|
by William Raisch
A much needed link between good practice in corporate
preparedness and bottom-line incentives for businesses
may be in the offing.
This could significantly advance resilience
in corporate priorities. The new
U.S. legislation calls for the establishment
of a voluntary private sector
preparedness certification program for
American businesses. The certification
program could create a method to
facilitate greater acknowledgement of
preparedness by the insurance industry,
rating agencies, legal community,
supply chain management arena and
others. Vital to the success of this
program will be early and active stakeholder
involvement by both the general
corporate sector as well as key players in
the incentives community.
The Law
The legislation was signed into law on
August 3, 2007. It is entitled ‘‘Implementing
Recommendations of the 9/11
Commission Act of 2007,’’ but it is
not just about counter-terrorism and
national security. Title IX of Public
Law 110-53 calls for the creation of a
new program targeted at “all-hazards”
business emergency preparedness and
continuity.
The new legislation requires the U.S.
Department of Homeland Security
(DHS) to provide for the development
of a private sector voluntary certification
program for all-hazards business
emergency preparedness. This program is to be developed in consultation
with key stakeholders reflecting existing
best practices and standards. The
full text of the law is available at:
www.govtrack.us/congress/billtext.
xpd?bill=h110-1&show-changes=0
Key Points of Title IX
1. The goal of the legislation is to provide
a method to independently certify
the emergency preparedness of private
sector organizations. It includes their
disaster/emergency management and
business continuity programs. The program
is to certify businesses and other
private sector entities, not individual
professionals. The focus is on all-hazards
preparedness and not on terrorism.
2. The program is to be voluntary.
Businesses will decide whether or not
they wish to obtain certification of their
organizations’ preparedness, likely based
on what benefits they see in such
certification.
3. Key stakeholders are invited to
participate in the development of the
program. Consultation with a variety
of organizations and various sectors is
required by the legislation. Program
development will likely include involvement
by a variety of private sector
advisory groups and others.
4. The federal government will not run
the certification program. The program
will be administered outside of government
by third party organizations with
experience in accreditation and certification
programs.
5. One or more preparedness standards
can be designated. NFPA 1600 is referenced
as one example. The law calls for
the adoption of “one or more appropriate
voluntary preparedness standards.” It
further states that “The term ‘voluntary
preparedness standards’ means a common set of criteria for preparedness, disaster
management, emergency management,
and business continuity programs, such
as…ANSI/NFPA 1600.’’
6. Existing industry efforts, certifications
and reporting in this area will
be recognized and integrated. The
legislation requires that the program
consider the unique nature of various
groups within the private sector, including
current preparedness certifications
and reporting as well as existing initiatives
by other federal agencies. The
legislation specifically calls for existing
certification efforts to be acknowledged
to avoid duplication, where appropriate.
7. Special consideration will be made
for small businesses. The program is
to establish separate classifications and
methods of certification for small business
concerns.
8. Proprietary and confidential information
is to be protected. The administration
of the program outside of government by
a third party, non-governmental agency
and requiring any certifying body to
enter into a confidentiality agreement
with the company to be certified will
protect sensitive information.
Key Responsibilities of the U.S.
Department of Homeland Security
The federal government has four basic
tasks in establishing the program:
1. DHS will designate one or more
organizations to act as the accrediting
body to develop and oversee the
certification process, and to accredit
qualified third parties to carry out the
certification program. This decision is
independent of the actual standards to
be utilized in assessing preparedness
and likely will focus more on capacity
to manage and support the accreditation
process.
2. DHS will separately designate one
or more standards for assessing private
sector preparedness. The standards may
be tailored to specific sectors and must
accomodate separate considerations for
small businesses.
3. DHS will provide information and
promote the business case for voluntary
compliance with preparedness
standards. Businesses must be aware
of the program and see value in it to
participate in the program.
4. DHS will monitor the effectiveness
of the program. DHS will annually
review the program and must make
improvements and adjustments as necessary
and appropriate.
Key Considerations Going Forward
The International Center for Enterprise
Preparedness (InterCEP) at New York
University is the world’s first academic
research center dedicated to private
sector preparedness and resilience.
InterCEP recommended the establishment
of the private sector certification
program to Congress based upon its
active engagement with incentives
stakeholders and the corporate community.
Several factors below will influence
the success of the program.
1. Market-based incentives should be
integrated with this certification program.
A major rationale cited in the
Congressional testimony for the program
was the need for a closer link
between preparedness and benefits for
business. Key stakeholders in such areas
as insurance, legal liability, rating agencies
and supply chain management have
acknowledged that business preparedness
is valuable and should be rewarded,
but to date there has been no widely
accepted methodology to confirm that
preparedness exists in a business so that
it can be rewarded.
2. Incentive providers must be involved
from the beginning in the development
of the certification process and its ongoing
implementation. The program must
be structured so the final assessment is
of value to them and justifies marketbased
incentives.
3. Businesses and their representative
associations must also be involved from
the beginning in the development of
the certification program and its ongoing
operation. Key issues related to the
certification program that should be
addressed include but are not limited to:
- Potential value of the certification
process for internal self-assessment of
preparedness activities by the business
- Use of certification as a consistent tool
to promote supply chain resilience
and to avoid the need for companies
to do their own individual assessments
of critical suppliers
- Use of certification as a proactive
strategy to minimize legal liability
post-event
- Use of certification in support of
corporate governance and social
responsibility activities
- Integration with other business
reporting requirements where
practical to avoid duplication and
potentially integrate divergent
requirements under one program
- Potential TRIA (Terrorism Risk
Insurance Act) considerations
- Capitalize on existing management
system activities where they
exist in the corporation to facilitate
conformance (e.g., quality and environmental
management)
- Assurance that the ultimate program
is scalable and of value to small,
medium and large businesses.
4. Experience from similar, established
voluntary certification programs should
be tapped for insights into program
development. Historical experience and
lessons learned with existing voluntary
certification programs could provide
insights into the development of the
preparedness certification program.
5. In designating one or more preparedness
standards for use in the program, a “constellation of standards” should be
evaluated. Where there are more than
one acceptable existing preparedness
standards with significant value to one
or more business sectors, consideration
should be given to structuring a certification
process which accommodates the
assessment of the business against one or
more standards in a unified framework
that acknowledges a common core of
program elements and best practices.
About the Author
William Raisch is Director of the International
Center for Enterprise Preparedness (InterCEP)
at New York University. InterCEP is the world’s
first major academic center dedicated to private
sector preparedness and resilience. Mr.
Raisch was a private sector advisor to the
Federal 9/11 Commission which advocated both
a voluntary standard for preparedness and market-
based incentives to encourage compliance
with the standard. Mr. Raisch can be reached at
212.998.2000 or intercep@nyu.edu.
|
