
Background

Standards

Overview

Organizations must demonstrate their due diligence through adherence to nationally and internationally recognized standards, guidelines, and best practices. Challenging Risk has created emergency management and business continuity software that supports all existing and proposed standards (NFPA 1600-10, BS 25999-07, CSA Z1600-08 and ASIS SPC1-09), guidelines, and best practices.

Recently, DHS published a notice in the Federal Register announcing its intent to adopt the three standards listed below under PS-Prep (the Voluntary Private Sector Preparedness Accreditation and Certification Program):

  • ASIS SPC.1-2009 “Organizational Resilience: Security, Preparedness, and Continuity Management Systems”
  • British Standard 25999-2:2007 “Business Continuity Management”
  • National Fire Protection Association 1600:2010 “Standard on Disaster/Emergency Management and Business Continuity Programs”

While PS-Prep is voluntary, it will become increasingly difficult for organizations to maintain or implement emergency management and business continuity programs that are not based on a recognized standard.

A significant problem for organizations is the complexity and scope of the standards. The three standards adopted under PS-Prep place hundreds of requirements and sub-requirements on organizations. ASIS SPC.1-2009 alone contains 25 separate requirements, each with dozens of sub-requirements.

As an example, 4.4.7 (Incident Prevention, Preparedness, and Response), requires the creation, implementation, and maintenance of (a) procedure(s) that address all hazards that may impact not only the organization’s activities, functions, and services, but also stakeholders and the environment. The procedure(s) must address preparedness, prevention, mitigation, and response. Additionally, the procedure(s) should consider seven separate actions, such as preventing further escalation of the disruptive incident.

Requirement 4.4.7 suggests the procedure(s) address 19 separate organizational needs, such as “Procedures and authority to declare an emergency situation, initiate emergency procedures, activate plans and actions, assess damage, and make financial decisions.”

Requirement 4.4.7 requires the procedure(s) to have a continuous improvement component, outline the capabilities and competency of those in the organization tasked with emergency management duties, and provide documentation of all actions listed in the requirement.

In addition to the requirements presented in the various standards, there is increasing pressure from emergency responders for accurate, timely information about buildings where an incident is occurring. Responders need information such as the location of vulnerable populations, CBRNE (chemical, biological, radiological, nuclear, and explosive) hazards on site, fire plans, and evacuation plans.



FEMA PS-PREP

(Private Sector Preparedness Accreditation and Certification Program)

Recently, DHS published a notice in the Federal Register announcing its intent to adopt three standards under PS-Prep (the Voluntary Private Sector Preparedness Accreditation and Certification Program). The notice stated:

The Voluntary Private Sector Preparedness Accreditation and Certification Program (PS-Prep) is mandated by Title IX of the Implementing Recommendations of the 9/11 Commission Act of 2007. Congress directed the Department of Homeland Security (DHS) to develop and implement a voluntary program of accreditation and certification of private entities using standards adopted by DHS that promote private sector preparedness, including disaster management, emergency management and business continuity programs.

The purpose of the PS-Prep Program is to enhance nationwide resilience in an all-hazards environment by encouraging private sector preparedness. The program will provide a mechanism by which a private sector entity - a company, facility, not-for-profit corporation, hospital, stadium, university, etc. - may be certified by an accredited third party establishing that the private sector entity conforms to one or more preparedness standards adopted by DHS.

  • ASIS SPC.1-2009 “Organizational Resilience: Security, Preparedness, and Continuity Management Systems”
  • British Standard 25999-2:2007 “Business Continuity Management”
  • National Fire Protection Association 1600:2010 “Standard on Disaster/Emergency Management and Business Continuity Programs”


NFPA 1600:2010

(National Fire Protection Association Standard on Disaster/Emergency Management and Business Continuity Programs)

The 1995 edition of NFPA 1600 was subtitled “Recommended Practice for Disaster Management”.

The 2000 edition of NFPA 1600

  • incorporated a total program approach
  • shifted focus from disaster management to disaster/emergency management
  • changed from a recommended practice into a standard
  • included business continuity programs into the standard

The 2007 edition of NFPA 1600

  • expanded the conceptual framework for disaster/emergency management and business continuity programs
  • added prevention as a distinct aspect of the program (in addition to mitigation, preparedness, response, and recovery)

The 2007 changes were made to bring the standard into alignment with related disciplines and practices of risk management, security, and loss prevention.

NFPA 1600:2007 applies to public, not-for-profit, and private entities.

The 2010 edition of NFPA 1600

  • has been reordered and expanded
  • received designation and certification as anti-terrorist technology under the SAFETY Act


BS 25999-2:2007

(British Standard on Business Continuity Management)

The British Standard was adopted in response to concerns raised about the American and Canadian standards. NFPA 1600 and CSA Z1600 are extremely thorough on emergency management; however, they are not as comprehensive in the area of business continuity. BS 25999 has been identified as the best-practice standard for business continuity.

BS 25999 defines the requirements for a management systems approach to business continuity. It is designed for use in large, medium, and small organizations operating in the industrial, commercial, public, and voluntary sectors.

The British Standard came into effect in November 2007.


CSA Z1600-08

(Canadian Standards Association Emergency Management and Business Continuity Programs)

CSA Z1600-08 is the Canadian Standard on Emergency Management and Business Continuity.

CSA Z1600 provides the criteria to develop, implement, maintain, and evaluate emergency management and business continuity programs for any organization or institution, private or public. It addresses prevention, mitigation, preparedness, response, and recovery, and establishes the elements of a continuous improvement process. The standard was released in 2008 and applies to public, not-for-profit, and private entities.


ASIS SPC.1-2009

(Organizational Resilience: Security, Preparedness, and Continuity Management Systems)

ASIS SPC.1-2009 is designed to emphasize resilience in an organization, and specifies an organizational resilience management system. The standard enables the development and implementation of policies, objectives, and programs that reinforce organizational resilience.

The standard is designed to address hazards that the organization can control, influence, or reduce. It covers all phases of incident management, and includes pre-event, event, and post-event planning.

ASIS SPC.1-2009 was released in 2009.


