its relevance and context, and how the model should be formulated (Painilainen, 2011). For instance, Emergency Management Australia (EMA), which has used the model since 1983, has issued erroneous risk management strategies with limited understanding of the PPRR management model. For instance, Emergency Management Australia’s (2000) Emergency Risk Management Applications Guide, which specified the risk management process for community risks, indicated that one of the last stages of a comprehensive analytical process model is generating options for risk treatment, where PPRR is incorporated as a latent means of considering risk treatment. However, the last stages should be response and recovery (Crondstedt, 2002).

Indeed, this shows that a misunderstanding of risk management, and of the differences between treating risks and addressing emergencies, is prevalent. It also shows that there is a misunderstanding that the risk management process is separate from, and an addition to, the PPRR process (Gabriel, 2003). Hence, a better understanding of the prevention, preparedness, response and recovery management model of risk mitigation should rest on depicting the PPRR model as based on a systems approach (Rogers, 2011). Four meanings are therefore suggested.

PPRR is an integrated risk management model

A more satisfactory union of the PPRR management model and risk management is anchored in recognising that treating or reducing risks, through reduction of their likelihood and consequences, is the same as what is referred to as prevention or mitigation, and is focused on attaining the same goal. Within the context of an emergency, risk reduction will seldom result in the elimination of a certain risk unless response takes place (Rogers, 2011). In that case, there is a need for the exposed community or organisation, along with the emergency response team, agency or professionals, to integrate response and recovery. Hence, a central benefit of the emergency risk management approach should be to pursue all the means of response and recovery, other than prevention and preparedness, to counter the likelihood of risks and their potential consequences, as shown in Figure 2.

Figure 1: Emergency Risk Management (Crondstedt, 2002)

This perspective is supported by Crondstedt (2002), who posited that in risk management based on the PPRR management model, an unrestrained estimation of the likely treatments is a critical component of deriving better means of risk treatment. Crondstedt (2002) further pointed out that risk management practitioners should look beyond the structures that restrain the application of prevention and preparedness. He further argued that risk management would also be less effective if the focus was only on response and recovery. In that case, the four components, namely prevention, preparedness, response and recovery, must all be given due consideration.

PPRR is a model for comprehensive analysis of risks

PPRR is a model for comprehensive analysis of the likelihood of risks and their consequences. PPRR seeks to approach security in a structured way. It ensures a comprehensive analysis of the likelihood of risks and their consequences (Helm, 2013). It takes a systems approach to managing risks, reducing risk exposure and building resilience through recovery. It is an integrated risk management model that uses a systems approach to tackle complex and unexpected situations. It ensures that an organisation or its security practitioners have systems in place for adaptive management of crises (Young & Leveson, 2014). Based on these perspectives, it is opined that, under a systems approach, the components of the model, namely prevention, preparedness, response and recovery, have to be managed as a whole to prevent separate risks, build system resilience and enable adaptive management response.

Hence, the four components must function as an integrated system. This is based on General Systems Theory, which specifies that a system will only work effectively when its interrelated components work as integrated parts, rather than independently (Patton & McMahon, 2006; Mele et al., 2010). The first component mitigates hazard impacts. The second component ensures preparedness within the organisation. The third component offers effective response after the risk. The fourth component offers recovery of the organisation affected by the risk impact.

PPRR is a system for classification of risks

Emergency planning involves the key phases for addressing threats, namely prevention, protection, response and recovery (PPRR). The phases are often depicted as components of a continuous process. The PPRR model is hence a technique for classifying risk reduction alternatives, based on prevention, preparedness, response and recovery. The PPRR management model has found extensive application in risk management’s combination of treatments, as indicated in Figure 1.

Figure 1: The place of PPRR in risk management (Crondstedt, 2002)

Figure 1 makes it evident that the PPRR management model classifies the accessible risk treatment options, instead of describing the cycle or phases of incidents. The context of risk is established before each risk is identified, analysed and assessed, and a range of treatments for the risk is considered. Several prevention, preparedness, response and recovery treatment alternatives are suggested.

PPRR is a framework for planning risk mitigation

PPRR is a model for planning frameworks for risk management. It is within this structured framework that risk management presents a means of considering and planning frameworks for managing risks (Crondstedt, 2002). To this end, the risk management framework allows for a focus on the risks, and how they interact in a certain context, rather than just the hazards. PPRR also allows for the formulation of a range of approaches to ensure security and safety by reducing the risk through modification of the “likelihood” or the likely “consequences”. For instance, they improve the resilience of certain people or organisations exposed to certain risks. The PPRR model also encourages the engagement of a broader group of professionals or individuals than just the safety or security services (Rogers, 2011).

Using the PPRR model to manage security-related issues across security’s broad domain

Security threat assessment and management

The PPRR management model offers a framework for managing security-related issues across security’s broad domain. Indeed, it can be argued that the functions of PPRR, namely prevention, preparedness, response and recovery, relate to the functions of physical security systems, namely deter, detect, delay, respond and recover (Fay, 2006).

Prevention or mitigation involves the actions intended to reduce the security threats from human-caused incidents, such as terrorism (Shrivastave, 2005). Here, prevention planning helps reduce the opportunistic and secondary events that are likely to take place after a primary incident. Including the mitigation methods in the broad planning helps in gathering the intelligence or information essential for overall security planning (Paton & Johnston, 2006). Overall, prevention includes the actions taken to eliminate or reduce the likelihood and impacts of an incident. At this level, the security personnel are supposed to promote the relationship with the emergency response organisation that may play an integral role in the emergency. They also need to play an integral role in a range of mitigation practices, specifically in respect to the protection of personnel or infrastructure, such as handling suspicious mail (Prezelj, 2012).

Protection includes the preparedness activities or processes aimed at eliminating or reducing a threat to property, the environment or individuals (MacNeil & Topping, 2007). It is principally focused on combative incidents and on protecting critical resources or infrastructure. It is important for national security. Protection planning is specifically designed to safeguard people and their property, critical infrastructure and freedoms. Protection actions can happen before an incident, or during and after an incident (Fenelly, 2012). At these stages, they prevent, reduce and contain the incident’s overall impact. At this stage, security systems are intended to promote substantial elements of preparedness measures. For instance, the security staff conduct a business impact analysis or review the existing ultra-high frequency (UHF) communications network to ensure that it can suitably supplement the global system for mobile communications (GSM) in case of an emergency.

Response covers the actions pursued in the immediate aftermath of an incident to reduce the loss of property, in addition to the impact on critical infrastructure. It refers to the overall activities aimed at containing, controlling or minimising an incident’s impacts (Gabriel, 2003). After an incident, the response activities minimise the psychological, physical, economic and social impacts of the incident. Response planning offers swift and efficient incident assessment to guarantee a speedy, adaptable, flexible and scalable response. Here, the security personnel play a critical role in risk mitigation by responding to incidents or organising the response team (Painilainen, 2011).

Recovery covers the short- and long-term efforts intended to rebuild and revitalise areas that have been affected by an incident. It also provides seamless transition from the response processes to the short-term recovery operations, such as restoring interrupted services. Long-term recovery plans are aimed at maximising results, through efficient application of resources. It comprises the steps taken to minimise disruption.

The model manages security threats within the context of crisis management

The increased global incidence of large-scale criminal activities and terrorism has underscored the need for management of security risks as a component of crisis management (Brooks, 2006). This demand for crisis management to protect people, property and valuable assets from adversarial attacks has reflected the need for security risk management to prevent crises and emergencies. This, in turn, has reflected the need for comprehensive risk management frameworks, such as the PPRR management model. Globally, incidents of mass-scale terrorism that have caused large-scale human loss include the bombing of the US Embassy in Nairobi in 1998, where more than 250 people were killed, and the 9/11 terrorist incidents in New York and Washington in 2001. Other terrorist bombings include those in Saudi Arabia and Morocco in 2003 and Indonesia in 2004.

Hence, the need to manage the crises resulting from terrorist attacks on people and facilities has created the need for a crisis management model to ensure effective prevention, preparedness, response and recovery (Willis, 2011). Hosie and Smith (2004) suggest that such large-scale terrorist attacks have focused international and national attention on the need for comprehensive risk management strategies, in regards to security management, security technology and security risk management, through prevention, preparedness, response and recovery by the community services, military, civilian police and private organisations (Zarate, 2008). Hence, the PPRR management model can be used to manage security-related issues across security’s broad domain.

Crisis management approaches have evolved to warfare and military intervention

Hosie and Smith (2004) suggest that approaches in crisis management have undergone transformation from responding to natural disasters into responding to warfare and militarist efforts. Indeed, the modern-day concepts of crisis management are concerned with issues linked to response and recovery. Both response and recovery are basic components of PPRR management model.

This is specifically due to the terrorist acts of the 21st century. In that case, corporate initiatives to develop countermeasures based on past events have originated from the idea that crisis management should also prepare for terrorist attacks. A significant part of prevention and preparedness has been training security personnel at the organisational level to respond to a crisis and to recover from the incidents (Rumelili, 2013).

Security is a critical and apparent feature of the PPRR management model

As stated by Heath (1993), more and more organisations that deal with crisis management have habitually adopted the PPRR four-stage management model (Figure 3) to offer learning. According to Hosie and Smith (2004), PPRR is an interactive model whose components relate to security management within the broader crisis management. Hosie and Smith (2004) indicated that the sequence of prevention, preparedness, response and recovery logically starts off with preparation, although random events such as the 9/11 attacks have indicated that it may actually start with response when the preparedness phase is insufficient (Robinson et al., 2010). Hence, the response and recovery components of the crisis management model are interconnected and are central to deterrence, delay, response and recovery. Therefore, security is a critical and apparent feature of the PPRR management model.

Security threat is the primary focus of the PPRR management model

The PPRR components of crisis management are applicable to organisations, facilities, national infrastructure and national government agencies such as the civilian police and the military services. Hutchinson (2005) suggested that, in a bid to attain a more professional approach to crisis management, organisations have to prepare, plan and execute particularly for security threats, through assessment of the risks to an organisation as well as evaluation of the consequences of security threats, such as terrorism. Similarly, security threat mitigation is the primary focus of the PPRR management model.

The principle of the prevention phase relates to the concept of physical security

The purpose of the prevention phase of PPRR is to identify, and subsequently reduce and eliminate, the underlying sources of risks. Similarly, the prevention phase requires that an organisation integrate several approaches that relate to installing physical security barriers, consistent with the Defence in Depth theory. In the same manner, physical security is intended to delay intrusion by means of barriers, allowing sufficient time for the response team to respond to the intrusion (Coole et al., 2012; Alach, 2007).

Conclusion

This essay has argued that PPRR is an integrated risk management model that uses a systems approach to tackle complex and unexpected situations, prevent discrete risks, build system resilience and enable adaptive management response. Even with the ready uptake of risk management, precision of thought has always been lacking among risk management practitioners about what the PPRR management model is, its relevance and context, and how the model should be formulated. The reason is a lack of recognition that the model should be defined and used based on a systems approach. It is concluded that the PPRR management model should be recognised as an integrated risk management model. It should also be depicted as a model for comprehensive analysis of risks. PPRR is also an integrated system for classification of risks. Lastly, it is a framework for planning risk mitigation.

Based on the systems approach, the model can be used to manage security-related issues across security’s broad domain. This is because it ensures effective security threat assessment and management (Smith & Brooks, 2012). Further, the model manages security threats within the context of crisis management. Additionally, the crisis management efforts that PPRR is concerned with have evolved to warfare and military intervention. Next, security is a critical and apparent feature of the PPRR management model. Security threat is also the primary focus of the PPRR management model. Lastly, the principle of the prevention phase relates to the concept of physical security.

References

Alach, Z. (2007). Mapping the elements of physical security towards the creation of a holistic physical security model. Master of Science (Security Science) thesis, Edith Cowan University.

Alach, Z., & Smith, C.L. (2002). A suggestion for a holistic (descriptive) approach to modelling physical security decisions. Proceedings of 3rd Australian Information Warfare and Security Conference, 107-116.

Brooks, D. (2006). Mapping the consensual knowledge of security risk management experts. Proceedings of the 7th Australian Information Warfare and Security Conference, Edith Cowan University, Perth, Western Australia, 4th-5th December, 2006.

Coole, M. & Brooks, D. (2014). Do Security Systems Fail Because of Entropy? Journal of Physical Security 7(2), 50-76

Coole, M., Corkill, J. & Woodward, A. (2012). Defence in Depth, Protection in Depth and Security in Depth: A Comparative Analysis Towards a Common Usage Language. Proceedings of the 5th Australian Security and Intelligence Conference, Novotel Langley Hotel, Perth, Western Australia, 3rd-5th December, 2012.

Crondstedt, M. (2002). Prevention, Preparedness, Response, Recovery: An Outdated Concept? Australian Journal of Emergency Management 17, 10–13.

Emergency Management Australia. (2000). Emergency Risk Management Applications Guide. Australian Emergency Manual Part II, Vol. 1.

Fay, J. (2006). Contemporary Security Management. Burlington, MA: Butterworth-Heinemann

Fenelly, L. (2012). Effective Physical Security. (4th ed.) Waltham, MA: Butterworth-Heinemann

Gabriel, P. (2003). The development of municipal emergency management planning in Victoria, Australia. The Australian Journal of Emergency Management 18(2), 74-80

Heath, R. (1993). Dealing with complete crisis-the crisis management shell structure. Safety Science, 30, 139-150.

Helm, P. (2013). Risk & Resilience: A Systems Approach for National Security. IRGC International Conference, Tsinghua University, Beijing, 10 January 2013

Hodges, A. (2000). Emergency Risk Management. Risk Management 2(4), 7-18

Hosie, P. & Smith, C. (2004). Preparing for Crises with Online Security Management Education. Research and Practice in Human Resource Management, 12(2), 90-127.

Hutchinson, B. (2005). Proceedings of the 4th European Conference on i-Warfare and Security (ECIW 2005). Reading: Academic Conferences Limited

MacNeil, W. & Topping, K. (2007). Crisis management in schools: evidence-based prevention. Journal of Educational Enquiry 7(1), 64-91

Mele, C., Pels, J. & Polese, F. (2010). A Brief Review of Systems Theories and Their Managerial Applications. Service Science 2(1/2), 126-135

Painilainen, H. (2011). Out of the Woods: Crisis Management in Finnish National Parks. Retrieved: <https://publications.theseus.fi/bitstream/handle/10024/32035/Painilainen_Heidi.pdf?sequence=1>

Paraskevas, A. (2013). Aligning strategy to threat: a baseline anti-terrorism strategy for hotels. International Journal of Contemporary Hospitality Management, 25(1), 140-162.

Paton, D. & Johnston, D. (2006). Disaster Resilience: An Integrated Approach. Springfield: Charles C Thomas Publisher

Prezelj, I. (2012). Challenges in Conceptualizing and Providing Human Security. HUMSEC Journal, Issue 2, 1-22

Robinson, L., Hammitt, J., Aldy, J., Krupnick, A. & Baxter, J. (2010). Valuing the Risk of Death from Terrorist Attacks. Journal of Homeland Security and Emergency Management 7(1), 1-18

Rogers, P. (2011). Development of Resilient Australia: enhancing the PPRR approach with anticipation, assessment and registration of risks. The Australian Journal of Emergency Management 26(1), 54-58

Rumelili, B. (2013). Identity and desecuritisation: the pitfalls of conflating ontological and physical security. Journal of International Relations and Development doi: 10.1057/jird.2013.22

Shrivastave, P. (2005). Managing Risks in the Age of Terror. Risk Management: An International Journal 7(1), 63-70

Smith, C. & Brooks, D. (2012). Security Science: The Theory and Practice of Security. Oxford: Butterworth-Heinemann

Talbot, J. & Jakeman, M. Security Risk Management Body of Knowledge. New York: John Wiley & Sons

Willis, H. (2011). Using Risk Analysis to Manage Terrorism Risk. Research Project Summaries. Paper 97

Young, W. & Leveson, N. (2014). An Integrated Approach to Safety and Security Based on Systems Theory. Communications of the ACM 57(2), 31-35

Zarate, P. (2008). Collaborative Decision Making: Perspectives and Challenges. Amsterdam: IOS Press