Title: Examining the Regulatory Landscape
1. Examining the Regulatory Landscape
Continuity Insights April 27, 2009
- Al Berman
- DRI International
2. Post-9/11 / Pre-9/11 (timeline of standards and regulations, 1991-2008)
Post-9/11 (2002-2008):
- Sarbanes-Oxley Act of 2002
- HIPAA, Final Security Rule
- FFIEC BCP Handbook (2003/2008)
- Fair Credit Reporting Act
- NASD Rule 3510
- NERC Security Guidelines
- FERC Security Standards
- NAIC Standard on BCP
- NIST Contingency Planning Guide
- FRB-OCC-SEC Guidelines for Strengthening the Resilience of US Financial System
- NYSE Rule 446
- California SB 1386
- Australia Standards BCM Handbook
- GAO Potential Terrorist Attacks Guideline
- Federal and Legislative BC Requirements for IRS
- Basel Capital Accord
- MAS Proposed BCP Guidelines (Singapore)
- NFA Compliance Rule 2-38
- FSA Handbook (UK)
- BCI Standard, PAS 56 (UK)
- Civil Contingencies Bill (UK)
- FPC 65
- NYS Circular Letter 7
- ASIS
- State of NY FIRM White Paper on CP
- NISCC Good Practices (Telecomm)
- Australian Prudential Standard on BCM
- HB221, HB292
- BS25999
- SS507, SS540, TR19
- CA Z1600
- ISO/PAS 22399
- Title IX, PL 110-53
Pre-9/11 (1991-2001):
- Consumer Credit Protection Act
- OMB Circular A-130
- FEMA Guidance Document
- Paperwork Reduction Act
- ISO 27002 (previously ISO 17799)
- FFIEC BCP Handbook
- Computer Security Act
- 12 CFR Part 18
- Presidential Decision Directive 67
- FDA Guidance on Computerized Systems used in Clinical Trials
- ANSI/NFPA Standard 1600
- Turnbull Report (UK)
- ANAO Best Practice Guide (Australia)
- SEC Rule 17a-4
- FEMA FPC 65
- CAR
- JHACO
- DRII
3. BCP Standards for Financial Institutions
- Federal Financial Institutions Examination Council (FFIEC) BCP Handbook
  - Business continuity planning is about maintaining, resuming, and recovering the business, not just the recovery of the technology.
  - The planning process should be conducted on an enterprise-wide basis.
  - A thorough business impact analysis and risk assessment are the foundation of an effective BCP.
  - The effectiveness of a BCP can only be validated through testing or practical application.
  - The BCP and test results should be subjected to an independent audit and reviewed by the board of directors.
  - A BCP should be periodically updated to reflect and respond to changes in the financial institution or its service provider(s).
4. BCP Standards for Financial Institutions
- NASD Rule 3510
  - Rule 3510 will require a business continuity plan that addresses, at a minimum:
    - Data back-up and recovery (hard copy and electronic)
    - Mission critical systems
    - Financial and operational assessments
    - Alternate communications between customers and the firm
    - Alternate communications between the firm and its employees
    - Business constituent, bank and counter-party impact
    - Regulatory reporting
    - Communications with regulators
5. BCP Standards for Financial Institutions
- NYSE Rule 446
- National Association of Insurance Commissioners (NAIC)
- National Futures Association Compliance Rule 2-38
NYSE Rule 446:
(a) Members and member organizations must develop and maintain a written business continuity and contingency plan establishing procedures to be followed in the event of an emergency or significant business disruption. Members and member organizations must make such plan available to the Exchange upon request.
(b) Members and member organizations must conduct a yearly review of their business continuity and contingency plan to determine whether any modifications are necessary in light of changes to the member's or member organization's operations, structure, business or location.
NFA Compliance Rule 2-38:
(a) Each Member must establish and maintain a written business continuity and disaster recovery plan that outlines procedures to be followed in the event of an emergency or significant business disruption. The plan shall be reasonably designed to enable the Member to continue operating, to reestablish operations, or to transfer its business to another Member with minimal disruption to its customers, other Members, and the commodity futures markets.
6. BCP Standards for Financial Institutions
- Electronic Funds Transfer Act - held that banks were liable for actual damages caused by failing to transfer funds in a timely fashion. This required the establishment of contingency plans to meet the reasonable standard of care (the care that a reasonable man would exercise under the circumstances; the standard for determining legal duty).
- Basel Committee's Capital Accords and Sound Practices for the Management and Supervision of Operational Risk - "Banks should have in place contingency and business continuity plans to ensure their ability to operate on an ongoing basis and limit losses in the event of severe business disruption." (Seventh Principle in Sound Practices for Management and Supervision of Operational Risk)
- Reserve Bank of India - Operational Risk Management - Business Continuity Planning - "Business Continuity planning is a key pre-requisite for minimising the adverse effects of one of the important areas of operational risk: business disruption and system failures."
7. FINRA (Financial Industry Regulatory Authority)
- Business Continuity Planning
  - NASD Rules 3510 and 3520 require firms to create and maintain business continuity plans (BCP) to use in the event of a significant business disruption.
  - Rule filings associated with Business Continuity Planning (SR-NASD-2002-108)
  - FINRA's Business Continuity Plan
  - Small Firm Emergency Partner Program: A Voluntary Addition to a Firm's BCP
  - Securities and Exchange Commission / Board of Governors of the Federal Reserve System / Office of the Comptroller of the Currency Joint White Paper on Business Continuity Planning
  - The Disaster Recovery Institute
  - Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security
8. BCP Standards for Insurance Companies
- NYS Circular Letter 7
- Board of Directors support
- Training and education
- Scenario based and operational plans
- Testing and communications plans
- Annual updates and changes submitted to the
Department, starting on June 1, 2005
9. NOT JUST IT
- United States
- FFIEC March 2008
- Business continuity planning is about
maintaining, resuming, and recovering the
business, not just the recovery of the
technology. The planning process should be
conducted on an enterprise-wide basis.
10. NOT JUST IT
- Singapore
- Monetary Authority of Singapore June 2003
- Business Continuity Management (BCM) is an
over-arching framework that aims to minimise the
impact to businesses due to operational
disruptions. It not only addresses the
restoration of information technology (IT)
infrastructure, but also focuses on the rapid
recovery and resumption of critical business
functions for the fulfilment of business
obligations.
11. NOT JUST IT
- Australia
- Australian Prudential Standard April 2005
- Business continuity management (BCM) describes
- a whole of business approach to ensure critical
business functions can be maintained, or restored
in a timely fashion
13. BCP Standards for the Healthcare/Life Science Industries
- Health Insurance Portability and Accountability Act of 1996 (HIPAA), Final Security Rule
  - 7. Contingency Plan (§ 164.308(a)(7)(i))
  - "We proposed that a contingency plan must be in effect for responding to system emergencies. The plan would include an applications and data criticality analysis, a data backup plan, a disaster recovery plan, an emergency mode operation plan, and testing and revision procedures."
  - "In this final rule, we make the implementation specifications for testing and revision procedures and an applications and data criticality analysis addressable, but otherwise require that the contingency features proposed be met."
14. HIPAA BCP REQUIREMENTS
- State privacy laws are NOT preempted by federal privacy rules, unless there is a direct conflict
- If state law is more stringent, or covers an area not covered by federal rules, state law controls
Is it enough ????
15. BCP Standards for the Healthcare/Life Science Industries
Manufacturing / Laboratory / Clinical
- FDA's GxP Good Practices
- FDA Guidance on Computerized Systems in Clinical Trials
  IX. SYSTEM CONTROLS
  B. Contingency Plans: Written procedures should describe contingency plans for continuing the study by alternate means in the event of failure of the computerized system.
  C. Backup and Recovery of Electronic Records: Backup and recovery procedures should be clearly outlined in the SOPs and be sufficient to protect against data loss. Records should be backed up regularly in a way that would prevent a catastrophic loss and ensure the quality and integrity of the data.
16. BCP Standards for the Energy Industry
- Federal Electric Reliability Council's (FERC) Security Standards for Electric Market Participants, July 2002
- North American Electric Reliability Council's (NERC) Security Guidelines for the Electricity Sector, June 2002
"Business Continuity: Every participant operating a critical electric resource shall have contingency plans that define roles, responsibilities and actions for protecting the rest of the electric grid and market from the failure of its own critical resources. Those plans should further define the roles, responsibilities and actions needed to quickly recover or reestablish electric grid and market functions, processes and systems, in the event that a critical physical or cyber resource fails or suffers harm or attack. Such plans shall be tested or exercised regularly."
- Continuity of Business Processes
  - Reduces the likelihood of prolonged interruptions and enhances prompt resumption of operations when interruptions occur. Consider flexible plans that address key areas such as telecommunications, information technology, customer service centers, facilities security, operations, generation, power delivery, customer remittance and payroll processes. It is useful to revise and test plans on a regular basis. It also is advisable to train personnel so they fully understand their roles with respect to the plans.
17. Cross-Industry BCP Standards
- Sarbanes-Oxley Act of 2002
SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS.
(a) RULES REQUIRED. The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
(b) INTERNAL CONTROL EVALUATION AND REPORTING. With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.
IS THERE BCP IN SARBANES-OXLEY????
18. Is There BCP in Sarbanes-Oxley?
- PCAOB (Public Company Accounting Oversight Board): NO
"Furthermore, management's plans that could potentially affect financial reporting in future periods are not controls. For example, a company's business continuity or contingency planning has no effect on the company's current abilities to initiate, authorize, record, process, or report financial data. Therefore, a company's business continuity or contingency planning is not part of internal control over financial reporting."
19. Is There BCP in Sarbanes-Oxley?
YES
20. Municipal Governments
- "Therefore, I have ordered the Department of Homeland Security to undertake an immediate review, in cooperation with local counterparts, of emergency plans in every major city in America." - President Bush, 9/15/05
21. Municipal Governments
- Continuity of Operations (COOP)
- Continuity of Government (COG)
- FEMA Federal Preparedness Circular (FPC) 65
  - Originally issued June 1999 (James Lee Witt)
  - Revised June 2004 (Michael Brown)
22. Rating COOP Compliance: FEMA 65 Crosswalk
23. Are They A Client?
- FFIEC Appendix E - Interdependencies
  - THIRD-PARTY PROVIDERS, KEY SUPPLIERS, AND BUSINESS PARTNERS
  - outsourcing information, transaction processing, and settlement activities
  - Institutions should review and understand service providers' BCPs and ensure critical services can be restored within acceptable timeframes based upon the needs of the institution
  - If possible, the institution should consider participating in their provider's testing process.
HOW FAR DOES THIS EXTEND?????
24. Are They A Client?
- HIPAA Business Associate (aka Chain of Trust)
  - "the business associate must (1) implement safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity; (2) ensure that any agent, including a subcontractor, to whom it provides this information agrees to implement reasonable and appropriate safeguards"
25. Singapore: The Model for the Future?
- SS 540: Revision to TR19 (PDCA: Plan, Do, Check, Act), New BCM Framework
- Standard for Business Continuity / Disaster Recovery Service Providers (SS507) - Singapore is the first country in the world to introduce a Standard and Certification program for BC/DR service providers. Developed by the Infocomm Development Authority of Singapore and the IT Standards Committee (ITSC), the Standard specifies the stringent requirements for BC/DR service providers. These requirements benchmark against the top practices in the region and stipulate the operating, monitoring and up-keeping of BC/DR services offered.
- TR19 (Technical Reference 19) - aims to help Singapore-based enterprises build competence, capacity, resilience and readiness to respond to and recover from events that threaten to disrupt normal business operations.
- PROPOSED BUSINESS CONTINUITY MANAGEMENT REQUIREMENTS FOR SGX MEMBERS, May 2008
26. China / Japan
- Chinese Business Continuity Management Committee (CBCM) - Setting Standards for Chinese
  - Emergency Response
  - Business Continuity
  - Still IT Centric (Committee exists under technology directorate)
  - Will Greatly Influence its Business Partners
- Japanese Crisis Management Preparedness Organization (CMPO)
- Business Continuity Advancement Organization (BCAO)
27. Australia 2008-9
- Introducing 3 New Standards Handbooks to Align with ISO 31000 (Risk Management Standard), Due for Release in February 2009
  - Management Standard
  - Practice Standard
  - Audit Standard
28. Standards
- Uniform Commercial Code
  - Preparing for foreseeable business disruption
- National Institute of Standards and Technology (NIST)
  - Contingency Planning Guide for Information Technology Systems
- IT Governance Institute Standards: COBIT
  - Control objectives for information and related technology
29. ISO Standards and Business Continuity
- ISO/TS 16949 - Applicable to any supplier to an automotive original equipment manufacturer
- ISO 27001 (previously designated ISO 17799) - Deals with Information Security
- ISO 9001, Quality Management - Record Retention and Data Availability
- ISO 14001, Environmental Mgt - Emergency Preparedness and Response
- ISO/PAS 22399 Societal Security - Guideline for incident preparedness and operational continuity management
ISO/TS 16949, Section 6.3.2, Contingency Plans: "The organization shall prepare contingency plans to satisfy customer requirements in the event of an emergency such as utility interruptions, labor shortages, key equipment failure, and field returns."
ISO 17799, clause 11:
- 11 BUSINESS CONTINUITY MANAGEMENT
  - 11.1 ASPECTS OF BUSINESS CONTINUITY MANAGEMENT
    - 11.1.1 Business continuity management process
    - 11.1.2 Business continuity and impact analysis
    - 11.1.3 Writing and implementing continuity plans
    - 11.1.4 Business continuity planning framework
    - 11.1.5 Testing, maintaining and re-assessing business continuity plans
30. Is It BCP?
- Business Continuity vs. Vital Records
  - Foreign Corrupt Practices Act: "Make and keep records and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets."
  - SEC Rule 17a - Record Retention Requirements
  - IRS Procedure 86-19 - Requires off-site protection, as well as documentation of computer records maintaining tax information.
  - European Union Privacy - Data Privacy
    - Under the Safe Harbor, organizations that have committed to cooperate and comply with the European Data Protection Authorities (DPAs)
  - PATRIOT ACT, ACH RULES, G-L-B, AS/NZ 4390, Records Management Standard, et al.
31. Legal Standards
- Liability of Corporations
- Liability of Corporate Executives
- Liability to Outside Parties
- Standard of Negligence
- Standard of Care
- Prudent Man Doctrine
  - Exercise same care in managing company affairs as in managing own affairs.
- Informed Business Judgment v. Gross Negligence
32. Case Law / Legal Precedent
- Blake v. Woodford Bank & Trust Co. (1977) - Foreseeable workload; failure to prepare
- Sun Cattle Company, Inc. v. Miners Bank (1974) - Computer System Failure; Foreseeable Computer Failure
- Uniform Commercial Code - Preparing for foreseeable business disruption
33. Meeting the Standards
- US v. Carroll Towing Co. (1947)
  - 1. Probability of Harm (P): the chance that a damaging event will occur
  - 2. Magnitude of Harm (M): the amount of financial damage that would occur should a disaster happen
  - 3. Cost of Prevention (C): the price of putting in place a means of preventing the disaster's effects
  - P × M > C (the Learned Hand formula: failing to take a precaution is negligent when the expected harm, probability times magnitude, exceeds the cost of preventing it)
34. Negligent Failure To Plan/Prepare: Liability (Pandemics)
- 2003: Canadian nurses who contracted SARS file suit stating that the Government was negligent in not preparing for the second wave of the disease after the first wave was identified.
- Munich Re
- American Bar Association
35. BS25999
- Part 1 is an extension of PAS56
  - Guidance
  - Prescriptive
  - Not Performance Based
- Part 2
  - Certification Body
  - Specification
  - Auditable
  - Create Ability to Demonstrate Compliance
  - Stage 1 Audit: Initial Assessment, Desktop Review
    - Successful Completion Required Before Moving To Stage 2
  - Stage 2: Conformance Audit / Certification Audit
    - Demonstrate Implementation
    - Failure Requires Corrective Action Plan Which Must be Agreed Upon
  - Completion of Stages 1 and 2 Allows for Application to BS 25999 Certification Manager for Certification
  - Surveillance Audits
- (To be fair, British standard BS25999 introduced "Maximum Tolerable Period of Disruption" (MTPD), another mind-bender destined for the verbal scrap heap, as well.)
36. BS25999 -- UPDATE
- Will be revised and included with ASIS proposed standard. The new proposed ISO/ANSI standard will also include elements of the Dutch standard.
- The ANSI PINS (Project Initiation Notification System) filing will be reviewed by ANSI by the first week in November 2008, which ends the 30-day PINS comment period
- A Technical Committee will be formed to help create the standard. The technical committee will be open to a mixture of experts: SDOs, users, managers, producers, etc.
- The new proposed standard may face some opposition in that there is an indication that it is in conflict with other ANSI standards
- The same group concluded unanimously that there is a compelling reason to have this standard.
- The effort to create and have the new standard approved may take anywhere from 6 months to 2 years.
37. PUBLIC LAW 110-53: IMPLEMENTING RECOMMENDATIONS OF THE 9/11 COMMISSION ACT OF 2007, TITLE IX
38. The Holy Grail, or SOX for Business Continuity
- The Program Was Called For In Title IX Of "The Implementing The 9/11 Commission Recommendations Act Of 2007" (Public Law 110-53), Which Addresses A Diversity Of Other National Security Issues As Well. It Was Signed Into Law By The President On August 3, 2007.
- Intent To Implement The Findings Of The 9/11 Commission
- NFPA 1600 Was Recommendation Of Commission For Standard
- DRII's Professional Practices Are The Basis For BCP In NFPA 1600
- Will It Become A Standard????
  - Voluntary
  - Non-punitive
  - Unsuccessful Attempts By Federal Government To Address Private Sector BCM
  - Overcome Investments By Private Sector
  - Strain On Small And Medium Sized Businesses In Supply Chain
39. Title IX 110-53
a. Goal of the new program is to provide a method to independently certify the emergency preparedness of private sector organizations, including their disaster / emergency management and business continuity programs. The program focuses on certifying the preparedness of businesses and other private sector entities, and does not involve any individual professional certification.
b. The program will be voluntary.
c. Key stakeholders are invited to participate in the development of the program. Consultation with a variety of organizations and various sectors is required by the legislation. Program development will likely include involvement by a diversity of private sector advisory groups and others.
d. The program will be administered outside of government by 3rd party organizations with experience / expertise in managing and implementing voluntary accreditation and certification programs.
e. One or more preparedness standards can be designated. NFPA 1600 is referenced by example.
f. Existing industry efforts, certifications and reporting in this area will not be duplicated or displaced, but rather recognized and integrated.
g. Special consideration will be made for small business.
h. Proprietary and confidential information is to be protected.
40. Defining The Standard
- Process Used By Sloan Interdisciplinary Team
  - Representatives of ASIS, DRI International, NFPA, RIMS
  - Review Existing Regulations
    - FFIEC, NYSE, SEC, NASD
    - NERC
    - HIPAA
  - Provide Credit for Work Already Done
    - Reduce "Start From Scratch" Opposition
  - Create Core Elements for Standard
Core elements are those basic components that, when implemented within an organization's unique governance and culture, provide the underlying framework to enable the organization to sustain itself in spite of a disruptive event (i.e., the "common set of criteria for preparedness, disaster management, emergency management, and business continuity programs..." called for under the law).
41. Core Elements: 13 Become 8
- Policy statement and management commitment
- Scope, program roles, responsibilities, and resources
- Risk identification, assessments and criticality impact analyses, including legal and other requirements
- Prevention and Mitigation Evaluation and Planning
- Incident management (procedures and controls before, during and after a disruption, including emergency management of people, business operations and technology); includes communications
- Recovery Planning - May be considered to include rebuilding, repairing, and / or restoring
- Awareness and training
- Exercises and testing
- Program revision and improvement
42. Process Mapping
43. Standards Crosswalk
- NFPA 1600 (2007) Standard on Disaster/Emergency Management and Business Continuity Programs
- CSA Z1600 Standard on Emergency Management and Business Continuity Programs
- DRI International Professional Practices for Business Continuity Planners
- BS 25999-2 (2007) Business Continuity Management Part 2: Specification
- ASIS International - Organizational Resilience: Preparedness and Continuity Management - Best Practices Standard (Probably to Become Part of ISO/PAS 22399)
- TR19 (2005) Technical Reference for Business Continuity Management (BCM), includes TS507
- ISO/PAS 22399 (2007) Societal Security: Guidelines for Incident Preparedness and Operational Continuity Management
TO BE REPLACED WITH A NEW PROPOSED ANSI/ISO STANDARD UNDER DEVELOPMENT
44. Flexibility Within A Framework
- Existing Industry Efforts
  - Regulations
    - FFIEC, NYSE, SEC, HIPAA, NERC
  - Standards
    - ISO, ANSI, BSI
NOT Sarbanes-Oxley
45. Results
46. Process For Implementation of Title IX
- 1. DHS will designate one or more organizations to act as the accrediting body, to oversee the certification process, and to accredit qualified third parties to carry out the certification program.
- 2. DHS will separately designate one or more standards for assessing private sector preparedness.
- 3. DHS will provide information and promote the business case for voluntary compliance with preparedness standards.
- 4. DHS will monitor the effectiveness of the program on an on-going basis.
47. Process For Implementation of Title IX
- Appointment by DHS of Designated Officer: October 1, 2007 - Ashley Moore, FEMA
- Enter into Agreement for standard: February 28, 2008 - Marcus Pollack, FEMA
48. DHS Selects ANSI-ASQ National Accreditation Board To Support Voluntary Private Sector Preparedness Certification Program
Release Date: July 30, 2008. Release Number: HQ-08-148
WASHINGTON, D.C. -- The Department of Homeland Security announced today that it has signed an agreement with the ANSI-ASQ National Accreditation Board (ANAB) to establish and oversee the development and implementation of the accreditation and certification requirements for the Voluntary Private Sector Preparedness Accreditation and Certification Program. This program is directed by Public Law 110-53, Implementing the Recommendations of the 9/11 Commission Act of 2007, requiring the department to establish a common set of criteria for private sector preparedness in disaster management, emergency management and business continuity.
Under Title IX of the Act, the department is charged with a number of core tasks to establish the voluntary program, to include the designation of an organization to act as an accrediting body. In this role, ANAB will be responsible for overseeing the certification process, managing the accreditation, and accrediting qualified third parties to carry out certifications of private sector entities. ANAB was selected based on its experience and expertise in managing and implementing accreditation programs.
As required by the Act, Homeland Security Secretary Michael Chertoff previously designated an officer within the department to be responsible for the accreditation and certification program. R. David Paulison, Administrator of the Federal Emergency Management Agency, serves as the designated officer and will chair an internal Private Sector Preparedness Council comprised of department leadership from the Science & Technology Directorate, Private Sector Office and the Office of Infrastructure Protection. The Private Sector Preparedness Council will focus on the remaining requirements of the Act. This includes selecting program standards, defining and promoting the business case for private sector entities to work toward voluntary certification, overseeing the program's progress, and providing regular updates to Congress.
Learn more at www.fema.gov/privatesectorpreparedness
49. Gaining Accreditation (diagram: ANSI-ANAB)
50. Gaining Accreditation (diagram: ANSI-ANAB, DHS)
51. NFPA gets new DHS support - PRECURSOR TO A STANDARDS CHOICE?
The US Department of Homeland Security (DHS) has designated the National Fire Protection Association (NFPA) codes and standards development process as a Qualified Anti-Terrorism Technology (QATT) under the Support Anti-terrorism by Fostering Effective Technologies Act of 2002 (SAFETY Act). NFPA is the first standards development organization to receive this designation. Under provisions of the SAFETY Act, NFPA's codes and standards development process was also certified as an Approved Product for Homeland Security.
According to DHS, the SAFETY Act encourages the development and deployment of new and innovative anti-terrorism products and services by providing liability protections. Designation as a QATT and certification as an approved product for homeland security under the SAFETY Act provides legal protections for the NFPA codes and standards development process as applied to anti-terrorism.
"NFPA is pleased to have its codes and standards development process recognized as an effective anti-terrorism technology, which reflects the openness, balance and fairness NFPA strives to achieve in its voluntary codes and standards development process," said NFPA President James M. Shannon.
Federal protections under the DHS Designation and Certification are retroactive and recognize NFPA's technology's first date of sale as September 11, 2001.
Shannon added, "The commitment and involvement of NFPA in anti-terrorism standards predates the events of 9/11. NFPA has long been committed to making its codes and standards development process available for the creation and continual improvement of standards used to protect first responders and the public in terrorist events. We believe we have a world-class system which attracts numerous experts from diverse fields to develop codes and standards that mitigate the effects of terrorism on people and property."
All NFPA safety codes and standards are developed through a process accredited by the American National Standards Institute (ANSI). The more than 250 technical committees responsible for developing and updating all 300 codes and standards include approximately 4,000 volunteers, representing enforcing authorities, installers and maintainers, labor, research and testing laboratories, insurers, special experts, consumers and other users. NFPA was the developer of the NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs.
52. TITLE IX UPDATE, December 2008
- At ANSI HSSP (Homeland Security Standards Panel) - DHS unveiled its Voluntary Private Sector Preparedness Accreditation and Certification Program Proposed Target Criteria for Preparedness Standard
- Internally developed and will be open for comment when DHS publishes a notice in the Federal Register
- December 24, 2008: DHS files notice for comments in the Federal Register. "We note that the designated officer will consider adoption of the American National Standards Institute (ANSI) National Fire Protection Association (NFPA) 1600 Standard on Disaster/Emergency Management and Business Continuity Programs (ANSI/NFPA 1600), the standard specifically mentioned in both the statute and the 9/11 Commission's recommendations, as well as any other private sector preparedness standards submitted for adoption."
53. Implications
- Certification
  - Benefit To Passing Certification
  - If You Can't Pass, Don't Start
- Legal
  - Litigation Standard
  - Voluntary Negligence
  - No Teeth
  - Non-Punitive
Will it meet customer requirements?
54. What We Know Right Now
- "Title IX of PL 110-53 is an unfunded effort; there are no tangible rewards, e.g., tax reductions in the form of deductions or tax credits, to use as an incentive. While there are ongoing efforts to provide some insurance relief for business continuity planning, at this time no such incentives are available." - Sloan Foundation Report
- FEMA has been designated to lead the effort
- ANSI will oversee the certification process
  - Manage Accreditation
  - Accredit third parties to carry out certification
  - Collaborate to develop procedures and requirements for certification and accreditation
55. Now For The Misinformation
- "Although voluntary right now, these standards could soon be federal mandates for all private industry." - Not To Be Named Consulting Firm, in advertising for their webinar
- "Will share their best practices to meet the new 'national preparedness standard' known as NFPA 1600" - Not To Be Named Consulting Firm
- Not To Be Named Consulting Firm: "This voluntary program offers a number of potential benefits to the certified organization, including
  - Possible insurance premium advantages
  - Enhanced credit ratings
  - Competitive differentiation"
57. Assessing The Business Continuity Process
- DRII Evaluates Planning Process, Implementation and Testing Across The 10 Professional Practices (MAPS TO CORE ELEMENTS)
- Includes Subcategories
- Ability To Weight Each Category
- Utilizes The Same Scoring As It Does For Certifying Professionals
- Questions Require a Yes Or No
- Recommendations Are Provided When a No Answer Is Provided
- May Be Customized For Industry, Country Or Regulatory Considerations
- Will Contribute To a Worldwide Database
58. Q & A
Statements concerning legal matters should be understood to be general observations based solely on our experience as risk consultants and should not be relied upon as legal advice, which we are not authorized to provide. All such matters should be reviewed with your own qualified legal advisors in these areas.