Introduction

In August of 2007, the President of the United States signed into law PL 110-53 (“Implementing Recommendations of the 9/11 Commission Act of 2007”). Title IX of that law provides for the development and implementation of a “Voluntary Private Sector Preparedness Accreditation and Certification Program”. The law is also referred to as HR 1 (the symbolic first legislation passed by the new Democratic majority). The 9/11 Commission recommended that the American National Standards Institute's National Fire Protection Association Standard on Disaster/Emergency Management and Business Continuity Programs (ANSI/NFPA 1600) be implemented as the standard for business continuity within the private sector of the United States (www.nfpa.org). Language (“or others”) was added in the draft law after NFPA 1600 opening the possibility of considering other standards. The law designates the Department of Homeland Security (DHS) to implement Title IX. DHS has appointed FEMA as the government organization responsible for creating the standard and overseeing certification of private companies.

 

The release of a British Standards Institute (BSI) standard on business continuity (BS 25999) at about the same time as Title IX sparked considerable discussion in the contingency planning community around regulations and standards. As a result, the Association of Contingency Planners (ACP) created a special committee of key members to interface with DHS, FEMA and other key Title IX stakeholders and to keep the ACP membership informed of developments as the “standards” process evolves.

Fifteen years ago, contingency planning focused on recovery and/or continuity within the technology environment. Today, business continuity is a more holistic process, encompassing all of the elements necessary to maintain the viability of the business entity during an interruption. While the sustainability of technology is an important aspect of business continuity, it is only one of many elements to mitigate, protect, respond, manage, recover and resume “normal business operations”. With Title IX, Congress and the regulatory bodies have clearly recognized and made this point. Although a direct result of 9/11 and its Commission, Title IX will focus on “all hazards” influencing private sector operations, not just terrorism.  While the precise process remains unknown, the resulting certifications will be for organizations only, not individuals.

Overview of Title IX (Private Sector Preparedness Act)

 

The Alfred P. Sloan Foundation prepared a detailed report on Title IX that is available on line (www.nyu.edu/intercep). In summary, the new law directs that DHS develop a private sector preparedness program that:

• Provides a method to independently certify the emergency preparedness of private sector organizations (including disaster/emergency management and business continuity programs)
• Is voluntary
• Engages key stakeholders in development of the program
• Is administered outside the government by third party organizations with experience/expertise in managing and implementing voluntary accreditation and certification programs
• Designates one or more preparedness standards citing NFPA 1600 as an example
• Integrates/recognizes existing industry efforts, standards, practices and reporting on preparedness
• Gives special consideration to small business [as defined within section 3 of the Small Business Act (15 U.S.C. 632)]
• Protects proprietary and confidential company information

 

DHS has four basic tasks under the law:

1. Designate one or more organizations to act as the accrediting body (develops and oversees the certification process and accredits third parties to carry out the certification process)
2. Separately designate one or more standards for assessing private sector preparedness
3. Provide information and promote the business case for voluntary compliance with the preparedness standard(s)
4. Monitor and report on the effectiveness of the certification program on an ongoing basis

 

Implementation of the private sector preparedness program has an ambitious schedule. Title IX includes two date-specific milestones for realizing the program goals, both linked to the date of enactment by Congress.

·        No later than 30 days after enactment (Sept 1, 2007), DHS Secretary Michael Chertoff had to choose the designated officer to lead the program. The FEMA Administrator was designated and will chair an internal Private Sector Preparedness Council comprised of DHS leadership from the Science & Technology Directorate, Private Sector Office and the Office of Infrastructure Protection.

·        No later than 210 days after enactment (Feb 28, 2008), the designated officer shall:

o       Enter into agreement(s) with one or more "selected entities" that will carry out accreditations and oversee the certification process

o       Begin supporting development and updating voluntary preparedness standards through voluntary consensus standard organizations

o       Develop and promote a program to certify preparedness of private sector entities

o       Implement that program through any entity with which the Designated Officer has reached an agreement for that purpose

NOTE: This milestone was met in late July 2008. DHS designated the ANSI National Accreditation Board (ANAB) as the entity that will carry out accreditations and oversee the certification process. ANAB had the same role for the earlier quality and environmental voluntary standards programs.

 

Key Terms

 

In discussing Title IX or any certification program, it is important to define a few terms.

 

• Regulation – an official document, usually from the government, carrying the force of law and mandating compliance with some practice, procedure or policy (e.g. SOX, Graham-Leach-Bliley)
• Standard – a document established by consensus and approved by a recognized body that provides for common and repeated use, rules, guidelines or characteristics for activities or their results aimed at achieving the optimum degree of order.
• The national standards setting body is the American National Standards Institute (ANSI) which represents the US at the International Standards Organization (ISO) in Geneva
• Conformity Assessment – the process under which an organization determines directly or indirectly that standards requirements are fulfilled (e.g. an audit). Assessments may be conducted:
• internally (first party)
• by a customer, supplier or vendor (second party)
• by an independent organization (third party)
• Accreditation or Accrediting Body – a group that assesses the competence of and accredits (i.e. approves) certification (or certifying) bodies to carry out certifications activities (conformity assessments) against a standard or set of accreditation requirements. FEMA has designated the ANSI National Accreditation Board (ANAB) to be the accreditation body for Title IX.
• Certification or Certifying Body – a group approved by the accreditation or accrediting body to assess the conformity of and to certify that an organization has met certain standards or specifications.

 

Ongoing Activities

 

The enactment of Title IX has prompted a flurry of activity in the business continuity community. In late 2007, the International Center for Enterprise Preparedness (InterCEP) hosted a forum of representatives (including ACP) from private sector businesses, key industry associations and government agencies to discuss the impact and form that the Title IX standard should take. The forum addressed the design and operation of the Title IX certification program, designation of an accreditation body, selection of a preparedness standard(s) and the business case for preparedness. Following the meeting, the Alfred P. Sloan Foundation funded and published a report (referenced above) on the “Framework for Voluntary Preparedness” that was presented to DHS and Congress.

 

In addition, the Sloan Foundation has funded ongoing research by InterCEP into the what (form) and the why (incentives) of the Title IX standard. As a result, InterCEP formed five working groups to address various aspects of the private sector preparedness equation (legal, supply chain, insurance, credit ratings and corporate governance). Each group has met and drafted reports from their unique perspectives that InterCEP will present to Congress, DHS, FEMA and the designated accrediting body (ANAB). Some of the key findings of the InterCEP groups include (complete reports are available at http://www.nyu.edu/intercep):

 

• Legal
• Common law precedent would substantiate certification as a way to mitigate potential liability
• Development of statutory guidelines would provide additional legal motivation to pursue certification
• Some corporations are concerned about possible disincentives associated with certification (e.g. identification of shortfalls)
• Allowing multiple standards for certification could be legally problematic
• Using a maturity model (levels of preparedness) may make certification more compelling from a legal perspective

 

• Supply Chain
• Global supply networks expose firms to a wider spectrum of possible disruptions at all levels of operation
• Many forward-leaning businesses are already implementing standards and best practices designed to ensure their supply chains are resilient
• Firms frequently require suppliers to adhere to certain preparedness requirements
• Some firms promote preparedness-related best practices through mentorship, training, education and joint exercises with their suppliers/vendors
• The management and oversight of preparedness among supply partners remains difficult for a variety of reasons (means to assess compliance)
• Specific markets and industry verticals (NYSE, NASD, FISAP, C-TPAT) have on-going initiatives to promote supply chain resilience through third-party coordination and oversight
• The Title IX certification program could have a number of concrete benefits to these on-going industry initiatives (eliminate redundancy, reduce overlap)
• Benefits derived by individual companies from Title IX will vary depending on a variety of factors (getting regulatory buy-in)


• Insurance
• The insurance industry can act as a major catalyst for business to undertake preparedness actions
• Current efforts to correlate preparedness actions to loss reductions focus largely on property risk
• The Terrorism Reinsurance Act (TRIA) effectively reduced the premium charged for exposures to risks associated with terrorism
• Insurance markets are stratified with larger companies receiving relatively more attention and greater flexibility from underwriters than smaller companies
• In general, underwriters would benefit from data that clearly correlates preparedness actions to a reduction of loss potential
• Prudent actions taken by businesses may not generally be rewarded by insurers
• Title IX could provide the insurance industry with a justification to shift toward more risk-based pricing and other incentives for companies to become more prepared
• Title IX standards may provide underwriters with a way to systematize their understanding of business continuity practices
• Title IX audit/assessment processes may also provide underwriters with data they cannot access otherwise due to a lack of time or expertise
• Insurance regulators may consider incorporating elements of Title IX certification into the underwriting process
• Title IX may also encourage some insurers to take the lead in the industry and step out of the box to pursue competitive advantage over other insurers
• Insured companies may take individual or collective action to demand acknowledgement of their preparedness efforts under Title IX by insurers
• Title IX also presents the insurance industry with an opportunity to incorporate certification in an ongoing effort to standardize the collection and electronic transmission of underwriting data

 

• Credit Ratings
• Recently, the major rating agencies have increasingly focused on business risks in general
• Standard & Poor’s (S&P) has begun to explore the possibility of incorporating enterprise risk management (ERM) into its ratings
• ERM is a broad framework for managing risk, and Title IX focuses on some of the same core elements of operational risk (business continuity and emergency management)
• Title IX could provide valuable input to support rating agency analysis of the key qualitative aspects of managing operational risk
• For rating agencies, any assessment process will need to use consensus-based standards/metrics and a common assessment methodology that can be audited by other
• There is precedent for using third-party certification as an input to ratings analysis
• Many firms (e.g. financial services) are already motivated by operational, regulatory and competitive pressures to undertake business preparedness programs; for them, Title IX certification could allow acknowledgement/credit for these efforts in the ratings process
• Title IX certification should include/acknowledge existing sector-specific best practices as well as reporting requirements

 

Discussion

 

Title IX allows for the integration of multiple standards, none of which have been identified as the standard or standards on which certification will be based. While the law mentions NFPA 1600 as an example of such a standard, the table below summarizes this standard as well as other related current standards.                

 

 

 

    

Any business certified under Title IX will appear on a public listing “as being in compliance with” Title IX.  Although voluntary, Title IX offers a certified organization a number of potential benefits including:

 

• More resilient supply chains
• Competitive differentiation

 

In the mind of many business continuity professionals, the true value of Title IX will be the increased business continuity awareness amongst business partners, the consistent execution of business continuity practices designed to increase readiness and recoverability and the greater management involvement the program will generate in meeting industry best practices.  At a minimum, Title IX is an opportunity to add efficiency to supply chain risk management efforts by encouraging vendor participation. Certified businesses may benefit as well from being more stable, dependable and reliable to their customer base as a result of their best-in-class, certifiable business continuity processes. 

 

Although the standard used for the voluntary certification program remains undefined (and will probably until the new administration takes over in 2009), business continuity professionals can assume that key attributes found in existing standards will be reflected in the Title IX voluntary accreditation program. The Sloan Foundation report found common requirements in all of the existing standards. These core preparedness attributes will most likely be reflected in the standard eventually adopted under Title IX:

 

• Preparing a high-level policy statement and governance document
• Securing management commitment
• Identifying potential hazards, assessing risks and analyzing/mitigating impacts
• Defining incident management procedures and controls to include managing necessary emergency preparedness and response resources and developing mutual aid agreements where needed
• Protecting proprietary and confidential information
• Exercising data control and back-up procedures for documents and information
• Providing for the continuity of critical operations
• Developing and conducting training and exercises to support and evaluate preparedness and response plans and operational procedures
• Crafting procedures to respond to requests for information from the media or the public
• Establishing processes to independently audit and assess the business state of preparedness on a recurring basis

 

At a minimum, a Title IX assessment of an organization’s business continuity program will ensure its key activities are documented and operating in a repeatable manner, consistent with leading standards such as those cited above. 

Accreditation Process

 

Regardless of which standard is selected, any audits that are sanctioned by any of the National Accreditation Boards will follow the format outlines in ISO 17021:2006. This standard outlines the approach that must be taken by any organization that applies for accreditation as a Certification or Certifying Body (CB).

 

Most nations have a National Accreditation Board (NAB); some countries have more than one (e.g. Japan has two). The vast majority of these national organizations are cosigners of the Multilateral Agreement (MLA) which, among other things, specifies that each signer of the MLA will recognize certifications granted by other NABs who have also signed the MLA. Thus, work performed by a CB approved by UKAS (the National Accreditation Board of the United Kingdom) will be recognized and accepted by the US board ANAB and others.

 

Reciprocity is important because in the UK, Europe and the Pacific Rim, one standard - BS 25999 - is gaining rapid acceptance. UKAS has accepted applications for CB status on BS 25999 in different parts of the world. The BSI Group, the developers of BS 25999, has already been granted CB status with regards to BS 25999. Two to three other firms are expected to be granted this status by late 2008. Together, these firms are actively promoting certification to the BS 25999 standard while the United States is awaiting selection of a standard under Title IX.

Conclusions

 

For individual organizations, the specific value of the Title IX business continuity preparedness certification remains somewhat unknown.  We can speculate that certification will be a competitive differentiator and possibly offer financial benefits similar to other ISO certification programs.  The real value of the law, however, is that it significantly elevates the visibility and importance of business continuity and business preparedness across all entities in the public and private sectors.  Business continuity professionals have already begun discussing the implications with their senior management teams and are considering how to participate and prepare.  These discussions, and the resulting impact on organizational responsiveness and recoverability, could enable a significant maturation of the business continuity industry as a whole.

Establishment and implementation of Title IX will require the creation of a business continuity standard(s) and a process commonly applicable across private sector organizations. The ease and efficiency of implementation will depend on public-private cooperation under the auspices of DHS.

The initial challenge for DHS, mandated by Title IX, is to identify the standard(s) to be used in consultation with the full range of stakeholders from standards-setting organizations to Critical Infrastructure Sector Coordinating Councils. It is critical that ACP, its members and other professional business continuity practitioners determine its equities in Title IX and begin sustained engagement with other stakeholders who will collectively shape Title IX implementation. That process is underway.