Emerging Standards for Business Continuity

1
Emerging Standards for Business
Continuity Emergency Management The New
Voluntary Business Preparedness Certification
Program
2
About InterCEP

• Worlds First Academic Research
  Center Dedicated to Private Sector
  Preparedness Corporate Resilience
• The Alfred P. Sloan Foundation Funds InterCEP
  Research on Incentives for Business Preparedness
• insurance, rating agency, mitigating legal
  liability, supply chain, corporate governance
• Research Focus on the Linkage of
• What Why of Corporate Resilience

3
Current Research

• 
  
• What to Do There are consensus-based standards
  that indicate what good preparedness is.
• Why to Do It
• Internal Incentives There are a diversity of
  internal corporate benefits to preparedness
  although these need to be better clarified
  communicated
• External Incentives Major stakeholders who may
  offer external incentives to acknowledge
  preparedness
• Supply Chain
• Rating Agencies
• Legal
• Insurance

4
Current Research

• Finding on External Incentives
  Major
  incentive stakeholders are generally willing to
  acknowledge preparedness but lack an indicator /
  assessment and are not necessarily interested in
  assessing preparedness themselves
• Rating Agencies, Legal Liability, Insurance,
  Supply Chain

What to Do (Preparedness Standards)
Why to Do It (Incentives Benefits)
lt No Strong Connection gt
No Indicator if Prepared
5
If cant measure it, you cant manage it

• and you cant reward it!

6
Current Research

• InterCEP Recommendation to Congress
  A Voluntary Business Preparedness
  Certification based on Stakeholder Input
  including Incentives Community

What to Do (Preparedness Standards)
Why to Do It (Incentives Benefits)
Assessment Certification
7
Combining Multiple Benefits
Minimizing Impact of Business Disruptions
Insurance Benefits
Supply Chain Resiliency
Rating Agency Acknowledgement
Corporate Governance
Mitigating Legal Liability Post-Event
Reputational and other Benefits
8
Key Points We Will Cover

• What are Standards and what is their value to
  business?
• What are emerging standards guidance?
• What is the new Voluntary Business Preparedness
  Certification and how can you use it to advance
  your program?

9
What is a Standard?

• why it should matter to you

10
What a real Standard is not

• Gods word from above.
• Just a general practice that everybody does
• The declaration of an individual or small
  isolated group
• A regulation

11
A True Standard is the Product of a Process

• Wide representation on core body
• Large technical committee of stakeholders
• Develops straw man for wider comment
• Open and transparent process
• Comments requested from entire community. All
  must be responded to with action taken
  justification.
• Ultimately ratified by a large representative
  body
• Ongoing maintenance (evergreen) to reflect
  evolving practice
• Frequent revision cycle

12
Reality Check

• All documents that call themselves standards do
  not necessarily reflect this process
• Caveat emptor
• Ask for a look under the hood
• Is the body an accredited Standards Developing
  Organization ANSI, ISO
• Look for longevity of the organization and the
  Standard

13
So what?

• Standards can provide a convenient and efficient
  distillation of industry best practices.
• Augmenting journals and conferences
• Can have legal standing.
• Courts often look for industry standards in
  asking what should have been done
• Can provide a common tool for wider
  acknowledgement of good practice.
• Avoids each stakeholder having to create its own
  definition of what good preparedness is.
• Supply chain, rating agencies, insurance, legal
• Can facilitate benchmarking

14
What are Key Standards Guidance?
15
Preparedness Standards Best Practices

16
Preparedness Standards Best Practices
17
Preparedness Standards Best Practices
18
What is the New Voluntary Certification Program

• and why may it be
• of value to you?

19
Overview of New Law

• The Program will
• Provide a method to independently certify the
  emergency preparedness of private sector
  organizations
• including disaster/emergency management and
  business continuity programs.
• Be voluntary
• Engage key stakeholders to participate in the
  development of the program
• Briefing on the New Law Available at
• www.nyu.edu/intercep/events/

20
Overview of New Law

• The Program will also
• Be administered outside of government by third
  party organizations with experience / expertise
  in managing and implementing voluntary
  accreditation and certification programs.
• Designate one or more preparedness standards.
  Standard NFPA 1600 is referenced as example.

21
Overview of New Law

• The Program will
• Integrate/recognize existing industry efforts,
  standards, practices and reporting in this area.
• Give special consideration to small businesses.
• Protect proprietary and confidential information
  of companies.

22
DHS has four basic tasks in establishing the
program

• Designate one or more organizations to act as the
  accrediting body to develop and oversee the
  certification process, and to accredit qualified
  third parties to carry out the certification
  program
• Separately designate one or more standards for
  assessing private sector preparedness
• Provide information and promote the business case
  for voluntary compliance with preparedness
  standards
• Monitor the effectiveness of program on an
  ongoing basis
• .

23
The Opportunity

• Enable market-based incentives
• By providing a way to confirm that a business is
  prepared / resilient
• Which can then be acknowledged by key
  stakeholders including insurance, legal
  community, rating agencies, supply chains, etc.
• Key considerations going forward
• General business key stakeholder involvement in
  program development
• Consider a constellation of standards

24
Overview of Generic Accreditation/Certification
Program

25
Accreditation Certification

• Accreditation bodies assess the competence of and
  accredit (i.e., approve) certification bodies
  against a set of accreditation requirements to
  carry out certain certification activities
• Accredited certification bodies assess the
  conformity of and certify an organization to
  certain standards or specifications

26
Generic Template for Accreditation/Certification
Scheme
27
What is a Preparedness Certification?

• Acknowledgment that the current state of
  organizations emergency preparedness meets an
  accepted, designated standard(s)
• Verification conducted by qualified and
  independent third party
• It is not
• Personnel certification
• Peer evaluation process
• Clipboard checklist exercise

28
Preparedness Certification Process

• We envision a structured process very similar to
  other certifications
• Quality Management ISO 9000
• Environmental Management ISO 14000
• Proven process for private sector certification
• Could allow for efficient piggy-backing on
  existing audits

29
Typical Certification Steps

• Review of current state of emergency preparedness
  (gap analysis) against selected standard (Strohl
  Compliance Scorecard?)
• Supplement and/or improve existing preparedness
  processes, plans activities to meet intent of
  desired standard(s)
• Contract with accredited certification body for
  assessment and certification
• On-going surveillance and continual improvement
  processes

30
Potential Benefits of a Compliance Assessment
Program

• Can facilitate the acknowledgement and rewarding
  of preparedness efforts (insurance, legal, rating
  agency, etc.)
• May facilitate exchange of best practices
• Enables more consistent benchmarking internally
  and externally
• May facilitate financial analysis
• May forward corporate governance goals

31
Current Status

• Framework of standards has been developed by
  RIMS, DRII, ASIS, NFPA The Sloan Report
• DHS reporting to Congress on plan for program
  development
• Potential accreditation body identified and
  published in Federal register ANAB
• One or more standards still to be designated

32
Likely Trajectory

• Standards yet to be identified. Likely role for
  accrediting body.
• Much detail yet to be addressed.
• Legislation requires stakeholder input and this
  takes time.
• Pilot projects will likely lead introduction.
• Supply chain push down may be factor.
• Small businesses may be dealt with separately and
  later in process.

33
Re the Standard (s)

• May be a framework of Standards with common
  elements
• See Sloan Report on Framework for Voluntary
  Preparedness by ASIS, DRII, NFPA, RIMS
  www.sloan.org
• May involve a maturity model or levels of
  competency
• See the work of the FSTC Carnegie Mellon
  www.fstc.org

34
InterCEP Activity Focus

• To inform stakeholders about the new
  certification program the opportunity it
  presents
• To identify stakeholders considerations and
  recommendations regarding the program
• To channel this input to inform the development
  ongoing operations of the certification program

35
InterCEPs Activities

• Hosting Working Groups
• Supply Chain Management
• Legal Liability Mitigation
• Insurance Acknowledgement
• Rating Agency Acknowledgement
• Developing an online clearinghouse of information
  relevant to the voluntary business preparedness
  accreditation and certification program.
• Participating in conferences other forums.

36
The Opportunity

• Get involved now to shape this program to meet
  your needs.
• Work individually or through key trade and
  professional associations.
• Join one of the InterCEP working groups.
• Stay informed on program development.

37
Combining Multiple Benefits
Minimizing Impact of Business Disruptions
Insurance Benefits
Supply Chain Resiliency Assessment
Rating Agency Acknowledgement
Corporate Governance
Mitigating Legal Liability Post-Event
Reputational and other Benefits
38
International Center for Enterprise Preparedness

• Bill Raisch
• Director
• InterCEP- New York University
• 212-998-2000
• www.nyu.edu/intercep