Security and emergency preparedness were important issues for facility executives long before the terrorist attacks of Sept. 11, 2001. But those attacks were so unexpected and so horrific that facility executives and senior managers alike had to step back to reevaluate their security measures and preparedness plans.
The U.S. government faced the same challenge on a national scale. The National Commission on Terrorist Attacks Upon the United States, also known as the 9/11 Commission, was created in late 2002 to review how the attacks occurred, how to respond and to provide recommendations to thwart future attacks. A federal law to implement recommendations of the commission was signed Aug. 3, 2007. Among its many provisions is one with particular relevance to facility executives: Title IX of the 9/11 Commission Act calls for the development of voluntary, private-sector emergency preparedness standards (see “Emergency Preparedness Checklist”) along with the creation of a voluntary preparedness accreditation and certification program for the private sector.
The thinking was straightforward: If a certification program existed, more companies would develop a preparedness plan. “More than 70 percent of the country’s infrastructure is in private sector hands, so if it’s not ready, there’s not much the government can do about it,” says Carol Fox, a senior director of risk management and business continuity planning at Convergys Corp. and a former board member of the Risk and Insurance Management Society (RIMS). “And if the program does what it’s intended to do — make the U.S. economy stronger and companies and organizations more prepared for what might come up — it’s absolutely a good thing.”
Today, developing preparedness standards and an accreditation and certification program is a work in progress: started but far from finished. A handful of organizations and associations, including the Alfred P. Sloan Foundation, have convened roundtables and forums to discuss the matter. While there have been some discussions about which existing guidelines and standards might be helpful in the formation of final preparedness standards, no formal consensus has been reached. It’s also unclear when any final standards will be issued, and when specific details regarding an accreditation and certification program will be released. Meanwhile, some in the private sector question the need for a certification program.
Although the program is being developed by the Department of Homeland Security, the law says that the private sector should be consulted regarding its development and day-to-day operations.
The issue of who will do it, how and whether they’re credible hasn’t been worked out yet, says Marc Siegel, a security management system consultant for ASIS International and an adjunct professor in the College of Business Administration and Master’s Program in Homeland Security at San Diego State University. “DHS is supposed to come up with a formula, which it hasn’t. It has only decided that it won’t designate a single way to do it,” he says.
Indeed, contributors to the Sloan Foundation’s “Framework for Voluntary Preparedness” report that was issued in January recommended that the private sector have the necessary flexibility to hand pick from an array of guidelines, standards and best practices “that best meet their needs for preparedness” because no two businesses are precisely the same. The report also noted that those in the private sector that already have fully developed preparedness plans should be recognized under the certification program, and that regulated industries not be forced to develop a duplicate plan of one that’s already in place.
In the Sloan report, ASIS International, the National Fire Protection Association (NFPA), RIMS and the Disaster Recovery Institute International (DRII) evaluated specific standards and guidelines from seven organizations, including NFPA and ASIS, noting their common elements and the issues addressed by those common elements.
“We’re calling for flexibility within a framework, which means you can use the ISO plan, the NFPA plan or another plan, just so it has the core components of a preparedness plan,” says Bruce Blythe, a contributor to the report and chief executive of Crisis Management International Inc., an Atlanta company that offers strategic crisis management planning and consulting.
Members of the Real Estate Roundtable, an organization of top executives from public and privately owned real estate entities, support the purpose of Title IX, but flexibility is paramount, says Roger Platt, senior vice president and counsel of the Roundtable. Real estate is so diverse that the Roundtable doesn’t want a single standard that all organizations must meet. What’s more, many of the roundtable’s members already have preparedness plans in place, he added.
“The issue of preparedness isn’t academic to our members. It’s the number one issue,” he says, noting that some members, such as Marriott International Inc., had property destroyed during the 9/11 attacks. “I think our members can see the value in improving preparedness for their tenants and medium and small businesses.”
The NFPA standard that’s cited in the Sloan report is the 2007 edition of NFPA 1600, a 57-page document that establishes a set of criteria for disaster/emergency management and business continuity programs. The 9/11 Commission cited NFPA 1600 in the section of its report regarding a standard for private preparedness. And it was cited in American National Standards Institute (ANSI) workshops, which also evaluated existing standards to determine how helpful they might be in the development of preparedness standards and an accreditation and certification program.
The contributors to the Sloan report used NFPA 1600 as the baseline document in its work, says Donald Schmidt, chief executive of Preparedness LLC, chairman of the NFPA technical committee on emergency management and business continuity and a contributor to the document. “About 90 percent of NFPA 1600 is the basic core elements of any preparedness program,” he says.
But NFPA 1600 isn’t the only document drawing attention. For example, Real Estate Roundtable members have been among those involved in developing the ASIS Business Continuity Guideline and the ASIS General Security Risk Assessment Guideline. The organization has noted that Title IX leaves the door open to the use of standards like the ones developed by ASIS.
The International Center for Enterprise Preparedness at New York University, also a Sloan report contributor, is acting as a clearinghouse of sorts for documents, papers and research regarding preparedness. The center was founded in October 2004 with Department of Homeland Security funding and a focus on private sector preparedness and business continuity. The center envisions any certification program using a performance-based standard instead of a prescriptive standard, says William Raisch, the center’s founding director and an adviser to the 9/11 commission.
“A prescriptive standard causes concern among corporations who say they don’t need anything that they can’t work with,” Raisch says. “A performance-based standard addresses the concern about certification being onerous.”
Still, not everyone views voluntary preparedness standards and a voluntary preparedness accreditation and certification program as necessary. Many companies have long recognized the need to address preparedness and have been doing so for some time, says Zachary Lowe, vice president and chief security officer for Waste Management Inc., adding that those companies that hadn’t thought about preparedness certainly did following Hurricanes Katrina and Rita. After Katrina, which produced widespread destruction on the southern coastline in August 2005, many companies couldn’t get water or transportation to their facilities that were affected by the storm, he says.
“A number of natural disasters have moved preparedness along as much as any government agency,” Lowe says. “The storms showed that widespread incapacity is something you truly have to address, as well as the fact that your suppliers may not be there for you.”
ASIS consultant Siegel says Title IX is “completely unnecessary” because so many standards and guidelines already exist for business continuity and preparedness, even though they might not be referred to in that manner. “That’s the core problem with Title IX — it didn’t take into account the activity that was already underway,” he says.
Siegel says he is also concerned about companies selecting a standard or guideline to follow and then discovering two years down the road that an international standard exists and must be adopted for the company to conduct business internationally.
Lowe says he isn’t convinced that having the federal government’s involvement will lead to improvements in Waste Management’s existing program. “We’re already doing what we think is appropriate,” he says. “We don’t need another government agency to provide oversight. And the fact that we’re talking about creating another entity that will certify what we’re already doing seems a little much.”
The fact that the government is involved will automatically raise questions as to whether Title IX is a quasi-regulatory program, regulation through the back door or voluntary, says Siegel.
Raisch, however, sees the federal government as a catalyst in the process. “But it’s critical for the private sector to become involved in the design if it’s to have an effect,” he says.
In addition to being voluntary, Title IX doesn’t include what for many organizations could be a key driver: financial incentives. The legislation doesn’t include any tax breaks or tax credits and that may be enough for some organizations, particularly small- and mid-sized businesses, to ignore it because they are already stretched thin on financial and human resources.
The Sloan report notes that businesses with annual revenues of less than $100 million face “a significant cost-benefit challenge” if they have to spend money to be certified or be in compliance with a standard. The section was included in the report in large part because DRII insisted upon it, says Al Berman, the institute’s executive director. The standards and accreditation may be voluntary, but the marketplace will ultimately pressure companies to conform because businesses that don’t become certified risk losing their customers to businesses that do, he says.
“I’m a realist. I’ve been in the private sector for a long time,” Berman says. “You have to be realistic about what’s doable and what’s not doable.”
Lowe agrees, noting that once voluntary standards and accreditation programs are in place, they quickly become a requirement because companies won’t do business with other companies that aren’t accredited, and that affects an organization’s entire supply chain. Some small companies will face a “huge burden” to make necessary preparedness investments, Lowe says. “And I’m not seeing any financial incentives for those smaller companies,” he added.
The 9/11 Commission report encouraged insurance companies and credit-rating agencies, whose ratings play a role in determining how much it costs to borrow money, to take a company’s compliance into account when determining insurability and creditworthiness. How exactly this may play out remains to be seen. Blythe says that any standards and accreditation program may ultimately have financial and legal implications. “So it is voluntary but on the other hand, you need to be as good as certified,” he says.
Homeland Security Department Pushes for Emergency Preparedness Certification Program
