By Jeanne Rivera,2014-05-17 22:56
9 views 0

    The Sloan Foundation

    Forum for Private Sector Preparedness Accreditation and Certification

    “Straw Man” Recommendations

    & Supporting Discussion

    DRAFT FOR COMMENT TO FORUM PARTICIPANTS Note: this “Straw Man” document was prepared by InterCEP, the International Center for Enterprise Preparedness at New York University at the request of the

    Sloan Foundation to facilitate discussion. It is not meant to be limit discussion but

    rather to provide an initial point of departure for active consideration.

Comments on this document should be directed to Matt Statler, Associate Director

    of InterCEP at . Potential electronic platforms for electronic

    collaboration are being investigated and process recommendations are welcomed.

    InterCEP staff telephone number: 212-998-2000

    November 13, 2007


    On October 23, 2007, the Alfred P. Sloan Foundation convened a group of key

    stakeholders to discuss the U.S. federal law signed on August 3, 2007, „„Implementing Recommendations of the 9/11 Commission Act of 2007‟‟ also referred to as H.R. 1 and Public Law 110-53. Title IX of the Act addresses private sector preparedness and calls

    for the creation of a private sector accreditation and certification program. While the U.S.

    Department of Homeland Security (DHS) is to take key actions in establishing this

    program, the legislation calls for wide private sector input into the programs development

    and ongoing operation.

    Sloan Forum participants (see Participant List, p. 11) discussed key attributes

    important to a voluntary private sector preparedness accreditation and certification

    program. They additionally discussed the challenges and obstacles relevant to the

    development and implementation of a preparedness certification program.

    Participants agreed that key next steps included the development of a

    recommendation to DHS (and any subsequently designated accreditation body) as to (1)

    the key attributes of a private sector preparedness accreditation & certification

    process/program and (2) the core elements private sector preparedness (including disaster

    management, emergency management and business continuity) which could form a

    framework to inform the selection of the standards that should be used in such a

    certification program. A cross-walk of selected standards was agreed as a first step in the

    process of identifying and confirming common key elements for the framework.

    Potentially, such a framework of key elements could support “freedom within a


framework,” that is a strategy which would allow the use of different preparedness

    standards in the certification program so long as they conformed with the standard.

    This document provides information in support of two basic recommendations:

    ? The one or more preparedness standards designated for use in the certification

    program should conform to the framework of core elements of private sector

    preparedness as identified in this recommendation;

    ? The design and operation of the certification program should be informed by

    the key program attributes identified in this recommendation.

    These recommendations and the supporting documentation are presented here as a

    „straw man‟ to provide Sloan Forum participants as well as other stakeholders with a

    point of reference to inform ongoing dialogue. Readers are encouraged to provide

    corrections, comments and other feedback via Matt Statler, ( by

    November 27, 2007. All feedback will inform subsequent versions of these

    recommendations. Potential electronic platforms for electronic collaboration are being

    investigated and process recommendations are welcomed.

    It is currently planned that the next iteration of this straw man will be

    completed based on comments received by November 27 from the initial core group of

    Forum participants and released to a wider vetting group by December 3, 2007. A

    physical meeting of approximately 40 stakeholders including the initial core group of

    Forum participants is planned for December 10, 2007 in New York City. It is envisioned

    that the stakeholder meeting will discuss key issues and potential recommendations on

    the Voluntary Private Sector Preparedness Certification Program using the straw man as

    starting point for discussion.


Addressing a Standard Framework of Core Elements of Private Sector


The legislation establishing the private sector preparedness accreditation and certification

    program states that

    “The term „voluntary preparedness standards‟ means a common set of criteria for

    preparedness, disaster management, emergency management, and business

    continuity programs…”

This stipulation in the legislation set the content focus for development of a potential

    framework of core elements of private sector preparedness. In considering an initial set

    of elements that could be used, InterCEP chose not to draw them from a particular

    existing standard to avoid potential bias. Rather, InterCEP looked for various consensus

    practice documents or other guidelines that might be illustrative.

With respect to the first term cited above, preparedness” is often used in a very elastic

    and general sense and in the context of the legislation “preparedness” appeared to be more generally used as an umbrella term as it is often employed in common usage.

With respect to the second and third terms, “disaster management” and “emergency

    management,” practices appeared to be reflected in the Capability Assessment for

    Readiness process that was developed by the National Emergency Management and

    FEMA to examine operational readiness and capabilities of the Federal/State

    emergency management partnership to mitigate against, prepare for, respond to, and 1recover from, emergencies and disasters. While clearly developed for public sector

    application, the organizational focus of emergency and disaster management suggest that

    these practices are similarly valid in private sector organizations.

With respect to the final term, “business continuity,” the Professional Practices jointly

    agreed upon by the Disaster Recovery Institute International (DRII) and the Business

    Continuity Institute (BCI) were identified as a valuable starting point for core elements of

    this discipline.

    Thus the straw man categories for common elements of private sector

    preparedness listed below reflect the combined elements of DRII / BCI Professional 23Practices and The Capability Assessment for Readiness (CAR). In some cases, where

     1 State Capability Assessment for Readiness (CAR), A Report to the United States Senate Committee on

    Appropriations, December 10, 1997 accessed on November 9, 2007. 2 Source for descriptions of BCI/DRII Professional Practices: accessed on October 29, 2007 3 Source for descriptions of CAR definitions of emergency management functions: accessed on November 9, 2007.


these various elements appeared to overlap, we have combined two distinct elements into

    one category but retained the two distinct definitions, indicating the source of each.

    Future revisions of this list could further consolidate, expand, or replace these elements.

     Recommendation #1: The one or more preparedness standards designated for use in the certification program should conform to the framework of core elements of private sector preparedness as identified in this recommendation.

“Straw Man” Core Elements of Private Sector Preparedness, Disaster Management,

    Emergency Management & Business Continuity Practice

    Category Definition

    Establish the need for a Business Continuity Management (BCM) 1. Project

    Process or Function, including resilience strategies, recovery Initiation

    objectives, business continuity and crisis management plans and and

    including obtaining management support and organizing and Management

    managing the formulation of the function or process either in

    collaboration with, or as a key component of, an integrated risk

    management initiative. (DRII/BCI)

    Federal, State, and local statutes and any implementing regulations 2. Laws and

    that establish legal authority for development and maintenance of Authorities

    the emergency management program and organization, and define

    the emergency powers, authorities, and responsibilities of the chief

    executive official and the emergency management coordinator.


    The process of identifying situations or conditions that have the 3. Hazard ID &

    potential of causing injury to people, damage to property, or Risk

    damage to the environment and the assessment of the likelihood, Assessment /

    vulnerability, and magnitude of incidents that could result from Risk

    exposure to hazards. (CAR) Evaluation

    Determine the events and external surroundings that can adversely

    affect the organization and its resources (facilities, technologies,

    etc.) with disruption as well as disaster, the damage such events

    can cause, and the controls needed to prevent or minimize the

    effects of potential loss. Provide cost-benefit analysis to justify

    investment in controls to mitigate risks. (DRII/BCI)


Identify the impacts resulting from disruptions and disaster 4. Business

    scenarios that can affect the organization and techniques that can Impact

    be used to quantify and qualify such impacts. Identify time-critical Analysis

    functions, their recovery priorities, and inter-dependencies so that

    recovery time objectives can be set. (DRII/BCI)

    Determine and guide the selection of possible business operating 5. Developing

    strategies for continuation of business within the recovery point Business

    objective and recovery time objective, while maintaining the Continuity

    organization‟s critical functions. (DRII/BCI) Management


    Systematic management approach to eliminate hazards that 6. Hazard

    constitute a significant threat to the jurisdiction or to reduce the Management

    effects of hazards that cannot be eliminated through a program of / Risk

    hazard mitigation.(CAR) Control

    Determine the events and external surroundings that can adversely

    affect the organization and its resources (facilities, technologies,

    etc.) with disruption as well as disaster, the damage such events

    can cause, and the controls needed to prevent or minimize the

    effects of potential loss. Provide cost-benefit analysis to justify

    investment in controls to mitigate risks. (DRII/BCI)

    Develop and implement procedures for response and stabilizing 7. Emergency

    the situation following an incident or event, including establishing Response

    and managing an Emergency Operations Center to be used as a and

    command center during the emergency. (DRII/BCI) Operations

    Systematic development of methodologies for the prompt and 8. Resource

    effective identification, acquisition, distribution, accounting, and Management

    use of personnel and major items of equipment for essential emergency functions. (CAR) The collection, analysis, and use of information, and also the 9. Planning

    development, promulgation, and maintenance of the organization‟s including

    comprehensive emergency management plan, action plans, and Developing

    mitigation plans. (CAR) and


    g Business Design, develop, and implement Business Continuity Plans that

    provide continuity within the recovery time and recovery point Continuity

    Plans objectives. (DRII/BCI) Development of the capability for the chief executive and key 10. Direction,

    officials to direct, control, and coordinate response and recovery Control and

    operations. (CAR) Coordination

    Development and maintenance of a reliable communications 11. Communicati

    capability to alert public officials and emergency response ons &

    personnel, warn the public, and effectively manage response to an Warning

    actual or impending emergency. (CAR)


Development, coordination, and implementation of operational 12. Operations

    policies, plans, and procedures for emergency management. &

    (CAR) Procedures

    Identification, location, acquisition, distribution, and accounting 13. Logistics &

    for services, resources, materials, and facilities to support Facilities

    emergency management. Logistics actions fall into one of four major categories: material management, property management, facility management, and transportation management. (CAR)

    Assessments, development, and implementation of a 14. Training /

    training/education program for public officials and emergency Awareness

    response personnel. (CAR) Programs

    Prepare a program to create and maintain corporate awareness and

    enhance the skills required to develop and implement the Business

    Continuity Management Program or process and its supporting

    activities. (DRII/BCI)

    Pre-plan and coordinate plan exercises, and evaluate and 15. Exercises,

    document plan exercise results. Develop processes to maintain the Evaluations

    currency of continuity capabilities and the plan document in & Corrective

    accordance with the organization‟s strategic direction. Verify that Actions

    the Plan will prove effective by comparison with a suitable including

    standard, and report results in a clear and concise manner. Exercising

    (DRII/BCI) and


    Business Assessment and evaluation of emergency response plans and

    capabilities through a program of regularly scheduled tests and Continuity

    Plans exercises. (CAR)

    Develop, coordinate, evaluate, and exercise plans to communicate 16. Crisis

    with internal stakeholders (employees, corporate management, Communicati

    etc.), external stakeholders (customers, shareholders, vendors, ons, Public

    suppliers, etc.) and the media (print, radio, television, Internet, Education &

    etc.). (DRII/BCI) Information

    Procedures to disseminate and respond to requests for pre-disaster,

    disaster, and post-disaster information involving employees,

    responders, the public, and the media. Also, an effective public education program regarding hazards affecting the jurisdiction.


    Development of finance and administrative procedures to support 17. Finance &

    emergency measures before, during, and after disaster events, and Administrati

    to preserve vital records. (CAR) on


    Establish applicable procedures and policies for coordinating 18. Coordination

    continuity and restoration activities with external agencies (local, with

    state, national, emergency responders, defense, etc.) while External

    ensuring compliance with applicable statutes or regulations. Agencies


Cross-Walk Comparison of Existing Standards

    In attempting to identify core elements of private sector preparedness, a cross-walk of existing preparedness standards can potentially be used to inform the process.

    The cross-walk can illustrate whether or not the chosen standards reflect the prospective

    core elements and further whether or not other elements are identified which are not

    reflected in the core elements used in the cross-walk. The following table provides a

    cross-walk comparison of how several existing preparedness standards specifically

    address the common elements / categories of practice defined above. For this draft,

    InterCEP has sought inputs from individuals connected directly to the standards

    developing organizations (SDO‟s) associated with these various standards, in an effort to

    ensure that the crosswalk is as accurate and informative as possible. Not all of these

    outreaches has been fully successful to date but they continue.

    Note that use of the subject areas of the DRII / BCI Professional Practices in conjunction with the Capability Assessment for Readiness (CAR) as an organizing

    scheme for this cross-walk does not suggest that these Practices nor CAR constitute a

    consensus-based standard for consideration in the Voluntary Private Sector Preparedness

    Accreditation & Certification Program. Rather these subject areas were used to facilitate

    the development of a straw man listing of core elements of private sector preparedness..

    Note also that the sequence of the elements is not meant to connote a particular order of

    application or level of importance.

    At the time of this release, InterCEP continues to await additional inputs as well as confirmations of existing information. On an ongoing basis, InterCEP will seek

    feedback from members of the standards organizations regarding how future versions of

    this crosswalk might be improved thus the specific elements of the crosswalk may

    continue to evolve based on appropriate stakeholder input. Furthermore, a future revision

    may include the text titles as well as the numbers of chapter / section citations.

     NFPA 1600 ASIS ISO/PAS BS 25999-1 BS 25999-2


    4 4.1.1, 4.2, 5.1, 5.2, 5.3, 4 & 5 3 Project

    4.2.1, 4.2.2, 5.4, 5.5,5.6 Initiation and

    A.1, A.2 Management

    5.2 6.2 4.3.2, A.3.2 6.2.3 & 7.9 5.2.3 Laws and


    5.3 6, 6.1, 6.2, 6.3, 4.3, 4.3.1, A.3, 6.5 4.1.2 Hazard ID &

    6.4, 6.5 A.3.1 Risk

    Assessment /




     NFPA 1600 ASIS ISO/PAS BS 25999-1 BS 25999-2


    5.3 6.6, Annex A 4.3.1, A.3, 6.2 4.1.1 Business

    A.3.1 Impact


    5.7, 5.8, 5.12 6.7 ,6.7.1, 4.3.3, A.3.3 7 4.2 Developing

    6.7.2, 6.7.3, Business

    6.7.4, 6.7.5, Continuity

    6.7.6, Annex C Management


    5.4, 5.5 6.6 4.1.3 Hazard


    / Risk Control

    5.8, 5.9, 5.10, 6.7.1, 6.7.2, 4.3.3, 4.4, 7.9 & 8.2 4.3.2 Emergency

    5.11 6.7.3, 4.4.1, 4.4.4, Response and

    6.7.4, 6.7.5, 4.4.5, 4.4.6, Operations

    6.7.6, Annex B 4.4.7, A.3.3,

    A.4, A.4.1,



    5.6 7.1 A.4.1 7 4.2 Resource


    5.8, 5.9, 5.10, 6.7, 6.7.1, 4.4, 4.4.1, 8 4.3 Planning

    5.11, 5.12 6.7.2, 6.7.3, 4.4.4, 4.4.5, including

    6.7.4, 6.7.5, 4.4.6, 4.4.7, Developing

    6.7.6, 7.1, 7.5, A.4, A.4.1, and

    7.6 A.4.6, A.4.7 Implementing




    4.1, 4.2, 5.16 8.2 4.3.2 Direction,

    Control and


    5.10 7.4 4.4.3, A.4.3 8.5 Communicati

    ons &


    5.11 8.7 4.3.3 Operations &


    5.8., 5.12 7 & 8.9 4.3.3 Logistics &


    5.13 7.2, 7.3, 4.4.2, A.4.2 10 3.2.4 & 3.3 Training /

    Annex D Awareness


    4.4, 5.14 8, 8.1, 8.2, 8.3, 4.5, 4.5.1, 9 4.4 Exercises,

    8.4, 8.5, 8.6 4.5.2, Evaluations 4.5.3, & Corrective

    4.5.4, 4.5.5, Actions

    4.6.4, A.5, including

    A.5.1, A.5.2, Exercising

    A.5.2.1, and

    A.5.2.2, A.5.4, Maintaining

    A.5.6 Business




     NFPA 1600 ASIS ISO/PAS BS 25999-1 BS 25999-2


    5.15 8.5.4 Crisis


    ons, Public

    Education &


    5.16 7.6 A.4.7 Finance &



    5.10 Introduction, 4.3.2, 4.4.3, 7.9 Coordination

    1, 6.2, A.3.2, A.4.2, with External

    7.4 A.4.3, A.4.7 Agencies



    aspects of


    National Fire ASIS International British British Responsible

    Protection International Standards Standards Standards Standards

    Association Organization Institution Institution Developing

    (NFPA) (ISO) (BSI) (BSI) Organization

    ANSI ? TBD ISO ISO ISO Relevant


    1991 Draft 2007 2006 Scheduled for Date of

    presented for release in original

    comment, November introduction

    2007; 2007 of standard


    under revision

    Revised in ? TBD ? TBD ? TBD ? TBD Cycle of

    1995, 2004, & revision

    2007 (3 5



    53 members, 9 members 46 members, 40 full 40 full Composition

    alternates and including including 12 members, members, of technical

    nonvoting representatives members from including including supporting

    members, of the private developing consultants consultants committee

    including sector and countries and users from and users from

    representatives academic a range of a range of

    of a range of organizations. public and public and

    public and private sector private sector

    private sector organizations organizations


As stated above, in populating the initial draft of this crosswalk, InterCEP reached out for

    input to representatives of the standards development organizations responsible for the

    specific standards. To the extent that these individuals identified elements that they felt


    were not reflected in the straw man common element crosswalk categories, they provided additional input.

    For ASIS and ISO/PAS, the following categories of practice were identified by connected parties: concepts of preparedness and continuity management (ASIS: Introduction, 1 Scope; ISO/PAS: 0 Introduction, 0.1 Summary); systems model (ASIS: 4 General; ISO/PAS: 4 All hazards risk management system requirements, 4.1 General requirements); preparedness prevention and mitigation programs (ASIS: 6.7.1 General,

    6.7.2 Prevention and mitigation programs; ISO/PAS: 4.3.3 Objectives, targets and program(s), A.3.3 Objectives, targets and program(s), A.4.6 Operational control, A.4.7 Incident preparedness and response); review and improvement (ASIS: 9 Management review; ISO/PAS: 4.6 Management review, 4.6.1 General, 4.6.2 Review input, 4.6.3 Review output, 4.6.4 Maintenance, 4.6.5 Continual improvement, A.6 Management review); documentation (ISO/PAS: 4.4.4 Documentation, 4.4.5 Control of documents, A.4.4 Documentation, A.4.5 Control of documents) ; control of records (ISO/PAS: 4.5.4 Control of records, A.5.5 Control of records); all hazards approach (ISO/PAS: 0.2 All hazards approach); process approach (ISO/PAS: 0.4 Process approach); compatibility (ISO/PAS: 0.5 Compatibility with other management systems, Annex B Correspondence between ISO 9001:2000, ISO 14001:2004, ISO 27001:2005 and the ASIS International Standard of Best Practices).

    For BS25999-2, the following categories of practice were identified: Documentation and Records, 3.4; Monitoring and Reviewing the BCMS, 5; Maintaining and improving the BCMS, 6.

All these comments warrant further examination in future revisions.


Report this document

For any questions or suggestions please email