
By Bob Connors

The 9/11 Commission found that the private sector wasn’t adequately prepared to respond to or recover from a catastrophic disaster. Commission Vice Chair Lee Hamilton stated, “Now is the time for serious consideration of a national [private sector] preparedness standard,” and the Commission accepted a recommendation by the ANSI Homeland Security Standards Panel to endorse NFPA 1600 as the national preparedness standard. The recommendation was included in the Intelligence Reform and Terrorism Prevention Act of 2004, Title VII, Subtitle C, Section 7305:

It is the sense of Congress that the Secretary of Homeland Security should promote, where appropriate, the adoption of voluntary national preparedness standards such as the private sector preparedness standard developed by the American National Standards Institute and based on the National Fire Protection Association 1600 Standard on Disaster/Emergency Management and Business Continuity Programs.

A few years later, Congress felt that many of the 9/11 Commission’s recommendations had not been (fully) implemented, so in 2007 it passed the Implementing Recommendations of the 9/11 Commission Act of 2007. Title IX of that act requires DHS to “establish and implement the voluntary private sector preparedness accreditation and certification program,” and states that DHS would begin rolling the program out no later than 210 days after enactment (roughly February 2008).

DHS officially launched the Private Sector Preparedness Program (PS-Prep) in December 2008, as outlined in the Federal Register. One of the program’s first priorities was to establish the accreditation and certification process, so DHS selected the ANSI-ASQ National Accreditation Board (ANAB) to develop and manage that part of the program.

The next priority was to select the standard or standards that would be approved for PS-Prep. In October 2009, DHS announced that three standards would be proposed for the program: NFPA 1600 (Standard on Disaster/Emergency Management and Business Continuity Programs), BS 25999 (Business Continuity Management) and ASIS SPC.1-2009 (see the Institute for Business & Home Safety for a helpful crosswalk of the three standards). Once the standards were announced, DHS opened a request-for-comments period and received scores of comments, which DHS reviewed and adjudicated.

As the first half of 2010 comes to a close, Sen. Joe Lieberman and Rep. Bennie Thompson, chairmen of the Senate Homeland Security & Governmental Affairs Committee and the House Committee on Homeland Security respectively, have issued a joint memo citing their concern with the state of PS-Prep and calling on DHS/FEMA to “act promptly to implement this program and vigorously promote it within the private sector.” This is a warning shot that PS-Prep is coming, and coming soon.

Unfortunately, the memo was a reaction to the BP Deepwater Horizon disaster, and PS-Prep will not, and is not intended to, prevent a disaster like that. There is a risk management element to PS-Prep that addresses risk assessment and mitigation strategies, but don’t be fooled into thinking it could or would have prevented what is happening in the Gulf. What PS-Prep will do is enable businesses to be prepared to respond to and recover from a disaster and resume normal business operations effectively and efficiently.

There are many opinions about whether a voluntary private sector preparedness certification (i.e., PS-Prep) is necessary. The thought of business continuity/crisis management (private sector preparedness) being “regulated” through standards makes practitioners shudder. Standard is a dirty word to many people, and the thought of applying standards to preparedness is like applying standards to safety... oh wait, we already do that (via OSHA). I mean, like applying standards to security... oh, we do that too (via ASIS, DSS, NIPP and others). Opponents argue that the private sector already has preparedness programs in place and manages the process effectively. Others argue that many industries (e.g., the financial sector) already have regulations whose requirements meet or exceed anything PS-Prep would prescribe. Finally, there are those who hold that certification won’t lead to the ultimate goal, resiliency; it will just be another unfunded mandate à la Sarbanes-Oxley.

These are valid concerns, and I share them along with a few more; however, it has been my experience that many companies believe they have adequate preparedness programs in place but truly aren’t ready for a significant incident (and may not even know it). One issue is the lack of standards for planning; another is that the exercises meant to identify gaps in the planning aren’t very effective. Businesses exercise their plans for likely scenarios and identify gaps and lessons learned, but the exercises are often scripted to the point that the outcome is predictable, complete with a check in the box and a slap on the back. The result is a false sense of security that the business is prepared for a disaster.

It’s no secret that I’ve been a proponent of private sector preparedness certification from the start, and I’ve discussed and debated my position in many public forums. In fact, my presentation theme this year is “The 3 P’s of 21st Century Resiliency: People, Partnerships and PS-Prep” (more on that in another post). If businesses (or public agencies, for that matter) aren’t measured against a standard, how can we be sure they are adequately prepared to respond to and/or recover from (catastrophic) incidents? If we are to become more resilient as a nation, how can we achieve that without a way to evaluate or measure preparedness?

“Private organizations across the country—from businesses to universities to non-profit organizations—have a vital role to play in bolstering our disaster preparedness and response capabilities. These new standards will provide our private sector partners with the tools they need to enhance the readiness and resiliency of our nation.” – Secretary Janet Napolitano

If we’re going to be serious about resiliency, we need to embrace standards to some extent. If we do it right, it will be less painful and frustrating than trying to figure out whether a company you are dealing with is as resilient as it says it is.

There are a few requirements that I believe will be key to PS-Prep’s success. They include, but aren’t limited to:

1. Allow the professionals (i.e., those of us who do this for a living, not lawyers or policy people) to review and comment on the proposed standards. (Sincere thanks to Jim Caverly and his team at the DHS Office of Infrastructure Protection. They have gone above and beyond to engage all the stakeholders and listen to our feedback. This has been a very open and collaborative process, and it is much appreciated!)

2. Allow for a maturity-model certification process. This will let businesses build a business case for a higher level of maturity (if necessary), and small and medium-sized businesses won’t have to be held to the same levels as larger companies (e.g., CMMI for Services might be a starting point).

3. Allow self-assessments so small and medium-sized businesses can benefit. The Institute for Business & Home Safety “Open for Business” and American Red Cross “Ready Rating” programs provide an existing framework that could be leveraged for small and medium-sized businesses.

4. Allow businesses and industries that have regulatory requirements meeting or exceeding the proposed standards to use that evidence to achieve certification instead of going through a separate process.

5. Provide incentives and information to help build a business case for certification, for example:
* SAFETY Act-type protections for companies that get certified
* A Malcolm Baldrige-type award
* Incentives from insurance companies for certified companies

The International Center for Enterprise Preparedness (INTERCEP) at New York University has been engaged in this effort since the 9/11 Commission was established, and it is facilitating discussions around some of these “requirements.” Bill Raisch and his team have done an exceptional job pulling subject matter experts together to frame the requirements and let our collective voices be heard. Through the INTERCEP website you can review some of the research under way, ranging from business incentives to the legal issues being analyzed.

It’s time to get knowledgeable about PS-Prep and position your business to achieve certification against one of the approved standards. Twenty-first-century incidents are increasing in frequency, scale and consequence, and the private sector needs to be prepared to bounce back and help our nation recover.

If that’s not compelling enough, consider that we may be one crisis away from this voluntary program becoming mandatory.

Bob Connors is the Director for Preparedness at Raytheon Corporation.

This piece was originally posted on America First.

  • Joe Grettenberger

    Bob, I appreciate the article and agree with most of your perspective. But one part I take issue with is your statement regarding BP's Deepwater Horizon disaster: “PS-Prep will not and is not intended to prevent a disaster like that.” Granted, PS-Prep is not a guarantee of disaster prevention, but it just might have prevented the spill. The fact is that if BP was following BS 25999-2 at their rig sites and had true BCM arrangements in place with critical vendors, they may have avoided the disaster. For example, section 4.4.2 of BS 25999-2 states “[t]he organization shall carry out a range of different exercises [at planned intervals] that taken together validate the whole of its business continuity arrangements.” Isn't it true that regular testing of the drill's emergency response system would/could have included the hydraulics of the blowout preventer's blind shear ram? And wouldn't such testing have triggered the need to get the blowout preventer's blind shear ram fixed before the rig's continued operation?

    • Bob Connors

      Joe:

      Thanks for the response!

      I don't disagree with you that they may have avoided the disaster, but I made the statement because companies are going to do a cost analysis to address risk – the cost of action vs. the cost of inaction (mitigate the risk vs. accept the risk).

      BP, and many others, chose to ignore, accept, or just didn't foresee the risk, and we saw what happened. PS-Prep is not going to force them to mitigate the risk, and it may not even identify all the risks (I know – everything is foreseeable now).

      We can hope, but can't expect that PS-Prep will change the way companies do risk management. It doesn't prescribe how to do a comprehensive TVA and/or BIA, so no two companies will come up with the same risks, same remediation/mitigation steps, nor have the same leaders who will make the ultimate investment decisions.

      Thanks again for your response!
      Bob