Two and a half years after Congress directed the Department of Homeland Security (DHS) to develop a voluntary program to promote private sector preparedness,
"The genesis of this program is that Congress wanted to know if we were better prepared than we were in 2001 and better than we were in Hurricane Katrina to sustain a major catastrophe, and the answer is, 'We do not know,'" said Donald Byrne, managing director of consulting firm North River Solutions Inc., and a business continuity professional. "Part of the goal is to use this program to gauge where we are improving and where we need to invest more."
The three standards, proposed by FEMA in October and open for public feedback until mid-January, are:
- NFPA 1600, developed by the National Fire Protection Association;
- BS 25999, from the British Standards Institution; and
- ANSI/ASIS SPC. 1-2209, a new standard from ASIS International.
According to DHS Secretary Janet Napolitano, the frameworks were among 25 standards considered and were chosen based on "their scalability, balance of interest and relevance to the PS-Prep program."
The DHS has also contracted with the ANSI National Accreditation Board (ANAB) to develop the accreditation rules that will allow certification bodies to go out and conduct the audits. But Byrne, who serves on the ANAB's committee of experts, said that even as PS-Prep moves forward, many issues remain up in the air, including:
- How to handle certifications for small businesses.
- How to credit businesses that have already passed more rigorous business continuity standards.
- How to determine what, if any incentives, should be offered to encourage businesses to become certified.
Indeed, questions about these issues -- and recommendations -- came up often in the 41 pages of letters submitted to FEMA during the public comment period. Michael Cummings, director of loss prevention services at Milwaukee-based Aurora Health Care, praised the agency's decision to approve more than one standard for PS-Prep and urged that other guidelines and best practices be sanctioned.
"This is not an area where one size fits all," Cummings stated. "The ultimate goal of the PS-Prep Program should be to incentivize and assist business organizations to find solutions and approaches that work for them and not create bureaucracy and arbitrary certification programs as a barrier to accomplishing preparedness."
The question of incentives versus costs was also raised by J.D. Densmore, manager of the emergency command center at home improvement chain Lowe's Cos. Densmore said he supports standardization of business continuity across the retail industry as "an excellent goal," but he was concerned that adhering to any one standard would result in a "significant cost to any retailer" and that these costs would either erode the retailer margins or be passed on to consumers as higher cost of goods.
Businesses in general have a vested self-interest to be prepared for disaster, he said. "The business case to participate in the voluntary program needs to be compelling enough to overcome the cost, or it will not be adopted," he warned.
Paul Kirvan, a business continuity expert based in New Jersey who has written about PS-Prep options for SearchCompliance.com, said that giving companies a choice of three standards eligible for certification is probably better than having only one.
But deciding on a standard will require thoughtful analysis from businesses to find the right fit, and the cost can be considerable. Kirvan said that when he learned the program would be voluntary, his initial reaction was that it was doomed to fail.
Kirvan said he doubts people will participate in a certification program unless they're required to or have a substantial business incentive to volunteer. "But I think what will happen over time is certain large businesses, Fortune 100 or Fortune 500 organizations are going to decide it is probably the right thing to do and good from a competitive standpoint," he added. "So, I think it will be competitive forces in the marketplace that will get organizations on the bandwagon for this." Kirvan also said he expects that the government program will come up with a streamlined way for getting certified.
Byrne agreed. "I am hoping the government understands that its real role in a voluntary standard like this is education," he said.
However, this step may be the first phase in setting standards that could be used to officially indemnify companies against liability for damages after a disaster, Byrne said. That aspect will likely be sorted out by the courts citing the voluntary best practices in cases, rather than written into PS-Prep.
In the meantime, adopting these standards may be useful as a means for companies to assure their suppliers and customers that they are reliable in case of emergency. "In the end, there is no reason for people to do this except market pressure, and that is ultimately going to be the driving force behind this," Byrne said.
Let us know what you think about the story; email Linda Tucci, Senior News Writer.