EIIP Virtual Forum Presentation — October 31, 2007

The New Certification Program for Business Preparedness
Key Issues for Stakeholders

Matt Statler, Ph.D.
Associate Director, International Center for Enterprise Preparedness (InterCEP)
New York University

Amy Sebring
EIIP Moderator

The following version of the transcript has been edited for easier reading and comprehension. A raw, unedited transcript is available from our archives. See our home page at http://www.emforum.org


[Welcome / Introduction]

Amy Sebring: Good morning/afternoon everyone. Thank you for joining us today. On behalf of Avagene and myself, welcome to the EIIP Virtual Forum! Our topic today is "The New Certification Program for Business Preparedness: Key Issues for Stakeholders."

This is not the first time we have had a representative from InterCEP join us, nor is it the first time we have devoted a session to private sector issues. Our first session with InterCEP was approximately three years ago when Executive Director Bill Raisch presented "Strategies for Private Sector Preparedness." Based at NYU, the International Center for Enterprise Preparedness (InterCEP) is the world’s first major academic center dedicated to private sector preparedness and resilience.

A core focus of InterCEP is the business case for business preparedness including both internal benefits to the corporation as well as external incentives from the market. With respect to this new accreditation and certification program, InterCEP’s goal is to serve as an ongoing channel for key stakeholder input in the development and continuing operation of the program. They have recently hosted a series of teleconference discussions for this purpose.

It is my pleasure to introduce Dr. Matt Statler, InterCEP’s Associate Director, where his responsibilities include conducting research and coordinating special projects to generate findings and recommendations for strategic action. Before joining InterCEP, Matt served as Director of Research at the Imagination Lab, a nonprofit Swiss foundation. In that role, he designed and facilitated strategy processes for major corporate, non-governmental, and educational organizations, while guiding a multidisciplinary research team that produced dozens of academic publications.

His most recent book publication is Everyday Strategic Preparedness: The Role of Practical Wisdom in Organizations (2007), Palgrave Macmillan UK. Welcome Matt. We are delighted you could join us today. I now turn the floor over to you please to start us off.

[Presentation]

Matt Statler: Thanks, Amy. I am very happy to participate in this forum, and I say hello and happy Halloween to the group. I do hope that the overview of the new legislation that I am about to provide will be helpful and informative - and I invite anyone seeking additional information beyond what I am able to provide today to contact us via email. That said, please let me start with the basic background and context.

Legislation was signed into law on August 3, 2007 that requires the U.S. Department of Homeland Security (DHS) to provide for the development of a private sector led voluntary certification program for all-hazards business emergency preparedness.

This program is to be developed in consultation with key stakeholders reflecting existing best practices and standards. The program represents a significant opportunity to link preparedness activities by business with bottom-line market based incentives.

The Law: The law is titled "Implementing Recommendations of the 9/11 Commission Act of 2007" and is also referred to as H.R. 1 and Public Law 110-53. Title IX of the Act addresses private sector preparedness and the certification program. A link to the relevant sections of the law has been posted to today's Background Page, or you can access directly at http://www.emforum.org/vforum/PL110TitleIXSec524.pdf

Key Points of New Program and Legislation are as follows:

The goal of the program is to provide a method to independently certify the emergency preparedness of private sector organizations including their disaster/emergency management and business continuity programs. The program focuses on certifying the preparedness of businesses and other private sector entities and does not involve any individual professional certification. The focus is on all-hazards preparedness and does not focus on terrorism.

The program will be voluntary. Businesses will decide whether or not they wish to obtain certification of their organizations' preparedness, likely based on what benefits they see in such certification. There is no legal requirement to participate.

Key stakeholders are invited to participate in the development of the program. Consultation with a variety of organizations and various sectors is required by the legislation. Program development will likely include involvement by a diversity of private sector advisory groups and others.

The program will be administered outside of government by third party organizations with experience / expertise in managing and implementing voluntary accreditation and certification programs. The federal government will not run the accreditation / certification program.

One or more preparedness standards can be designated. NFPA 1600 is referenced as an example. The law calls for the adoption of "one or more appropriate voluntary preparedness standards." It further states that "The term 'voluntary preparedness standards' means a common set of criteria for preparedness, disaster management, emergency management, and business continuity programs, such as the American National Standards Institute's National Fire Protection Association Standard on Disaster/Emergency Management and Business Continuity Programs (ANSI/NFPA 1600)."

Existing industry efforts, certifications and reporting in this area will not be duplicated or displaced but rather recognized and integrated. The legislation requires that the program consider the unique nature of various sectors within the private sector, including current preparedness certifications and reporting as well as existing initiatives by other federal agencies. The legislation specifically calls for existing certification and related efforts to be acknowledged and given credit in the process to avoid duplication. It further calls for any designated standards to be tailored to address the unique nature of various sectors within the private sector.

Special consideration will be made for small businesses. The program is to establish separate classifications and methods of certification for small business concerns as appropriate.

Proprietary and confidential information is to be protected: The certification process is to protect information that is proprietary and confidential to the business. In addition, DHS may make public the listing of certified private sector entities, only with the business' consent.

Thus the federal government has four basic tasks in establishing the program:

1. DHS will designate one or more organizations to act as the accrediting body to develop and oversee the certification process, and to accredit qualified third parties to carry out the certification program: In consultation with key stakeholders, DHS is to designate one or more third party non-governmental organizations based on experience and expertise in accreditation and certification processes. This decision is independent of the actual standards to be utilized in assessing preparedness and likely will focus more on capacity to manage and support the accreditation process.

2. DHS will separately designate one or more standards for assessing private sector preparedness: In consultation with key stakeholders, DHS will also separately designate one or more voluntary preparedness standards that each third-party certification body will use to assess preparedness. The standards may be sector specific and must include separate considerations for small businesses.

3. DHS will provide information and promote the business case for voluntary compliance with preparedness standards. Businesses must be aware of the program and see value in it to participate in the program. DHS will provide information to the private sector regarding voluntary preparedness standards and the business justification for preparedness. The Department will promote to the private sector the adoption of voluntary preparedness standards.

4. DHS will monitor the effectiveness of the program on an ongoing basis. DHS will annually review the accreditation and certification program to ensure its effectiveness, including the operations and management of any of the accreditation and certification bodies, and the standards designated, and must make improvements and adjustments to the program as necessary and appropriate.

InterCEP's Assessment of Key Considerations Going Forward

Market-based incentives may develop as the certification will provide a way to confirm that a business is prepared so it may be rewarded. A major rationale cited in the testimony for the program was the need to enable a closer link between preparedness and benefits for business. Key stakeholders in such areas as insurance, legal liability, rating agencies and supply chain management have generally acknowledged that business preparedness is valuable and should be rewarded but to date there has been no widely accepted methodology to confirm that preparedness exists in a business so that it could be rewarded. This program could supply such a method.

Businesses and their representative associations must be actively involved from the beginning in the development of the certification program and its ongoing operation. In order to assure that the ultimate certification program has true value to businesses, business and key stakeholders must have ongoing input into the program.

Potential external incentive providers must also be involved from the beginning in the development of the certification process and its ongoing implementation. The program must be structured such that the final assessment is of value to them and facilitates their provision of market-based incentives. Input from and involvement of the following key stakeholders should promote recognition of the preparedness certification in their respective activities:

Experience from similar but more established voluntary certification programs should be tapped for insights into program development: Similar voluntary assessment and certification programs have been utilized on a voluntary basis for some time in quality management and environmental management. While the legislation clearly does not call for a management systems approach and many businesses opt for a more program element approach, historical experience and lessons learned with the voluntary certification element of these programs could provide insights into the development of the preparedness certification program.

In designating one or more preparedness standards for use in the program, a "constellation of standards" should also be evaluated. Where there is more than one acceptable existing preparedness standard with significant value to one or more business sectors, consideration should be given to structuring a certification process which accommodates the assessment of the business against one or more standards in a unified framework that acknowledges a common core of program elements and best practices.

Now, that's the overview and a few initial issues for consideration. During September and October 2007, InterCEP has held a series of forums (integrating conference calls and online discussions) focused on key issues involved in assuring that the new certification program delivers real value to business, with a particular focus on achieving bottom-line incentives and advancing resiliency.

Each session included an introductory overview on the new law and prospective elements of the voluntary certification program, followed by discussion by key stakeholders and Q&A on the chosen topic.

Over 200 different individuals participated in the webinars, many of them attending more than one event. There was a good cross-section of stakeholders, including government agency officials at federal, state and local levels, representatives of major multinationals as well as SMEs in the private sector, and key leaders from major nonprofit organizations and trade associations.

I will now briefly mention the topics discussed at these forums, and then perhaps we can get into some more detail during the Q&A.

Learning from Existing Voluntary Certification Programs in Quality and Environmental Management: Some businesses have current management systems programs in quality management and/or environmental management. This session focused on what can be learned from these experiences in voluntary certification.

The Rating Agency Perspective on Assessing Business Preparedness: Rating agencies are primarily focused on factors which contribute to credit defaults or business failures. This session focused on whether there are rating agency considerations worthwhile incorporating into this new certification program which are of either immediate or long-term value.

Supply Chain Management and Assessing Supplier Resilience: There is an increasing focus on supply chain resiliency and the preparedness of critical suppliers. Some firms are noting significant time spent on interfacing with multiple customers assuring each of the business' preparedness status. This session focused on whether this voluntary certification program could provide a commonly accepted verification of preparedness and thereby avoid multiple customer queries. It additionally addressed key considerations that the supply chain management community would optimally see incorporated into this program.

Can Corporate Governance & Social Responsibility Initiatives be Advanced through a Voluntary Certification Program?: In an increasingly risky business environment, risk management is a growing concern among boards of directors and executive management. This session focused on how this voluntary certification program might be structured to address these concerns.

Incorporating Insurance Company Input into the New Certification Program: The insurance industry on the whole acknowledges the value of business preparedness and recognizes its ability to minimize losses to both the individual business and the insurance company. Risk evaluation and underwriting processes of individual insurance firms vary, however. This session inquired whether a voluntary certification program that is both representative of best preparedness practices and incorporates the perspective and needs of insurance companies could facilitate a clearer acknowledgement of business preparedness by insurance companies.

Minimizing Legal Liability Through a Preparedness Certification Program: Negligence tort and other legal liability can be a major exposure for companies of all sizes in the aftermath of an emergency. This session discussed how the certification program might best be structured to minimize downside legal liability of the company.

Incorporating the Perspective of Key Vertical Industries into the New Preparedness Certification Program: The Financial Services Sector as a Case in Point: Some business sectors have a long history in preparedness activities and robust programs in place. The financial services sector is one with particularly deep experience in this area. The new law specifically calls for existing industry efforts, standards, practices and reporting in the area of preparedness not to be duplicated or displaced but rather recognized and integrated.

Special Considerations for Small & Medium Sized Business in the New Preparedness Certification Program: Small businesses make up the vast majority of the U.S. economy. Even though voluntary, the new certification program must be economically and operationally achievable for small business for it to be of any true value to them. This session discussed how the legislation acknowledges small business concerns and calls for the new program to establish separate classifications and methods of certification for small business concerns as appropriate.

Potential TRIA Considerations and the New Voluntary Preparedness Certification Program: This session addressed potential considerations related to the Terrorism Risk Insurance Act (TRIA) from both the perspective of business risk managers and the insurance industry.

Integrating Voluntary Preparedness Certification with other Business Reporting Requirements: Issues and Opportunities: Based on the functions of a business, its vertical industry and public or private ownership, there are a variety of reporting requirements that businesses have to shareholders, customers, partners, the government and others. This session focused on how the new voluntary certification program might fit into existing reporting activity so as to avoid duplication and excess effort.

Ten different discussions in all, and we are only beginning to process all the information we gathered.

Looking ahead, we eagerly await word from DHS concerning who will be the designated officer/agency in charge of developing the certification program. This was supposed to have occurred within 30 days of the law's passage, so the process is already lagging a bit. The law stipulates that this designated officer should have 210 days to develop, promote and implement the program. Since the bill was signed into law in August 2007, we anticipate that the program may begin operations at some point in the range of February 2008.

Now, my primary purpose here today is to inform people about the content of the discussions that we've held, but I am eager to hear what other considerations this group might have relative to the new law. That said, I would like now to conclude this overview, and turn the session back over to our Moderator for the Q&A.

Amy Sebring: Thank you very much Matt. Now, to proceed to your questions or comments.

Matt Statler: I will do my best to answer what I can, but will also defer to other experts in the forum on specific points that I'm not clear about.

[Audience Questions & Answers]

Question:
Lloyd Colston: Good morning, Dr. Thanks for bringing this issue to our attention. Does the business get "extra points" for engaging their LOCAL emergency manager to facilitate (but not write) their disaster plan(s)?

Matt Statler: Certainly coordination with other organizations would be part of what good disaster planning entails. As for 'extra points', issues like that have yet to be determined since the program itself has not yet been created. But without doubt, the private sector might be increasingly looking to public sector expertise in these areas.

Question:
John Copenhaver: Does InterCEP support the use of both NFPA 1600 and the brand-new ASIS "All-Hazards Risk Management" standard in conjunction with the "voluntary certification and accreditation" provision?

Matt Statler: Good morning John. We have been discussing the importance of a 'constellation of standards'. As you know, NFPA 1600 was named in the law, but the law also says 'one or more' standards may be used. And we see a great deal of expertise embedded in a variety of standards, some of which may be focused differently, or relevant to particular verticals. But the new ASIS [American Society for Industrial Security, http://www.asisonline.org/guidelines/guidelines.htm] standard should definitely be on the list of standards considered, especially as it is implemented in companies moving forward.

Question:
Sherry Buresh: How has this been related to the Continuity of Operations Plan (COOP) now being required for government agencies?

Matt Statler: My understanding, and this is definitely a point I'll defer on to others with greater expertise, my understanding is that existing public sector requirements like COOP, as well as EMAP, which I know has been a focus of discussion in this forum, should inform the private sector accreditation and certification efforts. If anyone out there has any specific information about COOP and its relevance to the law I'd love to hear it. But to my knowledge, COOP was not referenced in the legislation explicitly, and since we're still waiting for the program to start up, there's no substantive overlap as yet.

Question:
Roland De Rocili: All this being said, how does this certification program differ from the current Certified Emergency Manager (CEM) program that is offered by the International Association of Emergency Managers (IAEM)?

Matt Statler: That program certifies individuals. The certification program we're discussing here is for companies. Like ISO 9000 or other voluntary certification efforts, it would serve as a kind of overall 'seal of approval', but not have anything directly to do with individual professional qualifications per se. Although, qualified personnel would certainly be required by any prepared organization. I guess that goes without saying.

Question:
Melissa McClain: I work with the aviation industry, who probably has the best model for victim assistance, and my company also provides Employee Assistance services. Too often the people are forgotten. To what extent will preparedness issues specifically focused around corporate and individual employee preparedness initiatives be a part of this program?

Matt Statler: A great question and one that we see frequently. If the question is 'to what extent', then the answer depends primarily on the standard(s) that are chosen. The standard would serve as a kind of measuring stick. Again, standard or standards, ideally in some kind of constellation, and the extent of individual preparedness involved would depend on how the standard is structured.

NFPA 1600 addresses such matters, and if I'm not mistaken, the specific issue of the 'human aspect' of preparedness was woven into the most recent update of the standard. I'm sure Lloyd Bokman and others could confirm this, but your point that the people are often forgotten should definitely inform the considerations of the accrediting body. I've talked around your question I fear, but I hope not too far off base.

Question:
Steve Pappas: How does the certification process work?

Matt Statler: We've looked into this in some depth. There are a number of voluntary certification and accreditation programs currently in operation. Perhaps most widespread and well-known are those around the ISO 9000 and ISO 14000 series standards, but there are literally dozens of them ongoing in the areas of environmental safety, OSHA, industrial hygiene, Labor, corporate social responsibility, etc. And while there are certainly differences across these various efforts the basic structure of the voluntary program is as follows:

If you can envision a kind of pyramid: At the top is the accreditation body. This is an independent, qualified organization that oversees the entire process. Here in the US, ANSI prominently plays this role. That accreditation body issues accreditation to other organizations that seek to operate as certifiers. Those accredited organizations would be conducting the certification process at companies. This is typically market-driven. Some of the usual suspects playing in this market include big consulting firms such as KPMG or Price Waterhouse, but also small organizations can become certified to fill specific market niches.

Then at the bottom of the pyramid are the various companies that seek certification voluntarily because they believe it will be beneficial to their business. So this is the generic structure. And from the conversations that we've had, it seems that this basic structure could be used for the preparedness certification program. And all the business processes that support the existing voluntary programs could ideally be adapted to support the certification of corporate preparedness.

Question:
Amy Sebring: Matt, there is already some movement to develop a new ISO Standard in this area, not only from NFPA 1600, but also considering existing international practices. Do you think there is an advantage to developing an ISO standard, in that businesses are already familiar with ISO in these other areas?

Matt Statler: Are you speaking about the activity of Technical Committee 223, focused on Societal Security?

Amy Sebring: Yes, I believe that is the one. [See http://www.iso.org/iso/standards_development/technical_committees/list_of_iso_technical_committees/iso_technical_committee.htm?commid=295786 ]

Matt Statler: Well, we hosted a meeting last year to inform that committee and my general understanding is that they are moving forward rapidly with a provisional standard almost ready for publication, if not out already.

On the point of whether it makes sense; we think the ISO processes are robust enough, established over time, and with involvement of many different stakeholders in an international environment that it will be of great benefit if an ISO standard for business continuity and emergency preparedness were to emerge.

And the fact that businesses are already familiar with the ISO process would streamline things. But again, such a standard would ideally, in our estimation be one star in a constellation that would be sufficient to address the range of variability in the marketplace and the different needs and risk exposures of firms in different industries and geographical locations.

Question:
Ric Skinner: I suggest that InterCEP give primary focus on those enterprises that are part of the DHS designated Critical Infrastructure/Key Resources. Of particular focus should be healthcare facilities because they are at the center of a robust and responsive emergency management/disaster response system.

Matt Statler: Ric, this issue did come up repeatedly. Some other folks mentioned transport and utilities infrastructure as most important, but the fact that the program will be voluntary means that critical infrastructure businesses will have to see the business benefit of certification. And that's one reason why DHS will be working hard to support the development of the business case for preparedness generally speaking, and specifically for certification by an accredited preparedness auditor.

Question:
Brit Weber: Have there been any discussions on whether NPOs/NGOs will be defined as 'private sector' in this legislation?

Matt Statler: Brit, my understanding is that the legislation applies to businesses, for-profit firms only. And to my recollection, the issue didn't come up in our forums, but I'm happy to be corrected if in fact NGOs will be included.

Comment:
Rich Kos: The law shows "training & exercising" but mainly looks like internally. The certification should address the public and private sector training and exercising together. Otherwise it is just another certification sitting on a shelf. The exercises need to include employees at all levels.

Matt Statler: Rich, this is another point that people raise frequently, so you are right that the ‘seal of approval’ has no value unless the certification process is rigorous, and the standard to which companies will be certified includes elements of public-private collaboration and the creation of a preparedness culture that pervades the organization.

Question:
Paula Gordon: Do you think that there is an adequacy of courses or programs in academia that focus on business continuity and preparedness issues? What institutions, if any that you know of, are addressing the need to educate the educators and curriculum developers?

Matt Statler: Good question Paula. From our perspective, it's been interesting to watch over the last few years as a variety of preparedness training and education initiatives have sprung up both in universities and in conjunction with major professional associations. Still, we see a growing need, and especially from the private sector perspective, since many of the existing educational programs at universities tend to focus more on the public sector.

Business continuity and operational risk have not quite permeated the core MBA curriculum, for example. That may be the wave of the future--where risk management becomes, like marketing or finance, a core business discipline. This certification program may help to accelerate that process simply by raising the bar in terms of corporate preparedness and creating an even greater need for risk-related skill sets. But to my knowledge, no educational institution has yet developed a program specifically designed around the certification program. Again, it doesn't yet exist!

Question:
Marc DeCourcey: What have you heard about the funding amount needed and source to implement this program? Congress hasn't specifically set any money aside for this. DHS/FEMA may be able to design the policy with input from stakeholders, but to implement the initiative by hiring an organization to oversee the program and engage the certifiers will be expensive. Is there concern that this will delay launch in 2008?

Matt Statler: That's a key issue being kicked around Marc. There are those who are concerned about further delays. I don't have any specific information about the projected scope and budget of the program, but you are certainly right that it does require resources. So we can hope that appropriate allocations are made sooner rather than later.

[Closing]

Amy Sebring: That is all we have time for today. Thank you very much Matt for an excellent job and for staying over. We hope you enjoyed the experience. Can you put up a follow up email address?

Matt Statler: Certainly. Please feel free to contact me: matt.statler@nyu.edu. Thanks to you all for your time and attention!

Amy Sebring: Please stand by just a moment while we make a couple of quick announcements. If you are not on our mailing list and would like to get notices of future sessions and availability of transcripts, just go to our home page to Subscribe.

We have recently achieved a milestone, and now have more than 1500 subscribers representing a diverse cross section of organizations. We are also pleased to welcome FIVE new Partners today!

Facility 911 Coalition; www.facility911.com ; POC: Ed Lupton; "Our mission is to develop a network of facilities that care for people with disabilities and the elderly to improve their emergency planning; not be a burden on their county in crisis; save lives; and keep them in business."

Evolution Technologies, Inc.; http://www.evotecinc.com/; POC: Timothy Grapes, Vice President; "The goal of Evolution Technologies is to produce long term solutions for a constantly changing business environment."

National Child Traumatic Stress Network; http://www.NCTSN.org; POC: Melissa Brymer, Program Director, Terrorism and Disaster; "Established by Congress in 2000, the National Child Traumatic Stress Network (NCTSN) is a unique collaboration of academic and community-based service centers whose mission is to raise the standard of care and increase access to services for traumatized children and their families across the United States."

Florence Independent School District; http://www.florence.k12.tx.us; POC: Dr. Marilyn Hill, Curriculum Director; "The mission of Florence ISD is to provide each student with appropriate learning opportunities in a positive atmosphere of mutual respect (development of citizenship, responsibility, high-level thinking skills, and leadership)."

Finally, but certainly not least, SRA International, Inc.- Emergency Management and Crisis Communication (EMaCC); http://www.sra.com/; POC: Dominick Urso, Principal; "SRA is a leading provider of technology and strategic consulting services and solutions – including systems design, development, integration, outsourcing, and managed service."

Whew! Thanks for your patience! If your organization is interested in becoming an EIIP Partner, please see the link to Partnership for You from our home page. We are definitely trying to increase our number of Partners as a show of support for what we do.

Thanks to everyone for participating today. We stand adjourned but before you go, please help me show our appreciation to Matt for a fine job.