PS-Prep – Myth or Fact

Brian Zawada, FBCI | Mar 16, 2010

Having attended a number of conferences recently – many of which were focused on topics other than business continuity and disaster recovery – I’ve found that the amount of discussion regarding PS-PREP has increased substantially over the past 2+ years. In addition, as more and more professionals and organizational disciplines are being made aware of PS-PREP-related developments, concern and skepticism increase. And, unfortunately, because of the unknowns that remain – as well as the raw emotion on display by those adamantly opposed to this effort – few people walk away from presentations understanding what this effort is all about. The purpose of this article is to not only describe what PS-PREP is today and where we think it’s headed, but most importantly, to dispel (or possibly confirm) some of the rumors out there that may be getting in the way of organizations carefully evaluating the possible benefit that may result.

What Is It?
The 9/11 Commission recommendations evolved into Public Law 110-53, which provides for a voluntary preparedness certification process for private sector organizations managed by the Department of Homeland Security (DHS). This legislation was signed by President Bush on August 3, 2007. Title IX (also known by the acronym PS-PREP), a section of Public Law 110-53, refers to the voluntary private sector preparedness certification and accreditation program. Overall, the purpose of the legislation – and the voluntary certification effort – was to draw more attention to preparedness in the private sector, with the end goal of creating a more resilient and recoverable private sector.

To begin preparing for the development of a certification process, DHS appointed the American National Standards Institute’s (ANSI) American Society for Quality (ASQ), more specifically the American National Accreditation Board (ANAB), as the entity charged with developing and administering the accreditation and certification program. ANAB is responsible for defining the certification approach and criteria for third-party audit teams and oversight assessors, as well as the application process for PS-PREP certification. ANAB is in the process of developing the “Business Continuity Accreditation/Certification Rule”, which will be released for public comment, adjudicated and then posted as a final version mid-summer 2010. This rule will establish certification body requirements and individual examiner knowledge, skill and ability expectations. A Committee of Experts was also convened by ANAB to assist in offering accreditation activity recommendations.

Since the selection of ANAB, DHS has facilitated a number of public outreach meetings to collect feedback on the PS-PREP concept, as well as ideas on which standards should be included in the process. Since that time, DHS has made two key announcements:

| What | When | Description |
| --- | --- | --- |
| Target Criteria Announcement | December 24, 2008 | DHS announced the criteria they intended to use to select one or more standards for inclusion in the PS-PREP program. These criteria were not to be used to build a DHS-authored standard, but to select existing standards that best aligned to these characteristics. |
| Preliminary Standards Selection Announcement | October 16, 2009 | DHS announced the first three standards preliminarily selected for inclusion in the PS-PREP program. In making this announcement, DHS requested feedback via public comment on the selections before making a final determination. The following three standards were selected: (1) BS 25999 (Business Continuity Management Specification); (2) NFPA 1600 v2007 (Standard on Disaster/Emergency Management and Business Continuity Programs); (3) ASIS SPC.1-2009 (Organizational Resilience). |

Following the final standards selection announcement, ANAB was charged with creating and implementing the certification approach and requirements for each standard, as well as determining how to select qualified auditors to perform the certification process.

Myth or Fact (or It Depends)?
A number of business continuity professionals – as well as other professionals in related risk management disciplines, like security and insurance – incorrectly comment on PS-PREP as if the program is in place and finalized. The following table seeks to summarize some of the more common statements made about PS-PREP and classify each as “myth or fact” (or something in between). The table also includes additional commentary as to why we’ve classified each issue the way we did.

| Issue | Myth or Fact? | Comments |
| --- | --- | --- |
| PS-PREP will result in a new, DHS-authored business continuity standard. | Myth | The legislation does not mandate the development of a new preparedness standard, and government representatives have – on numerous occasions – stated that it is their sole intention to select existing standards for inclusion in PS-PREP. |
| The PS-PREP process will look similar to other organizational certification efforts. | Fact | During public presentations, DHS/FEMA representatives, as well as representatives from ANAB, have indicated that the PS-PREP certification process will align to private sector certification processes (as described in ISO 17021). |
| PS-PREP is only for large companies. | Myth | The legislation mandates that the PS-PREP program scale to the needs of smaller private sector entities. Although the specifics are not yet defined, it should be expected that smaller enterprises will realize value by leveraging the standards selected, and perhaps some of the tools and processes developed (which may include self-assessment processes). |
| PS-PREP will be expensive for companies considering certification. | It Depends | Organizations new to preparedness, or those that may have taken an approach dissimilar to those offered by the three selected standards, may require an investment (time and money) to become compliant with one of the standards. |
| An organization can self-certify. | Myth | By definition and consistent with international standards, organizational certification efforts – as performed by an independent, uninterested third party – must follow a strict set of rules to judge compliance with a standard. Although it is expected that DHS will develop and roll out self-assessment processes, a self-certification process would not be credible. |
| Those with a BS 25999 certification will be “grandfathered” into the PS-PREP program. | Most Likely | There has been considerable dialogue that indicates this is possible (especially if PS-PREP follows ISO 17021, which is the same international standard that governs all other certification processes – including BS 25999). |
| Long-term, only three standards – BS 25999, NFPA 1600 v2007 and SPC.1-2009 – will be included in the PS-PREP program. | It Depends | At the present time, the three selected standards were the only candidates that most closely aligned to the target criteria. However, if other standards are developed and/or identified that offer value to the US private sector and align to the target criteria, it should be expected that they would be added as certification options. |
| The 2010 version of NFPA 1600 will be used in the PS-PREP program, not the 2007 version. | Most Likely | Unfortunately, the 2007 version of NFPA 1600 was announced as the selection (because the 2010 version was just released in February 2010). Based on very informal dialogue with various professionals involved in shaping the PS-PREP program, an effort will be made to include version 2010 as opposed to the 2007 iteration. |
| PS-Prep will move from voluntary to mandatory. | Myth | As discussed above, the legislation calls for a voluntary program. However, market forces – meaning customers – may mandate that current or prospective suppliers achieve some form of preparedness certification. In this case, it would be a market mandate, not a regulatory mandate. |
| DHS should have selected the FFIEC handbook as a standard for PS-PREP. | Myth | Although the FFIEC is one of the most mature and comprehensive regulatory requirements in any industry, it is exactly that – an industry-specific regulatory mandate. Unlike the three standards selected, the FFIEC handbook is not written to be certifiable. |

In My Opinion
I am unaware of any mandatory certification in any discipline – for an individual or an organization. However, I am aware of multiple instances where organizations value individual or supplier certifications because they demonstrate a competency and commitment toward an important discipline. In other words, certification can offer market-driven value in order to increase employability (for an individual), business opportunities (for a private sector company) or public confidence (for public or private sector entities). A good example is “green certifications”. These certifications are far from mandatory but a differentiator nonetheless, as a growing number of organizations and consumers want to do business with those committed to sustainability and strong environmental practices.

So, as it relates to PS-PREP, it is expected that this program will remain voluntary. However, it should also be assumed that some buying organizations, at some point in the future, may ask for (or even demand) that their suppliers provide some form of third-party attestation regarding preparedness. As such, those that made the time and resource investment in PS-PREP (or a related private sector certification like the existing BS 25999 organizational certification process, for example) may benefit when it comes to business development or account management.

One other point. The PS-PREP certification process remains undefined. As such, the costs associated with certification preparation and the certification processes remain unknown. Before concluding that certification is too expensive, wait to hear more about the process – when it’s fully defined – and then investigate! Also, recognize that no one organizational competency should shoulder the burden to prepare. Look around your organization for help. Build a business case to get the value back, and if you can’t, perhaps PS-PREP – and organizational certification in general – isn’t for you!

Conclusions
The design and implementation of the PS-PREP program is far from over. A number of private sector professionals remain skeptical, not only in terms of the program’s value, but also the role of government in influencing private sector preparedness. Further, some worry that the effort will only scale to large businesses, while others wonder how a group of standards can apply and enable certification for a very diverse private sector. But mainly, many are questioning whether a voluntary program will become “highly recommended” or even mandatory. Although the answers to these concerns are far from finalized, these issues are well socialized amongst DHS and FEMA. As such, the government sponsors charged with developing and implementing the program are committed to meeting the needs of the private sector as best they can.

So, let’s be patient. And if PS-PREP can offer value to your organization, chart a course to become certified using a standard that reflects your unique needs. However, keep something in mind. Before thinking about certification, consider using standards to better align preparedness efforts with your business strategy, with the end goal of improving performance. After all, this is the primary reason the standards were developed in the first place.

Check out the Voluntary Private Sector Preparedness Accreditation and Certification Program (PS-Prep) Resource Center for more information.

————————

Brian Zawada
Avalution Consulting: Business Continuity Consulting