Point of view: The Voluntary Private Sector Preparedness Accreditation and Certification Program

Understanding the new private sector preparedness program
  

Highlights

  1. The Act encourages organizations to establish robust business continuity and emergency management plans.
  2. The Department of Homeland Security (DHS) in cooperation with the private sector is considering current corporate processes, standards, and protocols for use in program certification.
  3. The standards adopted for the program are expected to be recognized industry-wide as the best practice in business continuity and emergency management.
  4. Companies can prepare now to become certification-ready.
  5. The Act encourages companies to voluntarily certify their business continuity and emergency management plans.
 

Why the new program and how should your company respond?

Understanding the need
Most of the infrastructure in the US is owned by the private sector, yet many companies do not have adequate emergency plans in place.

Addressing the gap
Legislation titled Implementing the Recommendations of the 9/11 Commission Act of 2007 (the Act) created a federal program to encourage companies to develop business continuity and emergency management plans for catastrophic events.

Determining whether to certify
Companies can elect to certify that they meet the standards of the voluntary program and opt to disclose their certification status publicly.

Next steps after deciding to certify
Once the decision to certify is made, the company must determine the level of certification it wants to achieve, as well as the timeline and strategy.

Reaping the benefits
Even if a company chooses not to certify, strengthening its plans can improve efficiencies, reduce liabilities, and boost stakeholder confidence.

The Voluntary Private Sector Preparedness Accreditation and Certification Program puts a spotlight on corporate America’s business continuity efforts

Nearly 85% of the critical infrastructure in the US—such as transportation, banking and utilities—is owned by the private sector. Collectively, these businesses are vulnerable to natural disasters, computer viruses/cyber attacks, terrorist attacks, and viral pandemics. Damage to this infrastructure presents a systemic threat to the US and, in particular, to the economy.

For example, if the Internet stopped, US retailers could lose $450 million a day in e-commerce.1 If an influenza outbreak occurred, New York state’s losses alone are estimated to be $49 billion.2

While many companies have disaster recovery, emergency response, and business continuity plans, their quality and consistency vary greatly because there are no federal cross-industry guidelines in place. As an issue of national security, the Act introduced a new nationwide program so that all companies would have a sound level of catastrophic event preparedness in their organizations. The Act created Title IX, Private Sector Preparedness.3

At least 25% of businesses do not reopen after a major disaster.8 Having a plan in place that will reduce the impact of a disaster can protect assets and employees and help a business successfully recover and reopen.

The private sector preparedness program4

The Act created a voluntary program whereby private sector organizations may choose to formally certify their business continuity and resilience management plans. DHS is responsible for designating the processes, standards, and related protocols each company can use for its certification, and will be promoting the business case to motivate companies to certify.

Many existing industry-based standards are being considered for the federally-sponsored program.5 DHS is also closely working with the private sector in developing the program to ensure it meets their needs and strengthens domestic security while creating business value.

According to R. David Paulison, chairman of the Private Sector Preparedness Council, “The success of this voluntary program will only come from a true public-private partnership to ensure that every step in the process meets the needs of private sector organizations. By providing common criteria for business preparedness, we will help strengthen our nation’s economic resilience for all hazards.”6

The three types of certification levels

It is highly likely, though not determined yet, that there will be three types of certification levels:

  • First-party certification—An internal self-assessment and self-declaration of certification.
  • Second-party certification—Review by one with whom there is a joint business relationship, such as a customer, supplier, or parent organization.
  • Third-party certification—Review by an accredited third-party certifier. This is the most independent and objective form of certification.

DHS has designated the ANSI-ASQ National Accreditation Board (ANAB) to oversee the certification process. ANAB will also be responsible for accrediting those third parties who wish to provide certification services.

Learning more about the program and your company’s current efforts

Several trade associations and academic organizations are actively monitoring the implementation of the program.7 They will provide up-to-date information and additional points of view on the status of the program and its related certification provisions. PwC is also closely monitoring the program’s progress and refining our point of view as it relates to business continuity, operational resilience, and risk management, to assist our clients in fully understanding the status of their company’s preparedness plans and to help them gain perspective regarding the program.

1 “Dealing With Disasters At Home and Far Away” by Zosia Bielski, National Post, June 21, 2008.
2 “Severe Pandemic Flu Outbreak Could Lead To Major Recession in New York,” Trust For America’s Health, March 22, 2007. http://healthyamericans.org.
3 Public Law 110-53, Implementing the Recommendations of the 9/11 Commission Act of 2007, Title IX, August 3, 2007.
4 Preparedness programs refer to preparedness, disaster management, emergency management, and business continuity programs.
5 Existing standards such as NFPA 1600, ISO/PAS 22399:2007, and BS 25999:2007-2 may be considered in supporting certification.
6 “DHS Selects ANSI-ASQ National Accreditation Board To Support Voluntary Private Sector Preparedness Certification Program,” DHS Press Release and Program Fact Sheet, July 30, 2008.
7 To stay abreast of current developments in the implementation of the Act, visit: www.dhs.gov, www.anab.org, www.nyu.edu/intercep, www.nfpa.org, www.asisonline.org, www.drii.org, and www.rims.org. For more information regarding standards, refer to www.iso.org.
8 “Open For Business,” The Institute for Business & Home Safety (IBHS), 2006. www.ibhs.org/docs/OpenForBusiness.pdf.

A crucial opportunity to enhance your organization today while safeguarding it for tomorrow

Today’s heightened risk environment makes business continuity a critical issue. We believe that strengthening the preparedness of the company will improve its long-term viability, reputation, and financial success.

Becoming “certification ready”

Becoming “certification ready” begins with an assessment of the company’s existing crisis management, business continuity, disaster recovery, and emergency response plans. A gap analysis should be performed using existing standards, such as those being reviewed for adoption by the Act, with the goal of preparing responses that will cover a spectrum of different disaster scenarios.

Next, identify the key actions that need to be taken, assign responsibility, and establish deadlines for remediation of any identified gaps. This preparation will put the company in an excellent position for formal certification once the process has been established.

Potential benefits of becoming “certification ready” include:

  • Increased operational efficiency—Preparing for certification can provide clarity regarding operational processes and help the company identify enhancements that will improve efficiency and risk management.
  • Reduced insurance premiums—The certification program could allow insurers to become aware of companies that have effective business continuity programs in place. This recognition may result in more favorable terms, premium pricing, and improved deductible levels.
  • Increased supply chain reliability—Business partners would be able to leverage their preparedness efforts and operational reliability with customers and partners when competing for business or meeting contractual obligations.
  • Decreased legal liability—Increased business preparedness may mitigate and prevent certain litigation risks.

After becoming “certification ready,” the company can determine the level of certification most appropriate to its needs. The higher the level of certification, the stronger the demonstration of preparedness the company can show.

We believe the processes, protocols, and standards ultimately designated by DHS will become recognized as the best practice in business continuity management, and that, whether or not they choose to certify, companies will look to these standards to assess their existing plans and consider ways of improving them.

Whether or not a company chooses to certify, PwC believes it is in management’s best interest to review and revise its plans in order to satisfy itself that it can respond to any potential crisis.

Going public with your certification status

DHS will keep a list of businesses that have become certified. Only those companies that give permission will have their names made public as being certified.

We believe companies electing to disclose their certification status publicly will benefit by providing shareholders, customers, suppliers, business partners, and others insight into the preparedness of the company. This transparency will help build confidence and facilitate transactions between parties, knowing that in the event of disaster, all participants should be capable of carrying on their operations. It may even influence decision-making by investors, customers, and suppliers, including capital investment and business partnership evaluations.

Also, one of the costs of not publicly certifying may ultimately be a loss of competitive advantage, as stakeholders start favoring companies that have transparent business continuity plans.

Fiduciary responsibility

There is always a financial risk to companies that do not have adequate preparedness plans in place. We believe board members and executive leadership have a fiduciary responsibility to have crisis management and business continuity plans that counter any reasonably foreseeable threats. By embracing the program’s standards, the board and the C-suite can more closely meet the public’s expectations of safety and possibly reduce financial risk to the company.

Understanding your options and next steps

Q&A

Q: Why is business preparedness a strategic issue today?

A: In the past decade alone, the US has faced unprecedented catastrophes such as 9/11 and Hurricane Katrina. They brought damage to critical infrastructure and the overall economy, and presented risks to national security. Today, the US government, boards of directors, and senior management see the importance of having business preparedness plans in place for such catastrophic events.

Q: How does the new program strengthen business preparedness?

A: The program encourages companies to strengthen their continuity planning and provides stakeholders a mechanism to evaluate a company’s crisis preparedness. It aims to develop a preparedness framework against which organizations can measure and benchmark themselves. Also, it is important to note the private sector is helping to determine the standards, processes, and protocols that will be used in the certification process.

Q: Is certification mandatory?

A: No, certification is voluntary. However, as leading companies elect to formally certify, customers, suppliers, and other stakeholders may begin to demand certification as evidence of a company’s preparedness and business resiliency. Increasing marketplace demands for transparency could also influence more companies to opt for certification. In addition, we expect DHS will be making a strong business case for companies to voluntarily comply with the program and get certified.

Q: Will my company’s certification status be made public?

A: Each company will decide if and when its certification status is made public. DHS will maintain a list of companies that have become certified, and only companies that have given DHS permission to disclose their certification status will be known to the public.

Q: What can companies do now to become “certification ready”?

A: It starts with an internal self-assessment of current preparedness. The company can then determine the necessary steps and time frame to prepare for actual certification. The program today refers to NFPA 1600, an existing standard, but there are other private sector standards being discussed such as BS25999:2007-2, ISO/PAS 22399:2007, and the ASIS Organizational Resilience: Security, Preparedness, and Continuity Management Systems Standard. We recommend that companies benchmark their current preparedness efforts against these standards.

Q: What are the benefits of participating in the certification program?

A: The most significant potential benefit is enhanced stakeholder confidence in a company’s business continuity and resilience management. Over time, we believe this will translate into better stakeholder relationships and business opportunities. Other potential benefits include improved overall disaster preparedness, more resilient operational processes, enhanced risk management, lower insurance premiums, and decreased legal liability.