|
Highlights
|
Why the new program and how should your company respond? Understanding the need Addressing the gap Determining whether to certify Next steps after deciding to certify Reaping the benefits |
|
The Voluntary Private Sector Preparedness Accreditation and Certification Program puts a spotlight on corporate America’s business continuity efforts Nearly 85% of the critical infrastructure in the US—such as transportation, banking and utilities—is owned by the private sector. Collectively, these businesses are vulnerable to natural disasters, computer viruses/cyber attacks, terrorist attacks, and viral pandemics. Damage to this infrastructure presents a systemic threat to the US and, in particular, to the economy. For example, if the Internet stopped, US retailers could lose $450 million a day in e-commerce.1 If an influenza outbreak occurred, New York state’s losses alone are estimated to be $49 billion.2 While many companies have disaster recovery, emergency response, and business continuity plans, the quality and consistency of them varies greatly because there are no federal cross-industry guidelines in place. As an issue of national security, the Act introduced a new nationwide program so that all companies would have a sound level of catastrophic event preparedness in their organizations. Under the Act, Title IX - Private Sector Preparedness, was created.3 At least 25% of businesses do not reopen after a major disaster.8 Having a plan in place that will reduce the impact of a disaster can protect assets, employees, and help a business successfully recover and reopen. The private sector preparedness program4 The Act created a voluntary program whereby private sector organizations may choose to formally certify their business continuity and resilience management plans. DHS is responsible for designating the processes, standards, and related protocols each company can use for its certification, and will be promoting the business case to motivate companies to certify. Many existing industry-based standards are being considered for the federally-sponsored program.5 DHS is also closely working with the private sector in developing the program to ensure it meets their needs and strengthens domestic security while creating business value. According to R. David Paulison, chairman of the Private Sector Preparedness Council, “The success of this voluntary program will only come from a true public-private partnership to ensure that every step in the process meets the needs of private sector organizations. By providing common criteria for business preparedness, we will help strengthen our nation’s economic resilience for all hazards.”6 The three types of certification levels It is highly likely, though not determined
DHS has designated the ANSI-ASQ National Accreditation Board (ANAB) to oversee the certification process. ANAB will also be responsible for accrediting those third parties who wish to provide certification services. Learning more about the program and your company’s current efforts Several trade associations and academic organizations are actively monitoring the implementation of the program.7 They will provide up-to-date information and additional points of view on the status of the program and its related certification provisions. PwC is also closely monitoring the program’s progress and refining our Point Of View as it relates to business continuity, operational resilience, and risk management to assist our clients in fully understanding the status of their company’s preparedness plans and help them gain perspective regarding the program. 1 “Dealing With Disasters At Home and Far Away” by Zosia Bielski, National Post, June 21, 2008. |
|
A crucial opportunity to enhance your organization today while safeguarding it for tomorrow Today’s heightened risk environment makes business continuity a critical issue. We believe that strengthening the preparedness of the company will improve its long-term viability, reputation, and financial success. Becoming “certification ready” Becoming “certification ready” begins with an assessment of the company’s existing crisis management, business continuity, disaster recovery, and emergency response plans. A gap analysis should be performed using existing standards, such as those being reviewed for adoption by the Act, with the goal of preparing responses that will cover a spectrum of different disaster scenarios. Next, identify the key actions that need to be taken, assign responsibility, and establish deadlines for remediation of any identified gaps. This preparation will put the company in an excellent position for formal certification once the process has been established. Potential benefits of becoming “certification ready” include:
After becoming “certification ready,” the company can determine the level of certification most appropriate to its needs. The higher the level of certification, the stronger demonstration of preparedness the company can show. We believe the processes, protocols, and standards ultimately designated by DHS will become recognized as the best practice in business continuity management. And that, whether or not they choose to certify, companies will look to these standards to assess their existing plans and consider ways of improving them. Whether or not a company chooses to certify, PwC believes it is in management’s best interest to review and revise its plans in order to Going public with your certification status DHS will keep a list of businesses that have become certified. Only those companies that give permission will have their names made public as being certified. We believe companies electing to disclose their certification status publicly will benefit by providing shareholders, customers, suppliers, business partners, and others insight into the preparedness of the company. This transparency will help build confidence and facilitate transactions between parties, knowing that in the event of disaster, all participants should be capable of carrying on their operations. It may even influence decision-making by investors, customers, and suppliers, including capital investment and business partnership evaluations. Also, one of the costs of not publicly certifying may ultimately be a loss of competitive advantage, as stakeholders start favoring companies that have transparent business continuity plans. Fiduciary responsibility There is always a financial risk to companies that do not have adequate preparedness plans in place. We believe board members and executive leadership have a fiduciary responsibility to have crisis management and business continuity plans that counter any reasonably foreseeable threats. By embracing the program’s standards, the board and the C-suite can more closely meet the public’s expectations of safety and possibly reduce financial risk to the company. |
|
Understanding your options and next steps Q&A Q: Why is business preparedness a strategic issue today? A: In the past decade alone, the US has faced unprecedented catastrophes such as 9/11 and Hurricane Katrina. They brought damage to critical infrastructure and the overall economy, and presented risks to national security. Today, the US government, boards of directors, and senior management see the importance of having business preparedness plans in place for such catastrophic events. Q: How does the new program strengthen business preparedness? A: The program encourages companies to strengthen their continuity planning and provides stakeholders a mechanism to evaluate a company’s crisis preparedness. It aims to develop a preparedness framework against which organizations can measure and benchmark themselves. Also, it is important to note the private sector is helping to determine the standards, processes, and protocols that will be used Q: Is certification mandatory? A: No, certification is voluntary. However, as leading companies elect to formally certify, customers, suppliers, and other stakeholders may begin to demand certification as evidence of a company’s preparedness and business resiliency. Increasing marketplace demands for transparency could also influence more companies to opt for certification. In addition, we expect DHS will be making a strong business case for companies to voluntarily comply with the program and get certified. Q: Will my company’s certification status be made public? A: Each company will decide if and when its certification status is made public. DHS will maintain a list of companies that have become certified, and only companies that have given DHS permission to disclose Q: What can companies do now to become “certification ready”? A: It starts with an internal self-assessment of current preparedness. The company can then determine the necessary steps and time frame to prepare for actual certification. The program today refers to NFPA 1600, an existing standard, but there are other private sector standards being discussed such as BS25999:2007-2, ISO/PAS 22399:2007, and the ASIS Organizational Resilience: Security, Preparedness, and Continuity Management Systems Standard. We recommend that companies benchmark their current preparedness efforts against these standards. Q: What are the benefits of participating in the certification program? A: The most significant potential benefit is enhanced stakeholder confidence in a company’s business continuity and resilience management. Over time, we believe this will translate into better stakeholder relationships and business opportunities. Other potential benefits include improved overall disaster preparedness, more resilient operational processes, enhanced risk management, lower insurance premiums, and decreased legal liability. |