Emergency Preparedness — The Gap Between the Drill and the Real Event
Every emergency plan is correct until the moment it is needed.Last month's edition argued that contractor and vendor HSE(Q) management ends at the gate unless supervision extends into the work zone and that a documented permit-to-work is not the same as a controlled one. This month, the argument moves to a related boundary and one that has been tested in operational reality with unusual frequency over the past eighteen months: the boundary between an emergency response plan that has been written, trained, and drilled and the moment the operation is actually called to use it. Across engagements in Western Europe and the Gulf region in 2025 and into 2026, we have observed a consistent pattern. Industrial operators have invested in emergency response plans that meet regulatory requirements. They have conducted, documented, attended, and signed off drills. They have trained personnel on the procedure. They have populated tabletop scenarios with the worst credible events their hazard registers describe. And then, when an event occurs—such as a process upset, a contamination event, a state-actor strike on a facility in the Gulf, or a multi-system failure at a Western European site—the response does not match what the plan describes. The argument here is not that emergency plans are inadequate. Most are technically sound. The argument is that emergency plans are constructed against the scenarios their authors anticipated, executed by people who were trained in those scenarios, and communicated through channels that worked under controlled conditions. The actual event almost never sits inside those parameters. The gap between the drill and the real event is where the response either holds or fails — and the past eighteen months of operational experience in both regions suggest it has been failing more often than the documented record allows. This month, three failure modes are examined:
Each appears in its own form in any high-hazard industrial environment. Each surface, when the conditions of an actual emergency move outside what the drill rehearsed, is affected. 1. Scenario Selection — The Event Your Plan Was Not Designed ForThe first failure mode appears before the event itself. It is the question of which scenarios the emergency response plan was built to address. Most major-hazard operations have well-developed emergency response plans for the dominant credible scenarios in their hazard registers. A petrochemical site drills its largest credible vapor cloud event, its worst-case tank fire, and its most consequential rupture sequence. A pharmaceutical site drills a containment breach, a critical-utility loss, and an evacuation under controlled conditions. A logistics hub drills a road tanker incident or a warehouse fire involving classified material. These are the right scenarios to drill; they represent the most operationally credible events, and the regulators require them. The problem is what the drill list does not include, and the cost of that omission has been particularly visible across the Gulf region in 2026. A gas processing complex in the Gulf, in the spring of 2026—an operation under one of the region's mature industrial safety regimes, with an emergency response plan that had been in place for years and reviewed against international standards. The plan addressed every category of process emergency that the operation was designed to manage. The drill record was current. The on-site emergency response team had completed its required exercises, and the documentation reflected it. The actual event was not on the drill list. A regional security incident produced an external strike on the complex during operating hours. There was no process upset. There was no contained fire that the existing scenarios addressed. There was external impact damage to a facility section, a fire whose progression was governed by what was hit rather than by an anticipated process sequence, and — critically — a follow-on event during the response window. The team was evacuating an area when a second strike occurred elsewhere in the complex. The response now had to manage two non-contiguous incident sites simultaneously, with response resources planned and exercised for a single-location event. Public reporting across several comparable incidents in the Gulf region confirms the same pattern. A separate Gulf operation several years earlier — widely referenced in the industry record — restored production within 11 days of a multi-site external strike, an outcome that the operator publicly attributed to its emergency response readiness. The same operator also acknowledged that the response had required, for the first time in the facility's operational history, a total shutdown of the live, pressurized plant under live-fire conditions. That action had not been drilled at full scale. It was executed because the people present were operationally competent and the command structure held; it was not executed because the drill had ever asked them to do it. The lesson is not that operators should drill external attacks. In some sectors and regions, that scenario sits outside what the operator can credibly include in its planning. The lesson is that scenario selection is itself a form of control. An emergency response plan that has been drilled against the dominant in-scope hazards but not against a second-event-during-response sequence, a non-process-initiating event, or a multi-location simultaneous incident has a known shape. The actual event will probe the shape's boundaries, and the response will be tested where the drill never went. Lesson: A drill record establishes that the team can execute the scenarios the planners selected. It does not establish that the team can execute the scenarios that occur. The first is a documentation outcome. The second is an operational outcome. Treating them as equivalent is a structural error. Recommended Reading:
2. Command Authority — The Question of Who Decides Under PressureThe second failure mode appears once the event is underway. It is the question of who has the authority to make cross-functional decisions when the original plan no longer applies cleanly. A specialty composites manufacturer in Western Europe, operating under a Seveso-aligned safety regime. The operation had an emergency response manual that had been written, reviewed, and updated as required. The emergency response team had been trained. The required stakeholders—production, safety, security, environmental, occupational health, and site management—were present in the building at the time of the event. By any documentary measure, the conditions for an effective response were in place. What was not in place was a crisis management team — a defined, named, pre-rehearsed body with the authority to coordinate decisions across the response functions in real time as the event evolved beyond the manual's prescriptions. The result, under the pressure of the actual event, was that each function executed its own section of the manual. Production made the operational shutdown decisions appropriate to its area. Safety made the safety decisions. Security made the access-control decisions. The environment made the containment decisions. Each was technically correct. But there was no coordinating layer to make the cross-functional trade-offs the situation now required—when to suspend the staged shutdown to prioritize an evacuation route, when to escalate notification beyond the regulatory minimum, when to bring in an external resource early, and when to commit to a recovery path rather than a containment path. The functions were operating in parallel rather than in coordination, and under sustained pressure, the response began to lose coherence. Decisions were taken on incomplete information because no one was authorized to integrate the operating picture in real time. The system did not hold — not because the people were inadequate, but because the architecture above them was missing. The pattern is more common than the post-incident reviews suggest. Most emergency response manuals describe what each function should do. Most manuals do not explain who decides what to do when functions need to perform something the manual did not anticipate. Even fewer name an individual—by role, by deputy, or by tertiary cover—who holds decision-making authority when the named principal is unreachable. Most do not rehearse the moment of decision under conditions of incomplete information, contested priorities, and time pressure. ISO 45001:2018, Section 8.2, requires emergency preparedness and response procedures. ISO 22301:2019 requires incident response structures. Both standards require the operator to populate those structures with named decision-makers who have been rehearsed in the act of deciding, not only in the act of executing. Lesson: A procedure that describes the actions but does not name the decision-maker is a script without a director. Under controlled drill conditions, the absence of a director does not surface—every actor knows their part. Under real conditions, where the script no longer matches the scene, the absence is what determines whether the response holds together or falls apart. Recommended Reading:
3. Communication Failure — How the Operating Picture DegradesThe third failure mode is the one that determines, after the fact, whether the response is judged a success or a failure, regardless of what happened operationally. It is the communications failure that occurs when the operating picture degrades faster than the response can reconstitute it. In a drill, communications work because everyone is following the script. The notification cascade is rehearsed, and the channels are open. The information flow is unidirectional and orderly: site to incident command, incident command to corporate, corporate to regulator, corporate to customers, corporate to families, corporate to media — each in sequence, each at the appropriate moment, and each with the prepared message. In an actual event, the information flow is multidirectional and disorderly. Operations is generating updates faster than the incident command can process them. Security is reporting external developments that change the operational picture in real time. The regulator is calling for an update that the operator does not yet have the data to provide. Customers are calling to confirm whether their supply will be affected. Family members are calling because they have seen news coverage. Media outlets are publishing partial information. Insurance brokers are requesting preliminary loss reserves. Multiple stakeholders are requesting the same fact in parallel, and the operator has not yet decided what the fact is. The operating picture degrades under this load. Decisions are made on stale information because the cycle from observation to decision is now longer than the cycle from one event to the next. The communications function, which, in the manual, serves incident command, becomes the constraint that determines whether incident command has the right information at the right time to make the right call. The best operators have made the communications function part of the incident command structure, not an output of it. They have pre-positioned the playbook: a named spokesperson with a deputy and a tertiary; a same-day business continuity statement template that requires only event-specific data to deploy; a "colleagues" language convention that humanizes the operator's account without sensationalizing it; a CEO presence cadence within 48 hours at the location and with the families of those affected; and a regulator-customer-insurer notification sequence that does not wait for the full operating picture to clarify. Several operators in the region between 2022 and 2026 replicated a contemporary Gulf incident-response model, establishing what is now the working template across the sector. A Western European chemical operator working with the same architecture during a Seveso-relevant event in 2025 found that the playbook held: the operating picture remained coherent, the regulator notification sequence ran on time, the customer communications cycle stayed ahead of the news cycle, and the post-incident review focused on operational matters rather than on communications failure. Operators that had not pre-positioned the playbook found, in the same period, that the post-incident review's central finding was the communications gap, a gap that, 6 months later, materialized as a regulator inquiry, an insurance pricing discussion, and a customer audit request. The operational facts of the event do not determine the post-event judgment. The communications coherence does. Lesson: Emergency communications is not a sub-function of incident response. It is the operating picture itself. A response that performs well operationally but loses communication coherence will be judged a failure by the regulator, the customer, the insurer, and the investor, and that judgment will outlast the event. Recommended Reading:
HSEQ Market Insights — May 2026The European Commission's second Seveso III implementation report and the external emergency plan gap. The Commission's 2nd Implementation Report (COM(2025) 508 final, published 19 September 2025) covers the 2019-2022 reporting period and finds, across more than eleven thousand EU establishments, fewer than 22 major industrial accidents per year and lower harmful impacts than in earlier reporting cycles. The same report explicitly flags the operational testing gap: in 2022, 21% of existing external emergency plans had not been tested in the previous three years. For BRZO (Dutch Major Hazard Control Act) and Seveso-regulated operations across the Netherlands, Belgium, Germany, and France, the supervisory authorities now have a measured benchmark, and operators whose external plan testing falls behind the 3-year cycle have a documented exposure. The expectation through 2026 and into the next Seveso reporting cycle is for sharper enforcement of the testing cadence and external plan integration. The Critical Entities Resilience Directive becomes operational, and the regulatory question changes. The CER Directive (2022/2557) became applicable on 18 October 2024, and national authorities must identify critical entities by 17 July 2026. The directive covers eleven sectors, including energy and gas, and requires national risk assessments, operator-level resilience assessments, and technical, security, and organizational measures. For operators in the EU energy and chemicals sectors, the regulatory question is no longer whether an emergency plan exists but whether it has been tested against all-hazards threat scenarios, including security incidents, which are now within regulatory scope. After the October 2024 deadline, the Commission initiated infringement proceedings against 24 member states for failing to notify of transposition, clearly indicating that the directive will be enforced rather than merely accepted. Operational resilience becomes an investor-visible disclosure under IFRS S2 and ESRS E1. IFRS S2 requires companies to disclose climate resilience, including how they can respond to and adapt to climate-related physical risks. It is effective for annual reporting periods starting on or after 1 January 2024 in jurisdictions that adopt it. ESRS E1, which applies to the largest entities under the CSRD (European Corporate Sustainability Reporting Directive) from FY2024 onward, requires disclosure of vulnerabilities identified through physical climate risk assessments, strategies to reduce exposure, and investment plans to implement adaptation measures. For private-equity-backed industrial operations in Western Europe, the practical effect is that emergency preparedness has shifted from an internal HSE concern to an investor-grade disclosure requirement. The same operational evidence that supports the Seveso external plan testing record and the CER resilience demonstration must now also support the FY2024 and FY2025 sustainability disclosure, and the gap between operational reality and disclosed capability is increasingly visible to rating agencies, asset managers, and acquirers. Personalized Recommendations for Our SubscribersRe-run the worst-case drill on the assumption that a second event occurs during the response to the first. The drill record at most facilities reflects the response to a single initiating event. High-hazard industries have experienced a series of related events over the past five years, often with overlapping response times. The drill that does not include this sequence has a known blind spot. The next exercise should test it. Verify that the corporate communications architecture has been pre-positioned rather than assembled. Identify, by name and by deputy and by tertiary, who issues the same-day business continuity statement. Identify the language convention that will be used to refer to those affected. Identify the sequence of regulator, customer, and insurer notifications, with target times. Identify the location and cadence of the CEO's presence in the first 72 hours. If any of these are decided in real time during an actual event, the response is starting from behind. Cross-walk the emergency response plan against the ESRS E1 adaptation disclosure requirements and the IFRS S2 paragraph 22 resilience assessment. The evidence supporting the operational readiness of the emergency plan should be the same evidence base that supports the sustainability disclosure of resilience. The divergence occurs when the disclosed capability is either stronger or weaker than the operational capability, creating a governance exposure. The next investor review will examine it. Questions for You to ConsiderWhat is the difference between a drill that tests procedures and a drill that tests decision-making? A drill that tests the procedure asks each function to execute its assigned actions in sequence and verifies that the actions can be performed. A drill that tests decision-making puts the decision-maker in front of a situation the manual does not exactly cover and observes how the cross-functional trade-off is made, by whom, on what information, and in what time. The first is a training verification. The second is a verification of authority. Most drills are on the first. The events that matter test the second time. Who is in charge at 02:30 on a Sunday, and has the named person ever practiced it? Emergency response plans typically name the principal decision-maker and the deputy. Fewer plans specify the tertiary cover that applies when both the principal and deputy are unreachable. Almost no plans rehearse a 02:30 activation under realistic call-down delays, missing personnel, and the cognitive conditions of waking to a developing emergency. The drilled response occurs during the daytime. The event does not respect daytime conditions. What does ESRS E1 require you to disclose about your emergency response capability? ESRS E1 requires disclosure of vulnerabilities identified through physical climate risk assessments, strategies to reduce exposure, and investment plans to implement adaptation measures. The disclosure obligation is independent of the operational obligation under Seveso III, BRZO, ISO 45001, and the CER Directive — meaning that the same emergency response capability is now reportable in two parallel regimes, and that inconsistency between the two is itself a finding. The Practical ActionIdentify the last drill conducted at your facility. State, in one sentence, what scenario the drill tested. List the three scenarios you would now consider the most likely actual emergencies at the facility, drawn from two sources: the dominant credible events in your major hazard register and the events that have actually occurred in your sector over the past 24 months. The second list contains most of the unanticipated patterns. Score the overlap. For each of the three scenarios on the second list, answer one question: would the response your last drill rehearsed cover this event in its first thirty minutes? If the answer is yes for all three, the drill list is calibrated. If the answer is partial for one or more, the drill list has a known gap. The next exercise needs to test the gap rather than repeat what is already covered. If the answer is "no" for one or more items, the gap is not due to a drill issue. It is a plan issue, and the response architecture needs to be revised before the next drill is meaningful. This is a thirty-minute exercise. It does not require external support or permission. It surfaces the structural question that distinguishes a documented emergency response capability from a functional one. Next Month: Business Continuity Planning and Business Continuity ManagementIn June, the argument moves past the moment of emergency response and into the question that becomes operationally dominant once the immediate event is contained: how does the operation continue? Business continuity planning and business continuity management are often treated as separate disciplines from emergency response, owned by a different function and governed by a different standard. In practice, the two are continuous. The emergency response contained the incident, but the operation could not restart, leaving the business unprotected. The unintegrated continuity plan has failed to protect the operation. We will examine where the boundary actually sits, how high-reliability operators integrate the two, and what investor-grade continuity documentation looks like under ISO 22301, CER, and the converging disclosure regime. Download Our Guide: 30-Minute Compliance Vulnerability Audit for High-Risk Operations Amador Brinkman · Technique Works |