NFPA 1600 2010 Edition: What You Need to Know

Avalution Team | Jan 28, 2010

NFPA 1600 is a “Disaster / Emergency Management and Business Continuity” standard published by the National Fire Protection Association that was originally released in 1995.  The original iteration focused on tactical issues associated with disaster management.  However, beginning in 2000, the standard matured to include “total program planning”, which included common business continuity program elements, techniques and processes.

In late 2007, the concept of “management systems” was formally introduced to the business continuity profession and quickly gained a significant amount of support due to its acceptance and success in other business disciplines (quality, environmental management and security, to name a few).  Since the introduction of business continuity management systems concepts, NFPA has been working to better align its standard to the “Plan, Do, Check, Act” (PDCA) model, which is at the heart of management systems.  In January 2010, NFPA announced the release of its triennial edition of the NFPA 1600 standard.  The 2010 edition has changed significantly – organizationally and in its content.  At a high level, NFPA 1600 2010’s most significant changes can be grouped in three ways:

  • The numerical reordering and content expansion of chapters, generally grouped and aligned to PDCA;
  • The clarification of various requirements; and
  • The addition of supplementary, value-added annexes.

This article summarizes the major improvements in the 2010 edition of NFPA 1600, in order to assist organizations in determining how the changes will help them achieve a more comprehensive, better-performing business continuity program.

Chapter Additions and Expansions
When performing a side-by-side comparison of the NFPA 1600 2007 edition (v2007) to the 2010 edition (v2010), the most obvious difference is organization, specifically chapter expansion.  The 2007 version has five chapters, and v2010 has eight.  While the first three chapters are generally the same in both versions (1: Administration, 2: Referenced Publications, and 3: Definitions), the remaining chapters are significantly different.  As mentioned above, the motivation for this change seems to reside in the alignment of NFPA 1600 to management systems concepts, resulting in a more logical organization of the standard when compared to the PDCA approach (see graphic below):

[Graphic: NFPA 1600 chapter organization compared to the PDCA approach]

For an itemized list of changes to each specific chapter, see the table below:

Chapter Changes
4: Program Management
  • Expanded to emphasize the importance of leadership and commitment
  • Includes new requirements for defining performance objectives
  • Includes new requirements for records management
  • Includes finance and administration (previously covered in Chapter 5)
5: Planning
  • Rewritten as four chapters instead of one (addressing planning, implementation, testing and exercises, and program improvement separately)
  • Includes new requirements for planning elements and design
  • Outlines requirements for business impact analysis (previously covered under “risk assessment”)
6: Implementation
  • Includes new sections on emergency response and employee assistance and support
  • Includes new requirements for communications and warning
7: Testing and Exercising
  • Expanded to emphasize the importance and details associated with testing and exercising
  • Includes new requirements for testing and exercising
8: Program Management
  • Incorporates evaluations (program reviews) and corrective actions

Again, it is important to note that the ordering of the chapters in v2010 follows a typical program development process and is consistent with “Plan, Do, Check, Act”.

Content Clarification
In addition to the various business continuity program elements that were added, expanded or reorganized, v2010 clarified many of the terms and concepts that may have been perceived to be ambiguous in v2007.  Some of the expansions and clarifications include:

  • Records Management Program (this requirement applies solely to business continuity records, as opposed to an enterprise-wide records management process)
  • Business Impact Analysis (BIA) Process
  • Communications and Emergency Operations Centers (EOCs) Strategies
  • Testing and Exercising Strategies / Execution
  • Corrective Actions

Due to these changes in requirements and additional specifications, a number of definitions were added to Chapter 3, further clarifying possible ambiguities that may have existed previously.

Additional Annexes
While the number of chapters increased in v2010, the number of annexes actually decreased; however, this change is an additional improvement within the newest edition.  While the annexes in v2007 were largely reference information, the annexes in v2010 prove to be useful tools in aligning organizations with the standard, specifically aligning organizations with management systems concepts (Annex D) and providing organizational value by offering a Self-Assessment for Conformity (Annex C).

The content presented in Annex C, Self-Assessment for Conformity, can assist organizations in determining whether or not their program conforms to NFPA 1600 by providing a table of indicators based on the requirements and specifications within the standard.  Each line item provides a space for users to indicate conformity, partial conformity, or nonconformity, as well as indicate evidence of conformity, corrective action, task assignment, a schedule for action, or other information in the “Comments” column.  This tool is a major improvement in aiding organizations with first-party evaluations, as well as enabling one of the most important elements in management systems – continual improvement.

The content presented in Annex D, Management Systems Guidelines, outlines which sections of NFPA 1600 v2010 align with the PDCA model.  This mapping allows organizations to focus on each individual chapter within the standard to align their business continuity practices to management system concepts, which makes it that much easier for organizations to integrate multiple management systems standards (e.g. ISO 27001, BS 25999 and SPC.1-2009).

How Can NFPA 1600 v2010 Help My Organization?
As mentioned above, management systems concepts have gained a great amount of visibility in the business continuity profession over the last few years.  Business continuity programs that have embraced management systems concepts have already reported tremendous improvements and success stories, including:

  • Better alignment to core organizational strategies
  • Improved management support
  • Enhanced maturity of strategies over time

The improved alignment of NFPA 1600 v2010 to management systems will help organizations fulfill tasks required to achieve a set of related business objectives, as well as capture and maintain management’s support for the business continuity program.

Can My Organization Use NFPA 1600 to Bolster Other Standards?
Not only does NFPA 1600 offer a comprehensive view of life cycle and management system-oriented business continuity planning, but there are a number of specifications outlined in v2010 that are not adequately covered in other business continuity standards, including (but not limited to):

  • Records management programs
  • Risk assessment processes
  • Prevention strategies
  • Finance and administrative processes
  • Other incident management concepts, including resource management and mutual aid

Are There Gaps In NFPA 1600 That Require Improvement in 2013?
When applying NFPA 1600 to your organization’s business continuity program, it is important to note that while v2010 provides alignment to many management systems concepts, there appear to be a few gaps.  Since NFPA 1600 is reviewed and updated every three years, there are a few improvement opportunities that can be addressed in the next iteration of the standard, especially since it appears that the end goal is closer alignment to industry-accepted management systems concepts.  After all, no standard is perfect!  Here are five core concepts you should consider – again, as it pertains to management system alignment – to improve the effectiveness of your business continuity program:

  1. Independent Review:  A core element of management systems concepts is independent review (commonly called Internal Audits in most management systems standards, but it should not be confused with the Internal Audit department).  Overall, independent reviews offer a non-biased perspective on compliance with management expectations and/or the standard, and result in corrective and preventative actions.  This concept is not covered in detail within v2010 and is a core input to management reviews.
  2. Competencies:  The section addressing “Training and Awareness” offers a solid overview of how to increase exposure to business continuity concepts; however, this section uses an undefined term, “Curriculum”.  Because management systems concepts emphasize the formal definition and creation of “competencies”, future iterations of the standard should clearly indicate that curriculum development should include the identification of business continuity competencies.
  3. Preventative Actions:  v2010 adds a requirement specific to “Corrective Actions”, but does not include proactive “Preventative Actions”.  From a management systems perspective, identifying and preventing a non-conformity before it occurs is a core competency, as opposed to strictly reacting to issues.
  4. Scope Definition:  Business continuity professionals generally agree that their programs may not fully apply to every aspect of their organization (unless they are responsible for safety-related processes like evacuation plans, and only those elements should apply everywhere).  Regardless, having a carefully crafted scope statement that starts with organizational products and services, then focuses on the activities, locations and resources that support them, is a “must-have” and a common element of management systems concepts.  The concept of scope is addressed in v2010 of the standard, but additional explanation would be helpful to fully define the requirement.
  5. Documentation:  The concept of documentation, which addresses how an organization plans to execute its business continuity processes and meet obligations, is somewhat ambiguous and may impact program success and repeatability.  Requiring documentation that fully describes how the organization intends to execute Disaster / Emergency Management and Business Continuity processes – and assigns roles and responsibilities – is a key element of a strong management system.

Conclusion
For those organizations aligned to the earlier iteration of NFPA 1600, v2010 is clearly worth a closer look.  It clearly aligns to the “Plan, Do, Check, Act” model and offers a comprehensive view of preparedness activities that apply to various organizations in the public and private sector.

Overall, even if your organization is already aligned to other business continuity standards, utilizing NFPA 1600 to enhance the organization’s performance should not impair its performance specific to the other standard.  In fact, it should enhance the organization’s capabilities.

——————————-

Jacque Rupert
Avalution Consulting: Business Continuity Consulting