EIIP Virtual Forum Presentation — February 25, 2009

NFPA 1600 Update
Standard on Disaster/Emergency Management
and Business Continuity Programs, 2010 Edition

Donald L. Schmidt
Chair, Technical Committee on Emergency Management and Business Continuity
National Fire Protection Association
CEO, Preparedness LLC

Amy Sebring
EIIP Moderator

The following has been prepared from a transcription of the recording. The complete slide set (Adobe PDF) may be downloaded from http://www.emforum.org/vforum/NFPA/NFPA1600-2010Edition.pdf for ease of printing.


[Welcome / Introduction]

Amy Sebring: Good morning/afternoon everyone. As our long-timers know, we have been following the development of the NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs for several years now. The standard is currently going through the revision cycle again, and comments are due March 6th.

Our purpose today is to highlight the proposed changes and encourage you to participate in the process. Please note that both the Report on Proposals, which includes the revised text near the end, and the NFPA online comment system are linked from today’s Background Page.

Please also note the related poll on our home page: "Should the business continuity aspects of NFPA 1600 be made into a separate standard? Yes, No." Please take time to participate by voting and review the results thus far.

Now it is my pleasure to introduce today’s guest speaker: Donald L. Schmidt serves as Chair of the NFPA's Technical Committee on Emergency Management and Business Continuity, the Technical Committee responsible for NFPA 1600. His is also a principal member of NFPA's Technical Committee on Pre-Incident Planning, responsible for NFPA 1620.

Don is the editor of Implementing NFPA 1600 National Preparedness Standard, co-author of Business at Risk: How to Assess, Mitigate, and Respond to Terrorist Threats and Tools & Techniques of Risk Management and Insurance. He is a contributing author to the McGraw Hill Homeland Security Handbook and the Fire Protection Handbook, 20th Edition.

Lastly, but not least, Don is CEO of Preparedness, LLC, a Massachusetts based consulting firm that helps clients assess hazard and operational risks; develop and implement strategies and programs to prevent hazards and mitigate the impacts of hazards; and design, implement, and evaluate emergency management and business continuity programs.

Welcome Don, and thank you for being with us today. I now turn the floor over to you to start us off please.

[Presentation]

[Slide 1]

Don Schmidt: Good day, everyone. Thank you very much, Amy, for that introduction. I want to chat with you today about the 2010 edition of NFPA 1600. We’ve been working very hard on the latest edition for about the last two years now. Let me give you the highlights of the new edition. It’s still a work in progress, and we encourage you to review the draft and favor us with you comments. We’ll talk about that process later on.

[Slide 2]

Just a little history lesson here: our committee was formed in 1991. We have four published editions beginning in 1995, most recently with the 2007 edition. Following the terrorist attack of 9/11 there was a lot of attention focused, and continues to be focused on preparedness, on private sector preparedness in particular.

NFPA 1600 was endorsed by the 9/11 Commission and that recommendation was carried forward in two federal laws: Public Law 108458 back in 2004, and most recently in Title IX of Public Law 11053 which calls for a voluntary (and I underline the word "voluntary") certification of private sector preparedness programs. A lot of attention is focused on 1600 and it’s great because it focuses on a committee and we get a lot of input. We appreciate that.

[Slide 3]

We take a look at the development of the standard and noted the standards development is the work of a lot of people including many of you hopefully on the call. We have a technical committee, we’re authorized for 36 members, we’re currently about 32. There are always people coming and going. We also have alternate members and non-voting members. That is the formal technical committee.

But with this edition, the development of the 2010 edition, we pull together 6 task groups with about 74 members, people who are not members of the technical committee but have joined task groups to provide their input. That is available to many of you, if you are interested, to let us know.

We also took a look at lessons learned from Hurricane Katrina and national reports that were published. The Sloane Foundation also focused in on private sector preparedness and I co-authored a framework for voluntary preparedness, and we’re very much involved in Public Law 11053 of Title IX Voluntary Certification Program, that whole discussion.

The committee began work in late 2007 in our research to put together this edition and now we’re approaching the last stage in that process which is what we call our report on comments meeting which is upcoming.

[Slide 4]

Let me give you the highlights of the 2010 edition. First off, one of my goals for this edition was to define some additional words—terminology can be a bit of a challenge—so we’ve added some new definitions.

In addition, probably the biggest change here is we’ve expanded what was within chapters 4 and 5 into 5 chapters and they’re ordered in more of a program development process and I’ll display that in just a minute.

Another one of the goals was to address strategic issues and introduce a concept of crisis management, really taking a look at the strategic management of major issues that we face in an entity.

The annexes have always been a great repository for a lot of explanatory and reference information. We’ve taken out some of the lists. Instead we’re putting in a self-evaluation checklist and also criteria for management system guidelines.

[Slide 5]

I mentioned the expansion of chapters 4 and 5 and you can see here on this slide, we’ve expanded chapter 5 into 4 chapters (5-8) and again they follow pretty much any program development process. We don’t specify any program development process. But again, I think it’s more user-friendly when we’ve organized in this manner. This was a suggestion from our colleagues in Canada with Z1600, which was recently published by the Canadian Standards Association.

[Slide 6]

If we take a look at program management, really the pillars of the foundation of the entire program, we have a new section here on leadership and commitment, really speaking to what senior management needs to do. We’ve expanded the Performance Objectives. We’ve moved the Finance and Administration section from the back end of chapter 5 into the Program Management section and we’ve added a new section on Records Management.

[Slide 7]

In the Planning section, which is the new chapter 5, we’ve expanded under the Risk Assessment here and, in particular, a section on business impact analysis for business continuity professionals. I’ve mentioned crisis management; we’ve introduced that here at 5.5, the Crisis Management section. In addition, we’ve added additional elements into the common plan requirements, specifically succession and delegation and authority.

[Slide 8]

In chapter 6 we have always had a section on communications and warning. That has been emphasized because it’s critically important. In addition we’ve pulled out and under a new title of Emergency Response section and we have emphasized or added a language in here to address the needs of people with special needs.

In the Business Continuity and Recovery section, not only are we addressing business continuity but we’re addressing the needs, the human impact—the people—it’s not just the employee assistance but to support the people after emergencies and disasters.

The Crisis Communications section was pulled in from chapter 5 and somewhat expanded. I think that was always a great part of the document and I think the latest edition is going to be an enhancement of that.

[Slide 9]

If we look at Testing and Exercises, this is a new chapter. We focused in on this because it is so important, to develop your program and really insure that that program is going to meet your needs. We’ve defined goals and objectives. We’ve defined a system so that we get recommendations for those involved. I think that’s going to be a great addition to the document.

[Slide 10]

Chapter 8, the last chapter of the document, focuses on Program Improvement. We’ve expanded this section to focus on management review, and involvement of management. It really goes back to chapter 4, that commitment and leadership to do section 4. 1. This pulls it all together with the management review and the involvement of management. We don’t specify frequency of reviews; we say it’s periodic. There are a lot of triggers that we specify as to when the program needs to be reviewed.

We’ve addressed in prior editions Corrective Action. We’ve expanded that just a little bit in this section as well.

[Slide 11]

There has always been a lot of great information in the Annexes. Annex A is specific explanatory text that supports chapters 1-8. We have a new chapter B which is Program Development Resources and this kind of replaces a lot of the lists of organizations and publications and other documents out there.

Annex C is a new Checklist for Compliance, a self-evaluation checklist, and I think that’s going to be a helpful tool for you to go through and evaluate your current program.

Annex D is a relatively short annex but it provides the criteria for Management System Guidelines.

[Slide 12]

In the introduction, Amy emphasized that there is an opportunity for all of you to participate in the process, favor us with your comments on the Report on Proposals draft. That comment period is open until Friday, March 6. You can submit your comments online or you can download the form and fill out the form and fax it, mail it, or E-Mail it to NFPA. It has to be done by March 6.

The committee will meet in the middle of March to review all the public comments and since we’ve finalized the document, in that ROC draft (Report on Comments) will be published by NFPA by late August, approximately August 28. Depending upon whether there are any challenges to the document, it could be available as early as January 29, 2010.

[Slide 13]

I also want to point out to everybody there is a lot of additional information out there. NFPA 1600 is freely available from the NFPA’s website. I understand it has been downloaded more than 120,000 times. You might definitely want to take advantage of that. Amy mentioned Implementing NFPA 1600, the handbook that I edited and many members of the technical committee and other subject matter experts contributed to.

NFPA also has a 2-day professional development course, focused on 1600. The intended audience for that is largely the private sector although we’ve had many representatives from the public sector who have attended those courses.

That concludes my introductory presentation here, and I’ll turn it back over to Amy so we can entertain your questions.

Amy Sebring: Thank you very much Don. We have a lot of good interest today. Now, to proceed to our Q&A.

[Audience Questions & Answers]

Question:
Jim Kendig: Has NFPA 1600 been reconciled with NFPA 99, the EM standards for healthcare?

Don Schmidt: A great question. The 1600 committee has been working over the past several years with the 99 committee -- trying to work together, trying to coordinate. In a direct answer to the question we have not reconciled. The needs of the healthcare community are addressed within chapter 10 or chapter 11 of 99. They are taking our input, I think they are revising. I don’t know exactly where it stands today, but there is a dialogue back and forth. Each NFPA committee can do what they feel is appropriate for their individual document. We just hope that there is good coordination and referencing back and forth but they are responsible for their document.

Question:
Charles Hout: Do you have any update on the status of progress from the ANAB committee of experts regarding their work?

Don Schmidt: I am a member of the ANAB committee of experts. ANAB is the American National Accreditation Board. ANAB was designated or hired by the Department of Homeland Security to handle the accreditation of the certifying bodies. The certifying bodies are those organizations that will go into the field and evaluate the preparedness programs of private sector organizations. That’s the Voluntary Private Sector Certification Program that is called for under Title IX of Public Law 11053.

ANAB has been identified. I am a member of the committee of experts. We’ve had a number of calls to define some of the accreditation requirements for those certifying bodies. However, DHS has not yet designated any standard that will be used as a criteria for the certification of private sector preparedness programs. I’ve been in several of the DHS meetings—they had one in January and they had one just the other day and I didn’t go to that one—and I think that NFPA 1600 will be one of the standards designated. DHS has not done so yet.

You can go to the ANAB website [http://www.anab.org] and they have some information on that program and they’ll post updates as soon as information becomes available.

Question:
Brit Weber: Did the committee poll what types of "private sector" entities are following NFPA1600? We strongly promote this Standard with the private sector and it is our hope that more and more are using it.

Don Schmidt: I try to follow any published reports, any surveys, regarding the use of NFPA 1600 because we want to see how it’s being used and we want to get feedback and so forth. There have been a number of different surveys done—KPMG Continuity Insights published a poll. The Conference Board has done some surveys and I have a copy of their report that was published in the middle of last year—and we’re seeing that NFPA 1600 is clearly the standard that is being used within the public sector. Certainly it has a long history in the public sector but we’re seeing increasing use in the private sector.

I’ve also seen that in the number of participants in the DHS private sector preparedness meetings as well as the American National Standards Institute, the Homeland Security Standards Panel meetings which are focused on private sector preparedness. So clearly 1600 is getting the attention of the private sector following its significant use in the public sector.

Question:
Steve Frew: I am particularly interested in NFPA input/direction on NIMS training standards and guidelines, especially as they apply to public utilities. My concern is that training standards are being established primarily based on FIRE DEPARTMENT recommendations, and that the hours of required training are NOT realistic for utilities.

Don Schmidt: Again, a great question. As we all understand how important incident management is, and we have addressed incident management as well as testing and training exercises within 1600 for many years. I think the focal point here is going to be on the incident management standards.

First off in the 1600 we stayed generic. We state that you need to have an incident management system; that a management system needs to be used when you respond to incidents. We talk about using an incident action plan or management by objectives. Within the training requirements in 1600 we speak to training in the incident management system, whatever system you follow, but again we are not specific. We mention in Annex A NIMS and ICS, but we do not specify NIMS or ICS. We don’t get down and prescribe specific requirements for training.

NFPA is a programs standard and fairly high-level standard and therefore it does not get into the nitty-gritty requirements there. I would say it’s important that you understand the regulations that apply to your part of the private sector; that you plug in and take advantage of all the free resources, the online training and other resources that are available to you. But in 1600 we don’t get that specific in terms of implementation of incident management systems or training in incident management systems.

Question:
Rennie Raines: Where can we obtain info on the NFPA 1600 two day class?

Don Schmidt: If you go to the NFPA website, they have a catalog of their professional development. There’s information there. If not, maybe we can get a message to me here, I don’t know whether my email address is going to be displayed for you, but if we get word from you we can make sure that information gets back out to you.

[http://www.nfpa.org/itemDetail.asp?categoryID=227&itemID=17515&URL=Learning/Training%20and%20professional%20development/On-site%20seminars&cookie%5Ftest=1 . Also, address email inquiries to jpolito@nfpa.org for the NFPA 1600 seminar brochure and further information.]

Question:
Philip J. Padgett: It is rumored that NFPA is not supportive of the Emergency Management Standard by EMAP. What is your position on EMAP? Are you supportive of maintaining the positive and complementary relationship between NFPA and EMAP?

Don Schmidt: EMAP (Emergency Management Accreditation Program) has been represented on the NFPA 1600 committee for many, many years. We embrace their support and input. EMAP really got their roots using NFPA 1600. They have chosen to develop their standard, and that’s fine.

We hope they will continue to participate and contribute to the NFPA 1600 technical committee. We recognize there’s room for a lot of standards out there. We encourage everybody to review all the standards that are out there to use that to make your program as effective as it can be. I would say at this point the NFPA is supportive of EMAP. But again I have to point out, I’m not a NFPA employee. I speak on behalf of the committee and we try to embrace everybody.

Question:
Brit Weber: Could you describe further the 2-day professional development course? (topics, etc.) I heard you say that it was targeted for the private sector (great!). Why for private sector?

Don Schmidt: The 2-day course is designed to be very interactive. What we’ve done is designed a hypothetical company that has operations around the United States. The hypothetical company we describe in the background information—their facilities, their operations, their information technology infrastructure and so forth.

Then, what we do is we go through, in approximately 8 modules, and focus on program management and what it takes to put together your program. We’ll have an exercise that follows in terms of organizing your program committee and getting the management support for the program.

Then we’ll go through a module on risk assessment to identify hazards and potential impacts. That leads into the next module where we talk about prevention and mitigation strategies. Again this is all work group focused on the hypothetical company. You’ll read about a division of the company that you’re an employee of and you’re supposed to come up with your risk assessment and then your prevention and mitigation strategies.

We have a fourth module on resource management and we take a look at the people with the training and the education, the capability. We take a look at systems, equipment, materials, supplies, communications capabilities, all the different resources that are really important to your program. Then we have an exercise focused on deploying emergency medical capability within the corporate office building.

The fifth module is actually broken down into a couple of pieces. The first part is emergency response and identifying laws and regulations that are applicable in the United States. Then identifying, through a group exercise, the process to go through to decide what would be appropriate in terms of emergency response capabilities. What are the minimum requirements, which are spelled out in various regulations, OSHA and so forth, but then also what are other options that may be appropriate for your business?

The next module is business continuity where we’ll talk about business impact analysis. We’ll talk about identifying critical business functions. We’ll talk about business continuity requirements, the various strategies for recovering after an interruption or disruption of a facility or critical business functions. We’ll go through an exercise, again applying it to the hypothetical company.

At the end of module five, we cover crisis communications—how important it is to be able to effectively communicate not just in term of during the incident, but dealing with all the potential stakeholders, all the different audiences that you may need to reach out to. There are many different audiences and again, the scope of your crisis communications program has to be scalable if you have a significant incident.

Module six focuses on incident management. What we’ve done is we’ve taken the ICS forms, we’ve customized these forms for private sector audience, and then we present a table-top exercise where we have a scenario that plays out and the users have to go through a briefing and develop an incident action plan based upon that hypothetical incident.

Then we get into module seven which is focused on training and exercise. What are the components of your training and exercise program? We do a multi-part table-top exercise.

The program concludes with program improvement and program evaluation. Really that is an opportunity for the participants to take what they learn in the course and think about what they’re going to do when they get back to their offices and back to their organizations to be able to dig in it and work to improve their program.

It’s a very good 2-day course and we’ve got some great feedback on the course. If you’re interested, let us know.

Question:
Amy Sebring: Don, in the presentation, you talked about a new section on management and involving management. I’m interested in learning a little bit more. I know in the past there’s been basically a recommendation to have a management committee. What approaches are you taking in the new version?

Don Schmidt: Within the prior editions of NFPA 1600 we’ve always had requirements for program administration really defining policies, goals and objectives and so forth. But what we did is add in a new section called "Leadership and Commitment". I go back to leadership, and commitment from senior management, really makes or breaks your program. What we do is define it here as the responsibility of senior management to get involved with policies, the plans, the procedures, to provide the resources necessary to support the program.

Also management needs to be involved with the periodic evaluation and review. Not that they’re going to go through and do that, but they need to support that. They need to make sure that the program is being evaluated, that the program is being properly supported. Because without that leadership and commitment, the program may not meet the organization’s needs.

But also in chapter 4 under program management, we’ve always had requirements for what we’ve called in the past "advisory committee", we’re going to call it "program committee" in the 2010 edition, but that program committee really pulls together the experts within the organization, the people who really know your organization and the people who are going to help you put together that program. It’s a lot of different people. Those of you who’ve been involved with helping with business continuity plans, you need to reach out to all of your managers within the organization.

When we go to emergency response, we have a lot of different players—security, human resources, facilities, engineering, HR—so a lot of players need to come together and be a part of your committee. Then we need to appoint a program coordinator, someone who is vested with authority to develop the program but also held accountable to make sure that program meets the entity’s needs.

We’ve expanded on the performance objectives section. We’ve always had that section there, but we’ve kind of built that out so that the organization can look at, what do we want to accomplish? There are a lot of options here. To what degree do you want to build out your program? You’ve got to meet the regulatory or minimum requirements, but what are the objectives for your program? I think that’s an important part of chapter 4.

In addition to chapter 4, I’ve brought in an expanded section on finance administration, recognizing that certainly money makes or breaks the program. Particularly when an organization suffers or is involved in a major incident, that the finance administration is important to make sure that we’re able to implement various strategies for business continuity, recovery efforts, financial resolution of the incident and so forth. We’ve expanded that section as well.

In the past we have addressed records management with maybe one sentence, I believe. Within the 2010 edition, we built out a new section called "Records Management" with a little bit more detail in terms of records management, retention, storage, archiving and so forth. That was a suggestion from some of the people with the Management System Standards.

Question:
Bob Fletcher: As a member of the NFPA 1600 TC (Technical Committee), EMAP TC and an ASTM TC, I have watched the NFPA 1600 evolve first hand. I am often asked by my contemporaries if NFPA 1600 is still interested in having the standard apply equally to the public and private sector, i.e. an "entity?" I know that it was at one time an objective of the NFPA 1600 TC. Do you support that objective?

Don Schmidt: I’ve been on the committee since the early 1990’s and the document has always applied to the public sector, private sector, not-for-profits. In the latest edition we identify it applies to NGO’s. It applies to all organizations. It’s a voluntary standard, so its use is subject to the entity’s choice. It’s challenging to write a document that applies to public sector and private sector both, to big and small and medium size organizations, so it’s always a challenge in terms of scripting the language.

If we look back historically when the document was first published in 1995, we thought the private sector would really embrace the document. We did get a lot of feedback. In fact, we surveyed to see who was using the document and really we got more feedback from the public sector. Then 1600 was used by EMAP in the accreditation of public sector emergency management programs and we saw a lot of interest.

I remember meeting with certain state directors who began embracing the document. Mike Austin from Arizona was a name that comes to mind. So the use of 1600 really expanded at the public sector. It was following 9/11 and the 9/11 Commission’s attempt to identify a way and a standard that could promote private sector preparedness that at that point in time we started seeing the momentum for private sector used of 1600.

History shows it is used both public and private. We have not changed the scope and I think we continue to write the document so it applies to both. Those who choose to use it, that’s great; those who choose to use other standards, that’s fine, too.

Question:
Lewis W. Broome: Is the plan to have NFPA 1600 be a one size fits all for both business and local governments?

Don Schmidt: Clearly, there’s a challenge for small business in trying to follow any standard because small businesses have limited resources, limited expertise, and certainly it’s a challenge in today’s economic environment. But 1600 is designed to be a document that can be scalable. I think if you have a small business it would be an effort that would go into developing an emergency management business continuity program based upon NFPA 1600, it would not be as great a challenge as it would be for a Fortune 500 company or a state government, for an example. But it is designed to be a document that applies to all.

Because it’s voluntary, you can use the standard to build out your program as you have resources, as you have the ability to do so. I see no push for any sort of mandate in terms of the use of NFPA 1600. With the Public Law 11053, it is a voluntary program. The folks at DHS emphasize it’s voluntary. Some have maybe speculated that this is some kind of back-door effort, this Public Law 11053, is some sort of a back-door effort at regulation. I don’t see that. I have not seen anything that would indicate that that’s the case. If you’re small business, look at 1600 and look at your program. Do the best that you can do.

Question:
Brit Weber: You stated you added a new section - the self-evaluation tool. Does it evaluate against all sections/contents of the Standard?

Don Schmidt: It is designed to be a self-evaluation took, a checklist, that would identify all the elements within NFPA 1600 2010 Edition. It would be a tool that you can use to self-evaluate your program.

The challenge here is the level of detail. Having put together a lot of evaluation or audit tools over the years, there could be a lot of questions, there could be a lot of detail and it could be customized depending on the industry or if its public sector, state, county or local government. What we’re intending to prepare is a fairly high-level self-evaluation checklist that covers all the texted elements within the NFPA 1600 2010. End-users will have to apply it to their own organizations and that may require them to prepare additional questions that are specific to their organization.

Question:
Charles Hout: Would it be possible to bring an instructor to Alaska for the 2-day NFPA 1600 course?

Don Schmidt: NFPA offers their 2-day courses around the world, so the answer to that question would be yes.

Question:
Arnie Barajas: Do you have a course such as the private sector course that is designed for higher education college/university emergency preparedness?

Don Schmidt: I know of the hundreds and hundreds of people who have attended a course, at least of the ones I have instructed, and we’ve had many representatives from higher education. Given some of the tragedies, Virginia Tech and Northern Illinois University, there’s been a lot of work done within colleges and universities to enhance the Emergency Management and Business Continuity programs and we’ve seen a lot of participants from colleges and universities.

We have not customized for colleges and universities, but certainly that could be done. We’ve seen a lot of interest there. We’re also aware that there is effort on part of NACUBO [National Association of College and University Business Officers]. I saw a press release last year. They are looking to develop standards. I know that EMAP also does some work with colleges and universities, although I don’t know the details. We can customize training for higher education, but I think the basic program that we have right now has been very well-received by those folks that have attended from colleges and universities.

I’m on a working group that is attempting to write a standard guide for school emergency preparedness in conjunction with the U.S. Department of Education’s Office of Safe and Drug-Free Schools. The project has been a bit challenging. Trying to educate educators on national standards, which is something that they’re not as familiar with, (the ASTM world or the NFPA world, or whatever) but we’ve got some really good support and there’s a lot of great interest. Clearly there’s a need there. It’s just a bit of a challenge, particularly in the public schools because it’s a challenge for resources. It’s kind of a challenge that we all face, but particularly in the public schools where the budgets are under pressure. It’s something they know they have to do and they’re just trying to do a lot of different things including this.

What we did in the outline of some of the chapters we put together, is we were using NFPA 1600 as the basis for that standard guide so that we get the essential elements of the program and then customize it for a K-12 environment. The focus of that ASTM working group is kindergarten through grade 12. It is not focused on higher education. There has been some talk that maybe that would be a project down the road, but it’s just talk at this point in time.

Question:
Xavier Criel: This is a question regarding the global reach of NFPA1600. How does it consider other standards for BCM such as the BS25999, which is in use in Europe?

Don Schmidt: We have found that NFPA 1600 has been embraced in many countries around the world, clearly here in North America. Z1600 in Canada is actually copyrighted by NFPA. It is a derivative entity of NFPA 1600. We’ve seen a lot of support in Mexico and Latin America. I know the Dean Larson from the committee has garnered a lot of frequent-flyer miles going through Argentina and other countries. We’ve seen a lot of support in Latin America and South America.

I’ve traveled into Europe, clearly the standards there--the BS25999 standard, a great standard, a lot of detail, much more detail in terms of business continuity, not as much in the emergency management area, but a great standard. End-users should look to all the available standards, whether that is the BS25999, the ISO22399, NFPA 1600, and look through that. You’re going to see a lot of common elements, terminology will vary; the degree of detail will vary from standards. But look in all of them and use all of them to build your program or evaluate your program. They all get their plusses and their minuses, but you can pick the best of all the standards.

Question:
Marvine Hamner: Will NFPA1600 (2010) address integration of emergency management/business continuity into normal, routine business operations or will emphasis still be on maintaining EM/BC as a separate area/function?

Don Schmidt: The way that we’ve written the NFPA1600 is that it’s an integrated program, that the pieces all have to fit together. We can find the essential elements of the program, we identify how those pieces are fit together, but it should be an integrated program.

My experience has been in a lot of organizations there are different people involved, they work in many cases, maybe too often, they work independently in their own silos. Whether that’s emergency response, we may have security working over here, we’ve got HR over there dealing with maybe medical response, we’ve got facilities or engineering doing something, business continuity is another process done by another group.

But if you look at 1600 in the process flow, it begins with the program management, and that program applies to all aspects of the program. It really needs to be integrating a lot of aspects of the program, so that we understand—what does the organization need? Where is the organization growing or developing? And that applies to business continuity as well as hazards, and facilities in terms of emergency response. If you go through the elements of that NFPA1600, you’ll see that they apply both to emergency management and business continuity.

What we need to try to do is work together in our organizations, pull together those working on business continuity with those focused on emergency response and work side by side. I think there’d be a lot of great synergies, I think the program will be a better program ultimately, and if management looks at this holistically, looking at risk management, enterprise risk management, business continuity, emergency management, crisis communications and sees the benefits of pulling all these pieces together, they will have a much more powerful program.

Question:
Jim Kendig: Follow up question: Has the 1600 committee evaluated relevancy of Joint Commissions new standards?

Don Schmidt: I have very limited familiarity with the Joint Commissions’ requirements. We do have representatives on the technical committee, David Hood and Pete Brewster—Pete works for the VA and David Hood is in private practice with a number of health care institutions. David is plugged in, I think he actually represents the health care section (I may be incorrect there) but certainly plugged into health care. They are the ones we look to to understand the joint commission requirements and see if there is any element we need to address in 1600.

But again, 1600 applies to all industries—health care as well as all the others out there—so we cannot be too specific in NFPA 1600.

Question:
Donna Gingera: You commented that it might be easier for a SMB (small business) than a Fortune 500 company. We often hear they (SMB) think it is over kill and too difficult because they don't have the resources to put all the elements into play. Any recommendations on how to apply it to SMBs?

Don Schmidt: Small business, first off, if we look at Title IX of Public Law 11053, within that law it directs DHS to address the needs of small businesses. I’m not sure exactly how that’s going to be done, but I know there is clearly an effort to provide information for small businesses.

We look at ready.gov and readybusiness.gov—there are a lot of resources that are available for small businesses. I know the Institute for Business and Health Safety, they publish some great materials that can be used by small businesses. I’ve identified a lot of these links on the Preparedness LLC website as a resource page. There are links to a lot of these documents. You may want to check that out.

There has been an emphasis on small business, a recognition. I still understand that, especially in this economic climate, it’s a challenge for small businesses. It really is. But small businesses also have to understand that they are most at risk because they have the least amount of resources. If something bad happens, you have a major loss to one of your facilities, maybe your only facility, you may not be able to recover. The stakes are even greater for small businesses. That’s why I hope there will be a continued outreach through the U.S. Chamber and other organizations to be able to reach out to small business and help them to understand hazards and impacts, prevention and mitigation, and business continuity, because it’s real important.

Question:
Becky Dobbs: What is the relationship (if any) between NFPA 1600 and Federal Preparedness Circular (FPC)-65?

Don Schmidt: I think it’s been updated since then and I know recently within the last month or so DHS or FEMA have published some new planning guidance. We have referenced the old FPC-65 within the annex. Clearly there has always been a little confusion, maybe a lot of confusion, between business continuity and continuity of operations.

I would always say that government is a big business; it’s just that government takes in enough money to pay its expenses and it doesn’t make a profit, whereas businesses’ goal is to make a profit. Whether it is ‘business continuity’ or ‘continuity of operations’, a lot of it is the same. Clearly the mission of a public sector organization is to be able to service the constituents within that jurisdiction instead of making a profit, but there are a lot of parallels. I think that 1600 complements the FPC-65 and some of the newer documents that have been published since FPC-65.

Comment:
Justin Solobay: Federal Continuity DIRECTIVES 1 and 2 are the latest guidance. FCD 3 is a recommended template to satisfy the requirement and will be out within the year.

Question:
Michael J. Dube: I understand that NFPA 1600 is a voluntary compliance standard. However as an emergency responder for the last 20 years I have found that the most difficult concept for the private sector is for Unified Command. Could this not be considered a minimum mandatory requirement under the standard?

Don Schmidt: We don’t get into very specific detail about implementation of the incident management system. We stay generic. We specify using the incident management and train in that and so forth, and there are some other details under that part of 1600.

However if we go back to program management, we talked about having a program committee, we talked about having the internal participants and we also talked about soliciting external participation. That’s going to be fire and law enforcement, hazmat, public health, public works, a lot of external public agencies. That is an opportune time where you can work to develop plans or the public sector can review your plans, and critique those plans, where you can coordinate response. A big part of that coordination is taking a look at where command posts are going to be set up, how you’re going to implement unified command.

It’s a great opportunity for the private sector to educate the public agencies in their jurisdiction about hazards of their facility, how public agencies should respond, where to and so forth. It really begins with that program management to get connected to the public sector agencies in your jurisdiction.

As you get into exercises, invite them in. I’ve done a lot of exercises within the private sector. We brought in public sector participants—it’s been great. We see relationships being built. People put a name to a face and people begin to develop a relationship that can bear great fruit if there’s an incident and the public sector and private sector need to work together to manage that incident.

Question:
Amy Sebring: There is a hazard analysis section in the NFPA 1600, is there not? And that would be another area where it would behoove the private sector to coordinate and cooperate with the public sector on finding those risks, right?

Don Schmidt: Absolutely. There are certain parts of the risk assessment where you’re going to look within your own facility to identify the various hazards and understand vulnerabilities and determine the potential impacts. There are a lot of natural hazards; flood exposure, hurricane exposure, earthquake exposure. We take a look at pandemic planning, for example. There are a lot of hazards where the private sector organization needs to reach out to the public sector for input. That’s another opportunity to work together to build out the program so if you ever have to respond you have a relationship and you’ve got good information as the foundation of your program.

Comment:
Brit Weber: There are organizations (such as ours) out there that promote NFPA1600 be the Standard for both government and business to work from as a collaborative tool. Can it be done? Yes, some are already doing it at various levels of implementation.

Don Schmidt: I’m very pleased to hear that statement. The NFPA is a great document. Literally hundreds if not thousands of people have contributed to this document over the last 17 years, a long period of time. It has been used throughout North America, South America, around the world, public sector, private sector, and it gets people focused on what are the right things to do, the quality of the program, what are the essential elements.

I love where I see public sector and private sector both using the same standard, because if they’re using the same standard they’re going to be approaching this from a common ground. That’s real important because we see a lot of different people looking at this from different angles. If everybody can use some common standard, NFPA 1600, to develop their program, to evaluate their program to enhance their program, then it’s all good. We can hopefully reach that goal of being properly prepared to deal with the hazards that are out there.

[Closing]

Amy Sebring: That’s a great note to end on Don. Time to wrap for today. Thank you very much Don for an excellent job. We wish you continued success in your role with NFPA and all your endeavors. Would it be all right to publish your email in the transcript?

Don Schmidt: Absolutely. [DLS@PreparednessLLC.com] I want to thank everybody out there. And again, I encourage you to review the ROP draft and favor us with your comments because it is the comments from people like you that the committee can use to make the document stronger. Thank you very much in advance.

Amy Sebring: Please stand by just a moment while we make a couple of quick announcements...

Again, the recording should be available later today and the transcript on Friday. If you are not on our mailing list and would like to get notices of future sessions and availability of transcripts, just go to our home page to Subscribe.

Don't forget to vote in our poll, and PLEASE take a moment to do the rating/review! I am going to load the rating/review form into Live Meeting so you can complete it on the spot. Note: We are asking you to rate the relevance of the information, and this will assist our future visitors.

Thanks to everyone for participating today. Great comments and questions. We invite you to return. We stand adjourned.