The “buzz” in the business continuity industry is the enactment of “Implementing Recommendations of the 9/11 Commission Act of 2007”. Also known as H.R. 1 and Public Law 110-53, this legislation includes a key section on Private Sector Preparedness (Title IX) addressing the development and implementation of a “Voluntary Private Sector Preparedness Accreditation and Certification Program”.
Title IX will most likely integrate the best practices and guidelines of one or more current industry-independent standards. While the law mentions NFPA 1600 as an example of such a standard, the table below summarizes this and other applicable standards available today that may be considered as “inputs” into the Title IX standard.
|BS 25999||Business Continuity Management||Yes|
|ISO 22399||Societal Security — Guideline for Incident Preparedness and Operational Continuity Management||No|
|ISO 27001||Information Security Management||Yes|
|NFPA 1600||Standard on Disaster/Emergency Management and Business Continuity Programs||No|
Title IX Overview
- Legislation Signed Into Law: August 3, 2007
- “Designated Officer” Named: (30 days following enactment, although delayed)
- Entity to Develop Standard Named: (210 days following enactment)
- Standard Development Initiation: (210 days following enactment)
According to the language contained in Title IX, the term “voluntary preparedness standards” means “a common set of criteria for preparedness, disaster management, emergency management, and business continuity programs, such as the American National Standards Institute’s National Fire Protection Association Standard on Disaster/Emergency Management and Business Continuity Programs (ANSI/NFPA 1600).”
Although a direct result of 9/11 and the 9/11 Commission, Title IX will not focus on terrorism, but rather “all hazards” influencing private sector operations. While the precise process remains unknown, third-party certification will be for organizations only, not individuals.
The standard will integrate provisions for individual sectors and utilize industry-specific best practices and lessons learned. Title IX will also distinguish between small and large organizations as defined within section 3 of the Small Business Act (15 U.S.C. 632). When certification becomes available, the scalability of requirements and level of preparedness will correlate to the size of the entity.
The proposal for a “Voluntary Private Sector Preparedness Accreditation and Certification Program” under Public Law 110-53 raised inquiries over its potential value and benefit as a public standard for private entities. The public versus private standard may cause some to argue that “voluntary” certification may signify first-stage regulation, but Title IX states otherwise.
Any organization certified will be placed on a public listing “as being in compliance with the program established”. This voluntary program offers a number of potential benefits to the certified organization, including:
- Possible insurance premium advantages
- Enhanced credit ratings
- Competitive differentiation
In many business continuity professionals’ minds, the value is found in increased business continuity awareness amongst business partners, consistent execution of business continuity principles designed to increase readiness and recoverability, and higher levels of management involvement in meeting industry best practices. Clearly, the failure of a key supplier is on the minds of many business continuity professionals, and to these individuals, this is an opportunity to add efficiency to supply chain risk management efforts by encouraging vendors to participate. As a result, the need for businesses to evaluate their own suppliers for compliance with some form of a business continuity program or disaster/emergency management system would no longer exist.
Keep in mind, a third-party supplier certification program only takes an organization so far. A key vendor may have a best-in-class business continuity program that could be “certifiable”, but they still may not fully meet the needs of an organization. Without a doubt, the Voluntary Private Sector Preparedness Accreditation and Certification Program could contribute to an evaluation of key suppliers’ business continuity capabilities, but inquiry will still be necessary in order to ensure individual organizations’ needs are met.
Overall, an organization may position itself to benefit financially through insurance premium reductions and credit savings, but it may also benefit from being seen by its customers as more stable, dependable and reliable due to best-in-class, certifiable business continuity processes.
Preparation for Certification
Although the standard used for the voluntary certification program remains undefined (and will probably remain undefined for a few more months), business continuity professionals can assume that key attributes found in existing standards will be reflected in this voluntary accreditation program. Therefore, both NFPA 1600 and BS 25999 should be reviewed in preparation.
The law also highlights key preparedness attributes that will most likely be reflected in the standard, namely:
- Identifying potential hazards and assessing risks and impacts.
- Mitigating the impact of a wide variety of hazards, including weapons of mass destruction.
- Managing necessary emergency preparedness and response resources.
- Developing mutual aid agreements.
- Developing and maintaining emergency preparedness and response plans, and associated operational procedures.
- Developing and conducting training and exercises to support and evaluate emergency preparedness and response plans and operational procedures.
- Developing and conducting training programs for security guards to implement emergency preparedness and response plans and operations procedures.
- Developing procedures to respond to requests for information from the media or the public.
Overall, a review of an organization’s business continuity program will ensure its key activities are documented and operating in a repeatable manner, consistent with leading standards such as those cited above.
For individual organizations, the specific value of the Title IX business continuity preparedness certification remains somewhat unknown. We can speculate that certification will be a competitive differentiator and possibly offer financial benefits as well (similar to ISO and BSI certification efforts). However, the true value of the law is that it significantly elevates the visibility and importance of business continuity across all entities in the public and private sectors. Business continuity professionals have already begun discussing the implications with their senior management teams and are considering how to participate and prepare. These discussions, and the resulting impact on organizational responsiveness and recoverability, could enable a significant maturation of the business continuity industry as a whole.