Finding the Right Fit – Comparing NFPA 1600 to BS 25999

Avalution Team Avalution Team | Jun 23, 2008

stacy perspective NFPABSAs a standard first released by the National Fire Protection Association in 1995, NFPA 1600 should be familiar to many business continuity planners.  Though NFPA 1600 was initially focused on disaster response, it was modified in 2000 to include “total program planning”, and has been revised twice since then, with new versions in 2004 and 2007.  In comparison, BS 25999, a business-focused planning standard, is new to the scene and just beginning to catch organizations’ attentions.  The British Standards Institution (BSI), a globally-recognized standardization body, published Part One: Code of Practice in 2006 and published Part Two: the Specification in late 2007.  The purpose of this article is to highlight the similarities and unique features of both standards, utilizing NFPA 1600 v2007 and BS 25999’s Specification document in order to help companies determine which standard best fits their organization.

Main Focus of the Standard
NFPA 1600’s focus, directed to public, not-for-profit and private entities, is to meet two main goals.  The first is to establish universal components or criteria for disaster/emergency management and business continuity programs. The second is to provide disaster/emergency management/business continuity programs with the criteria to develop, implement, maintain and assess the five main aspects of their programs: prevention, mitigation, preparation, response, and recovery.

BS 25999, in comparison, focuses to a much greater extent on analyzing and understanding the business. Particularly, BS 25999 recommends defining policy and objectives for business continuity that support implementing and maintaining controls to reduce and manage an organization’s overall business continuity risks.  BS 25999 provides particular emphasis on document management and controls to not only verify that the program meets its goals but also works toward continual improvement based on objective measures.

Defining the Program Structure and Policy
As mentioned previously, NFPA 1600 structures its approach as focusing on prevention, mitigation, preparedness, response and recovery to ensure that the response effort is defined and managed from beginning to end.  While it does not necessarily define a response structure, BS 25999 defines the overarching program management structure as the “Plan-Do-Check-Act” (PDCA) cycle.  This ensures that once the program is developed, it is tested, evaluated and updated regularly.

Both standards recommend developing an executive policy to guide the direction of and requirements for the business continuity program, as well as defined management and personnel to oversee and implement the program. Both standards also advocate using documented plans and procedures, with auditable evidence, to manage the business continuity process.

Key Elements
In addition to an executive policy, NFPA 1600 recommends defining the program’s goals and objectives, as well as a method to evaluate the program.  Other key elements include a program plan and procedures that utilize and incorporate applicable standards and regulations.  In order to properly manage the program, NFPA 1600 states that a program budget and project schedule are necessary, as well as records management practices.

In comparison, BS 25999 outlines specific processes that must occur to properly manage the program, including policy, planning, implementation and operation, performance assessment, management review, and improvement. Also important is auditable documentation to verify the program meets the stated goals, utilizing processes such as a business impact analysis and business continuity plans.

BCM Policy
Both NFPA 1600 and BS 25999 recommend setting an executive level policy that defines the scope and objectives of the program, as well as key roles and responsibilities for both board members and top management.  BS 25999 specifically calls out establishing and demonstrating management’s commitment to the business continuity management policy.  While both recommendations call for periodic review and evaluation of the policy, only BS 25999 states that the policy shall be formally approved by top management and communicated to all persons working for or on behalf of the organization.

Assigning the Right People and Resources
Both standards state that resource management objectives should be established to ensure that the program is appropriately funded, staffed and equipped, and that personnel are trained and have the knowledge to maintain the program.  NFPA 1600 specifically states that entities shall establish procedures to track and acquire the above listed resources.  This includes establishing processes to identify, request and track resources, as well as activate, dispatch and deactivate these resources during an incident.  NFPA 1600 also specifically addresses how to deal with mutual aid/assistance.

While BS 25999 does not outline requirements for defining and managing procedures, it does state that management needs to appoint an individual to claim overall responsibility for the program, as well as assign one or more personnel to manage the day-to-day activities.  BS 25999 focuses significantly more on verifying personnel are properly trained, including by analyzing training needs and documenting records that verify that the necessary competence is reached.

Business Impact Analysis
NFPA 1600 and BS 25999 both recommend conducting a business impact analysis to understand the potential impacts of outages.  However, NFPA1600 takes more of an “emergency response” approach, while BS 25999 focuses on fully understanding what is critical to business operations.

The key areas NFPA1600 recommends analyzing include emergency response, continuity of operations and regulatory, reputational and/or financial considerations.  In comparison, BS 25999 recommends internally analyzing the organization to identify critical activities, including maximum downtime and dependencies, and any impacts associated from a disruption of these activities.  BS 25999 also states that a defined and documented method should be used to determine the impact of a disruption on critical activities.

Risk Assessment
Both standards acknowledge the importance of identifying and analyzing threats and vulnerabilities to business operations, determining the likelihood of their occurrences and monitoring the hazards.  NFPA 1600 seeks to analyze the impact of natural and human-initiated events on the business as a whole, while BS 25999 focuses more on understanding the impact on critical activities.  BS 25999 also states that business partner and supplier risks should be analyzed, and risk that cannot be mitigated should be formally accepted by the business.

Defining Plan Content
Both NFPA 1600 and BS 25999 define the structure and content of plans.  Recommended content includes objectives, roles and responsibilities, activation criteria, authority to declare and manage an incident, resource requirements, alternate work locations, communication capabilities and strategies for both internal and external stakeholders, and response and recovery processes.  Both standards also state that plans need to be available to those who are responsible for implementing them.

NFPA recommends structuring the content into a strategic plan, emergency operations/response plan, prevention plan, mitigation plan, recovery plan and continuity plan.  NFPA’s prevention plan specifically focuses on strategies to completely eliminate hazards that can be prevented, while the mitigation plan outlines methods to reduce the impact of any hazards that cannot be eliminated.

Rather than defining multiple plans, BS 25999 only specifies that plans “outline how the organization will manage an incident and how it will recover or maintain its activities to a predetermined level in the event of a disruption”, though it does reference an incident management plan and business continuity plans.  BS 25999 states that plans should have identified plan owners responsible for reviewing, updating and approving plans to ensure accountability and maintenance.

NFPA 1600 and BS 25999 recognize the importance of training and education, focused on awareness and enhancing knowledge and skill in each individual’s role in response, in developing a strong business continuity program.  Both also acknowledge that training must occur on a periodic basis to ensure the information is fresh and current, and that training records must be kept for audit and regulatory purposes.

Both standards also state that organizations should conduct regular, planned and documented exercises to verify that program elements meet stated business objectives, as well as familiarize personnel with the response process. Both standards advise testing part or all of the program frequently, whether it be individual elements or the entire program as a whole.  Both also state that lessons learned meetings and post-exercise program element reviews should occur, with key findings incorporated into plan updates and future planning scenarios.

BS 25999 also states that the testing program should be approved by top management and vary the scenario scopes.  It also dictates that exercises should be planned to prevent causing a true outage and, following the exercise, a written report should be submitted to management.

BCMS Documentation and Records
While NFPA 1600 does mention the importance of records management practices, BS 25999 focuses significantly on this area.  Specifically, all critical elements of the business continuity program should have procedures around documenting the existence, maintenance and effectiveness of these elements.  Procedures should also be documented to define the controls monitoring the records management process to ensure the documents are easily identifiable and retrievable, and that documents are approved before use, reviewed and updated as necessary, revisions are tracked, distribution is controlled and obsolete documents are destroyed.

Though each standard has unique components and approaches, both recognize key elements within business continuity.  There are a number of factors planners should consider when deciding which standard best fits their organization’s culture.  NFPA 1600, first developed in 1995, has been heavily utilized in government and public entities for over a decade and is considered one of the leading standards in the industry in the United States.

BS 25999, in comparison, is quite new, directed to private organizations and has been designed to be internationally applicable.  NFPA focuses on emergency response and disaster recovery, while BS 25999 targets understanding business processes and addressing any risks that threaten the continuity of these processes.  Also, BS 25999 is the only certifiable business continuity standard available for organizations, which could be beneficial to those companies looking for market differentiation, customer reassurance, compliance with regulatory requirements, or answers to board inquiries regarding operational risk.