This is not the document you are looking for? Use the search form below to find more!
BUSINESS CRISIS AND CONTINUITY MANAGEMENT
0.00 (0 votes)
Document Description
This chapter is focused on the private sector organizations (businesses) that support the economy at the individual, family, community, local, state and national levels. However, even with this
focus, the framework and principles of for profit business crisis and continuity management (BCCM) are applicable to all organizations, be they private, public or not-for-profit.
Organizations exist to provide products and/or services to their customers and should strive to maintain and/restore this capability, even in the face of highly disruptive events. Regardless of the terminology chosen as the title for organizational continuity, crisis and continuity management or continuity of operations, continuity is a strategic responsibility and function for all organizations if they are to survive and prosper.
File Details- Added: October, 08th 2010
- Reads: 209
- Downloads: 0
- File size: 136.47kb
- Pages: 18
- content preview
- Name: kenjirou
Embed Code:
Related Documents
THE COMPETENCIES REQUIRED FOR EXECUTIVE LEVEL BUSINESS CRISIS AND CONTINUITY MANAGERS
by: samanta, 118 pagesThe reality of business (the word business is used as a generic term in this research study to describe any organization, be it private, public or not-for-profit, that provides a product or service ...
Simplifying the Implementation of Identity and Access Management
by: hclisd, 2 pagesIdentity and access management (IAM) technology have become an integral part of security tools, and most enterprises are realizing the value of the same. IAM is fundamentally involved with the ...
Protect Vulnerable Information with Effective Identity and Access Management
by: hclisd, 2 pagesFrom enabling employees to access the internal resources that are needed to accomplish business objectives, through companies outsourcing functionality and hardware to consumers seeking to bank, ...
Changes in The Role of Production and Operations Management in the New Economy
by: samanta, 11 pagesThe paper analyses how the area of production and operations management (POM) in Brazil should change/adapt in order to remain relevant in the so called "new economy". Drawing from insights ...
Business Analysis and Valuation Using Financial Statements Palepu 4th Edition Solutions Manual
by: gordonbarbier, 51 pagesBusiness Analysis and Valuation Using Financial Statements Palepu 4th Edition Solutions Manual
Business Analysis and Valuation Using Financial Statements Palepu 4th Edition Solutions Manual
by: georgesheslers, 51 pagesBusiness Analysis and Valuation Using Financial Statements Palepu 4th Edition Solutions Manual
Investment Analysis and Portfolio Management Reilly 9th Edition Solutions Manual
by: georgesheslers, 48 pagesInvestment Analysis and Portfolio Management Reilly 9th Edition Solutions Manual
Investment Analysis and Portfolio Management Reilly 9th Edition Solutions Manual
by: georgesheslers, 48 pagesInvestment Analysis and Portfolio Management Reilly 9th Edition Solutions Manual
Oracle Billing and Revenue Management (BRM) consulting and development
by: sophe, 1 pagesOracle Billing and Revenue Management (BRM) consulting and development
Content Preview
BUSINESS CRISIS AND CONTINUITY MANAGEMENT
Gregory L. Shaw, D.Sc., CBCP
Senior Research Scientist
The George Washington University
Institute for Crisis, Disaster, and Risk Management
This chapter is focused on the private sector organizations (businesses) that support the economy
at the individual, family, community, local, state and national levels. However, even with this
focus, the framework and principles of for profit business crisis and continuity management
(BCCM) are applicable to all organizations, be they private, public or not-for-profit.
Organizations exist to provide products and/or services to their customers and should strive to
maintain and/restore this capability, even in the face of highly disruptive events. Regardless of
the terminology chosen as the title for organizational continuity, crisis and continuity
management or continuity of operations, continuity is a strategic responsibility and function for
all organizations if they are to survive and prosper.
Central to the development and maintenance of a comprehensive organizational continuity
program is an understanding of the myriad functions supporting continuity and their
interdependencies. Recent efforts to develop a national standard as contained in the NFPA 1600
Standard on Disaster/Emergency Management and Business Continuity Programs, 2004 Edition,
is a starting point, but falls short of the detail necessary to prescribe true standards.
As an alternate to the NFPA 1600 program description, a visual framework of BCCM, with
definitions is presented and explained as the foundation of an enterprise wide program of
BCCM. The framework was developed to be simple enough to be understandable at all levels of
an organization, yet complete enough to support the case for functional integration and
management to multiple stakeholders including boards of directors, executive level managers,
stock owners, and customers. The framework supporting function of risk management and its
sub-functions is explained to demonstrate the applicability and benefit of the business specific
functions of business area analysis and business impact analysis to any organization.
Introduction
“Business” is not just the purview of the private sector. All organizations, be they private
sector, public sector or not-for-profit provide products and/or services to their customers. Along
with the delivery of products and/or services, all organizations also share the possibility of
disruptive events that have impacts ranging from mere inconvenience and short-lived disruption
of operations to the very failure of their ability to deliver their products and/or services which are
the very nature of their business. Accordingly, organizational functions supporting business
disruption prevention, preparedness, response and recovery such as risk management,
contingency planning, crisis management, emergency response, and business resumption and
recovery are established and resourced based upon the organization’s perception of its relevant
environments and the risks within those environments.
Individually, these functions can contribute to the protection of an organization and its
business line. However, efficiency and effectiveness demand their integration and coordination
into a comprehensive program of business crisis and continuity management. A logical starting
point for accomplishing this integration is a visual framework and explanation that identifies the
business crisis and continuity management supporting functions and their relationship to one
another. Such a framework and its explanation are presented in this chapter. The framework, as
presented, may appear quite different from the widely recognized Federal Emergency
Management Agency model for Comprehensive Emergency Management which includes the
phases of mitigation, preparedness, response and recovery, but the underlying philosophy and
approach of both are actually quite similar and complementary.
The Term Business Crisis and Continuity Management (BCCM)
Because of the many inconsistencies in terminology found in the contemporary literature
of the business community the hybrid term business crisis and continuity management has been
coined and introduced as a title for an organization wide strategic program and process. It is
necessary to include a brief discussion of the creation and choice of this term since much of the
current literature and business practices use the individual titles crisis management or business
continuity management separately and often interchangeably as an umbrella term for the multiple
functions and processes supporting the mitigation of and response to business disruption.
2
United States based organizations such as Disaster Research Institute International (DRII
2004), ASIS International (ASIS 2004), and the Association of Contingency Planners (ACP
2004) use the terms Business Continuity Management or Business Continuity Planning as their
umbrella for multiple functions and processes including crisis management. The United
Kingdom based Business Continuity Institute also employs the term Business Continuity
Management as its overall program title. However, noted experts such as Ian Mitroff (Mitroff
and Pauchant 1992, Mitroff 2001) and Stephen Fink (Fink 1986) emphasize crisis management
as the unifying structure and term for strategic business protection, response and recovery and
include business continuity as one of many supporting functions.
Despite the difference in terminology, there is little debate in the business continuity and
crisis management literature that crisis management, business continuity management, and their
supporting functions need to be thoroughly integrated in support of overall business
management. Business Continuity Management: Good Practices Guidelines explains the
inconsistency in terminology by stating “Crisis Management and BCM [Business Continuity
Management] are not seen as mutually exclusive albeit that they can of necessity stand alone
based on the type of event. It is fully recognized that they are two elements in an overall
business continuity process and frequently one is not found without the other.” (Smith 2002)
Thus, in an attempt to emphasize the inter relatedness and equal importance of crisis
management and business continuity management, Business Crisis and Continuity Management
has been chosen as the umbrella term and is defined as:
Business Crisis and Continuity Management – “The business management practices that
provide the focus and guidance for the decisions and actions necessary for a business to
prevent, prepare for, respond to, resume, recover, restore and transition from a
disruptive (crisis) event in a manner consistent with its strategic objectives (Shaw and
Harrald 2004).”
3
The Evolution of BCCM
Business Crisis and Continuity Management, as a recognized business program, has
evolved over the past twenty plus years from a technology centric disaster recovery function
dealing almost exclusively with data protection and recovery to a much wider holistic and
enterprise wide supporting focus (Wheatman, Scott and Witty 2001). Despite some strides to
evolve BCCM into a profession including a widely accepted common body of knowledge and
terminology, standards of performance, and certification process, progress has been slow and is
hampered by the fact that BCCM, though generally recognized as a strategic function, remains a
discretionary program for all but the most highly regulated business sectors such as the financial
sector and healthcare sector. Even within these regulated sectors, standards of performance for
all BCCM supporting functions may not be recognized and specified in sufficient detail to insure
a truly comprehensive and integrated program.
As Ian Mitroff concludes from his extensive research in the area of business crisis
management (his umbrella term for an integrated BCCM program), most businesses do not have
an adequate crisis management program, supported by corporate culture, individual and
organizational level expertise, infrastructure and plans and procedures to fully understand,
prepare for, and manage the crises they may face (Mitroff 1992). Mitroff has since updated his
conclusions in the 2001 book, Managing Crises Before they Happen where he states that “The
vast majority of organizations and institutions have not been designed to anticipate crises or to
manage them effectively once they have occurred. Neither the mechanics nor the basic skills are
in place for effective CM. (Mitroff 2001)” Mitroff’s conclusions are further supported by the
results of the 2001 Business Continuity Readiness Survey, jointly conducted by Gartner, Inc.
Executive Programs and the Society for Information Management that found “Less than 25
4
percent of Global 2000 enterprises have invested in comprehensive business continuity planning.
(Gartner 2002)”
This trend in BCCM acceptance is changing, however. The reality of business is that
increasing and dynamic natural, technological and human induced threats, business complexity,
government regulation, corporate governance requirements, and media and public scrutiny
demand a comprehensive and integrated approach to business crisis and continuity management.
Classic natural, technological and human induced events such as Hurricane Andrew (1992), the
Northridge Earthquake (1994), the Exxon Valdez oil spill (1989), the Bhopal chemical release
(1984), the World Trade Center attack of 1993, and the Tylenol poisoning case (1982) have
provided lessons learned that emphasize each of these factors and the need for coordination and
cooperation within and between organizations, and between all levels of government, the private
and not-for-profit sectors.
These lessons have not been lost by many businesses that have reached the conclusion
that integrated BCCM should be viewed as an investment rather than an additional cost that
detracts from profits and have implemented their vision of comprehensive programs. The United
States Business Roundtable, an association of business chief executive officers of leading
corporations with the stated objective of improving public policy, explicitly recognizes the role
of the Board of Directors and Management in the area of corporate governance in general,
including specific business crisis and continuity management responsibilities. The Roundtable’s
white paper Principles of Corporate Governance charges the Board of Directors to periodically
review management’s plans for business resiliency and designate management level
responsibility for business resiliency. Within the scope of business resiliency various functions
are specifically mentioned and include business risk assessment and management, business
5
continuity, physical and cyber security, and emergency communications (The Business
Roundtable 2002). However, lacking recognized standards and incentives, many businesses still
consider BCCM as a burdensome cost that receives minimal and even no support.
The tragic events of September 11th, 2001 and the implications for businesses directly
and indirectly impacted by the events have further reinforced the need for enterprise wide
coordination of the multiple functions supporting business crisis and continuity management.
Studies following the attacks of September 11th, 2001, such as the 9/11 Commission study and
report have engaged the United States government, at all levels, in the process of recognizing the
responsibilities of the private sector and encouraging the private sector to take adequate steps to
protect people, property and business operations. Further steps, including mandated standards,
may well follow beyond the current level of encouragement and voluntary compliance.
With roughly 80% of America’s critical infrastructure managed by the private sector (The
Conference Board 2003), The National Strategy for the Physical Protection of Critical
Infrastructures and Key Assets recognizes that the “private sector generally remains the first line
of defense for its own facilities,” and encourages private sector owners and operators to “reassess
and adjust their planning, assurance and investment programs to better accommodate the
increased risk presented by deliberate acts of violence (The National Strategy 2003).” The most
recent versions of the National Response Plan (January 2005) and the National Incident
Management System (March 2004) include the private sector in all phases of crisis and
emergency awareness, prevention, preparedness, response and recovery planning and operations.
The National Response Plan explicitly charges the private sector to enhance overall readiness
(NRP 2005).
6
Supporting this goal of improved private sector readiness and intra and inter sector
coordination, the 9/11 Commission chartered the American National Standards Institute (ANSI)
to develop a consensus on a national standard for preparedness for the private sector (9/11
Commission 2004). Based upon its collaboration with the National Fire Protection Association
(NFPA) and the research of the 9/11 Commission, the “American National Standards Institute
(ANSI) recommended to the 9-11 Commission that the National Fire Protection Association
Standard, NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity
Programs, be recognized as the national preparedness standard (ISHN 2004).” The 9-11
Commission report contains the following recommendation concerning private sector emergency
preparedness and business continuity:
“We endorse the American National Standards Institute’s recommended standard for
private preparedness. We were encouraged by Secretary Tom Ridge’s praise of the
standard, and urge the Department of Homeland Security to promote its adoption. We
also encourage the insurance and credit-rating industries to look closely at a company’s
compliance with the ANSI standard in assessing its insurability and creditworthiness.
We believe that compliance with the standard should define the standard of care owed by
a company to its employees and the public for legal purposes. Private-sector
preparedness is not a luxury; it is a cost of doing business in the post-9/11 world. It is
ignored at a tremendous potential cost in lives, money, and national security (9/11
Commission 2004).”
Following from the 9/11 Commission Report, The Intelligence Reform and Terrorism
Prevention Act of 2004, signed into law on December 18, 2004 specifically states in Section
7305 – Private Sector Preparedness, that:
7
“Preparedness in the private sector and public sector rescue, restart, and recovery of
operations should include, as appropriate –
(A) a plan for evacuation;
(B) adequate communications capabilities; and
(C) a plan for continuity of operations. (IRTPA 2004)”
The Act goes on to state that the NFPA 1600 standard “establishes a common set of
criteria and terminology,” and charges the Department of Homeland Security to “work with the
private, as well government entities. (IRTPA 2004)” The Sense of Congress included in the Act
falls short of mandating national standards for the private sector, but does encourage the
adoption of voluntary standards such as those included in NFPA 1600.
The implications of the Act and the evolution of national standards on the private sector
will certainly evolve over a period of time; however, there is already high level conjecture and
discussions that compliance with NFPA 1600 will be established as an acceptable "legal standard
of care" owed by businesses to their employees and the general public and will serve as a "safe
harbor" to minimize potential legal liability. Compliance with NFPA 1600 may also find its way
into insurance considerations including insurability, premium pricing, and deductible levels.
Additionally, proof of adequate “preparedness” is increasingly finding its way into contractual
agreements between the public and private sectors and between private sector businesses. Such
requirements gained prominence in the preparations for Y2K, but lacked any real standard to
demonstrate compliance. NFPA 1600 standards, though voluntary, appear to be the foundation
of widely accepted national standards. Legal protection, insurance savings and contract
requirements are certainly incentives for “preparedness” for all businesses and may be
8
supplemented by additional measures such as tax savings and other forms of preferential
treatment for business to business and business to government interactions.
NFPA 1600 Standard
The NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity
Programs (2004 edition) has gained national level attention and prominence as a result of the
9/11 Commission study and report, however, its development pre dates the events of September
11th, 2001. The original NFPA 1600 standards, published in 1995, focused on Recommended
Practice for Disaster Management. The 2000 Edition, updated in the 2004 Edition, expanded
the focus to a “total program approach for disaster/emergency management and business
continuity programs (NFPA 2004).” Lacking a visual framework of the functions comprising an
integrated program of Disaster/Emergency Management and Business Continuity, NFPA 1600
specifies 15 program elements as displayed in Figure 1.
Figure 1
NFPA 1600 2004 Edition Disaster/Emergency Management
and Business Continuity Programs Elements
1. General
2. Law and Authorities
3. Hazard Identification, Risk Assessment and Impact Analysis
4. Hazard Mitigation
5. Resource Management
6. Mutual Aid
7. Planning
8. Direction, Control and Coordination
9. Communications and Warning
10. Operations and Procedures
11. Logistics and Facilities
12. Training
13. Exercises, Evaluations, and Corrective Actions
14. Crisis Communication and Public Information
15. Finance and Administration
9
The intent of this chapter is not to be overly critical of NFPA 1600, but to recommend
areas of improvement. NFPA 1600, the result of a consensus process representing multiple
constituencies from all sectors, is a logical and necessary first step in the development of national
standards written at a level of detail that can be used to define and measure compliance. As
presented in the current edition (2004) of the document provides relatively broad descriptions of
the program elements with minimal detail and is open to very liberal interpretation as to what
actually comprises compliance at the program and program element level. A listing of the
program elements is useful, but a graphical presentation of the elements, their hierarchy and
interdependency could assist in the understanding and marketing of a comprehensive program
that truly integrates the component parts. Additionally, NFPA 1600 defines a Business
Continuity Program as:
“Business Continuity Program – An ongoing process supported by senior management
and funded to ensure that the necessary steps are taken to identify the impact of potential
losses, maintain viable recovery strategies and recovery plans, and ensure continuity of
services through personnel training, plan testing, and maintenance (NFPA 1600).”
This choice of a definition stresses preparedness, response and recovery with no mention
of prevention and the linkage of the program to overall organizational goals. The definition of
an overall Business Crisis and Continuity Management program presented earlier in this chapter
provides this necessary emphasis and relegates reactive Business Continuity to its appropriate
supporting function role.
A Framework for Integrated BCCM
Consistent with the philosophy of an integrated BCCM program is the need for a visual
framework identifying the component functions and their relationship to one another. A visual
framework should be simple enough to be understandable at all levels of an organization, yet
complete enough to support the case for functional integration and management to multiple
10
Gregory L. Shaw, D.Sc., CBCP
Senior Research Scientist
The George Washington University
Institute for Crisis, Disaster, and Risk Management
This chapter is focused on the private sector organizations (businesses) that support the economy
at the individual, family, community, local, state and national levels. However, even with this
focus, the framework and principles of for profit business crisis and continuity management
(BCCM) are applicable to all organizations, be they private, public or not-for-profit.
Organizations exist to provide products and/or services to their customers and should strive to
maintain and/restore this capability, even in the face of highly disruptive events. Regardless of
the terminology chosen as the title for organizational continuity, crisis and continuity
management or continuity of operations, continuity is a strategic responsibility and function for
all organizations if they are to survive and prosper.
Central to the development and maintenance of a comprehensive organizational continuity
program is an understanding of the myriad functions supporting continuity and their
interdependencies. Recent efforts to develop a national standard as contained in the NFPA 1600
Standard on Disaster/Emergency Management and Business Continuity Programs, 2004 Edition,
is a starting point, but falls short of the detail necessary to prescribe true standards.
As an alternate to the NFPA 1600 program description, a visual framework of BCCM, with
definitions is presented and explained as the foundation of an enterprise wide program of
BCCM. The framework was developed to be simple enough to be understandable at all levels of
an organization, yet complete enough to support the case for functional integration and
management to multiple stakeholders including boards of directors, executive level managers,
stock owners, and customers. The framework supporting function of risk management and its
sub-functions is explained to demonstrate the applicability and benefit of the business specific
functions of business area analysis and business impact analysis to any organization.
Introduction
“Business” is not just the purview of the private sector. All organizations, be they private
sector, public sector or not-for-profit provide products and/or services to their customers. Along
with the delivery of products and/or services, all organizations also share the possibility of
disruptive events that have impacts ranging from mere inconvenience and short-lived disruption
of operations to the very failure of their ability to deliver their products and/or services which are
the very nature of their business. Accordingly, organizational functions supporting business
disruption prevention, preparedness, response and recovery such as risk management,
contingency planning, crisis management, emergency response, and business resumption and
recovery are established and resourced based upon the organization’s perception of its relevant
environments and the risks within those environments.
Individually, these functions can contribute to the protection of an organization and its
business line. However, efficiency and effectiveness demand their integration and coordination
into a comprehensive program of business crisis and continuity management. A logical starting
point for accomplishing this integration is a visual framework and explanation that identifies the
business crisis and continuity management supporting functions and their relationship to one
another. Such a framework and its explanation are presented in this chapter. The framework, as
presented, may appear quite different from the widely recognized Federal Emergency
Management Agency model for Comprehensive Emergency Management which includes the
phases of mitigation, preparedness, response and recovery, but the underlying philosophy and
approach of both are actually quite similar and complementary.
The Term Business Crisis and Continuity Management (BCCM)
Because of the many inconsistencies in terminology found in the contemporary literature
of the business community the hybrid term business crisis and continuity management has been
coined and introduced as a title for an organization wide strategic program and process. It is
necessary to include a brief discussion of the creation and choice of this term since much of the
current literature and business practices use the individual titles crisis management or business
continuity management separately and often interchangeably as an umbrella term for the multiple
functions and processes supporting the mitigation of and response to business disruption.
2
United States based organizations such as Disaster Research Institute International (DRII
2004), ASIS International (ASIS 2004), and the Association of Contingency Planners (ACP
2004) use the terms Business Continuity Management or Business Continuity Planning as their
umbrella for multiple functions and processes including crisis management. The United
Kingdom based Business Continuity Institute also employs the term Business Continuity
Management as its overall program title. However, noted experts such as Ian Mitroff (Mitroff
and Pauchant 1992, Mitroff 2001) and Stephen Fink (Fink 1986) emphasize crisis management
as the unifying structure and term for strategic business protection, response and recovery and
include business continuity as one of many supporting functions.
Despite the difference in terminology, there is little debate in the business continuity and
crisis management literature that crisis management, business continuity management, and their
supporting functions need to be thoroughly integrated in support of overall business
management. Business Continuity Management: Good Practices Guidelines explains the
inconsistency in terminology by stating “Crisis Management and BCM [Business Continuity
Management] are not seen as mutually exclusive albeit that they can of necessity stand alone
based on the type of event. It is fully recognized that they are two elements in an overall
business continuity process and frequently one is not found without the other.” (Smith 2002)
Thus, in an attempt to emphasize the inter relatedness and equal importance of crisis
management and business continuity management, Business Crisis and Continuity Management
has been chosen as the umbrella term and is defined as:
Business Crisis and Continuity Management – “The business management practices that
provide the focus and guidance for the decisions and actions necessary for a business to
prevent, prepare for, respond to, resume, recover, restore and transition from a
disruptive (crisis) event in a manner consistent with its strategic objectives (Shaw and
Harrald 2004).”
3
The Evolution of BCCM
Business Crisis and Continuity Management, as a recognized business program, has
evolved over the past twenty plus years from a technology centric disaster recovery function
dealing almost exclusively with data protection and recovery to a much wider holistic and
enterprise wide supporting focus (Wheatman, Scott and Witty 2001). Despite some strides to
evolve BCCM into a profession including a widely accepted common body of knowledge and
terminology, standards of performance, and certification process, progress has been slow and is
hampered by the fact that BCCM, though generally recognized as a strategic function, remains a
discretionary program for all but the most highly regulated business sectors such as the financial
sector and healthcare sector. Even within these regulated sectors, standards of performance for
all BCCM supporting functions may not be recognized and specified in sufficient detail to insure
a truly comprehensive and integrated program.
As Ian Mitroff concludes from his extensive research in the area of business crisis
management (his umbrella term for an integrated BCCM program), most businesses do not have
an adequate crisis management program, supported by corporate culture, individual and
organizational level expertise, infrastructure and plans and procedures to fully understand,
prepare for, and manage the crises they may face (Mitroff 1992). Mitroff has since updated his
conclusions in the 2001 book, Managing Crises Before they Happen where he states that “The
vast majority of organizations and institutions have not been designed to anticipate crises or to
manage them effectively once they have occurred. Neither the mechanics nor the basic skills are
in place for effective CM. (Mitroff 2001)” Mitroff’s conclusions are further supported by the
results of the 2001 Business Continuity Readiness Survey, jointly conducted by Gartner, Inc.
Executive Programs and the Society for Information Management that found “Less than 25
4
percent of Global 2000 enterprises have invested in comprehensive business continuity planning.
(Gartner 2002)”
This trend in BCCM acceptance is changing, however. The reality of business is that
increasing and dynamic natural, technological and human induced threats, business complexity,
government regulation, corporate governance requirements, and media and public scrutiny
demand a comprehensive and integrated approach to business crisis and continuity management.
Classic natural, technological and human induced events such as Hurricane Andrew (1992), the
Northridge Earthquake (1994), the Exxon Valdez oil spill (1989), the Bhopal chemical release
(1984), the World Trade Center attack of 1993, and the Tylenol poisoning case (1982) have
provided lessons learned that emphasize each of these factors and the need for coordination and
cooperation within and between organizations, and between all levels of government, the private
and not-for-profit sectors.
These lessons have not been lost by many businesses that have reached the conclusion
that integrated BCCM should be viewed as an investment rather than an additional cost that
detracts from profits and have implemented their vision of comprehensive programs. The United
States Business Roundtable, an association of business chief executive officers of leading
corporations with the stated objective of improving public policy, explicitly recognizes the role
of the Board of Directors and Management in the area of corporate governance in general,
including specific business crisis and continuity management responsibilities. The Roundtable’s
white paper Principles of Corporate Governance charges the Board of Directors to periodically
review management’s plans for business resiliency and designate management level
responsibility for business resiliency. Within the scope of business resiliency various functions
are specifically mentioned and include business risk assessment and management, business
5
continuity, physical and cyber security, and emergency communications (The Business
Roundtable 2002). However, lacking recognized standards and incentives, many businesses still
consider BCCM as a burdensome cost that receives minimal and even no support.
The tragic events of September 11th, 2001 and the implications for businesses directly
and indirectly impacted by the events have further reinforced the need for enterprise wide
coordination of the multiple functions supporting business crisis and continuity management.
Studies following the attacks of September 11th, 2001, such as the 9/11 Commission study and
report have engaged the United States government, at all levels, in the process of recognizing the
responsibilities of the private sector and encouraging the private sector to take adequate steps to
protect people, property and business operations. Further steps, including mandated standards,
may well follow beyond the current level of encouragement and voluntary compliance.
With roughly 80% of America’s critical infrastructure managed by the private sector (The
Conference Board 2003), The National Strategy for the Physical Protection of Critical
Infrastructures and Key Assets recognizes that the “private sector generally remains the first line
of defense for its own facilities,” and encourages private sector owners and operators to “reassess
and adjust their planning, assurance and investment programs to better accommodate the
increased risk presented by deliberate acts of violence (The National Strategy 2003).” The most
recent versions of the National Response Plan (January 2005) and the National Incident
Management System (March 2004) include the private sector in all phases of crisis and
emergency awareness, prevention, preparedness, response and recovery planning and operations.
The National Response Plan explicitly charges the private sector to enhance overall readiness
(NRP 2005).
6
Supporting this goal of improved private sector readiness and intra and inter sector
coordination, the 9/11 Commission chartered the American National Standards Institute (ANSI)
to develop a consensus on a national standard for preparedness for the private sector (9/11
Commission 2004). Based upon its collaboration with the National Fire Protection Association
(NFPA) and the research of the 9/11 Commission, the “American National Standards Institute
(ANSI) recommended to the 9-11 Commission that the National Fire Protection Association
Standard, NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity
Programs, be recognized as the national preparedness standard (ISHN 2004).” The 9-11
Commission report contains the following recommendation concerning private sector emergency
preparedness and business continuity:
“We endorse the American National Standards Institute’s recommended standard for
private preparedness. We were encouraged by Secretary Tom Ridge’s praise of the
standard, and urge the Department of Homeland Security to promote its adoption. We
also encourage the insurance and credit-rating industries to look closely at a company’s
compliance with the ANSI standard in assessing its insurability and creditworthiness.
We believe that compliance with the standard should define the standard of care owed by
a company to its employees and the public for legal purposes. Private-sector
preparedness is not a luxury; it is a cost of doing business in the post-9/11 world. It is
ignored at a tremendous potential cost in lives, money, and national security (9/11
Commission 2004).”
Following from the 9/11 Commission Report, The Intelligence Reform and Terrorism
Prevention Act of 2004, signed into law on December 18, 2004 specifically states in Section
7305 – Private Sector Preparedness, that:
7
“Preparedness in the private sector and public sector rescue, restart, and recovery of
operations should include, as appropriate –
(A) a plan for evacuation;
(B) adequate communications capabilities; and
(C) a plan for continuity of operations. (IRTPA 2004)”
The Act goes on to state that the NFPA 1600 standard “establishes a common set of
criteria and terminology,” and charges the Department of Homeland Security to “work with the
private, as well government entities. (IRTPA 2004)” The Sense of Congress included in the Act
falls short of mandating national standards for the private sector, but does encourage the
adoption of voluntary standards such as those included in NFPA 1600.
The implications of the Act and the evolution of national standards on the private sector
will certainly evolve over a period of time; however, there is already high level conjecture and
discussions that compliance with NFPA 1600 will be established as an acceptable "legal standard
of care" owed by businesses to their employees and the general public and will serve as a "safe
harbor" to minimize potential legal liability. Compliance with NFPA 1600 may also find its way
into insurance considerations including insurability, premium pricing, and deductible levels.
Additionally, proof of adequate “preparedness” is increasingly finding its way into contractual
agreements between the public and private sectors and between private sector businesses. Such
requirements gained prominence in the preparations for Y2K, but lacked any real standard to
demonstrate compliance. NFPA 1600 standards, though voluntary, appear to be the foundation
of widely accepted national standards. Legal protection, insurance savings and contract
requirements are certainly incentives for “preparedness” for all businesses and may be
8
supplemented by additional measures such as tax savings and other forms of preferential
treatment for business to business and business to government interactions.
NFPA 1600 Standard
The NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity
Programs (2004 edition) has gained national level attention and prominence as a result of the
9/11 Commission study and report, however, its development pre dates the events of September
11th, 2001. The original NFPA 1600 standards, published in 1995, focused on Recommended
Practice for Disaster Management. The 2000 Edition, updated in the 2004 Edition, expanded
the focus to a “total program approach for disaster/emergency management and business
continuity programs (NFPA 2004).” Lacking a visual framework of the functions comprising an
integrated program of Disaster/Emergency Management and Business Continuity, NFPA 1600
specifies 15 program elements as displayed in Figure 1.
Figure 1
NFPA 1600 2004 Edition Disaster/Emergency Management
and Business Continuity Programs Elements
1. General
2. Law and Authorities
3. Hazard Identification, Risk Assessment and Impact Analysis
4. Hazard Mitigation
5. Resource Management
6. Mutual Aid
7. Planning
8. Direction, Control and Coordination
9. Communications and Warning
10. Operations and Procedures
11. Logistics and Facilities
12. Training
13. Exercises, Evaluations, and Corrective Actions
14. Crisis Communication and Public Information
15. Finance and Administration
9
The intent of this chapter is not to be overly critical of NFPA 1600, but to recommend
areas of improvement. NFPA 1600, the result of a consensus process representing multiple
constituencies from all sectors, is a logical and necessary first step in the development of national
standards written at a level of detail that can be used to define and measure compliance. As
presented in the current edition (2004) of the document provides relatively broad descriptions of
the program elements with minimal detail and is open to very liberal interpretation as to what
actually comprises compliance at the program and program element level. A listing of the
program elements is useful, but a graphical presentation of the elements, their hierarchy and
interdependency could assist in the understanding and marketing of a comprehensive program
that truly integrates the component parts. Additionally, NFPA 1600 defines a Business
Continuity Program as:
“Business Continuity Program – An ongoing process supported by senior management
and funded to ensure that the necessary steps are taken to identify the impact of potential
losses, maintain viable recovery strategies and recovery plans, and ensure continuity of
services through personnel training, plan testing, and maintenance (NFPA 1600).”
This choice of a definition stresses preparedness, response and recovery with no mention
of prevention and the linkage of the program to overall organizational goals. The definition of
an overall Business Crisis and Continuity Management program presented earlier in this chapter
provides this necessary emphasis and relegates reactive Business Continuity to its appropriate
supporting function role.
A Framework for Integrated BCCM
Consistent with the philosophy of an integrated BCCM program is the need for a visual
framework identifying the component functions and their relationship to one another. A visual
framework should be simple enough to be understandable at all levels of an organization, yet
complete enough to support the case for functional integration and management to multiple
10
Add New Comment