SF Prepared | Finance & Administration
Preparedness is the phase prior to an emergency or disaster - in which we plan, train, exercise, and continuously evaluate and improve our readiness to Respond to and Recover from future incidents.
Pursuant to the Controller's five-year Strategic Plan, we aim to sustain the City's financial operations in a disaster. Three focal areas essential to meeting this goal are: Continuity of Operations, Emergency Management, and Cybersecurity planning.
Continuity of Operations
Continuity of Operations (COOP) is the process of maintaining an agency's essential operations when interrupted by a disaster. COOP planning should include policies and procedures for maintaining the organizational functions, personnel, systems, and records which are essential to meeting an agency's mission. Resources include:
- COOP Plan Template
- Department of Technology COOP SharePoint
- COIT Disaster Preparedness, Response, and Recovery (DPR3) Policy
- FEMA COOP resources
In accordance with California's Standardized Emergency Management System (SEMS), and consistent with the National Incident Management System (NIMS), there are five functions that a local government must be able to activate during a disaster or major emergency: Management, Operations, Planning, Logistics, and Finance and Administration. Local governments in California must use SEMS in response to multi-jurisdictional or multi-agency incidents, in order to be eligible for State reimbursement of response-related personnel costs.
Finance & Administration
The Controller's Office is the lead agency for the City's Finance and Administration function. This function is responsible for financial management in support of emergency response operations and initiating cost recovery. This may include:
- Executing pre-established emergency financial policies and procedures
- Accounting for personnel and non-personnel costs
- Expediting purchasing and contracting, in support of life safety and property protection
- Documenting and processing workers' compensation and injury claims
- Estimating actual and projected expenditures to provide for public safety, property protection, environmental health, and removal of disaster-induced debris
- Assessing physical damage to public property, estimating aggregate damage to private property, and quickly preparing and reporting loss estimates
- Maximizing and expediting recovery of losses
Cybersecurity is the prevention of damage to, unauthorized use of, exploitation of, and - if needed - the restoration of electronic information and communications systems, and the information they contain, in order to strengthen the confidentiality, integrity and availability of these systems. Cyberattacks are malicious attempts to access or damage such systems and information. Cyberattacks may result in costly downtime to vital operations and services and pose significant security, safety, and reputational risk.
The Controller's Office Cyber Audits Team assists City departments in enhancing capabilities to prevent, detect, and respond to cyberattacks. The team monitors compliance with Cybersecurity policies set by the City's Committee on Information Technology (COIT), which include:
- Citywide Cybersecurity Policy
- Cybersecurity Awareness & Training Standard
- DPR3 Policy
- Data Classification Standard
- Data Management Standard
- National Institute of Standards and Technology (NIST) Cybersecurity Framework
- FEMA Cybersecurity Resources
- Center for Internet Security Controls
Cybersecurity Preparedness Checklist
Based on the NIST Cybersecurity Framework, here are several important steps to enhance Cybersecurity:
| ✓ | Step 1: Prioritize and Scope. The organization identifies its business/mission objectives and high-level organizational priorities. With this information, the organization makes strategic decisions regarding cybersecurity implementations and determines the scope of systems and assets that support the selected business line or process. The Framework can be adapted to support the different business lines or processes within an organization, which may have different business needs and associated risk tolerance. Risk tolerances may be reflected in a target Implementation Tier. |
| ✓ | Step 2: Orient. Once the scope of the cybersecurity program has been determined for the business line or process, the organization identifies related systems and assets, regulatory requirements, and overall risk approach. The organization then consults sources to identify threats and vulnerabilities applicable to those systems and assets. |
| ✓ | Step 3: Create a Current Profile. The organization develops a Current Profile by indicating which Category and Subcategory outcomes from the Framework Core are currently being achieved. If an outcome is partially achieved, noting this fact will help support subsequent steps by providing baseline information. |
| ✓ | Step 4: Conduct a Risk Assessment. This assessment could be guided by the organization's overall risk management process or previous risk assessment activities. The organization analyzes the operational environment in order to discern the likelihood of a cybersecurity event and the impact that the event could have on the organization. It is important that organizations identify emerging risks and use cyber threat information from internal and external sources to gain a better understanding of the likelihood and impact of cybersecurity events. |
| ✓ | Step 5: Create a Target Profile. The organization creates a Target Profile that focuses on the assessment of the Framework Categories and Subcategories describing the organization's desired cybersecurity outcomes. Organizations also may develop their own additional categories. |
| ✓ | Step 6: Determine, Analyze, and Prioritize Gaps. The organization compares the Current Profile and the Target Profile to determine gaps. Next, it creates a prioritized action plan to address gaps - reflecting mission drivers, costs and benefits, and risks - to achieve the outcomes in the Target Profile. The organization then determines resources, including funding and workforce, necessary to address the gaps. Using Profiles in this manner encourages the organization to make informed decisions about cybersecurity activities, supports risk management, and enables the organization to perform cost-effective, targeted improvements. |
| ✓ | Step 7: Implement an Action Plan. The organization determines which actions to take to address the gaps, if any, identified in the previous step and then adjusts its current cybersecurity practices in order to achieve the Target Profile. For further guidance, the Framework identifies example Informative References regarding the Categories and Subcategories, but organizations should determine which standards, guidelines, and practices, including those that are sector specific, work best for their needs. |
Training & Exercise
Training and exercise are key components of Preparedness. City finance and administrative professionals are encouraged to complete the SF Prepared Finance and Administration Academy.
All State and local government employees in California are designated as Disaster Service Workers, under State law. Personal preparedness at home can help employees meet their work responsibilities in an emergency. Learn how to Get Connected, Gather Supplies, and Make a Plan.
Emergency Pocket Guide
An employee emergency pocket guide is a useful way to help ensure key information is available to employees in the event of a disaster. This includes:
- Disaster Service Worker responsibilities
- Workplace preparedness information
- Tips for preparing a go bag
- What to do if there is a disaster, including check-in procedures and important contact information
You can download a copy of our Emergency Pocket Guide in PDF, customizable in Adobe InDesign© (text files are also available).
The Response phase occurs when an active hazard or threat requires immediate actions to save lives and protect property and the environment. Depending on the scale of an incident, City resources may be supplemented by help from other local governments, State and Federal partners, and the community.
The following memorandum provides applicable financial policies and procedures in response to declared emergencies and other potentially cost recoverable incidents within the City's jurisdiction.
For applicable payroll and personnel policies, refer to:
Under the City's Emergency Response Plan, the City's emergency management organization consists of the Policy Group, Emergency Operations Center (EOC), Department Operations Centers (DOCs), and the Field.
The City's Policy Group consists of elected officials and key Department Heads and provides overall policy direction to Citywide emergency response.
Emergency Operations Center
The City's EOC monitors situational information, coordinates Citywide resources to support DOCs and field operations, and coordinates and disseminates public information.
Department Operations Centers
Key City departments operate a DOC in an emergency. DOCs manage departmental emergency operations and support personnel assigned to the field.
Finance and Administration Sections
A DOC Finance and Administration Section consists of the positions illustrated below. SF Prepared position-specific job resources are provided below - including checklists, job aids, and forms.
- Finance & Administration Section Chief
- Timekeeping Unit Leader
The Field is where emergency response actions take place, under the command of the appropriate authority, to save lives, protect property and the environment, and administer disaster relief services to the public.
Mutual Aid Deployments
The following policy and procedures apply to City departments when deploying personnel as Mutual Aid, to assist other communities impacted by an incident:
- Memorandum: Mutual Aid Deployments - Accounting for Personnel and Non-Personnel Costs
- SF Prepared Timekeeping Job Aid: Mutual Aid Deployments
Recovery occurs following an incident, when disaster-induced damage and losses require restoration of services and rebuilding.
Disaster Financial Impacts
Disasters are costly. Being financially prepared will help your agency recover.
Below are statistics on the financial impacts of past incidents impacting the City.
In 2013, the Rim Fire burned over 250,000 acres - the fifth largest wildfire in California history. The burned area includes infrastructure and other property of the San Francisco Public Utilities Commission, which operates the Hetch Hetchy Regional Water System. The fire caused over $70 million in damages and other losses to public entities. As of December 2018:
- Total Federal disaster assistance obligated to State and local government (to date) - $22.8 million
- Total estimated losses to the City - $31.5 million
- Approved insurance claims for damaged CCSF assets - $7.2 million (to date)
- Total eligible Federal and State disaster assistance obligated to the City - $6.1 million (to date)
- Total approved insurance claims and Federal and State disaster assistance obligated to the City - $13.3 million (to date)
Loma Prieta Earthquake
On October 17, 1989, the magnitude-6.9 Loma Prieta Earthquake shook for fifteen seconds, resulting in approximately $6 billion in damages (1989 value). Below are a few facts:
- Total estimated losses to State and local assets within the City - $1.3 billion (1989 value, includes Federal and State funded roadways)
- Total Federal and State disaster assistance claimed by the City - $165.7 million (actuals claimed, 1989-2001)
- Total Federal and State disaster assistance received by the City - $164.7 million (actuals received, 1989-2001)
- Date of incident - October 17, 1989
- Date of closeout, all City claims - December 18, 2001
Federal & State Disaster Assistance
- FEMA Public Assistance Program
- California Disaster Assistance Act (CDAA) Public Assistance Program
Financial Recovery Checklist
Here are several important steps local government finance agencies can take to improve financial resilience and recovery:
| ✓ | Budget a contingency fund |
| ✓ | Establish a pool of competitively bid disaster-related commodities and services |
| ✓ | Establish contingency contracts |
| ✓ | Establish emergency timekeeping and cost accounting procedures |
| ✓ | Track your assets and update insurance coverage accordingly |
| ✓ | Become familiar with insurance claim and Federal and State disaster assistance processes - including Federal, State, and local disaster declarations and preparing an Initial Damage Estimate |
| ✓ | Become familiar with the FEMA Public Assistance Program |
| ✓ | Ensure that all of your authoritative business systems have the capability to collect the level of data detail needed for Federal and State disaster assistance |
| ✓ | Back up your key financial records, including insurance documents |
| ✓ | Back up real property records, both public and private |
| ✓ | Develop failover capability for your financial and human resources systems, and other critical financial systems |